Paperless transactions: How to get the best from the EU regulation
25/06/2019
Enable paperless transactions across borders. With the highest level of trust and security.
The eIDAS Regulation provides a framework for people and organisations when they use electronic trust services, such as electronic signatures or seals, time stamps, electronic registered delivery services and certificates for website authentication. It sets the requirements that these services, and the products and solutions supporting them, need to comply with. The overall objective is to help citizens, businesses and public authorities interact electronically, making paperless transactions convenient and safe.
Thanks to eIDAS, purely electronic evidence cannot be rejected merely for being electronic. Courts, in particular, shall not deny legal effect and admissibility to an electronic document, an electronic signature or an electronic seal as evidence in legal proceedings solely on the grounds that it is in electronic form.
So, if an individual or organisation wants to complete a transaction electronically – whether they’re registering as a student at a foreign university or tendering for a contract – they can do it legally from anywhere in Europe. To add trust to the transaction they can make use of a trust service such as an electronic signature service or a time stamping service.
As well as saving the time and costs related to using paper, the eIDAS Regulation ensures cross-border recognition – of national electronic identities and of the trust services supporting electronic transactions. This boosts security and convenience further, and supports the interoperability of systems across Europe.
So the potential benefits of the eIDAS Regulation are far-reaching. But for the electronic trust services that support paperless transactions to work smoothly and securely, they should be set up and managed by the right kind of provider – preferably a Qualified Trust Services Provider (QTSP).
There are two types of trust services, non-qualified and qualified, and the difference between a QTSP and a non-qualified provider comes down to which of these they can provide. A non-qualified provider can offer only non-qualified services, which do not carry the same legal presumptions as their qualified equivalent. But these providers still have to meet requirements on accessibility for persons with disabilities, personal data protection, and managing risk and security, they must notify the supervisory body of security breaches, and they are liable for damage caused intentionally or negligently to any individual or organisation by a failure to comply with the eIDAS obligations.
Qualified trust services require the highest level of trust, and this is where you should involve a QTSP. To find one, look for the ‘EU trust mark for qualified trust services’, which is the distinctive logo at the top of the pyramid diagram below. This is your guarantee of quality and trustworthiness in qualified trust services. It isn’t yet another ‘quality mark’ with little or no foundation. As the pyramid shows, the eIDAS Regulation imposes a consistent set of quality and security requirements and obligations for QTSPs and the services they provide. These aim to enhance the trust of consumers and enterprises (SMEs in particular) in the electronic market, and to promote the use of qualified trust services and products.
The supervisory regime requires QTSPs and their qualified trust services to be audited at least every 24 months by an accredited conformity assessment body, which issues a conformity assessment report confirming that they fulfil the requirements of the eIDAS Regulation. National supervisory bodies decide, on the basis of that report, whether to grant qualified status to (or withdraw it from) trust services and trust service providers. These decisions are published in electronically signed or sealed national trusted lists, in a format suitable for automated processing, and the European Commission publishes a signed list of trusted lists pointing to each national list.
The pyramid of trust for qualified trust services established by the eIDAS Regulation also relies on, and is strengthened by, the use of best practices and standards. To ensure uniform conditions for implementing the regulation, the European Commission has powers to adopt implementing acts specifying formats and procedures, and to publish reference numbers of standards; compliance with a referenced standard gives a presumption of compliance with the corresponding requirement.
Although those using a QTSP to set up qualified trust services are obliged to carry out certain procedures – such as the secure registration of the services – in most cases, they have to do this only once. And for some procedures, their QTSP can take care of everything.
So from a customer’s perspective, using a QTSP to establish and manage qualified services is relatively easy, especially as a QTSP is presumed to have acted intentionally or negligently in a claim for damages unless it proves otherwise, so the burden of proof falls on the QTSP rather than on the customer. Also, the legal value of qualified trust services is very clear, and the tools provided by eIDAS, such as the trust mark and the machine-processable trusted lists, mean the services can be automatically recognised by off-the-shelf applications.
As well as helping provide consistent levels of trust, the use of standards in the eIDAS Regulation also makes it easier to develop interoperable and off-the-shelf solutions for different aspects of electronic trust services. And new solutions can be developed to improve services, even if there isn’t yet a related standard, as long as they comply with eIDAS requirements.
It’s now a few years since the eIDAS Regulation came into force, and the market seems to be self-regulating. The European Commission has referenced very few standards in its implementing acts, and auditors, industry bodies like the CA/Browser Forum, and private companies like Adobe have chosen which standards they want QTSPs to be audited against.
One result of this flexibility in using the standards is the rise of interoperable solutions that help individuals and organisations at both ends of an electronic transaction communicate in an open, trustworthy way. For example, one person’s qualified electronic signature, created by a trusted signature-creation service in one country, can be validated by someone else in another country, thanks to an application on the latter’s laptop. The two don’t need to share the same application or provider. Another example is sending and receiving electronic registered mail without the sender and receiver being customers of the same service provider.
Not only can these applications understand each other by ‘speaking’ the same standardised language, but – thanks to the national trusted lists mentioned earlier – they can also let their users know whether or not a trust service output is qualified. QTSP status makes a vital difference to paperless interactions. Fortunately, the regulation that specified this status has encouraged the development of technology that makes it very easy to identify.
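The cross-border validation described in the two paragraphs above comes down to one lookup: the validating application identifies the CA (or time-stamping unit) behind a signature, finds that identity in the relevant national trusted list, and checks that the service is listed with a qualified service type and a status of "granted" at the time of signing. The following Python script is an added example, not code from the article or from any product mentioned in it. The namespace, element names and the Svctype/Svcstatus URIs are the real ones from the ETSI TS 119 612 trusted-list format; the provider, service names, dates and SKI values are constructed. It deliberately omits two things a production validator must do: verify the XML signature on the trusted list (and on the Commission's list of trusted lists that points to it) before trusting any entry, and walk the ServiceHistory and Qualifications extensions, which are needed to decide the status at a time before the current status started and to tell a qualified certificate for a natural person from one for a seal.

```python
"""Look up a signature's issuing service in an eIDAS trusted list (TL).

Added example. The XML is a constructed, trimmed fragment in the ETSI TS 119 612
layout used by national trusted lists; it is not a real national list.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

# Real identifiers from ETSI TS 119 612.
NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"          # CA issuing qualified certificates
TSA_QTST = "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST"    # qualified time-stamping service
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"

# Constructed sample: one qualified CA, one withdrawn CA, one qualified TSA.
# X509SKI values are made-up base64 subject key identifiers.
SAMPLE_TL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
 <SchemeInformation><SchemeTerritory>XX</SchemeTerritory></SchemeInformation>
 <TrustServiceProviderList>
  <TrustServiceProvider>
   <TSPInformation><TSPName><Name xml:lang="en">Example QTSP</Name></TSPName></TSPInformation>
   <TSPServices>
    <TSPService><ServiceInformation>
     <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
     <ServiceName><Name xml:lang="en">Example Qualified CA 1</Name></ServiceName>
     <ServiceDigitalIdentity><DigitalId><X509SKI>c2tpLWNhMQ==</X509SKI></DigitalId></ServiceDigitalIdentity>
     <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
     <StatusStartingTime>2017-01-01T00:00:00Z</StatusStartingTime>
    </ServiceInformation></TSPService>
    <TSPService><ServiceInformation>
     <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
     <ServiceName><Name xml:lang="en">Example Qualified CA 0</Name></ServiceName>
     <ServiceDigitalIdentity><DigitalId><X509SKI>c2tpLWNhMA==</X509SKI></DigitalId></ServiceDigitalIdentity>
     <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
     <StatusStartingTime>2018-06-30T00:00:00Z</StatusStartingTime>
    </ServiceInformation></TSPService>
    <TSPService><ServiceInformation>
     <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST</ServiceTypeIdentifier>
     <ServiceName><Name xml:lang="en">Example Qualified TSA</Name></ServiceName>
     <ServiceDigitalIdentity><DigitalId><X509SKI>c2tpLXRzYQ==</X509SKI></DigitalId></ServiceDigitalIdentity>
     <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
     <StatusStartingTime>2017-01-01T00:00:00Z</StatusStartingTime>
    </ServiceInformation></TSPService>
   </TSPServices>
  </TrustServiceProvider>
 </TrustServiceProviderList>
</TrustServiceStatusList>
"""


def _utc(iso):
    """Parse an ISO 8601 timestamp as used in TLs ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_services(tl_xml):
    """Flatten the TL into one dict per TSPService, keeping only the current status.

    Assumes the caller has already verified the XML signature over the TL.
    """
    root = ET.fromstring(tl_xml)
    services = []
    for tsp in root.iterfind("tsl:TrustServiceProviderList/tsl:TrustServiceProvider", NS):
        tsp_name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", namespaces=NS)
        for si in tsp.iterfind("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", NS):
            services.append({
                "tsp": tsp_name,
                "name": si.findtext("tsl:ServiceName/tsl:Name", namespaces=NS),
                "type": si.findtext("tsl:ServiceTypeIdentifier", namespaces=NS),
                "status": si.findtext("tsl:ServiceStatus", namespaces=NS),
                "since": _utc(si.findtext("tsl:StatusStartingTime", namespaces=NS)),
                "skis": {d.text for d in si.iterfind(
                    "tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509SKI", NS)},
            })
    return services


def qualified_status(services, issuer_ski, signing_time_iso, service_type=CA_QC):
    """Classify the service whose X509SKI is issuer_ski at the signing time.

    Returns 'qualified', 'not-qualified', 'indeterminate' (the current status began
    after the signing time, so ServiceHistory would have to be consulted) or
    'unknown' (identity not in this TL; other national TLs reached via the LOTL
    would have to be searched).
    """
    signing_time = _utc(signing_time_iso)
    for s in services:
        if issuer_ski not in s["skis"]:
            continue
        if s["type"] != service_type:
            return "not-qualified"        # listed, but not as the qualified type we need
        if s["since"] > signing_time:
            return "indeterminate"
        return "qualified" if s["status"] == GRANTED else "not-qualified"
    return "unknown"


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_TL)
    for ski in ("c2tpLWNhMQ==", "c2tpLWNhMA==", "bm9wZQ=="):
        print(ski, qualified_status(svcs, ski, "2019-06-25T10:00:00Z"))
```

The two things to take from this are what the trusted list does and does not settle. It settles whether a given CA or TSA was under qualified status at a given time, which is the "qualified or not" indicator the validating application shows its user. It does not by itself prove the certificate chains to that CA, that the signature is cryptographically valid, or that the signing device was a QSCD; those come from ordinary X.509 path validation, the signature format (CAdES, XAdES, PAdES) and the certificate's QcStatements, and the list is only trustworthy once its own signature, and that of the list of trusted lists, has been checked.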
Sylvie Lacroix, CISA (Certified Information Systems Auditor), Managing Director of SEALED, is an eSecurity consultant with more than 20 years of experience. With a Master’s degree from the Ecole Polytechnique de Louvain as her technical background, Sylvie started her career as a researcher in cryptography at UCL. She acquired significant experience in business representation and in the exploitation of security, cryptography and PKI topics. Sylvie participated in the implementation of major projects within Europe and beyond, such as national eID card and ePassport projects. Sylvie was an expert for several European studies on eSignatures that served as milestones in drafting the eIDAS Regulation. She has worked for prestigious organisations such as European governments, the European Commission, large enterprises, and CEN and ETSI, the two major European standardisation bodies. Sylvie leads the ETSI Special Task Force on signature validation (STF 524) and is also the editor of security policies for TSPs.