Earning Trust: ENISA on eID and Trust services


eID: Extending the role of ENISA

In a shift of scope from mere electronic signatures to fully developed trust services, the eIDAS Regulation has enabled the use of electronic identification and trust services by citizens, businesses and public administrations alike, to access online services or manage electronic transactions. Both interoperability and mutual recognition of electronic identification schemes across borders have been further enhanced to include five types of trust services, namely, electronic:

  • Signatures;
  • Seals;
  • Time stamps;
  • Registered delivery services;
  • Website authentication certificates.

Since 2013 ENISA has been at the forefront of developments in eIDAS and has been supporting the Commission and the Member States in the area of trust services by:

  • Making available security recommendations for the implementation of trust services;
  • Mapping technical and regulatory requirements;
  • Promoting the deployment of qualified trust services in Europe;
  • Supporting relying parties and end users to secure their electronic transactions using trust services.

The recently enacted Cybersecurity Act provides ENISA with an extended mandate to explore the area of eIDs included in the eIDAS Regulation. Therefore, in 2019 ENISA produced two reports assessing the relevance of specific standards to the implementation of eIDAS, and two reports exploring the harmonisation of security requirements for QTSPs and the technological landscape for eID schemes.

Towards a harmonised Conformity Assessment Scheme for QTSP/QTS

The eIDAS Regulation requires CABs to be accredited in the framework of Regulation (EC) No 765/2008 [Reg.765, 2008], which is the generic European regulation in relation to accreditation. It furthermore requires that the conformity assessment scheme (CAS) used by the CAB is eIDAS specific.

A specific feature of the eIDAS accreditation scheme recommended by EA, and intrinsically of the eIDAS Regulation as the normative document, is that the requirements against which the QTSP/QTS must be certified are technology-neutral legal requirements, expressed in terms of functional objectives. Furthermore, no standard may be mandatorily imposed upon the QTSP for providing QTS in conformance with the Regulation, so as not to negatively impact innovation and/or harm competition. In addition, no eIDAS secondary legislation has been adopted to date that references any standard which would create a legal presumption of compliance with any requirement of the eIDAS Regulation for the QTSP.

As a result, there is a significant margin for policy choices in creating, interpreting and applying accreditation and certification approaches. The difference in the approach and in the assessment effort for accreditation of CABs and for the certification of QTSP/QTS is reported by a vast majority of stakeholders (including EA) as hindering the mutual recognition of accredited certification of electronic trust services.

The ENISA report aims to propose ways in which the eIDAS assessment regime can be strengthened, based on the current regime of the eIDAS Regulation, the stakeholders' concerns and the legitimate need to move towards a more harmonised approach with regard to the assessment by CABs of the conformity of QTSP/QTSs with the requirements of that Regulation. It focuses in particular on actions towards a harmonised conformity assessment scheme for QTSP/QTS. Proposed actions consider legal instruments, the design of a harmonised CAS, continuous improvement of the CAS, and recommendations that can be implemented in the short term.

ENISA Report - Overview of standards related to eIDAS

The shift to eID

Under the eIDAS Regulation, Member States have to notify electronic identification (eID) schemes to a designated service of the European Commission. Since 29 September 2018, mandatory mutual recognition of notified eID schemes has been in force. Since a scheme notified by one Member State can now be used to access online public services provided by another Member State, consistent security across these eID schemes is critical.

The ENISA study provides an overview of the technological landscape for eID schemes. Such an overview can underpin the development of a framework that takes into account the security considerations required throughout the electronic identification process, including the enrolment phase, eID means management, authentication, and providers' management and organisation. The paper also elaborates on topics worth developing into guidelines to ensure homogeneity and consistency across Europe, including for instance remote identification (which is also a key topic for trust services), the security of mobile-based eID solutions, the use of smartphones' built-in biometric sensors, the admissibility of SMS OTP, and certification frameworks. Given the new mandate that stems from the Cybersecurity Act, this report also describes the role of ENISA in the area of eID schemes.

ENISA Report - eIDAS compliant eID Solutions

Overview of standards: specifying formats of advanced electronic signatures and seals

The eIDAS Regulation provides the regulatory framework in the EU for electronic identification and trust services for electronic transactions in the internal market. The creation, verification, validation and preservation of electronic signatures or electronic seals relies, among other things, on standards specifying electronic signature and seal formats, to guarantee interoperability and their general usability within the Member States and across borders.

Member States can recognise XML, CMS or PDF advanced electronic signatures based on the formats respectively named XAdES, CAdES or PAdES, or associated signature containers based on ASiC, if they meet technical specifications issued by ETSI. ETSI has published a set of European standards (ENs) that take into account the eIDAS Regulation requirements and address a number of issues identified based on the feedback received from stakeholders, for example during CAdES/XAdES/PAdES/ASiC ETSI Plugtests™ events.

The scope of this document is to assess the suitability of the recently published ENs to meet the eIDAS Regulation requirements, for the purpose of updating the list of referenced standards. It also aims at evaluating the consequences of such an update and defines the timeline for a possible transition to the exclusive use of the new ENs.

ENISA Report - Overview of standards related to eIDAS

Assessment of the eligibility of referencing ETSI TS 119 403-3 in eIDAS

The eIDAS Regulation introduced provisions at the EU level in relation to qualified trust service providers (QTSPs) listed in the Regulation, and to the qualified trust services (QTSs) they provide. Supervisory bodies in the Member States scrutinise and approve Trust Service Providers and the Qualified Trust Services available.

The eIDAS Regulation does not specify any particular accreditation scheme or any conformity assessment (or certification) scheme against which a CAB must be accredited. This results in practice in divergence across conformity assessment schemes used by CABs.

This report concludes that a suitable candidate standard pursuant to Art. 20(4) is [ETSI TS 119 403-3], which sets additional requirements for CABs assessing EU QTSPs, on top of [ETSI EN 319 403] and [ISO/IEC 17065], which specify requirements for CABs assessing TSPs.

ENISA Report - Assessment of ETSI TS 119 403-3 related to eIDAS

Trust Services Forum – save the date!

On 22 September, ENISA, in collaboration with the European Commission, is organising the Trust Services Forum for the sixth consecutive year, co-located with the D-TRUST/TUVIT CA Day. The event will take place in Berlin, Germany, provided that the current travel and gathering restrictions are lifted. As in previous years, the Forum will focus on emerging issues related to trust services across Europe, in the period of the first review of the application of the eIDAS Regulation, and in particular will aim to:

  • Share good practices and experience on the implementation of trust services;
  • Discuss the latest developments on the framework surrounding trust service providers including standards, implementing acts and technical guidelines;
  • Exchange views on identified implementation and operational issues of qualified trust services;
  • Discuss strategies to promote the adoption of qualified trust services.

For more information: Trust Services Forum - CA Day 2020


Further Information:

ENISA Report - eIDAS compliant eID Solutions

ENISA Report - Overview of standards related to eIDAS

ENISA Report - Recommendations for technical implementation of the eIDAS Regulation

ENISA Report - Assessment of ETSI TS 119 403-3 related to eIDAS

ENISA website page on Trust Service

For interviews and press enquiries, please contact press@enisa.europa.eu