1. “Attack vectors”, the new kid on the block
2023 will be the year in which your average company realizes that cybersecurity is a top priority and concern. It will no longer be a CISO or CTO discipline alone: management boards everywhere will need to learn what “attack vectors” are and spend considerable time discussing major changes in organization, process and product to quickly close information security gaps that constitute major risks to reputation, revenue and compliance.
This will also be reflected in management. The U.S. Securities and Exchange Commission has proposed this year to mandate cybersecurity expertise up to the Board of Directors of public companies, and it can be expected that the EU will follow with similar requirements.
As a result, ZealiD expects that we will see companies scrambling to regulated trust services thanks to their solid standards foundation (through ETSI standards), guaranteeing not only organizational and procedural information security but also technical security, public oversight and liability.
2. EU member states shape remote identification requirements
Although eIDAS is a regulation forming national law in all member states, 2023 will see continued activity from different EU member states in forming national regulation supporting eIDAS.
Until mid 2021, the German VDG was the state-of-the-art legislation in the EU on remote identification requirements to meet qualified certificate and signature standards. In 2021, French ANSSI launched their PVID regulation, bringing not only standards to a new level, but also shaping an entirely new state of the art. For the first time, we received legislation that defines methods for AML-KYC, Qualified Certificate Identification, and eID identification for both levels of assurance “substantial” and “high”.
Member states will increase their national eID activities, frameworks and identification requirements, which can be expected to conform with the new ETSI standards on remote identification, where ZealiD projects everything will converge in 4-5 years.
3. Public sector is challenged by citizens in 2023
The public sector in many EU member states is delayed and unfocused when it comes to eIDAS - despite the fact that they are regulated by it. With few online identity schemes rolled out to citizens in the EU, there has been little pressure to actually solve eIDAS-type authentication and e-signing in the public sector.
In Sweden, for example, the Company Registration Authority (Bolagsverket) has taken 6 years from the time eIDAS came into force until its services permitted someone to upload a PDF signed with a qualified signature. And even then an eID is still required for the login and upload itself, which defeats the purpose of the PAdES standard and qualified signing. Countless lawyers and administrators have not yet grasped that eIDAS and EU trust services are perhaps the most powerful tool at their disposal.
In 2023, citizens and private companies will start to pressure the public sector and challenge them on service levels and ease of use, and will start sending them documents signed with qualified signatures.
4. Machine identification is the future - if it is done manually
With the state-of-the-art French PVID requirements launched, we can see three important trends that will change how the identity industry works:
Remote identification is now officially regulated. Forget all black boxes. Bet on eIDAS and ETSI, nothing else.
Pure machine identification is not permitted. The regulator does not trust machines to issue qualified certificates or electronic identities. The fact that this is currently somewhat permitted under the Autoident “innovative methods” provision by the German Bundesnetzagentur should be seen as a local outlier and not state of the art.
France places its government agency alone in the certification position - this is a very new approach. Under PVID, the actual testing of the biometric identification functions used by trust service providers is performed by the Police Nationale and the Gendarmerie.
5. EU Wallet Confusion Continues
At the latest ENISA Trust Services Forum in Berlin (22 October 2022) there was an emerging realization of the detailed effects if the EU Wallet is indeed to be decentralized. The idea that the citizen will carry their data physically on their phone reminded ZealiD participants of the age of smartcards and readers.
This is confusing, given that so much of eIDAS trust services is CA-centric, with qualified signature creation standards aiming for centralized certificates on the server side.
In discussion with the Swedish legislative office in charge of eIDAS, ZealiD learned that “politicians are not interested in identity”. The office was also well aware of the acute issue that Sweden and many other EU countries don’t have an eID scheme that qualifies for level “high” - which is one of the key requirements of the EU wallet.
Add to the wallet confusion that many countries don’t allow for remote onboarding to LOA (Level of Assurance) “high” - although note, PVID elegantly does. So citizens would have to first get an eID through a physical visit to a police station.
With the public sector so far behind, with the foundations of the EU wallet relying on national eID schemes that lack standards (no ETSI standard behind the Swedish eID scheme and no legislation defining remote identification such as VDG or PVID), and with a common ban in national eID schemes on remote identification for level “high” assurance, ZealiD can see a big crash coming in 2023: more than 95% of the EU population will not have a digital eID with LOA “high” while trying to get an EU wallet that is localized.