Interview with Raido Aarop, eID expert at Proud Engineers, on the European Union’s eIDAS regulation and the opportunities it offers for cooperation with third countries
In 2014, the European Union (EU) adopted a regulation to establish a single market for electronic identification and trust services across its Member States. Known as eIDAS, it was the first regulation of its kind in the world. eIDAS regulates the legal effect of electronic identification and signatures across the 27 Member States, making it the most comprehensive and most widely used framework of its kind, and so it offers many opportunities for third countries outside the European Union to draw inspiration from it and adopt similar security standards.
Raido Aarop, an expert working with Proud Engineers – an Estonian company that offers digital transformation expertise – explains in this interview the main elements of eIDAS and identifies potential areas for Africa-Europe cooperation in the digital signature field.
Proud Engineers experts support the African Union-European Union (AU-EU) Digital for Development (D4D) Hub’s technical assistance activities on digital signature as part of the Estonian ICT Cluster.
Photo: Raido Aarop, eID expert. Credit: Proud Engineers.
Q: Can you please begin by explaining what a digital signature is and what it is used for?
RA: To understand what a digital signature is, we need to think about a paper signature first. When it was invented, it used to be a unique, unmistakable mark that confirmed to all the other people in your village that something was done by you, usually a kind of contract or proclamation. But villages grew into towns and towns into today’s megacities. Statistically speaking, it is highly unlikely that your signature is still unique. And even if it was, the other 8 billion people in the world do not know you or your signature, so it does not really serve as proof of anything. In fact, physical signatures can be copied incredibly easily; signature-based identity fraud is rampant. Then, take popular figures like former German Chancellor Merkel, whose signature is even available on her Wikipedia page.
The answer to the ever-accelerating and globalising world is digital signatures. In Estonia, a digital signature is legally equivalent to a paper signature and has been so for over 20 years. Effectively, it is like a big digital stamp that renders one or several digital files (think documents, images, or videos) immutable and confirms that this particular person with their digital identity agrees with the contents of these files. It really is like a paper signature – just better.
In an ideal world, there may be a single ecosystem of digital signatures one day, but right now the sector is very fragmented, with government and private sector digital signatures competing. Most of them are not compatible with one another, which is something we absolutely need to address. To draw a comparison, imagine if you had to pay three Euros or Dollars for a signature with your pen, and then you could not be 100% sure that the other contracting party can sign with their own pen. It is ludicrous. But that is the situation we find ourselves in. Thankfully, there are many initiatives that are beginning to tidy up this mess – if not worldwide, then at least in the European Union.
Now, before we continue with the interview, I just want to clarify that I am using the terms electronic signature and digital signature interchangeably. Digital signature is a common term used worldwide. Electronic signature is a legal term used in the eIDAS regulation and is widely used inside the European Union ecosystem.
Q: Now that you have mentioned eIDAS, can you explain what this regulation is about?
RA: The European Union Regulation No 910/2014, better known as eIDAS, regulates electronic identification and trust services for electronic transactions in the EU internal market. The regulation was introduced in 2014 with the aim of creating an EU-wide electronic identity and signature ecosystem, something close to what I previously described. A new version of eIDAS is currently being drafted and should be introduced next year.
eIDAS regulates the operation of an EU trust list. A trust list is a technical list that contains all the trust service providers in the EU that are issuing certificates (or other services) and fall under supervision. The trust list is consulted every time a signature is validated to assert that the signature was created using a trusted certificate that was issued by a trusted service provider.
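As an added illustration of the validation step just described (example code written for this page, not software from Proud Engineers, the EU or any trust list tooling): a Go program that stands up a constructed trust list holding one trust service provider, issues signer certificates, and validates signatures against the list using Go's standard-library x509 chain verification in place of the real EU trust list lookup. The signature container (signer certificate plus raw ECDSA signature), the provider and signer names, the document text, and the mustCert, Sign, Validate and Scenario functions are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signature is what a signature container hands to a verifier (hypothetical minimal form;
// real eIDAS formats such as XAdES/PAdES also carry timestamps and revocation data).
type Signature struct {
	Signer *x509.Certificate
	Sig    []byte
}

// mustCert generates a P-256 key and a certificate for it: self-signed when isCA (a provider
// root), otherwise issued by parent/parentKey. It panics on failure; it only builds example data.
func mustCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed; a real CA tracks serials
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Sign produces an ASN.1-encoded ECDSA signature over the SHA-256 digest of doc.
func Sign(doc []byte, signer *x509.Certificate, key *ecdsa.PrivateKey) (Signature, error) {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return Signature{Signer: signer, Sig: sig}, err
}

// Validate performs the two checks the interview describes: the signer's certificate must
// chain to a provider on the trust list, and the signature must match the document.
func Validate(doc []byte, s Signature, trustList *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: trustList, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := s.Signer.Verify(opts); err != nil {
		return fmt.Errorf("signer certificate does not chain to a trust-listed provider: %w", err)
	}
	if err := s.Signer.CheckSignature(x509.ECDSAWithSHA256, doc, s.Sig); err != nil {
		return fmt.Errorf("signature does not match the document: %w", err)
	}
	return nil
}

// Scenario builds a constructed trust list holding one provider and reports whether a genuine
// signature is accepted, a signature under an unlisted CA is rejected, and a tampered document is rejected.
func Scenario() (validAccepted, untrustedRejected, tamperedRejected bool, err error) {
	listed, listedKey := mustCert("Listed Trust Service Provider", true, nil, nil)
	unlisted, unlistedKey := mustCert("Unlisted CA", true, nil, nil)
	alice, aliceKey := mustCert("Alice", false, listed, listedKey)
	mallory, malloryKey := mustCert("Mallory", false, unlisted, unlistedKey)
	trustList := x509.NewCertPool() // stands in for the EU trust list
	trustList.AddCert(listed)

	doc := []byte("Constructed sample contract: Alice sells her bicycle for 100 EUR.")
	sigAlice, errA := Sign(doc, alice, aliceKey)
	sigMallory, errM := Sign(doc, mallory, malloryKey)
	if errA != nil || errM != nil {
		return false, false, false, fmt.Errorf("signing failed: %v / %v", errA, errM)
	}
	validAccepted = Validate(doc, sigAlice, trustList) == nil
	// Mallory's signature is cryptographically sound; only the trust-list check can reject it.
	untrustedRejected = Validate(doc, sigMallory, trustList) != nil
	tamperedRejected = Validate([]byte("Constructed sample contract: Alice sells her bicycle for 1 EUR."), sigAlice, trustList) != nil
	return validAccepted, untrustedRejected, tamperedRejected, nil
}

func main() {
	fmt.Println(Scenario()) // true true true <nil>
}
```

The unlisted-CA case is the one the trust list exists for: Mallory's signature verifies perfectly against Mallory's own certificate, and only the check that the issuing provider appears on the list rejects it. A real validator additionally checks revocation status, the signing time against the certificate's validity, and whether the provider's entry on the EU trust list marks the service as qualified, none of which this example models.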
Q: What are the kinds of electronic signature that exist under eIDAS?
RA: Two types of electronic signatures are defined in the regulation: (1) qualified electronic signatures and (2) advanced electronic signatures. All electronic signatures regulated in eIDAS are defined as advanced electronic signatures. A subset of those signatures is more strictly regulated and is defined as qualified signatures.
The signatures are regulated in terms of:
- legal effect;
- requirements for signature formats;
- requirements for signature creation devices; and
- requirements for creation and validation of signatures.
In addition, eIDAS regulates electronic certificates that are needed for creation of signatures, namely:
- provisioning of electronic certificates;
- requirements for services of provisioning certificates (trust services);
- supervision of services of provisioning certificates (trust services).
Advanced electronic signatures are regulated more loosely and leave a lot open to be regulated by the EU Member States. On the other hand, qualified electronic signatures are regulated more strictly because they are legally equal to a handwritten signature. In addition, eIDAS makes it compulsory for all EU Member States to accept qualified electronic signatures.
Q: What is a mutual recognition agreement (MRA) under the eIDAS regulation and what does this mean for third countries (outside the EU)?
RA: Article 14 of eIDAS regulates the recognition of qualified electronic signatures between the EU and a third country. Currently, the only option to have mutual recognition of qualified signatures is through an agreement concluded between the EU and the third country in accordance with Article 218 of the Treaty on the Functioning of the European Union (TFEU). I will not go into the details, but this means such an agreement would need to be approved by the 27 Member States of the European Union.
In practice, this is very difficult to achieve. This is why the next version of eIDAS that I just talked about will regulate additional options for third countries to interact with the EU’s digital signature ecosystem.
That said, there are some “intermediate” steps that do not require signing an MRA – which I will try to explain without being too technical.
A third country’s signature solution can be recognised as an advanced signature under eIDAS. The European Commission has created a trust list for advanced signatures from third countries’ trust services and prepared the tools needed for validating the signatures. In order to be added to the trust list, an official request should be made to the European Commission. The trust list provides a tool for validating the signatures, but the legal effect and the trustworthiness of a signature still must be agreed separately between interested parties.
Q: What are the opportunities for African countries to comply with European standards on digital signature?
RA: There are many benefits for third countries to align with European standards on digital signature.
To start with, the European Union has invested in literally hundreds of legal, architectural, cryptological and policy experts who have thought hard about how to create solutions that are both user-friendly and secure. The result is very high standards.
Beyond this, meeting European standards could bring you much closer to a market of 450 million people. Imagine if you were an Armenian bank, and suddenly you could cater to European citizens because they can use their own eID and digital signature combo to log into online banking and confirm transactions seamlessly. Or what if you were an Egyptian entrepreneur looking to build a consortium with an Estonian business – no more paperwork, no more headaches. Entire industries would be not just streamlined, but most importantly simplified for end-users.
Q: What should be the first step for an African country seeking to cooperate with European partners to meet eIDAS standards?
RA: The first step would be to make yourselves familiar with the “Pilot for the International Compatibility of Trust Services” programme by the European Commission, especially the “MRA Cookbook”.
Then, you should perform a (self) assessment of the legal and technical framework in the country and identify the gaps and understand the effort that is required. You should then prepare the required documentation and submit a formal request to the European Commission.
Projects like the AU-EU D4D Hub can provide technical assistance to guide African institutions through this process.