Interoperability academy 2024 - Day 2 - Digital transformation and interoperability_eID.pdf

SIGMA2013 444 views 74 slides Jun 27, 2024

About This Presentation

Presentation given at the Cross-regional exchange and learning week on Interoperability and Digital Transformation in the Western Balkans and Eastern Partnership region that took place 24-28 June 2024 in Brussels.


Slide Content

A joint initiative of the OECD and the EU, principally financed by the EU.
Restricted Use - À usage restreint
Laura Kask, CEO Proud Engineers, eID and trust services legal expert
Brussels 25.06.2024
Cross-regional exchange between Western Balkan and EaP countries on DIGITAL TRANSFORMATION and INTEROPERABILITY

Laura Kask
-Former Chief Legal Officer for the CIO of the Estonian Government.
-Led developments on the legislative framework of the Estonian information society and was involved in many innovative government projects, including data embassies and digital continuity.
-Responsible for implementing the main EU level regulations (e-authentication, electronic signature, cybersecurity, data protection) into the Estonian legislative framework.
-Currently obtaining a PhD in IT Law at Tartu University.
-CEO of Proud Engineers, a leading multi-disciplinary consulting company with experience in supporting digital transformation reforms

Agenda for today
1. 10.15 – 11.30 “Building the eID System Based on eIDAS”
Laura Kask & Stephanie De Bruyne, CEO at Belgian Mobile ID - Itsme
2. 11:45 – 13:00 “New Framework for eID, EDIW and trust services”
•Detailed review of the main provisions of eIDAS 2.0, Laura Kask
•Case study from BIH regarding e-Wallet, Almir Badnjevic, IDDEEA, director
eIDAS 2.0: in EU and Adopting it to the National Context
3. 14.00 – 15.15 Mutual Recognition of E-Signatures
•Lessons Learned, and How to Move Forward - Necessary preconditions for mutual recognition of e-signatures, Laura Kask
•Agreement on mutual recognition of trust services Montenegro-Serbia-North Macedonia, Danilo Racic, Ministry of Public Administration, Senior Civil Servant
•Moderated talk on the status and plans of mutual recognition
4. 15.30-17.00 Group Work
•Group 1: Adapting eIDAS 2.0 to National Contexts: Challenges and Opportunities
•Group 2: Ensuring Mutual Recognition of E-Signatures: Challenges and Opportunities

Do we actually know who is behind the computer?
Justification for amendments: about 60% of the EU population in 14 Member States are able to use their national eID cross-border.
Only 14% of key public service providers across all Member States allow cross-border authentication with an e-Identity system.
Aim of eIDAS 2.0: by 2030 80% of the EU population are equipped with a digital wallet that will allow them to prove their identity and authenticate themselves on public services in all EU countries and the UK, regardless of their nationality.
*https://commission.europa.eu/strategy-and-policy/priorities-2019-2024/europe-fit-digital-age/european-digital-identity_en
Peter Steiner, published by The New Yorker on July 5, 1993

* https://gataca.io/blog/eidas2-explained/

“Building the eID System Based on eIDAS”
Laura Kask, CEO Proud Engineers, legal expert on eID and trust services
and
Stephanie De Bruyne, CEO at Belgian Mobile ID - itsme

“New Framework for eID, EDIW and trust services”
Laura Kask, CEO Proud Engineers, legal expert on eID and trust services

* https://gataca.io/blog/eidas2-explained/

eIDAS Regulation from 2014 (electronic identity)
>Mutual recognition system for eIDs that are notified by Member States:
▪High
▪Substantial
▪Low
Article 6 of eIDAS Regulation:
1. May ‘notify’ the ‘national’ electronic identification scheme(s) used at home for access to its public services
2. Must recognise ‘notified’ eIDs of other Member States for cross-border access to its online services when its national laws mandate e-identification
3. Must provide a free online authentication facility for its 'notified' eID(s).
4. May allow the private sector to use ‘notified’ eID

eIDAS Regulation from 2014 (trust services)
>Market regulation, Member States cannot impose rules that are in conflict/more strict than eIDAS regulation;
>An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. (Article 25)
>When the public sector accepts a document being signed electronically, they must accept documents signed electronically in the same format from the other member states or with the service offered by the other service providers. (Article 27)
>Member states maintain and publish trusted lists where they have all the necessary information about the qualified service providers acting inside the EU. (Article 22)

Shortcomings of eIDAS Regulation
•Previously the eID management has been the sole discretion of the Member States. eIDAS regulation did not interfere with the eID management and set up.
•EU citizens possessing a notified eID should be able to use their national identity to access public services online, BUT:
•mutual recognition requirement is only for access of the e-service, but not for the service delivery itself;
•regulation did not introduce harmonization of digital identities of Member States, but rather established cooperation mechanisms and interoperability;
•the focus is on the public sector, as there are no clear incentives for the private sector to use national eIDs.
WHY did all governments not notify?
>One of the reasons could be the compulsory liability clause of eIDAS Regulation. Article 11 states that the notifying Member State shall be liable for damage caused intentionally or negligently to any natural or legal person due to a failure to comply with its obligations in a cross-border transaction.

eIDAS 2.0: new amendments (principles)
1. Extension of scope: eIDAS 2.0 extends the scope to new types of trust services, including electronic delivery services, electronic documents. This extension is in response to the increasing use of electronic documents and seals in business transactions.
2. Improved cooperation: A key element of eIDAS is interoperability, which is further strengthened by the new regulation and simplifies the exchange of digital trust services across national borders.
3. Increased security: eIDAS 2.0 introduces stricter security and data protection requirements for trust service providers to ensure the confidentiality, integrity and availability of trust services as well as the protection of personal data in accordance with the GDPR.
4. New rules for electronic identification (eID): These rules are intended to make the use of eID more secure and user-friendly. In particular, the possibility of remote identification, e.g. through video identification, makes access to online services considerably easier.

Mutual Recognition of eIDs
+ notified eIDs
+ up to Member States to decide which schemes to notify
+ country should accept notified eIDs that are of equal or higher level than the eID used in their country (public sector)
+ Mutual recognition of electronic identities is not considered in eIDAS (although, being an exclusive competence of the EU could be the object of international agreements under art. 218 TFEU)
eIDAS 2.0:
+ The right of every person eligible for a national ID card to have a digital identity that is recognised anywhere in the EU
+ Operated via digital wallets available on mobile phone apps
+ MS are obliged to notify at least one “Wallet” under a national eID scheme to make them interoperable at EU level.

New Amendments
•A shift from mutual recognition of national eIDs to a system that allows eID users to exchange electronic attestations of attributes that are authenticated by trust service providers.
•Scope is wider (eID, EIDW, trust services).
•Requirement for Member States to offer and notify a digital identity solution offering EDIW; in addition to storing their eIDs, users shall be able to add other electronic attributes and credentials to their wallets, such as university degrees, diplomas, student IDs or driver`s licenses.
•The sectors that must accept EIDW are limited to those where it is required by national or EU law
•eIDAS 2.0 Article 11 (a) wanted to add introduction of a persistent and unique identifier for all EU citizens and residents, but this is a controversial issue as some Member States have seen this in violation with the constitution.
•Introduction of corporate digital identities.
•Creation of European Digital Identity Board is aimed to facilitate the consistent application and sharing of best practices and would consist of competent authorities of Member States and European Commission.

What is a European Digital Identity Wallet?
>Article 3 (42):
is a product and service that allows the user to store identity data, credentials and attributes linked to her/his identity, to provide them to relying parties on request and to use them for authentication, online and offline; and to create qualified electronic signatures and seals

European Digital Identity Wallet
•All Member States must provide their citizens and legal entities with eID Wallets and recognise those of the others.
•With the European Digital Identity Wallet (EUDIW), citizens will be able to authenticate themselves online for private and administrative services in the future.
•Other digital credentials, such as driving licences or training certificates, can also be stored in the Wallet and shared as required.
•To ensure that Wallets and digital identities can be used and recognised throughout Europe, the amendment sets out requirements regarding the interoperability, data protection and security of Wallets as well as the verification of digital attributes.
•The specific requirements for the Wallets are being worked out by the European standards committees.

What can be done with Digital Identity Wallet from the user's perspective
>Stores your digital identity and other important documents and enables you to present them as part of an electronic transaction, via QR (offline verification);
>“verified credentials” – government signed credentials showing they are trustworthy (passport, driving license);
>Other credentials are signed by the relying party
>You can choose which credentials to present and the use is not connected to the issuer
>You may want to share other personal information

How far will the regulation go?*
>The main shift in the new regulation is the creation of a European Digital Identity Wallet that will enable citizens and businesses to have greater control over their data whenever they are involved in identification and authentication processes. No longer will we be solely dependent on the entity which provides the identification services in that very moment. This will certainly change the way we think of identities.
>By 2026, all states must issue wallets available for all residents free of charge to get and use. What’s more, by 2027 basically all public entities and private businesses must enable the usage of said wallet. Online platforms defined as "gatekeepers" under the EU Digital Markets Act must accept Wallets for user authentication, including social networks, search engines and marketplaces with significant influence in the EU single market.
*REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL AMENDING REGULATION (EU) No 910/2014 AS REGARDS ESTABLISHING THE EUROPEAN DIGITAL IDENTITY FRAMEWORK

Where to get information?
>LinkedIn European Digital Identity Wallet community
>European Digital Wallet Consortiums – test different use cases (large-scale pilots)
>www.globaltrustfoundation.org – online courses for DIW

Challenges for Member States (1)
•Identity theft risk and introduction of EDIW – not only eID credentials but all the information the person has in the EDIW;
•EIDW shall be issued under a notified electronic identification scheme of level of assurance high. Therefore, it can also be assumed that the corresponding high scheme would be a prerequisite for the EIDW and should exist first.
•Countries must decide which route of the eIDAS 2.0 Article 6a (2) to take: issuing their own EIDW, under a mandate or independent, but recognised EIDW.

Challenges for Member States (2)
•In countries with an eID scheme with assurance level high, remote issuance with a secondary device would be possible, but it will be a challenge for countries where no eID means is issued or it is not recognised on level high.
•The challenge of issuing EIDW for legal persons. In many countries, only personal eIDs exist in the market. This means legal person representation is a role that is connected to the private eID (more precisely with identity code) and serves more as an access right. This means countries should decide what and under which circumstances the professional EIDW can be issued and how this can be used in national services.

Conclusion
•The obligation to accept the EIDW also degrades the proven value of existing eID schemes and might result in unfair competition.
•The proposed timeframe for implementation is complicated, as the implementing acts are on the way for EIDW (the deadline is Nov 2024).
•As the concept of unique and persistent identifier has been left aside and has been replaced with record matching, it will be difficult for the e-services of the member states where the persistent unique identifier is needed to log in and use the service, to offer the service with the same quality also for cross-border EIDW users.
•Cybersecurity and resilience risks.
•Trust establishment plays a key role in scalability of the eID solutions, but trust is built over time and adoption is a lot more complex than legislative or technical framework.

Case study from BIH regarding e-Wallet,
Almir Badnjevic
IDDEEA, director

“eIDAS 2.0: in EU and Adopting it to the National Context”
Laura Kask, CEO Proud Engineers, legal expert on eID and trust services

WHY?

Key principles of trusted eID
Without these, success is unlikely

Strong eID is based on strong physical identity
eIDs must only be issued using a carefully secured process involving capture of biometrics

Unique and ubiquitous identifier of citizens
Most business processes in the country must use the identifier, assumes a robust population registry.

Breaking the stalemate
The citizens will not take the ID or remember the PIN codes, when there are no services. There will be no services built for no customers.

The eID must have a legal meaning
Without a legal framework, the eID is simply people doing complex math

Building blocks of trusted eID
These need to be built

Legal framework
>Population registry and its legal significance
>Regulation of trust services
>Electronic signature and its significance
>Dealing with legacy
›Education of legal practitioners
›Revamping regulations requiring paper-based processes

Capabilities
>Cybersecurity to
›drive requirements for eID and validate deliverables
›monitor the ecosystem
›execute incident response
>Cryptography to keep the ecosystem developing
>Legal to drive legal changes
>Architecture to define, manage and develop the technical ecosystem

Trust services
>Trust services create and operate services underpinning the trust in eID
›Certification Authority and Registration Authority
›Time Stamping Authority
›Signature creation and validation
>Trust must stem from audited, regulated and supervised adherence to standards

The ecosystem
>It is not possible for a
›single government authority to build eID due to the range of capabilities and changes necessary
›single private sector organization to build eID due to the lack of critical mass in terms of customers and services
>Create and manage an ecosystem of service providers, integrators, technology providers, researchers, cybersecurity practitioners, trust service providers etc.
›Alternatively make sure to participate in one

eID transformation process

eID transformation process

eID transformation process

Supporting the vision execution

eID organizational structure

“Mutual recognition of e-signatures”
Laura Kask, CEO Proud Engineers, legal expert on eID and trust services

Same eIDAS-based legislative framework, BUT how to prove your intent online?

Mutual Recognition for Third Countries
>eIDAS Regulation is seen as a standard across the globe;
>Article 14 of eIDAS regulates the recognition of qualified electronic signatures between the EU and a third country.
>Currently, the only option to have mutual recognition of qualified signatures is through an agreement concluded between the EU and the third country in accordance with Article 218 of the Treaty on the Functioning of the European Union (TFEU).
>There is a “roundabout” through MRA process.

Pilot for the International Compatibility of Trust Services
>MRA Cookbook (explanatory memorandum of eIDAS Article 14, description of MRA process flow and methodology, minimum requirements, technical recommendations)
>eIDAS Article 14 Assessment Check-List (benchmarking laws)
>Tools (trusted list browser and validation of trusted lists outputs)

Mutual Recognition Process
>A third country’s signature solution can be recognised as an advanced signature under eIDAS.
>The European Commission has created a trust list for advanced signatures from third countries’ trust services and prepared the tools needed for validating the signatures.
>An official request should be made to the European Commission.
>The trust list provides a tool for validating the signatures, but the legal effect and the trustworthiness of a signature still must be agreed separately between interested parties.

MRA process flow I
>Scope and objective of MRA (selection of trust services and service providers)
>Feasibility study and self-assessment (4 pillars: legal or regulatory framework, supervision and auditing systems, technical or best practices aspect, trust representation model)
>Technical pilot with the EC (optional)
>Formal negotiations will be opened after the feasibility study, optional pilot and self-assessment have positive outcomes

MRA process flow II
>Together with its formal request, the 3rd country submits to the EC the detailed documentation for assessment:
1) A general description of the trust services framework, covering legal, supervisory, technical and trust representation aspects
2) The legislative documents, including primary and secondary legislations concerning trust services and other relevant legislations (data protection, consumer rights, privacy, freedom of expression)
3) Links to the relevant trust services framework resources, such as existing or draft trusted list, the list of approved secure devices, the list of approved conformity assessment bodies and a description of the underlying approval rules
4) An eIDAS Art 14 self-assessment
5) The list of standards the trust services framework refers to/uses and a description of the way these standards are used/complied to

MRA process flow III
>EC evaluates the global compatibility of the 3rd country 4-pillar system with the EU system, based on the provided documentation (preliminary assessment and detailed assessment)
>EC submits the preliminary assessment report to the EU Member States and consults them on interest in engaging further with the aim to perform a detailed (mutual) assessment as the next step

MRA process flow IV
>The drafts of MRA associated execution plan, monitoring plan (including the exchange of annual reports, e.g. reports on changes in the respective frameworks, supervisory activities and known litigations, notified security and/or personal data breaches, and annual surveillance review and the frequency of a formal in-depth review of the MRA implementation), and termination plan will be prepared
>Technical and/or legal pilot may be conducted

MRA process flow V
>EC launches Art 218 (TFEU) procedure and MRA will be drafted
>MRA needs the consent of the European Parliament and the approval of the Council, before the MRA could be signed
>As part of the MRA drafting, or in parallel, the drafted MRA execution, monitoring and termination plans shall be finalized
>The finalisation of the MRA may include one or more negotiation rounds

Procedure of Article 218 of TFEU I
>Negotiations:
1) Council of EU authorises the opening of negotiations (EC, or the High Representative of the Union for Foreign Affairs and Security Policy submits recommendations to EC, which adopts a decision authorising the opening of negotiations and nominating the negotiator or the head of the negotiating team)
2) EC may address directives to the negotiator and designate a special committee in consultation (content of such directives is not public)

Procedure of Article 218 of TFEU II
>Concluding agreement:
1) On a proposal by the negotiator, EC adopts a decision authorising the signing of the agreement or in case where the agreement relates to the common foreign and security policy, EC adopts the decision concluding the agreement after consulting or obtaining the consent of the European Parliament
2) EC acts by a qualified majority throughout the procedure and unanimously when the agreement covers a field for which unanimity is required (if the agreement covers EU accession, finances, or common foreign and security policy unanimous vote is required)

Procedure of Article 218 of TFEU III
>Notification:
1)The European Parliament must be informed at all stages of the
procedure and is required to give its consent to any international
agreement
2)A Member State, the European Parliament, the Council of EU or EC may
obtain the opinion of the Court of Justice

New Regulation
>Trust services provided by trust service providers established in a third country or by an international organisation shall be recognised as legally equivalent to qualified trust services;
>recognised by means of implementing acts or an agreement concluded between the Union and the third country or the international organisation pursuant to Article 218 TFEU.

What will change with eIDAS 2.0?
+ Trade agreement or Implementing Act for recognition
+ Non-EU should meet requirements for qualified TS/TSP
+ Should follow trusted list MRA Cookbook

“Mutual recognition of e-signatures”
Agreement on mutual recognition of trust services Montenegro-Serbia-North Macedonia
Danilo Racic
Ministry of Public Administration, Senior Civil Servant

“Group Work”
Laura Kask, CEO Proud Engineers, legal expert on eID and trust services

Group Work (45 min) + Group Work Presentations (15 min per group)
>Group 1: Adapting eIDAS 2.0 to National Contexts: Challenges and Opportunities
›Which countries were represented?
›What are the main challenges in implementing eIDAS to National Context in terms of eID / in terms of trust services (e-signatures and e-seals)?
›What are the opportunities implementing eIDAS to National Context would bring?
›How to overcome the challenges?
›What kind of support would be needed from local / international communities?
>Group 2: Ensuring Mutual Recognition of E-Signatures: Challenges and Opportunities
›Which countries were represented?
›What are the main challenges ensuring mutual recognition of e-signatures?
›What are the opportunities mutual recognition would bring?
›Is there a difference / more opportunities with other third countries / with EU?
›How to overcome the challenges?
›What kind of support would be needed from local / international communities?

“Group Work Presentations”

Thank you!
Laura Kask
proudengineers.com

Estonian national framework for eID and trust services

+electronic ID is compulsory
+64% use ID-card regularly
+19% people use mobile-ID
+51% use smart-ID
+100,000+ e-Residents
electronic ID
the strongest identity since 2002

eID in Estonia
High level government provided identity based on identity nr that is unique (eID, mID).
›authentication
›electronic signing
›encryption
›i-voting
›business, banking
›state and healthcare
›public transport
›loyalty card
High level private sector provided identity based on identity nr that is unique (Smart ID).
›authentication
›electronic signing
›business, banking

Two main legal principles in national law
>Electronic identification is as good as face-to-face identification
and
>electronic signature of certain level is equal to handwritten one.
NB! Although the framework exists there is no actual use of the concept of professional certificate (e.g. electronic seal)!

Plans for EDIW
>First pilot project done (MVP);
>eID + driver`s license;
>Estonia will probably launch own EDIW that is procured from the private sector and will be used across sectors

What have been the challenges?

Nature of the security risk
The private key can be computed from the public key, which means that theoretically:
>it was possible to digitally sign a document in the name of another person
>it was possible to enter e-services in the name of another person
>it was possible to steal a digital identity without having the physical card
>decrypt documents encrypted with the ID card

Lessons learned
>eID is more important than we knew AND we cannot go back to paper
>Map cross-dependencies of critical services
>Certified does not mean secure
>Have alternatives – eID card and mobile-ID, private sector solution
>Pool of experts is limited – duplicate, if possible
>How to handle a non-incident?
>Nobody wants to go back to paper, even if they could
>This will not be the last such event

In times of rapid technological change, product standards and audits based on standards might not give the guarantees for a liable product
2 years for the audit period is too long a period, BUT the audits are expensive and there are not many auditors for the specific topics
The notification system is too vague, but the only solution in those cases is tight cooperation
The next crisis can be different; the legal framework in place enabled finding a solution, but from learnings we never know what the next crisis will look like