Business Prep for 2024 eIDAS Update: Key Changes Explained

First introduced in 2016, eIDAS is an EU regulation that provides a framework for secure electronic interactions between businesses, citizens, and public authorities across EU member states. 

eIDAS enables conducting transactions and requesting public and private services online, such as obtaining benefits or allowances. For instance, in the Dutch housing domain, the majority of buyers and sellers use Vidua for AML identification and signing AML self-declarations. Additionally, electronic identification can be used in a variety of sectors, including financial and professional services, transport, and online retail.

This system is based on two components:

• Qualified trust services provide technologies for verifying users’ identities and authenticating their identification proofs. These include identification, electronic signatures, qualified digital certificates, electronic seals and timestamps, and more. Each country in the EU maintains a list of accredited trust service providers and the trust services they provide. Any trust service provider on the list is acknowledged within the entire EU.

• Digital identification and authentication mechanisms enable cross-border recognition of various national eID schemes, facilitating seamless interactions across member states.

Despite numerous advances, the first version of eIDAS had its limitations. 

First, digital identification systems provided by EU member states weren’t available to the entire population. In countries like Italy or Spain, less than half of the population currently have biometric IDs.  

Second, eID implementations were often limited to online public services and didn’t allow seamless cross-border access to online platforms. 

Third, the introduction of trust services such as qualified signatures needed some time to become acknowledged as valuable. 

In other words, the readiness for full-scale use was yet to be achieved. To address the challenges, most of all the readiness to scale, eIDAS 2.0 was introduced on May 20, 2024. The updated framework includes a lot of innovations and new trust services. There are two that we will highlight in this article:

• Unified digital identity wallets. A digital wallet is a secured mobile application where users can store their identity details, documents, transaction records, etc. in a digital form. The regulation mandates the use of interoperable standards for digital wallets issued by EU member states to establish seamless interaction between national electronic identification systems within the region. 

• Enhanced security. The regulation contains stricter requirements for data protection and verification to prevent identity theft by better detecting fraudulent attempts.

It’s expected that these innovations will help expand current use cases and provide EU citizens with more power over their personal data. 

The implementation period of eIDAS 2.0 will be about two years. Member States and the Commission have various deadlines to apply the new measures: 

• The Commission must adopt implementing acts for technical specifications and procedures of the European digital identity wallet by November 21, 2024 and of the qualified certificates for website authentication by May 21, 2025. 

• Member States must provide at least one European digital identity wallet within 24 months of the date of entry into force of the implementing acts.

Businesses and organizations should be prepared to revise their processes to meet new standards set by eIDAS 2.0. This goes for businesses that have their own ID verification solutions as well as businesses that are looking to source Qualified Trust Services. Here are the major considerations:

Qualified Trust Services will become crucial in digital interactions to ensure that business processes meet the required level of assurance. This includes the use of services like digital identity wallets, qualified electronic signatures (QESs), Electronic Attestation of Attributes (QEAA), and Archiving. 

By adopting trust services, businesses not only improve the (legal) certainty of digital interactions but also improve user experience, ensuring smoother and more efficient digital transactions.

From eIDAS2, it is clear that the bar will be raised for the assurance required in initial identity verification (IDV). Although the implementing acts are yet to be formalized, a few trends can be seen.

For ID document verification, optical verification will be supplemented with NFC verification. Digital companies have already harnessed NFC during customer onboarding in recent years. It involves submitting an electronic machine-readable travel document (eMRTD) with an embedded RFID chip that can be scanned with an NFC-enabled device like a smartphone. 

The RFID chip is secured with sophisticated cryptography and digitally signed by the ID issuing authorities. Plus, NFC verification often involves the zero trust to mobile concept, in which all verification checks are conducted (or re-verified) on the company’s server. This makes using eMRTDs in remote verification scenarios more reliable than in the case of non-biometric IDs.

To establish liveness and bind a user to a verified identity document, hybrid solutions that combine live video calls aided with biometrics analysis will probably turn out to be the most future-proof. Biometrics, such as face image comparison (face match), provide consistent quality. Algorithms don't get tired or distracted, nor do they have the same biases as humans.

On the other hand, a human operator has a significant advantage in spotting anomalies, nuances, and non-verbal queues. Human operators are also vital for informed consent,  belehrung*, and detecting social engineering.

*Belehrung (origin: German)—the duty to inform and educate, even when the information has not been requested.

As trust solutions like digital wallets, IDPs, and QESs become more common, users will expect a consistent and streamlined experience. They will become frustrated with multiple custom onboarding and IDP schemes for different partners. 

This brings about two important considerations.

First of all, users might already have an eID or wallet that they also want to use in your context. To prevent your user experience from becoming a hassle for these users, make sure to allow other trust service solutions in addition to the one you want to present to your customers. 

Second, it’s essential to remember that digital wallets and electronic identification are new concepts for many customers. While focusing on overall performance, companies often overlook small details that are critical for end-users.

For example, an RFID chip can be located in different parts of an electronic passport, causing friction during ID scanning. Without clear guidance on how to tap their document to their NFC-enabled smartphone, users can become confused and disappointed. This negatively impacts key metrics such as conversion and abandonment rates. Therefore, the UX of new systems should be treated seriously.

When considering identity proofing, inclusiveness is a crucial factor. eIDAS 2.0 promotes deeper digitalization, but not all customer groups are prepared for it. Many EU citizens do not possess the necessary mobile technology to utilize these solutions. The availability of NFC-enabled devices varies significantly across different EU countries, ranging from low to high.

Additionally, some people use budget smartphones with limited functionality, particularly regarding cameras. These cameras might struggle to deliver the required quality during an active liveness check, especially in low-light conditions. This can create barriers for users.

It is essential to ensure that these new technologies are accessible and inclusive, providing all users with a secure and seamless mobile experience. Balancing advanced security measures with the capabilities of users' devices is key to achieving this goal.

Finally, the need for electronic IDs as a critical part of remote identification excludes users with non-biometric documents. Some EU countries still issue conventional identity documents; for example, Switzerland has non-biometric national identity cards. In Bulgaria, where biometric ID cards have been issued since the summer of 2024, many non-electronic versions of the document remain in circulation. 

Despite electronic IDs having more advantages compared to non-biometric identity documents, they still have their downsides. Frequently, these drawbacks can be detected only after the deployment of the IDV system which obtains and processes data from millions of users daily. 

For instance, RFID chips can be mechanically damaged or blockedby local authorities. There are also difficulties associated with the verification of the chip's integrity and authenticity using trusted certificates issued by countries. This system can sometimes fail due to untimely updates of one of the critical elements like CSCA master lists.

Additionally, scaling the system to cover non-EU citizens with temporary residence in the region can introduce potential issues.

eIDAS 2.0 is designed to improve the reliability of the current system, with qualified trust services playing a crucial role during its deployment. The compliance and expertise required to maintain a trust service ecosystem make substantial in-house development and maintenance nearly impossible. When selecting the right partners to be eIDAS 2.0-ready, the following aspects can be good to take into account:

→ Prevent technology focus: While technology is important and demos can showcase impressive features, it is not the only consideration. Implementing the technology within a robust and efficient identity validation process is far more critical. Ensure that your partner focuses on practical and effective solutions rather than just technological innovations.

→ Transparent eIDAS compliance: Any qualified trust service provider should be able to transparently demonstrate their eIDAS compliance and specify the services to which it applies. Avoid partners that claim “eIDAS compliance” without referencing the EU trust list or listing the ETSI norms they have been successfully audited against by a CAB auditor. Verify that the qualified services offered are truly what your business needs.

→ Make sure your partner clearly understands your business and its needs: Introducing trust services into your business processes can impact their functionality and practical application. A partner who understands your business will ensure that changes are beneficial and seamlessly integrated.

Partnering wisely ensures that your business is ready for eIDAS 2.0, with the expertise and compliance required to excel in this regulatory framework.