The eIDAS Regulation

Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) adopted on 23 July 2014 provides a predictable regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities.

The [eIDAS] Regulation mainly concerns public sector organisms and trust service providers established on the territory of the European Union. It establishes a European framework on electronic identification and trust services, in order to facilitate the emergence of the digital single market. It particularly covers the subject of the electronic signature and repeals Directive 1999/93/EC. ANSSI is one of the national bodies in charge of the implementation of this regulation.

Summary

BACKGROUND

The European Parliament and the European Council adopted, on 23 July 2014, the Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation).

The adoption of this regulation followed the relative lack of success of Directive 1999/93/EC on electronic signature. Several differences in the implementation of this Directive as well as technical choices made by Member States prevented the emergence of a common ground of interoperability which is necessary to ensure the development of cross-border interactions. This was stressed by the Commission at two different times in 2010 which led the European Council to invite the Commission to create a digital single market by 2015.

In June 2012, the Commission initiated works aimed at encouraging digital commerce in the Union with the purpose to adopt a regulation that would directly apply in Member States, without a implementation in their domestic law. More than two years of discussions have been necessary in order to achieve the final text of the regulation.

The eIDAS Regulation was published in the Official Journal of the European Union (OJ) on 28 August 2014, and it entered into force on 17 September 2014.
The eIDAS Regulation entered into force, for the majority of its provisions, on 1 July 2016. Mutual recognition of electronic identification means is mandatory since 29 September 2018.

SCOPE AND RECIPIENTS

The eIDAS Regulation applies to electronic identification, trust services and electronic documents, expanding the scope of Directive 1999/93/EC on electronic signature which it repeals. It aims at establishing an interoperability framework for the different systems implemented in Member States in order to promote the development of a digital trust market.

The Regulation provides requirements relating to the mutual recognition of electronic identification means as well as electronic signatures, for the transactions between public authorities and private users. It excludes internal transactions of administrations that have not a direct impact on third parties as well as private deeds.

PRIMARY MEASURES OF THE REGULATION

The eIDAS Regulation is essentially dedicated to electronic identification and trust services. It also deals with, to a lesser extent, electronic documents by granting them a legal effect.

The involvement of ANSSI in the implementation of the regulation is two-fold: as entity in charge of assessing the security for the “electronic identification” part and as the supervisory body for the “trust services” part.

Electronic identification

Purpose and principles of the “electronic identification” chapter of the regulation.

The eIDAS Regulation aims at establishing a mechanism of mutual recognition of identification means of Member States on all online services of others Member States.
In order to beneficiate from this mutual recognition, an identification means must:

Have been issued in accordance with an electronic identification scheme notified by the Member States concerned and appearing on the list published by the Commission.
According to the regulation, an electronic identification scheme is a system for electronic identification under which electronic identification means are issued to natural or legal persons. Member States can notify electronic identification schemes since September 29 , 2015.
Have an assurance level equal or superior to the one required by the public authority concerned to access this online service, provided that this level is “substantial” or “high”.
This mutual recognition only concerns public authorities which require, to access to one of their online services, the implementation of a notified electronic identification means.

Requirements applicable to the different assurance levels which are provided in the regulation are detailed in the Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015. These levels are granted according to the compliance with specifications, norms and minimal procedures. Three assurance levels are provided in the regulation:

Low: at this level, the purpose is simply to decrease the risk of misuse or alteration of the identity;
Substantial: at this level, the purpose is to decrease substantially the risk of misuse or alteration of the identity;
High: at this level, the purpose is to prevent misuse or alteration of the identity.

Mutual recognition of electronic identification means became mandatory since 29 September 2018.

Competent national bodies

In France:

the Direction interministérielle du numérique et du système d’information et de communication de l’État (DINSIC) ensures the unique point of contact regarding electronic identification ;
the National Cybersecurity Agency of France (ANSSI) is responsible for establishing the specifications for the requirements applicable to each assurance level as well as assessing the assurance level of electronic identification means.

Moreover, the eIDAS Cooperation Network has been implemented by the Commission Implementing Decision (EU) 2015/296 and provides notices following the peer reviewing process on electronic identification schemes notified by Member States. The notices are public and available via this link:
https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Opinions+of+the+Cooperation+Network

Trust services

Purpose and principles of the “trust services” chapter of the regulation.

The eIDAS Regulation also aims at establishing a legal framework for the use of trust services. It provides for requirements for trust services relating to electronic signature, electronic seal, electronic time stamp, electronic registered delivery and website authentication.

The Regulation sets a distinction between qualified trust services and non-qualified trust services. Qualified trust services fulfil particular requirements and can benefit from specific legal effects. Qualified trust services are provided by qualified trust service providers.

Qualified trust service providers are subjected to regular audits by conformity assessment bodies, accredited in accordance with the Regulation 765/2008 of 9 July 2008.The eIDAS Regulation applies since 1 July 2016 for trust services.

The list of qualified products and services by ANSSI is accessible on the tab “French trusted list”.

Qualified trust services provided in the regulation

Qualified trust services provided in the eIDAS Regulation are the following:

Qualified certificates issuance service for electronic signatures, electronic seals and website authentication;
- Qualified certificates for electronic signatures make it possible to certify the identity of the natural persons to who they have been issued, when the latter acts as the signatory.
- Qualified certificates for electronic seal make it possible to certify the identity of the legal persons to who they have been issued, when the latter acts as the creator of a seal.
- Qualified certificates for website authentication make it possible to certify the identity of the natural or legal persons to who they have been issued, as well as the name of the corresponding websites.

Qualified validation services for qualified electronic signatures and qualified electronic seals;
- Qualified validation services for qualified electronic signatures and qualified electronic seals make it possible to ensure the legal security of an electronic signature or seal by supplying a validation proof by a qualified third party.

Qualified preservation services for qualified electronic signatures and seals
- Qualified preservation services for qualified electronic signatures and seals make it possible to extend their reliability beyond the period of their technological validity.

Qualified electronic time stamp services;
- Qualified electronic time stamp services make it possible to certify the existence of an electronic data at a particular time. Such process can be used to create a shipping or reception date to a mail but, more broadly, to attest the existence of a data at a particular time, or the date of an action completed by an electronic means.

Qualified electronic registered delivery services;
- Qualified electronic registered delivery services make it possible to transmit data between third parties by electronic means providing proofs regarding the processing of the transmitted data, including their proof of sending and reception, and by protecting these data against the risk of loss, theft, alteration or any unauthorized modification.

The creation of a qualified “remote” electronic signature (or “server signing”) is not considered as a qualified trust service under the regulation.

Qualified products for electronic signature or electronic seal

The regulation specifies that qualified electronic signatures and qualified electronic seals are respectively created by means of:

Qualified electronic signature creation devices;
Qualified electronic seal creation devices.

In each Member States, the certification of conformity of these products to the requirements of the regulation is certified by a certification body designated at the European Commission.

The regulation provides for, in certain cases, the creation of signature or seal can be delegated to a trust service provider which ensures, for the signatory or the legitimate creator or a seal, the generation or the management of creation data of signature or seal. In this case, this trust service provider must be a qualified trust service provider under one of the qualified trust service provider cited above.

Competent national bodies

In France, the role of supervisory body for trust services is ensured by ANSSI. As such, it:

defines the technical modalities allowing the compliance with the regulation requirements;
ensures the qualification of trust service providers established on the French territory.

In addition, ANSSI ensures two others roles provided in the regulation:

It formulates and maintains the trusted list which classifies the qualified trust service providers and the services that they provide;
It ensures the conformity certification of qualified electronic signature or seal creation devices.

TECHNICAL DECLENSIONS OF THE REGULATION

Regarding its technical aspects, the eIDAS Regulation refers to implementing acts (listed in “Documentary databased related to the eIDAS Regulation”).

As part of Mandate M/460, which is an initiative of the European Commission aiming at providing a coordinate response on the subject of the deployment of a digital European single market, the ETSI (European Telecommunications Standards Institute) and the CEN (European Committee for Standardization) have been designated to create norms relating to trust services provided by eIDAS.

Some of these norms have already been published, others are still under development. When necessary, implementing acts refer directly to some existing norms (especially the ETSI norms regarding signature profiles and trusted lists).

Furthermore, the competent bodies in Member States can specify the technical modalities allowing to ensure the compliance with the regulation, in regards to electronic identification means and qualified trust services.

Documents published by ANSSI, specifying the technical modalities for electronic identification means notified by France as well as qualified trust service providers in France, are available in the dedicated section.

IMPACTS ON THE GENERAL SECURITY BASELINE

The General Security Baseline is still completely effective to exchanges between administrative bodies.

The General Security Baseline also applies to exchanges between administrative bodies and users, with an exception relating to the obligation of the mutual recognition of electronic identification means and of electronic signatures and seals provided in the eIDAS Regulation.

Further information relating to the articulation of the General Security Baseline with the eIDAS Regulation are available in the FAQ.

CONTACT

For any questions relating to a requirement rule set published by ANSSI, the point of contact is the one indicated in the respective document.

Preliminary questions relating to a conformity certification or qualification application shall be addressed to the Industrial Policy and Assistance Unit of ANSSI.

Questions relating to a conformity certification or qualification shall be addressed to the IA Products and Services Approval Unit of ANSSI.
Email addresses of these points of contact are available in the FAQ.