More secure transactions on the Internet
Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market
The Electronic Identification and Trust Services (eIDAS) Regulation creates a new system for secure electronic interactions across the EU between businesses, citizens and public authorities.
It aims to improve trust in EU-wide electronic transactions and to increase the effectiveness of public and private online services and e-commerce. It applies to:
electronic identification (eID)* schemes notified to the European Commission by EU countries;
trust service providers based in the EU.
It removes existing barriers to the use of eID in the EU. For instance, it would now be straightforward for a Portuguese firm to tender for a public service contract in Sweden, while EU funding grants can be managed wholly online.
eID issued in one EU country must be recognised in all others. This applies only if the eID meets the regulation’s requirements and has been notified to the Commission and published in a list. Mutual recognition of eIDs will be mandatory from 28 September 2018 and will facilitate secure electronic transactions across the EU.
An eID scheme must specify one of three levels of assurance (low, substantial and high) for the form of electronic identification issued under that scheme. Mutual recognition is mandatory only when the relevant public sector body uses the ‘substantial’ or ‘high’ levels for accessing that service online.
When notifying the Commission of eID schemes, EU countries must provide information on aspects such as:
the level of assurance and the issuer of eID under that scheme;
the applicable supervisory and liability systems;
the body managing the registration of unique personal ID data.
In the event of a security breach of the eID scheme or authentication, the notifying EU country must:
quickly suspend/revoke the EU-wide authentication or the compromised parts of the scheme; and
inform other EU countries and the Commission.
In any transaction between EU countries where there is a failure to comply with the regulation’s obligations, the following parties can be held liable for any damage caused intentionally or negligently to any person or body:
a notifying EU country;
the party issuing the eID;
the party managing the authentication procedure.
Cooperation and interoperability among EU countries
National eID schemes notified must be interoperable. The interoperability framework must be technology-neutral, not favouring any specific national technical solutions for eID.
The regulation defines trust services as paid-for services that include:
the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services; or
the creation, verification and validation of certificates for website authentication; or
the preservation of electronic signatures, seals or certificates related to those services.
Trust service providers based in the EU are considered ‘qualified’ if they meet the regulation’s applicable requirements. They are legally entitled to provide qualified trust services (e.g. qualified electronic signatures, seals or certificates) in all EU countries. Trust services offered by service providers from non-EU countries can be considered legally equivalent to qualified ones, but only after an agreement between the EU and the non-EU country or an international organisation.
EU countries must select one or more bodies for the supervisory activities under this regulation. These bodies must cooperate with data protection authorities where appropriate.
All trust service providers are subject to supervision and to risk management and security breach notification obligations.
Non-qualified trust service providers are subject to ‘light-touch’ supervision, i.e. the supervisory body only reacts if the provider is suspected of misconduct.
Qualified trust service providers based in the EU are subject to strict supervision. This includes prior authorisation by supervisory bodies and auditing at least once every 2 years by an organisation that assesses whether they meet regulation requirements.
A new, voluntary EU trust mark will identify the qualified trust services provided by the relevant providers.
A series of acts adopted by the European Commission in the course of 2015 set out:
procedural arrangements for cooperation between EU countries on electronic identification;
specifications relating to the form of the EU trust mark for qualified trust services;
technical and operational requirements of the interoperability framework;
minimum technical specifications and procedures for assurance levels for eID means;
technical specifications and formats relating to trusted lists;
specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies; and
circumstances, formats and procedures of notification of eID schemes.
Application & Background
It applies from 17 September 2014.
Electronic identification (eID): tangible or intangible forms of identification containing personal ID data as used for authenticating an online service.
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, pp. 73-114)
The successive amendments to Regulation (EU) No 910/2014 have been incorporated into the original document. This consolidated version is of documentary value only.
Protecting electronic pay services against piracy
Legal protection of services based on, or consisting of, conditional access – Directive 98/84/EC
—The objective of this directive on the legal protection of services based on conditional access (i.e. access in return for a subscription) is to protect electronic pay services against piracy.
—It prohibits all commercial activities involving the manufacture, distribution or marketing of smart cards (plastic cards with built-in microprocessors or microchips) and other devices which make it possible to bypass protected access to television, radio and Internet pay services.
The directive covers all services supplied on the basis of conditional access, such as pay-television and pay-radio services, on-demand video and audio services, electronic publishing and a large range of on-line services that are available to the public on a subscription or pay-per-view basis.
Each EU country must introduce laws to ban:
—the production, import, sale, rental or possession for commercial profit of illegal equipment or software enabling unauthorised access to a protected service;
—installing, servicing or replacing illegal equipment for commercial profit;
—advertising that promotes illegal equipment or software.
Penalties and remedies
Each EU country must ensure it enacts measures:
—to introduce sanctions which are effective, dissuasive and proportional to the potential impact of the unlawful behaviour;
—to ensure that service providers adversely affected by unlawful behaviour can go to court to seek damages and an injunction and, where appropriate, apply for the seizure of illegal devices.
Principles relating to the internal market
EU countries may not restrict the:
—provision of protected services, or associated services, that originate in other EU countries;
—free movement of conditional access devices, except those devices designated as illicit by the directive (i.e. any equipment or software designed or adapted to give access to a protected service in an intelligible form without the authorisation of the service provider).
Council of Europe Convention
In 2015, the Council of the European Union approved, on behalf of the EU, the Council of Europe Convention on the legal protection of services based on, or consisting of, conditional access, which entered into force in 2003. The signing by the EU of the Convention is likely to encourage other members of the Council of Europe to ratify it. This would extend the application of rules similar to those in Directive 98/84/EC beyond the EU’s borders, and thus result in a law on services based on conditional access which would be applicable throughout the European continent.
Legal Protection of conditional access services
Directive 98/84/EC of the European Parliament and of the Council of 20 November 1998 on the legal protection of services based on, or consisting of, conditional access (OJ L 320, 28.11.1998, pp. 54–57)
Council Decision 2014/243/EU of 14 April 2014 on the signing, on behalf of the European Union, of the European Convention on the legal protection of services based on, or consisting of, conditional access (OJ L 128, 30.4.2014, p. 61)
Council Decision (EU) 2015/1293 of 20 July 2015 on the conclusion, on behalf of the European Union, of the European Convention on the legal protection of services based on, or consisting of, conditional access (OJ L 199, 29.7.2015, pp. 3–5)
Report from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions – Second Report on the implementation of Directive 98/84/EC of the European Parliament and of the Council of 20 November 1998 on the legal protection of services based on, and consisting of, conditional access (COM(2008) 593 final of 30 September 2008)
On the legal protection of electronic pay services – Report from the Commission to the Council, the European Parliament and the European Economic and Social Committee on the implementation of Directive 98/84/EC of the European Parliament and of the Council of 20 November 1998 on the legal protection of services based on, or consisting of, conditional access (COM(2003) 198 final of 24 April 2003)
Combating Document Fraud: the False and Authentic Documents Online System
Regulation (EU) 2020/493 on the false and authentic documents online (FADO) system
It repeals Council Joint Action 98/700/JHA, which originally established the European image archiving system on false and authentic documents online (FADO).
It sets out a new legal basis for the FADO system, updating its management system by adapting it to the new institutional base set out in Article 87(2)(a) of the Treaty on the Functioning of the European Union.
The false and authentic documents online system
The FADO system contains information on authentic documents issued by EU countries, the EU and third parties (such as non-EU countries, territorial entities, international organisations and other entities subject to international law) and on false versions of those documents.
It aims to contribute to the fight against document and identity fraud by:
sharing information on the security features of, and potential fraud characteristics in, authentic and false documents between the EU countries’ authorities competent in the area of document fraud;
sharing information with other actors, including the general public.
The FADO system contains information on documents issued by EU countries or the EU. Documents include:
travel, identity, residence and civil status documents;
driving licences and vehicle licences.
It may also contain information on:
equivalent documents issued by third parties;
other related official documents, in particular those used in support of applications for official documents, issued by EU countries and, where applicable, third parties.
The information to be included in the system includes:
information, including images, on authentic documents, specimens of those documents and their security features;
information, including images, on false documents, whether forged, counterfeit or pseudo documents, and their fraud characteristics;
summaries of forgery techniques;
summaries of the security features of authentic documents;
statistics on detected false documents.
The system may also contain handbooks, contact lists, information on valid travel documents and their recognition by EU countries, recommendations on effective ways of detecting specific methods of falsification and other useful related information.
The EU countries, the EU and third parties must submit this information to the European Border and Coast Guard Agency (Frontex) set up by Regulation (EU) 2019/1896. Technical support for Frontex can be provided by eu-LISA, which was set up by Regulation (EU) 2018/1726.
The FADO system provides users with different levels of access to information:
The European Commission and Frontex, to the extent necessary for the performance of their tasks, and relevant national authorities, such as police, border guard and other law enforcement authorities, have secure access to the FADO system on a need-to-know basis.
The general public has access to specimens of authentic documents or authentic documents with pseudonymous data.
Other actors can gain access to information stored in the FADO system in a limited manner:
other EU institutions, bodies, offices and agencies, including Europol, which was set up by Regulation (EU) 2016/794;
third parties, such as non-EU countries, territorial entities, international organisations and other entities subject to international law;
private entities, such as airlines and other carriers.
Personal data is protected by Regulation (EU) 2016/679; use of data by police and judicial authorities is specifically protected by Directive (EU) 2016/680.
Frontex must apply the rules set out in Regulation (EU) 2018/1725.
Application & Background
It has applied since 26 April 2020.
The regulation builds upon the Schengen acquis, which certain EU countries may opt into or out of on the basis of protocols attached to the Lisbon Treaty.
Denmark did not take part in the adoption of the regulation and is therefore neither bound by it nor subject to its application. It can, however, decide to opt in within a period of 6 months after the regulation takes effect.
Ireland, although not a member of the Schengen zone, has chosen to take part.
The regulation also applies to Iceland, Liechtenstein, Norway and Switzerland.
Regulation (EU) 2020/493 of the European Parliament and of the Council of 30 March 2020 on the false and authentic documents online (FADO) system and repealing Council Joint Action 98/700/JHA (OJ L 107, 6.4.2020, pp. 1-8)
Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on the European Border and Coast Guard and repealing Regulations (EU) No 1052/2013 and (EU) 2016/1624 (OJ L 295, 14.11.2019, pp. 1-131)
Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, pp. 99-137)
Consolidated version of the Treaty on the Functioning of the European Union — Part Three — Union policies and internal actions — Title V — Area of freedom, security and justice — Chapter 5 — Police cooperation — Article 87 (ex Article 30 TEU) (OJ C 202, 7.6.2016, pp. 83-84)
Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, pp. 53-114)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1-88)
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, pp. 89-131)