eIDAS Regulation Compliance

eIDAS Regulation Compliance

Thales can help your organization comply with the European Union’s eIDAS regulation.

  • Regulation
  • Compliance

eIDAS regulation summary

The Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (referred to as the eIDAS -- electronic IDentification and Authentication Services) was published by the European Union as Regulation (EU) No 910/2014 on August 28, 2014. Most of its provisions took effect July 1, 2016, and it repeals the existing eSignatures Directive.

Because it is a regulation and not merely a directive (as was predecessor eSignatures), eIDAS is not open to interpretation and represents European Union law. eIDAS was developed to ensure the ability to safely conduct electronic transactions online when dealing with businesses or public services, allowing both the signatory and the recipient a higher level of convenience and security.

What is regulated?

eIDAS mandates two primary codes of practice:

Interoperability of government issued ID

This section of the eIDAS mandates EU Member States to mutually recognize each other’s electronic identification (eID) systems when accessing online services. This cross-border recognition makes eID from any EU Member State interoperable between all other Member States. Although this is a mandate for the public sector, the private sector will follow suit, if it indeed proves to make business transactions easier, faster, and cheaper and truly opens up business opportunities across borders.

Single digital market

While the eSignatures directive guaranteed the admissibility of electronic signatures, eIDAS will go a step further in defining and providing requirements associated with Trust Services to ensure the security of electronic transactions. With eIDAS, Electronic Trust Services (eTS), including electronic signatures, electronic seals, time stamps, electronic registered delivery service, and website authentication, will work across borders and will have the same legal status as paper-based processes. The goal is to increase confidence in the safety and reliability of digital transactions, which will lead to growing adoption and usage.

eIDAS and electronic signature

eIDAS recognizes electronic signatures as legally binding and identifies different levels of electronic signature.

  • Electronic signatures -- are basic signatures in electronic form. With eIDAS, eSignatures are recognized legally and can’t be denied legal acceptance because they are digital.
  • Advanced electronic signatures (AdES) -- require a higher level of security typically met with certificate-based digital IDs. AdES must be uniquely linked to the signatory, can authenticate the signer and the document, and enable the verification of the integrity of the signed agreement.
  • Qualified electronic signatures (QES) -- also must be uniquely linked to the signatory but are further required to be based on qualified certificates. Qualified certificates can only be issued by a certificate authority (CA) accredited and supervised by authorities designated by EU Member States. Qualified certificates must also be stored on a qualified signature creation device (QSCD), such as a USB token, smart card or a cloud-based hardware security module (HSM). In order to provide qualified eSignature services, a trust service provider must be granted qualified status.

How to prove digital signature compliance with eIDAS

Common Criteria is an international set of guidelines and specifications for evaluating information security products, specifically to ensure they meet an agreed-upon security standard for government deployments. Common Criteria (CC) certification is a pre-requisite for qualified digital signatures under the eIDAS Regulation.

Smart cards

Thales’s IDPrime MD 840 and IDPrime MD 3840 smart cards are both CC EAL5+ / PP Java Card certified for the Java platform and CC EAL5+ / PP QSCD certified for the combination of Java platform plus PKI applet. The CC EAL5+ / PP QSCD certification is based on the Protection Profiles EN 419211 parts 1 to 6, as mandated by eIDAS Regulation.

Hardware security modules (HSMs)

The Thales Luna Hardware Security Module (HSM) v.7.7.0, is certified in accordance with Common Criteria (CC) at EAL4+ level against the electronic IDentification, Authentication and Trust Services (eIDAS) Protection Profile (PP) EN 419 221-5. Luna HSM 7 has also received eIDAS certification as both a Qualified Signature and Qualified Seal Creation Device (QSCD). In addition, the Luna HSM (generations 6 and 7) has already achieved multiple certifications as a standalone QSCD or as part of a composite QSCD with various remote signing solution vendors from the conformity assessment bodies (CAB) in Austria, Italy and Spain (in accordance with Article 30.3.b [Alternative Processes]). These certifications provide Thales customers and partners within and outside Europe with the highest levels of assurance and conformity for seamless cross border electronic identification and trust services.

Qualified Trust Service Providers (QTSP)s as well as public or private companies that issue digital certificates and provide local or remote digital signatures and seals (advanced and qualified), timestamp, electronic delivery, and website authentication services, can now use Luna HSM 7 as a part of their eIDAS-compliant solution. QTSPs can also issue qualified certificates for customers using on-premises Luna HSM 7 for eIDAS QSCD purposes.

Both cloud-based and on-premises HSM solutions comply with eIDAS, but the HSM employed must be certified as a QSCD device. In remote work environments users and applications must be able to access digital signature keys whenever and wherever they are needed. HSMs are used to manage and protect the private signing keys of signatories, without the signatory being in possession of the key (as is the case when smartcards are used). As such, HSMs facilitate the creation of mutually binding legal documents across all EU/EEA member states.

These keys are maintained in the TSP environment (yet controlled by the HSM), which is certified by an accredited national body. For the secure execution of their operations and services, TSPs deploy and maintain the required HSMs to be used as qualified devices for electronic signature creation. Essentially, these HSMs act as a root of trust.

Why you need a Luna HSM

Electronic signatures, electronic seals, high-volume code signing, and other sensitive cryptographic operations require high-throughput performance. Furthermore, Luna HSMs are designed to protect sensitive key material for its entire lifecycle, regardless of the environment. In addition, a broad partner ecosystem enables organizations to secure many mainstream and specialized applications.

As eIDAS certified devices, Luna Network and PCIe card HSMs provide the strong performance, high-assurance key protection, and centralized administration/monitoring of crypto operations required for eIDAS compliant electronic signatures, seals and other trust services. As the market leader, Thales’ Luna HSM is the foundation of trust for enterprise and government organizations worldwide.

Secure your digital assets, comply with regulatory and industry standards, and protect your organization’s reputation. Learn how Thales can help.

Risk Management Strategies for Digital Processes - White Paper

Risk Management Strategies for Digital Processes with HSMs - White Paper

An Anchor of Trust in a Digital World Business and governmental entities recognize their growing exposure to, and the potential ramifications of, information incidents, such as: Failed regulatory audits Fines Litigation Breach notification costs Market set-backs Brand...

Thales Data Protection on Demand Services

Thales Data Protection on Demand Services - Solution Brief

Thales Data Protection on Demand (DPoD) is a cloud-based platform that provides a wide range of Cloud HSM and key management services through a simple online marketplace. With DPoD's extensive platform of Luna Cloud HSM, CipherTrust Key Management, payment, and partner-led...

Choosing the Right Cloud HSM - Webinar

Choosing the Right Cloud HSM - Webinar

Join us as we discuss the complexities of managing native cloud HSMs separately, leading to islands of security with different features and rules for each.

Data Security Compliance and Regulations - eBook

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

Luna Network HSM

Luna Network Hardware Security Module - Product Brief

Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance and...

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.