In the first quarter of 2024, the final draft of the eID Regulation amending eIDAS (commonly referred to as eIDAS2) was published by the European Parliament and the Council of the European Union as file 2021/0136(COD) and documents PE 68 2023 INIT and PE 68 2023 COR 1. Because the published draft is an amending text rather than a merged one, the resulting final text is hard to review. To make the changes easier to follow, Microsec has produced a consolidated version (in English) with tracked changes, so that it is easy to see which article is being changed and how.
The downloadable material also provides a brief summary of the most significant new features, changes, errors and deadlines in the draft. (PDF)
The final draft eID Regulation amends eIDAS as follows:
- eIDAS originally consists of 52 Articles.
- Of these, 37 are unmodified or only minimally modified, 2 have been deleted and 11 have been significantly modified.
- The new draft regulation adds 33 new Articles, so the draft eID Regulation ends up with 82 Articles.
Roughly two thirds of the new Articles cover requirements for new services. The new services are:
- EDIW (European Digital Identity Wallet)
The EDIW is a mobile wallet service that allows you to share your identity (to identify and authenticate yourself) and other attributes from your mobile phone, primarily towards public administration and connected services. It is planned to be used for both online and offline transactions. Every EU Member State is required to provide such a wallet.
The requirements cover the following areas: requirements for the wallet itself, requirements for relying parties that accept the EDIW, requirements for certification, requirements for the Wallet Trust List and mandatory acceptance at EU level.
- attribute attestation service
A qualified attribute service certifies our attributes; the electronic attestation of attributes it issues is legally equivalent to the paper form. This means that we can obtain a valid electronic attestation from a qualified service provider about, for example, our personal data, education, age, marital status, driving licence or identity documents.
A special case is the public sector body attribute service: an attribute service provided by the administrative manager of a given authentic source (e.g. a government agency), which returns the data it manages in the form of an attestation of attributes. The attestation issued is legally equivalent to a qualified attestation of attributes, and its technical security requirements are as strong as those required of a QTSP.
- archiving
Archiving differs from preservation in that it is no longer only digitally signed data that can be accepted, but any electronic data. (The preservation service, by contrast, covers the preservation of digitally signed data.)
- ledger
The ledger service guarantees the chronological order and integrity of the data records entered into it.
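The two properties named above, integrity of each record and the correctness of their chronological ordering, are exactly what a hash chain provides. The following is an added illustration written for this summary, not code from Microsec or from the Regulation, which does not prescribe any particular construction; the record layout, the hypothetical attestation events and the timestamps are constructed for the example.

```python
import copy
import hashlib
import json

# Hash of the (non-existent) record before the first one.
GENESIS = "0" * 64


def _digest(record: dict) -> str:
    """SHA-256 over a canonical JSON encoding, so equal records hash equally."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append(ledger: list, data: str, ts: str) -> dict:
    """Append one record; it commits to its predecessor via 'prev'."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    body = {"seq": len(ledger), "ts": ts, "data": data, "prev": prev}
    body["hash"] = _digest(body)  # hash covers seq, ts, data and prev
    ledger.append(body)
    return body


def verify(ledger: list):
    """Return (True, None) if the chain is intact, else (False, reason)."""
    prev_hash, prev_ts = GENESIS, None
    for i, rec in enumerate(ledger):
        if rec["seq"] != i:
            return False, f"sequence gap at position {i}"
        if rec["prev"] != prev_hash:
            return False, f"broken link at seq {i}"
        unsigned = {k: v for k, v in rec.items() if k != "hash"}
        if _digest(unsigned) != rec["hash"]:
            return False, f"content modified at seq {i}"
        # ISO 8601 UTC strings of equal format compare correctly as text.
        if prev_ts is not None and rec["ts"] < prev_ts:
            return False, f"timestamp out of order at seq {i}"
        prev_hash, prev_ts = rec["hash"], rec["ts"]
    return True, None


def build_sample() -> list:
    """Constructed sample ledger of hypothetical attestation events."""
    ledger = []
    append(ledger, "attestation issued: driving licence", "2024-03-01T10:00:00Z")
    append(ledger, "attestation revoked: driving licence", "2024-03-02T09:30:00Z")
    append(ledger, "attestation issued: diploma", "2024-03-03T12:15:00Z")
    return ledger


def tamper_content(ledger: list) -> list:
    """Silently undo the revocation without recomputing the hash."""
    bad = copy.deepcopy(ledger)
    bad[1]["data"] = "attestation issued: driving licence"
    return bad


def tamper_order(ledger: list) -> list:
    """Swap two records to change the apparent order of events."""
    bad = copy.deepcopy(ledger)
    bad[1], bad[2] = bad[2], bad[1]
    return bad


def tamper_backdate(ledger: list) -> list:
    """Backdate the last record and re-hash it so the content check passes."""
    bad = copy.deepcopy(ledger)
    bad[2]["ts"] = "2024-01-01T00:00:00Z"
    bad[2]["hash"] = _digest({k: v for k, v in bad[2].items() if k != "hash"})
    return bad


if __name__ == "__main__":
    sample = build_sample()
    print(verify(sample))
    print(verify(tamper_content(sample)))
    print(verify(tamper_order(sample)))
    print(verify(tamper_backdate(sample)))
```

The backdating case shows the limit of a bare hash chain: whoever operates the ledger can rewrite the tail and recompute the hashes, so in practice the head hash has to be anchored outside the operator's control (for example by a qualified electronic time stamp) before third parties can rely on the ordering.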
Among the amendments to the existing eIDAS text, the most significant changes are:
- Managed Remote Qualified Signature Creation Device (RQSCD) is now a separate service.
- Requirements are introduced for non-qualified trust services.
- Qualified trust services are also supervised by the NIS2 supervisory body, and NIS2 requirements must be met.
- The identification and verification requirements for qualified certificate issuance are changed:
- EDIW is introduced as a possible identification method.
- For remote identification, an identification solution of assurance level high is required, but the solution does not have to be recognised at national level.
- A certificate issued on the basis of remote identification can be a qualified certificate for qualified electronic signatures.
- Depending on the outcome of an assessment by the Commission, a Commission implementing regulation on the standard for advanced electronic signatures may follow (within 24 months).
- The validity of the certification of Qualified Signature Creation Devices (QSCD) must not exceed 5 years, and a vulnerability assessment is required every 2 years.
- There will be regulation of the verification of advanced signatures based on QSCD.
- Devices with SSCD certification can be used only for 36 months after the Regulation enters into force.
- RQSCD services already in operation at the date of entry into force of the eID Regulation can be considered compliant without a compliance assessment for 24 months.
- Member States have 24 months to give qualified service providers access to a credible source of the data listed in Annex VI.
- Commission implementing acts referencing a standard or procedure are expected for 10 Articles within 6 months of the Regulation's entry into force, and for a further 21 Articles within 12 months.
The proposed amendment contains errors, the most notable of which are:
- Article 24 does not allow attributes to be verified using a public sector body attestation of attributes, because that attestation is missing from the list of accepted methods.
- A few paragraphs that the amending regulation is meant to repeal nevertheless remain in force.