So after this really threatening, scaring presentation about risk, about the internet of things, let's move back to something real. Well, this is real, but to activities that we can actually follow and see what happens. And one of the areas where we need to get more traction and more activity being successful is the interoperability across not only organizations, but also countries in terms of authentication and identity management. Please welcome Andrea Servida from the European Commission. Nice to see you again, long time I see you. Right.
I think we met the last time at, when I was in the,
I was 12 kilos more
I was in, I think it wasn't directly on yes. A long time time ago. Yes. Yes.
So now, you are the head of the task force Legislation Team eIDAS, sounds right? How to pronounce it?
Being an engineer, I can do this.
In DG CONNECT, DG CONNECT meaning Communications Networks, Content and Technology. Absolutely. Of the European Commission.
What is eIDAS?
eIDAS is a piece of law, which is setting the framework to promote cross-border mutual recognition of electronic identification means and trust services. So we believe that it is somehow providing the legal bearing to what the technology is delivering since years in relation to, you know, boosting trust.
But, you know, in a framework that would somehow support legal certainty if transactions are concluded based on such type of digital credentials, digital services.
Okay.
So it's a, it's a legal framework.
Absolutely. It's a legal framework which builds on quite a huge investment that has been made by member states and commission through the years. So it provides the overarching framework to what technology has shown could be done already now.
Okay. So I'll be interested to hear what you're going to say.
Thank you very much. Thank you very much.
Let me get, I suppose, it's this. So good afternoon. This is really my pleasure to be here and to share with you, I would say, a few pieces of information on where we stand with our legal framework, eIDAS.
eIDAS is the acronym that was coined in 2009, when we started looking at what should be done in order to upgrade the legal framework which was supporting at that moment in time recognition of electronic signature, mostly, in Europe, and eIDAS stands for European, for electronic identity, authentication and signatures.
Of course, I mean, we were then taken, I would say very much by what we finally proposed as a result of the discussion with member states, which is a legal framework to support a mutual recognition of electronic identification means and trust services where trust services are indeed those type of services that we have seen emerging in member states since the adoption of the electronic signature directive, back in 99 in those days, I was myself as an engineer.
I'm an engineer, but I've managed these legal negotiation.
Don't ask me how and why. I suppose that I could manage that because I pretended to understand a bit what was the technology baseline. That was to some extent that there been in the legal, and this wasn't easy because, I mean, when you have culture clashes in relation, for instance, to what is an online service, you know, in our legal framework in Europe, we don't have a definition of what is an online service. Of course, as an engineer,
When I discovered this, I was, you know, jumping on my chair, how comes, you know, an online services is clearly, I would say something that is, you know, crystal clear to me, but, you know, in legal terms, we don't have a definition of what is an online service, or we don't have a definition of what is, you know, other type of engineering concept, which underpin the technology.
We are talking about, why we look at this, we look at this because we wanted to make sure that we would somehow provide a tool set of legal rules that would make it possible for relying parties.
And I would say users to rely on trust services, electronic signature, electronic seals, time stamping, electronic registered delivery services, and website authentication, and electronic identification and authentication, for them to organize as they like their business relations in the digital without having a need to go through very complicated, I would say, prior registration type of things, or prior, I would say, bootstrapping type of activities that would indeed establish the relations between the parties. Of course.
I mean, where would apply would apply to things like this, which is, I would say the, the workflow that you can imagine for the submission of tender, but of course, I mean, we believe that this is to some extent to be seen in the context of what is the cross border.
The keywords here are two, actually three: cross-border, mutual recognition and convenience. We will not be doing our work
If the legislation will not be supporting the development of convenient and simple solutions that will carry everything that a user or line party may desire, namely, the certainty of what is indeed being done in the line of what is the risk they are prepared to take. And even more importantly, that what they're doing is not introducing huge cost to the transaction and to the parties.
Why indeed the cross border? Because, I mean, the experience of '99 with the directive led to quite an important, I would say, set of silo type of solutions at the national level, with countries introducing variations of what would've been in the mind of the legislator back in the late nineties the ideal situation for a directive on electronic signature, which means a piece of law that will support interoperability and mutual recognition, cross border and cross sector.
None of this was delivered at the cross border level.
And of course, I mean, when we say cross border, it is not that we just want to do it because we are 28 member states, but there are reasons for things to be thought of in the cross-border dimension. We have about 14 million people who are today resident in another member state, who therefore may be entitled to be using services that they have got access to in their own countries. But they may like to keep using them as they move to another country. But even more importantly, we have in excess of 20 million small and medium enterprises, 40% of which have cross-border activities.
And part of them only very small part of them has digital activities. And let's not forget the EU 28 is, is a market of 500 million people is a market that is among, among the largest one in the world.
And tomorrow our vice president, Andrus Ansip, is going to announce Tove the digital single market strategy, which will not talk about eIDAS. Why is it not going to talk about eIDAS, being trust one of the key components of the digital single market? Because our challenge now is to make it work, and to make it work means to make the legal framework and the technologies that are underpinning it deliver for the provision of services. Why I'm saying the technology? Because, I mean, the legal framework didn't just fall from the sky. We have been investing.
I am going to say we, I mean the European Commission and the member states, huge amounts of money and intellectual resource in looking at what is to be pursued in order to preserve, on the one hand, the legitimate aspiration of member states and ambition of member states to be able to determine what is the policy about electronic identity in relation to what is indeed the constitutional right that member states may have at the national level to provide identity and therefore electronic identity, and even more importantly, what is indeed that is going to be possible to make different instantiations of electronic identification schemes and means at the national level work cross border, which means to be interoperable, to find the type of trade-off that will make a trusted credential work across borders. Is this something that is an opportunity? Of course it is.
If you look at, for instance, few of the points that are there in particular, in relation to lowering the risk and ensuring that transaction will be more convenient because the user will have a seamless experience while moving from one sector, one transaction, one environment to another then of course, I mean the business case is there how the business case is to be turned into something that will trigger investment and even importantly, integration of electronic identification tools in business processes.
That depends very much on what is the scope of the reachability that you can ensure.
And there is where the cross border comes. If I am a big bank that I have to do integrate, or I want to integrate electronic identification services in the provisioning of the services. So to be able to offer online services across Europe, I should be somehow considering this opportunity only if first I know that this is possible for everybody in Europe. And I have not to deal with 28 different type of instantiation of the legal framework, which will make our, the, my lawyers to be, to get crazy. And my technologies that we even go more mad than they should.
But even more importantly, I should be allowed to do it. When I say I should be allowed to do it, it means that what we look at in the legal framework here is the recognition of electronic identification means which have been rolled out or recognized at the national level as the suitable means for persons, legal person and natural person.
So people and companies to be able to access services provided by public bodies. This is something that was the starting point of the legislation.
Why, because this is happening. We have been seeing these type of projects to be rolled out since the early nineties in different regions, in different sectors in the member states. And this investment has not led to any somehow scalable. I would say fruition of the services, which we want indeed to overcome with the legislation. What is indeed the type of principle that we have been looking at in the in, and we have casted in the regulation.
First, mandatory cross-border recognition of electronic identification means for public sector access, which means that member states are obliged, even though they don't themselves notify any electronic identification means to the commission, to the other member states, but they are obliged to accept electronic identification means which are in the hands of persons, legal person or natural person, in other countries, provided that those means, schemes, will meet certain benchmarks, and the benchmarks, we will talk about them later in my presentation, in order for this to, to help.
And of course we should leave full autonomy to the member states. Why? Because the member states are those who are entitled to decide what may or may not be recognized at the national level for their citizens, their companies, to be able to access services provided by public administration. So in this respect, they're free to decide to go for, I would say, offering their citizens the possibility to use such means also for cross-border access to public services, but leaving them, I would say, this possibility means also that they are entitled not to notify anything.
But then of course, I mean, I suppose that the political blame not to be open and not to offer such a possibility to their citizen would be very high. However, such means, which are being rolled out. I'm Italian in Italy. We have projects on electronic identity since years, and now you are rolling it out on a scale.
The use of such means by the private sector is not granted. We have still countries where the electronic means, which are in the hands of citizen for them to access public services or for them even to move from one country to another.
So electronic identity card, such means are not somehow usable by private sector because the countries, the member states' governments, do not let the private sector use them. Does this make sense? I'm not sure. Actually, at the Commission, we believe that it doesn't make any sense.
However, we don't have the legal basis to impose the opening of, to private sector of this type of schemes. Nevertheless, there is an encouragement in the regulation which somehow push the member states to really consider the opportunity to open such the use of such electronic identification means to private sector.
Why we are taking this approach, I thought was only on the ID part and what is the driver behind our driver behind is to make trust, to be, I would say, a tool for convenience delivery of services.
And we do look at the, a in sample of, of services, including electronic identifications, as the key enablers for, I would say, parties to be able to build the trust between themselves in relation to the transaction they want to conduct. Is this to be based on a single level of security or a single provisioning of security? Not at all. I heard earlier the issue of, I would say, making the security decision be based on risk assessment, on risk identification, on risk evaluation. Here is the case. The relying parties are free to decide what to use and how to use it.
However, once they have defined, what is the type of risk they are prepared to take?
Therefore, what is the level of assurance that they may like to see met by the electronic identification means they rely upon, then of course, I mean the country that we've lower level of will lower security levels type of, of means. And that is where indeed we see the trust to be built on transparent and clarity type of statements that will make it possible for the relying party
And the user of electronic identification means to be conducting transaction in full, with full knowledge of what they're doing, what does means, what, what doesn't, what is the meaning of all this? It means that, you know, the user should be empowered. We need to make it possible for the user to understand that when it gives up something that is a piece of information, trust the credential to be provided by the identity provider, it gives something to receive something else.
It should not be requested as a user just to unveil or disclose or share all the possible data related to identity.
Just for sake of, I would say, providing information that might not somehow bring back any value to him or to her. This is just to give you a bit of, I would say, snapshot of what is the type of architecture that we have. I think for the electronic identity part, what I think is important is the overarching elements of the recognition, the mandatory recognition, that to some extent triggered the focus on what should be the elements, the components of the governing frameworks for such recognition. And there we have liability rules.
We have assurance level interoperability framework, but above all is cooperation. This is going to happen only if the trust is built between the parties, which are taking the responsibility to notify electronic identification means for what concern trust services.
The situation is a bit different because there we have already market, which is to some extent, working at the national level market players are providing services.
And due to the fact that the piece of law that we have adopted is a regulation, the same code, the same set of rules do apply across all the 28 member states, which means that a company could set up a business in Estonia and reach out to all customers across all the 28 member states. There should not be any interoperability, legal or jurisdictional requirements that willed a qualified electronic signature, for instance, to be accepted by an administration in another member state or private sector. But there private sector is to be, I would say, is left,
I would say open the option for the private sector to decide because private sector may always decide what are the terms of engagement in contract?
Where do we stand? We stand that, you know, at the level that of finalizing the legal framework, the legal framework enter into application will enter into application for trust services on the 1st of July, 2016. So in about a year time, and for what concern electronic identification in about a three years time by September, this year, we are going to adopt, I would say a number of implementing acts, which will spell out even more clearly.
What is indeed that the benchmarks that have been set in the regulation are about, and this is where I think I would like to concentrate the remaining part of my presentation, in particular relation to the assurance level and interoperability framework. First, I would like to say that we are not setting with these implementing standards in terms of technical standards.
We are setting the criteria in a way that is outcome based for what are indeed the articulation of the credit of the concept that should be associated to the three assurance level that have been identified in the regulation low, substantial, and high.
The definition of which is set in the regulation, and the elements that will constitute the assurance level are also defined in the regulation. What we are doing in implementing act, and to end, we are working with the member states.
We are articulating what is indeed the type of elements and requirements that they should be made for each of the different components that we have defined for such authentication.
In particular, we do have the elements of enrollment, issuance management, all the technical aspect that you may think and organizational aspect that you may think would be needed for such implementing out same approaches for the interoperability framework, where in connection with the work that is being conducted by our colleague in, in the implementation of, on implementation of the technical infrastructure, we are defining the key elements of the architecture that will make a system to be work together.
Last point that I would like to say is, is this, we are about, we are working on legislation, but the uptake of services in this area would only happen if the private sector is engaged. This is why we are, I would say, working with the member states and with private sector, innovative sectors to see what are indeed the needs, what are the requirements that will make them to be able to leverage and rely upon electronic identification means as provided by, by the regulation and as being rolled out by the member states.
In this respect, we are targeting few sectors in particular financial sector, banking sector, sharing economy, sector, electronic commerce, because we came to the, to the realization that the underpinning needs on the trust infrastructure that they have to have in place and met for them to operate is exactly the same. Last on the 20 on the 31st of March, we had this event with banking sector and sharing economy sector.
And actually we were told, you know, how comes, you know, you bring this community together. We have a very heavily regulated environment. That is the banking sector.
We've a new environment, new business sector, which is actually developing the market where the rules are still to be seen or to be proved to work in the same way. But actually when we talk about electronic identification, the needs to empower the user, the transparency elements, the seamless integration of services and business process, the needs were the same. Of course.
I mean, those who have more solidly, I would say, established a legal framework were a bit more into the needs of ensuring the regulatory, I would say, alignment would exist to make them able to move digital, but for the rest, I think the need is the same. So I think I stop here and I thank you very much for your attention.
Thank you, Martin.
Andrea, this is, I think this is a very interesting topic. It seems at the first, I think for most of you probably here in the room seems a little bit wide way because most of us are dealing with identity management systems for harmonizing intercompany processes and getting identities sorted out internally in the first place. But this is about integrating external processes in the first step business to government in the second, probably consumer to government, as well as you mentioned, 40 million people. Yes. Europeans being, not in their home country. Absolutely.
And third it's about harmonizing the identity management systems on the long run. I mean, even if you say you are, you're talking about mutual recognition in the first place.
I, from a, from a market perspective, I, I perceive that this is going to put pressure on the government and also manufacturers to harmonize their processes. What's your view on this?
I think of course, I mean the legal basis is internal market. So the internal market legal basis means harmonization.
However, the harmonization here is more on the way in which it should approach the problems and the way which you have to look at the problem. So we is more promoting the good practices.
Of course, you may have technical solutions which will differ already. Now we have countries where you have electronic identity cards, in others where you have citizen cards. So in the first case it is a travel document, so you can go around Europe and carry it as your identity card. For the latter, it is actually something that you only use to access governmental services. Are different based, but at the same time, in relation to accessing digital services, they should deliver the same type of situation. There is where the common point comes.
Of course, with the assurance level, we have to, to take all the very big problem of identity proofing because I mean, registration of identity member states is different. There is where we can, perhaps I would say foster good understanding of what might be needed in order to ensure that when you have trusted credential cross border, they can really be trusted. And this is why there, we had quite a bit of discussion with the member states, but the issue is not to harmonize. This is why the approach we take is outcome based. So we harmonize the outcome.
So what you want and you have to deliver in order to map your system to a certain level, how you do it, it depends on the way in which the government is organized, the state is organized, what are the administrative infrastructure that you have in place, but you can reach the same outcome in a different way. And that is, I think, the very lesson that we have learned with the, I would say, preparative projects like STORK and STORK 2.0, that we have been funding since 2008.
And the benefit for the companies is practically speaking.
If they have existing E government services working now with their home country, they could, they should be able to use the same identification, authentication processes with external service.
Absolutely. And even more importantly, if the identification part is to some extent a precondition for the delivery of a service, but is not in itself related to the business model, but is just to fulfill legal obligation, like the anti-money laundering directive for banking or certain requirements for security of payment associated to the payment service directive number two.
To some extent, by decoupling what is to be done for identification from what is the business transaction that you want to accomplish, you may even save resources because you fortune are your business, but you have to be reassured that what you're doing by relying on this type of credential is not something that works between the two of us. But then if we trespass, you know, the territory and we go to, or the boundary, we go to another 30, it doesn't work, or even only with you, but not with another, I would say, industry sector.
And there is where the regulation provide the legal ground, but it's up to the member states to make sure that private sector could really benefit from
This data. So the member states need to implement need
To open up. And because they're implementing, they're rolling out, they're recognizing they are somehow fostering the use, or the understanding that using electronic credentials is good for consumers and businesses when dealing with public services, of course, I mean, this should, I would say, become an opportunity also for business to deal with consumers.
So once you have business to government, to consumer, to government, you have to have business to business, business to consumer. I'll give you an example in my country, Italy, the business of electronic signature is very rich, but since they have introduced the obligation to business to use electronic register, electronic delivery service, which is equivalent to the register surface carrier, and this has been introduced as an obligation for company to deal with public administration.
Of course, I mean, now they use it business to business because they have the certainty of what is the deliver to an extent that the business of electronic ed electronic delivery service is now higher than electronic signature.
Would anybody would've bet this, you know, five years ago?
No, but this is it. The business is 1.5 times the business of electronic signature.
You know, something that, you know, I would've never bet myself, but this is it because the opportunity comes there. They're fully integrated.
You know, insurance, consumer credit for instance, is where this is booming. Why? Because you do everything in the shop.
You do, you sign, you deliver, you get everything and you get the register delivery at home. And when, when you have done it, you have done it, you know, in two hours, not in five days. Thank you very much.
Andrea, thank you very much, second.