Remote Identity in the EU: 3 Takeaways from ENISA Workshop on Remote Video Identification
Taking place on the 10th of May, the ENISA workshop on Remote Video Identification gathered remote identity proofing providers and representatives of regulatory bodies in the EU. It was a unique opportunity for industry players to network, discuss regulatory and operational challenges they’re currently facing, and learn about future developments. But according to our Chief Product Officer (CPO) Tomas Zuoza, instead of bringing along a diverse spectrum of challenges and nuances, this event revealed several key limitations and struggles that are, to a varying extent, currently affecting every remote identity proofing provider in the EU.
1. Remote ID proofing providers are experiencing more pressure in terms of security and user experience than ever before
Starting with the urgency to ensure complete data security, which is a key concern for everyone involved, remote identity proofing providers are witnessing a big shift in the state and scope of cyber attacks. The main reason for it is malware availability: according to the iProov Biometric Threat Intelligence 2023 Report, just 2-3% of threat actors today are advanced coders. Nowadays plug-and-play kits are available to everyone (most of them at a low cost, too), and it’s up to ID service providers to stay one step ahead.
As for the user experience part, by now it’s very clear that remote services are here to stay. Digital methods are being prioritized over processes with manual elements in them, and solutions for 100% remote, self-service identity verification is, quite frankly, the only way forward for remote ID proofing providers. That said, many providers within the trust services industry don’t have such methods in place yet as the process of introducing them comes with regulatory limitations and nuanced security concerns.
2. Current regulations no longer reflect the current state of affairs in the industry, causing limitations to service providers
New regulations come in on a somewhat regular basis, urging trust service providers to continuously update their practices for compliance purposes. But according to Tomas, the ENISA workshop clearly showed that, in practice, the regulatory network is focused on keeping up with the current state of affairs, with little to no attention being paid to the future. That leads to an outdated regulatory network, leaving gaps and putting extra pressure on service providers to fill them as user expectations evolve and new security concerns come in.
Another key concern here is the misalignment between national regulations in EU member states. According to our CPO, despite being under the umbrella of EU regulations, member states still have different certification schemes for trust service providers, allowing them to “shop around” and get certified wherever the requirements for it are the more favorable.
But the real pain point here are national limitations to identification methods - especially NFC-based identity proofing. “Everything can run smoothly as long as users present passports, which are very similar in every EU member state. ID cards are an entirely different story - every country has its own version, and some countries (France, for instance) don’t allow NFC-based identity proofing by law. Trust service providers want to move to NFC-based identity proofing because it’s secure and reliable, but at the moment designing an identification process that would work for all EU member states just isn’t possible,” Tomas notes.
3. Networking and open discussions are crucial for putting industry players and regulatory bodies on the same page
As this event clearly showed, remote ID proofing providers are facing similar challenges and seeing similar tendencies. Having open conversations about them is essential for progress and effective problem solving - both in terms of regulatory alignment and future-proofing. “Seeing how quickly this industry evolves, every event is a unique opportunity to grasp the big picture and come back to work with new insights and lessons,” our CPO says.
Protecting remote identity across EU is a matter of consistency and collaboration, in turn giving such events the power to inspire, or even directly influence future developments. Following up on the conversations that took place during this event, we will share further, more in-depth insights on the current state and future of fraud in our blog shortly.