The EUid – many benefits but even more challenges?
published on 29.06.2021
The project is undoubtedly ambitious: By 2026, every Member State of the European Union is expected to offer its citizens an ID wallet that is recognised throughout the EU. How many national interests can the EUid accommodate? And what will be needed for Europe’s digital ID to stand up to the single sign-on services of the big platforms? Patrick von Braunmühl, Head of Public Affairs at Bundesdruckerei GmbH, provides answers
On the road to a European digital identity
The Süddeutsche Zeitung wrote that on 3 June the EU may have very well announced the end of the password era. How realistic is this assessment?
The EUid is certainly a very good alternative to the classic combination of username and password. Some even speak of the EU single sign-on. The European Commission has offered citizens and businesses a universal way to identify themselves as well as an extremely convenient way to present credentials, for instance, a driving licence, train ticket or certificates.
What is planned specifically?
By 2026, each Member State must offer its citizens a secure, data protection-compliant ID wallet that is recognised throughout the EU and based on the eID of the respective country. The Person Identification Data (PID), (the “Personalausweis in Germany) guarantees the identity of the wallet holder. And it makes gradually adding additional credentials to the ID wallet possible. The existing trust service providers will play an important role here, checking and verifying credentials. The remarkable thing is that up to now, official IDs have tended to be associated with official procedures. However, the European Commission’s regulation will also oblige certain industries and platforms in the private sector to accept the EUid as well. Soon we will not only be able to present our ID cards online, but also other credentials such as a driving licence.
What is the implementation status in Germany?
It is planned to introduce the Smart eID, a version of the ID card, on smartphones starting in autumn. In addition, as part of the POTENTIAL Consortium, the German Federal Government and 19 other countries in the EU are calling for funding for “Large-Scale Pilots” (LSPs) with the implementation of use cases for piloting eIDAS-compliant wallets. Germany is in the lead here in the areas of “SIM registration” and “mobile driving licences”. Bundesdruckerei is supporting the CSP implementation on behalf of the German Federal Ministry of the Interior and Home Affairs. Implementing the cross-border the use cases is to start in 2024; national tests are planned starting around the end of 2023.
In the end, there will probably be 26 more European ID wallets. Why doesn’t the EU provide one overarching system?
The European Commission’s roadmap did in fact originally consider this idea. However, I think it became clear that an EU solution would not be enforceable in the member states. Identities are by tradition a nation-state issue. We haven’t had an EU ID identity up to now. And that’s why it made sense to create a framework to facilitate the interoperability of the different national systems. What’s more, standardization would hardly have offered any advantages anyway. When it comes to digitalization and digital identities, the countries are not all on the same page, so that a certain minimum level is needed for mutual recognition of ID wallets. But a completely uniform model would have been illusory. It would take years of negotiation and probably would have ended up tabled.
Now, however, the challenge of interoperability does not appear to be that small either ...
There’s no question about it, the consultations on architectural standards will not be easy. Especially where requirements are concerned. Massive conflicts already broke out during negotiations on the most recent eIDAS Regulation – and at that time all that was at stake was the mutual recognition of the eID. When it came to implementation, the supervisory authorities of the member states sometimes set the bar for trust services even higher. The EU will therefore ensure greater harmonization through more implementing acts. The Cybersecurity Act already provides some references for this – the European Union Agency for Cybersecurity (ENISA) specifies certain standards and certification requirements that are binding throughout Europe. The ambitious timeframe set for the EUid could also be of help, since all the stakeholders are aware that things will have to move quickly. After all, they are competing with big platforms when it comes to digital identities. The time has come to shift up a gear, otherwise this opportunity will be missed. Incidentally, it is essential for the legislative process to go hand in hand with technical development rather than the latter taking the back seat.
Social acceptance could pose an even greater challenge. In surveys on digital identities, the majority of people favor a sovereign rather than a private-sector solution. In reality, however, the single sign-on services of the US platforms are in fact hugely popular. How do you take the EUid to a broader user group?
Although it may sound like a platitude, but the fact of the matter is simply that politics must win people over. This can be achieved, for instance, through communication and education. Example: The Covid warning app where an awareness campaign led to a high level of acceptance. Usability is also important – the EUid should be convenient and it should make life much easier. At the same time, it needs a sufficient number of applications. As unpopular as visits to public authorities are, it’s not something that citizens have to do on a regular basis every year. This means that an ID solely for eGovernment is unlikely to get people in this country excited. But, if the ID wallet can be used much like a single sign-on, this changes everything. The data sovereignty argument would really come into play and people would opt for the solution authorized by their own government.
This also means that the private sector can do a lot to ensure acceptance of the EUid, doesn’t it?
Right. In the health and finance sectors alone, there is a vast range of possible applications. And especially for SMEs and start-ups, it might be worthwhile to rely on a sovereign ID system. That would give them direct contact with their customers, reducing their dependence on large platforms or virtual marketplaces. A real win-win situation, since companies benefit while at the same time building up the critical mass of application possibilities that will take the EUid into the mainstream.
Could we learn here from highly digitalized countries like Estonia?
Absolutely. We can learn a lot from Estonia and the Scandinavian countries. However, each state has its own individual requirements. Estonia is a small country that had to completely redefine many of its processes following independence from the Soviet Union. That made it easier for them to go digital at an earlier stage.