eIDAS Regulation: Strengthening SMEs through standardisation

eIDAS Regulation: Strengthening SMEs through standardisation

Key points

• The “Twin Transition” – the green and digital transformation of the EU – and the COVID-19 pandemic have highlighted the crucial importance of electronic transactions to businesses and citizens.

• An efficient eIDAS (electronic identification and trust services) regulation is needed to scale up electronic identification technologies that can effectively support electronic transactions,
including remote working. A new trust service for online identification could expand benefits brought by eIDAS trust services to SMEs enabling them to develop new added value services

• Standards should play a key role in providing certainty for SMEs to invest in eIDAS value added services. Identification of standards and the publication of their reference in the Official Journal can guarantee at least a baseline for security and technical interoperability for all the trust services in the public sector. It is advisable to:

– make the publication of implementing acts referencing standard mandatory for most, if not all, the different trust services.

-minimize the risk of the Regulation becoming obsolete by delegating power to the Commission for minor changes that do not relate the fundamental principles to respond
quickly to changing technology paradigms, after consultation with relevant stakeholders.

– support and increase SMEs´ participation to standard setting to improve and adapt standards and have better market recognition


The European Commission recently launched a public consultation on Regulation (EU) 910/2014 (the eIDAS Regulation) to collect stakeholders’ feedback on the needed changes to ensure optimal delivery of an EU digital identity1.

The eIDAS Regulation provides a predictable regulatory environment to enable secure and seamless electronic interactions between businesses, citizens, and public authorities by:

•ensuring that people and businesses can use their own national electronic identification means (eIDs) to access public services in other EU countries, where eIDs are available;

• creating a European internal market for electronic trust services – namely electronic signatures, electronic seals, time stamp, electronic delivery service and website authentication – by ensuring that they will work across borders and have the same legal status as traditional paper-based processes

Digital technologies are key to reduce the effect of the COVID-19 pandemic on the economy and keep the activities alive even with the most severe restrictions in place. This was vital, especially in the case of SMEs. Now that the EU is investing to recover from the immense damage caused by the pandemic, it is fundamental to promote sustainable growth. In fact, the “Twin Transition” – the green and digital transformation of the EU – is at the centre of the European Commission 20202 and 20213 Work Programme.

According to the Centre for European Policy Studies (CEPS)4, Member States’ experience with digital identification varies5. Other countries are currently experiencing a surge in demand for digital identification means6. In Italy, the identification scheme system “SPID” has been able to satisfy high demand for digital identification thanks to its unique characteristics:

• numerous identity providers, both public and private, audited by accredited Conformity Assessment Bodies and under supervision by the national supervision body;

• the possibility to implement remote recognition procedures;

• no need to distribute physical identification means as most of the identity providers use mobile phone applications for this purpose

An efficient eIDAS regulation is needed to scale up electronic identification technologies

The eIDAS Regulation contributed to reducing the need for face-to-face interactions enabling eGovernment and business interactions supporting cross-border reliable and trustworthy electronic
identities and trust services, such as eSignatures, eDelivery, and eID, which are key enablers for the digital transformation. The eIDAS Regulation already introduced a first cross-border framework for mutual recognition of notified digital identities aiming to ensure that individuals and businesses can use their own national electronic identification means (eIDs) to authenticate when accessing public online services in other EU Member States. This was achieved by establishing an interoperability framework and by enforcing mutual legal recognition of notified schemes.

However, the current eIDAS interoperability framework setting based on eIDAS nodes has some flaws:

• it is inefficient and often hard to use, especially by inexperienced users, and can hardly scale up to support real business needs, where users are familiar with simple and immediate identification means when using online services,

• it is not possible to use paper-based identification documents, and

• many eIDs require card readers. Only the most recent eIDsthat support Near Field Communication (NFC) 7 have a seamless integration with smartphones (that support NFC).

Experience shows that the adoption of secure but difficult-to-use devices and technologies is a huge hindrance to widespread use of eID enabled services. Thus, a new type of qualified trust service for identification of natural and legal persons – conceptually like the Italian SPID discussed above – would be a better approach. Electronic Identification means issued by SPID fully relies on official identification documents issued by the Italian government, either paper based or electronic. In practice, SPID identity is not a stand-alone identification document but relies on the official IDs issued by the Italian Ministry of Interiors and enable to reuse the identity online, thanks to electronic assertion electronically sealed by the SPID providers.

Under the eIDAS framework, SPID is considered as an identification scheme but it is very similar to a qualified trust service both in terms of governance and at the technical level, providing electronic identification of a natural or legal person to an electronic service in a very effective and scalable way. This approach would allow to decouple the issuance of legal IDs, reserved to Member States authorities, from electronic identification means “anchored” to those IDs, issued by the States. This is a key element to deploy an identification service that can scale seamlessly to EU wide dimension without changing the rules for legal IDs that must remain under the Member State sovereignty.

This new trust service can (and should) benefit from the same sound approach of other trust services, i.e.:

• supervision;

• conformity assessment under accreditation and based on standards;

• electronic signatures and seals format (for identity assertions to be consumed by services);

• trusted lists for mutual recognition

This proven trust framework can effectively support remote working that now is the prevalent behaviour for many European employees and will likely continue to play a key role also when the pandemic is over. This can also help to face the huge challenge to assess and manage the security threats coming from a radically changed scenario that is very alarming, especially for SMEs. The pandemic has also brought in fact an alarming increase in cyber-attacks.

SMEs are expected to benefit from a widespread EU eID infrastructure, especially if those flaws are removed. It is of paramount importance to consider trustworthiness, performance, resilience and, most important, user-friendliness as top priorities for widespread business use. Benefits brought by eIDAS to SMEs are twofold. On the one hand, SMEs can benefit as users of trust services and supporting their digital transformation; on the other hand, SMEs can act as providers of trust services and related solutions.

Standards can help SMEs reap the full potential benefits of the new eIDAS framework and invest in eIDAS services across the EU.

A new trust service for online identification could expand benefits brought by eIDAS trust services to SMEs enabling them to develop new added value services. This should be an evolution of the current eIDAS framework, not a revolution: the stability and neutrality of the legal framework should remain the guiding principles. The eIDAS regulation sets only the basic legal principles but it is not enough to be used directly at technical level. This is not a limitation, on the contrary, it is a fundamental property of legislation to allow a state-of-the-art interpretation, and this is exactly the role of standards. Their role in fact is to have a common and consistent technical baseline, possibly usable also in different legal frameworks, that avoid the risk of having completely different approaches between Member States or also outside the European Union.

The consistent use of standards is a key principle introduced with eIDAS and demonstrated to be an effective tool to avoid putting at risk and challenge the investments made by many SMEs in creating innovative services based on eIDAS trust services. The identification attributes should be specified only semantically in the Regulation implementing acts, leaving to standards their concrete technical implementation.

In addition to electronic identification, trust services are another fundamental and cornerstone innovation introduced by eIDAS that greatly improved the previous legislation removing their limitations and creating a real single market for electronic signatures, electronic seals, time stamps, electronic registered delivery services and website authentication with a sound governance and interoperability framework.

However, common legal rules alone do not lead to technically interoperable services: eIDAS’ approach was innovative because it guaranteed a legal layer common to all EU with a good level of technical neutrality while relying on standards for the technical layer, leaving therefore freedom to the market to regulate these aspects.

This innovative approach introduced by eIDAS for trust servicesis similar to the New Legislative Framework one that relies on harmonised standards to fully specify the essential requirements of products. Time is now mature to further develop this approach to fully achieve the expected results of eIDAS: the identification of standards and the publication of their reference in the Official Journal can guarantee at least a baseline for security and technical interoperability for all the trust services in the public sector.

Currently, only few of the possible implementing acts referencing standards were published by the Commission. They are limited to electronic signature and seal formats, qualified signature and seal devices and trust lists. This has prevented from reaping the full benefits of the new eIDAS framework. New standards should be referenced for other qualified trust services, especially for eDelivery that has applications both in the public sector (ranging from eProcurement and eInvoicing to e-Justice and eHealth) and in the private sector. SBS recommends making the publication of implementing acts referencing standard mandatory for most – if not all – the different trust services, along the lines of what is already foreseen for electronic signatures and seals.

Moreover, while the general principles of the eIDAS Regulation are and will almost certainly remain substantially unchanged thanks to its technologically neutral approach, a complete exclusion of all the technical aspects from legislation is not possible nor desirable, as it could become too abstract and leave unwanted room for interpretation. It is therefore suggested to add to the eIDAS Regulation a delegation of power to the Commission for minor changes that do not relate the fundamental principles but allow to adapt those parts that are more likely to require changes to adapt the Regulation when new technology paradigms emerge8. Examples of parts that should be possible to be adapted are the specification of signature, seal and their validation, the content of signature, seal and web certificates, qualified signature, and seal creation devices, etc. The Commission should be required, before adopting those delegated acts, to consult the relevant stakeholders. This would minimize the risk that the Regulation becomes obsolete and requires frequent time-consuming changes continuously chasing technological progress.

It is also important that security is addressed by a wider adoption of standards. Standardisation processes in European Standardisation Organisations are open to all interested parties and security standards like ETSI 319 401 are developed and updated by a consensus-based approach open to all interested parties from the market. Participation in standard setting allows any actor – including SMEs – to improve standards and have better market recognition.


The eIDAS Regulation has helped citizens and companies, including SMEs, to process a wide range of services electronically, which helped the fight against COVID-19 and supported digital transformation, one of the two pillars of the “Twin Transitions”. eSignatures, eDelivery, and eID and other eServices are key enablers that contribute to strengthening the EU Single Market through cross-border reliable electronic identities and trust services.

The eIDAS regulation can be more effective for better cross-border services by (1) decoupling production of legal IDs and electronic identification for legal IDs, (2) speeding up adoption of eID in eServices, (3) supporting new verification methods, and (4) remaining technology neutral. The way to achieve this level of effectiveness is through adopting a similar approach to the NFL, where more eIDAS-related standards are published as an effective tool to provide certainty and avoid risk.

1 https://ec.europa.eu/digital-single-market/en/news/eidas-open-public-consultation
2 https://ec.europa.eu/info/publications/2020-commission-work-programme-key-documents_en
3 https://ec.europa.eu/info/publications/2021-commission-work-programme-key-documents_en
4 https://www.ceps.eu/wp-content/uploads/2020/06/TFR_Europe-Digital-Identification-Opportunity.pdf
5 While Belgium and Estonia electronic ID cards allow access to about 100 applications, other countries offer access
to less services. Not only Member States’ experience vary with adoption rate, but they also implement different
approaches to electronic services. While Belgium adopted a central approach with a national registry, nordic
countries adopted a de-centralised system that enables the private sector, led by banks, to introduce an eID
6 For example, in Italy, the rate of requests of digital identities doubled during the lockdown in March with more
than 100.000 requests per week.
7 https://nfc-forum.org/
8 A concrete example is related to technologies such as blockchain and DLT (and, more specifically, Self-Sovereign
Identity solutions): a careful assessment about what changes are needed to adapt the eIDAS Regulation principles
to enable the use of blockchain and DLT is not likely to be possible in the short timeframe and the foreseen Review
should introduce the necessary flexibility to allow the needed adaptations to be introduced when possible and
necessary. A new trust service for identification could easily be the basis and a first step in the direction of a fully
decentralized identification solution based on blockchain/DLT solutions when this will be made possible by
development of well-established solutions and standards.


Views and opinions expressed are those of Small Business Standards (SBS) only and do not necessarily reflect those of the European Union or EFTA. Neither the European Union nor EFTA can be held responsible for them.