Full Expert Analysis: The EU's Secure European e-Identity Initiative
Full expert analysis on the EU's Secure European e-Identity Initiative
On 16th September 2020, in her “State of the Union” speech to the European Parliament, EU Commission President Ursula von der Leyen proclaimed that “the Commission will soon propose a secure European e-identity”. In another statement, it was made clear that EU leaders “will ask the Commission to put forward a proposal for a ‘European Digital Identification’ initiative by mid-2021”.
Expert analysis by Jon Ølnes, Product Manager Nordics, Signicat
In this guide, we will cover the EU electronic identification (EU eID) from various angles and answer among others, the following questions:
- What is the EU electronic identity (eID) initiative?
- Will the EU issue an eID to all persons in the EU?
- Why is this idea coming up now?
- Will this, or when will this this happen, and will it work?
To summarize the key developments, the questions above are answered briefly below:
The target is an electronic identity (eID) scheme, meaning a system where eIDs from several issuers can work in an interoperable way. The EU eID will therefore not be a centrally issued eID to everyone in the EU. The timing for initiating the EU eID project is a due to the EU regulation which covers eID, the eIDAS Regulation, which is up for revision. The truth is that the eID part of eIDAS has not been that successful since it has been limited to public sector services and with very little practical use.
The “EU eID” initiative comes from the very top of the EU system, so it is clear that an EU eID will materialize however we anticipate, based on nearly two decades of experience following eID initiatives from a close distance, that the success will largely depend on the EU's ability to bridge the eID scheme with practical use cases. In any case, Signicat and our customers surely must have this on the radar on the 2-3-year horizon.
Until the proposal is published (this is expected to happen around summer 2021) we do not know with any certainty what the EU eID will look like. Some information and directions is however provided. Below, we look at direction and challenges for an EU eID, providing Signicat’s viewpoints and recommendations. The EU Commission will seek comments and inputs based on the initial proposal that will be published mid-2021 in which Signicat will take an active approach in the development of the EU eID.
Legal ground for an EU eID scheme
The eIDAS Regulation (Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market) separates electronic identity and eID from trust services, where trust services are mostly related to signing. At the time when eIDAS was approved, the viewpoint was that there was no EU mandate to regulate national identity. Thus, formally, the eIDAS part on eID only applies to public services and only for cross-border interaction. The EU clearly had hopes that the eID setup created to support eIDAS (notification of eIDs and an infrastructure consisting of national nodes) should be used in a broader scope but that never happened. One major outcome of eIDAS eID still remains: the assurance levels “substantial” and “high” for eID are to a large extent adopted by Member States in their national eID frameworks to effectively create a pan-European standard for eID assurance levels.
eIDAS is currently up for revision with a draft revised regulation expected to be published first quarter 2021. The rest of 2021 will be spent on consultations and revisions with a final version planned to be approved early 2022. It seems clear that a major proposed change will be “eID as a trust service”. This means that there will be “qualified eID service providers”. It remains to be seen if the output of these providers will be “qualified eID”, and in case what this will mean, or eIDs according to the current “substantial” and “high” levels. A trust service in eIDAS is “an electronic service normally provided for remuneration” and the trust service part of eIDAS is founded on the treaty of the internal market. This means that if eID services become trust services, the intention will be that services can be provided by commercial actors competing freely within the EU, as well as by public agencies.
To explicitly create a legal foundation for the EU eID, the Commission has indicated that a separate European digital identity act may be proposed. Presumably, this depends on whether or not a revised eIDAS regulation is sufficient to regulate the EU eID and cross-border eID in Europe.
Signicat strongly supports such a change in the eIDAS regulation. A major comment from our side is that the upcoming eID legislation must consider an ecosystem of actors and not only the eID issuers. We are ourselves a good example of an ecosystem actor with our Digital Idenity Hub integrating over 30 eIDs and eID schemes and making them available to Signicat customers over one API. This “broker” role may today be regulated at national level, thus Signicat is undergoing a broker certification in Denmark even though we have an existing certification in Finland. If the broker role is covered by a revised eIDAS, Signicat should be able to obtain one single “qualified broker certification” and use that to provide broker services anywhere in the EU. The role of broker/ecosystem provider must be defined in an abstract way to cover more than the hub model applied by Signicat.
Principles of the EU eID
Based on a presentation by Norbert Sagstetter, acting Head of Unit for eGovernment and Trust at the European Commission, the proposed EU eID will adhere to the following:
- Self-sovereign identity (SSI) inspired: meaning it will provide user-controlled release of information, but not necessarily be “pure SSI” the way this is usually defined, and it need not be based on blockchain technology.
- Attributes from trusted information sources: a study is ongoing to map availability of sources in Member States.
- Mobile-first and based on common standards: the EU Commission is considering if a secure identity wallet app shall be provided as a building block.
- Both public and private providers can participate.
- Universally available and universally useable: the EU Commission considers proposing a legal obligation for services to accept it.
Signicat supports the cautious approach to an SSI eID. While we fully support the principle of user control and ownership to data, a “pure SSI” solution that is practically useful and user friendly is still to be seen. Signicat has previously advocated the usefulness of an “identity custodian” approach, SSI with a trusted service provider for user support and recovery. Exposing ordinary users to an SSI approach where they are all on their own, will likely not to work.
A legal requirement for service providers to accept the EU eID should be carefully considered. Again, Signicat points to the need to regulate not only the eID provisioning, but the entire ecosystem consisting also of “broker-type” services. A common mistake, not least for SSI-based eID schemes, is to assume that this will be the only eID, so everybody will have it and every service provider will accept it. The reality is that many eIDs already exist in parallel and will continue to do so, probably for many years. As an example, the deployed eIDs of the Nordic and Baltic countries will need considerable change to fit with the above-mentioned principles of an EU eID. Since these eIDs today cover 95 % of the adult population and are used “everywhere”, the EU eID will not in the short term replace them. These and other eIDs and eID schemes will continue to exist, meaning a service provider either must integrate with many different eIDs or rely on “ecosystem providers” that can mediate access to many eIDs within one system.
Availability of trusted information sources may turn out to be a challenge. When asked, Mr. Sagstetter of the Commission replied that they assume that information is available in all Member States. This is no problem in countries such as the Nordics and Baltics that have population registers and otherwise a well-developed register infrastructure. But in other countries, trusted sources of personal data are today not readily available due to technical characteristics (e.g. distributed with no co-ordinated access) and legal obstacles (e.g. no access for actors in private sector). The quality of personal data can also be questioned, e.g. the ability of different Member States to uniquely identify their residents (see below for a discussion).
Through the Connecting Europe Facility (CEF) Digital initiative, the Commission has an established approach of making available building blocks for trust services and other services. Adding a wallet app for an EU eID scheme to the portfolio, can be a useful approach.
Architecture and technical realisation
Ronny Khan, Senior Innovation Manager at DNB, has published two articles on LinkedIn that in our view can be good references on the direction forward. The figure below from Ronny’s articles is based on a drawing presented by the Commission. This shows eID providers with access to trusted information sources on the left, and services on the right, with the user in control in the middle. Presumably, the eID providers will with the revised eIDAS be “qualified eID providers” that also adhere to the specifications for the EU eID scheme.
Signicat believes, as Ronny also shows in another figure, that an identity custodian role should be added to aid the user. Signicat also believes, in line with what we state earlier in this article, that there is a need for further ecosystem components between the user and the services meaning broker-type components that can integrate the EU eID and other eIDs in parallel and make these work together in a seamless way.
Signicat already integrates many trusted information sources in our broker platform and has a strong focus on such integrations. While the main purpose currently is on providing relevant information for KYC (Know Your Customer) and AML (Anti-Money-Laundry) for financial services, an observation is that with access to the same information sources as EU eID issuers, we can add attributes at the broker level of an identity ecosystem even for eIDs that do not adhere to the EU eID scheme.
Articles by Ronny Khan, Senior Innovation Manager, DNB:
There will be an EU eID but will there be an EU identity?
Identity today is a national matter in the EU. There is no “EU identity”. National identity is determined by citizenship, residency, rights, and obligations that a person has, meaning a person can have an identity in several Member States. Many Member States today in practice have no reliable way of uniquely identifying their residents in connection with electronic identity. Today, there is no way of linking national identities cross-borders. The only initiative we know of isThe Nordic-Baltic eID Project (NOBID) that aims to solve this within this region. This initiative solves the issue by registering foreign identifiers in population registers linked to the domestic national identity number. Obviously, this only works between countries that have national identity numbers.
The EU eID initiative should come up with a compelling way of solving the situation of linking national identities cross-borders, but it is going to be difficult. This links to the issue of trusted data sources, where data must be linked to a person that is uniquely identified even across data sources. The legal obstacles, sucah as in Germany for example, will be challenging and a European digital identity act overruling national principles will face opposition.
Cross-border eID work today – the problem is national deployment and use
Signicat’s eID hub today integrates over 30 eIDs and eID schemes covering 13 countries and territories. All these IDs are available over one Signicat API cross-border to customers in all markets that Signicat serves, in principle they are available globally. Expanding this to cover several times the number of eIDs is doable, if the eID providers use standard protocols such as today OIDC or SAML. Looking under the hood, the ecosystem approach has more layers; among the eID schemes integrated at Signicat are services like Yes (Germany), iDIN (Netherlands), and France Connect (France) which themselves serve as hubs for multiple eID issuers.
The challenge for EU eID today is that many Member States lack deployment of eIDs to a sufficient part of the population, or that deployed eIDs are not used in practice, or both. In Signicat’s view, a good benchmark can be that 90 % of the adult population possess a reusable eID and use it at least two times per week. This benchmark is met only by 5-6 countries in the EU/EEA area. Some more countries and regions, like the Benelux and Austria, are on their way and other countries, like Germany, France, and Italy, have a rapid increase in deployment. Then, there are countries like Spain with huge deployment of DNIe on the national ID card, but very limited use. All in all, there is a long way to go.
Are there other challenges? Certainly! Just to mention one, we are in this article looking at identity only from a combination of EU, national, and EU cross-border points of view. But the EU is only one region of the world, and there are other players out there looking at identity provisioning and use. Maybe the users and service providers will look elsewhere for their identity needs? The future will show.
A possible arrangement for an EU eID is that the role “qualified eID provider” is defined in the revised eIDAS regulation with mandatory acceptance of the related services all over the EU. Linked to the eIDAS rules applying to a qualified eID provider, there may be an implementing act specifying the EU eID scheme. This means one can become a qualified eID provider if one adheres to eIDAS and the scheme. And a rule can be stated in eIDAS that status as qualified eID provider will imply that one is allowed to integrate to the necessary information sources.
While this is a compelling way to get everything standardised on the EU eID scheme, it is also dangerous. If other eID providers, not adhering to the EU eID scheme, are not allowed to become qualified, their business will be seriously hampered. This includes actors that today offer solutions that are in practice critical society infrastructures of some Member States.
Signicat’s recommendation is to not limit a “qualified eID provider” to follow the EU eID scheme but open this role also to actors following other identity schemes. This should include an ecosystem approach where also “brokers”, in a broad interpretation of this term, can become qualified providers and get access to the defined information sources. The result will be a legal framework that enables innovation and scaling.
Signicat looks forward to further information on how the EU eID scheme will be specified and we are eager to actively contribute to making the initiative work in the best possible way.