An Introduction to the Regulatory Technical Standards for Strong Customer Authentication – Part 1: eIDAS

A major challenge faced by the EU in the creation of a Digital Single Market is finding the right balance between processes that can be harmonized and standardized and those that need to remain flexible to cater to the demands of the various Member States.

It is clear that eIDAS has been designed not only keeping this mind, but actually by taking it as the fundamental guiding principle during its creation.

eIDAS has been designed to allow for seamless (cross-border) operations while ensuring technological neutrality and flexibility in terms of how its minimum standards need to be met. The Regulatory Technical Standards for Strong Customer Authentication were released to supplement the PSD2 Directive and they also supplement the provisions of the eIDAS Regulation.

Main elements of the Regulatory Technical Standards

The Regulatory Technical Standards (RTS) are a Commission Delegated Regulation. They cover four broad areas:

  • Defining the requirements for achieving Strong Customer Authentication (SCA) in accordance with PSD2 and eIDAS. SCA requires the verification of the user elements which relate to possession, knowledge and/ or inherence. SCA is a central element for both eIDAS and PSD2 and the Regulatory Technical Standards shed light on their appropriate usage, the need to maintain their independence from each other and other related aspects. 
  • Specifying the conditions for exemptions from SCA in certain specific situations. Achieving SCA obviously has a time and monetary cost associated with it, both of which will not only affect the payment service provider but the end customer as well. Therefore, there are certain conditions under which SCA may not be required - like for small amounts or recurring transactions. However, there is a dynamic element here as well and service providers are required to perform real time transaction risk analysis and insist on SCA even for  exempt cases in case of an adverse alerts.
  • Protecting the end user from having his or her security credentials compromised in any way. RTS specifies multiple requirements to ensure this - like masking and encrypting security credentials and adequately protecting cryptographic materials from unauthorized access. 
  • Establishing common standards for things like open and secure communications between various parties involved in a transaction. RTS mandates elements like session IDs, timestamps, transactional logging, ensuring traceability etc. The flow of communication between Payment/ Information Service Providers, customers and other involved parties is also a fundamental security requirement and is covered by RTS.


RTS mandates the use of eIDAS defined qualified certificates and seals for identification. It states that “To improve user confidence and ensure strong customer authentication, the use of electronic identification means and trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council should be taken into account, in particular with regard to notified electronic identification schemes”. 

This is obviously a crucial element necessary for the smooth operation of the larger machine. The use of eIDAS enabled electronic identification means and trust services in ensuring Strong Customer Authentication makes these two directives complement each other pretty well and takes us further along the path to a Digital Single Market. 

References and further reading

In Part 2 and Part 3 of our series on the Regulatory Technical Standards, we looked at how it complements PSD2 and Achieving Transactional & Account Security respectively.

About the author

Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly rated journals and conference papers. From 2008 - 2015, he was associated research scientist at the Karlsruhe Service Research Institute (KSRI), a partnership by KIT and IBM, where he researched network effects around web-platforms together with SAP Research.

To find more blog posts related with below topics, click on one of the keywords:

How can we help you?

Talk to one of our specialists and find out how Utimaco can support you today.
You have selected two different types of downloads, so you need to submit different forms which you can select via the two tabs.

Your download request(s):

    By submitting below form you will receive links for your selected downloads.

    Your download request(s):

      For this type of documents, your e-mail address needs to be verified. You will receive the links for your selected downloads via e-mail after submitting below form.

      About Utimaco's Downloads

      Visit our Downloads section and select from resources such as brochures, data sheets, white papers and much more. You can view and save almost all of them directly (by clicking the download button).

      For some documents, your e-mail address needs to be verified. The button contains an e-mail icon.

      Download via e-mail


      A click on such a button opens an online form which we kindly ask you to fill and submit. You can collect several downloads of this type and receive the links via e-mail by simply submitting one form for all of them. Your current collection is empty.