A digital agenda aimed at removing barriers to an integrated e-commerce market in Europe
The European Union (EU) authorities have consistently articulated the expectation that the legal and technical Single Euro Payments Area (SEPA) harmonisation exercise will contribute to streamlining business processes beyond payments by replacing paper-based procedures with standardised electronic solutions, i.e. to serve as a stepping stone to advance the digital single market.
In its conclusions of 4 February 2011 and of 23 October 2011, the European Council invited the European Commission to create a digital single market by 2015, to make rapid progress in key areas of the digital economy and to promote a fully integrated digital single market by facilitating the cross-border use of online services, with particular attention to ensuring secure electronic identification (eID) and authentication. (The European Council consists of the Heads of State or Government of the EU Member States, together with its President and the President of the European Commission.)
In its press release, entitled ‘Digital “to-do” list: new digital priorities for 2013-2014’ (see ‘related links’ below), the European Commission reiterated: “The digital economy is growing at seven times the rate of the rest of the economy, but this potential is currently held back by a patchy pan-European policy framework. Today’s priorities follow a comprehensive policy review and place new emphasis on the most transformative elements of the original 2010 Digital Agenda for Europe. (…) Full implementation of this updated Digital Agenda would increase European GDP by 5%, or 1500€ per person, over the next eight years, by increasing investment in ICT, improving eSkills levels in the labour force, enabling public sector innovation, and reforming the framework conditions for the internet economy.”
The European Commission’s Communication ‘A Digital Agenda for Europe’, first published in 2010, is one of the seven so-called flagship initiatives of the Commission’s ‘Europe 2020 Strategy’ (see ‘related links’ below). The Digital Agenda defines the key enabling role that the use of information and communication technologies will have to play if Europe wants to succeed in its ambitions for 2020. With regard to e-commerce, the original 2010 Digital Agenda found that fragmentation “limits demand for cross-border e-commerce transactions. Less than one in ten e-commerce transactions are cross-border, and Europeans often find it easier to conduct a cross-border transaction with a US business than with one from another European country. (...) This highlights the urgency of tackling the regulatory barriers holding back European businesses from trading cross-border.”
The Digital Agenda identifies eID technologies and authentication services as “essential for transactions on the internet both in the private and public sectors” and therefore, proposes a revision of the ‘Community framework for electronic signatures’ (the ‘eSignature Directive’; see ‘related links’ below) with a view to providing a legal framework for cross-border recognition and interoperability of secure e-authentication systems.
Ecommerce Europe, the European collective of merchant organisations and their members, confirmed [1] that “while e-commerce has grown spectacularly over these past two decades, the EU has not yet taken full advantage of the benefits provided by the Single Market. There are still barriers to further growth in cross-border activities.” To remedy the situation, Ecommerce Europe recommended, among other things, the implementation of an EU-wide interoperable system for the recognition of eID and e-authentication.
Consequently, the Commission has taken steps to facilitate cross-border recognition of means of eID and interoperability of e-authentication systems.
‘Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC’ (the eIDAS Regulation)
In June 2012, the Commission published a proposal for a Regulation on eID and trust services for electronic transactions in the internal market, based on the objectives identified by the Legislation Team (eIDAS) Task Force set up by the Commission. The task force led the development, negotiation and basic implementation of the proposal.
In July 2014, the eIDAS Regulation (see ‘related links’ below) was adopted by the EU co-legislators, i.e. the European Parliament and the Council of the EU representing EU governments. The Regulation was published on 28 August 2014 in the Official Journal of the EU and entered into force on 17 September 2014.
The eIDAS Regulation builds on the eSignature Directive, which it repeals and replaces.
Main provisions included with the eIDAS Regulation
The scope of the eIDAS Regulation is twofold: (i) it covers the mutual recognition of eID, which should ensure that people and businesses can use their eID to access online services across the EU, and (ii) it regulates the activity of trust service providers established in the EU. The relevant provisions of the Regulation aim to assist in removing the barriers to eSignatures and related trust services across borders, without, however, creating a general obligation to use them or to install an access point for all existing trust services.
eID and notification
Article 6 of the eIDAS Regulation stipulates that EU Member States must recognise and accept any eID means issued in another Member State (‘mutual recognition’). The precondition for this is that the EU Member State concerned has notified the Commission as to the identification system it uses for issuing means of identification. To this end, the notifying Member State’s eID scheme should meet the conditions of notification and the notification should have been published in the Official Journal of the EU. The Commission will draw up a list of all notified eID schemes and EU Member States will cooperate to ensure the technical interoperability of eID means issued as part of a notified scheme. The exchange of information and the sharing of best practices between Member States with a view to their mutual recognition should help such cooperation.
The eIDAS Regulation distinguishes three so-called ‘assurance levels’ (‘low’, ‘substantial’ and ‘high’) to characterise the degree of confidence offered by eID means in establishing the identity of a person, i.e. the assurance that the person claiming a particular identity is in fact the person to whom that identity was assigned. The obligation of ‘mutual recognition’ applies only to eID means whose assurance level is equal to or higher than the level required for the online service in question.
eSignatures and other electronic trust services
The eIDAS Regulation distinguishes three levels of eSignatures:
- ‘Simple’ eSignatures are data in electronic form, which are attached to or logically associated with other electronic data and are used for signing purposes, for example scanned signatures.
- Advanced eSignatures are electronic signatures which are uniquely linked to the signatory, capable of identifying the signatory and designed using signature creation data that the signatory can, with a high level of confidence, use under his sole control. Furthermore, advanced eSignatures should be linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
- Qualified eSignatures are electronic signatures created by a ‘qualified electronic signature creation device’ and based on a ‘qualified certificate’ for eSignatures. Qualified eSignatures can substitute a handwritten signature.
The eIDAS Regulation establishes the principle that an electronic signature should not be denied legal effect on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic signature. However, it is for national law to define the legal effect of electronic signatures, except for the requirements provided for in the Regulation according to which a qualified electronic signature should have the equivalent legal effect of a handwritten signature.
Other electronic trust services covered by the eIDAS Regulation include electronic seals (similar to eSignatures, but to be used only by legal persons), electronic time stamps, electronic documents, qualified electronic delivery services and website authentication. The introduction of these trust services is positive considering that these services are currently subject only to national, often diverging, legal and technical rules, which impedes the cross-border activities of companies including payment service providers (PSPs). At the same time, the provisions on website authentication could enable payment service users (PSUs) to verify the authenticity of web-merchants’ and PSPs’ websites across the EU.
Security requirements and supervision
Trust service providers shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. With regard to the latest technological developments, those measures shall ensure that the level of security is commensurate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of the adverse effects of any such incidents. Trust service providers shall, “without undue delay but in any event within 24 hours after having become aware of it”, notify the supervisory body and, where applicable, other relevant bodies, such as the competent national body for information security or the data protection authority, of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein. Where the breach of security or loss of integrity is likely to adversely affect a natural or legal person to whom the trusted service has been provided, the trust service provider shall also notify the natural or legal person of the breach of security or loss of integrity without undue delay. The notified supervisory body shall inform the public or require the trust service provider to do so, where it determines that disclosure of the breach of security or loss of integrity is in the public interest.
Where providers of trust services infringe the security requirements, they are held liable for any direct damage caused. In the case of providers of ‘qualified trust services’, which are included in a ‘trusted list’ by the relevant supervisory body, the eIDAS Regulation introduces a shifted burden of proof: the providers concerned must prove that they did not act negligently. The Regulation foresees the creation of an EU trust mark to identify the qualified trust services provided by qualified trust service providers, making it possible to clearly differentiate qualified trust services from other trust services.
The eIDAS Regulation requires EU Member States to designate a supervisory body or supervisory bodies for trust service providers. Such organisations shall supervise qualified trust service providers through ex ante and ex post supervisory activities. They should take action, if necessary, in relation to non-qualified trust service providers through ex post supervisory activities, when informed that those non-qualified trust service providers or the trust services they provide allegedly do not meet the requirements laid down in the Regulation.
Impact of the eIDAS Regulation on electronic transactions in SEPA
The eIDAS Regulation is expected to further promote the integration of the euro payments market. It requires higher accountability for security and provides clear and stronger rules for the supervision of eSignatures and related trust services. The recognition and acceptance of the notified eID means of other EU Member States can help reduce administrative and transaction costs, enabling quicker completion of requests made to PSPs in other EU Member States that require eID. This may, for example, simplify opening online accounts across the EU.
The Regulation also ties in with the European Central Bank’s (ECB) recommendations for the security of internet payments developed by the European Forum on the Security of Retail Payments (SecuRe Pay) [2], published in January 2013 and effective as of February 2015 (see ‘related links’ below). Of particular relevance here is the SecuRe Pay Recommendation 7 on ‘strong customer authentication’ to be performed by PSPs for the customer’s authorisation of internet payment transactions, which can be linked to the assurance levels for eID means.
As to eSignatures, the implementation of the eSignature Directive (which has been replaced by the eIDAS Regulation) into national law has led to different national quality and security levels for eSignatures. This has resulted in a lack of cross-border interoperability. The new eIDAS Regulation is a major step forward since it would allow PSPs and payment schemes to roll out the use of eSignatures at an appropriate security level (simple, advanced or qualified), depending on the service concerned.
It remains to be seen whether the eIDAS Regulation will also further the issuance and amendment of electronic direct debit mandates. In this context, in October 2013, the European Payments Council (EPC) clarified that a SEPA direct debit mandate may be an electronic document which is created and signed using a legally binding method of signature. This understanding is now confirmed by the eIDAS Regulation, which establishes the principle that an electronic signature should not be denied legal effect on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic signature (Article 25).
It is, however, to be noted that the latest compromise text issued by the Italian Presidency of the Council of the EU on the European Commission’s proposal for a revised Payment Services Directive (PSD2) stipulates that “Member States shall ensure that a payment service provider applies strong customer authentication when the payer: […] signs an electronic debit mandate, without prejudice to any other legal requirement on electronic signatures” (Article 87(1) PSD2). In practice, this could mean that a ‘simple’ eSignature might not suffice for signing an electronic direct debit mandate, but that an advanced or qualified eSignature would be needed to allow for ‘strong customer authentication’. It is most likely that the European Banking Authority (EBA), in close collaboration with the ECB, will be mandated to develop draft regulatory technical standards for authentication procedures in the framework of PSD2, which should shed more light on this subject.
In this context, it will also be interesting to see the outcome of the work of the dedicated working group on pan-European electronic mandate solutions for SEPA direct debits established earlier this year by the Euro Retail Payments Board (ERPB), chaired by the ECB [3]. This ERPB working group is tasked with identifying barriers to the uptake of pan-European e-mandate solutions and providing suggestions to address them. One of the barriers identified by the working group is precisely that the uptake of SEPA direct debits on the basis of electronic mandates appears to be hampered by the relatively low level of harmonisation of the legal acceptance of electronic signatures in the EU.
The eIDAS Regulation can, in consequence, be expected to contribute to supporting the objective of boosting cross-border e-commerce in the harmonised European digital market.
Gert Heynderickx is in house Legal Counsel to the EPC.
Related links:
European Central Bank Recommendations for the Security of Internet Payments (developed by the European Forum on the Security of Retail Payments)
Proposal for a Directive of the European Parliament and of the Council [of the EU] on payment services in the internal market and amending Directives 2002/65/EC, 2013/36/EU and 2009/110/EC and repealing Directive 2007/64/EC - Presidency compromise (12 September 2014)
EPC Blog (18 September 2014): Next Steps in the Area of Online Payments: Is Europe Ready for e-Identity? A guest blog by Marine Sauvaget
[1] Ecommerce Europe position paper ‘E-Payments 2012’.
[2] The European Forum on the Security of Retail Payments (SecuRe Pay) was established in 2011 as a voluntary cooperative initiative between relevant authorities from the European Economic Area, supervisors of payment service providers and overseers.
[3] On 19 December 2013 the European Central Bank announced the launch of the Euro Retail Payments Board (ERPB), which replaces the SEPA Council. The ERPB will “help foster the development of an integrated, innovative and competitive market for retail payments in euro in the EU”.