The European Union’s new electronic identification regulation is being criticized on multiple fronts.
Designed to supersede the 2014 electronic identification and trust services (eIDAS) regulation, the European Commission proposed a revised eIDAS (eIDAS 2) in 2021 with the goal to give internet users more control over their data.
It is also intended to create a cross-border framework for digital identity services and will pave the way for the introduction of a common digital ID wallet for all EU citizens.
After much debate, the European Council adopted its common position on the proposed legislation in December. But as the different parties negotiate the final text of the regulation, it has come under fire.
In an open letter published earlier this month, the Cloud Signature Consortium — a group of businesses and researchers representing the cloud signature industry — outlined what it referred to as “risks” stemming from changes to Article 24 of eIDAS 2.
In the commission’s initial proposal, there are two assurance levels that would qualify an eID scheme as compliant with eIDAS 2: “substantial” or “high.” However, as consortium noted in its letter, the council’s position removes reference to substantial assurance, ensuring that only the highest level of assurance will qualify.
While it acknowledged “the best intentions of policymakers,” the group argued that the higher standard proposed by the EU council will disqualify many eID schemes that already exist.
These include some of the most widely used schemes in Europe, including FranceConnect, which counts more than 41 million users, as well as other major identification systems, such as the Swedish BankID and SPID in Italy.