eIDAS is short for ‘Electronic Identification, Authentication and Trust Services’. It was introduced in 2014 to help remove digital borders between countries in the European Economic Area (EEA), while ensuring the security of digital systems and protecting people’s privacy. Now, the amendment of this regulation has been accepted, officially known as European Digital Identity regulation. Trust services and Digital Identity Wallets are a part of this. How are these related to European Digital Identity regulation? And what does this mean for data spaces and data sharing initiatives? Yekaterina Travkina, Consultant at INNOPAY and associated with the CoE-DSC, shares some insights (which she also shared during our Community Meeting of April).
What is the European Digital Identity (EUDI) regulation?
Yekaterina explains that the EUDI regulation aims to dismantle existing barriers hindering seamless use of trust services and eID usage across EU member states. It consists of three pillars. “The electronic identification (eID) Schemes and Trust Services have existed since 2014. There are various national eID Schemes, which allow citizens and businesses to log in to the public services online and carry out secure (cross-border) transactions. The Netherlands is quite far in this journey, we have two schemes. DigiD is the national eID and we also have eHerkenning for businesses. Once a national electronic identification scheme has been notified and recognised at European level, it can be used in other EEA countries. This is set out in the EU’s eIDAS Regulation. With the amendment of the regulation, it is now no longer optional to notify at least one eID per Member State. The notified eID schemes will allow citizens to access both public and private services, cross-border.”
The second pillar is Trust Services, which ensure secure and reliable delivery of electronic messages, data, or documents and provide evidence of the time of sending, receipt, and content integrity. Currently available trust services include electronic signatures, seals, timestamps, website authentication certificates and delivery services. “A list of trusted service providers in the EU is essential in building trust among electronic market operators. It allows users to determine the qualified status of trust service providers and the services they offer.” You can find the list of trusted service providers for the Netherlands here. Yekaterina reflects on the upcoming changes: “The legal framework for trust services has been updated, built upon acceptance, mutual recognition, and equal conditions. New trust services that will be added are: eAttestation of attributes, eArchiving, and eLedger.”
The third pillar, EU Digital Identity Wallet (EDIW), is new. It will enable you to safely obtain, store and share important digital documents and verifiable credentials about yourself and electronically sign or seal documents. “EU Digital Identity Wallets aim to harness and build on Member States eID schemes and contain attributes issued by Trust Services providers. Member States will be mandated to provide citizens an EDIW, to: 1) guarantee access of trusted digital identities for all Europeans and 2) to access services, present attributes and electronically seal or sign documents.” By the end of 2026, wallets should be issued by Member States, and by 2027 various sectors will prepare to accept the wallets. “This is crucial, because it is difficult to share information if designated parties (private service providers) in different sectors don’t accept the wallets that people use. That’s why the regulation points out a list of sectors that are mandated to accept the wallet.1”
What do EU Trust Services and Wallets bring to data spaces?
Yekaterina continues: “The general idea is that data providers and data consumers of a data space obtain a signature or a seal. When requesting data, this seal will be attached to the message request. The data provider can see that the request came from an authenticated, trusted party and can securely share the requested data. You can compare it to the Middle Ages, when people went to a castle with a sealed message – just the digital version of this.”
eIDAS Trust Services offer trusted methods to securely link the content of a message to its sender. “An organisation (data consumer) can send a data request, the request can be sealed and the data provider will know with a high level of assurance that it came from a party that they know and trust.”, Yekaterina explains. “They know the party is who they claim to be. This means, for example, that sensitive data is accessed only by intended parties, which opens possibilities to share more information than is possible now. It also enables trusted data sharing with other sectors, since eIDAS is a common EU digital identity framework and not sector specific. Furthermore, it reduces the need for bilateral arrangements, which helps initiatives to scale their identification and authentication processes.”
Alternatively, the new EDIW enables holders to share information obtained at issuers with verifiers. Yekaterina: “You have a triangle of trust between a holder, verifier and issuer. Electronic attestations of attributes are issued by someone into the wallet, the issuer. The holder can show this as proof to a verifier. In daily life, this can be used for example in stores to prove that someone is over 18, when accessing online car rental services to provide a proof of a valid driver’s licence. Another example, when a person is asking for a mortgage, they send their information to the bank and to the notary. An employee from the notary can seal the mortgage package with their qualified electronic signature. So then, the bank opening the mortgage can see that the information was sealed by a professional notary and that the information inside the package can be trusted.”
Examples of initiatives in the Netherlands engaging with Trust Services and exploring the use of wallets are DSGO, MFF BAS, HDN, BDI DIL, SCSN, SBR Nexus, supported by iSHARE and eHerkenning.
According to Yekaterina, Trust Services and EDIW bring value for data spaces by providing a common EU Digital Identity framework for trust and interoperability: “If someone requests certain data, Digital Identity helps to reassure that this is the right person and that (s)he is properly identified, and authenticated to get access. Because it’s a European regulation, you can trust digital identity means from any European country, whether it’s a trusted service provider from for example Italy or Spain.”
Main takeaways and potential next steps for data spaces
What next step can you take? Yekaterina suggests to think about the following points:
- Assess use cases of your data sharing initiative/data space
- Assess what data needs to be exchanged by parties involved in the use cases
- Decide on the viability of using the EU Digital Identity Wallets for identified use cases
- Decide on suitable Trust Services for the identified use cases
- Decide on a Trust Service Provider to apply at for a chosen service
- Overtime, assess the DI fit in your data space
- Continuously stay informed about (regulatory) changes
“To conclude, data spaces and data sharing initiatives can look into EUDI regulation as an opportunity to enhance trusted and scalable digital identity, to boost data sharing.”
Do you want to read more?
- In January, the CoE-DSC wrote a whitepaper addressing changes in the EU digital identity landscape, which stem from the revision of the eIDAS regulation. The paper covers what Digital Identity is and why it is relevant for data spaces.
- Yekaterina hosted a session about the EUDI regulation at our Community Meeting of April. You can either download her presentation slides, or watch the recording.
Download the slides or Watch the recording
In 2024, the CoE-DSC will organise co-creative workshops on DI solutions as part of Data Spaces Interoperability Compass (DSIC) activities. Reach out via dsic@coe-dsc.nl to join this exploration.
- Note, the list of sectors for mandatory acceptance of EDIW is: transport, energy, banking, financial services, social security, health, drinking water, postal services, digital infrastructure, education, telecommunications.
