eID and trust services regulation

This page collects the full set of amendments, the various documents from interest groups that I have received over the year (with links to the web pages of those interest groups), and a summary explanation of the changes I have introduced and why I believe they enhance the regulation.

The regulation has three parts: one part regulates electronic identification and authentication, another regulates trust services, and a third part contains various technical requirements for the activities undertaken by parties engaging in the activities regulated in the first two parts.

My proposals for strengthened security and improved privacy

I believe that specifying technical requirements is not a good political activity. It is better that politicians decide on general frameworks and principles for technology rather than on the specifics of its technical implementation.

Much like the Commission, I have identified the following political topics to be discussed inside the framework of this regulation: transparency issues (who needs to be transparent about what, and when), liability issues (who carries the responsibility when something goes wrong), data protection issues (what principles of privacy by design we would like to see in this sector) and accountability issues (how we ensure that all parties have the competencies they need to uphold the previous three requirements).

Summary of changes:
  • Stronger preference for privacy enhancing technologies added.
  • The notion of qualified trust service providers, and qualified trust services is removed.
  • Transparency requirements and market division on trust service providers are increased.
  • There has been a focus shift from technical requirements to political considerations.

My amendments

Full set of amendments:

Stronger preference for privacy enhancing technologies added

One major change in articles 3-7, and in many of the recitals, is that I have backed an authentication model. More specifically, I have tried to amend the regulation to leave space for, and encourage, the introduction of authentication based on attribute-based credentials. This builds on the European research projects FIDIS, PRIMELife and abc4Trust, all of which have been led from Germany but which nevertheless carry wider interest for the European Union because of their data-minimising and privacy-friendly approach.

While it cannot be mandatory for member states to implement privacy-friendly systems, it makes sense to encourage the adoption of privacy-friendly systems at a European level. Recitals 5, 6, 9, 11, 12, 13, 14 and 16, as well as articles 1(1), 1(2), 3(3), 6, 6(1)(a), 6(1)(b), 7, 7(1)(a), 7(1)(b) and 7(1)(e), are amended to place emphasis on authentication rather than identification while leaving open the possibility of identification. Articles 3(1), 3(1a), 3(1b), 3(2), 3(4a), 3(4b), 3(4c), 3(4d), 3(4e), 3(7)(a), 3(7)(b), 5, 6(1)(d), 6(1)(da) and 6(1)(e) are amended or introduced to place further emphasis on (voluntary) privacy-friendly electronic authentication mechanisms.

Transparency requirements and market division on trust service providers are increased

I have amended articles 7, 9, 10, 13, 15 and 16 to require better transparency in the operations and auditing of trust service providers and identification providers. This will ensure public awareness and provide a helpful tool for quickly remedying security failures. It also introduces a better-defined liability. Recital 24a proposes a better distribution of the trust chains used in eGov services and electronic authentication mechanisms.

The notion of qualified trust service providers, and qualified trust services is removed

I have taken out the concepts of qualified trust service provider, qualified certificate, qualified electronic seal, and the other qualified concepts from the regulation. Trust in a system is built by making it transparent and accountable for its failures. It is unlikely that a government authority, by providing an entity or service with a seal of qualification, will effectively replace the transparency and accountability provided for in articles 7, 9, 10, 13, 15 and 16 as amended.

This removal is applied consistently throughout the regulation and requires amendments to recitals 19, 22, 28, 31, 33, 34, 35, 36, 37, 40, 41, 42, 49 and 53, as well as articles 3(8), 3(11), 3(13), 3(15), 3(18), 3(22), 3(24), 3(26), 3(29), 3(30), 9(2), 10(1), 10(2), 13(2)(b), 13(2)(c), 13(3)(c), 16(1), 16(2) and 16(4). Articles 17 and 18, which relate only to the process whereby each member state becomes obliged to trust the other member states' qualified trust service providers, can also be deleted.

Focus shift from technical requirements to political considerations

Articles 19, 21, 22, 25, 26, 27, 29, 30, 31, 33, 35, 36 and 37 are deleted to ensure that the focus of the regulation is not technical standards but the political principles enshrined in articles 3-7 and 9-16. This also removes the need for annexes with further technical specifications, which are not suitable for a regulation.

Administrative measures and technical standards development mechanisms

Article 20 is preserved to ensure that forged electronic signatures are declared null and void, much like handwritten signatures. It is altered so that it does not interfere with other signature requirements in member states.

Articles 23 and 24 are kept, with the added feature that technical standardisation and requirements are left to a new standard-setting mechanism for the European Union based on article 37a (new), a new article which subjects electronic devices and signature technologies to the Union standard-making mechanism already present in, for instance, the New Approach. However, article 37a (new) also specifically makes use of the more flexible system for ICT standardisation enabled by the new Standards Directive, as approved by the Parliament in 2011, which entered into effect at the beginning of 2013.

Articles 28, 32 and 34 are deleted because there is no need to harmonise these matters at the European level at this time. The technologies are not yet widespread, and premature codification at the EU level may hold back technology development.

Stakeholder documents

Various papers from interest groups: