More secure transactions on the Internet

Regulation (EU) No 910/2014: on electronic identification and trust services for electronic transactions in the internal market

The Electronic Identification and Trust Services (eIDAS) Regulation creates a new system for secure electronic interactions across the EU between businesses, citizens and public authorities.

It aims to improve trust in EU-wide electronic transactions and to increase the effectiveness of public and private online services and e-commerce. It applies to:
electronic identification (eID)* schemes notified to the European Commission by EU countries;
trust service providers based in the EU.

It removes existing barriers to the use of eID in the EU. For instance, it would now be straightforward for a Portuguese firm to tender for a public service contract in Sweden, while EU funding grants can be managed wholly online.

It applies from 17 September 2014.

Electronic identification

eID issued in one EU country must be recognised in all others. This applies only if the eID meets the regulation’s requirements and has been notified to the Commission and published in a list. Mutual recognition of eIDs will be mandatory from 28 September 2018 and will facilitate secure electronic transactions across the EU.

An eID scheme must specify one of three levels of assurance (low, substantial and high) for the form of electronic identification issued under that scheme. Mutual recognition is mandatory only when the relevant public sector body uses the ‘substantial’ or ‘high’ levels for accessing that service online.

Notification

When notifying the Commission of eID schemes, EU countries must provide information on aspects such as:
the level of assurance and the issuer of eID under that scheme;
the applicable supervisory and liability systems;
the body managing the registration of unique personal ID data.
In the event of a security breach of the eID scheme or authentication, the notifying EU country must:
quickly suspend/revoke the EU-wide authentication or the compromised parts of the scheme; and
inform other EU countries and the Commission.

Liability

In any transaction between EU countries where there is a failure to comply with the regulation’s obligations, the following parties can be held liable for any damage caused intentionally or negligently to any person or body:
a notifying EU country;
the party issuing the eID;
the party managing the authentication procedure.
Cooperation and operability among EU countries

National eID schemes notified must be interoperable. The interoperability framework must be technology-neutral, not favouring any specific national technical solutions for eID.

Trust services

The regulation defines trust services as paid-for services that include:
the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services; or
the creation, verification and validation of certificates for website authentication; or
the preservation of electronic signatures, seals or certificates related to those services.

Trust service providers based in the EU are considered ‘qualified’ if they meet the regulation’s applicable requirements. They are legally entitled to provide qualified trust services (e.g. qualified electronic signatures, seals or certificates) in all EU countries. Trust services offered by service providers from non-EU countries can be considered legally equivalent to qualified ones, but only after an agreement between the EU and the non-EU country or an international organisation.

Supervision

EU countries must select one or more bodies for the supervisory activities under this regulation. These bodies must cooperate with data protection authorities where appropriate.
All trust service providers are subject to supervision and to risk management and security breach notification obligations.

Non-qualified trust service providers are subject to ‘light-touch’ supervision, i.e. the supervisory body only reacts if the provider is suspected of misconduct.

Qualified trust service providers based in the EU are subject to strict supervision. This includes prior authorisation by supervisory bodies and auditing at least once every 2 years by an organisation that assesses whether they meet regulation requirements.
A new, voluntary EU trust mark will identify the qualified trust services provided by the relevant providers.

A series of acts adopted by the European Commission in the course of 2015 set out:

procedural arrangements for cooperation between EU countries on electronic identification
specifications relating to the form of the EU trust mark for qualified trust services;
technical and operational requirements of the interoperability framework;
minimum technical specifications and procedures for assurance levels for eID means;
technical specifications and formats relating to trusted lists;
specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies; and
circumstances, formats and procedures of notification of eID schemes.

ACT

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, pp. 73-114)

The successive amendments to Regulation (EU) No 910/2014 have been incorporated in to the original document. This consolidated version is of documentary value only.

Protecting electronic pay services against piracy

Legal protection of services based on, or consisting of, conditional access – Directive 98/84/EC

The objective of this directive on the legal protection of services based on conditional access (i.e. access in return for a subscription)

— It seeks to protect electronic pay services against piracy.
— It prohibits all commercial activities involving the manufacture, distribution or marketing of smart cards (plastic cards with built-in microprocessors or microchips) and other devices which make it possible to bypass protected access to television, radio and Internet pay services.

Scope

The directive covers all services supplied on the basis of conditional access, such as pay-television and pay-radio services, on-demand video and audio services, electronic publishing and a large range of on-line services that are available to the public on a subscription or pay-per-view basis.

Illicit activities

Each EU country must introduce laws to ban:

—the production, import, sale, rental or possession for commercial profit of illegal equipment or software enabling the unauthorised access to a protected service;
—installing, servicing or replacing illegal equipment for commercial profit;
—advertising that promotes illegal equipment or software.

Penalties and remedies

Each EU country must ensure it enacts measures:

—to introduce sanctions which are effective, dissuasive and proportional to the potential impact of the unlawful behaviour;
—to ensure that service providers adversely affected by unlawful behaviour can go to court to seek damages and an injunction and, where appropriate, apply for the seizure of illegal devices.

Principles relating to the internal market

EU countries may not restrict the:

—provision of protected services, or associated services, that originate in other EU countries;
—free movement of conditional access devices, except those devices designated as illicit by the directive (i.e. any equipment or software designed or adapted to give access to a protected service in an intelligible form without the authorisation of the service provider).

Council of Europe Convention

In 2015, the Council of the European Union approved, on behalf of the EU, the Council of Europe Convention on the legal protection of services based on, or consisting of, conditional access, which entered into force in 2003. The signing by the EU of the Convention is likely to encourage other members of the Council of Europe to ratify it. This would extend the application of rules similar to those in Directive 98/84/EC beyond the EU’s borders, and thus result in a law on services based on conditional access which would be applicable throughout the European continent.

ACT

Directive 98/84/EC of the European Parliament and of the Council of 20 November 1998 on the legal protection of services based on, or consisting of, conditional access (OJ L 320, 28.11.1998, pp. 54–57)

Council Decision 2014/243/EU of 14 April 2014 on the signing, on behalf of the European Union, of the European Convention on the legal protection of services based on, or consisting of, conditional access (OJ L 128, 30 April 2014, p. 61)

Council Decision (EU) 2015/1293 of 20 July 2015 on the conclusion, on behalf of the European Union, of the European Convention on the legal protection of services based on, or consisting of, conditional access (OJ L 199, 29.7.2015, pp. 3–5)

Report from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions – Second Report on the implementation of Directive 98/84/EC of the European Parliament and of the Council of 20 November 1998 on the legal protection of services based on, and consisting of, conditional access (COM(2008) 593 final of 30 September 2008)

On the legal protection of electronic pay services – Report from the Commission to the Council, the European Parliament and the European Economic and Social Committee on the implementation of Directive 98/84/EC of the European Parliament and of the Council of 20 November 1998 on the legal protection of services based on, or consisting of, conditional access (COM(2003) 198 final of 24 April 2003)