The eIDAS regulation stands for “Electronic Identification, Authentication, and Trust Services.”
eIDAS was initially established in 2014 as “Regulation 910/2014” and was later implemented across the entire EU on July 1, 2016.
The regulation sets a common legal basis for electronic identification and trust services throughout European Union member states.
Some of the trust services eIDAS governs include:
- Electronic identification (eID)
- Advanced and qualified electronic signatures
- Electronic transactions and seals
- Electronic time stamps
- One-time passwords (OTPs)
- Qualified website authentication certificates (QWACs)
- Electronic registered delivery services (ERDS)
- Validation services
- Qualified electronic seals
Let’s explore the key components and technical aspects of the eIDAS regulation.
Key takeaways
- eIDAS strengthens digital security through advanced electronic signatures, multifactor authentication (MFA), and precise time stamps. This ensures data integrity and origin verification, making electronic transactions more secure.
- The eIDAS regulation unifies electronic identification schemes across the EU and internal markets, enabling efficient cross-border transactions through standardized processes.
- eIDAS relies on accredited certificate authorities to validate the authenticity and security of signatures, seals, and certificates.
- Trust service providers must undergo regular audits to certify their eIDAS compliance, ensuring the legality and security of their services.
- This EU regulation streamlines interactions with public administrations and government agencies by providing standardized, user-friendly processes that reduce bureaucracy and simplify tasks such as tax filing, permit applications, and healthcare requests.
- eIDAS divides electronic signatures into three types: simple electronic signature (SES), advanced electronic signature (AES), and qualified electronic signature (QES).
How does eIDAS work?
In practice, eIDAS is a foundational framework for digitalizing cross-border interactions and transactions.
To truly grasp its inner components, we must dive deeper without getting lost in jargon.
Authentication procedures
eIDAS demands specific security checks to validate any data’s origin and integrity.
For instance, the MFA approach requires users to provide at least two different identification factors to access their accounts.
When you log into your online banking platform, you may be required to enter a combination of something you know (a PIN or secret word) and something you have (a smart card or mobile device).
OTPs are generated and sent to users via SMS or dedicated apps.
When individuals initiate transactions, they receive an OTP to enter within a limited timeframe.
These methods add an extra layer of security to electronic identification.
Trusted service providers (TSPs)
These entities offer validation services to confirm the authenticity and integrity of electronic time stamps, e-signatures, e-seals, and website authentication certificates.
A practical example of trustworthy service providers is the use of accredited certificate authorities (CAs).
These organizations follow strict security protocols to issue digital certificates for secure electronic transactions.
The protocols include the following key steps and types:
- Digital identity verification. CAs verify the identity of certificate applicants to ensure legitimacy.
- Key generation. CAs use highly secure methods to generate cryptographic keys for digital certificates.
- Certificate issuance. Upon verification, CAs issue digital certificates with the applicant’s public key and the CA’s digital signature.
- Key storage. Private keys are stored in highly secure hardware security modules (HSMs) to prevent theft or compromise.
- Certificate revocation. CAs maintain mechanisms for certificate revocation. Revoked certificates are added to certificate revocation lists (CRLs) and Online Certificate Status Protocol (OCSP) to exclude further usage.
- Compliance with standards. CAs adhere to industry standards defined in Certificate Policy (CP) and Certification Practice Statement (CPS) documents.
- Secure communication. All interactions between users and CAs are encrypted for data security.
When you encounter a website with a certificate from a qualified CA, you can be certain your data is encrypted and secure during online interactions.
DigiCert is a globally recognized CA that provides a wide range of digital certificates, including SSL/TLS certificates for website security and code signing certificates.
Their certificates are widely trusted and used by various websites and organizations to secure online communications.
GlobalSign is another prominent CA offering a variety of digital certificate solutions.
They are known for focusing on compliance with eIDAS and other global regulations, making them a trusted provider for organizations conducting business in Europe.
EU-based interoperability
Mutual recognition ensures that various electronic identification schemes from EU member states can coexist seamlessly.
This technical feat allows EU citizens to access online services and participate in cross-border business transactions with the utmost efficiency.
In the context of seamless interactions, eIDAS-compliant solutions facilitate the digital signing of contracts between companies in different countries.
For example, let’s say one company is located in France, and the other is in Germany.
Users from these diverse locations can easily sign documents online by receiving a notification, clicking a link, and securely signing the document with their qualified electronic signature.
Enhanced user experience
User experience is central to eIDAS’ technical approach.
The eIDAS regulation streamlines interactions with public authorities, government agencies, and other entities, making these services intuitive and secure.
As a citizen, when accessing public services, you can use your electronic IDs for a smooth and hassle-free experience.
This includes filing taxes, applying for permits, or accessing healthcare services with minimal effort.
Compliance and audits
Maintaining the integrity of eIDAS relies on compliance checks and in-depth audits.
Strict adherence to established rules and standards guarantees that electronic transactions are legally valid and secure.
These are the steps of a typical audit process for trust service providers:
- Engagement. Trust service providers hire accredited auditors from external, independent agencies to conduct eIDAS compliance audits.
- Preparation. Providers collect documentation, including policies, procedures, and security measures, to ensure they comply with eIDAS standards.
- On-site audit. Auditors visit the trust service provider’s facilities to review operations and assess security measures.
- Document review. Auditors scrutinize the provider’s policies, procedures, and documentation to ensure eIDAS compliance.
- Testing. Auditors perform security tests to evaluate the provider’s systems and ensure their reliability.
- Findings and recommendations. The audit results and recommendations are shared with the trust service provider.
- Report. Auditors generate a comprehensive audit report detailing the assessment and findings.
- Compliance certification. Providers receive certification, affirming their compliance with eIDAS regulations.
Electronic signature types and other critical components under eIDAS
First, it’s essential to clarify the difference between a digital and an electronic signature.
The key distinction lies in the level of security and authentication they provide.
- Digital signatures employ advanced cryptographic techniques to create a unique digital fingerprint for each document, ensuring its integrity and origin. They require the signer’s private key and provide a higher level of security, making them suitable for legally binding transactions.
- Electronic signatures encompass a broader range of methods, including scanned images of handwritten signatures or simple checkbox confirmations. They offer a lower level of security and are often used for less critical documents.
eIDAS classifies electronic signatures into three distinct types, each with varying levels of legality and security.
Simple electronic signature (SES)
A simple or basic electronic signature, often known as eSignature, is a digital way to say “I agree” or “I verify” agreement, authorization, or verification in digital form.
It can be as simple as typing your name in an email or sharing a scanned image of a handwritten signature.
Advanced electronic signature (AES)
An advanced electronic signature is a specific type of eSignature that meets certain regulatory criteria for enhanced security.
It typically involves a unique identifier associated with the signer.
It’s like having a unique secret code that proves you really signed a document.
AES can also be considered legal for some scenarios and applications.
Qualified electronic signature (QES)
A qualified electronic signature is the only signature type that holds a unique legal status within EU member states.
It’s considered the same as signing a document with a pen on paper.
To be considered a QES, it must meet the requirements of an advanced electronic signature and be supported by a certificate issued by a trust service provider listed on the EU Trusted List (ETL) and accredited by a European Union member state.
Feature | Simple electronic signature (SES) | Advanced electronic signature (AES) | Qualified electronic signature (QES) |
---|---|---|---|
Security | Basic level of security | Enhanced security | Highest level of security |
Legal validity | Widely accepted for general use | Widely accepted for most purposes | Legally equivalent to a handwritten signature |
Use cases | Common for non-critical documents | Suitable for most business needs | For highly sensitive and legal documents |
Authentication | Minimal digital identity verification | Stronger digital identity verification | Stringent digital identity verification |
Signature types accepted | Scanned images, simple checkmark | Advanced digital signatures | Qualified digital signatures |
Regulatory compliance | May not meet certain legal requirements | Compliant with many legal standards | Compliant with EU eIDAS regulations |
Recommended for | Informal agreements, basic document signing | Business contracts, financial transactions | Legal agreements, business contracts, government documents |
Electronic seals
Just as with electronic signatures, eIDAS establishes guidelines for electronic seals.
Electronic seals are exclusively used by legal persons, such as corporations and government entities.
They employ advanced cryptographic methods to validate the origin and integrity of electronic documents, making them suitable for official communications and data protection.
Qualified certificates
The eIDAS regulation defines the criteria for qualified certificates.
Qualified certificates link an individual’s or entity’s digital identity to their public key.
Issued by TSPs, qualified certificates ensure the trustworthiness of signatures and seals.
QWACs, or qualified website authentication certificates, are a specific type of qualified certificate utilized to secure communication between websites and users.
They are essential for ensuring secure online interactions.
* A public key is a cryptographic key shared publicly and used in asymmetric encryption systems. It allows for data encryption and decryption, with the public key being used for encryption and the private key for decryption.
** Linking an individual’s or entity’s identity to their public key involves verifying the certificate holder’s identity before issuing the qualified certificate. This verification process may include identity checks, such as confirming the person’s identity with official documents or verifying the legitimacy of a business entity.
Trusted lists
Trusted lists are updated directories of accredited TSPs, detailing service types and certificates, helping users make informed choices.
Secure signature creation devices
An SSCD is a tool for generating legally valid electronic signatures andprotecting private keys to ensure signature integrity, and used by trust service providers for transactions requiring qualified signatures.
How do I comply with eIDAS?
First, you need to understand its technical requirements and standards.
You may also want to explore electronic signature software solutions.
Their functionality features can help you on your journey:
- It offers seamless integration with eIDAS compliance
- You can collect eSignatures from anywhere
- Ensures document security and compliance with ESIGN, and SOC 2 Type II standards
- No important moments missed thanks to detailed notifications
- Streamlines your document creation with a vast template library
- Integrates e-signatures seamlessly into your existing tools
Let’s now delve into the technical details of each step.
Define eIDAS components
The first step is to gain a comprehensive understanding of the eIDAS regulation elements.
This includes the different types of signatures, seals, and their legal implications.
Organizations looking to provide qualified electronic signatures must ensure that a secure signature creation device (SSCD) complies with specific security requirements.
Adopt secure authentication methods
Ensure the implementation is both secure and reliable.
- For hashing, SHA-256 (or the more advanced SHA-3) provides robust security. Public-key cryptography relies on algorithms like RSA or ECC, with ECC gaining popularity due to its efficiency and security.
- Hardware security modules (HSMs) offer tamper-resistant storage and ensure that private keys remain confidential.
- Biometrics such as fingerprint scanning, facial recognition, or iris scans offer a multi-factor, highly secure authentication method.
*Think of hashing as creating a unique digital fingerprint for data, ensuring its safety. For another layer of security, companies rely on public-key cryptography. It’s like having a super-secure lock and key system for your digital world.
**SHA — secure hash algorithm, ECC — elliptic curve cryptography
Only qualified trust service providers
When acquiring digital certificates or trust services, ensure you work with qualified trust service providers recognized by eIDAS.
They must meet the strict criteria defined in eIDAS, including the issuance of qualified certificates (QCs) and adherence to associated technical standards.
Standards such as ETSI EN 319 401 are essential for ensuring the proper issuance of qualified certificates, while ETSI EN 319 411-1 specifies certification service requirements.
Check the legal validity of electronic signatures
While qualified electronic signatures have a high level of legal recognition, other types may also be legally binding in specific situations.
Each state may have specific requirements or regulations concerning the use of electronic signatures, making it essential to stay informed.
Data protection compliance
Implement secure data storage and transmission techniques.
Transport layer security (TLS) and secure sockets layer (SSL) are commonly used for encrypting data during transmission.
You can think of them as technologies that act like secure tunnels, ensuring your data travels safely over the internet.
TLS is considered more secure than SSL due to stronger cipher suites, improved cryptographic hash functions (like SHA-256), and enhanced security features in protocol versions, providing better resistance to known vulnerabilities and attacks.
When developing electronic identification solutions, adhere to privacy by design principles.
Privacy by design means proactively integrating data protection measures into every stage of system development.
It ensures privacy is the default setting, is user-friendly and transparent, adhering to principles like end-to-end security and user empowerment.
- Issues anticipated and addressed before they arise
- No extra steps — privacy is automatically embedded in the system
- Privacy measures throughout the entire data lifecycle
- Clear and transparent info about privacy practices
- Users have control over their own data and can make informed choices
This approach aligns your systems with General Data Protection Regulation (GDPR) requirements and ensures that personal data is handled securely.
Stay tuned
Regularly monitor updates to eIDAS technical standards and guidelines issued by the European Telecommunications Standards Institute (ETSI).
And subscribe to official EU notifications and eIDAS publications to stay informed.
Perform audits
Undergo regular audits and certifications to demonstrate your commitment to eIDAS compliance.
These audits evaluate your systems and services against the technical and legal standards specified in the regulation.
They provide a higher level of trust to users and partners.
For example, ISO 27001 is an internationally recognized standard for information security management systems (ISMS) that demonstrates your commitment to comprehensive security.
Consult legal experts
Collaborate with legal experts who possess a deep understanding of both EU law and the technical intricacies of eIDAS compliance.
Legal experts can navigate complex legal frameworks while ensuring you meet technical requirements.
Disclaimer
Parties other than PandaDoc may provide products, services, recommendations, or views on PandaDoc’s site (“Third Party Materials”). PandaDoc is not responsible for examining or evaluating such Third Party Materials and does not provide any warranties relating to the Third Party Materials. Links to such Third Party Materials are for your convenience and do not constitute an endorsement of such Third Party Materials.