Presentation given at the Service Design and Delivery in a Digital Age - Academies for EaP countries organised by the SIGMA Programme and the GiZ Eastern Partnership Regional Fund. Topic 2: Digital transformation.

1. A
joint
initiative
of
the
OECD
and
the
EU,
principally
financed
by
the
EU.
1
Laura Kask, CEO Proud Engineers, Estonia
SERVICE DESIGN AND DELIVERY IN A DIGITAL AGE
Academies for EaP countries
Digital
transformation

2. A
joint
initiative
of
the
OECD
and
the
EU,
principally
financed
by
the
EU.
2
Laura Kask, CEO Proud Engineers, Estonia
SERVICE DESIGN AND DELIVERY IN A DIGITAL AGE
Academies for EaP countries
Implementing eID on national
level: legislation, tech,
governance

3. A
joint
initiative
of
the
OECD
and
the
EU,
principally
financed
by
the
EU. Table of contents
1 Introduction
2 Key Principles of Trusted eID
3 Building Blocks of Trusted eID
4 eID Transformation Process
5 eID organizational structure
6 European legal framework for eID and trust services
7
Estonian national framework for eID and trust services
What have been the challenges?
8 Cross-border implications of eID and trust services

4. A
joint
initiative
of
the
OECD
and
the
EU,
principally
financed
by
the
EU.
Laura Kask
• Former Chief Legal Officer for Government CIO,
Republic of Estonia
• CEO of Proud Engineers
• Visiting lecturer at Tartu University IT Law
Programme
• Obtaining PhD at Tartu University “eID and trust
services in national and cross-border transactions”
Proud Engineers: architects for a digital society

5. A
joint
initiative
of
the
OECD
and
the
EU,
principally
financed
by
the
EU.
5
Do we actually know who
is behind the computer?
Peter Steiner
published by The New Yorker on July 5, 1993

6. WHY?

7. X-Road®
digital
signature
id-card
e-school
2000 2001 2002 2003 2004
e-Estonia timeline
id bus
ticket
eesti.ee
e-tax
board
m-parking
e-cabinet

8. 2005 2006 2007 2008 2010
e-Estonia timeline
i-voting
e-police
system
e-notary
e-justice
mobile-id
company
registration
portal
e-health
system
keyless
signature
infrastructure
e-prescriptions

9. 2011 2012 2013 2014 2015
e-Estonia timeline
smart grid
visualised
business
register
ev quick
charging
network
public services
green paper
e-residency
e-service of the
Estonian Road
Administration
e-receipt

10. 2017 2018 2019 2020
e-Estonia timeline
reporting
3.0
AI strategy
kick-off:
proactive
government
crossborder
e-prescription
NIIS
X-Road®
consortium
data
embassy
2021
7 invisible
services
proactive family
benefits
e-notary for
remote verification
bürokratt

11. Key principles
of trusted eID
Without these, success is unlikely

12. Strong eID is based on strong
physical identity
eIDs must only be issued using a carefully
secured process involving capture of biometrics

13. Unique and
ubiquitous
identifier
of citizens
Most business processes in the country must use
the identifier, assumes a robust population registry.

14. Breaking the
stalemate
The citizens will not take the ID or remember the PIN codes, when there are no
services. There will be no services built for no customers.

15. The eiD
must have a
legal
meaning
Without a legal framework, the eID is simply people doing complex math

16. Building blocks
of trusted eID
These need to be built

17. Legal framework
• Population registry and its legal significance
• Regulation of trust services
• Electronic signature and its significance
• Dealing with legacy
• Education of legal practitioners
• Revamping regulations requiring paper-based processes

18. Capabilities
• Cybersecurity to
• drive requirements for eID and validate deliverables
• monitor the ecosystem
• execute incident response
• Cryptography to keep the ecosystem developing
• Legal to drive legal changes
• Architecture to define, manage and develop the technical ecosystem

19. Trust services
• Trust services create and operate services underpinning the trust in eID
• Certification Authority and Registration Authority
• Time Stamping Authority
• Signature creation and validation
• Trust must stem from audited, regulated and supervised adherence to standards

20. The ecosystem
• It is not possible for a
• single government authority to build eID due to the range of capabilities and
changes necessary
• single private sector organization to build eID due to the lack of critical mass in
terms of customers and services
• Create and manage an ecosystem of service providers, integrators, technology
providers, researchers, cybersecurity practitioners, trust service providers etc.
• Alternatively make sure to participate in one

21. eID transformation process

22. eID transformation process

23. eID transformation process

24. Supporting the vision execution

25. eID organizational structure

27. European legal framework for
eID and trust services

28. European legal framework for
eID and trust services: eIDAS
Regulation

30. Mandatory recognition of electronic identification for
Member States
1. May ‘notify’ the ‘national’ electronic identification scheme(s) used at for
access to its public services
2. Must recognise ‘notified’ eIDs of other Member States for cross-border
access to its online services when its national laws mandate e-identification
3. Must provide a free online authentication facility for its 'notified' eID(s).
4. May allow the private sector to use ‘notified’ eID
NB! No obligation to recognize eIDs outside EU
NB! Only EU level agreement between a third country is a possibility (there is now an option to
overcome the legal gap)

31. Trust Services
eIDAS creates an European internal market for electronic trust services by ensuring
that they will work across borders and have the same legal status as traditional paper
based processes.

32. Trust Services
When the public sector accepts a document being signed electronically, they must
accept documents signed electronically in the same format from the other member
states or with the service offered by the other service providers.

33. Trusted List
• Member states maintain and publish trusted lists where they have all the necessary
information about the qualified service providers acting inside the EU.
• Trust services provided by trust service providers established in third country shall
be recognised legally once there is an agreement between the EU and the third
country.
• Trust services provided services provided by trust service providers established in
third country shall be recognized when they are in the trusted list and audited in
the EU, provided by EU located service provider.

34. Principles of trust services
• Technological neutrality.
• Mutual recognition of «qualified» electronic trust services.
• Ensuring validity and legal certainty of cross-border electronic
transactions through the impossibility to reject a document on the grounds
that it is in electronic form.

35. Levels of e-signature (electronic signature)
• The simple e-signature has a low level of security and assurance. It cannot
guarantee that the person signing the document is who he pretends to be.
• It does not provide details on the signing event (such as time, date etc.) either. For
example, when ticking the “Accept terms & conditions” box of an online
transaction, using stylus etc.

36. Levels of e-signature (advanced e-signature)
• Advanced electronic signature – an electronic signature is considered advanced if it meets
certain requirements:
a. it is uniquely linked to the signatory;
b. it is capable of identifying the signatory;
c. it is created using electronic signature creation data that the signatory can, with
a high level of confidence, use under his sole control; and
d. it is linked to the data signed therewith in such a way that any subsequent
change in the data is detectable.
• Certificate for electronic signature – electronic proof that confirms the identity of the
signatory and links the electronic signature validation data to that person.

37. Levels of e-signature (qualified e-signature)
• Meets the requirements of advanced electronic signature and in addition, it is
created based on the use of a qualified signature creation device (QSCD) and relies
on a qualified certificate for electronic signatures.
• These two extra features ensure that the qualified e-signature is unique,
confidential and secure.
• Only electronic signature that is equal to handwritten signature (wet signature) and
there cannot be exceptions in national law

38. Legal consequences
• Qualified electronic signatures are equal to handwritten signatures (eIDAS article
25)
• Usage in private sector?
• Usage in public sector?

39. How to become a qualified trust service provider?
• Apply to a conformity assessment body assessing compliance against the
requirements for qualified trust service providers and qualified trust services.
• The conformity assessment body will produce a conformity assessment report,
demonstrating how the requirements have been met.
• Submitting the report to national supervisory authority who will grant you qualified
status if appropriate – service will be added to the national trusted list and will be
able to use the eIDAS EU trust mark.
• There is a requirement to undergo the conformity assessment process every two
years, at your own expense.

40. Conclusion
• The eIDAS Regulation:
• ensures that people and businesses can use their own national electronic identification schemes
(eIDs) to access public services in other EU eID are available;
• creates an European internal market for eTS - namely electronic signatures, electronic seals, time
stamp, electronic delivery service and website authentication - by ensuring that they will work
across borders and have the same legal status as traditional paper based processes;
• consists of regulation, implementing acts, standards (ETSI), national laws and implementing acts;
• sets rules for mutual recognition of eIDs and cooperation between the member states;
• regulates trust service providers and trust services to be recognized across EU.

41. European legal framework for
eID and trust services: eIDAS
2.0

42. 42
Do we actually know who
is behind the computer?
Peter Steiner
published by The New Yorker on July 5, 1993
Justification for amendments: about 60% of the EU
population in 14 Member States are able to use their
national eID cross-border.
Only 14% of key public service providers across all Member
States allow cross-border authentication with an e-Identity
system.
Aim of eIDAS 2.0: by 2030 80% of the EU population are
equipped with a digital wallet that will allow them to prove
their identity and authenticate themselves on public
services in all EU countries and the UK, regardless of their
nationality
*https://commission.europa.eu/strategy-and-policy/priorities-2019-
2024/europe-fit-digital-age/european-digital-identity_en

43. Mutual Recognition of eIDs
+ currently notified eIDs
+ up to Member States to decide which schemes to notify
+ country should accept notified eIDs that are equal of higher level than the eID used in
their country (public sector)
+ Mutual recognition of electronic identities is not considered in eIDAS (although, being
an exclusive competence of the EU could be the object of international agreements
under
art. 218 TFEU)
eIDAS 2.0:
+The right of every person eligible for a national ID card to have a digital identity that is
recognised anywhere in the EU
+Operated via digital wallets available on mobile phone apps
+ MS are obliged to notify at least one “Wallet” under a national eID scheme to make
them interoperable at EU level.
©
copyright

44. 44
Article 3 (42):
is a product and service that allows the user
to store identity data, credentials and
attributes linked to her/his identity, to
provide them to relying parties on request
and to use them for authentication, online
and offline; and to create qualified
electronic signatures and seals
What is an European
Digital Wallet?

45. Main challenges
45
+ The proposal offers no rationale how the obligation to issue and recognise the wallet helps to overcome the
shortcomings of the current eIDAS regulation. The obligation to accept the wallet also degrades the proven
value of existing electronic identity schemes and results in unfair competition.
+ Proposed 24 months` timeframe for implementation is complicated, as there is no solution that meets the
requirements of the wallet and wallet-like products have to be developed from the ground up, also there are
no technical standards and/or comprehensive technical descriptions that would correspond to the proposal.
+ Concept of unique and persistent identifier has been left aside and have been replaced with record matching.

46. 46
+ “The Digital Wallet will become a reliable, all-in-one identity
gateway that puts citizens in full control of their own data and gives
them the freedom to decide exactly what information to share, with
whom, and when. From social, financial, medical, and professional
data, to contacts and much more, it will make it possible to store
personal credentials within a single digital ID.”*
+ Although technically feasible, it puts even harder responsibility on
the human side for various fraud.
+ The concept of decentralized data collection is heavily influenced.
* eIDAS 2.0 rapporteur Romana Jerković (S&D, HR)

47. Mutual Recognition of trust services
of third countries
+ currently services and service providers in the EU Trust List
+ country should accept qualified trust services if they are in use in
national service provision (Article 14 of eIDAS)
BUT
©
copyright

48. Mutual Recognition of trust services from third
countries*
https://ec.europa.eu/digital-building-
blocks/wikis/display/DIGITAL/2023/02/06/The+EC%27s+actions+on+international+compatibility+of+trust+services?preview=/640549582/661194677/Masterdeck_The%20Commission%27
s%20actions%20on%20international%20compatibility%20of%20trust%20services_Presentation.pdf
48

49. 49

50. What will change with eIDAS 2.0?
+ Trade agreement or Implementing Act for recognition
+ Non- EU should meet requirements for qualified TS/TSP
+ Should follow trusted list MRA Cookbook
50

51. Estonian national framework
for eID and trust services

52. electronic ID
the strongest identity since 2002
©
copyright
owning an ID card is compulsory
three devices: eID, mID, SmartID
70% use ID-card regularly

53. eID in Estonia
High level government provided identity
based on identity nr that is unique (eID,
mID).
• authentication
• electronic signing
• i-voting
• business, banking
• state and healthcare
• public transport
• loyalty card
High level private sector provided identity
based on identity nr that is unique (Smart
ID).
• authentication
• electronic signing
• business, banking

54. Two main legal principles in national law
• Electronic identification is as good as face-to-face identification
and
• electronic signature of certain level is equal to handwritten one.
NB! Although the framework exists there is no actual use of the concept of
professional certificate (e.g electronic seal)!

55. The hierarchy of norms
eIDAS Regulation
eIDAS implementing acts
National level laws on the
implementation of eIDAS regulation
National level
implementing acts
Standards

56. Same eIDAS-based legislative framework, BUT how to prove
your intent online?

57. What have been the challenges?

59. Nature of the security risk
The private key can be computed from the public key, which means that
theoretically:
• it was possible to digitally sign a document in the name of another person
• it was possible to enter e-services in the name of another person
• it was possible to steal a digital identity without having the physical card
• decrypt documents encrypted with the ID card

61. Lessons learned
• eID is more important than we knew AND we cannot go back on paper
• Map cross-dependencies of critical services
• Certified does not mean secure
• Have alternatives – eID card and mobile-ID, private sector solution
• Pool of experts is limited – duplicate, if possible
• How to handle a non-incident?
• Nobody wants to go back to paper, even if they could
• This will not be the last such event

62. →In the rapid technological change the product standards and audits based on standards might not
give the guarantees for a liable product
→ 2 years for the audit period is too long period, BUT the audits are expensive and there are not
many auditors for the specific topics
→The notification system is too vague, but the only solution in those cases is tight cooperation
→The next crisis can be different, the legal framework in place enabled finding solution, but from
learnings we never know what the next crisis will look like

63. Identity thefts: suspension vs declaring invalid
• If the person who has stolen/found your card does not know your PIN and/or PUK
codes, they can only obtain information that is visually printed on the card (name,
personal identification code, validity period of the card), except your photo and
signature.
• If the person also has your PIN and/or PUK codes, they can use the card to access
e-services and give digital signatures if the owner has not suspended the
certificates.

64. Cases
• On September 22, a woman contacted a 64-year-old woman living by phone, informing them about the
maintenance work at Swedbank and the problems with her woman's Smart-ID.
• The woman was then called by a man who introduced himself as a maintenance technician, asked for the
applicant's personal identification number and Smart-ID PIN codes to check that the Smart-ID application
was working.
• After a few moments, the call was made again and the petitioner was asked to authenticate himself in
the Internet bank via Smart-ID, under the pretext of completing the maintenance work.
• Misled in this way, the applicant initiated authentication in the internet bank and entered the PIN1 and
PIN2 codes, during which an unknown person gained access to the woman's bank account and made
payments to five people for a total of EUR 12,184.23, of which the bank recovered EUR 609.00.
• What could be the solution in your country?

65. How this would be solved in your own country?

66. Cross-border implications of
eID and trust services

67. Barriers based on the example of NOBID countries
• Although authenticating a citizen (i.e. allowing a person to prove they are in control of a
particular national identifier) is technically possible, the semantic interoperability between
the identities is said to be lacking.
• On the EU level, there appears to be a stalemate where the services are not accepting
foreign electronic identities because there is no demand and the lack of demand is in turn
caused by the lack of services.
• There is no concept of shared physical identity between the NOBID countries and
therefore the sharing of electronic identity is hindered.
• The lack of technical and legal standards around the identity codes appears to be a barrier.

68. Barriers based on the example of NOBID countries
• Authentication services are significantly linked to interoperability services.
• Lack of cooperation in software and service development was seen to be a cross-border barrier.
• The vast majority of citizens currently do not need cross-border services.
• Difficulties in determining the level of trust in trust services and alternatives thereof is a barrier to their use
between NOBID countries.
• The extent of the cross-border demand, challenges or potential use is difficult to estimate since there is a lack
of statistics.
• Despite international standards being present, technical compatibility in terms of the ASiC-E signature
container compatibility between NOBID countries remains a challenge as countries differ in the precise way
standards are utilised
• Electronic services are dependent on a personal identification codes both in terms of technological solution as
well as service design.
• All countries, quite naturally, prioritise their national services and compliance over cross-border compliance
and services.

69. Potential use of cross-border trust services and alternatives
thereof
• There is strong preference among Nordic countries (clearly expressed by Finland, Sweden,
Norway and Denmark) to focus on authentication in the cross-border dimension and only
then on trust services. All people should be able to have strong authentication mean to
access e-services.
• Cross-border trust between eID schemes would be the most important element as more
than 90% of the population have the means available. Many interviewees pointed out that
the first step would be for each country to have their national eID notified - this would
raise confidence in the ability to issue national eIDs in the reliable way.
• A deliberate effort must be made to start trusting identification by other countries.

70. Other observations
• The COVID-19 pandemic was seen as a major driver of eID adoption and trust
services in general.
• Personal identity tends to be under tight control of national governments while
other trust services are commonly procured within an international context (e-
delivery, timestamping, web certificates).
• Different requirements for assurance level of eIDs create interoperability problems.
• Banking is a significant driver of eID use (Bank-initiated schemes in Sweden,
Norway, Finland; respective mentions in Latvia and Estonia, Bank-owned or
operated TSPs in the Baltics, Iceland and elsewhere).

71. Other observations
• Cooperation and cross-border use are to a very large extent driven by corporate strategy of a much
wider group of organisations than just trust service providers
• Large multinationals tend to utilise centrally developed solutions using a corporate trust network
rather than adopting the local one (Latvia, Estonia)
• Integrators, document management service providers and other parties operate internationally
and bring their international cooperation networks into local context (Latvia)
• Large Relying Parties often operate internationally and seek to unify solutions at least on a
regional basis (Telia, Swedbank, SEB in the Baltics but also in other NOBID countries)
• Trust service providers operate internationally and, seeking to minimise cost, will unify solutions
creating interoperability in the process (SK ID Solutions in the Baltics, Nets, Signicat and others in
the Nordics, Dokobit)

72. What are your main
takeaways?

73. Further reading
- Study on NOBID Trust Services: https://www.digdir.no/samhandling/study-nordic-
baltic-trust-services/2058
- ROCA vulnerability and lessons learned:
https://www.ria.ee/sites/default/files/content-editors/kuberturve/roca-
vulnerability-and-eid-lessons-learned.pdf
- E-Estonia fact sheet: https://e-estonia.com/facts-and-figures/
73

74. Thank you!
Laura Kask
laura.kask@proudengineers.com
proudengineers.com