eIDAS Regulation


    Regulation (EU) No 910/2014

    This Regulation was adopted on 23 July 2014, entered into force on 17 September 2014, and started applying from 1 July 2016. On 8 September 2015, the European Commission completed the adoption of all the implementing acts. In addition, starting September 29, 2018, all organizations delivering public digital services in any EU Member State must recognise electronic identification from all other Member States, and shall provide universal online access for EU citizens and organisations.

    Last Updated: July 30, 2019

  • General

    Building trust in the online environment is a cornerstone of economic development as it lays the foundations for electronic transactions that are necessary to foster efficient and trustworthy relationships between users and providers of public services. Electronic identification (eID) and trust services are considered key enablers for secure cross-border electronic transactions. However, as the Regulation states in recital 9, there is an electronic barrier that must be removed in order to allow users of electronic service providers to enjoy the benefits of the internal market: ‘in most cases, citizens cannot use their electronic identification to authenticate themselves in another Member State because the national electronic identification schemes in their country are not recognised in other Member States’. For this reason, one of the aims of this Regulation is to remove those barriers and to ensure cross-border access to services offered by Member States across the EU.

    The use of eID and trust services can provide a wide range of benefits to organisations across different sectors. For example, application of eID and trust services can benefit: financial services (e.g., to leverage on-boarding opportunities); online retail (e.g., to carry out stronger identification checks, provide the possibility of eSignatures and eTimestamps, and to increase consumer trust through qualified website authentication certificates); transport (e.g., providing a means for safeguarding secure business processes whilst eliminating redundant steps); professional services (e.g., using eID for a trusted verification of the identity of clients, to certify certain documents like sworn translations, or to send important documents through an electronic registered delivery service).

    Thus, the purpose of the eIDAS Regulation is two-fold: a) to ensure that people and businesses can use their own national eID schemes to access public services in other EU Member States where eID schemes are also available; and, b) to create a pan-European internal market for electronic trusted services by laying down the necessary conditions for legal certainty, i.e., ensuring that these services will work across borders and have the same legal status as traditional paper-based processes.

    Trust services are defined in Art. 3 of eIDAS Regulation. These are electronic services that are normally provided for remuneration, which consist of: the creation, verification, validation, and/or preservation of specific trust services. There are five specific types of trust service covered by the Regulation:
    1. electronic signatures;
    2. electronic seals;
    3. electronic time stamps;
    4. electronic registered delivery services; and,
    5. website authentication certificates.

    To say that a trust service is qualified means that a specific trust service meets the applicable requirements laid down both in the eIDAS Regulation and in the European Commission implementing Decisions and Regulations.

    The relevant implementing Regulation concerning eTrust Services is:
    Commission Implementing Regulation (EU) 2015/806 of 22 May 2015 on the form of the EU Trust Mark for Qualified Trust Services (whose objective is to foster transparency and confidence in the market by clearly distinguishing trusted services in general from qualified trusted services).

    The relevant implementing decisions for eTrust Services are:

    • Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists (trusted lists are essential for ensuring certainty and to consolidate trust among the market operators);
    • Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies (which facilitates cross-border transactions with public sector bodies in a different Member State and sets a method for the use of non-standardised formats); and,
    • Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices (which lists the standards for the security assessment of qualified signature and seal creation devices).

    Because proper identification is required in order to consolidate trust, the European Commission also issued two implementing Regulations in this regard: 1) Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification (whose aim is to enable EU citizens to carry out cross-border interactions with their own national eID means); and, 2) Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework (fostering practical connectivity and interoperability among Member States).

    The implementing decisions concerning eID means are:
    • Commission Implementing Decision (EU) 2015/296 of 24 February 2015 on procedural arrangements for Member States cooperation on eID; and,
    • Commission Implementing Decision (EU) 2015/1984 of 3 November 2015 defining the circumstances, formats and procedures of notification.
