Cloud Signature Consortium warns on eIDAS 2 risks



The Cloud Signature Consortium (CSC) has issued an open letter warning of the risks that the proposed amendments to the eIDAS 2 regulation pose to consumers and the trust services sector. Issued together with other organisations that represent stakeholders in the qualified trust services sector, the letter expresses their concerns over the risks in article 24 of the Council’s general approach to the eIDAS 2 regulation.

In the Council’s general approach, Member States mandate that the assurance level ‘substantial’ in article 24 of the eIDAS 2 regulation be eliminated. The original text of the regulation proposal allowed user identity verification for the issuance of a qualified electronic signature and a qualified electronic attestation of attributes by making use of an eID scheme with an assurance level that is either ‘substantial’ or ‘high’, whereas the final version of the text adopted by the Council of the EU has the references to ‘substantial’ removed.

LoA substantial eID vs. LoA high eID

The qualified trust services sector has expressed concerns over the move and the consequences for citizens, as a number of extensively used eID schemes within Europe not only have an assurance level ‘substantial’, but are also the preferred method of identity verification for citizens, due to their increased user-friendliness. Even in countries with notified eIDs at level of assurance (LoA) high, the most predominantly used eID systems throughout Europe are fully digital and have a LoA substantial. As detailed in the open letter, some examples of successful LoA substantial systems are: the SPID identification scheme in Italy, with 33 million active citizens; the Swedish BankID and FrejaID+1, with over 8 million users; the Danish NemID/MitID, with more than 5 million citizens; and the French FranceConnect, with over 41 million users, which is also in the phase of update from LoA low to LoA substantial.

The numbers and statistics highlight that countries with a LoA substantial eID scheme saw growing adoption and use of it, creating value for citizens and a rich environment for Qualified Trust Service Providers (QTSPs) for the issuance of Qualified Certificates that help enhance the overall security level of electronic transactions. Even though LoA high schemes of the likes of the Italian Electronic Identity Card CIE and the German Personalausweis exist, they are restricted by a lack of user-friendliness, with a multitude of citizens having these identity cards, but not using them actively for qualified signatures or for accessing public services. Relying on a physical card with a chip, generally with NFC function, a LoA high eID scheme can be read with compatible handsets or smart-card readers only.

This implies a complex process both on the side of the user and of the maintenance teams, a fact highlighted by statistics that show how in Germany each citizen has an identity card (over 60 million), while the eID function has been used only 11 million times in 2021, as opposed to the usage of SPID, which saw 1 billion transactions.

The eIDAS 2 regulation amendments and the risks entailed

Members of the organisations that have issued the open letter have the concern that should the LoA ‘substantial’ be removed, existing popular schemes will have to stop being used. The EU direction is that Qualified Electronic Signatures (QES) are the preferred signature level nationally and for cross-border communication.

The current text proposed for Art. 24 is believed to jeopardise the mainstream availability of QES with severe consequences for both citizens and stakeholders. In spite of policy makers’ expectation that the move will result in increased adoption of LoA high schemes of the likes of the eIDAS 2 wallet, the CSC’s and other organizations’ experience suggests that citizens and the market will opt for user friendliness and move from qualified trust services, which it is believed will become less easy to obtain, towards less regulated options with a reduced level of security (advanced signatures).

The belief is that the predominant driver behind the shift will be simplicity within the identification process, although at the expense of security. For the above-mentioned reasons and more, delineated in the open letter, policymakers are urged by the CSC together with the other organisations to have the assurance level ‘substantial’ in article 24 reinstated (in line with the Commission’s initial proposal), and to revisit the issue in the time to come, following further assessment of the LoA ‘high’ feasibility. As stated in the open letter, the companies are at the disposal of policymakers for any clarifications and look forward to working with them to ensure a balanced text that provides strong consumer protection together with user-friendliness, a balance that is believed to be necessary to make the eIDAS 2 goal of boosting the rollout of electronic identity schemes in Europe successful.



Feb 03, 2023 11:52