What to do: the European Electronic Identification Regulation eIDAS
On July 1, 2016, the eIDAS (electronic IDentification, Authentication and trust Services) regulation on electronic identification and trust services took effect in EU countries. It became effective after the adoption of Regulation (EU) No 910/2014 and the repeal of the 1999 eSignature Directive. The regulation establishes a common standard for electronic signatures, electronic seals, time stamps, eDelivery services and website authentication certificates.
Mandatory mutual recognition of electronic identifiers by EU countries has applied since September 29, 2018.
It would seem that the regulation is an internal affair of the EU, but in reality foreign counterparties who deal with European organizations also run into it. This is not limited to legal entities: even students entering European universities register and sign documents under eIDAS rules. The standard also applies to the activities of certification authorities.
Compliance with eIDAS is important for any natural or legal person who works in the European Union, using electronic signatures for identification and electronic transactions.
Interactive map of Trust Service Providers in the European Union. GlobalSign passed certification in Belgium and became one of the first global certification authorities to issue qualified certificates under eIDAS.
Although each country has its own identification and electronic digital signature (EDS) standards, eIDAS is a set of “best practices” that guarantees EDS compatibility at the European level, because all public organizations of the European Union are obliged to recognize qualified EDS from other countries. In the future, it is likely that eIDAS will expand its operation beyond the EU.
What is eIDAS
In short, eIDAS sets a single standard that hardware and software for generating digital signatures must meet. All tokens are subject to mandatory certification. For individuals, such a token can be, for example, an electronic passport or a smartphone, and for organizations, smart cards, USB tokens and other devices.
A common European EDS should have a single logical data structure. The token should be able to work with the EU Single Points of Contact, which handle online business operations between the countries of the Union. That is, documents submitted to one of these points of contact will be accepted and processed properly. For example, a citizen of one EU country can in this way submit a tax return or execute other documents in any other EU country by signing them with their eID token.
Article 22 of the eIDAS regulation obliges Member States to publish information about the qualified Trust Service Providers (QTSPs) for which they are responsible, along with information about the qualified trust services those providers offer. This information is published in so-called "trusted lists", and Commission Implementing Decision (EU) 2015/1505 determines the technical characteristics of these trusted lists.
Major changes in electronic signature law after the adoption of eIDAS:
- The legal status of a regulation (instead of a directive) makes it directly applicable across Europe without the need for incorporation into national law. Thus, all European digital signatures are now consistent and implemented according to a single standard.
- The possibility of introducing new technical solutions for remote signing. Electronic documents cannot be invalidated simply because they are electronic.
- The introduction of electronic seals available to legal entities, technically similar to the electronic signature. They ensure the identity and integrity of documents.
- Introduction of timestamps.
- Inclusion of national trusted lists.
- Qualified electronic signature verification service.
Although the eIDAS regulation has actually entered into force, its individual provisions will be adjusted as practical experience is gained.
Advanced and qualified signatures
eIDAS defines 3 types of electronic signatures:
- Simple: lets the user indicate agreement with the content of a document or contract; the user is not identified.
- Enhanced or Advanced (Advanced Electronic Signature, AdES): identifies the signer and is linked to the signed data so that any subsequent changes can be detected.
- Qualified (Qualified Electronic Signature, QES): created by a qualified electronic signature creation device and based on a qualified certificate for electronic signatures.
The difference between an advanced signature and a qualified signature is that advanced signatures can be accepted in other countries, and qualified signatures must be accepted in all EU countries (since September 29, 2018).
In conjunction with eIDAS, the European Commission's Decision 2015/1506 defines minimum formats for advanced electronic signatures and advanced seals that government agencies can recognize, to ensure cross-border compatibility of online services:
- XAdES baseline profile (ETSI TS 103171 v.2.1.1)
- CAdES baseline profile (ETSI TS 103171 v.2.2.1)
- PAdES baseline profile (ETSI TS 103171 v.2.2.2)
Electronic seals work like an EDS, but they can only be owned by legal entities. In addition, a seal can be assigned to a specific organizational unit, which makes it a suitable solution for certifying documents in electronic document management systems.
However, the eIDAS regulation does not allow signatures that are considered qualified under Russian law to be recognized as qualified. It “contains a number of additional requirements, the compliance with which allows the electronic signature to be qualified (and which are not provided for by Russian legislation, written on the basis of the early version of the European Directive). For example, the use of a highly secure signature device is required. From the point of view of European law, Russian qualified signatures are regarded precisely as enhanced electronic signatures on the basis of a qualified certificate.”
By implementing the eIDAS requirements and passing the compliance check, trust service providers can obtain the status of qualified providers (QTSPs) and enter the EU Trusted List. In October 2018, GlobalSign became one of the first global certification authorities to become a qualified provider. The accreditation was issued by the Belgian supervisory authority (FPS Economy) on October 11.
As defined in Article 3 of the eIDAS regulation, a “trust service” is an electronic service, usually provided for payment, that includes:
- a) the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates associated with these services; or
- b) the creation, verification and validation of certificates for website authentication; or
- c) the preservation of electronic signatures, seals or certificates associated with these services.
New qualified certificates for electronic signatures and seals from GlobalSign will be available in December 2018; more detailed information on this topic will appear at the same time.
Qualified certificates for electronic signatures and seals will be available to individuals and organizations through the deployment of a system based on GlobalSign tokens. In accordance with the requirements of eIDAS, a qualified certificate is stored on a qualified signature creation device (token).
QTSP status is the highest level of assurance for signatures. A qualified provider (QTSP) can issue qualified certificates for electronic signatures and seals. They have the same legal force as handwritten signatures and carry a presumption of the integrity and origin of the document. As noted above, all EU member states are required to recognize and accept these qualified certificates.
Thanks to the adoption of eIDAS, electronic document management is gradually becoming the standard in the European Union. It is expected that by 2020 EDS will overtake ordinary signatures as the main means of signing documents in the EU.