eHealth Governance Initiative eID Workshop
Brussels, 11-12th February 2013
Proposal for a Regulation on Electronic identification and trust services for electronic transactions in the internal market
Gábor Bartha, Policy Officer, Legislation Team (eIDAS)
European Commission - DG CONNECT
gabor.bartha@ec.europa.eu
What is the proposal's ambition? Strengthen EU Single Market by boosting TRUST and CONVENIENCE in secure and seamless cross-border electronic transactions
Who will benefit from the proposal?
- 13 million EU citizens work in another EU country
- 21 million SMEs, of which a significant part is working internationally
- Some 150 million EU citizens shop online. However, only 20% of them buy goods and services from another EU state
How? 1. By ensuring that people and businesses can use and leverage across borders their national eIDs to access at least public services in other EU countries.
How? 2. By removing the barriers to the internal market for e-signatures and related online trust services across borders i.e. by ensuring that trust services have the same legal value as in traditional paper based processes.
What is our political commitment?
- Digital Agenda for Europe, 19.5.10, COM(2010)245
- European eGov Action Plan 2011-15, 15.12.10, COM(2010)743
- Single Market Act, 13.4.11, COM(2011)206
- A roadmap to stability and growth, 12.10.11, COM(2011)669
- Commission Work Programme 2012, 15.11.11, COM(2011)777
Consultation process
Informal consultations and discussions: from launch of Action Plan on eSig. and eID, 28.11.08, COM(2008)798
- European Parliament
- EU Member States
- Multilateral meetings
- Services Directive technical group on e-procedures
- Stakeholders
- FESA (Forum of European Supervisory Authorities) meetings
- Public online consultation Feb-Apr 2011
- SME survey Oct-Dec 2011
- Liaison with large scale project, especially STORK
- Participation in public conferences
- Numerous bilateral meetings with stakeholders
- Studies (IAS Study, Crobies, IDABC studies, ...)
- 12 years of operation of eSig Directive (infringements, ...)
What is the scope of the proposed Regulation?
1. Mutual recognition of electronic identification
2. Electronic trust services:
- Electronic signatures interoperability and usability
- Electronic seals interoperability and usability
- Cross-border dimension of: 1. Time stamping, 2. Electronic delivery service, 3. Electronic documents admissibility, 4. Website authentication.
Mutual recognition and acceptance of eID
An EU Member State:
1. May notify to the European Commission the national electronic identification scheme(s) used at home, at least, for access to public services;
2. Must recognise and accept notified eIDs of other Member States for cross-border access to its online services which require e-identification by national law;
3. Must provide online free ID data authentication facility;
4. Is liable for unambiguous identification of persons and for authentication;
5. May allow the private sector to use notified eID
What is not covered? eID
- Member States are not obliged to have an e-identification scheme
- Member States are not obliged to notify their e-identification scheme(s)
- «Notified» eIDs are not necessarily ID cards
- No "EU database" of any kind
- No "EU eID"
- No coverage of «soft ID» (e.g. Facebook); only «official eID»
Why will it make a difference?
- Comprehensive toolbox of trust building instruments
- One single legislation across EU
- Foster eID usage (world premiere):
- Leverage eID cards and mobile ID infrastructure
- Reliable eID to allow cross border eBusiness and enable eGov services
- Private sector is invited to build on «notified» eID schemes
- Leverage Large Scale Pilot project STORK
Electronic identification Art 5: Mutual recognition and acceptance
Mutual recognition and acceptance, Art. 5:
- Subsidiarity respected, not harmonisation but mutual recognition
- Mandatory acceptance if electronic identification is required by law
- Only on-line use (not on the spot)
- Trust model: between Member States, therefore no minimum technical requirements, no supervision at EU level
Electronic identification Art 6: Conditions of notification of electronic identification schemes (1/2)
Conditions
Art. 6(1) a) Issued by, on behalf or under the responsibility
- "issued by" a Member State if a public body is responsible for the issuance
- "on behalf of" refers to the issuance under the control and in the name of the Member State.
- "under the responsibility": the Member State recognises the existence and the legal effect of the electronic identification means issued by the issuer and takes the responsibility for damages and ensures that the other conditions are fulfilled
Art. 6(1) b) Used to access at least public services in the notifying Member State
- Use for private services is not excluded
Art. 6(1) c) Unambiguous identification
- Does not require a single "unique" identifier
- Citizens (businesses) can possess multiple eID means if those are unambiguously linked to that person
- Details of how unambiguous attribution is provided remain within Member State competence
Electronic identification Art 6: Conditions of notification of electronic identification schemes (2/2)
Art. 6(1) d) Authentication
- Free online authentication business model national competence, avoid barriers
- Prohibits the introduction at national level of any additional specific technical requirements (such as certificates or hardware) on relying parties established outside of their territory necessary for cross border authentication
- Member States are free to choose if cross border authentication is through gateways, middleware (like in STORK) or any other national solution
- In case of compromise of the whole scheme: withdrawal
- Partial data compromise: negative result of validation
- Member States cannot refuse accepting an eID scheme in case of data compromise
Electronic identification Art 6: Conditions of notification of electronic identification schemes (2/2)
Art. 6(1) e) and (2) Liability
- not an absolute one (fault based)
- no responsibility for the whole transaction, only for unambiguous attribution and authentication
- liability remains regulated by national law
Electronic identification Art 7: Notification
Notification
Art. 7 (1) Basic information on the eID scheme
Art. 7 (2)-(3) Commission publishes, but checks only formalities
- 6 months first bunch then within 3 months
Electronic identification Art 8: Coordination
Coordination
Art. 8(1) All MSs cooperate, in a free form
Art. 8(2) Peer review modalities facilitated by Commission through a formal expert group as per C(2010)7649 of 10.11.10
Art. 8(3) Minimum technical requirements if necessary
- Security levels if necessary
- different assurance levels for various sectors possible
Indicative process (timeline figure, axis 2011-2016)
- Legislative process
- Commission Proposal 4.6.2012
- Cyprus Presidency report
- Parliament + Council adoption
- Standardisation mandate m460
- Standards
- Delegated/Implementing acts
- Commission Decisions
NB. Dates are indicative