Decoding eIDAS – Key Concepts & Obligations for Trust Service Providers in the EU
In an ever-evolving digital age, the eIDAS (electronic IDentification, Authentication and trust Services) Regulation provides a framework for secure electronic transactions across the European Union (EU). The eIDAS Regulation focuses on improving the functionality of online services and e-commerce by tackling obstacles related to electronic identification (eID) and trust services among EU member states. The European Digital Identity Regulation (eIDAS 2.0), effective from 20 May 2024, expands on this foundation by standardising digital identification, safeguarding user data, and promoting interoperability.
This article explores the key concepts and obligations outlined in eIDAS and examines their implications for individuals and entities within the EU.
- KEY CONCEPTS IN eIDAS
The essence of eIDAS lies in understanding several key concepts:
Trust Services: Electronic services generally provided for a fee, encompassing electronic signatures, electronic seals, electronic timestamps, electronic registered delivery services, website authentication, electronic attestation of attributes, electronic archiving services, and electronic ledgers.
Qualified Trust Services: Trust services that meet the specific legal and technical requirements established by the eIDAS Regulation to be approved as qualified. These services are only permitted to be provided by Qualified Trust Service Providers (QTSPs), which are classified and supervised by the relevant national authority.
Trust Service Providers (TSPs): Includes both natural persons and legal persons that provide one or more trust services, operating as either qualified or non-qualified providers.
Qualified Trust Service Providers (QTSPs): TSPs that provide one or more qualified trust services and are accredited by a supervisory body. In Cyprus, this supervisory body is the Department of Electronic Communications.
- KEY DIFFERENCES BETWEEN QUALIFIED AND NON-QUALIFIED TRUST SERVICE PROVIDERS
Qualified and non-qualified TSPs differ in their regulatory oversight, legal standing, and assurance levels. While both types of TSPs can offer various trust services, only QTSPs can provide “qualified trust services”. Consequently, QTSPs must adhere to stricter standards and undergo regular audits; in return, they enjoy a presumption of legal validity across the EU, with qualified electronic signatures, for example, carrying the same legal effect as handwritten signatures. Non-qualified TSPs, on the other hand, are subject to fewer regulations, meaning that their services lack automatic legal recognition and may often require additional verification.
Qualified Trust Services under eIDAS are distinguished from non-qualified Trust Services in the following ways:
Highest level of assurance: Qualified Trust Services under eIDAS provide the highest level of assurance and legal recognition within the EU.
Presumption of authenticity and integrity: The output from a Qualified Trust Service is presumed to be genuine in any legal proceeding within the EU.
Cross-border recognition: A Qualified Trust Service from one EU country must be recognised in another, facilitating seamless digital transactions across borders.
- AUTHORISATION
QTSPs obtain qualified status from the supervisory body following an initial audit by a national conformity assessment body. In Cyprus, the competent body is the Cyprus Organisation for the Promotion of Quality (Κυπριακός Οργανισμός Προώθησης Ποιότητας). Regular audits are required to maintain the qualified status. In contrast, non-qualified TSPs are not obliged to notify the supervisory body of their activities but must still fulfil general security and risk management requirements, which will be addressed next. It is important to note that each trust service has its own specific requirements, which are not covered in this article. Granting of qualified status depends on compliance with eIDAS standards, which are outlined below.
- GENERAL OBLIGATIONS FOR TRUST SERVICE PROVIDERS (TSPs)
To ensure secure, reliable electronic transactions whose integrity is preserved, TSPs are subject to the following obligations:
Liability for Damages: TSPs are liable for damages caused by non-adherence to eIDAS obligations, irrespective of intent or negligence. For non-qualified TSPs, the person claiming damages bears the burden of proving intent or negligence in order to establish liability; QTSPs, by contrast, face presumed liability and must themselves show that no fault occurred on their part. QTSPs must have sufficient financial resources and appropriate liability insurance to cover such damages as required by national law.
Security Measures: TSPs must implement adequate technical and organisational measures to mitigate security risks associated with the provision of trust services. The security measures should correspond to the degree of risk and aim to prevent and minimise incidents. In the case of significant security breaches or loss of integrity, TSPs must notify the relevant supervisory body, any other relevant authority and affected users within 24 hours.
Risk Management and Incident Notification: TSPs must have adequate policies and measures in place to manage legal, business, operational, and other risks associated with providing either non-qualified trust services (for non-qualified TSPs) or qualified trust services (for QTSPs). This includes establishing registration and onboarding procedures, conducting administrative checks, and managing and implementing trust services.
In the event of a significant security breach or service disruption, TSPs are required to notify the relevant supervisory body, any other competent authorities, affected individuals, and if needed, the public, within 24 hours.
In accordance with this obligation, TSPs must implement appropriate cybersecurity risk-management measures. These include adopting technical, operational, and organisational measures such as policies on risk analysis and information system security, incident handling, business continuity, and supply chain security, to reduce the consequences of potential incidents.
- SPECIFIC OBLIGATIONS FOR QUALIFIED TRUST SERVICE PROVIDERS (QTSPs)
In addition to the general obligations, QTSPs face stricter requirements, including:
Frequent Audits: QTSPs must undergo audits every 24 months by a conformity assessment body to confirm compliance. Reports must be submitted to the supervisory body within three working days of receipt. QTSPs must also inform the supervisory body one month in advance of any upcoming audits and must allow participation by the supervisory body upon request.
Service Changes: QTSPs must inform the supervisory body one month before any change in their services, and must give three months’ notice if they intend to cease services.
Personnel Requirements: QTSPs must employ reliable, experienced and qualified personnel, and where necessary subcontractors, ensuring that they are trained in security and personal data protection.
Transparency of Terms and Conditions: QTSPs must provide users with clear, comprehensive and easily accessible terms and conditions, including limitations on use of service, before engaging contractually.
Data Storage: QTSPs must store data on a trustworthy system in a verifiable manner, ensuring public access when user consent is obtained, restricting data changes to authorised personnel, and allowing verification of data authenticity.
Record Keeping: QTSPs must maintain records of all relevant data issued and received for future legal proceedings and to ensure service continuity, even after services have ceased.
Termination Plan: QTSPs must establish a termination plan to ensure the continuity of service, in line with the supervisory body’s provisions.
Certificate Revocation: QTSPs that issue qualified certificates must register and publish the revocation status of any certificate within 24 hours of receiving the request, ensuring this information is accessible, reliable and free to the public.
EU Trust Mark: QTSPs using the EU trust mark, which indicates compliance with eIDAS standards, must provide a link to the relevant trusted list on their website.
- CONSEQUENCES OF NON-COMPLIANCE AND IMPLICATIONS FOR INDIVIDUALS AND ENTITIES
In addition to any liability for damages that TSPs may face, non-compliance by TSPs can result in administrative fines of up to €5 million for natural persons. For legal persons, the fine may be up to €5 million or 1% of the total worldwide annual turnover from the prior financial year, whichever is higher. These penalties highlight the importance of compliance with the obligations of the eIDAS Regulation for both non-qualified TSPs and QTSPs.
- CONCLUSION
The eIDAS Regulation is instrumental in creating an internal market for digital services within the EU by introducing qualified trust services and setting clear standards that foster trust, transparency and accountability in digital transactions for businesses and individuals alike. This framework enables the mutual recognition of qualified trust services across EU member states, facilitating smooth cross-border transactions and enhancing interoperability, which in turn strengthens the overall EU digital economy. In the next article of this series, we will continue our exploration of the eIDAS framework and its impact on the digital landscape.
Disclaimer
This guide contains information for general guidance only and does not substitute professional advice, which must be sought before taking any actions.