Regulation 2014/910 - Electronic identification and trust services for electronic transactions in the internal market

1. Summary of Legislation

More secure transactions on the Internet

SUMMARY OF: Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market

SUMMARY

WHAT DOES THIS REGULATION DO?

  • The Electronic Identification and Trust Services (eIDAS) Regulation creates a new system for secure electronic interactions across the EU between businesses, citizens and public authorities.
  • It aims to improve trust in EU-wide electronic transactions and to increase the effectiveness of public and private online services and e-commerce. It applies to:
    • electronic identification (eID)* schemes notified to the European Commission by EU countries;
    • trust service providers based in the EU.
  • It removes existing barriers to the use of eID in the EU. For instance, it would now be straightforward for a Portuguese firm to tender for a public service contract in Sweden, while EU funding grants can be managed wholly online.

KEY POINTS

Electronic identification

  • eID issued in one EU country must be recognised in all others. This applies only if the eID meets the regulation’s requirements and has been notified to the Commission and published in a list. Mutual recognition of eIDs will be mandatory from 28 September 2018 and will facilitate secure electronic transactions across the EU.
  • An eID scheme must specify one of three levels of assurance (low, substantial and high) for the form of electronic identification issued under that scheme. Mutual recognition is mandatory only when the relevant public sector body uses the ‘substantial’ or ‘high’ levels for accessing that service online.

Notification

  • When notifying the Commission of eID schemes, EU countries must provide information on aspects such as:
    • the level of assurance and the issuer of eID under that scheme;
    • the applicable supervisory and liability systems;
    • the body managing the registration of unique personal ID data.
  • In the event of a security breach of the eID scheme or authentication, the notifying EU country must:
    • quickly suspend/revoke the EU-wide authentication or the compromised parts of the scheme; and
    • inform other EU countries and the Commission.

Liability

  • In any transaction between EU countries where there is a failure to comply with the regulation’s obligations, the following parties can be held liable for any damage caused intentionally or negligently to any person or body:
    • a notifying EU country;
    • the party issuing the eID;
    • the party managing the authentication procedure.

Cooperation and operability among EU countries

  • National eID schemes notified must be interoperable. The interoperability framework must be technology-neutral, not favouring any specific national technical solutions for eID.

Trust services

  • The regulation defines trust services as paid-for services that include:
    • the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services; or
    • the creation, verification and validation of certificates for website authentication; or
    • the preservation of electronic signatures, seals or certificates related to those services.
  • Trust service providers based in the EU are considered ‘qualified’ if they meet the regulation's applicable requirements. They are legally entitled to provide qualified trust services (e.g. qualified electronic signatures, seals or certificates) in all EU countries. Trust services offered by service providers from non-EU countries can be considered legally equivalent to qualified ones, but only after an agreement between the EU and the non-EU country or an international organisation.

Supervision

  • EU countries must select one or more bodies for the supervisory activities under this regulation. These bodies must cooperate with data protection authorities where appropriate.
  • All trust service providers are subject to supervision and to risk management and security breach notification obligations.
  • Non-qualified trust service providers are subject to ‘light-touch’ supervision, i.e. the supervisory body only reacts if the provider is suspected of misconduct.
  • Qualified trust service providers based in the EU are subject to strict supervision. This includes prior authorisation by supervisory bodies and auditing at least once every 2 years by an organisation that assesses whether they meet regulation requirements.
  • A new, voluntary EU trust mark will identify the qualified trust services provided by the relevant providers.

A series of acts adopted by the European Commission in the course of 2015 set out:

FROM WHEN DOES THIS REGULATION APPLY?

It applies from 17 September 2014.

KEY TERM

*electronic identification (eID): tangible or intangible forms of identification containing personal ID data as used for authenticating an online service.

ACT

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, pp. 73-114)

The successive amendments to Regulation (EU) No 910/2014 have been incorporated into the original document. This consolidated version is of documentary value only.

last update 17.03.2016

This summary has been adopted from EUR-Lex.

2. Legislative text

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC