The European digital identity in active implementation
2022, a pivotal year: this year marks a high point in the constitution of the European Digital Identity, which is being implemented with the aim of facilitating and securing the daily activities of hundreds of millions of people and businesses.
In cooperation with industry partners, the European Commission and 27 Member States of the Union are in the process of defining the technical toolbox and regulatory framework for deploying the new digital identity by 2025.
The regulatory base
The regulatory base for the new digital identity is being developed from a revision of the eIDAS regulation – composed of 26 delegated or implementing acts – with a view to creating an eIDAS v2 that allows for European harmonisation.
The eIDAS regulation on electronic identification services was established in 2014 as the first identity legislation to introduce common standards for electronic identity in Europe, thereby enabling the mutual recognition of this type of identity among all countries in the Union. However, the actual application of eIDAS regulations across Member States has been mitigated, with clear differences observed between countries. A European Commission evaluation of eIDAS subsequently highlighted the need to modify the regulation.
On 3 June 2021, the Commission presented a proposal to revise the eIDAS framework, with the aim of enabling, by 2030, at least 80% of citizens to use a digital identity, between EU borders, to access public and private services.
The changes made to eIDAS 2 are substantial and complementary to electronic identification schemes developed by Member States, thereby allowing them to capitalise on investments already made.
The eIDAS regulation is a central element of digital identity, while also being closely linked to legislation related to digital services and markets, and cyber security (DSA, DMA, SRI 2). Indeed, such legislation will enable the creation of services based on digital identity, within a secure environment and under fair competitive conditions. For example, the legislation will allow the “EU ID Wallet” mobile application to have contactless access to external identification credentials, such as the French national electronic identity card.
The eIDAS 2 framework is open to all countries of the Union as well as to all businesses, in addition to offering the possibility of using mobile phones and apps as access tools. Once the new regulation is in place, natural persons and legal entities will be able to establish a link between their national digital identity and the proof of identity offered by other attributes or certificates. The wallets that will incorporate this identity will be provided by public authorities or private organisations that have been recognised by Member States.
Three key conditions have been defined by the European Commission for stakeholders of the future digital identity (namely, the Directorates-General of the European Commission, the Member States and their advisers):
- Improve mutual recognition between national digital identity schemes, as well as the sharing of notifications among Member States.
- Impose a condition whereby natural persons or legal entities have the sole power of controlling the storage and use of their digital identity, either through a phone or application, in accordance with common standards for identity data.
- Authorise private companies to offer digital identity services, provided that they apply the “trusted service” rules specific to each country of the Union in which they operate.
The new eIDAS proposal will require every nation to define at least one digital ID scheme within twelve months of the legislation taking effect.
The technical base
The second fundamental base for establishing the new digital identity consists of defining a technical “toolbox” for ensuring the deployment of viable, long-lasting solutions that respect fundamental European values: better protected personal data, interoperable solutions in line with international standards, access for all citizens. This toolbox supports the regulatory framework in that it aims to avoid issues of fragmentation and barriers arising from diverging standards.
The schedule for implementation is as follows:
- Since September 2021, the European Commission, through DG CONNECT, has been coordinating efforts to define the ARF technical framework (Architecture and Reference Framework) between the General Directorates of the Commission (DG Move, DG Home, DG Sante, ENISA, etc.), and Member State experts (eIDAS Expert Group), with support from the private sector.
- From the start of 2022, the general architecture, preferred standards, and main security requirements began to be defined, with a view to enabling the Commission to launch a call for projects in April. The aim of the call is to create a technical and functional basis that serves as a reference for future digital identity wallets implemented by Member States. In parallel, the definition and implementation of experimental use cases will begin.
- By mid-2022, specific details, standards, guides and best practices will be finalised, in particular with regard to four aspects:
- Activation and exchange of identity attributes between Member States and duly selected and authorised service operators.
- Functionality and security of the digital identity wallet.
- Reliability of the system, particularly in terms of the concordance of identity between countries and public authorities.
- Governance and security certification schemes.
- By the end of 2022, a complete toolbox and development framework will have been adopted by the countries of the Union and the European Commission. Each State of the European Union will then be free to develop its own projects, using the framework and tools defined by the ARF and eIDAS 2.
- In 2023, the definition of the implementing and delegated acts of eIDAS V2 will begin. These acts will specify the regulatory and technical frameworks for sectoral or technical specificities: for example, trusted services for the health and transport sectors, driving licences, border control, payment systems and financial transactions, diplomas, and certifications or attestations related to education or training.
The call for project of 15 February 2022
To facilitate the implementation of the European digital identity framework, the European Commission published, on 15 February, a call for project funding, titled “DIGITAL-2022-DEPLOY-02-ELECTRONIC-ID”. The objective is to develop and implement interoperable solutions in pre-production mode, by conducting transnational use case experiments, as well as prepare Member State deployment of EU ID wallets, with the involvement of public and private services and the exchange of qualified attributes. The call for projects also includes a standardisation and services component of the first European public blockchain (“DIGITAL-2022-DEPLOY-02-EBSI-SERVICES").
The European digital identity will therefore materialise in the coming months for many European citizens.
The future European digital identity:
- Lays the foundation for a digital identity wallet for all EU citizens, residents and businesses.
- Is based on legal identity characteristics defined by Member States.
- Covers the different uses of identification (in the public and private sectors) as well as activation of digital certificates (with Europe-wide validity and based on a set of minimal and essential verified attributes).
- Extends the list of eIDAS trusted services to three new areas: electronic archiving, electronic registers, and remote electronic signature management and seal creation systems.
- Transforms identification schemes that are difficult to interoperate into standardised schemes on a European scale.
- Provides a toolbox and framework for identity development that share common standards, high security levels, and respect for privacy.
The role of IN Groupe
As a global specialist in identity and secure digital services, IN Groupe supports European institutions and French state services involved in the future European digital identity. As a member of the Alliance for Digital Trust (ACN), IN Groupe advises on issues of technical architecture, technological choices, and interoperability between digital identification and authentication systems. And as a member of the Eurosmart Association, IN Groupe participates in European debates on digital security.