In June 2021, the European Commission published a proposed revision of the existing eIDAS regulation aimed at increasing availability and adoption of digital identity, curbing the increasingly dominant role of platforms, and meeting changing user expectations. While the revision is still at the draft stage and the specifics are currently being discussed, the potential impact on citizens, businesses and digital identity in Europe cannot be overlooked. This article provides an overview of some key eIDAS developments and their potential impact on the private sector.
What is eIDAS?
eIDAS is the EU regulation on electronic identification and trust services for electronic transactions in the EU, which entered into force in 2014. It was created as a means to facilitate secure and seamless electronic transactions within the European Union. eIDAS is seen as a key enabler for the Digital Single Market in Europe to facilitate the flow of commerce.
The original eIDAS falls short
Currently, only 14 EU member states have made their national digital identity solutions available for cross-border use within the EU through a process called ‘notification’, covering roughly 59% of the EU population. With the annual number of cross-border authentications only in the thousands, compared to millions at domestic level, the cross-border usage of the national solutions has been low. In addition, the role of platforms in online authentication has grown substantially in recent years. With the eIDAS revision, the EU aims to mitigate the risk of further market dominance of large online platforms, user lock-in and loss of control over data. The European Commission also acknowledges that the existing user-friendliness is poor. The lack of a common user interface, redirections in the authentication process and denial of service situations are all examples of a service that does not meet high user expectations on security and convenience.
Mandated availability and acceptance of wallets should drive the use of Digital Identity
The most significant change in the proposed eIDAS revision is the introduction of EU Digital Identity Wallets, which must be made available for all EU citizens. In contrast to the current situation under eIDAS, in which notification of an eID scheme by member states is voluntary, it will become mandatory for member states to provide EU Digital Identity Wallets to their citizens free of charge. Not only does the draft revision contain such a measure for providing EU Digital Identity Wallets, but it also extends mandated acceptance of such wallets beyond the public sector to private sector relying parties:
“Where private relying parties providing services are required by national or Union law to use strong user authentication for online identification, or where strong user authentication is required by contractual obligation, including in the areas of transport, energy, banking and financial services, social security, health, drinking water, postal services, digital infrastructure, education or telecommunications, private relying parties shall also accept the use of European Digital Identity Wallets issued in accordance with Article 6a”.
(proposed new article 12b pt. 2 in eIDAS revision)
In addition, the draft mentions that very large online platforms – i.e. online platforms that reach at least 45 million monthly active users in the European Union (which represents 10% of the 450 million consumers in the EU market) – will be mandated to accept the wallets at the user’s request. They will also have to respect the minimum attributes necessary for the specific online service for which authentication is requested, such as proof of age. Very large online platforms include marketplaces like eBay, Amazon and Zalando, and social media such as Facebook, YouTube, Twitter and Reddit, to name but a few.
Private sector may face major changes in digital identity implementation
If the above aspects of the draft revision proposal remain unchanged and the EU succeeds in realising its ambitions with the EU Digital Identity Wallet:
- All of the 27 member states will have to offer at least one wallet to their citizens.
- Government-issued attributes (such as name, date of birth or a unique identifier) will be available for these wallets.
- Mandated acceptance means that many public and private sector services will be accessible using these wallets.
Needless to say, this will create both opportunities and challenges for the private sector. The full impact on the private sector is not yet entirely clear, but relying parties should be aware of a number of points, as outlined below.
Standardisation efforts in the EU will determine the complexity of relying parties integrating with all wallets
Each member state is required to notify at least one wallet. Three options exist: a member state can notify a wallet issued by its own government, a wallet issued by the private sector, or both. To foster competition and freedom of choice for citizens, it is likely that some member states will notify multiple wallets from private-sector providers. This means there will be multiple wallets (more than 27) available in the EU for relying parties to accept. To prevent a heavy integration burden for private sector relying parties, it is likely that the current EU discussions on technical architecture will result in a single connection interface for relying parties. It remains to be seen how complex this connection interface will be and how it will affect the integration effort for private sector relying parties.
Without EU harmonised legal conditions, contracting between wallets and relying parties will be cumbersome
The second big obstacle for acceptance of wallets by private sector relying parties is contracting. Will numerous bilateral contracts be required between wallet providers and relying parties, or will the EU converge to a single or standardised legal contract that covers acceptance of all wallets? This is an important point to watch out for in further publications.
Exact scope of impacted relying parties is still uncertain as legislative wording leaves room for interpretation
It is still unclear which private relying parties will ultimately be subject to the mandated EU Digital Identity Wallet acceptance, since the scope of the revision refers only to relying parties that are required by national or Union law, or by a “contractual obligation”, to use “strong user authentication”. While legal obligations that follow from existing EU laws and regulations like GDPR and PSD2 are usually fairly straightforward for the parties involved, the scope of the term “contractual obligation” still requires clarification. For example, does a SaaS accounting product that applies strong user authentication because this is contractually agreed with the client need to accept all EU Digital Identity Wallets for authentication? Such an interpretation would mean that a huge number of businesses would be impacted by the eIDAS revision.
Without harmonised business models for wallets, relying parties can be confronted with unknown transactional costs
Another key point that will have to be clarified in the final regulation is the business model for wallet providers within eIDAS. As the wallet must be made available free of charge to citizens, wallet providers will likely turn to relying parties to generate revenue. Combining mandatory acceptance of all wallets by relying parties with unrestricted business models (and pricing) for wallet providers is clearly undesirable: relying parties would be obliged to accept wallets whose transaction pricing they have no leverage to negotiate, which can only result in high prices.
Keep an eye on the upcoming developments
For many relying parties, the eIDAS revision will have an impact on how they currently approach the digital identity of their customers. The topics covered in this article are some key examples of the current eIDAS discussion that could strongly impact relying parties. The exact extent of the impact depends largely on choices that still need to be made. Although the eIDAS revision itself is still at the draft stage, the European Commission has set an ambitious timeline for the implementation of the revision. The current deadline for publishing a toolbox for a European Digital Identity Framework – which should include the technical architecture and reference framework, common standards, guidelines, and best practices for EU Digital Identity Wallets – is in October 2022. This new initiative is highly likely to affect the business of relying parties in due course. Therefore, they should monitor the possible impact of the revision closely to avoid being blindsided by its implications.
With INNOPAY’s experience in bringing digital identity to life and our clear view on the current eIDAS revision, we are ideally placed to help relying parties prepare for the upcoming regulation which is set to change the identification and authentication landscape in Europe.