Digital Identity Wallet
The proposal for a revision of the eIDAS Regulation introduces the European Digital Identity Wallet (EUDIW) and defines the Wallet as "a product and service that allows the user to store identity data, credentials and attributes linked to her/his identity, to provide them to relying parties on request and to use them for authentication, online and offline, for a service in accordance with Article 6a; and to create qualified electronic signatures and seals".
The draft Regulation requires Member States to issue a European Digital Identity Wallet under a notified eID scheme to common technical standards following compulsory compliance assessment and voluntary certification within the European cybersecurity certification framework, as established by the Cybersecurity Act. It includes provisions to ensure that natural and legal persons shall have the possibility to securely request and obtain, store, combine and use person identification data and electronic attestations of attributes to authenticate online and offline and to allow access to goods and online public and private services under the user's control. This certification is without prejudice to the GDPR, in the sense that personal data processing operations relating to the European Digital Identity Wallet can only be certified pursuant to Articles 42 and 43 GDPR.
The proposal sets out in Article 6b specific provisions on the requirements applicable to relying parties for the prevention of fraud and to ensure the authentication of personal identification data and electronic attestations of attributes originating from the European Digital Identity Wallet.
Chapter III of the draft proposal introduces three new sections:
Electronic Identification Means
The eIDAS Regulation establishes a general legal framework for Electronic Identification Means and (the notification of) Electronic Identification Schemes by Member States.
An Electronic Identification Means is a material and/or immaterial unit containing person identification data and which is used for authentication for an online service. The Person Identification Data is a set of data enabling the identity of a natural or legal person, or a natural person representing a legal person, to be established. The Electronic Identification Means can be used to perform Electronic Identification, which is the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person.
In the context of eIDAS cross-border identification, a Member State can notify an Electronic Identification Scheme to enable Member State interoperability and allow citizens to authenticate and access e-Government applications in another Member State. An Electronic Identification Scheme is a system for electronic identification under which electronic identification means are issued to natural or legal persons, or natural persons representing legal persons.
The European Commission maintains the list of pre-notified and notified Electronic Identification Schemes.
Electronic Identification Means need to meet a Level of Assurance, as defined in Commission Implementing Regulation (EU) 2015/1502 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means. The Implementing Regulation defines 3 Levels of Assurance for Electronic Identification Means (Low, Substantial and High), for which the requirements are defined in the Annex of the Implementing Regulation: Technical specifications and procedures for assurance levels low, substantial and high for electronic identification means issued under a notified electronic identification scheme.
Trust Services
The eIDAS Regulation establishes a general legal framework for the use of trust services and trust service providers where a Trust Service means an electronic service normally provided for remuneration which consists of:
A Qualified Trust Service means a trust service that meets the applicable requirements laid down in the eIDAS Regulation. Trust Services are provided by Trust Service Providers, where a Qualified Trust Service Provider provides one or more qualified trust services and is granted the qualified status by the supervisory body.
The eIDAS Regulation aims to ensure a coherent framework with a view to providing a high level of security and legal certainty of trust services.
The eIDAS Regulation defines 3 types of Qualified Certificates:
- Qualified certificate for electronic signature is an electronic attestation which links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person, that is issued by a qualified trust service provider and meets the requirements laid down in Annex I of the Regulation;
- Qualified certificate for electronic seal is an electronic attestation that links electronic seal validation data to a legal person and confirms the name of that person, issued by a qualified trust service provider and meets the requirements laid down in Annex III;
- Qualified certificate for website authentication means an attestation that makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued, is issued by a qualified trust service provider and meets the requirements laid down in Annex IV.
The eIDAS Regulation also defines provisions for the Qualified Preservation and Qualified Validation for Qualified Electronic Signatures and Qualified Electronic Seals.
The eIDAS Regulation defines a Qualified Electronic time stamp as:
electronic time stamp means data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time and meets the following requirements:
- it binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;
- it is based on an accurate time source linked to Coordinated Universal Time; and
- it is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method.
The eIDAS Regulation defines a Qualified Electronic Registered Delivery Service as:
Electronic Registered Delivery Service means a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations, which meets the following requirements:
- they are provided by one or more qualified trust service provider(s);
- they ensure with a high level of confidence the identification of the sender;
- they ensure the identification of the addressee before the delivery of the data;
- the sending and receiving of data is secured by an advanced electronic signature or an advanced electronic seal of a qualified trust service provider in such a manner as to preclude the possibility of the data being changed undetectably;
- any change of the data needed for the purpose of sending or receiving the data is clearly indicated to the sender and addressee of the data;
- the date and time of sending, receiving and any change of data are indicated by a qualified electronic time stamp.