The State of eIDAS eID and impact on the EU wallet
Today, the EU is divided between progressive countries like France, which has launched clear legislation on remote identification mapped to eID, and countries like Sweden, which lack remote onboarding legislation altogether.
One of the main issues for the EU to solve is that many countries will not accept eID at the highest level of assurance, “high”, when users register remotely. There is a further discrepancy in whether or not member states allow private initiatives on the eID side.
There will be no successful roll-out of the EU Wallet unless there is successful provisioning of eID, specifically eID High and, even more so, eID High issued remotely.
We cannot expect users in 2023 to acquire, maintain and reset passwords, so biometrics at the time of onboarding (on a smartphone) is key. And no one will benefit from a hybrid approach where member states try to upgrade level of assurance “substantial” by means of extra security measures.
Remote onboarding is a must, as is allowing private companies to bring the necessary innovation to satisfy consumer and corporate needs. And finally, the EU needs one technical standard that clearly defines the information security, biometric and liveness requirements of remote onboarding.
Ideas for improvement:
- The EU needs to adopt one ETSI standard and regulation making the eID as standardised as qualified trust services. The private sector won’t support legally uncertain and fragmented
- The EU has to harness the innovation of the private sector to solve eID high and to solve the EU wallet. That is not what we are seeing in the market.
- The EU must allow remote identification, as France and the latest ETSI standard TS 119 461 do, for the EU wallet to have any chance of being adopted.
- The EU needs to prevent individual member states from making a big mess out of “one digital identity” and put significant pressure on public digital service offerings. An unscientific guess is that, although required by law to accept them, 50% of EU public authorities don’t know what a qualified signature is when they receive a PDF via email from an EU citizen.
How eID developed since eIDAS inception 2016-2021
eIDAS (Electronic Identification, Authentication, and Trust Services) is a regulation put in place by the European Union to ensure secure and trustworthy electronic transactions within the EU. The regulation was adopted in 2014 and came into force on July 1, 2016. Its main goal is to facilitate e-commerce and e-government services by creating a single market for trust services, by establishing common technical standards for electronic signatures and seals, and by setting up a framework for mutual recognition of electronic identification schemes among EU Member States.
In the years following the implementation of eIDAS, electronic identity (e-identity) has become an increasingly important topic in the EU. The regulation has played a crucial role in promoting the development and use of e-identity systems across the EU, with an emphasis on secure and user-friendly systems that protect citizens' personal data and rights.
In Germany, the development of e-identity has been driven by the federal initiative "Ausweis" which was launched in 2017. The initiative aims to provide citizens with a secure and efficient way to identify themselves online, for example when accessing government services, and to ensure that personal data is protected. The initiative is being developed by the German Federal Ministry of the Interior, Building and Community (BMI) in cooperation with the Federal Office for Information Security (BSI) and the German states. At the moment, "Ausweis" is still in development and the initiative is expected to be implemented gradually over time, with an emphasis on involving citizens in the process and ensuring that their data is protected and their rights are respected. The penetration of e-identity as an online eID tool for citizens in Germany is not publicised, but a ZealiD guesstimate is that it is still very low, given that citizens need a PIN code as a second factor and some kind of mobile app to read the RFID chip on the physical identity card. Generally, Germany is considered less open to digital from a privacy point of view.
In Italy, the development of e-identity has been driven by the Italian Digital Agenda, which aims to promote the use of digital technologies in government and business. The Italian government has implemented a number of initiatives to support the development of e-identity, including the development of "SPID" (Public Digital Identity System), a system for secure and user-friendly access to online public services. The SPID system allows citizens to use a single set of credentials to access multiple online services, including those provided by the government and the private sector. SPID is said to have 33 million users, reaching 63% of the adult population in Italy. One of the reasons penetration is so high is the predominant eIDAS eID Substantial (SPID Level 2), which can be created relatively easily with an Italian ID document.
In France, the development of e-identity has been driven by the French Digital Republic Act, which was adopted in 2016. The Act aims to promote the use of digital technologies in government and business, and to ensure that citizens' rights and personal data are protected. The French government has implemented a number of initiatives to support the development of e-identity, including the development of the "France Connect" system, which allows citizens to use a single set of credentials to access multiple online services, including those provided by the government and the private sector. It is difficult to understand what the penetration is; some French government sources state that there are approximately 10 million users.
In Spain, the development of e-identity has been driven by the Spanish Digital Agenda, which aims to promote the use of digital technologies in government and business. The Spanish government has implemented a number of initiatives to support the development of e-identity, including the development of the "Cl@ve" system, which allows citizens to use a single set of credentials to access multiple online services, including those provided by the government and the private sector. The penetration of e-identity in Spain is low, but it is very difficult to tell how much is attributable to the physical DNI card and how many users have access to a second-factor PIN code to unlock an eID.
In Holland, the development of e-identity has been driven by the Dutch Digital Identity program, which aims to provide citizens with a secure and efficient way to identify themselves online, for example when accessing government services, and to ensure that personal data is protected. The program is being developed by the Dutch government in cooperation with the private sector.
In Sweden, the development of e-identity has been driven by the Swedish e-Identification program, which aims to provide citizens with a secure and efficient way to identify themselves online, for example when accessing government services, and to ensure that personal data is protected. The program is being developed by the Swedish government (DIGG) in cooperation with the private sector. In reality, the Swedish eID scheme is owned by the private sector (“BankID”), with a whopping 90% of adults having a BankID. BankID became an eIDAS eID only as late as 2020. In general, the Nordics and Baltics are best of breed in eID usage (especially the rare case of Estonia), but this is not due to the government being successful (except in Estonia); it is due to banks proliferating smartphone-based PKI schemes to their users over the past decades and then, after adoption, transforming these into eIDAS-type national eID schemes.
Enter the EU Wallet in 2022
The EU Commission proposes a new legislation package on an EU wallet. The Commission states that “Every EU citizen and resident in the Union will be able to use a personal digital wallet.” The thought is that, thanks to a proliferation of EU eID in the hands of all citizens, a combination of public and private services shall make a wallet available where a citizen can store digital attestations, e.g. a driver’s licence, vaccine certificates and more. Based on the summer 2022 proposal to amend eIDAS with the EU wallet, the Council has now adopted a “General Approach”.
Fast forward into the inner workings of the proposal and we all of a sudden realise that the EU is proposing that citizens use an eIDAS identity of the highest level of assurance: “high”. The penetration (actual digital usage) of eIDs of any level in the EU is already low. Requiring eID high to identify for the EU wallet makes the EU penetration dismal.
So, bottom line, the EU wallet is dependent upon an eID high which exceptionally few EU citizens have adopted, e.g. the Estonian eID with high adoption, but less so the German Ausweis with ID card chip and a PIN code that nobody can remember. And many EU citizens don’t even have access to eID high (e.g. in Sweden the proliferated eID “BankID” and its competitor are only substantial).
My conclusion? Perhaps creating the EU wallet is a way to create a citizen need i.e. “pull” and a smart way by the commission to push member states to digitise their identities. On the other hand, if member states cannot get the schemes, usability and use cases around eID sorted, why would they succeed in adding an additional service layer, involving multiple public and potentially private parties in this ecosystem?
Part of the problem lies in the fact that eID schemes are a national affair under eIDAS legislation (albeit with some quasi-standardisation in so-called “peer group” reviews and cross-border interoperability nodes), and that the Commission, unlike in the trust service provider field, has simply allowed member states to define what the national eID should be. Some examples of diverse approaches to eID:
- France launched state-of-the-art regulation for public and private providers in 2021: it requires PVID certification conducted by the state, adopts ETSI standards and includes the latest on remote identification for eID level high. ANSSI, the Police Nationale and the Gendarmerie perform tests on suppliers and products before certification. Most suppliers that have applied for PVID are struggling with the excruciating requirements.
- Germany continues in 2022 to struggle to make it easy for citizens to get a PIN sent to their home address, alongside other smartphone app initiatives. Not to mention the supply side of public use cases: where to sign in, what services to interact with? Playing around with https://verwaltung.bund.de/ didn’t convince me that Germany is on track with eID-supported use cases.
- And Sweden, which has no state-backed scheme but the most successful private initiative in the EU: the government doesn’t allow remote identification for eID high, and has a loosely held ad hoc framework (originally tailored to the private incumbent BankID). The Swedish national requirements on eID providers look like someone took only the headers of the ETSI/PKI requirements standard and published them, leaving room for lots of discretion and little legal certainty for the private sector. Pressured by the EU Wallet’s upcoming eID High requirement, the Swedish government is scrambling to create a Swedish level high eID. Building it will take years; proliferating it may take decades if it follows the German Ausweis development.