What will it take to implement eIDAS eIDs in the EU?
The idea of implementing electronic identity cards (eIDs) EU-wide sounds very promising. Even at a basic level, eIDs allow thousands of service providers to offer their services online with relative ease. In fact, some EU countries - such as Italy and Estonia - already have such systems in place. The result? It works, it's safe, and it's very efficient.
That leads to one simple question: when and how will eIDAS eIDs become mainstream? Why don't private companies invest more, and why are some countries staying behind? While the vision remains clear, there are plenty of obstacles in the way.
eID guidelines are a national affair
One part of the problem is the disconnect between national legislation and the EU/eIDAS regulation. In the eID space, eIDAS expects member states to set up the regulations and standards for remote identification. Following that, member states should peer review each other's systems and synchronise them.
In essence, this system invites representatives from Government agencies to set up clear and consistent guidelines in cooperation. Even so, without any state of the art legislation, compromise is very hard to reach. Besides, member states may come up with very different agendas, causing even more trouble when it comes to using eID at an international level.
Unclear national legislation on remote identification
In Sweden, the Agency for Digital Government (DIGG) has created a set of requirements for eID service providers. It is a proprietary, high-level interpretation of PKI and the ETSI standards. Even so, it features few or no explicit requirements comparable to those in ETSI. Adding to the challenge for national and international service providers, the Swedish DIGG frameworks also protect national schemes like BankID by inventing ad-hoc principles that ban the creation of a certificate based on another certificate. This goes against the foundational TSP principle of re-using certificates in eIDAS art. 24, 1b and 1c.
The legislation issue is just as serious on a broader scale. At the moment, many EU member states have no law or decree on remote identification in place. That leaves many unanswered questions about using cryptographically supported ID documents and biometrics. It is also unclear how to meet the different assurance levels (low, substantial, high) for eIDAS remote identification. To find examples of countries that face such issues, one doesn't have to look far. The problem is obvious even in well-established member states like Germany and France.
Low appetite for funding and innovation
With all the issues we just addressed, Sweden is hardly an exception - more like the rule.
Providers with clear remote identification regulation do exist, but few member states take action to support them. Even so, in the era of digitalization, remote registration is - and will continue to be - a key competitive area. It will affect the business models, pricing and adoption of digital methods, but we're not doing enough to navigate those changes. This creates an environment with little predictability, clarity and investment appetite.
In Germany, the liability aspect of eID interpretation is in the hands of the state. This leaves little room for private actors, who could invest and drive innovation. By framing eIDs as a national affair, it also goes against the eIDAS principles that promote cooperation.
In Sweden (and most other EU member states), eID providers are only allowed to provide eIDs to nationals. If an eID provider would like to offer its product in more than one EU country, it would need to apply for approval as an eID provider in every country. If the regulations are very different and unpredictable, no management will do this. For example, the Italian government regulator AGID requires €5M of capital and an Italian subsidiary. Who would venture into a new market with such conditions?
Sweden has only confirmed one new eID provider since eIDAS came into force in 2016 (excluding incumbent BankID). Adoption of eIDs is equally slow in other EU member states as well. In practice, so far it only tends to happen when bank systems migrate to eID (Nordics, Baltics and Italy).
The solution exists, but we need change
Legislating and implementing eID is a complex task, but it’s not rocket science. In fact, the EU has already designed part of the solution in its latest wallet proposal.
In the meantime, here is ZealiD's solution to kick-starting eIDs:
1. Align remote identification standards for eID, TSP and EU wallets across member states. eIDAS 2.0 shall allow the European Commission to confirm a comprehensive ETSI standard.
2. Following point 1, conformity assessment bodies (governed by ETSI standards) should review those standards. Potentially, this responsibility could belong to biometric conformity assessment bodies as well.
3. eID providers shall be allowed to issue identities to any EU citizen. This would be a tipping point for innovation, inviting private industry to drive eID adoption in a more consistent and efficient way than states do.