November 14, 2019

Blog postEJBCA EnterpriseGovernmentTrust Service Provider

ENISA Trust Services Forum and CA Day 2019 – My reflections from the events and the eIDAS evolution

tomas gustavsson

I attended two co-organized events in Berlin, The ENISA Trust Services Forum and CA Day, during the course of two days this year. It felt like one event because most people were there for both days, but nevertheless the focus for each is slightly different. The 2019 event was attended by more than 200 people, mostly from Europe but also from other parts of the world. The eIDAS regulation is attracting attention, as everyone is on the path toward further digitization of society, and it is a good practice to share experiences and learn what others are doing. You can easily say that the events were well organized and I can highly recommend attending.

It is clear that eIDAS is truly a long-term vision and a journey aimed to bring great benefits to citizens, government, businesses and society at large. We have come a long way on this journey during the past few years, but it is also clear that there are further steps that need to be taken. The need for an improved internal market for e-transactions is obvious and from the data that was presented during the event there were still only a small number of e-transactions between member states. While eIDAS does a lot to tear down digital barriers for government communication and trade barriers for technology companies to provide services across Europe, the EU still consists of individual Member States who have a strong independence, different traditions and different short-term goals. This definitely sets some limits to the speed of which the EU wide changes can take place. Three topics that were discussed extensively and that I want to highlight:

  • Conformity of audits used to gain the status of Qualified Trust Service Provider (QTSP)
  • Remote initial identification of persons when issuing digital IDs
  • Review of the eIDAS regulation

From my experience, the differences between audits in different countries and with different auditors were discussed as an issue in the times before eIDAS, under the old Directive, and it is still a hot topic. In addition to this, something that I learned is that the only mandatory document to fulfill in an eIDAS audit is the eIDAS regulation. The ETSI standard guiding technical implementations are not required by the law and the result is that a QTSP can implement the same regulatory requirement in different ways than suggested by the ETSI specifications, if the auditor, the CAB and the supervisory body approves it. Thus, finding conformity between audits is currently a far goal. Initial registration of individuals in many cases still require physical presence at some stage in the process. Remote identification for enrollment of individuals is a topic which has seen a lot of thought and innovation. In some member states, there are systems for remote identification, such as over a video link. This is not allowed in other member states. A conclusion from the event is that there is a clear desire for standardization in this area, both from technology vendors and TSPs. Finally, a mandatory review of the eIDAS regulation will be presented in 2020. The high level scope is to try to answer the following questions:

  • Can we offer convenience?
  • Can we offer consumer choice?
  • Are we protecting data and privacy?
  • Is there a level playing field for business?
  • What is our global reach?

My reflection is that eIDAS is already partly a success and the continued success of the regulation will depend on the level of reach and usage. Proper understanding and being able to measure aspects like usability for all, security and personal privacy and business drivers will be crucial for taking the next steps. On the more detailed level, the review will most likely include suggestions on modifications for some of the topics discussed above.  

Want to know more about our view on eIDAS?

Driving transparency, interoperability and innovation across the European Union with eIDAS.

PrimeKey on eIDAS  



Tomas Gustavsson

Tomas is the co-founder and CTO of PrimeKey. He has been implementing PKI systems since 1994. As founder and developer of the open source enterprise PKI project, EJBCA, contributor to numerous open source projects, and member of the board of Open Source Sweden, Tomas is passionate about helping users worldwide to find the best possible PKI and digital signing solutions.