Registration for eIDAS Qualified Trust Services: A Look into the Regulatory Landscape
In the world of eIDAS, understanding the basic concepts of public key infrastructure (PKI) is essential to understanding how registration for eIDAS-type services works. The eIDAS regulation designates the European Commission to point to technical standards, making it a de facto PKI legislation. The ecosystem of parties that solve the problem of encrypted communication requires an actor that registers, or identity proofs, a natural person. These actors are called Registration Authorities (RAs). They work closely with the most important actor, the certificate authority (CA), which provides the technical infrastructure for encryption and hosts the digital identity in what is referred to as a certificate.
The Role of CAs and RAs in eIDAS
Under the eIDAS regulation, there are certification schemes for Trust Service Providers (TSPs) that offer eIDAS-compliant services, including electronic signatures, seals, time-stamping, and electronic delivery services. CAs issue digital certificates that bind public keys to the identity of individuals or entities, while RAs are responsible for verifying the identity of individuals or entities before a digital certificate is issued. RAs perform functions such as identity verification, credential management, and enrollment, and are often intermediaries between CAs and end-users.
Regulatory Landscape of eIDAS Qualified Trust Services
At ZealiD, a frequently asked question is which regulation governs identity proofing and registration, that is, the RA side of things, when it comes to qualified trust services. The answer is that eIDAS does not formally address the registration part. Registration falls under the responsibility of the CA, and it is thus not regulated as such in the eIDAS regulation. However, by using a regulated CA, customers can be sure that the RA method is compliant with eIDAS and meets the provisions of eIDAS regulation article 24.
National Legislation on Registration
The way EU member states have chosen to address registration differs greatly from country to country. In most cases, it is unregulated, as registration is highly technology-driven.
In France, the PVID is a certification scheme for identity verification services that could be used by RAs to provide eIDAS-compliant services. This is arguably the most sophisticated national legislation scheme in the EU, providing quality, clarity, and advanced supervision for all actors in the trust service ecosystem.
In Spain, video identification is regulated under Royal Decree 8/2021, which establishes the legal framework for remote identification and includes specific requirements for video identification processes. The regulation applies to both public and private sector entities and allows for the use of video identification as a means of verifying the identity of individuals remotely. However, Spanish legislation is not technology-neutral and does not promote the Spanish technology sector's innovation.
In Italy, video identification is regulated under Legislative Decree No. 217/2018, which allows for remote identification through electronic means, including video identification. The regulation applies to financial institutions and other entities subject to anti-money laundering regulations and establishes specific requirements for video identification processes. The Italian approach has the same issues as the Spanish regulation.
In Germany, video identification is regulated under the German Anti-Money Laundering Act (Geldwäschegesetz), which allows for remote identification through electronic means, including video identification. Germany was a pioneer in publishing video identification legislation. Some say it was a political move, the product of a million refugees from Syria needing to register for bank accounts remotely within Germany. As such, it was an exception to a highly security-focused technocratic tradition. The regulation applies to financial institutions and other entities subject to anti-money laundering regulations and establishes specific requirements for video identification processes. The German Bundesnetzagentur has historically maintained a list of trust service providers that meet the video ident (VDG) legislation and has thus deemed them compliant with eIDAS.
Remote registration standard ETSI EN 419 261
With the publication of the remote registration standard ETSI EN 419 261, Europe now has a standard for remote identification. This standard provides guidelines for remote identity proofing and registration, and it helps ensure that these processes are secure, reliable, and compliant with eIDAS. The standard covers a range of topics, including registration processes, evidence of identity, and security requirements.
The introduction of this standard is expected to have a significant impact on the registration of qualified trust services in the EU. National legislators and supervisory authorities can now use this standard as a basis for their own legislation and regulatory frameworks. This will help to harmonize the regulation of registration across the EU and provide a level playing field for all actors in the trust service ecosystem.
Germany's adoption of the ETSI EN 419 261 standard
Germany is one of the first EU member states to adopt the ETSI EN 419 261 standard for remote registration. The German Federal Office for Information Security (BSI) has included the standard in its technical guidelines for the implementation of the eIDAS regulation.
The BSI's guidelines provide detailed instructions on how to implement the standard in practice. They cover topics such as the identification of the natural person, the technical infrastructure required for remote registration, and the documentation that must be provided by the registration authority.
The adoption of this standard by Germany is likely to have a ripple effect throughout the EU. Other member states are likely to follow suit and adopt the standard in their own legislation and regulatory frameworks. This will help to harmonize the regulation of registration across the EU and provide a more level playing field for all actors in the trust service ecosystem.
In conclusion, while eIDAS does not formally address the registration part of qualified trust services, the registration methods used by CAs are regulated by supervisory authorities. This means that a relying party looking for a qualified trust service need not assess the registration solution or provider. Once the service has been deemed a qualified trust service, that status meets all relevant compliance demands on the relying party.
In addition, some member states have their own national legislation on registration. However, with the publication of the remote registration standard ETSI EN 419 261, Europe now has a standard for remote identification that can be used as a basis for national legislation and regulatory frameworks. The adoption of this standard by Germany is likely to have a significant impact on the regulation of registration across the EU, leading to a more harmonized and level playing field for all actors in the trust service ecosystem.