The European Parliament and the European Council adopted, on 23 July 2014, the Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation).
The adoption of this regulation followed the relative lack of success of Directive 1999/93/EC on electronic signature. Several differences in the implementation of this Directive, as well as technical choices made by Member States, prevented the emergence of the common ground of interoperability that is necessary for the development of cross-border interactions. The Commission stressed this on two occasions in 2010, which led the European Council to invite the Commission to create a digital single market by 2015.
In June 2012, the Commission initiated work aimed at encouraging digital commerce in the Union, with the purpose of adopting a regulation that would apply directly in Member States, without implementation in their domestic law. More than two years of discussions were necessary to reach the final text of the regulation.
The eIDAS Regulation was published in the Official Journal of the European Union (OJ) on 28 August 2014, and it entered into force on 17 September 2014.
The majority of the provisions of the eIDAS Regulation became applicable on 1 July 2016. Mutual recognition of electronic identification means has been mandatory since 29 September 2018.
The eIDAS Regulation applies to electronic identification, trust services and electronic documents, expanding the scope of Directive 1999/93/EC on electronic signature which it repeals. It aims at establishing an interoperability framework for the different systems implemented in Member States in order to promote the development of a digital trust market.
The Regulation sets out requirements relating to the mutual recognition of electronic identification means as well as electronic signatures, for transactions between public authorities and private users. It excludes internal transactions of administrations that do not have a direct impact on third parties, as well as private deeds.
The eIDAS Regulation is essentially dedicated to electronic identification and trust services. It also deals, to a lesser extent, with electronic documents by granting them legal effect.
The involvement of ANSSI in the implementation of the regulation is two-fold: as the entity in charge of assessing security for the “electronic identification” part and as the supervisory body for the “trust services” part.
Purpose and principles of the “electronic identification” chapter of the regulation.
The eIDAS Regulation aims at establishing a mechanism for the mutual recognition of the identification means of Member States on all online services of other Member States.
In order to benefit from this mutual recognition, an identification means must:
Requirements applicable to the different assurance levels provided in the regulation are detailed in the Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015. These levels are granted according to compliance with specifications, standards and minimum procedures. Three assurance levels are provided in the regulation:
Mutual recognition of electronic identification means became mandatory on 29 September 2018.
Competent national bodies
Moreover, the eIDAS Cooperation Network was established by the Commission Implementing Decision (EU) 2015/296 and provides notices following the peer review process on electronic identification schemes notified by Member States. The notices are public and available via this link:
Purpose and principles of the “trust services” chapter of the regulation.
The eIDAS Regulation also aims at establishing a legal framework for the use of trust services. It provides for requirements for trust services relating to electronic signature, electronic seal, electronic time stamp, electronic registered delivery and website authentication.
The Regulation draws a distinction between qualified trust services and non-qualified trust services. Qualified trust services fulfil particular requirements and can benefit from specific legal effects. Qualified trust services are provided by qualified trust service providers.
Qualified trust service providers are subject to regular audits by conformity assessment bodies, accredited in accordance with the Regulation 765/2008 of 9 July 2008. The eIDAS Regulation has applied since 1 July 2016 for trust services.
The list of products and services qualified by ANSSI is accessible under the tab “French trusted list”.
Qualified trust services provided in the regulation
Qualified trust services provided in the eIDAS Regulation are the following:
The creation of a qualified “remote” electronic signature (or “server signing”) is not considered as a qualified trust service under the regulation.
Qualified products for electronic signature or electronic seal
The regulation specifies that qualified electronic signatures and qualified electronic seals are respectively created by means of:
In each Member State, the conformity of these products with the requirements of the regulation is certified by a certification body designated at the European Commission.
The regulation provides that, in certain cases, the creation of a signature or seal can be delegated to a trust service provider which ensures, for the signatory or the legitimate creator of a seal, the generation or the management of the signature or seal creation data. In this case, this trust service provider must be a qualified trust service provider for one of the qualified trust services cited above.
Competent national bodies
In France, the role of supervisory body for trust services is ensured by ANSSI. As such, it:
In addition, ANSSI fulfils two other roles provided in the regulation:
Regarding its technical aspects, the eIDAS Regulation refers to implementing acts (listed in “Documentary database related to the eIDAS Regulation”).
As part of Mandate M/460, which is an initiative of the European Commission aiming at providing a coordinated response on the subject of the deployment of a digital European single market, the ETSI (European Telecommunications Standards Institute) and the CEN (European Committee for Standardization) have been designated to create standards relating to the trust services provided by eIDAS.
Some of these standards have already been published, others are still under development. When necessary, implementing acts refer directly to some existing standards (especially the ETSI standards regarding signature profiles and trusted lists).
Furthermore, the competent bodies in Member States can specify the technical modalities for ensuring compliance with the regulation, with regard to electronic identification means and qualified trust services.
Documents published by ANSSI, specifying the technical modalities for electronic identification means notified by France as well as qualified trust service providers in France, are available in the dedicated section.
The General Security Baseline remains fully applicable to exchanges between administrative bodies.
The General Security Baseline also applies to exchanges between administrative bodies and users, with an exception relating to the obligation of the mutual recognition of electronic identification means and of electronic signatures and seals provided in the eIDAS Regulation.
Further information on how the General Security Baseline relates to the eIDAS Regulation is available in the FAQ.
For any question relating to a set of requirements published by ANSSI, the point of contact is the one indicated in the respective document.
Preliminary questions relating to a conformity certification or qualification application shall be addressed to the Industrial Policy and Assistance Unit of ANSSI.
Questions relating to a conformity certification or qualification shall be addressed to the IA Products and Services Approval Unit of ANSSI.
Email addresses of these points of contact are available in the FAQ.