Wrapping-up eIDAS 2.0

“Perfection is the enemy of progress” said Churchill, and I couldn’t find a better statement to describe the whole eIDAS 2.0 movement. Rivers of words and articles flooded the virtual space during 2023, raising more or less legitimate observations about what the European Union is trying to achieve and how.

“80% of EU citizens being able to use a digital ID by 2030, to be able to prove who they are cross-border, to be able to give the explicit consent for sharing pieces of their personal information, to know exactly with whom they’ve shared personal information and for what purpose. A technology where we can control ourselves what data and how data is used.” – Ursula von der Leyen, President of the European Commission, in her State of the Union address, 16 September 2020.

In the beginning was eIDAS and the ambition to strengthen the EU Single Market by boosting TRUST and CONVENIENCE in secure and seamless cross-border electronic transactions, built on a common legal framework across all Member States. Since its entry into force, the regulation has become a benchmark and set the global approach to trust services provisioning and supervision. The term “qualified”, as the highest assurance level for a service, has been adopted widely, and many third countries have transposed the definition into national legislation.

Source: Andrea SERVIDA introducing eIDAS Regulation in November 2014, right after the official launch

With rapid technological developments, market evolution and more time spent daily on online interactions, our needs and expectations have changed. Digital identity in first place? Yes, but there is much more out there, such as professional qualifications, medical certificates, proof of residence, payroll, electronic prescriptions, travel tickets and boarding passes, payments.

How can we have all that we need in one single app, at our fingertips? All secure, privacy protecting, guaranteeing our civil liberties and rights, legally valid cross-border. Here comes the eIDAS 2.0 proposal, introducing the digital wallet to support citizens’ and businesses’ needs, fostering interoperable e-government services across the EU and, for the first time, putting citizens in control of their data.

This timeline translates into 1010 amendments in total to the initial eIDAS 2.0 proposal: 139 amendments by the rapporteur in the first draft, 653 amendments in the ITRE committee, 75 amendments in the IMCO committee, 35 amendments in the LIBE committee and 108 amendments in the JURI committee. Compared to the initial proposal of the European Commission, several points in the compromise text adopted on 7th December by the ITRE committee deserve attention:

  • The source code of the software components for the EUDI Wallet must be published under an open-source license
  • Free-of-charge mechanisms for verification of the authenticity and validity of EUDI Wallets, as well as for the identities of Relying Parties
  • EUDI Wallet dashboard where users can access all their transactions, allowing them to report to the competent national authority any violation of their privacy
  • EUDI Wallet providers are prevented from collecting users’ data and from having visibility of their transactions; the same applies to Trust Service Providers
  • Establishment of the European Digital Identity Cooperation Group (EDICG) supporting and facilitating the cooperation between Member States

Countless meetings, hearings, and expert and stakeholder opinions have been examined in these 2 years by the Commission, members of the Parliament or the Council. But the hard work was carried out by the principal rapporteur – MEP Romana Jerković and her head of staff – Vedran Lalic; they deserve our admiration and gratitude!

What’s next?

The final text of eIDAS 2.0 is under linguistic revision and translation into all EU Member State languages, and is scheduled for adoption by the European Parliament plenary and the Council of the European Union in February. So we can expect publication in the Official Journal of the EU in the first quarter of 2024. After publication, eIDAS 2.0 will enter into force in 20 days, directly applicable in all Member States as is.

Is that enough from a regulatory standpoint? Well, partially: the European Commission should issue 45 implementing acts and 3 delegated acts in the coming 6-12 months. These acts are necessary to ensure a proper implementation of eIDAS 2.0.

In parallel with the legislative process, we have the European standardization bodies (ETSI and CEN) working on elaborating technical standards in support of the new services: EUDI Wallet interfaces, Relying Party authorization for EUDI Wallet access, Profiles for Electronic Attestation of Attributes, Policy and Security Requirements for the provisioning of these services, update to Trust List to support the new EUDI framework.

A lot to do and to implement, to reach the deadline: at least one digital wallet provided by each Member State two years after the adoption of implementing acts corresponding to the technical specifications and certification requirements for EUDI Wallet.

The eIDAS Regulation was digitally signed into force by the representatives of the EU Parliament and the Council of the EU on 14th October 2014. Will eIDAS2 be digitally signed with the EUDI Wallet?

Brussels, 14th October 2014 – Signing ceremony of eIDAS Regulation

When it comes to technology in continuous evolution, we cannot run after perfection. We would end up overthinking and overwhelmed by complexity. We have pretty good governance for the EUDI Wallet; let’s continue our journey together with an improvement mindset!

by Viky Manaila