17.06.2024

eIDAS 2.0: what it says, what’s new, and the roadmap

The revision of the regulation is proceeding swiftly. Here is where it has reached and the points still to be clarified.

The European Union also has to deal with a market and socio-economic fabric that are constantly changing, revising its objectives and directives in light of these transformations.

In 2014, when the European eIDAS regulation (electronic IDentification, Authentication and trust Services) was established, one of the EU’s objectives was to provide all citizens with access to highly secure digital trust services and digital identities that could be used across Europe.

This goal has been achieved, but in a very uneven manner: despite Italy being among the “virtuous” countries where digital identity is more widespread among the population, only 14 EU member states have notified at least one digital identity system to the Commission. Currently, only 59% of European citizens possess a digital ID. Moreover, within the European context, there is little interoperability or consistency in both the accreditation methods for Qualified Trust Service Providers and the delivery methods of services.

The revision of eIDAS: why?

More broadly, the goal of revising eIDAS goes further: in addition to unifying the landscape of digital identities in terms of adoption, user experience, and security, the new eIDAS regulation also aims to restore sovereignty over personal data to citizens, in line with GDPR principles and in contrast to how big tech companies manage information. Furthermore, it aims to ensure equal conditions for the use of trust services across the EU: while Italy leads in terms of Qualified Trust Service Provider presence, in other countries this number is very limited.

In essence, the ultimate purpose of revising eIDAS is to increase interoperability and integrability of trust services within the EU, taking another step toward the unification of member states and laying the foundation for creating the European digital market.

The roadmap of eIDAS 2.0: where do we stand?

For these reasons, in June 2021, the Commission announced the revision of the eIDAS regulation, with the most anticipated and discussed updates focusing on the implementation of the European Digital Identity Wallet and the inclusion of compliant archiving among qualified trust services. Since the June announcement, the revision has made rapid progress: in early February 2022, a public hearing on the topic was held at the European Parliament, and on February 22 of the same year, the Union launched a call for proposals for the implementation of the European Digital Identity Framework.

On February 29, 2024, the revision was officially approved by the European Parliament and published in the Official Gazette on April 30, 2024.

Subsequently, within 12/24 months, the so-called “Implementing Acts” are expected to be published, and the new eIDAS regulation will officially come into force.

The most anticipated innovation: the EUDI Wallet

The European Digital Identity Wallet, as mentioned, is the most anticipated and “discussed” innovation of this regulation, or at least the one that will have the broadest impact on citizens’ lives beyond sector-specific operators. It will be a fully-fledged digital identity, similar to SPID (the Italian digital identity system), but mandatory across the EU and structured as a digital “wallet” where verifiable and certified documents and attributes such as passport details, birth certificate, driver’s license, and voter card can be stored.

Furthermore, adopting a model similar to Self Sovereign Identity based on Blockchain, the EUDI Wallet will enhance privacy and data protection, returning control over identity and shared information to users.

Coming soon: “qualified e-archiving”

The second major innovation of eIDAS 2.0 involves digital service providers and Qualified Trust Service Providers to a greater extent. Specifically, it introduces digital preservation (or “qualified e-archiving”) among trust services. This choice will certainly promote interoperability across countries, surpassing national regulations, and will also open up a new market within trust services.

From what has been published so far, there appear to be many points of intersection between eIDAS 2.0 and the CAD regulation on digital preservation that qualified archivers must adhere to. This presents a significant competitive advantage for all Italian service providers holding this certification.

The other innovations

As mentioned, to achieve the goal of European digitalization, the revised eIDAS not only maintains existing provisions but also adds to those already regulated in the first version (electronic signature, electronic seal, timestamp, website authentication certificate). It introduces additional trust services and expands the ecosystem to include:

  • Management of signature devices and Hardware Security Modules (HSMs), which will become a separate trust service;
  • The option for registration and storing of data on electronic ledgers (blockchain), already introduced in the first version;
  • “Validators” of certificates, electronic signatures, seals, and attestations will become fully qualified services;
  • Issuance of electronic attributes and attestations (which can then be used with the digital wallet).

Moreover, the new regulation will require all European countries to provide national databases to obtain reliable information about citizens, addressing current deficiencies or unreliability in Italy.

“The elephant in the room”: the role of SPID in the Digital Wallet

What sparks the most discussion at the eIDAS revision working tables, however, is the level of security (Level of Assurance, LoA) of the digital identities currently in use across European countries (including SPID and CIE) for citizens’ access to the European Digital Wallet. SPID, for instance, can be used with all three security levels provided (Low, Substantial, and High), but the majority of SPID identities currently in use in Italy are limited to level 2, Substantial. Conversely, some European countries other than Italy require access to the wallet to be limited to digital identities with a high level of assurance, which is already achieved by CIE.

Moreover, a recent decree will modify the user experience of CIE, making it much more similar to SPID. The concern is that, with the eIDAS revision, a significant portion of today’s SPID users in Italy might not be accepted for access to the digital wallet, a decision that could severely limit SPID’s future and potentially dissipate part of the investments, including private investments, made over these years.

In a recent article for Agenda Digitale, Matteo Panfilo, Chief Solutions Officer of Intesa, hopes that an Italian model for digital identities will finally be defined and that the Italian experience will be adequately valued.

“The legislative process will conclude in 2023 and – whether we like it or not – it could have significant impacts for our country, which, for what has been built in recent years, we hope can continue to be a European reference point in the future.”

However, the EUDI Wallet is already shaping up to be a major innovation in the field of digital identities, not only because of the numerous areas and use cases it can apply to but also because of its close attention to citizens’ privacy. The wallet will allow users to share only the information necessary to access the service. This represents a new paradigm in privacy management, far exceeding the experience of current use cases and approaching the model of Self Sovereign Identity.

Therefore, an absolutely crucial theme, considering SPID’s experience in Italy, is tied to the economic sustainability of the model. Specifically, it will be important to understand what opportunities the legislator intends to provide for the remuneration/costs for the various actors involved with the wallet (Wallet providers, PID, QTSP, Attribute Authorities, and Relying parties), and the related accounting/convention rules, considering the constraints imposed by privacy and the confidentiality of the information exchanged between the parties.

In summary, it is certain that a significant change in the management of digital identities will occur. For private service providers, it is time to initiate investments and strategies for adopting this tool.
