Thank you very much. I think a round of applause and then we'll do intros. Thank you. Thanks very much.
So, the panel today is all about what's happening with the eIDAS regulation, the legislation, what's coming next and what are governments going to do. So, I'll ask everyone to introduce themselves and when I say we're in the presence of eIDAS royalty, I mean that.
So, Vedran, would you like to do a quick intro for us?
Yes, of course. Good morning, everyone. My name is Vedran. I'm coming from the European Parliament and over the last three years I was working on the new eIDAS proposal, on the new digital identity framework. My task was in the Parliament to basically prepare the Parliament's position vis-a-vis the Council and the European Commission and basically help support the political masters in their work.
So, that's surely. Thanks very much. And Viky?
Hi, everyone. I'm Viky Manaila, Trust Service Director with Intesi Group, an Italian qualified trust service provider with a strong background in eIDAS and everything around ever since. And I'm happy to be on stage today with these brilliant people. Thank you.
Thanks, Viky. And Rob?
Good morning, everyone. I'm from the Ministry of Economic Affairs and Climate Policy in the Netherlands. We are responsible for the policy on trust services in the Netherlands and besides that, our directorate is responsible for the strategy for digital economy, which also is very important with eIDAS.
Thanks, Rob. And Moritz, lastly.
Yeah, my name is Moritz Heuberger. I'm from the German Federal Ministry of the Interior and for Community and I'm working in the unit for digital identity and authentication and I'm responsible for the implementation of the new eIDAS regulation for, on the one hand, the testing and LSP POTENTIAL, which is the consortium we lead together with France, and for the German EUDI wallet project.
Thanks, Moritz. So, what you have here is two government representatives, the European Parliament and Viky, who has been in this space for so long and is particularly involved in the standard side of things as well.
So, these are the folks who are involved in actually deciding what eIDAS is and how it's going to be delivered in different countries. So, let's kick off with Vedran first of all. I gave a little bit of a briefing this morning on some of the regulation, but could you just tell us a bit of background as to what has been signed off so far and what is the next bit of process to come?
Sure.
So, I think it goes without saying in recognizing that basically Europe has gone a long way in building a respectable digital identity ecosystem, but obviously, you know, it's not enough. I think the current situation is that only 14 member states have actually notified a working national identification scheme and only 60 percent of EU citizens today actually have access to a national identification scheme, which is a suboptimal result.
So, also there is, I think, on the market today many issues that pertain to different technical standards implemented in different member states, which obviously is not also good from the aspect of interoperability, especially in the context of cross-border, because ultimately eIDAS is there to enable cross-border identification and authentication. It's there to provide for provision of trust services cross-borders, and I think this is like one of the major issues that eIDAS is trying to solve, basically to go from 27 national markets to one European single market for trust services.
So, obviously in that sense, the new eIDAS is really there to first and foremost create a level playing field for all the market participants, be it the private sector, be it the public sector, and it's doing that by creating a set of joint specifications, technical standards that everyone needs to comply with in order to participate in this market. So, I think the biggest benefit of eIDAS is that it's really harmonizing the game for everyone, and it's making sure that all the market players are abiding by the same rules and playing by the same rules.
This is something that's currently not the case, and obviously we also saw during the pandemic that there was a huge boost and demand for trusted and safe identification services, and I think this is really kind of the moment where I think it demonstrated the value of these tools and technologies in our daily life, and the fact that you can remotely talk to a doctor, that you can remotely conduct a financial service, that you can do a lot of things remotely that previously were seen as something happening in the next 10-20 years, and then basically things have shifted overnight.
Exactly, and I think just to maybe close it off, I know there was a study by McKinsey that basically said that globally speaking, the digitalization has been accelerated by seven years, so something that these processes that are kind of long and painful, first and foremost for companies, they somehow happened overnight, so we see that when there is a push, when there is a need, we can act.
Yeah, and the COVID certificate was a really good example of how fast that could be done.
Exactly, yeah.
So Viky, what's still to come then? We've got more regulation, legislation, what is it that's happening next? Because this is not, you know, the thing that has been signed is not the first, is not the finish, is it? You have some way to go.
Exactly, well, I'm talking from the trust services provisioning perspective. The regulation is setting the framework, but we still need some additional by-laws, let's say, the implemented, the so-called implementing acts issued by the Commission that are establishing an equal play field for everybody, so in all member states we'll have the same way of applying the regulation.
For the trust services provisioning, we are waiting for those implementing acts, we are waiting for standards, technical standards, to adapt the existing services, for instance the electronic signature, or to implement and to establish the new services, so-called electronic attestation of attributes.
While the public sector is evaluating how and when to implement eIDAS regulation, to put it on the ground effectively, we as trust service providers, for us the clock is ticking, because we have two years precisely as a transitional period and in this time frame we should adapt existing services to the new requirements, we should pass through a recertification program process that is complex and costly and time consuming, also we should take care of our customers that need to change their existing services in order to be compliant.
And two years is not long, is it?
No, two years, think about banking sector, there are a lot of banks already implementing generation of signatures and onboarding of customers based on electronic identification means level of assurance substantial that will no longer be acceptable for generation of qualified electronic signatures, so they need to change those processes.
And do they know they have to do that?
They are not aware of that.
Yeah, so there's a big education.
Yes.
Okay, let's come on to Rob and let's get the Dutch government's view as to what's coming next for yourselves. You've got two years as well.
Yes, thank you. In a way we have two years, but in a way we are already starting, because basically we are doing two things. First of all the trust services, and like well the Olympic Games, the trust service is not as sexy maybe as the basketball competition and the 100 meter yard dash, but we are doing the decathlon. And right now we have finished one stage, we have done research on the market of trust services as a consequence of the eIDAS revision, and to see what necessary steps we should take as a government.
And one of the other competition parts of the decathlon we are working on is the national legislation, which has to be adopted according to the regulation. And there are several more things to come that we have to decide on as a ministry. For instance, the game of the free signatures for citizens.
Just explain that a bit more. What do you mean by free signatures?
Well, in the regulation it is stated that every citizen within Europe can have a qualified electronic signature when onboarding at a wallet. And then there is one of the clauses where member states can take measures in order to limit it to only free use by citizens for non-professional situations. So as a member state we can decide on which things should we do in order to limit that and not having businesses use the free signatures. And that is a very difficult game to win. So that is one of the parts we have to do.
We also, of course, trust services in the internal market situation, where in essence companies can have a share and can play a role. And it will be interesting to see whether we can maintain that situation and not having others cheat in that part of the decathlon. So those are interesting parts. And we have the QWAC game, of course, where Team USA or Team Big Tech, I should say, and Team Europe still are trying to get on the podium. So that is one part. And the other part is nobody knows about the Olympic Games, in your analogy this morning, where the sailing competition will be.
Obviously not in Paris. Everybody pays attention to Paris. But in Marseille there will be the sailing. And we are also, in the same analogy, focusing on the legal person wallet, which is not having that much attention right now. And that is a part of the digital economy.
And a legal person wallet, the terminology can be confusing. Just describe a legal person wallet and how it differs from any other wallet.
Yeah, well, the concept of legal person wallet is not as clear for everybody as you would think. Some people say, well, it's a natural person wallet and you have representation that you can represent the company. But also it can be a different form. For instance, it can be server-based, where nobody has the gen digital wallet on his phone. So there is something in the cloud or on the server that contains your attestations that you want to share. So that concept of the legal person wallet is not as far evolved. And we are cooperating, for instance, in the EWC to work on that.
And that essentially is going to give businesses a digital identity they can share throughout whatever it is they do, which is a huge gap that needs to be filled.
Exactly.
Yeah, fantastic. And Moritz, let's come to you on the German government side of things. Here we are in Germany, fantastic Berlin. What's happening with eIDAS in Germany? And particularly, how are you going to engage citizens and tell them about what's happening?
So we have similar challenges, the same questions when it comes to the free of charge signatures and things. So we have this process. I just presented this process yesterday as an open and participative process to create a concept of an eIDAS 2 infrastructure of an ecosystem. And we're discussing different parts of it.
So not only the wallet or wallets as one central part, but also like the governance potential like roles in the ecosystem. We try to identify the models, like the operating models behind it. So which part of the ecosystem could be private, because maybe there is a market for it and for which parts there is maybe no market, because there is no expected profits. Or where are points where we don't want to be a market, because out of sovereignty reasons, for example.
So the discussion when it starts, who should do the PID issue, to who will issue the EAAs, like the public body EAAs, from the authentic sources. Is this the responsibility of each authority? I just said yesterday we have 11,000 municipalities, so should I ask every municipality to issue their attestations? Or is there some central body who collects the information from the registries and then issues electronic attestations? So we have to discuss this. So that's the one field.
So within the administration and the wallet thing, and we also have a process on organizational identities, because before we talk about legal person's wallet, we have to talk about organizational identities, because something like this does not exist in a uniform way in Germany. Because in Germany you have identities for like companies, for different kind of companies, for the different legal persons. So when it comes to, like you may know GbRs, they don't have any registry where you write down that you have a GbR as a legal person.
So that's quite difficult, and overall we try to engage citizens, civil society, science, industry, to get not only their expertise, but also to increase acceptance by transparency, by participation, and to make the whole process understandable.
And do you plan a big citizen engagement program to tell them about the benefits of eIDAS wallets and what's coming up? Or do you think it'll wait for two years and then you'll do that? Or will it just happen by osmosis?
It depends.
So for now we have this process which is public, but not many people in general public are interested in it, because it's quite specific. But still we try to reach out to specific interest groups to tell them what will come, and to ask them okay what's your opinion on it, and what do you think about it. And this reaches from like representatives from migrant groups when it comes to migrant identities, immigrant identities, when it comes to like special interest groups, like accessibility issues.
So these are different focus groups we already have, but for the more general public I think it's very important not only to make it more popular, but also to educate people, because we will not only face adoption issues, but we will also face issues and questions when it comes to over-identification, because we make much more possible compared to the status quo, and we have this responsibility that we ensure user consent, and that people don't get in this trap of what I call the cookie banner problem nowadays.
You have these cookie banners and out of being overwhelmed with it, you just accept all. And I don't want to have this in the eIDAS world, so people just share everything because it's easier, because they don't want to select what they want to share, so we have to educate people, we have to strengthen and make them do responsible choices, so it's a lot about empowering and educating.
Yeah, I think it's going to be a huge task to get everyone up to speed about how to use it, but if the user interface is beautiful, they'll just use it anyway, because it'll be simple, so that's a big challenge as well. Vedran, coming back to yourself, there's this big jump into this new world of digital wallets and the more decentralised approach, it's very different from eIDAS V1, and that brings in immediate parallels with Apple and Google wallets, and this is something that I get asked lots of questions about, and there's some on the Q&A coming in.
If you've got any questions, I can see them on here, so make them good and I'll pick them. What's the view with Apple and Google Big Tech, and the question asked to me this morning was if Google gets certified as an eIDAS wallet, is that okay? So what's your view and how will Europe handle Big Tech?
Yes, this is one of the, I think, most sought questions around the table. People are trying to see how Big Tech fits into this narrative, and rightly so. I think it's fair to say that one of the reasons for this proposal was also to really curb the power of big platforms in the European Union, while they did bring a lot of benefits, I think, to European citizens and consumers.
Also, I think in this process we lost out a lot, especially in respect to privacy and protection of our personal data, and I think also one of the attempts of eIDAS is really to curb this kind of wild, wild west of data processing without any kind of legal remedies in place. So I think in that respect eIDAS complements GDPR and really puts it into practice. It operationalizes GDPR. This is something that we needed.
I understand that from the perspective of business, GDPR compliance is difficult, but at the same time I just see no other way but to have such a robust and resilient piece of legislation as GDPR does. That really sets a high bar for protection of personal data, and this is something that is very much needed in Europe, but I also think beyond. I think also in these discussions a lot of times you will hear that it's hard to build business around GDPR, but I think the fact that Apple is now positioning itself as a champion of privacy speaks volumes about the impact of GDPR globally.
So I think obviously it's resonating beyond the European borders, and companies are taking, I think, strategic business decisions how to position themselves and how to use GDPR to their advantage. I think they will have to do the same in respect to eIDAS. Stop seeing it as an obstacle. One of the examples was given by, I think it's a small example, but it's a telling example of free signatures and how this could maybe disrupt the current market of signatures. Actually this proposal came from the European Parliament.
We wanted to give the citizens basically a basic function of signing through the wallet. Luckily now it's there, but I think we also need to acknowledge that most of the business when it comes to qualified signatures doesn't come from the consumers, it comes from the businesses. So I think in the context of signatures, it's the member states who will have to take on the costs for the provisioning of these free signatures. And just to also give you one example, in Estonia they save around two percent of their annual GDP just by using electronic signatures.
So if we talk about what is the business model for eIDAS, obviously I think the business model is in increasing efficiencies, it's in accelerating processes, it's in making things simpler. So I think also this is kind of where the e-signatures can fit in and then the wallet as a tool can help facilitate this process.
Very interesting. So I think different to GDPR, which is a bit like you must comply with limited upsides, with eIDAS there are many, many upsides, aren't there? I think we're going to hear later on today about more of those.
But interested in your view, Viky, on business models for private companies. So as a QTSP you're under threat, presumably, because these signatures are all free and that's how you get some money at the moment. So how can businesses benefit and what should they be doing, do you think?
Well, the first threat is not necessarily from no longer having money from generation of signatures, but there is another threat of market fragmentation between trust service providers, because in one country the member state may decide to have their own infrastructure to generate those signatures through the wallet. In other countries, other member states may decide to have all trust service providers together pushing certificates for signatures. Some other member states may decide something different.
What is going on with those citizens that already have a signature from one country and they cannot use it with the wallet in another country? And this will create, for sure, friction. And this is a signal to member states to evaluate very carefully these aspects, because it will touch not us as trust service providers, but citizens in first place. And before the eIDAS we had a European Directive on Electronic Signature and we know how fragmented was the market and the frictions we lived before. So we don't want to get back there from a simple thing like having free signatures for citizens.
So it's quite a lot of business model change.
Yes.
And actually, let's come to Rob about the business identity piece and what that could mean for organizations and how would they get to know about it and what sort of benefits could they get? How could they use a legal person identity?
Yeah, well, first of all, I think we have in the Netherlands a very good starting point for the wallet for legal persons. It's like Moritz said, you need an identity for company, business identity. In the Netherlands, we introduced 50 years ago something called eHerkenning, e-recognition, which is an identity for legal persons. It has been notified, so it is a notified identity means at a level high within the EU.
And that, of course, lays the floor for building a wallet upon it because you have to, when you're on board on a wallet, you have to identify on a level high with an identity means. So for businesses, we could use that. So I think that is one of the things that member states, like Moritz said in Germany, they are looking for is that you have to start somewhere that is identity for businesses. So I think we have a jumpstart and a lot of companies in the Netherlands already are used to that. I think one million identities for businesses already have been issued in those past 15 years.
So that is one thing. And I think the other thing, different from the natural person wallet, is that with businesses, I think the business case will decide whether they will use it. You don't have to make them use it like what's in it for us, what citizens will ask. And we have done, or there has been a research in the Netherlands, done in quite some years ago, where the identity for businesses costs like thousands of euros per business every year. And for instance, in the payment industry, it costs billions of euros every year to have the background check on companies.
And there, the wallet could be a big driver for what we say, the digital economy. So I think when, and that's what we are trying to explain to, for instance, the financial industry, but also for logistics, the importance of the wallet it can have on their business, having a positive business case. I think when we can show them, and for instance, we do that by participating in the EWC consortium, but also trying to continue it in the next round, then I think the buy-in for businesses will be much earlier.
Of course, when we have wallets for businesses, it will be much earlier than for a natural person. So we are trying to communicate and to show them the examples and, well, having them participate also in those examples.
It is a great way of thinking about it, because there's so much focus on citizen ID, but there's huge benefits for business ID as well. Audience question has come in.
Thanks, Etienne, in the audience, who has asked, it seems that Germany and Netherlands are struggling to solve the same technical challenges. What level of cooperation is there between member states? And is there a possibility to have a generic technical solution shared by all?
There are not only talks within the existing context, such as the large-scale pilot POTENTIAL consortium, where we work together, for example, with the Netherlands, but also with 18 other states. So we lead the work package 2, which is the work package looking for the technical interoperability of the national systems.
So, at the current stage of the project, we are comparing the requirements and the technical, like, what is technically available in each country, and how can we match it? So, that's on that side. We have in LSP POTENTIAL interoperability event, where we invite all relying parties, all potential issuers, to, like, coach together on common solutions and open source, so I think that's the best thing, to, like, open up spaces where the interested parties can come together and create added value which everyone can use.
On the other side, there are, like, other types of exchange, especially, for example, with the Netherlands, with the French colleagues, like, with our neighbours, where we exchange ideas, and where we try to, like, have a common understanding.
Yeah, and at the same time, the European Commission is also, like, active to engage with this process with the reference implementation, and we try to use as much as possible, which comes from the European Commission, so there are interlinkages, but still, you really have to mind the specific needs of each national, of each existing national system, because we have notified eID systems, there are specific technical requirements, we have, what I said before, the specific registry landscapes, and when it comes to organisational identities, you just saw how, like, the differences are, like, 50 years of difference, yeah, so you have to match it somehow with things you can find on national level, so there is a lot of stuff to do, you have, which you have to do on yourself as a national government.
Yeah, maybe I can add is, I don't know whether the person who asked the question knows, but there is, like, an eIDAS expert group, which already exists since 2014, and since 2021, I think the cooperation within the eIDAS expert group, where the national representatives, like Moritz, I'm also a member of that, are working together with the Commission in order, and what we are working right now on the implementing acts, we have been very active in the ARF phase in the past years, and that coordination that we had, and we'll be continuing outside of the eIDAS expert group on a bilateral or multilateral basis, so I think there's a very good cooperation between member states going on right now, like Moritz said.
Yeah, and the large-scale pilots are where a lot of that is happening, and there's a call for funding for two or three more, I think, as well. And a related question coming from the audience, so thanks to Freddy, I don't know who wants to handle this, I'm going to throw it at you, Vedran, this is nasty, this one. Why not just one wallet for the EU?
That's a good question, I don't know.
Actually, I think for the most part, in the beginning, everybody understood that there is, in fact, going to be one wallet. I think maybe that was just a misconception, but I know at the initial stages, everybody was excited, everybody was like, okay, so it's like one wallet in all the member states, and then, yeah, you have to explain that actually it's 27 wallets.
It could be more, couldn't it? Each country could have more than one?
Yes, that's actually correct. Each member state has to provide for at least one wallet, but there is nothing preventing certain member states from having more than one.
I think, to go back to the original question, the idea was, by not introducing a single European wallet, is to allow member states to keep using their existing systems, so that the European wallet comes on top of the existing national solutions, because we also have to acknowledge that certain member states have already quite good working digital identity systems, national identification schemes that have been notified, and I think all that work would sort of be in vain, and it would be kind of expensive to try to reinvent the wheel by joining forces into a single European wallet.
I think also, technically, that would prove to be quite difficult, so the idea was more that, yes, each member state continues to keep their existing system in place, but it has to be upgraded with the latest requirements that the new eIDAS sets for them.
Yeah, so that's going to be a really interesting, as Moritz said, Germany has a specific way of doing things.
Yes, exactly.
The Netherlands has a way of doing things.
And I think it's also good to give member states a little bit of flexibility, because obviously, you know, we are 27 member states with our own traditions, cultures, mentalities, so everybody tends to do things in their own way, so I think it's good not to be too prescriptive around that.
Yeah, okay. So, maybe coming on to Viky, actually, we could go on that particular subject a lot, and I think there's going to be more on that during the day. Lots of people are asking about Apple and Google as well, but I think we're okay on that for the moment.
So, this is from Yash. Digital ID is free for citizens, but would it cost businesses to accept them? Is it mandatory for businesses to accept the eIDAS wallets or signatures or credentials from them?
There are several industries or verticals that are mandated by the regulation.
Mandated, okay. And which verticals are, or which sectors are there? Do you know offhand?
Financial sector, utilities, service providers.
Telcos.
Yeah, telcos. They should accept the EUDI wallet identification if a citizen requests to.
Right.
So, it could be like one citizen has a wallet, and every bank in the country has to be able to.
He wants that. He wants to use that. He has this right, so the bank should put him in the condition to use and to not ask additional measures or to come to a physical branch to identify himself.
So, this is mandated. Let's come on to Moritz on that one.
Yeah, a bit more. Yeah, I just wanted to add, I think it's 5F or something in the eIDAS.
So, for like the government services, if you need to identify or authenticate yourself towards the government service online, the wallet has to be accepted, as one means. When it comes to businesses, only if there are legal requirements for identification, only then the business needs to implement it. If I have an online shop and I just want to know the identity of the user, I don't have to implement the EUDI wallet for identification.
But if there is a legal requirement, for example, for strong customer authentication, then I have to accept the EUDI wallet three years after the implementing acts, so around 2028.
Yeah, so there is going to be pressure on those organizations and three years and a bit to go.
It's like tomorrow.
Yeah, if you think of a big bank, they've got to put it on their roadmap somewhere and decide to do it and put the money in. So, they need to know it's happening.
Just to jump back to this, so also just to clarify, all the sectors that have a strong customer authentication requirement, they will be the ones who need to comply.
And what about age verification as well? Would that come into scope? Because there's a lot of age verification action happening at the moment, isn't there? It may not be in scope now, but...
Yes, there is nothing per se about age verification in the regulation, but just also to clarify, so it's SCA requirements, they need to comply. There is a carve-out for small and medium-sized enterprises. They will not need to provide the customers the option to sign with the European Digital Identity Wallet, because it was sort of agreed politically that it would be a big cost for them to comply, so they're left out. And also the third category are the very large online platforms.
They will need to comply, so in the future, if I decide that I want to log into Facebook with my wallet, with my European wallet, Facebook will have to provide me with that option.
That's true.
So, we're talking about Apple and Google, but all the big tech platforms... Yes, exactly. ...will have to comply.
Yes, they will have to comply.
So, Rob, let's come to you.
I think it's a very good question, and what I hope we can achieve is getting people to see it in a different way.
Of course, there is an obligation to accept the wallet for authentication online, where a strong user authentication is required, but on the other hand, we hope that the relying party also sees the advantages the sharing of data will have for them. So, not only see the wallet as, yeah, we have to do it, and oh wow, I don't like it, but that they see the business opportunities, reducing fraud. We hope that we can contribute in letting organizations see where it can help them, and not only see it as a pain in the ass.
Yeah, exactly. There should be a carrot as well as a regulatory stick.
Yes.
Because if you can onboard somebody in two seconds with an eIDAS wallet versus typing in lots of forms and costing 20 times as much, why wouldn't you do that?
Yeah.
Just the last one, then. We've got two minutes left.
Maybe, Moritz, I can come to you on this one. eIDAS outside Europe, has the German government been thinking about this? What happens when a German citizen goes to the UK, or to Canada, or Bhutan, for example?
Yeah, our strategy towards this point is the first step, and then the second step. So, at the moment, we're really focusing on getting eIDAS in place, getting everything done.
Still, we are in contact with governments outside of Europe, yes, and they have a very close look on what's happening, starting with the UK, but also with governments outside of Europe as continent. I think eIDAS will have a huge impact, because there will be standards set, just like the GDPR.
So, there will be standards, and I think we have to look, when eIDAS is in place, how we can make wallets be usable across borders of the European Union.
I think this is going to be a really interesting question as it evolves, and there's a question on standards and protocols, which is the next session coming up, actually. But I know there's a huge amount of interest in eIDAS amongst other countries, and it's almost like it's kind of setting the gold standard for how this should be done, which is really impressive, despite the fact there's going to be lots of challenges implementing.
It sets the standard.
Yeah, last word, Viky.
Yeah, I would add something. eIDAS was a trendsetter for trust services provisioning, and many countries outside EU implemented the model. I expect to be the same for the digital identity wallet, and there are already countries outside the European Union looking at the model, trying to understand how to implement, how to adopt the model, and I'm sure we'll have surprises very soon. Perhaps they will move faster than European member states.
Yeah, I completely agree. I think, watch the large-scale pilots really closely, and if you want to set up a consortium and bid for new funding, then crack on. I think that's happening now, isn't it?
So, we're at time. The thing is flashing. I'd like to say thank you to Vedran, Viky, Rob and Moritz. A round of applause. Thank you for a really informative session.