DS-05-2015: Trust eServices
The policy context: eIDAS Regulation
Cybersecurity & Privacy Innovation Forum 2015 Brussels, 28 April 2015
Andrea SERVIDA
Head of eIDAS Task Force, DG CONNECT, European Commission
The eIDAS Regulation (EU 910/2014)
Strengthens the EU Single Market by boosting trust and convenience in secure and seamless cross-border electronic transactions.
- Mutual recognition of e-identification means
- Electronic trust services (e-signatures, e-seals, e-registered delivery services, time stamping, website authentication)
- Electronic documents
Why does eIDAS target the cross-border dimension?
The existing legal framework, developed in 1999, had insufficient scope (it only covered e-signatures).
In the meantime:
- Electronic identification schemes and means were deployed and developed in the Member States' public sector environment
- New trust services emerged in national markets (e-seals, time stamps, e-registered delivery) or in the international environment (website authentication)
Such a situation created:
- Lack of cross-border technical interoperability
- Lack of common legal understanding
- National market silos
eIDAS cross-border dimension in the EU
- Over 14 million EU citizens are resident in another Member State (1)
- 21.6 million SMEs (2), of which more than 40% have cross-border activities (3)
(1) Memo of the European Commission of 25 November 2013 on "European Commission upholds free movement of people"
(2) Annual report on European SMEs 2013/2014
eIDAS vs digital identity
- Digital identity: "economic" drive; personal data = digital currency; user enablement
- eIDAS: "trust-building" drive; trusted assertions/credentials; personal data = private asset; user empowerment
- The Regulation does not impose the use of eID and trust services
Key principles on eID
- Mandatory cross-border recognition only to access public services
- Full autonomy for the private sector
- Principle of reciprocity relying on defined levels of assurance
- Interoperability framework
- Cooperation between Member States
Key principles on trust services
- Non-discrimination in Courts of electronic trust services vis-à-vis their paper equivalent
- Specific legal effects associated with qualified trust services
- Non-mandatory technical standards ensuring presumption of compliance
- Technological neutrality
Mandatory recognition of electronic identification
- Voluntary notification of eID schemes
- "Cooperation and interoperability" mechanism
- Liability rules
- Assurance levels: "high" and "substantial" (and "low")
- Interoperability framework
- Access to authentication capabilities: free of charge for public sector bodies, and according to national rules for private sector relying parties
Timeline 2014-2019
- 17.09.2014 - Entry into force of the Regulation
- 18.09.2015 - Voluntary recognition of eIDs
- 1.07.2016 - Date of application of rules for trust services
- 18.09.2018 - Mandatory
- Commission Implementing Decision (EU) 2015/296 of 24.02.2015: procedural arrangements for MS cooperation on eID (art. 12.7)
- By 01.07.2015: EU Trustmark for QTS (art. 23.3) - positive opinion of the eIDAS Committee on 8.4.2015
- By 18.09.2015: interoperability framework for eID (art. 12.8); eID levels of assurance (art. 8.3); trusted lists for QTSP (art. 22.5); formats of eSignatures (art. 27.4); formats of eSeals (art. 37.4)
- Additional IAs may also be adopted when appropriate (e.g. circumstances, formats and procedures for the notification of eID - art. 9.5)
The eIDAS informal expert group is composed of MS experts to help the Commission prepare secondary legislation.
- MS experts for eID and trust services
- 12 meetings so far; next on 12-13.05.2015
eIDAS Technical sub-groups are convened on technical discussions related to operational aspects of CEF - DSI.
- Organised and led by DIGIT
- Voluntary participation
- 3 meetings on technical aspects related to interoperability and security of eID
The "e-Mark U Trust" Competition
- 03.07.2014 - Launch of the e-Mark U Trust Competition
- 15.09.2014 - End of submission period
- 14.10.2014 - Public online voting
- 14.11.2014 - End of voting
- By 01.07.2015 - Adoption of the implementing act
The "e-Mark U Trust" Competition: the winner - "EU Safe"
Watch the Award ceremony with VP Andrus ANSIP
An eIDAS World
[Diagram: stakeholders' engagement to promote EU market solutions, arranged along regulatory, technical and market axes. Elements: eIDAS Regulation, Expert Group, Comitology, Implementing & Delegated acts, Negotiation with 3rd countries, CEF / DSI, R&D & LSPs, Standardisation activities, ENISA, Communication tools, Engagement events, Global industrial policy.]
Large Scale Pilots (LSPs)
- Interoperable e-procurement (PEPPOL): 19 partners, 11 countries, total budget 30.8 M€
- Electronic Identity (STORK I): 32 partners, 14 countries, total budget 26 M€
- Patient Summary / ePrescribing (epSOS): 47 partners, 23 countries, total budget 23 M€
- Business mobility (SPOCS): 33 partners, 16 countries, total budget 24 M€
- eJustice (e-CODEX): 17 partners, 15 countries, total budget 14 M€
- Electronic Identity (STORK II): 60 partners, 20 countries, total budget 18.7 M€
- Consolidation & extension of LSPs (e-SENS): 22 partners, 20 countries, total budget 27.4 M€
[Timeline 2008-2020: LSPs under CIP (STORK I & II, PEPPOL, epSOS, e-CODEX, SPOCS, e-SENS), followed by new LSPs under H2020 and the CEF / DSIs.]
Connecting Europe Facility (CEF)
Digital Service Infrastructures provide basic functionality: eID, eSignature, eDelivery, …
Standardisation mandate M460 by CEN and ETSI
1. Signature Creation & Validation: rules & procedures; formats; signature creation / validation protection profiles; XAdES (XML), CAdES (CMS), PAdES (PDF), AdES in mobile environments, ASiC (containers)
2. Signature Creation Devices: Common Criteria protection profiles for smart cards, HSMs, signing services
3. Cryptographic Suites: key generation, hash functions, signature algorithms, key lengths, ...
4. TSPs supporting eSignature: certificate authority, time-stamping, signing servers, validation services
5. Trust Application Service Providers
6. Trusted Lists Providers: list of TSP services approved (supervised) by national bodies (e.g. trusted lists)
ENISA Support for eIDAS
ENISA (European Agency for Network and Information Security):
- 2012: Report on implementing eIDAS art. 15
- 2013: Guidelines for Trust Service Providers
- 2014: Common audit schemes for trust service providers in MS; technical guidelines for independent auditing bodies and supervisory authorities
- 2015 focus on:
  - Technical guidelines for implementation of Art. 19
  - ENISA Forum for trust services' stakeholders (1st meeting 30/6/15)
  - Evaluation of standards
  - Introduction of qualified website authentication certificates
  - Awareness raising - European Cyber Security Month (Oct 2015)
For further information on eIDAS Regulation:
Web page on eIDAS
http://ec.europa.eu/digital-agenda/en/trust-services-and-eid
Impact assessment
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52012SC0135
Text of eIDAS Regulation in all languages
http://europa.eu/!ux73KG