19.10.2023 01:59 AM

Unveiling eIDAS 2.0: The Dawn of the EUDI Wallet Era

Introduction to eIDAS

In an age where digital interactions have become the norm, unlocking a secure, efficient, and legally sound way to navigate the online world has never been more critical. The conception of digital identity solutions dates back to the early 2000s, when several European countries started adopting initiatives to facilitate electronic interactions and e-government services. However, those early prototypes were often fragmented and lacked cross-border interoperability, urging the European Commission to eventually consolidate a unified approach to digital identity and trust services. As a result, the “Digital Agenda for Europe” was introduced in 2010, outlining the vision for a single European digital market. Two years later, the first proposal of the eIDAS (electronic IDentification, Authentication, and trust Services) regulation was released, aiming to provide a common framework for electronic identification and transactions within the internal market. The revised version of the regulation became fully applicable in 2016 with the member states being required to implement it into their national laws. However, it was not until 2018 that eIDAS was finally extended to include the provisions on electronic identification (eID). While the previously established framework recognized a limited range of electronic documents, such as signatures, seals and time stamps, the expansion allowed for the mutual recognition of national eID schemes across EU member states, enhancing cross-border interoperability.

In practice, the significance of this initiative translates into the implementation of services like DigiD. This particular electronic authentication system used in the Netherlands allows Dutch residents and businesses to securely access various online services provided by government agencies and other organizations from the European Economic Area (EEA) countries. Similarly, SPID, the Public System for Digital Identity in Italy, makes it possible for a citizen to use their username and password to access public services online in the Netherlands, and vice versa.

Aside from the obvious feature of providing users with a unique digital identity and subsequent access to a range of online government services, such software programs offer an array of key functions. For instance, multi-level assurance allows users to opt for a level of security that fits the requirements of a specific online transaction. The higher the level, the more secure the identification and authentication process. Services such as SPID and DigiD were designed to promote the interoperability of digital identity, ensuring that users can access the platforms seamlessly across European borders. At the same time, user privacy and data protection are also being considered. These useful digital intermediaries strictly comply with relevant regulations to safeguard personal information and digital interactions.

All of these advantages are owed to the eIDAS regulation that has been changed since 2014 and continues to evolve until the present day as digital technologies and practices advance. The key objective behind the regulation is building a seamless and trustworthy digital environment in the EU, supporting e-commerce, e-government, and numerous other online applications. Nonetheless, some would argue that the roll-out of eIDAS as the first pan-European identity scheme has not been wildly successful. The challenges hindering wider implementation include an overly complex technical architecture, restricted private sector use, a poor user interface, and a small and inflexible data set.

Fortunately, the recent updates and amendments were made to address emerging challenges and align with new technological developments, as the European Commission published the latest proposal for a revised eIDAS 2.0. The improved regulation is projected to facilitate more widespread acceptance of electronic services across all EU members. Particularly, there has been some reluctance to adopt the use of electronic signatures, especially by financial institutions. Recently, however, there has been a rise in the use of digital signatures with the global eSignature market projected to reach almost 26.6% CAGR over the next nine years, according to Prescient & Strategic Intelligence. Consequently, eIDAS2 has set the objective of increasing the current adoption rate of digital identity services by citizens from 59% to 80% by the year 2030.

Furthermore, the updated regulation also includes additional types of electronic trust services. While the original regulation only applied to e-signatures, electronic seals, and electronic timestamps, eIDAS 2.0 has been expanded to cover e-registered delivery services, e-certificates for authentication, and seals for electronic documents.

Unveiling the EUDI Wallet: Characteristics and Impact

A central part of eIDAS 2.0 is the European Digital Identity (EUDI) Wallet, a mobile app that has to be made available to all EU citizens around two years after the revision of the regulation has been ratified. The primary objective of the proposed EUDI Wallet is to guarantee access to trusted digital identities for all Europeans, allowing users to be in control of their own online interactions and presence. In other words, the EUDI Wallet enables users to securely store and use their digital identities throughout Europe, with full and sole control over their data. Users will then be able to access services from any Member State’s public institutions without the need for additional physical documentation. According to the eIDAS 2.0 proposal, the authenticity and integrity of attributes will be confirmed by using electronic attestation of attributes. The EUDI Wallet will also cover attestations of credentials such as driver’s licences, university diplomas, and personal information like banking cards and services. The EUDI Wallet should also allow users to access a variety of online private and public services and sign documents with qualified electronic signatures and seals (QES).

The EUDI Wallet can be issued directly by a government department or a private-sector provider commissioned by the government. The pilot implementation suggests the coverage of various sectors, such as healthcare, financial services, education, and transport. Based on those prospects, the future users can expect the Digital Wallet service to be integrated by banks, telecoms, and utilities.

There are several issuers of identity information, as illustrated by the figure above. The EUDI Wallet has the functionality of receiving, storing, and presenting this data. Public institutions, their representatives, or commercial enterprises, such as banks or airlines, that are obligated by law to identify their clients may ask a citizen to provide such information.

In summary, the EUDI Wallet will enable:

  • both identification and authentication
  • the verification of third parties
  • the storage and presentation of verifiable identity data
  • the creation of qualified electronic signatures

With digital identity wallets being an integral part of the new eIDAS 2.0, it is clear that the regulation is moving from primarily focusing on G2B to include a stronger emphasis on the private sector. The refined objective is to provide an increased level of control over personal information and the data that can be shared with a service requesting the users’ identity attributes. Currently, the ambition set for EUDI is to attain the “high” level of assurance (LoA). The LoA indicates how much a provider of a credential is confident in that credential’s validity and reliability.

Impact of eIDAS 2.0 on Larger Corporations

The latest eIDAS 2.0 draft was released on June 3, 2021, to address the former version’s deficiencies and implement a process that will make it much simpler to create a recognized digital identity. However, the implementation of the new regulation has yet to be carried out. It is expected to come into effect by the end of 2026, when all EU Member States will be directly bound by and must comply with the regulation to ensure that a Digital Identity Wallet is available to all EU citizens, residents, and businesses. Still, there are already several things to look out for.

One of the main challenges faced by eIDAS 2.0 is the need to ensure that the regulation is implemented consistently across all EU member states. The original eIDAS implementation has varied across different member states, which has led to inconsistencies and difficulties in using electronic identification and trust services. When it comes to cross-border business opportunities, eIDAS 2.0 offers increased efficiency and security, alongside improved user experience. Given that the regulation promotes interoperability across the 27 EU Member States, the list of additional benefits that could be of interest to enterprises extends to the following:

  • The administrative burden is reduced when conducting business electronically with other companies, clients, and regulatory bodies.
  • Business processes additionally become more efficient, resulting in significant cost savings and increased profits.
  • Safer electronic transactions further enhance trust among consumers and expand the potential customer base.

Both large and small businesses can use eIDAS systems to facilitate business-to-business and business-to-consumer transactions. Enterprises have the chance to conduct more reliable documentation verification checks on clients and fellow companies thanks to the strengthened regulation.

This is especially beneficial when trading restricted goods, like alcohol, for high-value transactions, like the sale of artwork, and transfers of sizable sums of money. Additionally, it gives customers and businesses in other EU nations a reliable way to be identified, enabling firms to access new markets and increase the size of their customer base.

We have already laid out general benefits of introducing electronic identification and trust services into your business. Those come in the form of better user experience and consequent increase in customer loyalty, improved security and liability standards, topped off by greater efficiency gains through reduced process cycles and large-scale automation. The next question that is raised is which eID and trust service solutions best suit your business needs. For that purpose, below we have listed the core trust services covered by eIDAS 2.0 that might be useful for better interpretation of the framework:

  • eID is used for a trusted verification of the identity of clients in order to establish a contractual relationship and comply with Know Your Customer requirements.
  • eS (Electronic Signature) captures the signatory’s intent to be legally bound by the signed document.
  • eT (Electronic Timestamp) helps bind other electronic data to a particular time, establishing evidence that the latter data existed at that time; both eSignature and eTimestamp allow lawyers to perform digital contractual agreements that are legally binding.
  • eSe (Electronic Seal) is typically attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity.
  • ERDS (Electronic Registered Delivery Service) electronically transmits data between third parties, leaving traces of evidence regarding the handling of the said data; allows any professional to share important documents with minimised risk of loss, theft, damage, or alterations.
  • QWAC (Qualified Web Authentication Certificate) comes in the form of an attestation that allows for authentication of a website, linking it to the natural or legal person to whom the certificate has been issued; “qualified” in this context implies that the service meets the applicable requirements laid down in the eIDAS Regulation.

How Lissi will help Companies comply with eIDAS 2.0

From electronic attribute attestations (EAAs) to versatile use cases, the EUDI Wallet is poised to transform the way businesses manage digital credentials and access management. To further dissect its key advantages and primary functions, we will take a look at one such software tool that positions itself as a valuable addition to the digital toolkit of forward-thinking organisations.

Lissi provides software applications for companies and organisations to receive, organise and issue verifiable credentials. This includes applications for organisations and the Lissi Wallet for end-users.

Currently, the tool offers the issuance of electronic attribute attestations, also known as verifiable credentials. This aligns with the architecture reference framework established as the common EU Toolbox. By providing a trusted and standardized way to issue EAAs, Lissi Wallet ensures that your organisation can operate in compliance with regulatory requirements while fostering trust and reliability.

In addition to issuance, Lissi makes it possible to verify the authenticity and validity of EAAs, a crucial step for secure and efficient operations. The tool offers robust verification capabilities for various credentialing processes, including employee credentials, customer cards and access management.

The versatile deployment options of the Wallet make it so that a Software as a Service (SaaS) solution can be easily tested, allowing organisations to explore its capabilities without the need for extensive infrastructure investment. For productive use cases, Lissi can also run on-premise, catering to diverse operational requirements.

The software has already made significant strides with 35 successful pilots. In the near future, Lissi Wallet will offer productive software that aligns with the current eIDAS Architecture Reference Framework (ARF), scheduled for release in Q2 2024. With proven pilots and a commitment to compliance with the evolving eIDAS framework, companies can rely on Lissi as a trusted solution to drive efficiency, security, and innovation for businesses in the digital age.

Further Opportunities of eIDAS 2.0

If properly implemented, eIDAS 2.0 offers a wealth of potential for the use cases of digital wallets and electronic attribute attestations, which will further expand the architecture of digital trust. In this section, we discuss the affirmative outlook that might be eventually realized by the revised regulation:

  • Revenue potential

While EC regulations often tend to be regarded as intimidating due to their costly and time-consuming nature, the case of eIDAS 2.0 does not necessarily have to follow that pattern. Businesses now have the chance to completely reinvent their online user interfaces and switch from multistep form filling to a single-step onboarding. In terms of benefits, that suggests that the number of abandoned checkouts will decline while the costs for onboarding will decrease. Fraud rates can be expected to fall as well. Additionally, the user experience will be far simpler. Naturally, businesses that implement these new capabilities will have a substantial advantage over their competitors.

  • Person-to-person verification 

There should be more to eIDAS 2.0 than just governmental and organisational applications: the regulation ought to increase interpersonal trust as well. The technology and protocols that will enable eIDAS 2.0 can be used for person-to-person verification just as readily as they can be applied for person-to-organisation verification. Confidence between individuals could be fostered, as you would be able to verify the identity of the utility person when they knock on your door while confirming that they are duly employed and trained. Similarly, you should be able to verify a photographer’s credentials and that they are authorised to work with minors when you engage them to document your kids’ birthday celebration. It is important to know that, as of the current status, there is no definite specification for the person-to-person use cases included in eIDAS.

  • Secure messaging 

The safe, mutually verified relationships that the technologies underlying digital credentials establish between two parties allow for much more than merely the exchange of information, which is a sometimes underappreciated feature of these technologies. Without a third party, like WhatsApp, Google, or Apple, in the middle, the respective parties can exchange messages via peer-to-peer encrypted connections. Additionally, one would have control over who may send them messages and be able to determine right away if there is a risk of falling victim to a scam scheme.

Conclusion and Outlook

Observing the global consequences sprung by the introduction of the GDPR, it would appear that the eIDAS trust framework is anticipated to have an even more significant impact on the daily lives of European citizens and beyond. Given that the publication of the toolbox has already laid out the key technical elements along with more thorough legal and business conditions, one thing is obvious: EUDI Wallets are the way of the future. Similar to how GDPR forced the internet to recognize the data protection rights of users, the eIDAS regulation will set the foundation for digital identity and identity wallets on a global scale.

While the majority of citizens in a few European Member States, including Sweden and Estonia, already employ an advanced framework for digital IDs, this doesn’t reflect the reality for the fellow EU members. Thanks to eIDAS 2.0, those that fall behind have the opportunity to catch up with the current structures. The Digital Markets Act classifies a platform as such once it reaches 45 million monthly active users in the European Union, which is equivalent to 10% of the European citizens. This resolves the fundamental challenge of a two-sided market in which both issuers and consumers seek the presence of the other party prior to entering. The phenomenon is known as network effects. In multi-sided platforms, it occurs when one side of the platform is hesitant to adopt or use the platform until there is a critical mass of users or participants on the other side. For instance, both Facebook and Google rely on network effects, where the more users they have, the more valuable they become to advertisers. As such, attracting and retaining users is crucial. If users leave due to a poor experience, it can lead to a cascading effect of advertisers reducing their investment. At the same time, unless both platforms manage to offer substantial value to the users, they are jeopardizing their business model that is primarily based on generating revenue through advertising.

As mandated by the revision of eIDAS regulation, the acceptance of EUDI Wallet will be tested in a number of Large Scale Pilots that cover all the major sectors, including healthcare, financial services, education, and transport.

Additionally, there is an immense potential for Europe as a whole to standardise user-centric identification and authentication procedures while upholding privacy and citizen control. This will make it easier for both the public and private sectors to capitalise on digital services. Public organisations and commercial market players will be able to better connect with customers as a result of the harmonisation of legislation and technology on a pan-European scale.

Through automation, verifiable data, adaptability, and the availability of a shared infrastructure, the legislation has the potential to greatly improve processes. Overall, the holistic solution the European Commission provides with the eIDAS framework makes it a global vanguard in forging trustworthy interactions between all stakeholders while also preserving privacy, security, and transparency for its citizens.

Yet, despite the positive advancements brought by the revision of the eIDAS regulation, it is essential to acknowledge that some uncertainties still persist. While the regulation aims to enhance digital identity services across the European Union, certain restrictions and challenges need careful consideration. These include concerns about the potential for monopolistic practices by a Member State, which could stifle competition and innovation by not enabling private enterprises to offer EUDI Wallet services.

Additionally, there is a concern about the regulatory overhead for organizations seeking to participate in the ecosystem, especially as relying parties. The framework’s flexibility to adapt to rapidly changing market needs is another point of scrutiny.

Building and maintaining trust in the government and the eIDAS framework as a whole also remains a critical challenge, as public confidence is paramount for the successful adoption and utilization of these digital identity services. Addressing these issues will be crucial in ensuring that the eIDAS regulation achieves its intended benefits for both users and businesses across the EU.

Lastly, eIDAS 2.0 will face the same difficulties as its predecessor if continuous obstacles are put in the way of the private sector’s use cases. The reality is that people rarely interact with the governing bodies. And when they do, it’s typically for a reason they are not necessarily fond of, like paying taxes, penalties, or some other administrative duty. Despite their undeniable significance, many government use cases don’t excite or intrigue individuals. That is why the European Commission is urged to include the private sector as another central actor in the eIDAS framework, taking advantage of this novel, extremely liberating prospect: something that will make it possible for people to operate digitally in both a safe and effective manner.