This year, the final week of October marked two key events for trust service providers. The Trust Services Forum was organized by ENISA and the European Commission on the 27th, and CA Day was set up by D-TRUST, TÜViT and ESMT on the 28th. Taking place back to back, both events presented a clear picture of the upcoming regulatory developments and challenges that will affect the implementation of trust services in the near future.
ZealiD's Chief Product Officer Tomas Zuoza and CTO / Security Officer Robert Hoffmann were there to discuss those updates with other trust service providers first hand. Reflecting on the conference from a practical standpoint, they highlighted three issues that are challenging trust service providers today.
Upcoming launch of eIDAS 2 directive
When it comes to eIDAS 2, one of the main talking points is the implementation of European Digital Identity (EUDI) wallets. Allowing users to store documents and other personal information locally, in a decentralized way, on their own smartphone is a strong and necessary shift towards data privacy. Even so, in their present state, mobile operating systems can't guarantee the level of security that this shift needs. That is a major security concern for trust service providers, who are expected to establish and support the new model from day one.
As it is an entirely new concept, collaboration and transparency within the field of trust services are essential to success. "This is a dynamic challenge, too. As the newly introduced Digital Markets Act lessens the presence of app stores and other gatekeepers, it brings yet another variable to the table that we can't overlook. Creating a trust base for documents and other items in digital wallets is a tough nut to crack. But the systems that the industry often has in place today make it very easy for users to lose control of their personal information, and that needs to change", notes Tomas.
The identity industry as a whole is already taking a crack at the EUDI Wallet by introducing so-called Verifiable Credentials, which take the form of an OpenID specification or are powered by a Self-Sovereign Identity solution. That even extends to a global business identifier named GLEIF, which is emerging as a candidate for inclusion in qualified eSeal naming. It is refreshing to see how an updated regulation is driving innovation and the search for the most user-friendly implementation, especially as the proposal to use only eID High for QES will only increase trust within an already quite trustworthy environment.
NIS2 directive and additional security requirements for trust service providers
The new version of the NIS directive comes in response to heightened exposure to cyber threats. It introduces new cybersecurity requirements, raising the regulatory bar for trust service providers in the EU. The biggest challenge concerns the new vetting requirements for supply chains and supplier relationships.
"NIS2 will bring a new level of complexity to our vetting process. But when it comes to the big picture of trust service providers in the EU, the difficulty of meeting the new requirements is a matter of maturity. We established a vetting process of our own from the get-go, so for ZealiD NIS2 comes as an update rather than an entirely new process. For trust service providers who don't have that base, the new requirements will pose a significantly bigger challenge", says ZealiD's Security Officer Robert Hoffmann.
Misaligned QWAC certification procedures and auditing schemas
The eIDAS Regulation and the ETSI standards have been championing a consistent and unified regulatory framework across all EU member states for years now. But in reality, national regulatory differences still pose operational challenges to service providers in many industries. Reflecting on the conference, Robert highlighted two key aspects that came up:
QWAC certification criteria
Displaying Qualified Website Authentication Certificates (QWACs) in a clear and visible way is crucial for establishing a trust base with European citizens. Even so, for this to happen, the issuing CAs need to be trusted by the web browser in the first place, and that's where regulatory misalignment comes in. The root cause is that, to this day, each browser maintains its own CA store, to which it adds or from which it removes the CAs it considers trustworthy. Also, since browsers operate on a global scale, aligning their certification criteria with the EU's is a complex matter. Together, these issues make up a multi-layer disagreement between EU regulatory authorities and the CA/Browser Forum. "This disagreement has not been dissolved yet, but both sides have a common goal: to make the experience on the web for all the users as smooth as possible. There is a strong interest for them to cooperate and find a solution", Robert notes.
Auditing framework for trust service providers
As regulatory requirements keep coming in, the need for auditing is also growing. Even so, auditing schemes still differ from one EU member state to another, causing cross-border trust issues along the way. "As necessary as it is, auditing is also expensive and time-consuming. So there is a common interest in making it as smooth as possible. Aligning on what should be audited and how those audits should be carried out will benefit everyone involved, so driving a constructive conversation on this matter is absolutely necessary", according to Robert.
Reflecting on the situation in a broader sense, ZealiD's Chief Product Officer Tomas Zuoza also points to the additional challenge of sustaining a user-friendly approach. "As regulatory updates continue to raise the security bar for trust service providers, delivering full compliance without compromising on user experience is tough. But it's a challenge that comes with the field we're in. Taking a user-centric approach from day one, we've already built a strong foundation to rely on in the face of change", he notes.