ZealiD Blog

What eIDAS 2 Means for Trust Service Providers

Written by ZealiD Team | Sep 06, 2024

Executive Summary

The European Union's introduction of eIDAS 2 (Electronic Identification, Authentication and Trust Services) represents a significant evolution from the original eIDAS regulation implemented in 2014. The revised framework aims to enhance cross-border digital transactions by broadening the scope of digital identity and trust services across the EU. For trust service providers (TSPs), eIDAS 2 introduces new challenges and opportunities, mandating technological updates and operational adjustments to stay compliant and competitive. This article explores the key changes brought by eIDAS 2, comparing them to the original regulation, and provides actionable insights for trust service providers to adapt to the new regulatory environment.

 

Introduction

The eIDAS regulation, initially established in 2014, set a foundational framework for secure electronic interactions across Europe. It provided legal recognition for electronic signatures, seals, timestamps, and other trust services, enabling a secure digital single market. However, with the digital landscape continually evolving, the European Union has introduced eIDAS 2, which expands and updates the regulatory framework to address the needs of a more interconnected digital economy.

For trust service providers, eIDAS 2 represents not only regulatory compliance but also an opportunity to innovate and expand their services. This article discusses the significant changes introduced by eIDAS 2, highlighting the operational and technological impacts on trust service providers.

Key Differences Between eIDAS and eIDAS 2

  1. Expansion of Digital Identity Scope

    One of the most prominent changes in eIDAS 2 is the introduction of the European Digital Identity Wallet. Unlike the original eIDAS, which primarily focused on electronic identification (eID) and trust services, eIDAS 2 expands its scope to include a comprehensive digital wallet. This wallet allows citizens to store and manage a variety of digital credentials, such as driver's licences, diplomas, and bank account information, alongside their eID. For trust service providers, this means developing and supporting technologies that are compatible with a broader range of digital credentials and ensuring seamless integration with the new digital wallet infrastructure. The key for trust service providers is to find use cases that work, scale and can become profitable, rather than building for the sake of hype or technology. A good place to start is eyeing what Microsoft and others are doing with verified credentials.

  2. Mandatory Digital Identity for All Member States

    While the original eIDAS regulation did not require all EU member states to offer eID schemes, eIDAS 2 mandates that every member state provide its citizens and businesses with access to a government-issued digital identity. This requirement increases the potential user base for trust services significantly. Trust service providers must now prepare for increased demand and scalability, ensuring their systems can accommodate a higher volume of users and transactions while maintaining high levels of security and privacy. The prime candidate for initial increased volume will be qualified certificates and signatures.

  3. Enhanced Security and Privacy Measures

    eIDAS 2 places a stronger emphasis on security and privacy, reflecting the increasing importance of these aspects in the digital age. It introduces stricter requirements for trust service providers to protect user data and ensure secure transactions. This includes more robust encryption standards, improved incident response procedures, and more rigorous auditing and compliance checks. In addition, because they are required to follow the NIS2 Directive, providers will have to improve their supply chain security as well. Trust service providers will need to invest in advanced security technologies and adopt more comprehensive privacy measures to comply with these new requirements. Qualified trust service providers will experience less change, as they are already required to meet very high information security standards.

  4. Broader Recognition of Trust Services

    Under the original eIDAS, only certain trust services, like electronic signatures and seals, were granted cross-border recognition. eIDAS 2 expands this list, offering mutual recognition of a wider array of trust services across the EU. This change provides trust service providers with an opportunity to expand their offerings and market reach. However, it also requires them to adapt their services to meet the varying legal and technical standards of different member states, which may involve significant operational adjustments.

  5. Support for Emerging Technologies

    eIDAS 2 acknowledges the rapid development of new technologies and includes provisions to accommodate advancements such as blockchain, biometrics, and artificial intelligence. Trust service providers are encouraged to innovate and integrate these emerging technologies into their offerings. This could mean investing in new infrastructure, retraining staff, or partnering with tech companies to develop compliant solutions that leverage these technologies. 

    Remote identification is probably one of the areas that will see the most emerging technology. Citizens expect a mobile-first, user-friendly, localised onboarding experience that balances fraud prevention with simplicity.

Calls to Action for Trust Service Providers

  1. Upgrade Security Protocols and Infrastructure

    In light of eIDAS 2’s enhanced security requirements, trust service providers should conduct thorough audits of their existing security protocols and infrastructure. Upgrading to the latest encryption standards and implementing robust cybersecurity measures are critical steps in maintaining compliance and ensuring the protection of user data. ETSI standards will lead the way as usual. 

  2. Develop and Test Compatibility with the European Digital Identity Wallet

    Trust service providers should focus on developing solutions compatible with the new European Digital Identity Wallet. This includes ensuring seamless integration and interoperability with the wallet’s functionalities and supporting a wide range of digital credentials. Focus on finding volume use cases before building, though.

  3. Prepare for Increased Demand and Scalability

    With eIDAS 2 mandating digital identity for all EU member states, trust service providers must prepare for a significant increase in users. This involves scaling their operations, enhancing server capacities, and optimizing performance to handle higher transaction volumes without compromising service quality. This should also involve enabling major platform players in document management and eSigning.
     
  4. Expand Service Offerings to Align with Broader Recognition

    Given the broader recognition of trust services under eIDAS 2, trust service providers should consider expanding their range of services. This could include offering additional trust services that are now eligible for cross-border recognition, thereby tapping into new markets and increasing revenue streams.

  5. Invest in Emerging Technologies

    To stay competitive and innovative, trust service providers should explore the integration of emerging technologies like blockchain and AI into their services. By investing in these technologies, providers can offer cutting-edge solutions that meet eIDAS 2 requirements and provide added value to their clients.

Conclusion

eIDAS 2 marks a significant evolution in the EU's digital landscape, introducing new opportunities and challenges for trust service providers. By understanding and adapting to the key changes brought by this regulation, providers can not only ensure compliance but also position themselves for growth and success in an increasingly digital economy. The key to thriving under eIDAS 2 lies in proactive adaptation, technological innovation, and a commitment to security and privacy.