eIDAS states that by the end of September 2018, all governmental organisations must accept all identification methods within the European Union for international services. As can be imagined, many questions arise on what this entails exactly and what effect eIDAS has on companies worldwide.
What is eIDAS?
First, let’s explain in a bit more detail what eIDAS is. This new regulation is to replace the more outdated eSignature Directive and STORK levels. eIDAS allows citizens and companies within Europe to digitally do business with governments, local and abroad, using their national identification tools. This should provide a common basis for safe electronic interactions. eIDAS is a set of standards for electronic identification and applies to customers and business when doing electronic transactions with public services and government.
eIDAS’ three levels of assurance
Allowing the use of your familiar authentication tool should improve the level of trust in login procedures. However, all these login tools come with different levels of assurance. EIDAS divides these levels of assurance as follows:
- Low: Providing limited confidence in the signer’s identity. This level may only prove ownership of an email address and is used for instance by web shop owners.
- Substantial: Stricter methods of identity verification for which must be determined whether the user has a valid, official document with the same identity data that can be checked in a basis registration. In the Netherlands, iDIN is an example of an identification method that has a substantial level of assurance.
- High: In addition to the demands for substantial assurance, for high assurance the user needs to appear physically at least once and the tool must be well protected from abuse by others. The high assurance applies when professional secrecy, for instance in healthcare, is exchanged.
Whatever tools used, the eIDAS regulation defined Advanced Electronic Signatures (AdES) and Qualified Electronic Signatures (QES) to provide consistency in document signing across Europe.
The role of eIDAS in your company’s future
Though eIDAS is aimed at governmental organisations, it is expected that this regulation indirectly concerns all other internationally operating companies. Much of these identification methods operate both in the public as the private sector, which makes them applicable for international companies. The regulation in the Netherlands aims to put into law, the so-called Generic Digital Infrastructure Law.
Ecosystem in authentication methods
This law aims to create an ecosystem in authentication methods that can be used by governments and organisations that use social security numbers when administrating for instance pension funds, health care and income insurances. With adding this, the Dutch regulation reaches beyond the eIDAS regulation.
For more information on eIDAS or de law GDI, please contact our identity services specialist Thea van Oosterhout.