Electronic identification, signatures and trust services: Questions & Answers
European Commission - MEMO/12/403 04/06/2012
Other available languages: none
Brussels, 4 June 2012
Electronic identification, signatures and trust services: Questions & Answers
See also IP/12/558
Contains sections on:
Terminology, Basic facts, Objectives, Examples, Security and Privacy
Financial, Impact on private sector.
What is eSignature?
e-Signature is the electronic equivalent of a handwritten signature.
What is eIdentification (e-ID)?
eIdentification is the process of unambiguously determining a person/entity 's identity by using electronic means. In Europe many Member States provide their citizens with electronic IDs via smart cards, mobile phones, or other technologies: some Member States combine an e-ID with the function of an identity card used also as a travel document, others have a citizen card to access public online services, others work with mobile devices, or a combination of card and phone.
What is time stamping?
An electronic time stamp is the date and time on an electronic document which proves that the document existed at a point-in-time and that it has not changed since then. For example, a student is entering a competition which closes at midnight, and sends his entry by email at 23:55 but its delivery is delayed due to some technical problems. A time stamp would prove that his entry existed at 23:55 and the delivery problems would have no consequence.
What is an electronic seal?
An electronic seal is the electronic equivalent of a seal or stamp which is applied on a document to guarantee its origin and integrity. An electronic seal means that a company could issue millions of authentic invoices matching EU legal requirements.
What is website authentication?
It is trusted information on a website (e.g. a certificate) which allows users to verify the authenticity of the website and its link to the entity/person owning the website. Organisations can be also sure that that they are protected from hackers setting up a fake website. Website authentication is becoming fairly common: when the address of a website becomes green in the browser, it means that the website is authenticated with a certificate.
What is ‘electronic delivery’?
It is a service that, to a certain extent, is the equivalent in the digital world of registered mail in the physical world. At the moment the legal effect of the "registration" of an email stops at the border of the Member State of origin of an e-mail unless the Member State of destination recognises the registered nature of the email.
Which countries have e-ID already?
Electronic ID cards exist in: Belgium, Estonia, Finland, Germany, Italy, Portugal and Spain.
Other forms of e-ID, like citizen cards and access tokens are used in: Austria, Czech Republic, Denmark, Lithuania, Luxembourg, The Netherlands, Slovakia, Slovenia and Sweden.
17 EU countries also participate in a project called STORK which has proven that e-IDs can be safely recognised across borders.
Who issues official electronic ID?
Official electronic ID in most of the Member States is issued directly at state level, in others they are issued by the private sector under the responsibility of the state (e.g. Austria, Sweden).
What is the current issue?
While hundreds of millions of European are now able to use electronic identification for services like online shopping, and have received better services as a result, these benefits are much less commonly achieved with public services, and especially not outside one's home country.
Citizens can rarely, if ever, use their e-ID to interact online with public administrations of other EU Member States. This undermines our rights as Europeans, and causes inconvenience and extra costs associated with time delays and the hassle of maintaining multiple identity documents.
The absence of common EU rules on legal recognition of e-ID acts as a brake on those citizens who need to be mobile or undertake business or work activity outside their home country.
Equally, the lack of an EU legal framework for essential trust services like time stamping (legally proving the time), electronic documents (legal effect and acceptance), registered electronic delivery (legal proof of a communication channel), and electronic seals (which legally link a person or a company to a document) also means lots of companies divert resources from their key functions to standing in queues, waiting for forms and stamps.
When was this proposal planned / decided?
From 2010 onwards the Digital Agenda for Europe (see IP/10/581, MEMO/10/199 and MEMO/10/200), listed a revision of the eSignature Directive and legal measures to ensure mutual recognition of eIdentification (e-ID) and eAuthentication as an objective.
This call was repeated as one of 12 elements of the Single Market Act (SMA) (see IP/11/469) The European eGovernment Action Plan 2011-2015, and various Council Conclusions both call for legislation "to ensure mutual recognition of eIdentification and eAuthentication across the EU".
Finally, the Roadmap for Stability and Growth, underlines this measure as key to the development of the digital economy.
Why not just update the eSignature Directive?
The eSignature Directive (Directive 1999/93/EC) has been in place for over 12 years. The Directive has gaps, such as undefined obligations for national supervision of service providers, which are holding back cross-border eSignatures, and it does not cover many new technologies.
Given the demand for greater trust in electronics services, these issues are best addressed by an evolution to more comprehensive legislation.
Objectives and benefits
Why extend use of electronic identification?
e-ID is convenient and cost-effective compared to most paper-based or face-to-face transactions with government.
e-ID is a popular form of identification already, for example on social networking, shopping and banking websites.
Who is this Regulation aimed at?
eSignatures trust services and eIdentification are largely relevant for businesses (legal persons), and individuals (natural persons) as they will lead to new opportunities within the EU.
For example, this will affect the 13 million EU citizens who work in another EU country and the hundreds of thousands of students studying in other EU countries. Wider use and improved eSignatures and trust services would help Europe's 21 million SMEs, many of whom work across borders.
What does the Regulation actually do?
There are three key elements.
1. It upgrades the legal framework of electronic signatures replacing, the existing eSignature Directive. For instance, it allows you to "sign" with a mobile phone; it requires higher accountability for security; and it provides clear and stronger rules for the supervision of eSignature and related serviecs.
2. Through requiring mutual recognition between various national eID systems (different to harmonisation or centralisation), the Regulation extends the capabilities - the opportunities available with your existing eID - by making it functional across EU borders.
3. Other trust services are included in the Regulation for the first time, meaning there will be a clear legal framework and more safeguards through strong supervision services of electronic seals, time stamping, electronic document acceptability, electronic delivery and website authentication.
What are the key benefits of this proposal?
What is the Commission NOT proposing?
The Commission's draft Regulation does NOT make it obligatory for all citizens to have an eID card. The European Commission does NOT have the right to legislate on the management of electronic identities; this is a matter of national sovereignty. It is up to Member States to decide whether to have such a form of identification, when it is required, and what technology to use. The Commission's proposal aims only to ensure that where these electronic identifications exist, they can be used across borders fully respecting privacy and data protection rules.
This proposal does NOT create or propose the creation of a new 'European eID' or European database of any kind.
It does NOT set European standards for security, supervision or enrolment for electronic identification.
It will NOT lead to new exchanges of personal data across borders.
Finally it does not oblige Member States to notify their eID schemes to the European Commission.
Is this linked to other Commission initiatives?
Yes. Several other EU policy initiatives (e.g. the Services Directive, the Public Procurement Directives, the eCommerce Directive, the VAT (e-invoices) Directive and the Data Protection Directive) will have a greater impact if there is a consistent legislative framework for easy-to-use, trustworthy and secure electronic transactions in the Digital Single Market.
Why choose “mutual recognition” of e-ID over “harmonisation”?
Member States are solely responsible for the management of their electronic identities, so direct harmonisation is not an option. Direct harmonisation is also unnecessary, given that mutual recognition will achieve most of the same benefits, and quicker.
Mutual recognition is also clearly more politically acceptable and the Commission respects this.
Why choose “harmonisation” for eSignatures?
eSignatures are a single and relatively simple trust service, for which we need to ensure a well functioning internal market. The 1999 eSignature Directive already aimed at harmonisation. eSignatures mostly benefit and affect legal persons (companies) rather than individuals.
How eIdentification revolutionised banking
Today, because of effective electronic identification, banking takes place 24/7 at cash machines, in restaurants and shops, and online in all countries. e-ID removed artificial barriers from banking transactions and is now an accepted and essential part of our daily life.
By comparison, government services tend to be much more cumbersome. They are often not available online, they are available at limited times and places and at far greater cost – either to the individual or company or indirectly via the taxpayer.
Services likely to see greatest positive impact of greater e-ID use:
Online tax collection, education courses and other social services, eProcurement and eHealth.
Case studies of specific, typical current problems
Elisa, a Belgian student, wants to enrol at a university in Italy. She logs on to the university website but cannot use her Belgian electronic identification when she is asked to identify herself. Why? Her Belgian eID is neither recognised nor accepted in Italy. Elisa has to buy a train ticket to Italy and queue up to do the necessary paperwork in person.
A small company based in Hungary wants to bid online for a contract being tendered by a Portuguese local administration. However, the electronic signature used to seal the bid is denied because of specific national requirements and interoperability problems. The Hungarian company has to submit the bid on paper, print copies and send them by courier to Portugal, which costs lots of extra time and money.
A French multinational wants to sign contracts electronically with a counterpart based in Latvia. This is technically possible, but the two countries have different legal requirements for trust services like electronic seals, electronic documents, time stamping. The French company will need to invest time and money to assess whether it is legally possible to use electronic documents and processes.
An Estonian bank wants to send a notice of default to a borrower based in Germany. The Estonian bank wants to use an electronic document, but is this legally valid under Estonian and German law? The bank will examine the applicable laws in both countries. If in doubt, the bank will probably opt to send the document by traditional mail.
General impacts on stakeholder groups
All citizens will be able to carry out secure and trustworthy cross-border electronic transactions and take full advantage of their rights across the EU.
Workers who get a job in another Member State, or who are residents but not EU citizens, will get more readily the transfer formalities electronically. Businesses will suffer less from red tape and literally from less paperwork. The gains can be enormous for large scale businesses, and can be the difference between profitability and difficulty, and expansion or stagnation for small and medium sized businesses.
Public administrations will save taxpayer's money through reduced administrative burdens and will be able to provide better, more efficient services. Environmental benefits will accrue through reduced travel and paper use.
Private sector companies will be able to use and accept eIDs opening up new e-Business, eCommerce and eGovernment service possibilities.
Real-world examples of e-ID in practice today
The STORK project has technically proven that e-IDs work across borders. 17 EU countries (and a total of 35 partner organisations from private, academic and civil society sectors) with many different approaches to identification systems have developed an interoperable platform to enable cross-border identification and authentication without disruption of national systems. This work was jointly funded by participating Member States and the EU (€26 million since 2008) and members include those who do not have an ID card system, such as the United Kingdom.
The Connecting Europe Facility proposed by the Commission would enable further cross-border digital service infrastructures.
Examples of current cross-border e-ID enabled services
Through the Estonian e-Business portal, a simple limited liability company can be set up online in 18 minutes. Creating a company via the internet can be done with either an Estonian ID card, or one from Belgium, Portugal, Lithuania or Finland. Estonia hopes to extend this service to other ID card systems.
Around 500 students studying in Austria, Estonia, Spain, Italy and Portugal have participated in a student mobility pilot project, where their national e-ID-card gives access to online enrolment, access to online courses or tutorials, and computing infrastructures in other countries.
An interoperable Change of Address framework has been created for Estonian, Portuguese, Slovenian, Spanish and Swedish citizens. This enables foreign citizens to notify all relevant entities in government (and, for example, water and electricity companies) of an address change in one-step and has been used more than 25,000 times in early testing.
German and Polish pension and social care services now provide for recognition of each other’s e-ID. This is an example of a bilateral cross-border mutual recognition. This provides a lower level of functionality compared to EU-wide mutual recognition, but shows the value of such services for communities living close to each other but on either side of national borders.
National examples of the positive impact of e-ID
In total, Estonia has issued approximately 1.2 million e-ID smartcards, and conducted 52 million electronic signatures to authenticate more than 88 million electronic transactions. Private sector organisations use the authentication mechanism widely for their own services.
Submitting company balances sheets in Estonia was streamlined from a 3-month long paper process to a 20 minute electronic process. Countless hours for printing, sending, scanning and manually inputting data has been saved.
Austria and Iceland enable 'Safer Chat' for 14-18 year olds where users need their e-ID card to enter chat rooms for 14-18 year olds. This means much greater safety with only minimal disclosure of data.
In Austria the delivery time for a document confirming an individual does not possess a criminal record was reduced to 2 minutes.
What is the cost burden of this change on Member States?
Both eSignature and eIdentification systems come with an initial upfront cost, but far greater financial returns in the medium and long term.
Much of the technical work has already been done in the STORK large scale pilot project, and further development costs can be largely absorbed through a small portion of the funding being made available by the Connecting Europe Facility, which is designed to support cross-border digital services
The best large scale analogy for the cost-benefit ratio of electronic identification and other trust services is the changes in banking in recent decades. Today a far greater range of services is provided more cheaply and often 24/7 compared with banking based on paper and face-to-face transactions. This has been good for banks and good for their growing number of customers.
Privacy and security
What about my privacy?
Your privacy can be enhanced by electronic identification and authentication as they limit the need to always, and repeatedly, provide personal data
Secure eIDs combine state of the art cryptography with common security practices such as PIN-codes or passwords. This means they are as strong and private as typical bank solutions, which are already widely and safely used.
How will my data be protected?
Under these proposals no unnecessary data is revealed or exchanged.
For example, if a teenager wanted secure access to a chat room for 14-18 year olds, or a gambler needed to prove they were of legal age, the website should only check information about their age from the e-ID card. Other details such as nationality and address would not need to be revealed.
When relying on other forms of identification – for example a person volunteering information that cannot be verified, or a physical photo ID, the result is either lower security or more data being revealed. e-ID avoids this problem.
What are the key safeguards in the eID proposal?
The proposals are designed to avoid the centralisation of information. There is no aggregation of information, beyond the aggregation that already takes place in national systems. However there is one key additional safeguard.
Data protection regimes already apply to national eID schemes. In addition, Member States assume liability for their participating systems. That means you will have the right to sue your government if there is a problem with your data or access to services. This new right, to make one’s government liable, is a clear incentive against lax behaviour; it will provide an effective lock on the ‘door’ of your data file.
What are the key safeguards for other trust services?
Trust service providers already have to comply with EU and national data protection legislation. In addition to this, the mandate of supervisory bodies, which already exist for eSignatures, will now be extended to other trust services.
What about levels of security?
The proposals provide for clear and unambiguous identification and proof of identity. For many public services, users and administrations alike prefer higher levels of security than is necessary, say, for online shopping. For example, using an electronic token with an access code to complete a tax declaration online.
Other security services include electronic signatures, electronic seals or time stamping. These enable online transactions to be concluded with the same legal validity as in the physical world. Such use of the Internet can speed up enormously the time it takes for small companies to carry out their business.
What about data storage?
These proposals do not create new databases or deliver personal information to other databases.
All people using mutual recognition and other services must strictly comply with EU data protection legislation.
Impact on the private sector
New business opportunities
The new rules require governments to recognise any eSignature provider that meets the standard. Equipment makers therefore have significant new opportunities.
In Estonia the government has not placed any restrictions on the use of eID in the private sector and the authentication mechanism is available to any outside developer. Currently, applications exist for using eID to authorise online bank transactions, to sign contracts and tax declarations, to authenticate to wireless networks, to access government databases, and for automated building access.
The Commission's proposal will now be passed on to the European Parliament and the Council of Ministers for scrutiny and debate. This process may take between one and two years, but is impossible to give an accurate estimate.
The Regulation would take effect immediately in all EU Member States as soon as it has been formally approved by the European Parliament and Council and 20 days after publication in the Official Journal.