What is the eIDAS (electronic identification and trust services) regulation?

In the fast-growing digital world, trust is essential to facilitate exchanges and many regulations are now emerging to secure them.

The eIDAS Regulation is part of this. It aims to enhance trust in electronic transactions within the internal market. This regulation applies to electronic identification, trust services and electronic documents. Its purpose is to establish an interoperability framework for the different systems in place in the Member States. It also promotes the development of a market for digital trust.

The eIDAS Regulation replaces Directive 1999/93/EC, which scope was limited to electronic signatures. Effective from July 2016, the eIDAS aims to establish a common basis for secure electronic interactions between citizens, businesses and public authorities.

eIDAS Regulation: what are the security levels concerning the electronic signature?

The eIDAS Regulation standardised electronic transactions in the Member States by providing three levels of reliability and assurance for electronic signatures :

Simple electronic signature: allows the authentication of documents that present a risk assessed as low or medium (insurance contract, expense account, subscription to a service, etc.).
Advanced electronic signature: offers the same level of reliability and assurance as a simple signature but increases the confidence level by incorporating systematic verification of the signatory’s identity[1] .
Qualified electronic signature: this enables the authentication of high-risk documents (invoices, responses to public tenders, B2B banking validation, etc.). The signing process must provide the same guarantees as for a face-to-face signature.

The eIDAS regulation also introduced a fourth type of signature: a “digital seal”. Reserved for legal entities, it guarantees the origin and integrity of the associated data. For more information on our eIDAS-compliant electronic signature service, please visit Check’nSign.

eIDAS Regulation: what are the security levels regarding identification?

As far as identification schemes are concerned, eIDAS defines three levels of assurance :

Low: reduction of the risk of usurpation, with a limited confidence level, as login and a password are the only requirements.
Substantial: improvement of the risk posture; the signatory must have an identity document issued by a member state and have demonstrated its possession, as well as proof that it belongs to him.
High: total reduction of the risk of fraud. This level of assurance requires to verify that the person is in possession of a biometric or photographic identification element recognised by the Member State receiving the application for an electronic identity. Of course, this element needs to match the alleged identity.

security levels regarding identification

Which companies are affected by the eIDAS Regulation?

The eIDAS regulation mainly affects public sector organisations and trusted service providers established in the European Union. The regulation enables to control trusted service providers, and ensures secure transactions between users, providers and administrative authorities.

If your company uses an electronic signature or an identity verification solution[1], then the eIDAS Regulation has a direct impact on you. To guarantee the legal value of your KYC or electronic signature processes, you must ensure that the solution you use complies with the requirements of the eIDAS Regulation. In other words, that the trusted service provider you chose has all the relevant authorisations.

What are the requirements of the eIDAS Regulation?

The eIDAS Regulation defines obligations for all trusted service providers or Certification Authorities, whether qualified or not. Member States established sanctions in case of non-respect. These service providers must:

Ensure lawful processing of personal data in accordance (repealed by the General Regulation on Data Protection)
Make accessible to persons with disabilities, where feasible, trust services they provide and end-user products used in the provision of those services
Take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide
Notify to the supervisory body (and, where the breach of security is likely to adversely affect them, the natural or legal person concerned) any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein

Trust service providers are liable for damage caused intentionally or negligently to any natural or legal person due to a failure to comply with their obligations. The burden of proving intention or negligence of a non-qualified trust service provider shall lie with the natural or legal person claiming the damage.

How do our IDCheck.io services comply with the eIDAS regulation?

ARIADNEXT is recognised as a trust service provider in accordance with Article 3 (paragraph 19) of the eiDAS Regulation. The conformity of our services is regularly assessed by the ANSSI (National Cybersecurity Agency of France) and the certifications obtained are publicly available.

Our Check’nSign electronic signature solutions are fully compliant with the eIDAS regulation at LCP level (ETSI EN 319 411-1).

Our automated identity verification solutions IDCheck.io are currently being evaluated by the ANSSI services for a substantial level of assurance.