European Union introduces new legal framework for identity management

On 1 July 2016, the EU Regulation on Electronic Identification and Trust Services will enter into force. The new Regulation will replace the current legislation, which is based on the 1999 Directive on Electronic Signatures. The new Regulation will be the main legal framework regulating identity management services.

In this IDnext newsletter, I will look back on the current legislation and offer some glimpses into the new Regulation. In the next two issues of the newsletter, I will discuss the Regulation’s two domains: Electronic Identification for eGovernment services and Trust Services.

The problem with the 1999 Directive

The main rule of the 1999 Directive is that an electronic signature has the same legal effect as a handwritten signature. Although this may have made sense at the time, in hindsight it is questionable whether this is the best approach. While there is common ground, identification & authentication and signing are not the same. So if in practice only identification & authentication needs to be performed, the Directive has no added value. Confusingly, however, the Directive defines the electronic signature in part as a “method of authentication”, thereby mixing up identification & authentication with signing. Furthermore, from a legal point of view, signatures are only needed in specific situations. Merely stating that an electronic signature is “legally valid” is therefore meaningless on its own.

The fact that the Directive mixes up identification & authentication and signing can also be illustrated by the fact that the ETSI Technical Specification on qualified electronic signatures (ETSI TS 101 456) was quickly followed by the ETSI Technical Specification on the use of PKI certificates in general (ETSI TS 102 042).

The 1999 Directive also combines two complex subjects: PKI technology and the legal status of the signature. It is not easy to combine these two subjects in a meaningful way, as the following example shows. According to Dutch legislation, corporate board members need to file their signatures in the Chamber of Commerce’s commercial register. Pursuant to the 1999 Directive, Dutch law states that either a handwritten signature or an electronic signature can be filed. It makes no sense, of course, to file an electronic PKI signature: such a signature is unique to the message it is attached to, so a filed copy verifies nothing else. It would make more sense to file the certificate containing the public key, since that is the stable artefact against which any later signature can be checked.
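The point that a PKI signature is bound to one message while the public key (as carried in a certificate) is the stable, reusable artefact can be shown in a few lines. The following Go program is an added illustration, not code from the newsletter or from any eIDAS implementation; the key pair, the two sample documents and the use of ECDSA P-256 with SHA-256 are all constructed assumptions for the demonstration. It signs two different documents with the same key, shows that the signatures differ, and then verifies each signature using only the DER-encoded public key, which is the part a filed certificate would contain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Signer stands in for a board member's PKI key pair (constructed for this example).
type Signer struct {
	priv *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair.
func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Sign hashes the document and returns a DER-encoded ECDSA signature.
// The signature depends on the message (and on a fresh random nonce), so
// every document yields a different value: there is nothing stable to "file".
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// PublicKeyDER returns the SubjectPublicKeyInfo encoding of the public key,
// i.e. the stable artefact a certificate carries and that a register could file.
func (s *Signer) PublicKeyDER() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&s.priv.PublicKey)
}

// VerifyWithDER checks a signature over doc using only the filed public key.
// It returns false both for a wrong document and for a malformed signature.
func VerifyWithDER(pubDER, doc, sig []byte) (bool, error) {
	generic, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return false, err
	}
	pub, ok := generic.(*ecdsa.PublicKey)
	if !ok {
		return false, fmt.Errorf("filed key is not an ECDSA public key")
	}
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig), nil
}

func main() {
	signer, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Two constructed sample documents a board member might sign.
	accounts := []byte("annual accounts 2015")
	resolution := []byte("board resolution: appoint new director")

	sigA, _ := signer.Sign(accounts)
	sigB, _ := signer.Sign(resolution)
	pubDER, _ := signer.PublicKeyDER()

	fmt.Println("signature over accounts:  ", hex.EncodeToString(sigA)[:32], "...")
	fmt.Println("signature over resolution:", hex.EncodeToString(sigB)[:32], "...")
	fmt.Println("public key (stable):      ", hex.EncodeToString(pubDER)[:32], "...")

	okA, _ := VerifyWithDER(pubDER, accounts, sigA)
	okSwapped, _ := VerifyWithDER(pubDER, resolution, sigA)
	fmt.Println("accounts signature verifies against accounts:  ", okA)
	fmt.Println("accounts signature verifies against resolution:", okSwapped)
}
```

Run it twice and the two signature lines change every time while the public-key line stays the same, which is exactly why a register should hold the certificate rather than a signature.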

The Trust Services according to the Regulation

The Regulation introduces a catalogue of Trust Services. Trust Services are:
The electronic signature as introduced by the 1999 Directive will remain intact under the Regulation, but I feel some of the newly introduced Trust Services will be more useful than the electronic signature.

Cross-border authentication for eGovernment services

Recently, eGovernment services have been a driver for new developments in identity management. Specifically, there is a need to authenticate citizens and companies in cross-border eGovernment services. For instance, under the EU Services Directive, EU companies must be enabled to provide services in any other EU Member State, and any formalities (permits, licences etc.) need to be dealt with online. This creates a demand for reliable cross-border identification/authentication: the government body receiving a request for a permit or a licence needs to be able to authenticate the identity of the company making the request. However, neither the Services Directive nor the 1999 Electronic Signatures Directive provides a solution to this. The new Regulation makes it mandatory for public bodies to accept cross-border identification/authentication services that are provided under a scheme that has been properly notified to the European Commission. The Regulation also aims to support cross-border data transfers in healthcare.

The DigiNotar incident woke everybody up to the question of whether our system of supervision of certificate service providers is adequate. Shockingly, DigiNotar was in possession of an audit statement declaring that DigiNotar was compliant with parts of ETSI TS 101 456 and ETSI TS 102 042. This revealed that the system of supervision under the 1999 Directive might be considered inadequate.

Under the new Regulation, qualified Trust Service Providers have to provide the supervisory authority with a conformity report before they can provide Trust Services. After the initial report, qualified Trust Service Providers have to be audited at least every 24 months. The supervisory authority can also impose ad hoc audits. The European Commission is authorised to set standards as to how Trust Service Providers will be audited.

Marten Voulon

Marten Voulon is a legal researcher at Leiden University’s Center for Law in the Information Society (eLaw@Leiden), and a member of the Complaints & Disputes Committee of eRecognition (eHerkenning).