An important part of eIDAS is to regulate electronic signatures and ensure safe transactions online. By providing qualified electronic signatures, Trust Service Providers give both signatory and recipient a higher level of convenience and security. Use this guide to understand and navigate the regulation's goals and benefits.
2. Topics Covered
• Overview of eIDAS
• eIDAS Electronic Trust Services and types of digital signature
• Becoming a Qualified Trust Service Provider
• Meeting eIDAS use cases with Gemalto solutions
Security, convenience & mobility
4. What is eIDAS?
The Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS) is a European regulation aimed at creating a framework for cross-border electronic identification and transactions across EU member countries.
Source: The Authentication and Identity Management Index
Complying with eIDAS
5. What are the goals of eIDAS?
• Open up access to public services and ensure secure online transactions across borders of EU member countries
• Improve security and convenience when doing business online
• Encourage digital transaction growth and dematerialization
• Enable cross-border trust
6. Primary Regulations of eIDAS
Interoperability of Government Issued ID: EU Member States are required to mutually recognize each other's electronic identification (eID) systems when accessing online services.
Single Digital Market: Electronic Trust Services (eTS), including electronic signatures, electronic seals, time stamps, electronic registered delivery service and website authentication, will work across borders and will have the same legal status as paper-based processes.
7. eIDAS Timeline
• September 2014 - Entry into force of the Regulation
• September 2015 - Voluntary recognition of eIDs*
• 1st July 2016 - eIDAS Regulation replaces eSignature Directive**
• September 2018 - Mandatory cross-border recognition of eIDs

* Adoption of 6 implementing acts on:
• MS cooperation
• Interoperability framework
• eID levels of assurance
• Formats of advanced electronic signatures & seals
• Technical specifications of the national trusted lists
• EU Trust mark

** Certificates issued to natural persons under the eSignature Directive remain valid until expiry, and Certification Service Providers are allowed a 1-year time frame to submit a conformity assessment report and as a consequence are considered qualified Trust Service Providers under the new eIDAS regulation.
9. Electronic Trusted Services (eTS) Benefits
• Improved customer experience
• Increased trust and confidence
• Efficiency: faster processes
• New business opportunities with cross-border reach
• Efficiency: paperless and error reduction
• Facilitate regulatory compliance
10. Types of Electronic Trusted Services (eTS)
1. Electronic Seals: Issued to and used by legal persons to ensure origin and integrity of data/docs. NOT an eSignature of the legal person.
2. Time Stamps: The date and time on an electronic document which proves that the document existed at a point in time and that it has not changed since then.
3. Electronic Documents: Storage and transfer of documents online. eIDAS sets the principle of non-discrimination of the legal effects and admissibility of electronic documents in legal proceedings.
4. eID: The process of determining a person's or entity's identity by using electronic means.
5. Electronic Delivery: Infrastructure for the transfer of documents (or data) between two entities or systems electronically.
6. Electronic Signature: The electronic equivalent of a handwritten signature.
7. Website Authentication: Trusted information on a website (e.g. a certificate) which allows users to verify the authenticity of the website and its link to the entity or person behind the website.
11. Types of Electronic Signature Defined by eIDAS
Standard Electronic Signatures
• Basic signatures in electronic form
• eSignatures are recognized legally and can't be denied legal acceptance just because they are digital.
Advanced Electronic Signatures (AdES)
• Require a higher level of security, typically met with certificate-based digital IDs, including:
  • unique identifying info that links to the signatory
  • signatory has sole control of the data used to create the signature
  • capable of identifying if data has been tampered with
Qualified Electronic Signatures (QES)
• Based on qualified certificates that can only be issued by CAs accredited and supervised by EU designated authorities
• Qualified certificates must also be stored on a qualified signature creation device (QSCD), such as a USB token, smart card or HSM
• In order to provide qualified eSignature services, a trust service provider must be granted qualified status
12. eIDAS Electronic Signature Use Cases
Local Signing Use Cases
The user's keys are held on a Qualified Signature Creation Device (QSCD) in the form of an eIDAS-compliant smart card or USB token. The user signs locally with the smart card or USB token. eIDAS specifies that the smart card or USB token used as the QSCD in local signing use cases has to be Common Criteria certified.
Remote Use Cases
The user's keys are held securely inside a Hardware Security Module (HSM) attached to a signing server. The signer's key is generated remotely and held securely on a trusted server. The eIDAS regulation does NOT specify any standards relating to the HSM used in remote server signing.
14. Qualified Trust Service Provider
What is a Qualified trust service provider?
Qualified trust service providers render services which ensure a higher level of security. They comply with specific requirements as laid down in the Regulation and are subject to an enhanced supervision mechanism.
15. Benefits of Becoming a Qualified Trust Service Provider
• Only qualified trust service providers are part of the EU's Trust List, which contains the providers and services that are given qualified status. If an entity is not on that list, it is not permitted to provide qualified trust services.
• Because of the stringent process to become a qualified trust service provider, the trust services they provide have higher legal certainty and higher security of electronic transactions than non-qualified trust services.
• Only qualified trust service providers may use the Trust Mark to advertise or market their services.
• Only qualified trust service providers have a standard level of security in Europe and comply with the requirements defined in the eIDAS Regulation.
16. How to Become a Qualified Trust Service Provider (TSP)
1) Assessment: The business needs to get an assessment report issued by an accredited conformity assessment body. This assessment will verify that the business and the services it provides meet the requirements to be qualified.
2) Approval: The Trust Service Provider sends the report with a letter of intent to the national supervisory body in the member state where the business is located. The supervisory body has three weeks to determine if the report proves compliance.
3) Trust List: If qualified status is granted, the Trust Service Provider, together with the qualified trust services it provides, is added to the Trusted List. These Lists are established, published and maintained by the Member States.
4) Trust Mark: After the Trust Service Provider is deemed Qualified, the Trust Mark is provided and clearly differentiates them from other trust services.
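A relying party only gets the legal benefit of a qualified signature if the issuing CA actually appears on a Member State Trusted List with granted status. The check below is an added example (not code from Gemalto or from this deck) that walks a trusted list and accepts an issuer only when its certificate is listed as a qualified CA service in "granted" status; the element names and status/type URIs are assumed from the ETSI TS 119 612 trusted-list format, and the list itself is a constructed sample with placeholder certificate bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespace and status/type URIs as defined in ETSI TS 119 612, the trusted-list
# format the eIDAS implementing acts reference (assumed here; check the standard).
NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
QC_CA_TYPE = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"

# Constructed sample: one qualified CA granted, one withdrawn; certs are base64 of b"ABC"/b"DEF".
SAMPLE_TL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
 <TrustServiceProviderList><TrustServiceProvider>
  <TSPInformation><TSPName><Name>Example QTSP</Name></TSPName></TSPInformation>
  <TSPServices>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name>Example Qualified CA</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509Certificate>QUJD</X509Certificate></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
   </ServiceInformation></TSPService>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name>Retired CA</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509Certificate>REVG</X509Certificate></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
   </ServiceInformation></TSPService>
  </TSPServices>
 </TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""

def qualified_ca_fingerprints(tl_xml: str) -> dict:
    """SHA-256 hex of each DER cert of a CA/QC service in 'granted' status -> (TSP, service)."""
    root = ET.fromstring(tl_xml)
    result = {}
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        tsp_name = tsp.findtext(".//tsl:TSPName/tsl:Name", default="?", namespaces=NS)
        for svc in tsp.iterfind(".//tsl:ServiceInformation", NS):
            if svc.findtext("tsl:ServiceTypeIdentifier", namespaces=NS) != QC_CA_TYPE:
                continue  # time-stamp or non-qualified CA services are skipped
            if svc.findtext("tsl:ServiceStatus", namespaces=NS) != STATUS_GRANTED:
                continue  # withdrawn or suspended services do not confer qualified status
            svc_name = svc.findtext("tsl:ServiceName/tsl:Name", default="?", namespaces=NS)
            for cert in svc.iterfind(".//tsl:X509Certificate", NS):
                der = base64.b64decode(cert.text.strip())
                result[hashlib.sha256(der).hexdigest()] = (tsp_name, svc_name)
    return result

def is_qualified_issuer(tl_xml: str, issuer_cert_der: bytes) -> bool:
    return hashlib.sha256(issuer_cert_der).hexdigest() in qualified_ca_fingerprints(tl_xml)
```

In production the list's own XML signature and NextUpdate date must be validated before its contents are trusted, and the issuer certificate would come from the signature's certificate chain rather than a placeholder.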
17. Electronic Trust Services Use Cases
eHealth, eTax Filing, eBanking, eProcurement, Contracts, eEducation
The eIDAS single digital market will create an abundance of opportunities for qualified Trust Service Providers who can attract customers looking for the highest-security channel available to conduct their business.
• eEducation: eIDAS simplifies access to public administrations, allowing students to complete foreign college applications without submitting them in person. The student uses an eID to authenticate, uses a digital signature to securely sign the application, and the record is preserved digitally.
• eProcurement: With eIDAS, a cross-border call for tenders is easier, allowing businesses to easily and securely respond to the request with a digital submission that includes electronic registered delivery, a time stamp to prove it was submitted on time, and an eSignature to formalize it.
• eTax: A citizen who moves from one EU country to another can easily file the previous year's taxes without traveling. An eID is used to authenticate and a digital signature securely files the taxes.
19. Gemalto Solutions for eIDAS Electronic Signature Use Cases
Local Use Cases
The eIDAS regulation requires CC certified smart cards for local or client-side digital signing use cases. Gemalto meets the requirements of the local signing use case with the IDPrime smart card family.
Remote Use Cases
The eIDAS regulation does NOT specify any standards relating to the HSM used in remote server signing, and it is up to individual countries to determine which certification is required. As such, suitability of Gemalto HSMs for use in remote signing use cases will depend on a per-country decision based on local legislation. For example, Poland is proposing using our HSMs as an SSCD.
20. Gemalto Compliant PKI Smart Cards for Local Signing Use Cases
IDPrime MD 840 and 3840 are PKI-based smart cards that address a wide range of use cases requiring PKI security, including secure access, email encryption, secure data storage, and digital signature. Both cards are Common Criteria certified and have the following features:
• CC EAL5+ / PP Java Card certified for the Java platform and CC EAL5+ / PP QSCD certified for the combination of Java platform plus PKI applet. The CC EAL5+ / PP QSCD certification is based on the Protection Profiles EN 419211 parts 1 to 6, as mandated by eIDAS regulations
• Enhanced cryptographic support with both RSA and elliptic curves
IDPrime MD 840: contact smart card
IDPrime MD 3840: contactless smart card
21. Common Criteria
eIDAS and CC
CC certification is a pre-requisite for qualified digital signatures under the eIDAS regulation.
What is Common Criteria (CC)?
An international set of guidelines and specifications for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments.
Key components of CC
Protection Profiles and Evaluation Assurance Levels
Gemalto products
IDPrime MD 840 and IDPrime MD 3840 are both CC EAL5+ / PP Java Card certified for the Java platform and CC EAL5+ / PP QSCD certified for the combination of Java platform plus PKI applet. The CC EAL5+ / PP QSCD certification is based on the Protection Profiles EN 419211 parts 1 to 6, as mandated by eIDAS regulations.