Agreement on an expanded European legal framework for electronic authentication: Digital Identity Wallets are coming!

Electronic identification, electronic signatures and trust services in Europe

When engaging in electronic interactions, a multitude of authentication services are often used behind the screens to ensure their trustworthiness. Users need to identify themselves, sign transactions, transmit documents securely, and the time of the transaction needs to be appropriately logged.

Within the European Union, the principal legal framework for such authentication services is the eIDAS Regulation (EU) No 910/2014. The eIDAS Regulation entered into force in 2016 as a modernization and expansion of its predecessor, the eSignatures Directive 1999/93/EC, which mainly (but not exclusively, as the name would suggest) focused on electronic signatures.

The eIDAS Regulation overhauled the European legal framework in three ways:

• Firstly, it provided a mechanism to ensure the mutual recognition of certain means of electronic identification across the EU for e-government services. As a result, the legal validity of digital identification solutions (such as the Belgian eID card, or the mobile itsme service) cannot be denied in e-government services in other Member States.
• Secondly, it created a legal framework for certain trust services, namely electronic signatures, seals, timestamps, delivery services, and website authentication. Unlike the electronic identification pillar of the eIDAS Regulation, the legal framework for trust services is not focused on e-government services; and as such it has a more direct legal authority in the private sector.
• Thirdly, it strengthened the non-discrimination of electronic documents, postulating the general rule that the legal validity of an electronic document cannot be denied simply because it is in electronic form, rather than on paper.

While the eIDAS Regulation had some beneficial impacts on the European market, it none the less had several shortcomings. The singular focus on e-government for electronic identification services limited the practical relevance of the framework for most citizens. Moreover, the Regulation did not particularly take into account the importance of mobile solutions – while they were not forbidden by any means, the general phrasing and standardization framework at the EU level was more conducive to smart cards than to smartphones. Additionally, the list of trust services covered by EU law was quite narrow, and didn’t incorporate important building blocks such as electronic archiving, which remained largely regulated at the national level. Clearly, room for improvement existed.

eIDAS 2 - EU Digital Identity Wallets for EU citizens

In June 2021, the European Commission proposed an amendment to the eIDAS Regulation (often referred to as the eIDAS 2 proposal), which foresaw significant innovations. Likely the most impactful of these – and certainly the most frequently discussed – was the intention to introduce European Digital Identity Wallets across the EU.

Wallets represent a step forward in many ways. They are mobile-native, consisting essentially of an app that citizens can choose to install on their smartphones. While citizens are free to choose whether they want a Wallet or not, Member States have no discretion on whether they wish to offer one: where the original eIDAS Regulation allowed Member States to decide whether they were at all interested in EU-wide recognition of their national identity schemes, the eIDAS 2 proposal requires all Member States to ensure that they have at least one type of Wallet that their citizens can use. In practical terms, the original eIDAS allowed Member States to opt in to the rules on electronic identification to some extent, while the eIDAS 2 amendment leaves the choice with the citizens. Moreover, to further encourage adoption, Wallets must be free of charge to the citizens, unlike traditional e-government means of identification that often imply an administrative charge.

The minimum functionality of the Wallets is also explicitly described in the amendment: they must of course allow electronic identification and electronic signing at the highest EU level of trustworthiness (so-called qualified signatures); and they must allow the storage and sharing of electronic attribute attestations. The latter is in practice any digital document that provides information on certain characteristics of the Wallet holder – diplomas, driving licences, memberships of professional associations, and so forth. Attestations can also be used to minimise disclosure of information – e.g. by revealing that a person is an adult, or that they are a lawyer, without revealing any other identity information. In that way, the Wallet can also enable privacy protection.

Technical and architectural standardisation efforts on the Wallet have been ongoing in parallel with the legislative work for a long time already, and should ensure that all EU Wallets will be interoperable. This does not imply that they will be identical: Member States are free to develop their own Wallets (or to endorse the use of Wallets created by private companies), provided that they offer the core functions required under EU law, and that they are interoperable.

In November 2023, a consensus position was achieved on the eIDAS 2 proposal, and final adoption is anticipated around April 2024. Member States will then be obliged to ensure the availability of Wallets within 24 months after the completion of the legal framework.

New trust services: electronic archiving, ledgers and electronic attestations of attributes

In tandem with the Wallets, the eIDAS 2 proposal also expands the range of trust services covered by EU law:

• The issuance of electronic attestations of attributes will be considered a trust service as well. As noted above, Wallets will be required to support the storage and sharing of such attestations, but they can also be created and used outside of any Wallet. This allows e.g. professional bodies or public administrations to issue electronic documents in a way that ensures legal validity of the documents across Europe.
• Secondly, a legal framework is introduced for electronic archiving. As a somewhat odd gap in the European legal framework, archiving had never been regulated in general, meaning that electronic documents could be created, signed and exchanged, but their long term validity and usefulness could not be ensured, at least not at an EU wide level.
• And finally, electronic ledgers (such as blockchain solutions) would also be regulated, albeit in a relatively lightweight manner that principally focuses on permissibility and recognition of ledgers as a viable authentication solution, without tying any standardised legal value to them.

Collectively, the eIDAS Regulation should create a more consistent and comprehensive legal framework for electronic identification and trust services in Europe, and the focus on mobile Wallets is expected to improve effectiveness and actual usefulness in day to day life, compared to the old framework.

The Belgian perspective

Once adopted, Belgium will of course need to adhere to the eIDAS 2 Regulation as well. However, it is interesting to note that Belgium is, both legally and operationally, already something of a frontrunner on this point. Next to the eID card, Belgians can already use the itsme mobile solution both for electronic identification and for electronic signing. Belgium has also adopted specific legislation on electronic identification that allows the recognition of private sector solutions.

Moreover, the federal government has initiated development on a Belgian Identity Wallet, under the name MyGov.be. Already announced in October 2021 – discussions and studies in Belgium actually preceded the eIDAS 2 proposal – the Belgian Wallet entered small scale testing in January 2024, and could be rolled out well before EU law requires it.

With respect to trust services too, Belgium may have a slight lead, since it already adopted legislation on electronic archiving many years ago, that follows the general EU model for trust services – and indeed, a first electronic archiving company, Docbyte, has been recognised as recently as November 2023 as being compliant with Belgian law.

While European rules will undoubtedly require updates and overhauls in Belgium, both legally and operationaly, it is at least good to know that from a European perspective, Belgium is ahead of the pack!

Author : Hans Graux, Timelex