man sitting at a table in the office

eIDAS at government organizations – A visit to Wiesbaden

With its eIDAS Regulation, the European Union has opened the door to fully digital processes. This is also the case for government organizations. Jan Klumb from the so-called ‘Online City Hall Team’ of the City of Wiesbaden, however, believes that the regulations for trust services in this country could go much further.

The quest for more digitalization takes us to Brussels

New regulations that change established processes – that sounds more like a scenario that would set off alarm bells among public authorities. Mr Klumb, on the other hand, has been looking for precisely these regulations for years. He is head of the registry office and the citizens' bureau of the City of Wiesbaden. It is likely that his yearning for new workflows stems primarily from his role as head of the Online City Hall Team. “Our digitalization drive probably became really acute in 2012, around the time when the City of Wiesbaden – as one of the first municipalities in Germany – introduced its Citizen Service Portal,” Mr Klumb explains. At the time, colleagues at the office were specifically looking for laws that would help the authority to handle services on a purely digital level.

 

“We didn’t have many options,” Mr Klumb says. And the Online Access Act was still a long way away. Although the eGovernment Act from 2013 did create a framework for electronic processes, it took some time before this found its way into administrative regulations. The Hessian variant came into force in September 2018. In the end, the big change came neither from Berlin nor from Wiesbaden, but from Brussels. In 2014, the EU presented a recipe for the digitalization of business and administrative processes, i.e., a regulation for ‘electronic IDentification, Authentication and trust Services’ – eIDAS Regulation for short. Mr Klumb and his team were particularly interested in the trust services defined there.

“We experiment a lot, we have digitally signed deeds with a qualified signature and now we want to begin using the qualified seal to confirm our identity as an organization.”

Jan Klumb, Registrar, Head of Department and Head of the Online City Hall Team of the City of Wiesbaden

eIDAS trust services in the name of love

The most important trusted service was and is the qualified electronic signature (QES) “Strictly speaking, we have been using the QES since 2010 to digitally sign civil status entries and then transfer them to the electronic civil status register,” Mr Klumb explains. So far, so pragmatic. That's QES. The time of great emotions was yet to come – in 2020. Since then, people have been able to register their marriage in Wiesbaden online – all thanks to the QES. “Some registry offices had severely limited the dates they were offering for registering marriages,” Mr Klumb recalls. “But our motto was: There must always be a place for love in the pandemic, all the more so since everyone has a legal right to marry. Now, in a pilot project, people can identify themselves via VideoIdent, generating a QES according to eIDAS which they can then use to digitally sign the application for a marriage license.”

By the end of 2021, more than 1,800 marriage license registrations were made official in this way. And last but not least, a 90 percent positive feedback rate has encouraged the registry office to expand its range of services. “We experiment a lot, we have digitally signed deeds with a qualified signature, and now we want to begin using the qualified seal to confirm our identity as an organization,” says Mr Klumb. His team is currently trying out a digital birth certificate with a QES and a qualified seal. “When people use their birth certificate, it is usually simply to present it to another public authority which costs time, not to mention the hassle of looking for it,” says Mr Klumb. “Ideally, the once-only principle will prevail at some point in time, leaving the data to do the running and not citizens. But until then, we could do with an interim solution, because as it stands now around 80 percent of data is available in 'paper' format which has to be first digitized by registrars and then digitally signed and transferred to the electronic civil status register.”

 

Why the eIDAS Regulation must be included in specialized laws

For now, the digital birth certificate is still an experiment. That’s because there is simply no specialized law that permits such a document – a fact that reveals the general problem with the eIDAS Regulation in Germany. Mr Klumb has developed his own narrative to describe this: “If this country were a human being, you would see a little eIDAS Regulation angel sitting on one shoulder, promoting digitalization. On the other shoulder, however, a little devil – the specialized law slowing everything down.” For Mr Klumb, there is only one way to put that little devil in its place: “Germany simply has to adapt its specialized laws by including reference to eIDAS.”

 

PSD2 – A prime example of eIDAS integration

Mr Klumb’s ideas are strongly supported by Christian Seegebarth, an eIDAS expert at D-Trust GmbH, a company of the Bundesdruckerei Group. He is also co-author of a study on the challenges of implementing the eIDAS Regulation in Germany. His wish is for laws, especially for new laws, to be reviewed with a view to their applicability in the digital space. This is what Germany’s National Regulatory Control Council refers to as digital suitability in its report entitled ‘Monitor Digitale Verwaltung #6’. "Whenever authentication and identification come into play, the law should read: ‘For these purposes, eIDAS trust services are to be integrated,’” Mr Seegebarth emphasizes.

It is particularly important to him to understand signatures, seals and website certificates as tools that can create new opportunities rather than restrictions. Just like the European Union’s Payment Services Directive 2 (PSD2) which is a prime example, so to speak, of how eIDAS trust services can be integrated into a specialized law.

The PSD2 of 2019 is considered to be an important step towards open banking. Banks are required to grant payment service providers access to their customer accounts. However, access is only possible if the companies can identify themselves with a qualified website certificate (QWAC) or a qualified electronic seal (QSeal). And the banks can also use these trust services to identify themselves. “Suddenly, two companies are communicating with each other here which had no business relationship at all,” says Mr Seegebarth. “This offers a certain degree of potential for new business models.”

 

Number plates for the digital space

By using eIDAS trust services, the transaction remains highly secure. Mr Seegebarth compares QWACs and QSeals to a number plate. After all, the trust between road users is rooted in the fact that their identity can be quickly traced in an emergency.

But how can eIDAS services now find their way into the specialized laws? The European Commission can help here with its Better Regulation Toolbox. The Better Regulation project by the Federal Ministry of the Interior and Community (BMI) also points in the right direction. Mr Seegebarth could envisage supplementing these efforts with an impact assessment of laws for the digital transformation. He also believes in the technical affinity of the authors of regulations.

And we really don’t have far to go, as Mr Klumb noticed during a digital wedding ceremony: “The Civil Status Act states that in the event of an important reason, it is possible to revert to the written form requirement, which the qualified electronic signature actually fulfils.” So, what we need is not so much words, but important reasons in order to promote eIDAS and the digitalization of the public administration. The important reason at present is only formally the Covid‑19 pandemic, however, Germany’s Online Access Act (OZG, Onlinezugangsgesetz) or eIDAS are unfortunately not considered to be important reasons. It is not until the announced and urgently needed change in the specialized law has been implemented will it be possible to apply the procedure without restriction, even after the Covid‑19 pandemic. Putting it in a nutshell, the time is ripe for new regulations.

"Whenever authentication and identification come into play, the law must read: ‘For these purposes, eIDAS trust services are to be integrated.’”

Christian Seegebarth, Senior Expert Trusted Solutions at D-Trust GmbH
Christian Seegebarth, Senior Expert Trusted Solutions at D-Trust GmbH