Senior Adviser, Strategy and Reform um Support for Improvement in Governance and Management SIGMA
1. Jun 2023•0 gefällt mir•18 views
1 von 74
PPT - SIGMA-GIZ Academies - Topic 2 - eID_Kask
1. Jun 2023•0 gefällt mir•18 views
Downloaden Sie, um offline zu lesen
Regierungs- und gemeinnützige Organisationen
Presentation given at the Service Design and Delivery in a Digital Age - Academies for EaP countries organised by the SIGMA Programme and the GiZ Eastern Partnership Regional Fund. Topic 2: Digital transformation.
EU. Table of contents
2 Key Principles of Trusted eID
3 Building Blocks of Trusted eID
4 eID Transformation Process
5 eID organizational structure
6 European legal framework for eID and trust services
Estonian national framework for eID and trust services
What have been the challenges?
8 Cross-border implications of eID and trust services
8. 2005 2006 2007 2008 2010
9. 2011 2012 2013 2014 2015
e-service of the
10. 2017 2018 2019 2020
17. Legal framework
• Population registry and its legal significance
• Regulation of trust services
• Electronic signature and its significance
• Dealing with legacy
• Education of legal practitioners
• Revamping regulations requiring paper-based processes
• Cybersecurity to
• drive requirements for eID and validate deliverables
• monitor the ecosystem
• execute incident response
• Cryptography to keep the ecosystem developing
• Legal to drive legal changes
• Architecture to define, manage and develop the technical ecosystem
19. Trust services
• Trust services create and operate services underpinning the trust in eID
• Certification Authority and Registration Authority
• Time Stamping Authority
• Signature creation and validation
• Trust must stem from audited, regulated and supervised adherence to standards
20. The ecosystem
• It is not possible for a
• single government authority to build eID due to the range of capabilities and
• single private sector organization to build eID due to the lack of critical mass in
terms of customers and services
• Create and manage an ecosystem of service providers, integrators, technology
providers, researchers, cybersecurity practitioners, trust service providers etc.
• Alternatively make sure to participate in one
30. Mandatory recognition of electronic identification for
1. May ‘notify’ the ‘national’ electronic identification scheme(s) used at for
access to its public services
2. Must recognise ‘notified’ eIDs of other Member States for cross-border
access to its online services when its national laws mandate e-identification
3. Must provide a free online authentication facility for its 'notified' eID(s).
4. May allow the private sector to use ‘notified’ eID
NB! No obligation to recognize eIDs outside EU
NB! Only EU level agreement between a third country is a possibility (there is now an option to
overcome the legal gap)
31. Trust Services
eIDAS creates an European internal market for electronic trust services by ensuring
that they will work across borders and have the same legal status as traditional paper
32. Trust Services
When the public sector accepts a document being signed electronically, they must
accept documents signed electronically in the same format from the other member
states or with the service offered by the other service providers.
33. Trusted List
• Member states maintain and publish trusted lists where they have all the necessary
information about the qualified service providers acting inside the EU.
• Trust services provided by trust service providers established in third country shall
be recognised legally once there is an agreement between the EU and the third
• Trust services provided services provided by trust service providers established in
third country shall be recognized when they are in the trusted list and audited in
the EU, provided by EU located service provider.
34. Principles of trust services
• Technological neutrality.
• Mutual recognition of «qualified» electronic trust services.
• Ensuring validity and legal certainty of cross-border electronic
transactions through the impossibility to reject a document on the grounds
that it is in electronic form.
35. Levels of e-signature (electronic signature)
• The simple e-signature has a low level of security and assurance. It cannot
guarantee that the person signing the document is who he pretends to be.
• It does not provide details on the signing event (such as time, date etc.) either. For
example, when ticking the “Accept terms & conditions” box of an online
transaction, using stylus etc.
36. Levels of e-signature (advanced e-signature)
• Advanced electronic signature – an electronic signature is considered advanced if it meets
a. it is uniquely linked to the signatory;
b. it is capable of identifying the signatory;
c. it is created using electronic signature creation data that the signatory can, with
a high level of confidence, use under his sole control; and
d. it is linked to the data signed therewith in such a way that any subsequent
change in the data is detectable.
• Certificate for electronic signature – electronic proof that confirms the identity of the
signatory and links the electronic signature validation data to that person.
37. Levels of e-signature (qualified e-signature)
• Meets the requirements of advanced electronic signature and in addition, it is
created based on the use of a qualified signature creation device (QSCD) and relies
on a qualified certificate for electronic signatures.
• These two extra features ensure that the qualified e-signature is unique,
confidential and secure.
• Only electronic signature that is equal to handwritten signature (wet signature) and
there cannot be exceptions in national law
38. Legal consequences
• Qualified electronic signatures are equal to handwritten signatures (eIDAS article
• Usage in private sector?
• Usage in public sector?
39. How to become a qualified trust service provider?
• Apply to a conformity assessment body assessing compliance against the
requirements for qualified trust service providers and qualified trust services.
• The conformity assessment body will produce a conformity assessment report,
demonstrating how the requirements have been met.
• Submitting the report to national supervisory authority who will grant you qualified
status if appropriate – service will be added to the national trusted list and will be
able to use the eIDAS EU trust mark.
• There is a requirement to undergo the conformity assessment process every two
years, at your own expense.
• The eIDAS Regulation:
• ensures that people and businesses can use their own national electronic identification schemes
(eIDs) to access public services in other EU eID are available;
• creates an European internal market for eTS - namely electronic signatures, electronic seals, time
stamp, electronic delivery service and website authentication - by ensuring that they will work
across borders and have the same legal status as traditional paper based processes;
• consists of regulation, implementing acts, standards (ETSI), national laws and implementing acts;
• sets rules for mutual recognition of eIDs and cooperation between the member states;
• regulates trust service providers and trust services to be recognized across EU.
Do we actually know who
is behind the computer?
published by The New Yorker on July 5, 1993
Justification for amendments: about 60% of the EU
population in 14 Member States are able to use their
national eID cross-border.
Only 14% of key public service providers across all Member
States allow cross-border authentication with an e-Identity
Aim of eIDAS 2.0: by 2030 80% of the EU population are
equipped with a digital wallet that will allow them to prove
their identity and authenticate themselves on public
services in all EU countries and the UK, regardless of their
Article 3 (42):
is a product and service that allows the user
to store identity data, credentials and
attributes linked to her/his identity, to
provide them to relying parties on request
and to use them for authentication, online
and offline; and to create qualified
electronic signatures and seals
What is an European
45. Main challenges
+ The proposal offers no rationale how the obligation to issue and recognise the wallet helps to overcome the
shortcomings of the current eIDAS regulation. The obligation to accept the wallet also degrades the proven
value of existing electronic identity schemes and results in unfair competition.
+ Proposed 24 months` timeframe for implementation is complicated, as there is no solution that meets the
requirements of the wallet and wallet-like products have to be developed from the ground up, also there are
no technical standards and/or comprehensive technical descriptions that would correspond to the proposal.
+ Concept of unique and persistent identifier has been left aside and have been replaced with record matching.
+ “The Digital Wallet will become a reliable, all-in-one identity
gateway that puts citizens in full control of their own data and gives
them the freedom to decide exactly what information to share, with
whom, and when. From social, financial, medical, and professional
data, to contacts and much more, it will make it possible to store
personal credentials within a single digital ID.”*
+ Although technically feasible, it puts even harder responsibility on
the human side for various fraud.
+ The concept of decentralized data collection is heavily influenced.
* eIDAS 2.0 rapporteur Romana Jerković (S&D, HR)
48. Mutual Recognition of trust services from third
53. eID in Estonia
High level government provided identity
based on identity nr that is unique (eID,
• electronic signing
• business, banking
• state and healthcare
• public transport
• loyalty card
High level private sector provided identity
based on identity nr that is unique (Smart
• electronic signing
• business, banking
54. Two main legal principles in national law
• Electronic identification is as good as face-to-face identification
• electronic signature of certain level is equal to handwritten one.
NB! Although the framework exists there is no actual use of the concept of
professional certificate (e.g electronic seal)!
55. The hierarchy of norms
eIDAS implementing acts
National level laws on the
implementation of eIDAS regulation
59. Nature of the security risk
The private key can be computed from the public key, which means that
• it was possible to digitally sign a document in the name of another person
• it was possible to enter e-services in the name of another person
• it was possible to steal a digital identity without having the physical card
• decrypt documents encrypted with the ID card
61. Lessons learned
• eID is more important than we knew AND we cannot go back on paper
• Map cross-dependencies of critical services
• Certified does not mean secure
• Have alternatives – eID card and mobile-ID, private sector solution
• Pool of experts is limited – duplicate, if possible
• How to handle a non-incident?
• Nobody wants to go back to paper, even if they could
• This will not be the last such event
62. →In the rapid technological change the product standards and audits based on standards might not
give the guarantees for a liable product
→ 2 years for the audit period is too long period, BUT the audits are expensive and there are not
many auditors for the specific topics
→The notification system is too vague, but the only solution in those cases is tight cooperation
→The next crisis can be different, the legal framework in place enabled finding solution, but from
learnings we never know what the next crisis will look like
63. Identity thefts: suspension vs declaring invalid
• If the person who has stolen/found your card does not know your PIN and/or PUK
codes, they can only obtain information that is visually printed on the card (name,
personal identification code, validity period of the card), except your photo and
• If the person also has your PIN and/or PUK codes, they can use the card to access
e-services and give digital signatures if the owner has not suspended the
• On September 22, a woman contacted a 64-year-old woman living by phone, informing them about the
maintenance work at Swedbank and the problems with her woman's Smart-ID.
• The woman was then called by a man who introduced himself as a maintenance technician, asked for the
applicant's personal identification number and Smart-ID PIN codes to check that the Smart-ID application
• After a few moments, the call was made again and the petitioner was asked to authenticate himself in
the Internet bank via Smart-ID, under the pretext of completing the maintenance work.
• Misled in this way, the applicant initiated authentication in the internet bank and entered the PIN1 and
PIN2 codes, during which an unknown person gained access to the woman's bank account and made
payments to five people for a total of EUR 12,184.23, of which the bank recovered EUR 609.00.
• What could be the solution in your country?
67. Barriers based on the example of NOBID countries
• Although authenticating a citizen (i.e. allowing a person to prove they are in control of a
particular national identifier) is technically possible, the semantic interoperability between
the identities is said to be lacking.
• On the EU level, there appears to be a stalemate where the services are not accepting
foreign electronic identities because there is no demand and the lack of demand is in turn
caused by the lack of services.
• There is no concept of shared physical identity between the NOBID countries and
therefore the sharing of electronic identity is hindered.
• The lack of technical and legal standards around the identity codes appears to be a barrier.
68. Barriers based on the example of NOBID countries
• Authentication services are significantly linked to interoperability services.
• Lack of cooperation in software and service development was seen to be a cross-border barrier.
• The vast majority of citizens currently do not need cross-border services.
• Difficulties in determining the level of trust in trust services and alternatives thereof is a barrier to their use
between NOBID countries.
• The extent of the cross-border demand, challenges or potential use is difficult to estimate since there is a lack
• Despite international standards being present, technical compatibility in terms of the ASiC-E signature
container compatibility between NOBID countries remains a challenge as countries differ in the precise way
standards are utilised
• Electronic services are dependent on a personal identification codes both in terms of technological solution as
well as service design.
• All countries, quite naturally, prioritise their national services and compliance over cross-border compliance
69. Potential use of cross-border trust services and alternatives
• There is strong preference among Nordic countries (clearly expressed by Finland, Sweden,
Norway and Denmark) to focus on authentication in the cross-border dimension and only
then on trust services. All people should be able to have strong authentication mean to
• Cross-border trust between eID schemes would be the most important element as more
than 90% of the population have the means available. Many interviewees pointed out that
the first step would be for each country to have their national eID notified - this would
raise confidence in the ability to issue national eIDs in the reliable way.
• A deliberate effort must be made to start trusting identification by other countries.
70. Other observations
• The COVID-19 pandemic was seen as a major driver of eID adoption and trust
services in general.
• Personal identity tends to be under tight control of national governments while
other trust services are commonly procured within an international context (e-
delivery, timestamping, web certificates).
• Different requirements for assurance level of eIDs create interoperability problems.
• Banking is a significant driver of eID use (Bank-initiated schemes in Sweden,
Norway, Finland; respective mentions in Latvia and Estonia, Bank-owned or
operated TSPs in the Baltics, Iceland and elsewhere).
71. Other observations
• Cooperation and cross-border use are to a very large extent driven by corporate strategy of a much
wider group of organisations than just trust service providers
• Large multinationals tend to utilise centrally developed solutions using a corporate trust network
rather than adopting the local one (Latvia, Estonia)
• Integrators, document management service providers and other parties operate internationally
and bring their international cooperation networks into local context (Latvia)
• Large Relying Parties often operate internationally and seek to unify solutions at least on a
regional basis (Telia, Swedbank, SEB in the Baltics but also in other NOBID countries)
• Trust service providers operate internationally and, seeking to minimise cost, will unify solutions
creating interoperability in the process (SK ID Solutions in the Baltics, Nets, Signicat and others in
the Nordics, Dokobit)