Microsoft to adopt ZealiD qualified signature solutions for HR in Europe
By Philip Hallenborg, CEO, ZealiD
As the unified digital identity ecosystem takes shape, qualified certificates and the digital identity wallets will play a growing and crucial role. With the evolving eIDAS landscape, the European framework for electronic identification, authentication, and electronic signatures, the journey of eIDAS and its significance in creating a unified digital identity ecosystem across the European Union is an increasingly important topic for companies. There are important questions to answer on the current state of eID adoption, the challenges faced, and the ambitious goals set by the EU. We will explore the private sector’s growing interest in regulated identities, the importance of digital trust, and the urgent need to combat cybercrime through secure digital identities, alongside companies’ crucial role proposing solutions to accelerate eID adoption and promote collaborative efforts to shape the future of a digital EU.
The Global Impact of eIDAS and ETSI Technical Standards on Identity, Authentication, and Electronic Signatures
eIDAS, in conjunction with the European Telecommunications Standards Institute (ETSI) technical standards, has emerged as a global standard for identity, authentication, and electronic signatures. Originating from the European Union’s commitment to fostering a secure and efficient digital environment, eIDAS provides a regulatory framework that harmonizes electronic identification and trust services across the EU member states. As part of eIDAS, the EU commission designates technical standards. The Commission has pointed to ETSI that has played a pivotal role in shaping the technical specifications and interoperability requirements, ensuring that digital identities and electronic signatures are globally recognized and accepted, thus establishing a benchmark for secure and seamless online transactions and interactions.
Two distinct categories of digital identities fall under the eIDAS framework: 1) national eIDs, as exemplified by systems in place in certain EU countries like Italy and Estonia, and 2) qualified certificates. Even though seven years have passed since eIDAS was introduced, the adoption of eIDs among EU citizens remains limited. The prevailing form of national eID typically consists of a traditional physical identification document with an embedded chip housing an electronic certificate. When combined with a citizen’s PIN code, this chip-based system serves as an electronic means of verification. Using a smartphone, one can access and transfer their electronic identity stored on the card for online authentication.
Challenges of eID Adoption and relief from qualified certificates
EU member states, barring a few exceptions, have been notably inadequate in providing both eIDs and the essential services that would generate demand among citizens, such as online access to public health, social services, and tax-related functions. Conversely, the qualified certificate, granted by the most reputable trust service providers accredited by the EU, is swiftly gaining prominence. Differing from an eID, it can be remotely issued to individuals of any nationality, seamlessly integrates into the EU trusted list’s validation processes (allowing anyone to verify the authenticity of a PDF’s signature), and exhibits true interoperability.
The EU digital wallet
Add to that the idea of a unified digital ID solution – the European digital identity wallet – has been around since 2021. In theory, the Digital Identity Wallet effectively acts as a cross-border wallet that enables national identities to be recognised across all EU states. The Wallet is proposed on a voluntary sign-up basis, allowing any citizen of an EU state to register and access public services or store documentation. This means that citizens could open bank accounts, enroll in educational programmes, and even sign property leases and contracts in foreign member states as easily and quickly as in their home country.
In reality, the problem with the EU wallet is already on the design table. It requires the highest level of eID assurance (“high”), and they are not only very scarce in the EU but moreover they require diligent and effective work from nation states to become proliferated in the majority of EU countries. This will take many years and unless eID is proliferated and working in most of EUs member states, there will be no successful wallet.
There is also ongoing uncertainty about future regulation – in practice an eID high, and thus access to the EU wallet, will require physical presence registration via a visit to e.g. a police or other public office. At the moment, many EU member states have no law or decree on remote identification in place. That leaves many unanswered questions about using cryptographically supported ID Documents and biometrics. It’s also unclear how to meet different requirement levels (low-substantial-high) for eIDAS remote identification. To find examples of countries that face such issues, one doesn’t have to look far. The problem is obvious even in well-established member states like Germany and France.
One of the key challenges to overcome is the disconnect between national and intranational (or EU) regulation. Regulation remains fragmented. Without any state of the art legislation, compromise is very hard to reach. Besides, member states may come up with very different agendas, causing even more trouble when it comes to using eID at an international level. In many countries, eID providers are only allowed to provide eID to nationals. Providers would like to provide their product to more than one EU country, but to do so they would need to apply for an eID ship in every country. If the regulations are very different and unpredictable, no management will do this. For example, the Italian government regulator AGID requires €5M of capital and an Italian subsidiary. Who would venture into a new market with such conditions?
Opportunities and benefits of digital identity
The EU viewpoint
As the EU sees it, remote identity, signature and authentication show a clear path towards the future digital EU. It would allow free movement of goods and services across member states. However, to build this central role for digital identity, governments must ensure there are clear, consistent guidelines for building and using digital identity tools and we must build digital trust within our society. The EU has set an ambitious goal of achieving 80% legal digital identity by 2030. The first step towards this was the eIDAS regulation that affects qualified and notified trust service providers described above.
Private Sector momentum
In the private sector, the realm of regulated identities is rapidly evolving, particularly within the human resources domain due to the stipulations set forth by EU member states regarding qualified signatures in employment contracts. Prominent global corporations are elevating their prior basic e-signature practices to encompass certificate-backed “digital e-signatures.” These predominantly qualify as signatures, primarily hinging on eIDAS-regulated identities. Furthermore, an emerging imperative is the utilization of regulated identities within the financial sector. Executing digital agreements entails long-term validation readiness, employing genuine identities and the most robust cryptographic standards to protect the intrinsic value of financial instruments such as credit notes or guarantees. These use cases, along with remote identification prerequisites stipulated by anti-money laundering regulations, underscore the growing importance of alternative qualified certificates and associated qualified signatures. Finally, many public authorities are also elevating their e-signature requisites for both citizens and companies, emphasizing the transition to qualified signatures. This shift is observable in company authorities’ practices and public Request for Proposals (RFPs).
Establishing a reliable legal framework for digital identities is also crucial as cybercriminals are finding new ways to obtain and exploit private information. When it comes to identity theft, the stakes are very high, ranging from heavy financial damage to legal issues and more. From a security standpoint, smartphones the ubiquity of smartphones provides a great deal of support for adoption of digital identity – both in terms of software and hardware. To tell it slant, smartphones are loaded with sensors that detect thermal energy, recognize human faces, read fingerprints etc. And from a software perspective they are highly regulated by the supplier, meaning that it is difficult to modify what an app does or how it works on our phone.
In the meantime, here are several potential solutions to kick starting eIDs and driving qualified certificate adoption:
- Align remote identification standards for eID, TSP and EU wallets across member states. eIDAS 2.0 shall allow the European commission to confirm a comprehensive ETSI standard.
- Following 1, conformity assessment bodies (governed by ETSI standards) should review those standards. Potentially, this responsibility could belong to biometric conformity assessment bodies as well.
- eID providers shall be allowed to issue identities to any EU citizen. This would be a tipping point for innovation, inviting the private industry to drive eID adoption in a more consistent and efficient way than states do it.
In a rapidly evolving digital landscape, eIDAS and its associated standards have the potential to shape a secure and efficient digital environment in the EU. By harnessing the cost, productivity, effectivity, and information security benefits of regulated identity, we can not only facilitate seamless online interactions but also fortify our defenses against cybercrime. While challenges remain, fostering the widespread adoption of eIDs and qualified certificates is essential to achieve the EU’s ambitious goals for a digital future and to combat cybercrime effectively.