Blog: Trust and electronic identity: staying secure in the digital world

Reproduced with thanks from A. (Andrus) Ansip, published on Friday 4 May 2018.

I have often talked about the need for trust in the online environment. It is a basic condition that must exist within any digital economy or society, and of course for the Digital Single Market (DSM) that we are now building in Europe.

The principle of online trust applies across the digital world: to the constant battle against cybercrime, to preventing the misuse of people's personal data, to strengthening the rights of online shoppers.

It is closely linked with secure digital identity and authentication.

Around the world, governments and businesses use tens of millions of digital identities.

When you add in consumer and social activities, that number gets a lot larger.

It has never been so important to share information, and to do so securely.

One of the best ways to achieve this is to use trusted electronic identification (eID) and trust services, like e-signatures and e-seals.

People should be able to use their e-signature across the entire EU single market, in both public and private sectors. And companies should have confidence in the parties they are doing business with.

The EU designed the eIDAS regulation for this very purpose.

eIDAS provides the legal environment for people in the EU to shop online safely and conveniently, use online financial and public services, set up a business - all beyond their own countries.

Companies and individuals can then use national eIDs when they do business or reside in another EU country.

It is important to remember that eIDAS does not aim to align national eID systems.

But it does make sure that other countries have to recognise national systems which are already notified - and comply with eIDAS. This will apply across the EU from September 29 this year.

The key word here is 'notified'.

For national eID to make a real difference to people's lives, eIDAS requires a government to notify its eID system to other EU countries which must then work together to review it.

Germany was the first country to notify, in August 2017. Italy followed a couple of months later with a pre-notification.

Croatia, Estonia, Luxembourg and Spain came next, in February 2018 - including the first ever mobile eID to be notified. This is significant - because while eID needs to be safe, it should also be easy to use, especially given today's prevalence of mobile devices.

In Europe, 84% of the population were unique mobile subscribers at the end of 2016, according to GSMA figures.

This is why the European Commission encouraged the GSMA to work on a pilot project to link eIDAS with its multi-purpose identity Mobile Connect and the convenience of using a mobile device.

Mobile Connect is now supported by 60 mobile operators in more than 30 countries, and available to more than three billion people.

The GSMA report showed that trusted eID under eIDAS can be used as a basis for secure access to digital services with authentication credentials in mobile environments.

eID: the sooner, the better

To return to eID notifications in the EU, this is all good news from the countries concerned.

But given the looming end-September deadline for cross-border mutual recognition under eIDAS, six countries out of 28 is just not enough.

We need to speed up. More EU countries need to present their eID systems, and as soon as possible.

I cannot underline enough how important this is for building the wider DSM - which will become more integrated as more eID systems and trust services are recognised across EU countries.

The sooner they do this, the quicker life becomes easier for everyone.

More people, businesses and public administrations will be able to access and use online services conveniently, reliably and responsibly - everywhere in Europe.

Banking, corporate and public services, domestic utilities. Filing tax returns, authorising access to electronic medical records, enrolling at university.

Given how many sectors and areas of daily life are affected by eIDAS, the European Commission is working hard to incorporate its principles as broadly as possible.

The Single Digital Gateway and "once only" principle are good examples. In addition, the Commission has just published a marketing plan to stimulate uptake of eID and trust services for the DSM.

On the more immediate and practical side, I would mention the EU Student eCard that is being planned (you can read the feasibility study here): the "once only" principle applied to higher education.

It will rely on trusted eID to support students applying to any school or university in the EU.

It will use secure exchange of data - like student records and academic attributes - and allow access to services such as course materials and online libraries in hosting institutions and countries.

The idea is to launch a pilot project next year and be able to offer it to all mobile students by 2025.

With online platforms, whenever strong authentication is needed for access, people can use their eID to control and limit sharing of personal data to the minimum.

Of course, technical compatibility is vital - and the European Commission is working on a set of principles and guidelines on eID interoperability via a public consultation.

Congratulations to all the countries that have already notified their eID scheme, an encouraging example for others to follow - and I hope that is soon.

You can read more about eIDAS and eID here. Another blog soon.