Position

12/18/2023

Amendment of the eIDAS Regulation

Without coherent data protection rules and a Europe-wide compatible technical solution for European Digital Identity Wallets, the security and self-determination of all EU citizens will be at risk from 2026.

Research Focus: Safety, Security and the Law

Besides the opportunities for further digitalization, FZI scientists see many concrete risks in the current amendment of the eIDAS Regulation, in particular regarding the certificates (QWACs) that are to be used. They also point out that no coherent data protection rules are identifiable in the eIDAS Regulation, which would allow governments to derive the usage behavior of EU citizens from their use of the EUDI Wallet across various areas of life. The FZI is therefore proposing solutions within the consultation process of the Federal Ministry of the Interior and Community (BMI) on the EUDI-Wallet.

On November 8, 2023, representatives of the EU Parliament, the European Commission and the European Council agreed on the amendment of the eIDAS Regulation. The Regulation on electronic identification and trust services for electronic transactions in the internal market seeks to enable public authorities, businesses and citizens to carry out secure and seamless electronic interactions.

As the current regulation dates back to 2014, there was an urgent need to adapt it to current political challenges and technological progress. The core element of the amended eIDAS Regulation is the “European Digital Identity Wallet” (EUDI-Wallet). In this digital wallet, digital versions of documents such as the ID card, driving license and health insurance card can be stored and then presented electronically.

Desired Benefit

Via the wallet, authorities, companies and citizens can identify themselves to others and easily provide the necessary proofs electronically. By 2026, all EU member states must make the EUDI-Wallet available to their citizens free of charge, so that they can store various proofs of identity in the wallet on their mobile devices. People who do not want to or cannot use the wallet must not suffer any disadvantage as a result.

New Regulation Holds Opportunities and Risks

The amendment negotiated in the trilogue process extends the scope of the regulation to the private sector. This extension not only offers opportunities for more extensive digitalization but also brings many specific risks. A significant point of criticism of the revision concerns the type of certificates to be used, a technical provision that could be designed differently from what the amendment stipulates.

Certificates (X.509 certificates, as used in TLS) bind a website's domain name to a public key. Browsers use them to authenticate the operator of a website to its visitors and to set up the encrypted connection between the website and the people who visit it. A certificate is only accepted if it was issued by a certificate authority (CA) in the browser's trust store; a certificate from an untrusted CA produces a warning instead of a secure connection.

Under the eIDAS amendment, however, Qualified Website Authentication Certificates (QWACs) are to be used in future, and browsers will be required to accept these QWACs as trustworthy. People who access a website will then be able to recognize who stands behind it; this concept is intended to create trust. The certificates are provided and controlled by the respective EU member states and may only be removed from the browsers' trust lists with the consent of the respective government. Which CAs a browser trusts thus becomes a political decision rather than one based on the browser vendor's own security requirements.

Problem 1: Risk of Spying on Citizens

According to many IT security experts and researchers, the use of QWACs carries the risk that government authorities could use certificates they issue themselves to intercept the encrypted web traffic of their own citizens, surveil their behavior and collect information about them: a CA that browsers are required to trust can issue a certificate for any website, and such a certificate is accepted regardless of who actually operates the site. For this reason, experts and researchers published an open letter during the trilogue criticizing this aspect of the otherwise necessary amendment of the eIDAS Regulation.
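The trust decision behind this problem, shown as an added example in Go (not code from the FZI, the page, or any browser): it builds two self-signed roots and two server certificates for one hostname, then checks, the way a TLS client would, whether each certificate is accepted with and without the second root in the trust store. The CA names ("Example Web CA", "Mandated Root"), the hostname "bank.example" and all function names are invented for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA builds a self-signed root; the names passed in below are invented for this example.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has ca sign a server certificate for hostname; X.509 itself does not
// stop a CA from issuing for a domain its operator does not control.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, hostname string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		DNSNames:     []string{hostname},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// browserAccepts mirrors a TLS client's decision: accept the leaf for hostname only
// if it chains to a root in trustStore and names hostname in its SANs.
func browserAccepts(trustStore []*x509.Certificate, leaf *x509.Certificate, hostname string) bool {
	roots := x509.NewCertPool()
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// runScenario reports whether the site's genuine certificate is accepted, and whether a
// certificate for the same site from a second ("mandated") CA is accepted before and
// after that CA is added to the trust store. Everything here is constructed test data.
func runScenario() (genuineOK, foreignBefore, foreignAfter bool, err error) {
	const site = "bank.example" // constructed hostname
	siteCA, siteKey, err := newCA("Example Web CA")
	if err != nil {
		return
	}
	mandatedCA, mandatedKey, err := newCA("Mandated Root")
	if err != nil {
		return
	}
	genuine, err := issueLeaf(siteCA, siteKey, site)
	if err != nil {
		return
	}
	foreign, err := issueLeaf(mandatedCA, mandatedKey, site) // issued for a domain this CA does not run
	if err != nil {
		return
	}
	before := []*x509.Certificate{siteCA}
	after := []*x509.Certificate{siteCA, mandatedCA}
	genuineOK = browserAccepts(before, genuine, site)
	foreignBefore = browserAccepts(before, foreign, site)
	foreignAfter = browserAccepts(after, foreign, site)
	return
}

func main() {
	genuineOK, foreignBefore, foreignAfter, err := runScenario()
	fmt.Println("genuine:", genuineOK, "foreign before:", foreignBefore, "foreign after:", foreignAfter, err)
}
```

Nothing about the second certificate changes between the two checks; only the trust store does. That is the whole mechanism: once a root is in the store, every certificate it signs is accepted for whatever hostname it names, which is why the question of who controls the store, and who may remove a root from it, is the security-relevant one.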

Problem 2: Serious Breach of the GDPR

Another point discussed in the open letter concerns the relationship between the eIDAS Regulation and data protection law. Although the draft eIDAS Regulation refers to the General Data Protection Regulation (GDPR) for the processing of personal data, no coherent data protection rules are recognizable in the eIDAS Regulation itself. Based on the most recent draft, it therefore cannot be ruled out that governments could read user behavior in various areas of life from the use of the EUDI-Wallet, which would be highly contrary to data protection law. Art. 6a para. 7 of the draft eIDAS Regulation stipulates that user behavior should remain unobserved and that the data should not be linked to each other. However, parties authorized to access the EUDI-Wallet can obtain citizens' consent to use their data. As the data stored in the wallet are only weakly separated from one another, several or even all of these data could subsequently be merged into a personal profile.

The Solution

Concrete steps to implement the eIDAS Regulation have not yet been taken, so there is still an opportunity for secure technical rules and a more citizen-friendly implementation. To provide all EU citizens with a functioning and secure EUDI-Wallet that can be used throughout the EU by 2026, the solution must be built on a unified technical architecture; a technical working group is in charge of the relevant details and specific requirements. According to the FZI scientists, the technical implementation must focus on security, transparency and self-determination in addition to user-friendliness. To this end, the opportunities and risks of the EUDI-Wallet should be communicated clearly to citizens who wish to use it, so that they understand the consequences of giving their consent and can make an informed decision.

About the FZI

The FZI Research Center for Information Technology conducts research on secure digital identities and the necessary legal framework, amongst others in the projects SDIKA (BMWK program Showcase Secure Digital Identities Karlsruhe) and SDI4Ecom (innovation promotion of Invest BW). The FZI also participates in the consultation process of the Federal Ministry of the Interior and Community (BMI) on the EUDI-Wallet.

The FZI Research Center for Information Technology, with headquarters in Karlsruhe and a branch office in Berlin, is a non-profit institution for information technology application research and technology transfer. It delivers the latest scientific findings in information technology to companies and public institutions and qualifies individuals for academic and business careers or the leap into self-employment. Supervised by professors from various faculties, the research groups at the FZI develop interdisciplinary concepts, software, hardware and system solutions for their clients and implement the solutions found as prototypes. The FZI House of Living Labs provides a unique research environment for application research. The FZI is an innovation partner of the Karlsruhe Institute of Technology (KIT) and strategic partner of the German Informatics Society (GI).

Our Experts

Aline Vugrincic

Research Scientist
Division: Cybersecurity and Law

Antonio Scaduto

Research Scientist
Division: Cybersecurity and Law