The Digitalist Team
October 11, 2024

Enhancing eIDAS with Common Criteria: Security and Interoperability in the EU

7 min reading time

The European Union's digital infrastructure is continuously evolving to facilitate secure, cross-border electronic transactions. In this context, two crucial frameworks, the eIDAS regulation and the Common Criteria standard, play pivotal roles. eIDAS (Electronic Identification, Authentication, and Trust Services) aims to unify and enhance electronic identification systems across the EU. Meanwhile, the Common Criteria standard offers a comprehensive framework for evaluating the security of IT products and systems.

This article delves into how eIDAS and Common Criteria work together, why they are critical for the EU's digital future, and how they ensure a secure, interconnected framework for electronic identification and trust services across member states.

The regulation is foundational to the EU’s digital single market. Source: Freepik

The eIDAS Regulation, formally known as Regulation (EU) No 910/2014, establishes a unified framework for electronic identification and trust services across the European Union.

The regulation is foundational to the EU’s digital single market and is designed to enhance electronic transactions' security, trustworthiness, and efficiency across member states. By establishing common standards for trust services such as digital signatures, electronic seals and timestamps, eIDAS ensures that these services are legally recognized and interoperable throughout the EU.

eIDAS plays a critical role in the digital single market by fostering widespread acceptance of electronic identification and trust services across all EU member states. 

This facilitates cross-border transactions and boosts economic growth by promoting innovation and removing barriers to digital interactions. The framework supports both public and private sector transactions, enabling citizens and businesses to securely engage in digital interactions, from signing contracts to accessing governmental services.

One of the regulation's key contributions is the definition of electronic identification (eID), which allows individuals and businesses to verify their identity online. It defines three assurance levels for electronic identification systems (low, substantial, and high) depending on the robustness and security of the identification process. This categorization ensures that electronic identification systems across member states are reliable, secure, and capable of supporting trust in cross-border digital interactions.

The updated regulation will allow users to securely store information such as driver’s licenses, health insurance cards, and financial data within one network. Source: Freepik

What is eIDAS 2?

With technological advancements rapidly transforming the digital landscape, the original eIDAS regulations needed an update to address new use cases and emerging technologies. This led to the proposal of eIDAS 2, an enhancement of the existing framework aimed at expanding its scope and improving usability.

eIDAS 2 is a revision of the 2014 regulation designed to incorporate new technological solutions such as mobile applications, digital wallets, and blockchain-based technologies. One of its most significant changes is the introduction of the European Digital Identity Wallet. 

This wallet will enable EU citizens and businesses to store and manage their personal identification and credentials digitally. It will allow users to securely store information such as driver’s licenses, health insurance cards, and financial data within one secure, interoperable framework.

In addition, the new regulation aims to strengthen the mutual recognition of electronic identities (eIDs) across the EU, promoting seamless access to public and private services across borders. This enhanced mutual recognition bolsters the cybersecurity of digital transactions and improves user control over personal data, making cross-border interactions more user-friendly and secure.

Key Components of eIDAS (Expanded)

The core components of the regulation, such as electronic signatures, electronic seals, timestamps, electronic registered delivery services, and website authentication, all play a crucial role in ensuring the integrity, authenticity, and non-repudiation of digital transactions. These components make digital interactions secure and legally binding, providing the framework for a reliable digital single market.

1. Electronic Signatures

Electronic signatures are one of the most prominent trust services defined under eIDAS. They are vital for verifying the authenticity of digital documents and communications. Under the regulation, electronic signatures are divided into three distinct types based on their level of security and legal standing:

  • Simple Electronic Signatures (SES): These are the most basic form of electronic signature, where data is attached to or logically associated with a document to indicate agreement. While they can be useful for low-risk transactions, they do not offer high levels of security or legal protection.
  • Advanced Electronic Signatures (AES): Advanced electronic signatures offer a higher level of security than simple ones. An AES is uniquely linked to the signatory, capable of identifying them, and created in a way that ensures the integrity of the document. Any changes made to the signed document would invalidate the signature.
  • Qualified Electronic Signatures (QES): Qualified electronic signatures are the most secure type, providing the highest level of legal assurance under eIDAS. They are created using a qualified electronic signature creation device (QSCD) and are based on a qualified certificate issued by a qualified trust service provider (QTSP). A QES has the same legal standing as a handwritten signature across the EU, making it suitable for high-stakes transactions such as business contracts, legal documents, or governmental forms.

The regulation aligns with broader EU efforts, such as the EU Cybersecurity Act. Source: Freepik

2. Electronic Seals

While electronic signatures are intended for individuals, electronic seals serve a similar purpose for legal entities, such as businesses or organizations. An electronic seal ensures the origin and integrity of a document issued by a legal entity, effectively acting as a digital equivalent of a company stamp. Like electronic signatures, electronic seals can be classified into simple, advanced and qualified forms, with the qualified electronic seal offering the highest level of security and legal protection.

Qualified electronic seals are based on a qualified certificate issued by a QTSP, which ensures that any modification of the sealed document after its issuance is detectable. This makes them highly valuable in sectors such as banking, legal services, and government agencies, where the authenticity and integrity of documents are critical.

3. Electronic Timestamps

An electronic timestamp is another key trust service under eIDAS, which certifies that certain data existed at a specific point in time. By linking a specific date and time to electronic data, a qualified timestamp provides verifiable proof that a document or transaction occurred at a particular moment, making it tamper-evident.

Electronic timestamps are crucial for legal and financial transactions that require precise verification of the moment of execution. For example, they are often used in contractual agreements, issuing invoices, or validating documents for intellectual property claims, where time-sensitive evidence is critical.
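As an added illustration that is not code from the original article, the following Go model shows the mechanism behind the timestamp property described above and the "any change invalidates the signature" property of advanced signatures: an authority signs a document's hash together with a time, and verification fails if either the document or the asserted time is altered. The TSA type, its key handling and the token layout are assumptions made for this example; a real qualified timestamp follows the standardized token format and the eIDAS requirements, which this model does not implement.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"time"
)

// TimestampToken is a constructed model of what a timestamp binds together:
// the data's hash, the asserted time, and the authority's signature over both.
type TimestampToken struct {
	Digest    []byte // SHA-256 of the timestamped data
	Unix      int64  // asserted time, seconds since the Unix epoch
	Signature []byte // Ed25519 signature over Digest || Unix
}

// TSA is a hypothetical time-stamping authority holding one signing key.
type TSA struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey // verification key a relying party would hold
}

func NewTSA() (*TSA, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TSA{priv: priv, Pub: pub}, nil
}

// signedBytes is the exact byte string the signature covers: digest || big-endian 64-bit time.
func signedBytes(digest []byte, unix int64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(unix))
	return append(append([]byte{}, digest...), buf...)
}

// Issue binds a document digest to a point in time; the authority never sees the document.
func (t *TSA) Issue(digest []byte, at time.Time) TimestampToken {
	unix := at.Unix()
	sig := ed25519.Sign(t.priv, signedBytes(digest, unix))
	return TimestampToken{Digest: digest, Unix: unix, Signature: sig}
}

// Verify fails if doc no longer hashes to the token's digest or the signature over digest and time is broken.
func Verify(pub ed25519.PublicKey, tok TimestampToken, doc []byte) bool {
	d := sha256.Sum256(doc)
	if !bytes.Equal(d[:], tok.Digest) {
		return false
	}
	return ed25519.Verify(pub, signedBytes(tok.Digest, tok.Unix), tok.Signature)
}
```

Because the time is inside the signed bytes, a token cannot be moved to an earlier or later moment without the authority's key, which is what makes the timestamp evidence tamper-evident.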

4. Electronic Registered Delivery Services (ERDS)

Electronic registered delivery services (ERDS) ensure that electronic data is securely transmitted between parties, with proof of sending and receiving provided. This trust service is particularly important when legal proof of delivery is required, such as in court proceedings or formal business communications.

eIDAS sets stringent standards for qualified ERDS, ensuring that both the sender and recipient can be verified and that the data remains unaltered during transit. A qualified electronic registered delivery service must ensure the integrity of the transmitted data and provide a clear record of the time of sending and receiving, making it suitable for sensitive communications like legal notices, bills, or contractual documents.

5. Website Authentication

Website authentication is another critical component of eIDAS, which ensures that a website is genuine and secure. In a digital world where phishing and online fraud are rampant, website authentication certificates provide a way for users to verify the authenticity of a website, ensuring that they are interacting with the legitimate website of a service provider or business.

Under the regulation, qualified website authentication certificates are issued by QTSPs, giving users confidence that the website has been verified according to strict EU standards. These certificates are essential for e-commerce websites, online banking platforms, and other web services where user trust and data security are paramount.

6. The EU Trust Mark: A Symbol of Compliance

The EU trust mark is a key feature of the regulation, serving as an indicator of compliance for qualified trust service providers (QTSPs). QTSPs are organizations that meet the high-security standards set by eIDAS and are authorized to issue qualified certificates for services like electronic signatures, seals, and timestamps.

The EU trust mark helps build user confidence in digital services by signifying that the provider has been vetted by the relevant authorities and complies with the stringent requirements of eIDAS. 

Users interacting with a service that bears the EU trust mark can trust that the service is secure, reliable, and legally recognized in the member states. This trust is particularly important in sensitive industries such as finance, healthcare, and government services, where the protection of personal and financial data is paramount.

The integration of CC into the new regulation is particularly relevant in the context of trust services and digital identity systems. Source: Freepik

Integration of Common Criteria with eIDAS

As the EU focuses on creating a unified and secure digital market, the integration of Common Criteria (CC) with eIDAS offers a key solution for ensuring that products and services meet robust security standards.

Security Certification for Trust Services

Common Criteria is an international standard for IT security certification that evaluates the security of IT products and systems, ensuring they meet uniform standards. 

The integration of CC into eIDAS 2 is particularly relevant in the context of trust services and digital identity systems. By leveraging CC certifications, the EU ensures that its member states' IT components and trust services comply with stringent security requirements.

For example, a digital signature creation device used under the regulation may undergo CC certification to meet the required security standards. This not only bolsters trust in the security of these devices but also ensures their interoperability across the EU. The certification process thoroughly evaluates the integrity, confidentiality, and availability of the provided services, contributing to a secure digital ecosystem for all users.

Interoperability of Certified Products

Another impact of Common Criteria’s integration with eIDAS is the assurance of interoperability across member states. CC ensures that products and services from different countries are mutually recognized by standardizing the security requirements for electronic identification systems and trust services. This uniformity is essential for facilitating cross-border digital transactions, allowing users to access services in other EU countries without compatibility issues.

This interoperability extends to key components such as electronic signatures, seals, and timestamps, where adherence to CC ensures that trust services are secure and compatible across borders. This is crucial for creating a seamless digital single market where electronic interactions between citizens, businesses, and governments can occur without friction.

The EU Cybersecurity Act aims to implement a comprehensive certification scheme for ICT products and services across the EU. Source: Freepik

Common Criteria and EU Cybersecurity Certification

The role of CC in enhancing the security of eIDAS aligns with broader EU efforts to establish a robust cybersecurity framework. The EU Cybersecurity Act aims to implement a comprehensive certification scheme for ICT products and services across the EU. 

The relationship between eIDAS 2 and CC is particularly relevant in the context of trust services and security certifications for digital identities, electronic signatures, and trust service providers. 

Security Certification for Trust Services

Under the regulation, providers of trust services (such as digital signature services, electronic seals, timestamps, etc.) must meet stringent security requirements to ensure the integrity, confidentiality, and availability of their services. 

Common Criteria is one of the standards that can be used to certify the security of the IT systems and components used by these trust service providers. For example, a digital signature creation device used under eIDAS may undergo Common Criteria evaluation to ensure its compliance with the necessary security standards.

Interoperability of Certified Products

With eIDAS 2 promoting secure cross-border electronic identification and trust services, CC certifications help ensure that products and systems used across different EU countries meet a common security standard. This guarantees that digital identity systems and trust services are interoperable and dependable across national borders.

EU Cybersecurity Certification

The regulation aligns with broader EU efforts, such as the EU Cybersecurity Act, which aims to establish a cybersecurity certification framework across the EU. Common Criteria is often referenced as part of the certification schemes for IT products in this framework, ensuring that devices used for trust services or digital identity management meet high security standards.

One of the key aspects of Common Criteria is its structured approach to security evaluation, known as Assurance Levels. These levels represent the depth and rigor of the security evaluation, offering a scalable measure of how thoroughly a product or system has been tested for vulnerabilities and its ability to resist threats. Each level, from EAL1 (Evaluation Assurance Level 1) to EAL7, corresponds to an increasing degree of assurance, complexity, and scrutiny. 

In the context of eIDAS 2, these Common Criteria Assurance Levels ensure that devices used for trust services, such as electronic signatures, electronic seals, and timestamps, are evaluated to meet stringent security standards. 

The appropriate level of assurance is selected based on the risk and sensitivity of the service. For instance, a qualified electronic signature creation device, which must provide the highest level of legal certainty, would typically require an evaluation at a higher Assurance Level to ensure it can withstand sophisticated attacks.

Harmonizing Security and Trust Services Across Member States

The harmonization of eIDAS across member states is further strengthened by the use of CC. This framework provides a consistent approach to evaluating the security of electronic identification systems and trust services, ensuring that they meet the same high security standards regardless of the country in which they are deployed.

By integrating CC with eIDAS, the EU creates a unified security standard that reduces disparities between national regulations. This uniformity is critical for fostering a cohesive digital market where services are interoperable and secure across borders.

Conclusion

Integrating Common Criteria with eIDAS marks a pivotal step toward improving the security, interoperability, and trustworthiness of electronic identification and trust services across the EU. This collaboration not only facilitates cross-border digital transactions but also promotes a cohesive digital single market where services are recognized and trusted throughout member states. As the digital landscape continues to evolve, integrating these two frameworks will play a crucial role in ensuring the safety and efficiency of electronic interactions within the EU.
