eidas Regulation (EU) 910/2014 eidas implementation State of Play

Similar documents
eidas Regulation (EU) 910/2014 and the Connecting Europe Facility Boosting trust & security in the Digital Single Market

European Commission s proposal for a Regulation on Electronic identification and trust services for electronic transactions in the EU internal market

eidas Regulation eid and assurance levels Outcome of eias study

FOR QTSPs BASED ON STANDARDS

eidas & e-delivery CE Midsummer Conference "The role of policy decisions in the postal & delivery industry", Copenhagen (DK), 12 June 2017

ETSI ESI and Signature Validation Services

ENISA s Position on the NIS Directive

eias Study on an electronic identification, authentication and signature policy SUPERVISION Presentation on status

New cybersecurity landscape in the EU Sławek Górniak 9. CA-Day, Berlin, 28th November 2017

ARTICLE 29 DATA PROTECTION WORKING PARTY

Cybersecurity. Quality. security LED-Modul. basis. Comments by the electrical industry on the EU Cybersecurity Act. manufacturer s declaration

Package of initiatives on Cybersecurity

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

eidas Workshop Return on Experience from Conformity Assessment Bodies - EY June 13, 2016 Contacts: Arvid Vermote

Technical guidelines implementing eidas

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

Comparison of Electronic Signature between Europe and Japan: Possibiltiy of Mutual Recognition

Cybersecurity & Digital Privacy in the Energy sector

Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the General Data Protection Regulation (2016/679)

CEN & ETSI standards & eidas Compliance

CHAPTER 13 ELECTRONIC COMMERCE

Electronic signature framework

Resilience, Deterrence and Defence: Building strong cybersecurity for the EU

ETNO Reflection Document on the EC Proposal for a Directive on Network and Information Security (NIS Directive)

DIGITIZING INDUSTRY, ICT STANDARDS TO

A comprehensive approach on personal data protection in the European Union

Directive on security of network and information systems (NIS): State of Play

Guidance for Requirements for qualified trust service providers: trustworthy systems and products

ILNAS/PSCQ/Pr004 Qualification of technical assessors

ehealth in Europe: at the convergence of technology, medicine, law and society

IAS2. Electronic signatures & electronic seals Up-dates - feedbacks from :

Sándor Szőke, Dr. Microsec Ltd. Migration of national PKI Services to eidas conformant Trust Services case study in Hungary

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

THE CONNECTING EUROPE FACILITY

INSPIRE relevant policy developments in the EU's digital economy initiatives

Toward Horizon 2020: INSPIRE, PSI and other EU policies on data sharing and standardization

EU Cloud Computing Policy. Luis C. Busquets Pérez 26 September 2017

Directive on Security of Network and Information Systems

EU EHEALTH INTEROPERABILITY,

Brussels, 19 May 2011 COUNCIL THE EUROPEAN UNION 10299/11 TELECOM 71 DATAPROTECT 55 JAI 332 PROCIV 66. NOTE From : COREPER

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

ACCREDITATION: A BRIEFING FOR GOVERNMENTS AND REGULATORS

SAT for eid [EIRA extension]

ETSI European CA DAY TRUST SERVICE PROVIDER (TSP) CONFORMITY ASSESSMENT FRAMEWORK. Presented by Nick Pope, ETSI STF 427 Leader

ENISA activities in ICT security certification Dr. Prokopios Drogkaris NIS Expert NLO Meeting Athens

eidas Regulation in the context of Cybersecurity: Electronic seals and website certificates: Two sides of a (gold) medal?

Security guidelines on the appropriate use of qualified electronic seals Guidance for users

COMMISSION STAFF WORKING DOCUMENT EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT. Accompanying the document

VdTÜV Statement on the Communication from the EU Commission A Digital Single Market Strategy for Europe

How the European Commission is supporting innovation in mobile health technologies Nordic Mobile Healthcare Technology Congress 2015

Discussion on MS contribution to the WP2018

European Union Agency for Network and Information Security

NIS Standardisation ENISA view

EUROPEAN ACCREDITATION LEGAL FRAMEWORK

EUROPEAN COMMISSION Enterprise Directorate-General

Interoperability and transparency The European context

ehealth action in the EU

eid building block Introduction to the Connecting Europe Facility DIGIT Directorate-General for Informatics

Cosmos POFESSIONALS OF SAFETY ENGINEERING

UPDATE ON CEN & ETSI STANDARDISATION ON SIGNATURES

Countdown to eidas. Date: 19/04/2016 Auteur: CTIE Révision: 1.0 Ref: EIDAS_CTIE_4 Page 1

Strong Customer Authentication and common and secure communication under PSD2. PSD2 in a nutshell

Security Aspects of Trust Services Providers

Call for Expressions of Interest

Response to Public Consultation on the Revision of the European Interoperability Framework. June 2016

CEF Telecom policy background. DG CONNECT, 12 September 2017

United4Health session Regulatory Framework Trends & Updates. Nicole Denjoy COCIR Secretary General Wed. 7 May 2014, Berlin (Germany)

Network and Information Security Directive

cybersecurity in Europe Rossella Mattioli Secure Infrastructures and Services

EUROPEAN COMMISSION DIRECTORATE GENERAL FOR INTERPRETATION

Security and resilience in Information Society: the European approach

Connecting public services across Europe: ambition and results so far

Summary. Strategy at EU Level: Digital Agenda for Europe (DAE) What; Why; How ehealth and Digital Agenda. What s next. Key actions

Privacy Code of Conduct on mhealth apps the role of soft-law in enhancing trust ehealth Week 2016

ENISA EU Threat Landscape

Harmonisation of Digital Markets in the EaP. Vassilis Kopanas European Commission, DG CONNECT

CONCLUSIONS OF THE WESTERN BALKANS DIGITAL SUMMIT APRIL, SKOPJE

Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679

RESOLUTION 47 (Rev. Buenos Aires, 2017)

Towards a European Cloud Computing Strategy

CERTIFICATE OF CONFORMITY. The certification body LSTI. declares BALTSTAMP HEADQUARTER : DARIAUS IR GIRENO STR. 40, LT VILNIUS - LITHUANIA

10007/16 MP/mj 1 DG D 2B

13967/16 MK/mj 1 DG D 2B

***I DRAFT REPORT. EN United in diversity EN. European Parliament 2017/0225(COD)

Borderless ehealth in support of healthy citizens in Europe

LIMITE EN COUNCIL OF THE EUROPEAN UNION. Brussels, 21 October /13 LIMITE CO EUR-PREP 37. NOTE General Secretariat of the Council

Commonwealth Cyber Declaration

CERTIFICATE OF CONFORMITY. The certification body LSTI. declares ALEAT HEADQUARTER : SH.P.K RRUGA: XHANFIZE KEKO - TIRANA-ALBANIA

Standardization mandate addressed to CEN, CENELEC and ETSI in the field of Information Society Standardization

15 November Introduction to Connecting Europe Facility. DIGIT Directorate-General for Informatics

Europe (DAE) for Telehealth

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

ehaction Joint Action to Support the ehealth Network

Sector Vision for the Future of Reference Standards

Joint ITU-UNIDO Forum on Sustainable Conformity Assessment for Asia-Pacific Region (Yangon City, Republic of Union of Myanmar November 2013)

Web-Accessibility as a human right

Cybersecurity Package

European Commission Directorate General Enterprise and Industry INSTITUTIONAL FRAMEWORK ON

ehealth EIF ehealth European Interoperability Framework European Commission ISA Work Programme

Transcription:

eidas Regulation (EU) 910/2014 eidas implementation State of Play CA-Day 19 September 2016 Elena Alampi DG CONNECT, European Commission elena.alampi@ec.europa.eu

eidas The Regulation in a nutshell 2 MAIN CHAPTERS SUBJECT TO DIFFERENT RULES AND REQUIREMENTS Chapter II: Mutual recognition of e-identification means Chapter III: Electronic trust services - Electronic signatures - Electronic seals - Time stamping - Electronic registered delivery service - Website authentication + Chapter IV: Electronic Documents 2

The eidas Regulation provides for eid & TS: 3

eidas Regulation: scope and main principles eidas Regulation eid Trust Services (edocuments) Notification of schemes Assurance levels low, substantial, high Closed list at EU level Nondiscrimination and legal value Nondiscrimination Mutual recognition Public sector Qualified and nonqualified Supervision conformity assessment Shall not be denied legal effect 4

Timeline 2014 2015 2016 2017 2018 2019 17.09.2014 Entry into force of the eidas Regulation 26.11.15 - eid DSI v.1 eidas compliant eid 29/09/2015 Voluntary cross-border recognition 29/09/2018 Mandatory crossborder recognition Trust services esignature Directive rules 1.07.2016 Date of application of eidas rules for trust services 5

The eidas Legal Framework Legal Act Reference Adoption date Entry into force eidas Regulation 910/2014 23.07.2014 17.09.2014 (1.07.2016 - application provisions on TS) ID on procedural arrangements for MS cooperation on eid (art. 12.7) 2015/296 24.02.2015 17.03.2015 eid IR on interoperability framework (art. 12.8) Corrigendum C(2015) 8550 of 4.02.2016 IR assurance levels for electronic identification means (art. 8.3) 2015/1501 8.09.2015 29.09.2015 2015/1502 8.09.2015 29.09.2015 Trust services ID on circumstances, formats and procedures of notification (art. 9.5) IR on EU Trust Mark for Qualified Trust Services (art.23.3) ID on technical specifications and formats relating to trusted lists (art. 22.5) ID on formats of advanced electronic signatures and seals (art. 27.5 & 37.5) ID on standards for the security assessment of qualified signature and seal creation devices (art. 30.3 & 39.2) 2015/1984 3.11.2015 5.11.2015 (notified to Ms) 2015/806 22.05.2015 12.06.2015 2015/1505 8.09.2015 29.09.2015 2015/1506 8.09.2015 29.09.2015 2016/650 25.04.2016 05.2016 6

COMMISSION IMPLEMENTING DECISION ON STANDARDS FOR THE CERTIFICATION OF QSCDS - (EU) 2016/650 Key principles eidas Certification of QSCDs: Common Criteria certification where protection profiles are available (smart cards) Lack of protection profiles for remote signature QSCDs (HSM) Alternative certification process When protection profiles are published by standardisation bodies: assessment of compliance with eidas by the Commission Revision of CID (upon comitology procedure) Ensures security and compliance to eidas of QSCDs Ensures timely access to the market of QSCDs building upon innovative technologies 7

COMMISSION IMPLEMENTING DECISION ON STANDARDS FOR THE CERTIFICATION OF QSCDS - (EU) 2016/650 Key elements Legal basis Article 30(3) and 39(2) of the eidas Regulation Mandatory standards for the certification of QSCDs where the creation data is held in an entirely but not necessarily exclusively user-managed environment: ISO/IEC 15408 and ISO/IEC 18045:2008 and EN 419 211 parts 1 to 6 Alternative process (article 30(3)(b) of the Regulation) for the certification of QSCDs where a QTSP manages the creation data on behalf of a signatory or of a creator of a seal 8

Principles applicable to secondary acts Adoption of secondary legislation for which no obligation for adoption is set in the eidas Regulation would take into account the following principles: Framework consistency Stakeholders / market needs Favouring a non-regulatory / co-regulatory approach first Developments under other Regulatory frameworks Availability and adequacy of standards & technical specifications 9

COMMISSION IMPLEMENTING DECISION ON TRUSTED LISTS - (EU) 2015/1505 Key principles eidas Trusted Lists: Has a constitutive effect for QTSP and QTS Ensure continuity with the existing TLs established under the Service Directive. Ensure legal certainty wrt QTS. Foster cross border recognition of qualified trust services by facilitating a.o. the validation of e-signatures and e-seals. Allow citizens, businesses and public administrations to easily verify nature and status of a trust service. 10

The EU Trust Mark for Qualified Trust Services CIR (EU) 2015/806 Frequently asked questions User manual Downloadable files ec.europa.eu/digital-single-market/trust-services-and-eid 11

eidas requirements with regard to CABs & CARs Art. 3.18 conformity assessment body means a body defined in point 13 of Article 2 of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a qualified trust service provider and the qualified trust services it provides; No specific requirements on accreditation basis for CABs (e.g. ISO/IEC 17065, 17021, 27006, etc.), provided Accreditation explicitly confirms the competence of accredited CABs to carry out audit of QTSPs/QTSs ( as defined in eidas Regulation) Art.20.1 [ ] The purpose of the audit shall be to confirm that the qualified trust service providers and the qualified trust services provided by them fulfil the requirements laid down in this Regulation. [ ] The conformity assessment scheme for which the competence of the CAB is accredited to audit QTSPs/QTSs must be such that it confirms the audited QTSP/QTS fulfil the requirements laid down in eidas The CAR resulting from a QTSP/QTS audit by a CAB accredited in accordance with eidas must confirm QTSP/QTS fulfil the requirements laid down in eidas (and not one or more specific standards only ) 12

Source: "Trusted Lists" 13.09.2016 (O.Delos Sealed)

Where does eidas have an impact? UMM&DS - Uniform User Management and Digital Signatures ehgi - ehealth Governance Initiative ECI - European Citizens' Initiative ESSN - European Social Security Number SUP - Directive on single-member private limited liability companies PSD2 Revised Directive on Payment Services AML4-4th Anti-Money Laundering Directive 14

Promoting eidas Regulatory fitness in other sector specific legislations Better Regulation Toolbox (Tool 23: ICT assessment, the digital economy and society) explicit reference to eidas Close bilateral cooperation with other DGs on specific regulatory initiatives Examples relevant to banking and financial sectors: Cooperation with JUST on supporting the transposition of the AMLD4 Directive at national level, as well as on the recent proposal to amend AMLD4 (of 5/7/16), in order to ensure consistency with eidas. with FISMA and the European Banking Authority (EBA) on the role of notified eid and trust services to meet the requirements under the PSD2: Green paper (of 10/12/15) on retail financial services and related public consultation - eidas featured with respect to the cross border benefits of e- signature and eid. EBA discussion paper (of 8/12/15) on strong customer authentication and secure communication under PSD2 - eidas is presented as a possible solution EBA Consultation Paper (of 12/8/16) on draft regulatory technical standards on strong customer authentication and common and secure communication 15

EBA Consultation Paper Draft regulatory technical standards on strong customer authentication and common and secure communication Article 20 Identification 1. For the purpose of identification, payment service providers shall rely on Qualified certificates for website authentication as per article 3(39) of Regulation (EU) No 910/2014. 2. For the purpose of this Regulation, the registration number as stated in the official records according to in Annex IV (C) of Regulation (EU) No 910/2014 shall be the authorization number of the account servicing payment service provider or the payment service provider issuing card-based payment instruments, and the account information service providers and payment initiation service providers available in the public register of the home Member State defined in Article 14 of Directive (EU) 2015/2366. 16

EBA Consultation Paper Identification between AISP/PISP/ASPS Option 1 website certificates issued by a qualified trust service provider under an eidas policy Option 2 website certificates issued by a general Certificate Authority Option 3 bilaterally agreed certificates (discarded) With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-idas policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services? 17

EU e-government Action Plan 2016-2020. Accelerating the digital transformation of government (COM(2016) 179 final) Underlying principles: Digital Once Inclusiveness Openness Cross-border Interoperability Trustworthiness by only and and by by and Default principle accessibility transparency default default Security References to eidas: Policy priority 1 ("Modernise public administration with ICT, using key digital enablers") - actions: "Further efforts by all administrations are needed to accelerate the take up of electronic identification and trust services for electronic transactions in the internal market [...] actions to accelerate cross-border and cross-sector use of eid (including mobile ID) in digitally enabled sectors (such as banking, finance, ecommerce and sharing economy) and in the public sector namely on the European e-justice Portal. The Commission will also explore the need to facilitate the usage of remote identification and secure authentication in the retail financial services" "The Commission will gradually introduce the 'digital by default' principle when interacting online with external stakeholders, using eidas services (in 2018), einvoicing (in 2018) and eprocurement (in 2019)." 18

Communication on Priorities of ICT Standardisation for the Digital Single Market (COM(2016) 176 final) Sets a comprehensive strategic and political approach to standardisation for 5 priority ICT areas: 5G communications, cloud computing, the internet of things (IoT), (big) data technologies and cybersecurity. Action in the area of Cybersecurity (section 3.1.4): "The Commission will: Invite ESOs and other SDOs and relevant stakeholders to develop standards by the end of 2018 that support global interoperability and seamless trustworthy authentication across objects, devices and natural and legal persons based on comparable trust models. This work should be based on technical standards aligned with the eidas regulatory framework." 19

Online Platforms and the Digital Single Market Opportunities and Challenges for Europe (COM(2016)288) Reference to eidas: IMPLEMENTING MAIN PRINCIPLES FOR PLATFORM DEVELOPMENT IN THE EU: iii) Fostering trust, transparency and ensuring fairness "In order to empower consumers and to safeguard principles of competition, consumer protection and data protection, the Commission will further promote interoperability actions, including through issuing principles and guidance on eid interoperability at the latest by 2017. The aim will be to encourage online platforms to recognise other eid means in particular those notified under the eidas Regulation that offer the same reassurance as their own". 20

Stakeholder engagement - eidas Observatory Purpose Help facilitate the use of cross-border electronic identification and trust services Foster transparency and accountability by identifying market hurdles and good practices, promoting knowledge-sharing and developing initiatives for innovation Contribute to the enhancement of trust and security of digital transactions thus to the building of the Digital Single Market Act as a virtual network of stakeholders to exchange ideas and good practices as well as recommend actions and initiatives to ease the uptake of eid and trust services Launch Officially launched by VP Ansip during the event "A new leap in the eidas journey: new trust services for a Digital Single Market" on 30 June 2016 21

For further information and feedback Web page on eidas http://ec.europa.eu/digital-agenda/en/trust-services-and-eid eidas Observatory https://ec.europa.eu/futurium/en/eidas-observatory Text of eidas Regulation in all languages http://europa.eu/!ux73kg Connecting Europe Facility Catalogue of Building Blocks https://ec.europa.eu/cefdigital eidas twitter account @EU_eIDAS 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback