From Vision Towards Reality: The Journey of Establishing a European Digital Identity
The EU's ambitious agenda for a digital single market
From the humble origins of Bank IDs and government-issued eID cards around the turn of the century, European digital identity has been evolving fast during the last years. A big contributor to this progress has been the EU Commission’s ambitious digital agenda. Programmes like Europe’s Digital Single Market and Digital Decade aim to set targets, incentivise multi-country projects and measure progress towards everyday use of digital services by 2030.
The first step towards defining and regulating electronic identification, authentication, and trust services (eIDAS) within the EU came into force in 2014. eIDAS 1 was successful in defining the Levels of Assurance (LoA) for identification and digital signatures and regulating the provisioning of trust services. Where it did not live up to its full promise was pushing EU member states to create national eIDs or a cross-border digital single market. The challenges were well documented in the arguments for launching the eIDAS update and the first eIDAS cross-border pilots by GSMA in 2015 and 2017 [1].
Upgrade and reboot of the existing regulation
The importance and need for a digital single market in the EU have increased over time. Given the shortcomings of eIDAS 1 and the slow progress of digital identity in most EU countries, a newly updated eIDAS 2 [2] regulation was introduced with the renewed ambition of bringing identity to Europe.
The aim is to deploy a national eID scheme in all EU member states, secure the acceptance of eIDs by the public and private sectors, enhance usage of cross-border authentication and data sharing and improve the user experience of eIDs and digital services.
EU Digital Identity (EUDI) wallets will be made available to all EU citizens, residents, and businesses by the Member States. The EU Commission’s initial target timeline is for the first wallets to be available in early 2025. The expectation today looks more like 2026 at the earliest and mass-market adoption takes time even in the best case.
EUDI wallets should enable easy authentication into public services, even across borders. Also, many important private services will be obliged to accept EUDI wallets. These include banking, payments and other use cases requiring strong authentication. In addition to authentication, the wallets will have electronic signature capabilities and be able to receive, store and share credentials such as a driver’s license, work permit, insurance cards, et cetera.
Universally adopted, accepted and interoperable digital identities in Europe will increase cross-border activity in the EU and improve its economic competitiveness. It would also help citizens’ lives when accessing services both at home and abroad. eIDAS 2 and other accompanying digital regulations [3] are meant to create a digital single market whilst safeguarding user rights and privacy. For the whole EU, the challenge is about the control of key digital infrastructure in the face of global competition from USA-based digital players.
Key elements of the new regulation
One fundamental, and often overlooked, element of the new eIDAS 2.0 regulation is bringing clarity on where EU citizen’s identity originates from. It comes from the national government, not the EU or private sector players. National identity is the anchor identity which private identity services can leverage for compliance and acceptance. This is already a major achievement.
The updated regulation issues detailed requirements, guidelines, and timetables on how and when all EU countries must have digital identity solutions available for citizens. It also defines and regulates authentication and Qualified Trust Service Providers (QTSPs) that are certified to meet the highest security standards. The scope of QTSP operations now covers e-signatures, electronics seals, timestamps, and certificate issuing. To support wallets, this list will be extended to include the issuing of attribute attestations.
A key part of the new regulation package is the development and piloting of EUDI wallets. Technical definitions, specifications, and the development of a reference implementation are ongoing and expected to be completed by early 2024. Four large-scale pilot consortiums formed by both governmental and industry organisations were approved for EU funding. Within these pilots focus use cases range from card and account payments to travel, organisational identities, healthcare, and driver licenses (more details on participating countries and use cases can be found here).
After piloting, the EUDI wallets will come into everyday use across the EU. EU member-states are obliged to make them available and issue LoA High digital identity attributes to their citizens and residents. These wallets can be government-issued or certified and must be accepted across countries. For users, wallets are free and enable authentication into public services. Private services are allowed and, in some cases, obliged to use the EUDI wallet and the attributes stored there. National implementations will differ. The long-term aim of the EU Commission is to reach 80% citizen coverage by 2030.
Impact for companies
Many of the goals of eIDAS 2 are still far in the future and awaiting implementation. There are several ways in which EUDI wallets may fail. Further discussion of the risks can be found in Jon Ølnes’ blog post from 2022. There are a lot of details that are still being worked at and therefore, discussing the impact for companies today is somewhat of a speculative endeavour.
One obvious area of impact is that digital identity will become more widely available and used in the EU. Several countries have existing Electronic Identity (eID) schemes that compete in the Identity Provider (IDP) market and charge service providers for user identification. These IDPs will face competition from the EUDI wallets and successful wallet solutions can be highly convenient, secure, and cost-efficient competitors.
It is also likely that EUDI wallets can and will be widely used for onboarding into private identity and payments wallets and other digital services. This “reusable onboarding” will be easier and cheaper than current KYC processes, especially in countries that do not have eIDs yet in wide use. It could mean considerable change for identity verification (eIDV) service providers.
Easier and cheaper onboarding of users across borders will increase competition in private digital services within both consumer and B2B domains. Digital challengers can attract and serve customers better within the whole EU single market, leaving slow-moving competitors at a disadvantage in scale and cost-efficiency. The use of electronic signatures, e-seals, e-timestamps and e-delivery solutions will increase in line with overall digital identity use due to the increasing security needs and requirements of service providers. Altogether, the EU will become a more unified, efficient, and competitive digital market if eIDAS 2 is successful.
What is Signicat doing to deliver the benefits to the customers?
Signicat is a leading digital identity service provider in Europe. Our services cover the full identity lifecycle – from onboarding and trust orchestration to authentication and signatures. Our ambition is to build technology that allows people to trust each other in the digital world.
The growth of the digital market holds great promise for Signicat’s customers. Companies that develop compelling digital services can expand their market focus to the whole of Europe on the back of eIDAS 2 changes. Cross-border identity proofing, authentication and digital signatures can deliver revenue growth and improve profitability. Signicat is already developing integrated digital identity solutions that cover all of Europe and with a global reach in identity proofing (KYC/KYB), trust orchestration, authentication, and digital signatures. One early example is Signicat Mint, a drag-and-drop solution for building secure business flows.
To prepare for this future, Signicat is actively participating in two of the four EUDI wallet large-scale pilots – the EU Digital Wallet Consortium (EWC) and the NOBID consortium. This allows us to work together with governments, wallet issuers, companies, and the wider ecosystem to develop and deliver the services needed by our customers in tomorrow’s digital single market.
Written in cooperation with Esther Makaay, Vice President Digital Identity at Signicat, and Jon Ølnes, Tribe lead and Product Manager at Signicat.
Sources:
[1] GSMA https://www.gsma.com/identity/mobile-connect-makes-headway-with-launch-of-cross-border-pilot and https://www.gsma.com/identity/wp-content/uploads/2018/02/Mobile-Connect-for-Cross-Border-Digital-Services-Lessons-Learned-from-the-eIDAS-Pilot_Feb2018.pdf
[2] European Commission https://digital-strategy.ec.europa.eu/en/policies/discover-eidas
[3] Other key digital regulations in the EU include the General Data Protection Regulation (GDPR) 2018, Cybersecurity Act 2019, Digital Services Act (DSA) 2023, Digital Markets Act (DMA) 2023