Amendment of the eIDAS Regulation
Without coherent data protection regulations and a Europe-wide compatible technical solution for European Digital Identity Wallets, the security and self-determination of all EU citizens will fall behind as of 2026.
Research Focus: Safety, Security and the Law
Besides the opportunities for more far-reaching digitalization, FZI scientists see many concrete risks in the current amendment of the eIDAS Regulation, in particular regarding the certificates (QWAC) being used. They also point out that no coherent data protection regulations are identifiable in the eIDAS Regulation, which enables governments to derive the usage behavior of EU citizens from their utilization of the EUDI Wallet in various areas of life. In that regard, the FZI is suggesting solutions within the consultation process of the Federal Ministry of the Interior and Community (BMI) on the EUDI-Wallet.
On November 8, 2023, representatives of the EU Parliament, the European Commission and the European Council agreed on the amendment of the eIDAS Regulation. The Regulation on electronic identification and trust services for electronic transactions in the internal market seeks to enable public authorities, businesses and citizens to carry out secure and seamless electronic interactions.
As the current regulation dates back to 2014, there was an urgent need to adapt it to current political challenges and technological progress. The core element of the eIDAS Regulation is the “European Digital Identity Wallet” (EUDI-Wallet). In this digital wallet, digital versions of documents such as ID card, driving license and healthcare card can be stored and then accessed electronically.
Via the wallet, authorities, companies and citizens can identify themselves to others and easily provide the necessary proof electronically. By 2026, all EU member states must make the EUDI-Wallet available to their citizens free of charge so that they can store various proofs of identity in the wallet on their mobile devices. People who do not want to or cannot use the wallet must not suffer any disadvantage as a result.
New Regulation Holds Opportunities and Risks
The amendment now being negotiated in a trilogue process extends the scope of the regulation to the private sector. Unfortunately, this extension not only offers opportunities for more extensive digitalization, but also brings many specific risks. A significant point of criticism of the revision concerns the kind of certificates employed, a technical provision that could be designed differently from what is stipulated in the amendment.
Certificates are generally used to encrypt and secure the connection between the websites and the people who visit them. They are also used to authenticate the operators of the websites to the visitors.
According to the eIDAS Amendment, however, Qualified Website Authentication Certificates (QWAC) are to be used in future. Browsers shall accept these QWACs as trustworthy. People who access the websites will be able to recognize who stands behind a website. This concept is intended to create trust. The certificates are provided and controlled by the respective EU member states and may only be removed with the consent of the respective government.
Problem 1: Risk of Spying on Citizens
According to many IT security experts and researchers, the use of QWACs poses the risk of government authorities being able to use the self-created certificates to surveil the behavior of their own citizens and collect information about them. For this reason, experts and researchers have issued an open letter criticizing this aspect of the necessary amendment of the eIDAS Regulation during the trilogue.
Problem 2: Serious Breach of the GDPR
Sources and Background Information
About the FZI
The FZI Research Center for Information Technology conducts research on secure digital identities and the necessary legal framework, among others in the projects SDIKA (BMWK program Showcase Secure Digital Identities Karlsruhe) and SDI4Ecom (innovation promotion of Invest BW). The FZI also participates in the consultation process of the Federal Ministry of the Interior and Community (BMI) on the EUDI-Wallet.
The FZI Research Center for Information Technology, with headquarters in Karlsruhe and a branch office in Berlin, is a non-profit institution for information technology application research and technology transfer. It delivers the latest scientific findings in information technology to companies and public institutions and qualifies individuals for academic and business careers or the leap into self-employment. Supervised by professors from various faculties, the research groups at the FZI develop interdisciplinary concepts, software, hardware and system solutions for their clients and implement the solutions found as prototypes. The FZI House of Living Labs provides a unique research environment for application research. The FZI is an innovation partner of the Karlsruhe Institute of Technology (KIT) and strategic partner of the German Informatics Society (GI).