Following the EU’s announcement unveiling its plans for an ‘EU Digital Identity Wallet’, this article explains the Trust Framework and the ‘digital wallet’ requirement for remote eIDAS qualified electronic signatures, seals and qualified signature creation devices (QSCDs).
The EU Digital Identity Trust Framework
On the 3rd June, the European Commission unveiled its plans for an ‘EU Digital Identity Wallet’- available to all EU citizens, residents and businesses, bringing data and documents together in a single, personal ‘wallet’ repository. For this purpose, member states have been invited to prepare a common toolbox by September 2022 that includes technical architecture, standards and guidelines for best practices. Once the technical ‘framework’ has been agreed, it will be tested in pilot projects.
The Commission’s plan builds on the existing cross-border legal framework for trust digital identities - the European electronic identification and trust services initiative- the eIDAS Regulation.
A ‘trust framework’ is a set of ‘standards, definitions, requirements, specifications and processes’, containing the necessary tools, rules and accreditation criteria to govern an identity framework. It provides the required structure and controls for the purpose of delivering confidence to all active participants and accredited providers in order to meet accreditation obligations. These obligations cover privacy, security, risk management, records management, accessibility and useability, fraud controls, service operations, identity proofing and authentication management.
A Trust Framework explains that a digital identity is a digital representation of who an individual is, enabling verification of identity during interactions and transactions. Some examples of digital identities under the Trust Framework are:
- a digital 'wallet' storing various trusted pieces of information about an individual, called 'attributes', which the individual can choose with whom and when to disclose. This 'wallet' could include details from the government, such as legal name, date of birth, right to reside, to work, or to study, or details from other organisations, such as professional qualifications, or employment history.
This will mean that various service providers and relying parties will need to trust each other- from financial institutions, to providers of healthcare, insurance, mortgages, banking, government and so forth, in turn, creating a clear legal framework that enables businesses to innovate, encouraging a more practical approach to worldwide digital identification standards. At the same time, providing confidence that both businesses and consumers are protected from fraud and that robust privacy protections are in place.
Source: European Commission
- a digital identity providing user authentication as an online service. This would be relevant where an online retailer requests proving the individual's identity for age-restricted goods. In this case, the individual could sign into their identity service provider and authorise them to release the information relating to their age only, without releasing any additional personal data.
The use of trust services supports citizens and companies around Europe, enabling the performance of operations that are most required, in a way that is secure and transparent. At times when face-to-face interaction is not possible, trust services become vital - European Identity under eIDAS . It should also be noted that the use of the European Digital Identity Wallet will always be at the choice of the user who will be able to decide how much information is shared, with who and for what purpose.
Criteria for Digital Identity ‘Trust’
Digital identity is key to enabling individuals to prove who they are securely, online and in-person and plays an important role in preventing identity-enabled fraud- digital privacy, security, transparency, integrity and accountability all affect the overall user experience.
Regulation (EU) No 910/2014 (also known as the “eIDAS Regulation”), on electronic identification and trust services for electronic transactions in the internal market, provides a regulatory environment for electronic identification of natural and legal persons and for a set of electronic trust services, namely; electronic signatures, seals, time stamps, registered delivery services and certificates for website authentication.
In addition, the eIDAS regulation has recently been revised to respond to the dynamics of the markets and to technological developments - expanding the current eIDAS list of trust services with three new qualified trust services:
- the provision of electronic archiving services
- electronic ledgers, and
- the management of remote electronic signature and seal creation devices (QSCD).
The eIDAS Regulation introduces the notions of qualified trust service (QTS) and qualified trust service provider (QTSP) with a view to indicating their compliance with the eIDAS high-level security requirements and obligations. A QTSP is a TSP that has been granted a qualified status and is supervised by its national supervisory body (SB).
What is a Qualified Electronic Signature (QES)?
A qualified electronic signature (eIDAS Article 3) is an advanced electronic signature which is additionally:
- created by a qualified signature creation device;
- and is based on a qualified certificate for electronic signatures.
Qualified certificates for electronic signatures are provided by (public and private) providers which have been granted a qualified status by a national competent authority as indicated in the national 'trusted lists' of the EU Member State. Those lists can be accessed through the Trusted List Browser.
Remote Qualified Signature Creation Devices (QSCD)1
The new qualified trust service for the management of remote electronic signature and seal creation devices would provide significant security, uniformity, legal certainty and consumer choice benefits both linked to the certification of the qualified signature creation devices and in relation to the requirements to be met by the qualified trust service providers managing such devices - specifically for the recently announced EU Digital Identity Wallet requirements 1.
In preparation towards the toolbox development and final rollout of Europe’s Digital Identity Wallet, a Qualified Trust Service is required for the management of remote electronic signature and seal creation devices in order to bring security, uniformity, legal certainty and consumer choice benefits, both in terms of device certification and the requirements that qualified trust service providers must meet in order to manage such devices. The new provisions will strengthen the overall regulatory and supervision framework for the provision of trust services.
1 Secure signature creation devices of which the conformity has been determined in accordance with Article 3(4) of Directive 1999/93/EC shall continue to be considered as qualified electronic signature creation devices under this Regulation.
Blog post by Dawn Illing