eIDAS Regulation (electronic IDentification, Authentication, and trust Services)

eIDAS has completely transformed the way users and companies interact, not only in Europe but all over the world. This regulatory and technical standard enables electronic transactions to be carried out with complete trust and security within the European single market.

The rest of the regions take Europe as a reference for their digital identity standards in order to establish their legal frameworks concerning electronic activities and transactions.

What is eIDAS?

eIDAS, electronic IDentification, Authentication, and trust Services, and, officially, European Union Regulation 910/2014, is the regulation establishing a European electronic identity recognition system. It was approved by the European Parliament and the Council on July 23, 2014, and is in force in all the European Union countries.

This set of rules repeals Directive 1999/93/EC, which was the pioneer in the standardization and normativization of electronic signatures. This first regulation gave full legal validity to electronic signatures and equated their recognition to traditional handwritten signatures. However, each EU member state implemented and interpreted the standard in different ways.

eIDAS came into force on July 1, 2016, as a regulation - not as a directive - and had to be implemented directly in the member states. It creates then - for the very first time - a secure and concrete space for the performance of electronic signatures and the provision of trust services.

electronic IDentification, Authentication, and trust Services establishing a single legal framework

The new standard not only regulates everything related to electronic signatures and extends it concerning its predecessor but also specifies the following aspects and their development:

• Timestamps.
• Electronic documentation and its technical features.
• Certified communications through e-mail and other equivalent mean registered with proof of delivery.
• Certificates for secure authentication.

With these delimitations and specifications, a new world of possibilities was created to operate with absolute security through digital services and channels of all kinds, as long as the characteristics detailed in the regulation were complied with.

Accordingly, the eIDAS Regulation establishes the specific conditions for the means of identification of both natural and legal persons to be valid, expands the legal framework related to electronic signatures and associated evidence, and at the same time allows new types of transactions and operations remotely.

Finally, a regime is created and developed in which new actors appear. These people will act as supervisors and suppliers to ensure the necessary level of security so that electronic services can be provided.

What are electronic trust services?

eIDAS implementation and development led to the birth of the TSP (Trust Services Provider) concept.

These agents act as issuers and keepers of digital certificates that enable the creation of electronic signatures as well as the authentication of signatories and the confirmation of the websites on which transactions are executed.

Trust service providers are responsible for guaranteeing the integrity of the electronic signature process and the provision of Internet services, including - as mentioned above - user authentication and certificate issuance. 

Likewise, these actors safeguard the information for a specific period of time to guarantee the non-repudiation of the transaction or operation: an electronic evidence service is offered, end-to-end encryption, and proof of data origin, as it is traceability for each phase of the process.

How to take advantage of eIDAS: Benefits, advantages, and possibilities for companies

Beyond the mandatory requirement to comply with eIDAS in order to operate in the affected markets, the adaptation to the standard brings with it several benefits, advantages, and possibilities that will boost organizations.

The implementation and use of trust services regulated by eIDAS occur in processes and operations that are crucial for business. They completely change user-organization relationships, streamlining and securing them. Now, companies can create new services and transform their business models to offer the ones they have been working on within a completely digitalized and remote way.

The savings in materials are significant in specific organizations. It dispenses with the need for physical storage space for the documentation, eliminates the risk of losing valid original documentation, and meets the objectives in terms of sustainability and CSR (environmental impact).

Furthermore, the European regulatory framework allows any company that adapts to eIDAS to operate in all EU countries without complication or the need for large investments since it can offer its products and services remotely thanks to the eIDAS regulation. 

Implementing processes adapted to eIDAS implies an exponential increase in productivity, saving time in all operations (from weeks to minutes) and employees' working hours, reducing administrative bureaucracy. 

Additionally, the resulting digitization of processes will imply the reduction of frictions in the relationships with customers, suppliers, users, and collaborators in such a way that they are given the best experience, avoiding abandonment in the middle of the processes by optimizing conversion.

Electronic contracting, signature, communication, and transactions

There are multiple use cases in which eIDAS can be applied. Not only does it improve security, trust, and agility in the processes we already know, but it also opens a new world of possibilities for organizations and companies to provide their services. 

Here are a few examples, among the hundreds that exist, of affected processes:

• Certified communications such as, for example, service registrations or cancellations, modifications in tariff changes, etc.
• Any electronic transaction and operation in the banking or financial sector, FinTechs, insurance companies, crypto-exchanges, or similar platforms.
• Contracting, commercial agreements, subscriptions, commitments, etc.
• Acceptance of conditions, signing of informed consents.
• The signing of labor contracts, work schedules, dismissals.
• Delivery of materials, purchases, spare parts.

These are some processes that have been completely transformed and that thanks to eIDAS and the solutions provided by Trust Services Providers no longer involve bureaucracy, obstacles, bureaucratic processes, or blockages in organizations, being carried out in an agile, fast, and inexpensive way.

Electronic Signature: types established in eIDAS

Directive 1999/93/EC already regulated the electronic signature, but it was not until eIDAS came into force that it took off, became legally official in all the states of the union, and was implemented as a standard for all types of processes that include a signature, such as contracting, acceptance of conditions or the registration of users and their associated procedures.

The three types of electronic signatures included in the regulation are:

• Simple Electronic Signature (SES): This is the most simple electronic signature. Data in electronic format must be logos attached to the document so that the signatory can accept the contents therein. 
• Advanced Electronic Signature(AES): This is the most versatile, widely used, and extended signature. Its creation must be done once having used data that the signer can use and that are under his exclusive use and control. For more legitimacy, the signature of the documentation must be unequivocally linked to the signer and allow its identification. It also must be sealed and linked to the data in such a way that if the document is altered or any minimum change is made, it will be registered.
• Qualified Electronic Signature (QES): Also known as the one based on a recognized certificate. It is used for transactions with public organizations. It contains all the specifications of the advanced one and differs from it in that it is issued by a certification authority and is created by a qualified device.

Why is eIDAS electronic seal important in regulations?

Electronic seals are used to confirm the authenticity of documents produced in digital environments, guaranteeing the origin and integrity of the data, in addition to certifying a record.

As with electronic signatures, there are three types of electronic seals established by eIDAS: simple, advanced, and qualified. The purpose of all three is again to ensure transparency and security in this type of operation.

The importance of the qualified seals is emphasized by the fact that it is aimed at companies, allowing them to create a signature to be validated by public administrations throughout Europe. It also allows to carry out transactions within the European internal market with full legal validity thanks to an independent type of eIDAS qualified certificate for electronic seals under PSD2 regulation.

Other standards linked to eIDAS

eIDAS establishes the necessary regulatory framework to offer trustworthy electronic services. However, a series of additional standards complement the regulation so that companies can operate on the Internet with total security, guarantees, and in the way that their business models need:

AML5 (Anti-Money Laundering)

AML5, or 5AMLD, is the fifth anti-money laundering directive. It standardizes the way in which companies - for example - in the banking and finance sector, can offer remote services. Thanks to AML5, digital onboarding or bank account opening can be performed entirely remotely if the requirements and processes established therein are met (KYC process).

KYC (Know Your Customer)

Although it is not a regulatory standard, KYC (Know Your Customer) corresponds to the process of verifying the identity of a subject who is not yet a customer to become one with guarantees and security.  For example, Tecalis includes the KYC process prior to the electronic signature to ensure that the person signing the document is who they say they are, giving the signature the greatest possible validity and making it legally and legitimately comparable to a face-to-face process.

PSD2 (Payments Services Directive)

eIDAS and PSD2 are closely linked since to comply with the requirements outlined in the latter it is necessary to have digital certificates based on eIDAS. These certificates make it possible to identify PSPs and banks, validate their functions and seal communications, transactions, or data. The NTS (Regulatory Technical Standards) set in PSD2 establish that Trust Service Providers are in charge of issuing eIDAS certificates for financial transactions.

Adapt to PSD2 with security and the support of an expert.

SCA (Strong Customer Authentication)

SCA is one of the requirements of PSD2. It corresponds to a series of specific standards that must be met related to authentication. A minimum of 2-factor authentication is required for online shopping or at any time banking data is entered.

Learn more about Tecalis authentication services here.

The future of Regulation 910/2014

Regulation 910/2014 turned 7 years old on July 23, 2021, and despite being updated and working properly, on May 6 of this same year Order ETD/465/2021 was approved, which standardizes the forms of remote identification via video for issuing qualified electronic certificates (closely linked to the KYC process).

Following this fact, the inclusion of the Order within the eIDAS Regulation is being considered, which would lead to a modification of it in order to establish an even broader legal framework for the European Digital Identity. This proposal, still under study by the Commission, is not definitive and is based on objectives such as the one that by 2030 the 80% of the European population should have their own personal electronic identification.

This same proposal to update eIDAS (colloquially known as "eIDAS 2") would also expand the catalogue of trust services to include electronic documentation archiving, attestation of attributes, or the creation of electronic ledgers.

Given this situation and seeing that the industry has responded very favourably to this proposal - which would only create value for citizens and users as well as for the public administration and companies by improving the current security and privacy environment - companies must have expert RegTech partners who are previously prepared so that their electronic signature and digital operations solutions can easily adapt to the new regulatory changes and take advantage of their opportunities.

eIDAS countries 

Although this is a European legal framework, any company - no matter the country - can operate under this regulation worldwide. Being compliant with eIDAS means that your digital identity processes and needs will be covered worldwide as this regulation is the most comprehensive one in the area. eIDAS countries benefit from this regulation, but any company in the world can also use it to grow and expand.

These are the countries where eIDAS fully and officially applies: Lithuania, Germany, Finland, Estonia, Holland, Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, and Spain.

Adapt to eIDAS with Tecalis

Tecalis, as a consolidated RegTech partner, accompanies its customers with solutions 100% adapted to eIDAS as well as its future modifications. As a Trust Services Provider, we secure and digitize any operation or activity regardless of the industry to which the company belongs.

Thanks to eIDAS, Tecalis has made dozens of businesses take off and has boosted productivity and savings in hundreds while transforming organizations in order to make them more secure, efficient, and scalable. Expanding business reach, multiplying deal closures, and reducing late-stage churn is now possible and achievable for any organization.

Tags