The European Union Agency for Cybersecurity issues technical guidance and recommendations on Electronic Identification and Trust Services helping Member States to implement the eIDAS regulation.
The European Union Agency for Cybersecurity (ENISA) completed a package of five reports in order to boost the implementation of the eIDAS regulation and promote the uptake of Electronic Identification and Trust Services. This work falls under the scope of the EU Cybersecurity strategy for the Digital Decade.
ENISA has been in the forefront of the developments on eIDAS since 2013 and with the Cybersecurity Act, established in 2019, the Agency has an extended mandate to support and assist the European Commission and the Member States in the area of electronic identification.
In this challenging period, the “EU digital ID scheme for online transactions across Europe” initiative will drive the revision of the eIDAS and will promote digital identities for all Europeans. ENISA in order to support the Commission has undertaken activities to explore the security considerations for trust service providers and remote identity proofing.
Four of the reports on trust services form an update of ENISA’s guidelines for qualified trust service providers. They represent a voluntary toolset designed to help those trust service providers comply with eIDAS. Specifically, they include:
- technical guidance on the security framework for Qualified Trust Service Providers (QTSP) and for the non-Qualified ones;
- security recommendations for Qualified Trust Service Providers based on Standards;
- guidelines on Conformity Assessment of Trust Service Providers.
A fifth report includes an analysis of the methods used to carry out identity proofing remotely and exploring security considerations. Remote identification allows customers to have their identification information collected and validated without the need for physical presence to the premises of the operator. This has become crucial during the COVID-19 pandemic as it allows access to cross-border online services offered by Member States.
Technical Guidelines on Trust Services
ENISA issued the reports in order to update existing recommendations and guidelines issued in 2017 for qualified trust services. The purpose of these reports is therefore to focus on the requirements set by the eIDAS regulation and the emergence of new standards and new TSP services.
The new guidelines are presented in four different reports according to the following topics:
- trust service providers (qualified or not) looking for guidance on how to meet the requirements of the eIDAS Regulation;
- service providers seeking to clarify whether they qualify as a trust service provider according to the provisions under the eIDAS regulation;
- relying parties seeking to evaluate to what extent their trust service provider complies with the eIDAS requirements.
As a result, the set of recommendations include:
- Security Framework for Qualified Trust Service Providers and for Non-Qualified Trust Service Providers. These guidelines consider the greater potential variety encountered in non-qualified trust service providers;
- Security Recommendations for Qualified Trust Service Providers based on Standards, and Guidelines on Conformity Assessment of Trust Service Providers.
These guidelines have been consulted with and validated by experts in the eIDAS field from various sectors.