The EUid – many benefits but even more challenges?
The project is without doubt ambitious. By 2023, every member state of the European Union is to offer its citizens an ID wallet that is recognized throughout the EU. How many national interests can the EUid bear? And what does it take for Europe’s digital identity to succeed against the single sign-on services of the big platforms? Patrick von Braunmühl, Head of Public Affairs at Bundesdruckerei GmbH, explains more.
On the road to a European digital identity
The Süddeutsche Zeitung wrote that on 3 June the EU may have very well announced the end of the password era. How realistic is this assessment?
The EUid is certainly a very good alternative to the classic combination of username and password. Some even speak of the EU single sign-on. The European Commission has offered citizens and businesses a universal way to identify themselves as well as an extremely convenient way to present credentials, for instance, a driving licence, train ticket or certificates.
What exactly is planned?
Each member state must offer its citizens a secure ID wallet that complies with data protection requirements from the end of 2023 which will be recognized throughout the EU and based on the eID of the respective country. This basic ID, in our case the German ID card identifies the wallet holder. And it allows more credentials to be gradually added to the ID wallet. Today’s trust service providers will be entrusted to check and verify credentials. What’s remarkable here is that up to now, when we think of sovereign IDs, we mostly think of dealings with public authorities. However, the European Commission regulation will also require certain sectors and platforms in the private sector to accept the EUid. This means that in addition to presenting our ID cards or certificates [https://www.bundesdruckerei.de/de/digitale-zeugnisse] online, we will soon be arriving at airports and able to get straight into our rental car because we already have the car key on our smartphone.
How far is implementation in Germany?
We are planning a big step right now. With the Smart eID, a derivative of the German ID card will be available on smartphones beginning in autumn. And a lot has happened in conjunction with this development too. Take, for instance, self-sovereign identity (SSI): there’s the IDunion or the pilot project for hotel check-in based at the Federal Chancellery. All this is perfectly in line with what the EU has in mind.
In the end, there will probably be 26 more European ID wallets. Why doesn’t the EU provide one overarching system?
The European Commission’s roadmap did in fact originally consider this idea. However, I think it became clear that an EU solution would not be enforceable in the member states. Identities are by tradition a nation-state issue. We haven’t had an EU ID identity up to now. And that’s why it made sense to create a framework to facilitate the interoperability of the different national systems. What’s more, standardization would hardly have offered any advantages anyway. When it comes to digitalization and digital identities, the countries are not all on the same page, so that a certain minimum level is needed for mutual recognition of ID wallets. But a completely uniform model would have been illusory. It would take years of negotiation and probably would have ended up tabled.
Now, however, the challenge of interoperability does not appear to be that small either ...
There’s no question about it, the consultations on architectural standards will not be easy. Especially where requirements are concerned. Massive conflicts already broke out during negotiations on the most recent eIDAS Regulation – and at that time all that was at stake was the mutual recognition of the eID. When it came to implementation, the supervisory authorities of the member states sometimes set the bar for trust services even higher. The EU will therefore ensure greater harmonization through more implementing acts. The Cybersecurity Act already provides some references for this – the European Union Agency for Cybersecurity (ENISA) specifies certain standards and certification requirements that are binding throughout Europe. The ambitious timeframe set for the EUid could also be of help, since all the stakeholders are aware that things will have to move quickly. After all, they are competing with big platforms when it comes to digital identities. The time has come to shift up a gear, otherwise this opportunity will be missed. Incidentally, it is essential for the legislative process to go hand in hand with technical development rather than the latter taking the back seat.
Social acceptance could pose an even greater challenge. In surveys on digital identities, the majority of people favor a sovereign rather than a private-sector solution. In reality, however, the single sign-on services of the US platforms are in fact hugely popular. How do you take the EUid to a broader user group?
Although it may sound like a platitude, but the fact of the matter is simply that politics must win people over. This can be achieved, for instance, through communication and education. Example: The Covid warning app where an awareness campaign led to a high level of acceptance. Usability is also important – the EUid should be convenient and it should make life much easier. At the same time, it needs a sufficient number of applications. As unpopular as visits to public authorities are, it’s not something that citizens have to do on a regular basis every year. This means that an ID solely for eGovernment is unlikely to get people in this country excited. But, if the ID wallet can be used much like a single sign-on, this changes everything. The data sovereignty argument would really come into play and people would opt for the solution authorized by their own government.
This also means that the private sector can do a lot to ensure acceptance of the EUid, doesn’t it?
Right. In the health and finance sectors alone, there is a vast range of possible applications. And especially for SMEs and start-ups, it might be worthwhile to rely on a sovereign ID system. That would give them direct contact with their customers, reducing their dependence on large platforms or virtual marketplaces. A real win-win situation, since companies benefit while at the same time building up the critical mass of application possibilities that will take the EUid into the mainstream.
Could we learn here from highly digitalized countries like Estonia?
Absolutely. We can learn a lot from Estonia and the Scandinavian countries. However, each state has its own individual requirements. Estonia is a small country that had to completely redefine many of its processes following independence from the Soviet Union. That made it easier for them to go digital at an earlier stage.