Suomi.fi for Service Developers

eIDAS regulation: frequently asked questions about cross-border identification

This article provides answers to frequently asked questions about the eIDAS regulation and the way in which it is interpreted.

Is there any joint policy or interpretation at central government level on the mutual recognition of the cross-border identification rules contained in the eIDAS regulation?

Under the eIDAS regulation, all public sector actors must ensure that they comply with the requirements contained in the regulation and allow EU citizens with an eIDAS-notified identification token to use their services.

There is no joint policy or interpretation at central government level on when and how the identification obligations laid down in the eIDAS regulation should be applied in public administration e-services.

No party has been tasked with drawing up joint policies in this area. The Digital and Population Data Services Agency provides the national node, as laid out in the eIDAS regulation, but it is not responsible for supervising compliance with the regulation or for interpreting it. Likewise, as regards the e-services that the authorities are obliged to provide under the regulation, the Finnish Transport and Communications Agency does not have the authority to supervise compliance with the regulation or to interpret it.

As there is no central body responsible for the above matters, each public actor must independently assess what is required of it under the eIDAS regulation. This article provides advice for making such an assessment.

What are the situations where an organisation must, under the eIDAS regulation, accept an identification token granted in another EU Member State?

Provisions on the requirements for mutual recognition are laid down in Article 6 of the eIDAS regulation. Under the article, mutual recognition only applies to identification means with assurance level substantial or high and to online services provided by public sector bodies. Thus, the eIDAS regulation does not apply to lower assurance levels.

This means that if identification into an e-service of a public sector actor requires strong electronic identification, the e-service in question should, as a rule, also accept the mutually recognised identification tokens referred to in the eIDAS regulation.

Finland’s own national legislation on strong electronic identification (Act on Strong Electronic Identification and Electronic Trust Services) is in compliance with the eIDAS requirements for assurance levels substantial and high.

Suomi.fi e-Identification can be used by means of mobile certificates and online banking codes that in the view of the Finnish Transport and Communications Agency meet the requirements for eIDAS assurance level substantial under the Act on Strong Electronic Identification and Electronic Trust Services. Identification is also possible by means of identification certificates granted by the Digital and Population Data Services Agency (personal identity card or organisation card) that in the view of the Finnish Transport and Communications Agency are in accordance with eIDAS assurance level high. Tokens evaluated and accepted in Finland are listed in the register of the Finnish Transport and Communications Agency.

By adopting Suomi.fi e-Identification, an organisation has determined that its e-services require strong electronic identification. If the online service provided by the organisation requires Suomi.fi e-Identification, the requirements laid down in Article 6 are probably met and the e-service should also accept eIDAS tokens.

Organisations can interpret the mutual recognition obligation for e-services on the basis of Article 6 of the regulation:

1. When an electronic identification using an electronic identification means and authentication is required under national law or by administrative practice to access a service provided by a public sector body online in one Member State, the electronic identification means issued in another Member State shall be recognised in the first Member State for the purposes of cross-border authentication for that service online, provided that the following conditions are met:

(a) the electronic identification means is issued under an electronic identification scheme that is included in the list published by the Commission pursuant to Article 9;

(b) the assurance level of the electronic identification means corresponds to an assurance level equal to or higher than the assurance level required by the relevant public sector body to access that service online in the first Member State, provided that the assurance level of that electronic identification means corresponds to the assurance level substantial or high;

(c) the relevant public sector body uses the assurance level substantial or high in relation to accessing that service online.

As a rule, all public sector services that use e-identification of assurance level substantial or high (Suomi.fi e-Identification) fall within the scope of the regulation. This should be taken into account when an organisation assesses the obligatory nature of the mutual recognition laid down in the eIDAS regulation.

Does the eIDAS regulation mean that organisations must also make their e-services available to foreigners?

The eIDAS regulation lays down conditions on which electronic identification means should be recognised and how electronic identification schemes should be made eligible for notification. With these conditions, it is easier for the Member States to build the required trust in each other’s electronic identification schemes and mutually recognise the electronic identification means of other Member States.

However, the regulation does not contain specific provisions on the offering of e-services. Provision of the services themselves is outside the scope of requirements laid down in the eIDAS regulation. The principle of mutual recognition only applies to the verification of the customer’s identity in connection with the provision of an online service. However, access to online services and providing them for end users is closely connected with the conditions laid down in the national legislation that concern the right to use such services.

The extent to which customers should be able to use foreign eIDAS tokens when using online services depends not only on the eIDAS regulation and identification but also on the national legislation applying to the services and possibly also other EU legislation. The distinction between ‘recognition’ of identification and an online service itself may be open to interpretation.

As a rule, the requirements for providing the service are laid down at national level. Even if the national legislation does not require or enable the provision of e-services for residents or citizens of another Member State, good governance under the Administrative Procedure Act requires that they are at least provided with advice.

At Union level, access of EU citizens, residents and companies to Member States’ e-services will be promoted with a single digital gateway. On 27 September 2018, the Council adopted a regulation on the establishment of a single digital gateway. The new gateway will allow individuals and companies to access online information and procedures and consult assistance and problem-solving services. The digital gateway will contain a common user interface (‘Your Europe’) providing EU citizens with information on different Member States. One of the key principles of the digital gateway is that if a procedure is available to citizens in one Member State, it should also be available to the citizens of other Member States.

Even though, as a rule, the eIDAS regulation contains provisions on the identification of citizens of other Member States and not on access to e-services, public sector organisations should give more consideration to Europe-wide e-services in their own range of services. This should be done where possible and within the limits of national legislation.

Which government agency is responsible for supervising compliance with the eIDAS regulation?

No government agency is responsible for supervising compliance with the mutual recognition obligation of the eIDAS regulation in central government. Each organisation must ensure compliance with its obligations under the regulation and enable identification with eIDAS tokens in its e-services if this is required under the regulation.

The Digital and Population Data Services Agency maintains the national node (as required under the eIDAS regulation) through which the details of the foreign citizens identifying themselves with eIDAS tokens are relayed to Suomi.fi e-Identification. However, the agency does not supervise compliance with the regulation. It only provides the eIDAS identifiers for organisations’ e-services through Suomi.fi e-Identification.

Under the Act on Strong Electronic Identification and Electronic Trust Services, the Finnish Transport and Communications Agency represents Finland in the cooperation network of the Member States referred to in Article 12 of the eIDAS regulation. The peer reviews of the identification schemes notified to the EU are organised in the network. The tasks of the Finnish Transport and Communications Agency concern the conformity of the electronic identification schemes and not the provision of public sector e-services.

Which organisations can use the node provided by the Digital and Population Data Services Agency?

As the node is produced as part of Suomi.fi e-Identification, it can be used by all organisations entitled to use Suomi.fi e-Identification in their e-services. By law, the use of Suomi.fi e-Identification is mostly limited to public sector e-services and for this reason, the private sector cannot use the node.

The fact that the national node is only available to the public sector is in accordance with the requirements of the eIDAS regulation. One of the objectives of the regulation is to remove obstacles to mutual recognition of identification means in public services.

However, the regulation also allows mutual recognition of tokens in private sector e-services. Under the regulation, Member States must also encourage the private sector to voluntarily use tokens meeting eIDAS requirements in their online services. If a Member State decides to allow private sector actors to use the national node on the same conditions as the public sector, the technical means to distinguish between public and private sector actors should also be present.

Under sections 30 and 42 c of the Act on Strong Electronic Identification and Electronic Trust Services, maintaining the node is the responsibility of the Digital and Population Data Services Agency.

(12) One of the objectives of this Regulation is to remove existing barriers to the cross-border use of electronic identification means used in the Member States to authenticate, for at least public services. This Regulation does not aim to intervene with regard to electronic identity management systems and related infrastructures established in Member States. The aim of this Regulation is to ensure that for access to cross-border online services offered by Member States, secure electronic identification and authentication is possible.

(13) Member States should remain free to use or to introduce means for the purposes of electronic identification for accessing online services. They should also be able to decide whether to involve the private sector in the provision of those means. Member States should not be obliged to notify their electronic identification schemes to the Commission. The choice to notify the Commission of all, some or none of the electronic identification schemes used at national level to access at least public online services or specific services is up to Member States.

(15) The obligation to recognise electronic identification means should relate only to those means the identity assurance level of which corresponds to the level equal to or higher than the level required for the online service in question. In addition, that obligation should only apply when the public sector body in question uses the assurance level ‘substantial’ or ‘high’ in relation to accessing that service online. Member States should remain free, in accordance with Union law, to recognise electronic identification means having lower identity assurance levels.

(17) Member States should encourage the private sector to voluntarily use electronic identification means under a notified scheme for identification purposes when needed for online services or electronic transactions. The possibility to use such electronic identification means would enable the private sector to rely on electronic identification and authentication already largely used in many Member States at least for public services and to make it easier for businesses and citizens to access their online services across borders. In order to facilitate the use of such electronic identification means across borders by the private sector, the authentication possibility provided by any Member State should be available to private sector relying parties established outside of the territory of that Member State under the same conditions as applied to private sector relying parties established within that Member State. Consequently, with regard to private sector relying parties, the notifying Member State may define terms of access to the authentication means. Such terms of access may inform whether the authentication means related to the notified scheme is presently available to private sector relying parties.

eIDAS regulation

Article 6: Mutual recognition

1. When an electronic identification using an electronic identification means and authentication is required under national law or by administrative practice to access a service provided by a public sector body online in one Member State, the electronic identification means issued in another Member State shall be recognised in the first Member State for the purposes of cross-border authentication for that service online, provided that the following conditions are met:

Article 12: Cooperation and interoperability

1. The national electronic identification schemes notified pursuant to Article 9(1) shall be interoperable.
2. For the purposes of paragraph 1, an interoperability framework shall be established.
3. The interoperability framework shall meet the following criteria:
...
7. By 18 March 2015, the Commission shall, by means of implementing acts, establish the necessary procedural arrangements to facilitate the cooperation between the Member States referred to in paragraphs 5 and 6 with a view to fostering a high level of trust and security appropriate to the degree of risk.
8. By 18 September 2015, for the purpose of setting uniform conditions for the implementation of the requirement under paragraph 1, the Commission shall, subject to the criteria set out in paragraph 3 and taking into account the results of the cooperation between Member States, adopt implementing acts on the interoperability framework as set out in paragraph 4.

Commission Implementing Regulation (EU) 2015/1501

Article 5: Nodes

2. The nodes shall be able to distinguish between public sector bodies and other relying parties through technical means.

Article 8: Message format for the communication

The nodes shall use for syntax common message formats based on standards that have already been deployed more than once between Member States and proven to work in an operational environment. The syntax shall allow:

(c) distinction between public sector bodies and other relying parties;

How can an organisation start using eIDAS identification in an e-service?

Organisations using Suomi.fi e-Identification do not necessarily need to take any action to start using eIDAS identification. The new countries will be shown as identification options as they are added to Suomi.fi e-Identification.


Updated: 18/10/2024
