
Herbert Leitold is the General Director of A-SIT Secure Information Technology Centre, Austria UC5 Lead and Austrian single point of contact (SPOC).
How does the eIDAS regulation enhance the security of identity data in Europe?
First and foremost, the eIDAS regulation revision within the European digital identity wallet introduces an eID that operates at the so-called “Level of Assurance: High”. This means that the eID has technologically state-of-the-art security. And that’s not just about the security of the citizen’s devices. The revision also broadens the availability of eID: previously, eIDAS regulations let EU Member States introduce an eID system or modify their existing system for cross-border use. Now, however, this becomes an obligation. Member States must issue a European digital identity wallet. That flips the coin and makes having an eID a right for citizens. It also increases the incentive for applications to use it. So, I also expect a broader ecosystem of secure services for eID systems thanks to this eIDAS regulation revision.
How can the implementation of large-scale European pilots like POTENTIAL improve the security of identity data compared to isolated national approaches?
The European digital identity wallet has security and privacy at its core, and of course, so do the national eID programs. With the European digital identity wallet, however, we are sailing into uncharted waters. Novel ideas and new technologies are being introduced, and there is the whole concept of cross-border use.
The large-scale pilots are a reality check. You need to test to understand how to get broad acceptance, to see whether the devices your citizens already own can be used, to check if it works in all applications and use cases. The large-scale pilots can prove that it works, but importantly, they can give us a view on where we might get stuck. And that is so important to know before you deploy for real.
What possible challenges will Member States face when implementing these programs?
The biggest challenge for Member States is that they will have to modify their eID systems. Until now, cross-border use of electronic identity worked through federation, which essentially meant that States could keep their existing eID systems and fit an interoperability layer on top of it. That worked pretty well with the kinds of services you access from a browser on a computer. But in today’s mobile-first environment, where there is more or less ubiquitous use of smartphones, new concepts are required, which essentially means Member States must change to a common protocol and a common environment. This is also where the large-scale pilots are important: the transition from the existing national eIDs to the European digital identity wallet needs to be as seamless as possible.