On 9th February 2023, the ITRE commission of the approved eIDAS2. EU MEPs passed the regulation to make eIDAS Identification schemes have to use LoA ‘High’ rather than any other. MEPs gave their green light to enter into inter-institutional negotiations, pending formal approval during the 13-16 March plenary session. It will be interesting to see the final adopted version as it might change during inter institutional negotiations.
Moreover, the European Commission has published the first version of the Architecture and Reference Framework (ARF) under the Commission’s guidance. This document includes concepts derived from the eIDAS 2.0 legislative proposal and outlines the requirements, recommendations, and specifications for the European Digital Identity (EUDI) Wallet. Methics will write a detailed blog on ARF and proposed model for EUDI Wallets.
Key points coming into force are:
- The European Digital Identity Wallet: it will have to be certified at level ‘high’ and built on ‘privacy-by-design’, ‘security-by-design’ & open source architecture.
- Zero Knowledge Proof (ZKP) & ‘selective disclosure’ will be core functions of the wallet, as is the use of pseudonyms.
- All EUDI Wallets need to act as a QSCD be able to provide Qualified Electronic Signature or Seal
- Member states will have now 18 months (not 12 months) to make EUDI Wallets available for their citizens/residents. Usage by citizens/residents is optional.
- Every member state has to notify at least one wallet, providing the option to recognise multiple wallets from one member state.
- Apart from Member state e-gov services, Big platforms (acc. to Digital Markets act) are mandated to support the wallet for authentication.
The electronic identification of individuals or legal entities have been tackled over the years in different pan-European projects. Few of the most used eID systems throughout Europe are working with a LoA substantial. Some examples of LoA substantial systems are:
- The SPID identification scheme in Italy, with 33 million active citizens;
- The Swedish BankID and FrejaID+1, with over 8 million users;
- The Danish NemID/MitID, with more than 5 million citizens;
- And the French FranceConnect, with over 41 million users, which is also in the phase of update from LoA low to LoA substantial.
‘Substantial and High are two levels in discussion for the ID Wallet scope. It is not completely resolved yet. What is clear that Wallet will be on High level of assurance to have mutual recognition among member states. As cybersecurity risks are not decreasing, it is good to aim for high level of security. Moreover there is a plan in discussion for path member states with substantial LoA can follow to achieve high LOA.’
Gregory Kuhlmey, Digital Identity programme manager at IDEMIA. IDEMIA is currently leading the consortium behind EUDI Wallet pilot 2
At Methics we believe, this is an incredible step by EU to make High LoA mandatory for the Wallets. As pointed out by Eurosmart in their position paper, EUDI Wallets should be reliant only on High LoA.
As a non-venture capital backed product development house, Methics has a unique approach to the business of technology creation. Our technology is based on open-standards. Methics has supplied its award-winning Kiuru MSSP platform as a solution for critical business applications and several national identity management systems for mobile devices, SIM cards, eSIM devices as well as smartphone apps. The platform orchestrates services like Mobile ID, eIDAS QTSP, strong authentication, and high LOA digital signatures. Methics’ products offered under ‘Kiuru’, and ‘Alauda’ products provide multiple digital identities and certificates, support remote and local key stores, and smartphone app keystores. Methics’ technology offers complete and flexible implementation of ‘high’ and ‘substantial’ LoA PKI solutions. Feel free to get in touch with us if you want to discuss the presented model and how SSCD/QSCD can be provided from EUDI wallet to European residents.
Publish Date: 10 February 2023
Written and Edited by: Ammar Bukhari & Jarmo Miettinen
References:
- https://www.europarl.europa.eu/news/en/press-room/20230206IPR72110/meps-back-plans-for-an-eu-wide-digital-wallet
- https://www.euractiv.com/section/digital/podcast/the-european-digital-identitys-pilot-project/
- https://thepaypers.com/digital-identity-security-online-fraud/cloud-signature-consortium-warns-on-eidas-2-risks–1260176
- ARF: https://drive.google.com/file/d/1cAOx1TaPJaWlsDxDZxieUQaDB2ZwagpE/view