From the Single Euro Payments Area to electronic identification and authentication: promoting the integration of the digital market
In the position paper on 'Online Payments in Europe' (June 2011), the E-Payments Merchant Initiative (see 'related links' below), highlights the fast development of e-commerce in Europe: "In the past 15 years, e-commerce has become a mature market and is still growing. This trend is expected to continue in the coming years due to the further proliferation of mobile devices (smartphones, tablets) and the customer need of 'being always online'." Ecommerce Europe, the European collective of merchant organisations and their members, confirmed this trend in its position paper 'E-Payments 2012' (December 2012) (see 'related links' below): "E-commerce has enabled consumers to access goods and services from all over Europe. As such, e-commerce has contributed significantly to the European economy in general and the success of the European Single Digital Market in particular." Ecommerce Europe however also clarifies that "while e-commerce has grown spectacularly over these past two decades, the [European Union] has not yet taken full advantage of the benefits provided by the Single Market. There are still barriers to further growth in cross-border activities. One of these barriers is the regulatory framework in Europe. Europe is still a patchwork of national markets and the absence of a truly harmonised regulatory framework in Europe hinders the further development of cross-border e-commerce and undermines consumer trust." To remediate the situation, Ecommerce Europe recommends, among other things, the implementation of an -wide interoperable system for the recognition of electronic identification (eID) and e-authentication.
Promoting the single digital market and realising the potential offered by the digital economy is also high on the agenda of the European Parliament Committee on Internal Market and Consumer Protection (IMCO) (see 'related links' below). The IMCO Committee has set up a working group on the digital single market and on e-commerce (see 'related links' below), which in 2013 "will start its third round of meetings in order to identify key remaining barriers and priority areas, where further action is needed as a matter of urgency. To ensure timely input, a series of meetings will be held throughout the first half of 2013, leading to the adoption of conclusions by IMCO in July 2013."
The European Commission (the Commission) has consistently articulated the expectation that the legal and technical Single Euro Payments Area ( ) harmonisation exercise will contribute to streamlining business processes beyond payments by replacing paper-based procedures with standardised electronic solutions. The Commission Communication 'A Digital Agenda for Europe' (2010) (see 'related links' below) is one of the seven so-called flagship initiatives of the Commission's 'Europe 2020 Strategy' (see 'related links' below). The Digital Agenda for Europe defines the key enabling role that the use of information and communication technologies will have to play if Europe wants to succeed in its ambitions for 2020. Section 2.1.2 of the Digital Agenda for Europe, states: " will also provide a launch platform for value added services linked to payments, such as the development of a European e-invoicing framework. (...) The e-money Directive1 should be swiftly implemented so as to open the way for new market entrants to offer innovative e-money solutions - such as mobile wallets - without a loss of protection of consumer funds. (...) As there will be many solutions, industry, supported by policy actions - in particular e-government services - should ensure interoperability based on standards and open development platforms." With regard to e-commerce, the Digital Agenda for Europe finds that fragmentation "limits demand for cross-border e-commerce transactions. Less than one in ten e-commerce transactions are cross-border, and Europeans often find it easier to conduct a cross-border transaction with a US business than with one from another European country. (...) This highlights the urgency of tackling the regulatory barriers holding back European businesses from trading cross-border." The Digital Agenda for Europe identifies eID technologies and authentication services as "essential for transactions on the internet both in the private and public sectors."
The Digital Agenda (section 2.1.2) recommends implementation of the following "key actions" by policy-makers with a view to making "online and cross border transactions straightforward":
- Ensure the completion of , eventually by "binding legal measures fixing an end date for migration" (...) and facilitate the emergence of an interoperable European e-invoicing framework.
- Propose a revision of the 'Community framework for electronic signatures' (the 'eSignature Directive'; see 'related links' below) with a view to providing a legal framework for cross-border recognition and interoperability of secure e-authentication systems.
As previously reported on many occasions in this newsletter, in February 2012, the legislator adopted the 'Regulation ( ) No 260/2012 establishing technical and business requirements for credit transfers and direct debits in euro' (see 'related links' below), which effectively mandates migration to harmonised payment schemes by 1 February 2014 in the euro area. The Commission also followed up on the key action to facilitate the emergence of an interoperable European e-invoicing framework (see 'related links and articles' below). Last but not least, the Commission has taken steps to facilitate cross-border recognition of means of eID and interoperability of e-authentication systems.
Main provisions included with the proposed Regulation on eID and trusted services for electronic transactions
In June 2012, the Commission published a proposal for a Regulation on eID and trust services for electronic transactions in the internal market (see 'related links' below). The proposal is due for consideration by the European Parliament's IMCO Committee and its Committee on Industry, Research and Energy (ITRE) (see 'related links' below) by July 2013. It is expected that the Regulation on eID and trust services for electronic transactions will be adopted by the legislator (i.e. the European Parliament and the Council representing Member States) in the course of the next year. The proposal is based on the objectives identified by the Legislation Team ( ) Task Force set up by the Commission. The task force leads the development, negotiation and basic implementation of the proposal for a Regulation on eID and trust services for electronic transactions.
The Regulation on eID and trust services for electronic transactions builds on - and will replace - the existing eSignature Directive. The scope of the proposed regulation is twofold: it covers the mutual recognition of eID, which should ensure that people and businesses can use their eID to access online services across the , and the activity of trust service providers established in the . The relevant provisions of the proposed regulation aim to assist in removing the barriers to eSignatures and related trust services across borders.
eID and notification
The proposed Regulation on eID and trust services for electronic transactions stipulates that Member States must recognise and accept any eID means issued in another Member State. The precondition for this is that the Member State concerned has notified the Commission as to the identification system it uses for issuing means of identification. The Commission will draw up a list of all notified eID schemes and Member States will cooperate to ensure the interoperability of eID means issued as part of a notified scheme.
eSignatures and other trust services
The proposed Regulation on eID and trust services for electronic transactions allows distinguishing three levels of eSignatures:
- 'Simple' eSignatures are data in electronic form, which are attached to or logically associated with other electronic data and are used for signing purposes, for example scanned signatures.
- Advanced eSignatures are electronic signatures which, among other things, are uniquely linked to the signatory, capable of identifying the signatory and designed using signature creation data that only the signatory can use.
- Qualified eSignatures are electronic signatures created by a "qualified electronic creation device" and based on a "qualified certificate" for eSignatures. Qualified eSignatures can substitute a handwritten signature.
All Member States must recognise and accept qualified eSignatures. In addition, eSignatures must not be denied legal effect and admissibility in legal proceedings solely because they are in electronic form.
Other electronic trust services introduced with the proposed regulation include electronic seals (similar to eSignatures, but to be used only by legal persons), electronic time stamps, electronic documents, qualified electronic delivery services and website authentication. The introduction of these trust services is positive considering that these services are currently only subject to national - often diverging - legal and technical rules, which impedes the cross-border activities of payment service providers ( ). Harmonised rules on qualified electronic documents can boost trust in electronic direct debit mandates. At the same time the provisions on website authentication could enable payment service users to verify the authenticity of ' and e-merchants' websites across the .
The proposed Regulation on eID and trust services for electronic transactions requires Member States to designate a supervisory body for trust service providers. Such providers must take "technical and organisational measures" to ensure that the "level of security is appropriate". The competent national supervisory body and "other relevant third parties such as data protection authorities" must be notified of any "significant" breach of security "without undue delay and where feasible" not later than 24 hours after having become aware of it. Where providers of trust services infringe on the general security requirements, they are held liable for any direct damage caused. In this case, the proposed regulation introduces a shifted burden of proof: the providers concerned must prove that they did not act negligently. Additional security requirements apply to providers of "qualified trust services", which are included in a "trusted list" by the relevant supervisory body.
Appropriate measures designed to ensure trust in eID schemes and eSignatures remain to be introduced into the proposed Regulation on eID and trust services for electronic transactions
From a legal perspective, there remain however several concerns which should be addressed in the legislative process leading to the adoption of the forthcoming Regulation on eID and trust services for electronic transactions. The proposal does currently not foresee prior authorisation or accreditation for eID schemes or that an independent body controls whether or not notified eID schemes actually comply with the requirements stipulated by the regulation; the proposed regulation does not provide for a mechanism to verify whether the eID schemes adhere to the minimum security standards and data protection requirements. This could potentially lead to misuse and would challenge the security of sensitive personal data, which eventually jeopardises the confidence of users in means of identification. The proposed Member State liability mitigates but does not exclude these risks. It is expected that this will give rise to controversy from a privacy and data protection perspective and will be scrutinised by the European Parliament and the Council representing Member States in the legislative process going forward.
As to eSignatures, the implementation of the existing eSignature Directive (which will be replaced by the forthcoming Regulation on eID and trust services for electronic transactions) into national law has led to different national quality and security levels for eSignatures. This has resulted in a lack of cross-border interoperability. The proposed regulation is a major step forward since it would allow and payment schemes to roll out the use of eSignatures at an appropriate security level ('simple', advanced or qualified) depending on the service concerned. Unfortunately, the supervisory rules for providers of qualified trust services appear to be imprecise and inconsistent. This concern requires urgent clarification in order to ensure security. The forthcoming Regulation on eID and trust services for electronic transactions should avoid replicating the imprecise supervisory rules of the existing eSignature Directive which have already contributed to a loss in confidence. It remains to be seen to which extent the Commission intends to tackle this issue through delegated and implementing acts2.
The proposed Regulation on eID and trusted services for electronic transactions and
The proposed Regulation on eID and trust services for electronic transactions is expected to further promote the integration of the euro payments market. It would require higher accountability for security and would provide clear and stronger rules for the supervision of eSignature and related trust services. The recognition and acceptance of the notified eID means of other Member States could help reduce administrative and transaction costs, enabling quicker completion of requests made to in other Member States that require eID. This will, for example, simplify opening online accounts across the . The proposed regulation also ties in with the European Central Bank recommendations for the security of internet payments (SecuRe Pay) published in January 2013 and effective as of February 2015 (see 'related links' below). Of particular relevance here is the SecuRe Pay Recommendation 7 on "strong customer authentication" to be performed by for the customer's authorisation of internet payment transactions. The proposed regulation will also support the issuance and amendment of electronic direct debit mandates. The proposed Regulation on eID and trust services for electronic transactions will, in consequence, support the objective of boosting cross-border e-commerce in the harmonised European digital market.
Gert Heynderickx is in house Legal Counsel to the .
Related articles in this issue:
The Long Road to Harmonisation: Transitional Arrangements in European Union Member States Permissible Under Regulation 260/2012 (the SEPA Regulation). European Commission and European Central Bank provide information on national derogations
On the Shelf Life of a Banknote or How to Promote the European Digital Market: Electronic Legal Tender Is Now a Matter of Fairness. Fresh thinking is required to bring greater coherence to the policy target of payment innovation
Related articles in previous issues:
1 Directive 2009/110/EC on the taking up, pursuit and prudential supervision of the business of electronic money institutions.
2 'Delegated acts' and 'implementing acts' are new additions to the European Union ( ) decision-making landscape. They were introduced by the Lisbon Treaty, which entered into force in December 2009 and more specifically, by Articles 290 and 291 of the Treaty on the Functioning of the European Union (TFEU). Whereas European legislation is adopted by the legislators: the Council of Ministers (made up of representatives of the 27 Member States) and the European Parliament (made up of 754 directly elected members), Article 290 TFEU allows the Council and the European Parliament to delegate the power to adopt non-legislative acts to the European Commission (the executive body). Implementing acts (Article 291 TFEU) include implementation measures whereas delegated acts allow amending, supplementing, or deleting non-essential elements of the basic legislative act. See also http://europa.eu/legislation_summaries/institutional_affairs/treaties/lisbon_treaty/ai0032_en.htm.
If you would like to comment on this article, please identify yourself with your first and last name. Your name will appear next to your comment. Email addresses will not be published. Please note that by accessing or contributing to the discussion you agree to abide by the EPC website conditions of use.