Analysis of standards related to trust service providers : mapping of requirements of eIDAS to existing standards

Pursuant to 15 years of implementation of Directive 1999/93/EC1 on a Community framework for electronic signatures, the lack of trust and in particular the perceived lack of legal certainty have made consumers, businesses and public authorities hesitate to carry out transactions electronically and to adopt new digital services. Re-building trust in the online environment has been perceived as key to economic and social development by the European legislator. Regulation (EU) No 910/20142 (hereafter the eIDAS Regulation) adopted last year and repealing Directive 1999/93/EC on 1 July 2016 clearly aims to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union. In order to ensure uniform conditions for its implementation, the Regulation confers implementing powers to the Commission, to promulgate implementation specifications or to reference standards the use of which would raise a presumption of compliance with select requirements laid down in the eIDAS Regulation. When adopting delegated or implementing acts, the Commission needs to take due account of the standards and technical specifications drawn up by European and international standardisation organisations and bodies, in particular ETSI, CEN, ISO and ITU. Already in 2009, the European Commission issued Standardisation Mandate 460 to CEN, CENELEC and ETSI to update the existing eSignature standardisation deliverables in view of establishing a fully rationalised framework, which would solve the issues raised in actual use of eSignatures in the EU. These issues were about, notably, the mutual recognition and cross-border interoperability of eSignatures, the multiplicity of standardization documents and the lack of usage guidelines, and different technical implementations. This report on one hand analyses the eIDAS requirements with regard to the standards, on the other analyses currently available standards and compares the results of both analyses. Such a mapping is oriented at the requirements specified in the various eIDAS articles. Pursuant to this mapping it can be concluded that usually the analysed standards usually cover some requirements in part or whole.