January 2021

Overview of Member States’ eID strategies

CEF eID SMO Version 3.0

This study was carried out for the European Commission by Deloitte.

Authors: Massimo Pedroli, George O’Neill, Arianna Fravolini, Leonardo Marcon

Picture on the first page from Flaticon

CONTENT

Introduction ...... 6

Overview of national eID strategies and legal framework ...... 7

eID Strategy Formalisation ...... 7

Common Strategic Objectives among EU Countries ...... 10

Legal requirements to hold eID ...... 20

Security of eID Means ...... 22

Ecosystems overview: service providers and accessible services ...... 23

The Role of the State ...... 23

Accessible Digital Services ...... 25

Country Overview ...... 27

Austria ...... 28

Belgium ...... 30

Bulgaria ...... 32

Croatia ...... 33

Cyprus ...... 35

Czech Republic ...... 37

Denmark ...... 39

Estonia ...... 42

Finland ...... 47

France ...... 50

Germany ...... 52

Greece ...... 55

Hungary ...... 57

Ireland ...... 58

Italy ...... 60

Latvia ...... 62

Lithuania ...... 65

Luxembourg ...... 66

Malta ...... 68

The ...... 69

Poland ...... 71

Portugal ...... 73

Romania ...... 76

Slovakia ...... 77

Slovenia ...... 79

Spain ...... 81

Sweden ...... 83

Conclusions ...... 87

Annex: Overview table ...... 89

Disclaimer: Please note that this document is a discussion paper aiming to animate discussion between Member States. This document does not reflect the official position of the European Commission nor the intention of EU Member States.

INTRODUCTION 01

The success of the approach founded in the eIDAS The present study is based on a desk research carried out Regulation to ensure that online public services are to investigate multiple aspects related to eID and is available to users across borders thanks to mutually composed of two main parts: recognised digital identity means, is dependent upon • The first part (chapters 2 and 3) highlights the national efforts and approaches towards eID. trends related to the adoption of national eID The system of mutual recognition of eID means pursued strategies, as well as the set-up nationally of the eID through eIDAS is only effective if Member States make ecosystem. The report looks at the form that eID efforts at national level to promote the widespread use strategies take, the main objectives countries of eID and the availability of services using these pursue, and the presence of legal requirements to identification technologies. hold eID. In addition it assesses the role of the state in the eID ecosystem in different countries, and the No Member State can look solely at their own nationally availability of different online public services using available eID(s) when developing strategies for e- eID. services and eID usage and this should be reflected in this report. • The second part (chapter 4) provides a detailed overview of each EU27 Member State with a With this in mind, the following report provides an structured set of information on the various overview of the national approaches to electronic dimensions of the national eID landscape, including identification, describing how the 27 Member States are the documents in which the eID strategy is rolling out eID solutions to ensure that digital services contained, the eID means available, the set-up of can be securely accessed both at national and at the eID ecosystem and the level of use of eID. This European level. The report focusses on the approaches allows the reader to easily compare them and have towards eID outlined in national strategy documents, an overview of the level of maturity of each Member together with other supporting documentation and web State with regard to eID. Further facilitating this, the resources, with the aim of offering a thorough main features of each country in relation to eID is understanding of the eID state of play across . summarised in an Overview table in the Annex This understanding of national strategies can feed into (p.89). discussions on future EU-level action on eID.

6

OVERVIEW OF NATIONAL EID STRATEGIES AND LEGAL FRAMEWORK 02

National public administrations within the EU differ plans to update these cards to comply with the new significantly in terms of the extent to which they have European regulation may also be accompanied by plans formally laid out their strategic vision for eID. Some have to upgrade or otherwise alter the eID capabilities of the a stand-alone eID strategy describing key objectives and card. This chapter, therefore, also includes an overview approaches, others have a section of broader of the countries’ plans to upgrade their national ID cards digitalisation strategy dedicated to eID, still others just in response to the new regulation. make a short reference to eID in their digitalisation Finally, the chapter considers the legal framework of EU strategy, while for the remainder no strategic document countries within which the eID means are used, to referring to eID has been identified. analyse in particular whether citizens are required to This chapter provides an overview of the extent to which hold at least one eID means. The presence of such legal EU countries have adopted formalised eID strategies. requirements may help increase the uptake of eID. Furthermore, it analyses the main objectives adopted within the strategies, in order to reveal recurring and common patterns across countries. eID Strategy Formalisation The new European Regulation (EU) 2019/1157 may affect the way in which some national governments This chapter focuses on the way that national strategy update their eID means. The legislation introduces new documents formalise or otherwise make reference to security and technological requirements for national eID means. Legislative measures concerning eID are out identity cards. As many EU countries have integrated eID of scope of this analysis. This focus on strategies can help functionalities within their national identity cards, and identify whether the provision of an eID means is the use these cards as one of their primary eID means, any expression of a durable vision and falls into a medium-

7

long term plan, possibly encompassing a wider an existing one or the setup of an eGovernment digitalisation perspective, which may be deployed into a program within which eID plays a crucial role. This series of policy initiatives. cluster includes 16 Member States: Austria, Belgium, Croatia, Cyprus, Estonia, Finland, France, Member States can be divided into the following clusters Ireland, Italy, Malta, Netherlands, Poland, Portugal, according to the extent to which they have explicitly laid Romania, Slovakia and Sweden. out and formalised their eID strategy: • Brief reference to eID within a wider digitalisation • Stand-alone eID strategy document: Countries that strategy or strategies: Countries having developed have developed a dedicated strategy for a national digitalisation strategy or strategies that implementing and promoting eID, identifying makes some mention of eID, but does not expand objectives and deadlines for new measures. This on this subject in detail. This cluster includes 9 cluster includes 2 Member States: Denmark and Member States: Bulgaria, Czech Republic, Greece, Germany. Hungary, Latvia, Lithuania, Luxembourg, Slovenia • Section of wider digitalisation strategy focused on and Spain. eID: Countries that have dedicated a specific section

of their national digitalisation strategy to the

implementation of eID measures, which could be the development of new eID means, the update of

8

Figure 1: Reference to eID in strategy documents - EU MS

There is therefore still a substantial number of Member eID have done this before 2017 (Estonia in 2000, States for which a formalised and explicit strategy on Denmark in 2001, Spain in 2006, Finland in 2008, Cyprus eID has not been identified. 10 countries in total either in 2012, Germany in 2013, Czech Republic, Hungary, make just a brief reference to eID in a strategy Latvia, Lithuania, Romania and Slovakia in 2014, Belgium document, or have no strategy document describing in 2015, Greece and Slovenia in 2016). Of these their intentions regarding eID. Those countries which countries, two (Czech Republic and Slovakia), have make a brief reference to eID tend to focus on a planned referred briefly again to eID in later strategy documents introduction of an eID means with the aim of facilitating focussed on other issues. citizens’ lives by enabling digital administration. Before 2017, 3 countries (Cyprus, Romania and Slovakia) Although indicative that eID is being prioritised, this dedicated a full section of a wider digitalisation strategy mention does not amount to a long term vision for the to eID, with also Denmark and Germany adopting a adoption or implementation of eID. It is of course dedicated eID strategy. In the last four years, however, possible that such a vision is detailed in other non-public the publication of eID strategies has been much more documents. common. In this time, 12 Member States have either It is also interesting to consider the year in which these dedicated a section of their digital strategies to eID or documents were published, to understand which developed a dedicated eID strategy (Austria, Bulgaria, countries may have outdated strategies potentially no Croatia, Ireland, Poland, and Sweden in 2017, longer aligned with recent technological and policy Netherlands and Portugal in 2018, France, Luxembourg developments. The results of this analysis are shown in and Malta in 2019 and Italy in 2020). Figure 2, which shows that fourteen of the 26 countries Looking at the countries that first introduced national having adopted a strategy focused on or mentioning eID cards (Austria, Belgium, Estonia, Finland and

9

Sweden), it can be seen that there is no strong driven the development of national eID means (although observable correlation between the year when the eID this may be the case in individual countries). Instead, means was adopted and the year in which the strategy strategies adopted after the provision of an eID means was published. In many cases, the eID means was seem to have focused on extending deployment and the developed and adopted several years before the application of eID to a larger number of use cases. formalisation of national eID objectives. Therefore, we do not see a strong trend whereby eID strategies have

Figure 2: Timeline showing Years of enactment of eID Strategies

objectives set in each of the strategy documents have Common Strategic Objectives among been compiled and compared. Table 1 provides a EU Countries summary of the strategic goals expressed in the various strategic papers, categorizing the objectives in order to With the aim of identifying the main priorities in relation identify those commonly pursued by multiple countries: to eID for the 27 EU Member States, the primary

10

Table 1: Main objectives of the national Strategic documents on eID

Country eID Strategy objectives eID Strategy objectives clusters

Support the “mobile first” strategy so that mobile eID and mobile services are integral parts of the mobile Extend eID use cases / features government platform

eID means extension to additional functionalities Expand the attributes of the eID means to make them usable for additional purposes such as driving license, Austria youth pass, and identity card Extend eID use cases / features

Seamless integration of other Member States’ eID Cross-border eID recognition

Enable personalized services through electronic eID means extension to customized services identification Mobile identification as an essential lever for digital and connected administration

Ensuring that a maximum of online public services (from Enabling digital administration through Belgium the federal level to the regional and local levels) are mobile available using the Federal Authentication Service (FAS), and the eIDs, and that is available to a maximum of citizens. Currently 2000 online public services are available through the FAS. Introduction of the first national eID card / Bulgaria Introduction of a national electronic identification eID means

Introduction of eID for all citizens Full eID coverage

Establishment of a Central Government Information Establishment of a centralised Croatia System concentrating the provision of e-services eGovernment gateway

Enhancing cross-border interoperability of public Cross-border eID recognition administration

Introduction of the first national eID card / eID means Delivering every citizen with an eID which will include Cyprus personal identity data and (biometric) data Full eID coverage

11

Country eID Strategy objectives eID Strategy objectives clusters

Definition of the organizational setup and roles of the parties involved in the eID implementation, the necessary eID ecosystem setting regulatory framework and key standards related to the eID infrastructure

Introduction of a first eID means Realization of a usable across the board, uniform, state guaranteed and EU interoperable system of electronic identification, authentication and authorization Czech Cross-border eID recognition Republic

eID card as a means for secure access to citizens services Secure, easy access to digital services

eID for businesses Making NemID and existing national solutions available for all Full eID coverage

Introduction of NemID (eID solution) Introduction of the first national eID means

Developing mutual acceptance of e-identities across the Cross-border eID recognition internal borders of the EU

Rebuild the eID infrastructure within the next few years (MitID - migration from mid-2021) including several new Denmark strategic and practical aspects, such as: • Enhanced registration methods including the use of identification-app based on passport chip content and facial recognition, enhanced authentication methods including the use of authentication-app on assurance level substantial and high, and a U2F based eID ecosystem setting / review authenticator. (infrastructure) • A modular design with identity brokers ensuring a secure ecosystem with an easy Service Provider connection and future proofing, i.e. continuous adaptation to future security challenges and user requirements • New options for dealing with special needs, e.g. users with disabilities and users who need to authenticate themselves many times a day

Ensuring the right level of security in ID solutions at Enhance security by promoting use of the children and young people national eID

12

Country eID Strategy objectives eID Strategy objectives clusters

Establishing digital tendering procedures and procurement

High level of awareness of information security

The possibility to surrender digital power of attorney and consent

Further development of central technological solutions in the field of eID and digital trust services (digital signature, Introduction of a new eID means digital seal)

Ensure eID support for most widely used open source eID ecosystem setting / review software platforms. (infrastructure)

Cross border interoperable solutions Cross-border eID recognition

Ensure cooperation between public and private sector and Public / private partnerships their capacity to deal with risky and dangerous situations.

Estonia Promote the eID use among foreign nationals to enable them to use Estonian e-services and become, thus, Increase diffusion of eID “virtual residents” of Estonia

Ensure stability in the field of identity management and Enhance security secure identification of a person.

Higher administrative efficiency Use modern, secure and user-friendly technological solutions that enables processes to be automated as much as possible. Easy access to digital services

Ensure usability of electronic identity and eID, expand the Extend eID use cases / features scope of the .

Introduction of regulated (approved/certified) eID providers (private Create a common competitive market for private and BankIDs, private MobileIDs, public ID cards) Finland public eID providers. eID ecosystem setting

13

Country eID Strategy objectives eID Strategy objectives clusters

Promote public and private cooperation. Public / private partnership

Promote user choice of eID by promoting the recognition of generic eIDs in public and private sector digital services Coverage of private sector (despite the branch or sector of business or administration).

Promote use of international standards.

Enhance eID security Guarantee trust in eIDs (eID providers) by defining requirements in legislation, notification process and supervision.

Establishment of a centralized eGovernment gateway Introduction of a new platform called Suomi.fi, which provides citizens, businesses and government organizations the access to online public services eID for businesses

Introduction of a new electronic identification mode Introduction of a new eID means

eID ecosystem setting Introduction of regulated and certified eID brokers and wholesale regulation to enable brokering services ("trust Competition in provision of network") identification/authentication services to relying parties (digital services in private sector and public sector/suomi.fi)

Ensuring that all online public services, and a large number Establishment of a centralized of private services, are available using FranceConnect by eGovernment gateway 2022

Introduction of the first eID national card France Introduction of a national eID card (other means exist)

Certifying identity providers from the private sector with eID ecosystem setting / review (network of substantial and high assurance levels, and integrate them personal identifiers) in the France Connect federation

14

Country eID Strategy objectives eID Strategy objectives clusters

Paving the way for the international implementation of electronic identification, setting the standards for EU- Cross-border eID recognition wide secure and reliable electronic transactions

Federal, state and local governments to offer their Extend eID use cases administrative services digitally by 2022

Implementing smartcard functionalities on mobile phones Mobile identification e.g. online ID function

Germany

Introduce an eID card for use by EU citizens and members of the European Economic Area (as opposed to just Increase diffusion of eID German citizens), thus increasing the population able to access eID solutions in Germany

Involving industry in the commercial use of the eID eID for businesses function

Making it easier to use the eID function, e.g. optimize the Extend eID use cases / features PIN reset procedure and use in corporate networks

Introduction of a first eID card / eID means Implementation of a common e-authentication method Greece combined with a set of identification checks and data security controls (for the access to online services) Enabling digital administration

Leveraging eID as a means to ensure interoperability Hungary Technological interoperability between IT systems

Ireland Developing existing eID capabilities eID means extension to customized services

15

Country eID Strategy objectives eID Strategy objectives clusters

Introduction of a digital service gateway accessible Establishment of a centralized through eID eGovernment gateway

Provide eID for businesses eID for businesses

eID as a key enabling platform for ensuring that citizens and businesses can access online services of the Public Enabling digital administration Administration

Italy

Entrust the management of digital identity and attributes eID ecosystem setting / review (network of to a network of public and private organisations personal identifiers)

Qualify eID as a part of an individual set of digital Enabling digital administration equipment for each citizen to be received Latvia Develop cross-border functionality for cooperation with the EU common use solutions and large scale design Cross-border eID recognition solutions into the national common use platforms and solutions Encourage the population to use electronic identification Lithuania tools and services that ensure the reliability of electronic Enabling digital administration operations

Developing an innovative regulatory environment and Cross-border eID recognition Luxembourg internationally recognised certification for technologies, including electronic identity Technological / regulatory innovation

Development of a user-authentication service which Establishment of a centralized provides a single sign on for users accessing eGovernment eGovernment gateway services Malta

eID ecosystem setting / review Updating of the eID middleware software (infrastructure)

Ensure a safe and secure interaction with digital Increase safety and security of national government services and thus the availability of eID recognised eID means solutions that meet the highest assurance levels. Netherlands

Introduction of an open eID scheme via the Ensuring the availability of multiple eID means Digital Government Act

16

Country eID Strategy objectives eID Strategy objectives clusters

Ensuring the cross-border mutual recognition of the NL Cross-border eID recognition eID solutions – DigiD and eHerkenning

Developing working vision on digital identity with Introduction of a digital base identity stakeholders.

Providing a way for representatives to conduct online Extend eID use cases (internationally) activities on behalf of another person or company

Introduction of the first national eID card / Development of an eID card eID means

Development of a central eID hub, enabling digital identification and authentication of citizens Establishment of a centralized eGovernment gateway Poland Draw on the identification mechanisms used for eBanking to provide access to online public services

Introduction of a federation model for eIdentity enabling private players such as banks or telecoms to provide the Public / private partnership schemes and means for eIdentification

Ensuring that information is available through one single Establishment of a centralized point, accessible using a single identification eGovernment gateway

Development of the available with new eID means extension to additional features functionalities

Allowing citizens to authenticate their identity on public Extend eID use cases Portugal administration sites and systems

Enabling digital administration Make the Professional Attributes Certification System (SCAP) available, for signature and authentication Coverage of private sector

Creation of a digital residency Program enabling access to Introduction of a new eID means digital services

Provision of an electronic centralized system of authentication and unique identification of the users through the implementation of online public services Establishment of a centralized Romania eGovernment gateway Increase the adoption of eGovernment services

17

Country eID Strategy objectives eID Strategy objectives clusters

Providing new opportunities for a comfortable and secure digital identity Extend eID use cases / features Following a PKI smart card model for future eID cards Slovakia Considering making eID means mandatory Mandatory eID

Enabling mobile identification Mobile identification

Introduction of the first national eID card / Introduction of eID cards eID means Slovenia Making eID services available also for businesses eID for businesses

Enable an identification mechanism through username Enabling digital administration and password, integrated into the Cl@ve platform

Spain Multiplatform accessibility of public services, with the aim Extend eID use cases / features of evolving the existing identification and signature systems towards more simple and usable models, also on mobile phones. Mobile identification

Allow individuals to access digital services in both public Public and private services available and private sectors in a simple and secure way through eID

Establishment of a centralized Creation of a centralized governmental portal through eGovernment gateway which citizens and businesses can access all online public services and gather any type of public information eID for organisations

Sweden Provide citizens with eIDs document that can be used in Extend eID use cases / features all contexts

Guarantee electronic identity to anyone who needs it Increase diffusion of eID

18

Country eID Strategy objectives eID Strategy objectives clusters

Implementation of cross-border electronic identification

Cross-border eID recognition Speeding up the implementation of eIDAS in the Nordics and Baltics

The most frequently adopted eID means is the eID Netherlands and Sweden), others that want to ensure version of the national identity card. Member States that legal entities can also access electronic without an eID means (or with an eID means not related identification means (Denmark, Finland, Ireland, to the national identity card) at the time of the Slovenia) and finally, some countries that promote the publication of the strategy (Bulgaria, Cyprus, France, use of eID also among foreigners (Estonia1, Germany2). Greece, Poland and Slovenia) are planning to introduce Several countries have used their eID strategies to a national eID card, while a number of countries with announce plans to extend the services available via the existing eID means announce plans in their strategies to eID means they provide (Austria, Germany, Netherland develop new eID means (Czech Republic, Estonia, and Portugal), for example embedding additional Germany, Finland and Sweden) or to introduce new and functions, such as driving licenses. more secure versions of their eID cards (Netherlands Other countries (Denmark, Estonia, France, Italy and and Portugal). A major trend towards mobile eID Malta) have also announced plans to update their eID solutions is also spreading through most member states. infrastructure to support the use of their eIDs. Denmark, 19 countries have already adopted mobile eID for example, is updating its entire infrastructure solutions, and most eID solutions that were originally surrounding electronic identities in order to increase designed for other supports (electronic card, token etc.) security, introduce a new eID authentication means, have been or are being deployed in a mobile modernize the infrastructure and create a more modular environment. Finally, some solutions adopted by several architecture, while Malta announced plans to update member states are natively mobile. their eID middleware software. Another common objective is to promote the spread and use of existing eID means. In this regard, there are A common link made by many countries is between eID countries that intend to achieve a full eID coverage, and their aim to establish a centralised eGovernment trying to provide all of their citizens with at least one eID gateway (Croatia, Finland, France, Ireland, Malta, means (Croatia, Cyprus, Denmark, Germany, Portugal, Poland and Romania). According to these

1 Estonia aims at promoting the use of eID also among 2 In Germany the promotion of the spread and use of existing foreigners eID means refers to EU citizens and members of the European Economic Area

19

countries’ plans, citizens will be able to access online mandatory. The choice to activate the eID services via these gateways, using their eID means in functionality of the card can be however left to the order to identify themselves. user3.

A final objective of direct relevance to the eIDAS 5 Member States – Belgium, Estonia, Latvia, Regulation, named by several countries (Austria, Luxembourg, Portugal and Spain. Denmark, Croatia, Estonia, Germany, Latvia, eID means exists and is mandatory for new Luxembourg, Netherlands and Sweden), is to ensure the national IDs: The eID means is linked to new cross-border mutual recognition of eID means. versions of the national ID card. The eID means can therefore be seen as mandatory for those that need

a new national ID card. It should be noted that in these cases it is not currently4 mandatory to Legal requirements to hold eID substitute the old-paper documents, which can Another way in which Member States differ in their continue to circulate until their respective expiry approach to eID, regards whether they require citizens date, with the new electronic version. to hold an eID means or whether this is optional. 3 Member States: Croatia, Malta, and Poland. Generally, eID may be mandatory in those countries • eID means exists but is not mandatory: eID means where an eID means is embedded in the national were developed, but there is no legal requirement identity card. A large number of countries with to hold one. mandatory identity cards have integrated eID 18 Member States: Austria, Czech Republic, functionalities. Denmark, Finland, France, Germany, Greece, In particular, according to the legal framework in force in Hungary, Ireland, Italy, Latvia, Lithuania, every country, the 27 EU countries can be categorized in Luxembourg, Netherlands, Romania, Slovakia, the following clusters: Slovenia, Sweden.

• eID means is mandatory due to links with • No eID means currently available: no eID means has mandatory national ID: a national ID card is the been implemented yet (although it may be under mandatory identification means and is available development).

only in the eID format, thus the eID card is 2 Member States: Bulgaria and Cyprus.

3 In Estonia, the certificates on the eID card are activated at 4 The substitution of paper documents for new secure ID the time of issuing, so the eID functionality is active by cards will become mandatory with the implementation of EU default. User can deactivate functionalities after they receive Regulation (EU) 2019/1157. the ID card.

20

Figure 3 – Mandatory / optional eID means use across Member States

21

Generally, eID means are not mandatory per se, but Luxembourg, Romania, Slovakia, and Slovenia), only mandatory insofar as they are associated to however, have so far explicitly confirmed that they will mandatory national ID cards. Thus, in countries where upgrade their national identity cards in order to comply the eID card is the only version of the mandatory identity with the new security requirements by 2021. Of these document, all citizens should hold a card capable of countries, France, Greece, Romania, and Slovenia do not acting as an eID means (although the citizen may not yet have a national ID card with eID functionality. have opted to activate the eID functionality). Lithuania has in fact already gone beyond a simple confirmation, issuing a new version of the national There is no apparent correlation between the presence identity card which includes eID and eSignature of an eID strategy (either as a stand-alone document or certificates, as well as fingerprints in compliance with the as a section within a wider digitalisation strategy) and new EU Regulation5. the fact that a country mandates the possession of an eID means. Countries for which an eID means is Moreover, since Bulgaria, Cyprus, Denmark and Ireland mandatory include those which have just passing do not issue a national eID card to their citizens, they references to eID in their digitalisation strategy have no obligation to comply with Regulation (EU) documents (Belgium, Luxembourg, Spain), while 2019/1157.

Denmark, which has a stand-alone eID strategy document, has not made mandatory any of its eID means in use.

Security of eID Means

As described earlier in this chapter, the new EU rules

(Regulation (EU) 2019/1157) laying out common security requirements for national identity cards throughout the

EU are likely to have a knock-on impact on eID, at least for the countries which use the national ID card as an eID means. The impact is amplified by the fact that national ID cards are the most frequent eID means adopted in the

EU. Having said that, countries which need to upgrade their ID cards in order to comply with the new regulation, may take this as an opportunity to introduce new eID capabilities, e.g. mobile identification.

Relatively few countries (twelve: Belgium, Croatia, Czech Republic, Estonia, France, Greece, Italy, Lithuania,

5 https://www.gemalto.com/govt/customer-cases/lithuania

22

ECOSYSTEMS OVERVIEW: SERVICE PROVIDERS AND 03 ACCESSIBLE SERVICES

Based on the information on the approach to eID adopted by each EU country (available in the next The Role of the State chapter), this overview describes the eID ecosystem European eID ecosystems are heterogeneous in terms of existing in each country, focusing in particular on the their levels of maturity as well as their regulatory following: frameworks. However, they can be divided into three • The role of the State in relation to eID. Namely, main categories according to the role that the State plays whether the State actively intervenes in the within them: provision of eID or whether it adopts a more hands- • Regulator and supervisor for eID schemes and off approach, setting the rules with which eIDs private brokers, identity broker for public sector: should comply, but allowing private suppliers to The eID means is operated by private service lead the way in providing these eID means. providers and the state acts as regulator and • The extent to which online public services are supervisor and as an intermediary that connects available using eID, looking at the availability of Identity Providers with Service Providers in the national eGovernment portals, and whether eID can public sector. Finland represents this model when it be used in order to sign in to these portals. comes to public sector online services. In Finland

23

there is a private regulated market where eID identity provider and is responsible for the providers and eID brokers fulfilling requirements certificate policies, registration authorities and the aligned with eIDAS can notify and be approved in legal framework. Public service providers do not public registry. The state (government body) identify and authenticate users themselves, but rely provides a supervision and approval regime, a kind on the role of the state as certified identity provider.

of certification for eID providers and brokers. There 11 Member States: Austria6, Denmark, Estonia, are several registered organisations that provide eID Greece, Hungary, Latvia, Ireland, Malta, Portugal, means (like the ones mentioned in the mixed model) Romania, Slovakia. or brokering services. The registered providers • Mixed model: This is the most frequent model, constitute the Finnish Trust Network, where the eID where some eID means are provided by the state means providers are obliged to open to brokers with while others by private service providers with the a regulated conditions an access to authentication state acting as identity broker. In general, this takes services. Suomi.fi is a centralised government the form of the state providing national identity function that acquires authentication services from cards with integrated eID capabilities, while also Finnish Trust Network only for public online allowing private-sector providers to develop and services. implement other eID solutions (e.g. Mobile ID – an 1 Member States: Finland eID embedded in smartphones, tablets, wearable

• Primary identity provider: The government is technology and the Internet of Things, BankID – an primarily responsible for the creation, eID linked to bank accounts, PostID – an eID linked implementation, maintenance, and direct control of to postal accounts). the eID means. The state plays this role in more than 16 Member States: Belgium, Bulgaria, Croatia, one third of the Member States. Interesting is the Cyprus, Czech Republic, Estonia, France, Germany, case of Denmark where Nets is the private company Italy, Lithuania, Luxembourg, Netherlands, Poland, developing the main eID means available (NemID) Slovenia, Spain and Sweden7.

and which is responsible for the technical infrastructure. In this context, the government is the

6 In Austria, it should be noted that while the state is their services directly to the trusting parties. Compliance responsible for core citizen attributes, through its with the trust framework is not mandatory, as it is a self- national registers, private providers issue the technical regulating model through soft law. means of identification

7 Sweden has private or public issuers of eID, delivering

24

Figure 4 – Role of the state in the provision of eID means

environment, family, finance, healthcare, insurance, Accessibility of Digital Services legal services and justice, transports, work and retirement and taxation. Focusing on the accessibility of public digital services using eID, the analysis has taken into consideration the According to the way through which citizens can access online services available for citizens, to verify: these services, the online Portal/s were divided into the following clusters: • Whether countries have an online portal which gives access to public services; • Central Portal accessible through eID only: Through a centralized online portal (eGovernment • in which domains (e.g. education, healthcare), centralized gateway), users can identify themselves online services tend to be available; with one of the available eID means (not necessarily • which identification means can be used to log-in to the national eID card but also others, such as mobile the eGovernment portal. apps or eBanking) and then directly access a range Concerning the service access gateway, all 27 EU of national digital services8, regardless of the source countries have at least one online portal from which providing these services and without being required users can access online services. These are mainly public to re-identify themselves by accessing each new services and fall most frequently in the following service. domains: civil registry, defence, education, energy, 20 Member States: Austria, Belgium, Croatia, Czech

8 In some cases (e.g. Austria, Czech Republic), this may co- exist with a decentralised model in that some digital services are not accessible via the central portal.

25

Republic, Denmark, Estonia, Finland, Greece, 3 Member States: France, Italy and Sweden.

Hungary, Ireland, Latvia, Lithuania, Luxembourg, • Central Portal accessible with eID and other means: Malta, Netherlands, Poland, Portugal, Slovakia, Users can access a centralized portal by identifying Slovenia, Spain. themselves through an eID means or a different • Decentralized Portal accessible with eID only after means of authentication (e.g. username/password).

redirecting the user to other portals: Users can 4 Member States: Bulgaria, Cyprus, Germany9 and identify themselves with one of the available eID Romania. means only after having been redirected to a portal Bulgaria and Cyprus do not yet have any eID means, used to access sector-specific or regional services. and may move into one of the other categories once Once redirected to the decentralized portals, they their eID means become fully operational. have to log in using an eID means.

Figure 5 – Accessibility of digital services through online Portal

9 For Germany there is the Federal portal as well as the portal portals of the German states. network which connects this Federal portal to the different

26

COUNTRY OVERVIEW 04

This chapter provides an overview of the state of play in • The foreseen evolutions in the eID domain in each EU countries concerning eID strategies. The chapter country. summarises for each country: Information for this chapter has been collected from • Whether a dedicated eID strategy has been the following main sources:

designed, or whether specific reference is done to • The national digital strategies (where existing) eID in wider strategy documents (e.g. national • The Digital Government Factsheets produced within digital strategies), and what is the implementation the NIFO (National Interoperability Framework status of those strategies; additionally, whether Observatory) action, promoted by the European targeted communication (e.g. through a dedicated Commission;10 website) is done on the national eID initiatives; • The websites of the digital agencies of the various • Which online public services are accessible through countries, particularly those specifically dedicated eID means, whether the private sector is using the to the national eID means (where existing). national eID means as well and how the state is These main sources have been complemented through cooperating with other actors (in the private sector, extensive research in online media of the various in other countries or with supranational member states, as well as in other specialised analyses organisations) in the design and implementation of on the eID ecosystems in the . eID means; The chapter ends with a table (p.89) summarising the eID • Which eID means are used in the country, and what state of play for each country. is their notification status in relation to the eIDAS

regulation;

• Whether actions have being taken to strengthen the security of the adopted eID means in relation with the new Regulation (EU) 2019/1157;

10 https://joinup.ec.europa.eu/collection/nifo-national- interoperability-framework-observatory/digital-government- factsheets-2019

27

Austria electronic identification. • The recent Government agreement between the What is the national digital strategy for eID? current ruling coalition of ÖVP and the Greens “Aus Austria was one of the first European countries to have Verantwortung für Österreich. provided a national eID, piloting a version of its “Citizen Regierungsprogramm 2020–2024”14 also describes Card” in 2003, before making it widely available in future intentions in the area of eID. It highlights in 200511. This was introduced through a government particular the intent to ensure that privacy and data strategy togethers with eID and digital strategy protection concerns are addressed in relation to documents that evolved to a holistic digital strategy. eID, and that the principle of data minimisation is Today, there are 3 main strategy documents indicating complied with. the future direction of eID in Austria, described below:

• The “Digital Roadmap Austria12” was published in Which eID means are available? 2017 by the Federal Ministry for Digital and Currently, the country is making use of four eID means, Economic Affairs. It provides an overall national although none of them have yet been notified: approach towards digitisation, with 150 measures across 12 areas, including politics and • “Citizen card” based on chip-cards and mobile administration. In this chapter, the Government phone signature: it is used by citizens in order to describes its intent to expand the attributes of the access e-government services. It was available in main national eID means – the citizen card and two forms, as a mobile phone signature app, or as a mobile phone signature - to make it usable for card with an activated Citizen Card function with a additional purposes. The attributes listed include, card reader. In a major revision of the eID system it for example: driving licence, youth pass, and identity evolves to the “E-ID” to launch beginning 2021 card. In addition, the roadmap announces plans to where the mobile eID is developing into the new “E- introduce an administrative registration process ID” whereas chip-cards will only be relevant as that will provide greater security. possible second factor triggering the new E-ID (e.g. for certain professional use-cases etc. rather than • Additional insights into the federal government’s for the broad public). approach are provided by the short “eGovernment Vision 2020”13 summary, developed by the Platform • E-ID (from 2021): Following the experience with the Digital Austria (PDÖ), the coordination and strategy system showing poor take-up of card-based eID and committee of the Federal Government for good performance of mobile eID the eID means has eGovernment in Austria. This statement highlights undergone a major revision. A new E-ID which is an the intent to enable personalised services through evolution of the mobile eID launches beginning of

11 13 https://www.digitales.oesterreich.gv.at/e-government- http://www.egov2012.gov.cy/mof/DITS/conference/Europeo vision-2020 ne.nsf/All/E7916860932FBB22C2257ACB004BAEBE/$file/SESS 14 Aus Verantwortung für Österreich. Regierungsprogramm ION1_No2_KUSTOR.pdf 2020–2024, 12 https://www.digitalroadmap.gv.at/ https://www.dieneuevolkspartei.at/Download/Regierungspro gramm_2020.pdf

28

2021. through a public-private cooperation framework, with a

• Health insurance card: this card has replaced health private organisation, A-Trust GmbH, a group of Austrian certificates in Austria since 2005. It could be chambers and banks, responsible for the development activated as Citizen Card, thus be used as eID, and technical infrastructure. between 2005 and 2020. Due to low take-up the eID

function has been discontinued. What is the level of use of eID?

• Profession card: a card with the primary purpose of Austria counts over 1.600.000 citizens using electronic enabling the user to identify as certain profession, identification means and electronic signature. Since like lawyer, notary public, or civil engineer. 2011 the mobile solution of the Citizen Card linked to the Profession cards can be used as eID. mobile phone signature already represents the most widespread form of the e-ID in Austria, in 2020 reaching

a circulation of approx. 18% of the Austrian population with an average of 61,000 daily transactions. What plans are there for new or updated eID means? Usage of the mobile eID is free of charge and the users The eID means has undergone a major revision to be simply need a browser and a mobile phone to access launched beginning of 2021. This revision emphasizes on online services. Citizens can access a wide range of public mobile eID to support the Austrian mobile first strategy, services using it16. Concerning the public services, these it shall seamlessly integrate with the mobile platform can be accessed through the official governmental “Digitales Amt”. A further evolution is to support portal17 , where citizens, after online digital identification services by embedding additional attributes such as via single sign-on (SSO), can, without further password driving license or young people’s pass. requests, manage requests related to:

How is the national eID ecosystem set up? • Civil registry

Austria exhibits a mixed and heterogeneous eID • Defence ecosystem, with different types of entities providing the • Education various eID means available. In particular, while the • Health Citizens Card, the health card and the profession card • Security solutions are created, implemented and directly • Tax policy controlled by the state, the e-Identifikation solution is a private means created by STUZZA GmbH15 to respond to • Work and retirement the need of the Austrian banks to be provided with the The eID can also be used for private sector transactions, identity data of their customers. by calculating private-sector-specific identifiers

The Citizen Card’s accompanying Mobile Phone additional data protection measures are applied. Signature and App is developed and implemented Moreover, it allows legally secure electronic signing of

15https://asquared.company/en/blog/e-identity-solutions-in- 16 Full list available here: https://www.buergerkarte.at/en/ europe-an-european-overview-769/ applications-card.html 17 https://www.oesterreich.gv.at/oeservices.html

29

documents such as contracts, receipts, cancellation state is the “Belgian law on electronic identification” (18 notices or other electronic forms (in PDF format)18. July 2017) which completes the eIDAS Regulation20. Importantly, this legislation establishes that along with

public providers, external private providers can also Are actions planned to increase the security of identity develop and operate electronic identification means for cards and (eID means)? access to public services. Both public and private As described in the Digital Roadmap Austria, Austria has offerings are made available via the ”Federal planned to implement a future official administrative Authentication Service” (FAS). registration process, which will ensure a greater level of The “Digital Belgium” action plan for the digital future security19. Nevertheless, it hasn’t explicitly confirmed of the country, also emphasises the importance of easy that specific measures will be put in place to comply with mobile identification as “an essential lever for digital and the new Regulation (EU) 2019/1157. connected administration”21. The action plan highlights

the ITSME digital identification means in this regard.

Belgium What eID means are available? Currently, three eID means have been notified for cross- What is the national strategy for eID? border use under the eIDAS Regulation: Belgium was one of the first countries in the world to • National cards : implement eID at the national level. To do so, it o Belgian Citizen eCard and Foreigner eCard: developed a framework containing a series of legislative these documents contain two certificates, measures (Royal and Ministerial Decrees), which since one for authentication, and one with an 2003 have been in continuous evolution: electronic signature; • Royal Decree of 25 March 2003 on the legal o Kids-eID card: it allows children under 12 to framework of electronic ID card; be identified rapidly, either within or • Ministerial Decree on the format of electronic ID outside Belgian borders. It is, therefore, a cards of 26 March 2003; secure identity and . • Royal Decree on the generalisation of electronic ID • ITSME mobile app cards of 1 September 2004; Other non-notified eID means available are TOTP + • Royal Decree on the eID document for Belgian username / pswd, Token + username / pswd, and children under 12 of 18 October 2006. username / pswd. The most recent legislative measure adopted by the

18 https://www.buergerkarte.at/en/pdf-signature-card.html 20 http://www.ejustice.just.fgov.be/cgi_loi/loi_a1.pl?sq 19 https://www.digitalroadmap.gv.at/fileadmin/ l=(text%20contains%20(%27%27))&language=fr&rech=1&tri= downloads/digital_road_map_broschuere_eng.pdf dd%20AS%20RANK&value=&table_name=loi&F=&cn=201707 1809&caller=image_a1&fromtab=loi&la=F 21 https://bosa.belgium.be/fr/actualites/arrete-royal-du-22- octobre-2017

30

have been issued23. Belgian Citizen eCard and Foreigner eCard are mandatory and have a duration validity of 10 What plans are there for new or updated eID means? years (5 years for the eIDs issued until 2014). Since 2014, eID means are continuously being assessed and adapted. over 2 million cards have been delivered per year, with F.i. email otp was introduced in 2019; FIDO2 is being the eID card in fact compulsory for all citizens of 12 years considered, mobile authentication (for mobile native and more. apps) is another important track on which we are For ITSME, so far 2,7 million Belgians and permanent working. Partnerships with private IdPs remains possible residents in Belgium have created an account by the end under conditions provide by Royal Decree laying down of 2020 (24,5 % of the whole population). Each month of the conditions, procedure and consequences of 2020, nearly 10 million transactions are conducted using accreditation of electronic identification services for the app. public applications (22/10/2017) .

With these eID means, over 2000 public applications are available, for which, in 2020, 76%of all authentications How is the national eID ecosystem set up? have been made using the notified eIDs. The main As already described, both public and private providers federal services are listed in the portal are able to offer electronic identification means that can https://my.belgium.be/, and concern mainly the 22 be used to access government services in Belgium . All following domains: Finances, Social Security, Civil electronic identification means are available via the registry; Energy; Environment; Health; and Property / “Federal Authentication Service” (FAS). Land administration. Many regional and local online

The federal government plays a leading role in this services are available through the portal of the ecosystem as provider of the Citizen eCard and Foreigner municipality/region. eCard and as developer and owner of the FAS. The FAS is A dedicated website24 has been implemented for used by online public services from all over the country, informing citizens on the features and usage of the from federal to local level. Another leading eID means in national cards means. the country, ITSME, is provided by BMID, a joint-venture Are actions planned to increase the security of identity consortium of Belgium’s banks and mobile network cards and (eID means)? operators founded in 2016. Since 2018, Itsme is Belgium is introducing biometrics to strengthen the recognised by the Belgian government to be used within security of the Citizen card and the Foreigner card. the FAS for connecting to public services (Royal Decree Fingerprints will be introduced, enabling Belgium to of 22 October 2017). comply with the new Regulation (EU) 2019/1157. A pilot What is the level of use of eID? project has started in January 2020 in the municipality of For the national cards, as of 2020, over 28 million units Lokeren, followed by 24 others, with all other

22 23 https://www.gemalto.com/govt/customer-cases/ http://www.ejustice.just.fgov.be/cgi_loi/loi_a1.pl?sql=(text% belgium 20contains%20(%27%27))&language=fr&rech=1&tri=dd%20A 24 https://eid.belgium.be/ S%20RANK&value=&table_name=loi&F=&cn=2017071809&ca ller=image_a1&fromtab=loi&la=F

31

municipalities following suit by June 2020, in case of started in 2016, as a payment solution from a consortium positive outcome of the pilot.25 Rollout in 2021. of banks. The plan is to make this card become a means of electronic identification by 202229. Bulgaria How is the national eID ecosystem set up? What is the national strategy for eID? The national eID being developed will be provided by the Bulgaria adopted national legislation on eID in 2016, Government. At the same time, as mentioned above, the when the Ministry of Transport, Information Technology group of banks behind the National Card Scheme and Communications carried out the: described above have announced intentions to develop • Electronic Identification Act26. This specific an eID functionality. However, it is not clear yet whether regulation is part of a wider country digitalisation this would be recognised by the state as a means to strategy, which began in 2008, when the access public services. eGovernment Act (EGA) entered into force, and

evolved over the years with the adoption of several governmental policies and amended acts. What is the level of use of eID?

Recently, the Governance Programme of Bulgarian As mentioned above, no eID means are currently Government for the period 2017 – 202127 was adopted. available.

This Programme contains important measures related to Moreover, even though at end of 2018, 150 online digital public administration in Bulgaria, and notably administrative services were available, these are announces the intention to introduce a national accessible without the need of being in possession of an electronic identification means. eID card. Still, there is a dedicated website30 for informing citizens about eID and its future utilization.

What eID means are available?

Bulgaria does not currently have a fully operational eID Are actions planned to increase the security of identity means. cards and (eID means)?

The state is developing new biometric technologies to be

What plans are there for new or updated eID means? included within its future eID means, which eventually will allow it to comply with the new Regulation Bulgaria has announced plans to develop a national eID (EU)2019/1157.31 means and is currently running an eID pilot project.28

In addition, the Bulgarian National Card Scheme “Bcard”,

25 https://www.gemalto.com/govt/customer-cases/ 28 http://eid.egov.bg/ belgium; https://www.sudinfo.be/id161441/article/2020-01- 29 https://www.bcard.bg/en 14/ 30 http://eid.egov.bg/ lempreinte-digitale-sur-la-carte-didentite-cest-parti-ce-mardi- 31 Planet Biometrics (2016), Bulgaria to launch biometric ID pour-lete-toutes cards, available at https:// 26 http://www.lex.bg/bg/laws/ldoc/2136822116 www.planetbiometrics.com/article-details/i/4084/ 27https://www.government.bg/files/common/GovPr_2017- desc/bulgaria-to-launch-biometric-id-cards/ 2021.pdf

32

Croatia has 21 available eID means in use at national level. The National Identification and Authentication Croatia System (NIAS) underlies the use of all these means, as the IT system used to identify and authenticate users What is the national strategy for eID? when they attempt to access public services online. In recent years Croatia has released a number of A large number of eID means, provided by both public documents and strategies describing its plans and and private suppliers, can be used together with NIAS in intentions for eID: order to access online public services35 as well as private • the Croatian Government programme for 2016- services36.

32 2020 states the objective of introducing eID for all Republic of Croatia notified the eID scheme NIAS and citizens, connected to the establishment of a Central Personal Identity Card (eOI) in 201837. Government Information System concentrating the The primary form of eID means owned by the state or provision of e-services on one platform(e-Citizens state agencies are: portal); • The Personal Identity Card (eOI): which since 2015 • the Croatian National Digitalisation Strategy (e- has been issued as the national identity card38 (LoA Croatia 2020)33 dedicates a specific section to eID, high, included in NIAS and publicly available to describing it as a key enabler necessary for the access public services online since 2015., notified achievement of the eGovernment Action Plan. It with NIAS 2018.) also places particular emphasis on the provision of • mToken - an state owned application created by eID as one of the main components necessary to CARNet for smart phones which is free for Croatian provide citizens access to electronic public services. citizens (LoA substantial, included in NIAS and • the Identity Card Act of 2015 is the legislative basis publicly available to access public services online of the above strategic approach. It states that every since 2014., free for Croatian citizens) Croatian, regardless of age and residence (Croatia or • ePass: user name/password mean which is also abroad) can request and possess an eID card and state owned and free for Croatian citizens (LoA low, that every citizen aged 18 years and more, residing included in NIAS and publicly available to access in Croatia, can request both an authentication and public services online since 2014., free for Croatian an electronic signature certificates34. citizens)

• AAI@EduHr: user name/password mean, operated What eID means are available? and coordinated by the University Computing

32 35 List available at https://gov.hr/e-gradjani/lista-prihvacenih- https://vlada.gov.hr/UserDocsImages/ZPPI/Dokumenti%20Vla vjerodajnica/1667 da/Program_Vlada_RH_2016_2020.pdf 36 https://joinup.ec.europa.eu/sites/default/files/inline- 33 https://uprava.gov.hr/UserDocsImages/Istaknute files/Digital_Government_Factsheets_Croatia_2019.pdf %20teme/e-Hrvatska/e-Croatia%202020%20Strategy%20- 37 EUR-Lex - 52018XC1107(01) - EN - EUR-Lex (europa.eu) final.pdf 38 Ministry of Public Administration Republic of Croatia (2018), 34https://ec.europa.eu/cefdigital/wiki/download/attachments Overview of the Croatian eID scheme /62885743/L8.v1.0%20Law%20on%20Identity%20Card%20EN G.pdf?version=1&modificationDate=1531760999909&api=v2

33

Centre, University of Zagreb (SRCE) (LoA low, national eID card in managed by Ministry of Internal included in NIAS and publicly available to access affairs. .41 public services online since 2014., free for Croatian As described previously, both private and public citizens)) organisations are able to provide eID means and credentials that can be used to access online Other forms of eID included in the NIAS are Croatian government services. Post, Croatian telecom inc., banks whom provides their customers with eID means (so far 9 of them) and 2 state- What is the level of use of eID? owned agencies FINA and AKD that are market-oriented and represented on the free market with their eID The digital public services that can be accessed by using products. the eID card are listed in the eCitizens portal, namely

Altogether, there are 21 eID means in NIAS. concerning the following domains:

• Business

Access to the e-Citizens portal (see below) is possible • Civil registry both through the means mentioned above, but also via • Defence online bank authentication. Bank users can log in • Education through: • Health 1. Mobile App • Property / land administration 2. Token devices • Security

• Tax policy What plans are there for new or updated eID means? • Transport and vehicles New eID means are continuously included in NIAS39, two • Work and retirement new requirements are currently under consideration. As from 2014 to mid-2020, statistical data from the e- The main current trend is instead an effort to increase Citizens portal shows42: the number of online public services available to citizens using eID. - Over 1 million unique users of online government services How is the national eID ecosystem set up?

NIAS allows access to eGovernment services through the - Over 1.3 million used e-means (one single user eCitizens portal40, which aggregates all of them. NIAS is can log in to e-services with several different was provided by Ministry of Public administration, and credentials) today it is under the jurisdiction of the Central State - Over 40 million authentication to e-services Office for the Development of the Digital Society and the (SSOn)

39 Središnji državni portal - Lista prihvaćenih vjerodajnica 41 Website – About Project, available at (gov.hr) https://europe.gov.hr/about-project/86 40 https://pretinac.gov.hr/KorisnickiPretinac/eGradani.html 42 https://data.gov.hr/dataset/e-gradjani-statistika

34

The e-Citizens portal was established in 2014. Today it The “Digital Strategy for Cyprus”45 dating back to 2012 offers as many as 77 e-services to Croatian citizens. and covering until 2020, was developed by the Ministry During 2016 and 2017 Ministry of Public Administration, of Communications and Works (Department of with the support of the Financial Agency, implemented a Electronic Communications), with the goal of spreading project called "Ensuring Access to Croatian Public e- ICT in all sectors of the economy and society. The eID is Services within the e-Citizens Platform for EU / EEA the object of a specific measure, stating the target of Citizens". This project enabled cross-border delivering every citizen with an eID “which will include authentication, established the europe.gov.hr platform personal identity data and passport (biometric) data. The as the central platform for Croatian public e-services for eID will also be capable of storing an advanced certificate foreigners and enabled the use of first ten public e- for the creation of qualified signatures and other data”. services for EU/EEA citizens. In view of implementing the recommendations of the

In May 2018 project "ePIC - Electronic Public Digital Strategy, in 2016 Cyprus partnered with Estonia Identification Croatia" started, within which eight new (in particular with the Estonian e-Governance Academy) electronic services have been upgraded so they can be to design a plan for the implementation of eID, based on available to citizens of the European Union and the Estonian best practice, that was completed in May 2017. 46 European Economic Area. Today there are 18 e-Services The Memorandum of Understanding defined the on-line and ready43. organisational setup and roles of the parties involved in the eID implementation, the necessary regulatory

framework and key standards related to the eID Are actions planned to increase the security of identity infrastructure (compliant with the EU eIDAS regulation cards and other eID means? to be used by private and public sector institutions). On 27 August 2020 Government of the Republic of However, it was not until 2019 that more concrete steps Croatia sent to the Croatian Parliament a Proposal for have been taken for the implementation of a national Amendments for Identity Card Act. This Amendments eID means. In relation to this, amendments to the will harmonize Identity Card Act with Regulation (EU) existing legislation on the eIDAS implementation, the 2019/115744. The Croatian parliament adopted Civil Registry and the technical specifications of the eID amendments to the law on identity cards on 23.12.2020. protocol have been drafted.47 On 02/01/2020, the and they will come into full application from 02.08.2021. Department of Electronic Communications of the

Ministry of Transport, Communications and Works

Cyprus

Is there a national digital strategy on eID?

43 e-Citizens Platform for EU/EEA Citizens - Home (gov.hr) 46http://cyprus-mail.com/2016/01/26/cyprus-seeks-help- 44 PZE_13.pdf (sabor.hr) from-e-government-pioneer-estonia/ 45 https://ec.europa.eu/newsroom/dae/document.cfm 47 Available at http://www.mcw.gov.cy/mcw/dec/ ?doc_id=4831 . The national Digital Strategy is due to be dec.nsf/all/B5D46C6021 reviewed upon the completion of a tender for its update from 028B0AC22584F60040F825?opendocument 2020 onwards.

35

announced the launch of a public consultation48 aimed Based on currently available information, the future eID at obtaining comments and suggestions on a National ecosystem shall be regulated by the state – which will act Plan for Electronic Identities. Under the proposed plan as identity broker – and operated by private entities “any Electronic Identity Service Provider authorized under public supervision. The legislation drafted allows under the National Electronic Identity Plan can provide private entities (“Electronic identity service providers”) citizens with e-ID services”. to issue eID only if in possession of a liability insurance

49 for a minimum of €1,000,000 . The Ministry of Transport will oversee the issuance of eIDs, supported by Which eID means are available? the Ministry of Interior (which manages the Population No eID means are currently in use. Register)50.

The contract with the Civil Registry and Migration What plans are there for new or updated eID means? Department of the Ministry of Interior of Cyprus to The main expected evolution, due in relatively short upgrade and manage the country’s system for biometric term, is the development of a national eID card, as part data collection, centralized personalization, and of the National Electronic Identity Plan described above. issuance of electronic , ID cards and residence The eID means is under preparation and is due to be permits, has been awarded to Veridos, a joint venture completed in 2020. between the German state-owned Bundesdruckerei and the security group Giesecke+Devrient (G+D).

How is the national eID ecosystem set up? What is the level of use of eID?

As Cyprus has not yet issued national eID cards to The possible future use of the eID relies upon the existing citizens, a fully functioning eID ecosystem has not yet and soon to be upgraded government gateway portal, been set up. “Ariadni”51. Ariadni enables both citizens and businesses The state has first launched an open tender procedure to access a series of digital services, for which designed in 2017 to procure an eID solution for secure registration is required, and may in the future be digital transaction tools in the private and public sector. accessed through the national eID means, through At the beginning of 2019, the e-governance Council, common user identity management / authentication and which is currently in charge of the implementation of authorization and single sign-on credentials. Currently, digitization reforms, in anticipation of the launching of registration on the site is required, to be confirmed at the Deputy Minister of Research and Innovation, has Citizen Services Centres or at the Central Post Office. taken the decision to promote the implementation of Currently 40 e-services are accessible over Ariadni, the electronic identity cards programme and to prepare covering the following domains: a national means on eIdentification and eSignature by • Agriculture changing relevant legislation, as reported above. • Business

48 http://www.mcw.gov.cy/mcw/DEC/dec.nsf/all/ 50 https://www.financialmirror.com/2020/01/22/one-step- B5D46C6021028B0AC22584F60040F825?opendocument closer-to-e-governance-with-electronic-ids/ 49 https://www.biometricupdate.com/202001/cyprus-mulls- 51 https://eservices.cyprus.gov.cy/EN/Pages/Home. over-digital-ids-as-electronic-signatures aspx

36

• Civil registry Regulation eIDAS”52.

• Culture The digital strategy (Digital Czech Republic53) issued in

• Environment 2018, confirms the strategy of the implementation of full electronic submission using eIdentification, in • Health accordance with the eIDAS and in compliance with a • Marine “digital by default” principle. • Property / land administration In that context, the new Czech National eID card will • Tax policy contribute to facilitate secure access to citizen services, • Transport and reduce administrative burden.

• Work and retirement Regarding the legislative framework:

• A law on electronic identity54 was issued in 2017,

Are there actions planned for increasing the security of the law creates conditions and functional identity cards and the consequent use of eID? environment for development and delivery of new on-line services able to use electronic identification There is no specific reference in the available means for identity proof of its users. Introducing a documentation to increased security requirements set 'national point for identification and authentication' forth by Regulation (EU) 2019/1157. The existing Cypriot as a necessary part of the environment, an identity card already includes biometric data (fingerprint information system that provides a shared tool to all and photograph) in order to strengthen its level of public authorities to verify the identity of users of security. their online services. Private providers of identity

means will also be able to participate, so that their

identity services can be used to access online public services.

Czech Republic • The Act on Citizen Identity Cards55 Act. No.

Is there a national digital strategy on eID? 328/1999 Coll. on identity cards, as amended. Amended Act introduces issuance of identity cards The Strategic Framework of the Development of Public with contact electronic chip and identification Administration in the Czech Republic for 2014-2020 sets certificate from 1.7.2018 as an identification means forth the objective of a “[r]ealization of a usable across with the highest level of assurance mainly used for the board, uniform, state guaranteed and EU on-line public administration services use.; interoperable system of electronic identification, authentication and authorization […] assumed by the EU

52 https://www.mvcr.cz/soubor/strategic-framework-for-the- 54 https://www.mvcr.cz/clanek/zakon-c-250-2017-sb-o- development-of-public-administration-in-the-czech-republic- elektronicke-identifikaci-a-souvisejici-zmenovy-zakon-c-251- for-the-period-2014-2020.aspx, p. 50 2017-sb.aspx 53 https://www.databaze-strategie.cz/cz/mv/strategie/ 55 https://www.zakonyprolidi.cz/cs/1999-328 digitalni-cesko-2030?typ=struktura; https://www.digitalnicesko.cz/

37

Which eID means are available? replacement for the national eID card which has a LoA

The national identity card, which since 1/7/2018 has high. Services, where “stronger” (LoA high) verification is included a chip enabling electronic identification, is required will not be accessible using this eID. "But we mandatory for every national of the Czech Republic aged assume that 90 percent of the operations will go through 60 15 or more. Function of electronic identification of banking identity ," says one of the MPs who presented national identity cards is optional (opt – in). There are the bill. also another eID means – both from state and from Once the necessary infrastructure and technological private sector56. eID means provided by other subjects processes for communication between banks and than the state needs to be accredited57. The country electronic service providers are set up, the launch of the notified the eID scheme in 2019 under the authority of BankID could be expected, tentatively, around the first the Ministry of the Interior of the Czech Republic. half of 2021.

What plans are there for new or updated eID means? How is the national eID ecosystem set up?

The Czech Banking Association is cooperating in As described above, both public and private providers preparing an eID means, BankID58 as part of a project are able to provide digital identity means which can be called “Sonia”, launched in February 2019 and aimed at used to access online public services. Although currently, facilitating the handling of its affairs with private the main eIDs in use are the national identity card and companies and authorities electronically. A group of NIA ID provided by the Ministry of the Interior, deputies proposed during summer 2019 a bill to allow respectively by the National Registers Authority, other banks to participate in the state digital identity scheme. competing means such as eID mean from I.CA, mojeID or The amendments to the electronic Identity law and also BankID can be expected to provide competition in the to the banking law necessary for the implementation of near future.

BankID initiative were signed by the Czech President on The Citizen’s Portal,61 launched in 2018, allows access to 59 February 12, 2020 . The BankID, inspired by similar 130 digital services62 and redirects on more than 35 experiences in the Nordic countries, is intended to be cooperating portals using the new national eID card and used to access eGovernment services but also some other eID means. Services are provided in the following services in the private sector. domains:

BankID shall be available for citizens and businesses • Business alike. However, it will not provide a complete

56 https://info.eidentita.cz/idp/ 60 iDNES.cz (2019), The office through the bank. The citizens' 57 https://www.mvcr.cz/clanek/seznam-udelenych-akreditaci- portal is to be made accessible to more people, available at pro-spravu-kvalifikovaneho-systemu-elektronicke- https://www.idnes.cz/ekonomika/ identifikace.aspx domaci/portal-obcana-internetove-bankovnictvi. 58 https://www.bankovni-identita.cz/ A190711_488255_ekonomika_are 59 https://www.businessinfo.cz/clanky/cesta-k-vyuzivani- 61 https://obcan.portal.gov.cz” bankovni-identity-cechy-je-otevrena-prezident-podepsal- https://www.mvcr.cz/clanek/portal-obcana.aspx potrebne-novely/ 62 https://joinup.ec.europa.eu/sites/default/files/inline- files/Digital_Government_Factsheets_Czech%20Republic_201 9.pdf

38

• Civil registry Denmark • Education What is the national strategy for eID? • Health For years, Denmark has been recognized as one of the • Justice most digitised European nation. Helping it reach this • Property / land administration position has been a clear strategy on eID, laid out in

• Security several digitisation strategies, the first one being published in 2001. The “Digital Strategy 2001-2004”63 • Tax policy included recommendations on developing specific • Transport electronic identification means, in particular highlighting • Work and retirement the need to establish an infrastructure that supported • Regions electronic documents from citizens, companies and

• Municipalities other authorities. Since 2001, every 4 years a new digitization strategy has been negotiated and agreed. However, although more than 1.1 million new eID cards Major decisions in relation to developments of the have been issued as of the end of 2019, only around national eID have need taken within the framework of 66,500 people are registered on the portal. A possible the digitization strategies. In this regard, an important reason for the disparity between these numbers of the milestone has been reached with the “Digital strategy eID national card holders is that the registration requires 2007-2010”64 which foresaw the introduction of the first both a unique reader for the eID card (which has to be Danish eID solution (NemID). Right now, the current purchased separately as it is not given to the user with digitisation strategy is represented by the following the eID card) and specific software. But the numbers of documents: users increase continuously. • The “Digital Strategy 2016-202065” was

implemented in 2016 under the authority of the Are there actions planned for increasing the security of Agency for digitization and includes a dedicated identity cards and the consequent use of eID? section called “The Public Sector Protects Data” in With regard to the function of electronic identification of which it focuses on the interventions planned for the national identity cards, identification has the LoA eID. In particular, the strategy highlights the need to high. The Czech Republic is preparing to add biometric implement digital identity solutions such as NemID data to the national identity cards as required by for businesses with the aim of ensuring them to Regulation (EU) 2019/1157. receive the right benefits and report correct data (e.g. VAT returns). Similarly, another recognized challenge addressed by the strategy relates to the need to ensure the right level of security in eID

63 https://digst.dk/media/12700/digitaliseringsstrategi-2001- 65 https://en.digst.dk/media/14143/ds_singlepage_uk_ 2004.pdf web.pdf 64 https://digst.dk/media/12701/digitaliseringsstrategi-2007- 2010.pdf

39

solutions for children and young people who are not Denmark currently has two eID solutions:

old enough to have a NemID, but who need to • NemLog-in3,67 which in 2020 becomes operational, securely navigate online and log on to relevant replacing the previous version of the scheme named digital services. Additionally, the strategy mentions (NemLog-in2), represents a long-term and highly that existing eID means will have to be updated in flexible, coherent solution, which in the future (once the coming years to respond to the need for creating NemID will be expired and substituted with the new long-term solutions with a high degree of flexibility solution) will become the primary means of eID for and positive user experience, so that they will be businesses usable in all public sectors of all EU Member States. • NemID,68 which was notified in April 2020 and which • “The future infrastructure for digital identities in includes the following six products: Denmark”66 was published in 2017 and describes o Key card (OTP) the Denmark strategy to rebuild the eID o Mobile app infrastructure within the next few years. Looking o Key token forward to the expiration of the contracts for the existing eID means at that time (NemLog-in, which o NewID hardware contract expired in 2019 and NemID, supplied until o Interactive voice/response (OTP)

2021 by Nets DanID A/S, which will then be o Magna key card (OTP) replaced), the country presented the main requests NemID can be issued both to natural and legal entities69. that were then inserted in the tenders for the new Since the range of services covered by these two means solutions to be provided. Looking at the future, is very extensive covering all e-services provided by the MitID represents the new generation of NemID and banking and insurance sector and a plethora of other will be a user-friendly and future-orientated key to private services including, but not limited to, auction online banking and Digital Post, having also many houses, betting portals and many others. NemID when it additional attributes and functionalities enabled was developed, replaced a selection of different online (e.g. compliance with new signing standards as well schemes and means for authentication which had been as smartphone-based, password-based and physical developed from 1999 to 2008. NemID will be replaced by authentication factors). The previously existing MitID in 2021. infrastructure was reviewed and re-assessed to

introduce the concept of a certified identity broker responsible for handing the authentication process What plans are there for new or updated eID means? for the end user. A new digital identity solution, MitID70, will replace the

NemID-solution in 2021. With MitID, users will be offered the same functionality NemID delivers today, What eID means are available? with additional ease of use, flexibility and future-

66https://en.digst.dk/media/14836/english_fremtidens- 68 https://www.nemid.nu/dk-en/ infrastruktur-for-digitale-identiteter.pdf 69 https://www.nemid.nu/dk-en/about_nemid/ 67 https://digst.dk/it-loesninger/implementeringssite/ business/ infrastrukturbeskrivelse/nemlog-in3-projektet/ 70 https://en.digst.dk/digitisation/eid/next-generation-nemid/

40

proofing. factor) and therefore allowing users both to identify

MitID will build on one common identity core, which will themselves online and to digitally sign documents. be used not only by public players, but also by financial Going forward the aim is to also provide easier institutions and other private service providers needing access for users to services which require a lower secure digital personal identities. One of the main level of security. objectives is that all personal identities registered in the • Privacy and context dependent information: the core may be used across sectors and service providers. same standard of privacy of the current solution

The development of the system will take place in a should continue to be abided by. Meanwhile, the partnership between the state and Finance Denmark, Agency of Digitisation continues to examine ways to the Danish Bankers Association. This will help to end the increase privacy and security. division established by the predecessor, NemID, which • Improved support options: the new solution has the consists of two independent parts - the 'banking goal of reducing the overall cost of support and solution' and the public, PKI-based 'OCES solution'. This improve user satisfaction. will now be replaced by a common identity and new authentication means with a single identity core How is the national eID ecosystem set up? supporting authentication and life-cycle handling of The NemID solution was developed within a public- digital personal identities. private partnership between the Danish public sector The development of the MitID is still not completed, and Danish banks. For the development of the new MitID however the following principles are being applied: means the state also cooperated with the private sector, • Better administrative solutions for businesses: in particular with the Danish Bankers Association, with more adequately handling the needs of businesses the main objective of updating the existing platform. with divergent needs according to their differing Under the new system, as it is the case today, online size, number of employees and digital service providers will not identify users themselves, but competencies; will rely on one of the certified identity brokers to do so. • Extended use of private eID means for business It is expected that there'll be a selection of different purposes, to be done by connecting the user’s identity brokers:

private MitID to a business’s CVR number; - From the public sector servicing private and • Multiple login factors, the new MitID infrastructure public sector e-services;

introduces new authentication means and it eases - For banks; the introduction of new future authentication - For service providers in other parts of the means.; private sector. • Multiple security levels and a separation of eID and The country is also cooperating with other Nordic-Baltic electronic signature: the current NemID solution fulfils the requirements to eIDAS Level of Assurance: Substantial as per the notification in April 2020. It is based on two ‘login factors’ (username/password combined with a secondary possession based

41

states within the NOBID project71 which is meant to cards (and eID means)? build on and support the ambitions of the eIDAS Denmark does not currently issue a national identity regulation by identifying barriers to the use of identities card 74 and there is therefore no obligation to update the through eIDAS and further developing existing national security levels of such a national ID card in accordance services to allow for full self-service based on an eIDAS with Regulation (EU) 2019/1157. identity. It is the intent to bring together like-minded countries and achieve maximum value from the eIDAS regulation Estonia

What is the national strategy for eID? What is the level of use of eID? Estonia is one of the most digitised European countries Although the use of the National eID means is not and one of the most advanced in terms of the mandatory, approximately 5.16 million Danish citizens implementation of eID solutions75, credited by the use NemID and more than 60 million transactions International Telecommunications Union (ITU) as having currently take place on a monthly basis72. “by far the most highly-developed national ID card Citizens and businesses use NemID to log on to borger.dk system in the world”76. (the official one-stop-portal where the vast majority of In Estonia, the eID policy and strategy is the governmental e-services are available for example e- responsibility of two ministries: Ministry of the Interior services related to taxes, healthcare, welfare services, and Ministry of Economic Affairs and Communications. employment, among many others can be found), virk.dk (a data catalogue with open government data provided Therefore, there are 2 main strategy documents by various public institutions) and a long list of private indicating the future direction, described below: websites (like online banking), to use an array of digital The “Digital Agenda 2020 for Estonia”77 was published self-service solutions and to use Digital Post (digital mail) in 2014 by Ministry of Economic Affairs and which is also available on borger.dk. Communications. It summarizes all objectives towards

The public services accessible through the single and digital society and focuses on creating an environment official gateway73 covers virtually all public services in that facilitates the use of ICT and the Development of Denmark. smart solutions in Estonia in general. The strategy focuses on several eID measures as follows:

• Development of a common service space for the Are actions planned to increase the security of identity

71 https://www.difi.no/nobid 75 Already in 2002, with the adoption by the Estonian 72 https://ec.europa.eu/cefdigital/wiki/display/ Parliament of the Identity Documents Act that regulates the EIDCOMMUNITY/Denmark?preview=/129105932/200867933 scheme, the first eID cards were distributed (130,000 were /NOTIFICATION%20FORM%20FOR%20ELECTRONIC%20IDENTI issued the first year). TY%20SCHEME%20UNDER%20ARTICLE%209-1%20- 76 ITU (2018), Digital Identity Roadmap Guide. Available at %20version%20final%20(2).pdf https://www.itu.int/en/ITU-D/ICT-Applications/Documents/ 73 https://www.borger.dk/ Guides/ITU_eID4D_DIGITAL%20IDENTITY_ROAD_MAP_GUIDE 74 https://en.wikipedia.org/wiki/Identity_document# _FINAL_Under%20Review_Until-05-10-2018.pdf Denmark 77 https://www.mkm.ee/sites/default/files/digitalagenda2020_fi nal.pdf

42

public and the private sector. The interoperability is a need to continuously develop secure physical solutions of the common service space will be identification, identity creation and verification further developed to make sure they are up-to-date processes.

with technological development and function both b) Use modern, secure and user-friendly technological nationally and cross border in a secure manner. This solutions that enables processes to be automated as will be done by: much as possible.

a) further development of central technological c) Ensure usability of electronic identity and eID, solutions in the field of eID and digital trust expand the scope of the identity document. services (digital signature, digital seal). Increase the number of eID users through providing b) eID support will be ensured for most widely more convenient means and mitigating security used open source software platforms. risks. In order to achieve those objectives next steps

c) The eID use will be promoted among foreign have to be taken: nationals to enable them to use Estonian e- Ensure continuous development of identity services and become, thus, “virtual residents” document that has digital authentication and of Estonia; The first e-resident Digital ID was qualified electronic signature creation issued at the end of 2014.The initial target functions.

mentioned in the strategy was to reach 5000 - Ensure the existence of at least two (updated target 20 000) e-residents by the year independent eID means issued by the public rd 2020, but by the end of 3 quarter 2020 there sector. was already about 75 000 e-residents. - Ensure a sustainable software business model In 2020 the new “Internal Security Development plan and security, including developing an action 78 2020-2030” was published by the Ministry of the plan for various threat and risk situations. Interior. According to a Plan by the year 2030 Estonia - Ensure cooperation between public and private should be a world leader in issuing secure digital sector and their capacity to deal with risky and documents. Stable and sustainable system of identity dangerous situations. management policy should be established, taking into account the needs of ensuring public safety and national What eID means are available? security. A user-friendly and modern eID application environment should be offered, taking into account the Estonia uses multiple eID means issued by the public and modern and innovative solutions. This also empowers private sector (mostly by banks). The most popular are the development of the information society. The Agenda following 7 eID means (the first six of which are state- sets out the following lines of action to meet objectives owned and have been notified (all of them LoA “high”) mentioned above: and 1 private eID mean which has not been notified). All means are issued only to a natural persons. The means a) Ensure stability in the field of identity management are as follows: and secure identification of a person. Hence, there

78 https://www.osce.org/files/f/documents/0/e/450661.pdf

43

• ID card79: An ID card is an identity document with electronic environment. E-Resident’s digital ID digital functionality.. An ID card is a compulsory allows an alien to participate in public and private identity document for Estonian citizens residing in law operations in Estonia regardless of her/his Estonia. An ID card is issued also to the citizen of physical location. E-Resident’s digital ID does not the European Union who holds right of residence grant the right to reside in Estonia.83

in Estonia. An EU citizen ID card is not valid as a • Mobile-ID84: allows people to use a mobile phone travel document. The digital document issued, is as a form of secure digital ID. It is a digital a physical identification document and has document that can be used only in an electronic advanced electronic functions that facilitate environment in order to identify the person and secure authentication and a qualified electronic give digital signatures. It is a voluntary signature. alternative eID mean next to ID card (or to any • Digital ID80: A digital identity card or digital ID is a card-based eID mean) and is issued to holders of digital document that can be used only in an an Estonian ID card or Estonian residence permit electronic environment for identification card (RP card) by a mobile operator upon the purposes and for giving digital signatures. Digital contractual client’s request.85 Certificates for the ID cannot be presented to identify a person. A Mobile-ID are issued by the State.

digital ID may be applied if you are 1) an Estonian • Diplomatic identity card86: an identity document, citizen with a valid ID card or if you apply for a that can be used in a physical world and that has digital ID together with an ID card or 2) a foreigner also digital functionalities that can be used in an with a valid residence permit card/ID card or if electronic environment for identification you apply for a digital ID together with a purposes and for giving digital signatures. It is 81 residence permit card. issued to foreigners working for diplomatic • e-Resident’s digital ID:82 An e-resident is an alien representations and consulates in Estonia or to an to whom, as a benefit, Estonia has created a Estonian citizen or permit resident who is digital identity based on the identity of the employed by a foreign representation.

country of nationality of the person and issued a • Residents permit card (RP card): Is an obligatory digital identity card: e-resident’s digital ID. It is a identity document with digital functionalities for digital document that can only be used to identify domestics use for foreigners who are not citizens a person and provide digital signature in an of EU member states and who are in Estonia on

79 https://ec.europa.eu/cefdigital/wiki/download/ 85 attachments/62885749/EE%20eID%20LoA%20mapping%20- https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY %20ID%20card.pdf /Estonia?preview=/62885749/65972515/EE%20eID%20LoA% 80 https://www.politsei.ee/et/juhend/digi-id-taotlemine 20mapping%20-%20Mobiil-ID.pdf 81 https://www.politsei.ee/en/instructions/digital-id 86 https://ec.europa.eu/cefdigital/wiki/download/ 82 https://www.politsei.ee/et/juhend/e-residendi-digi-id attachments/62885749/EE%20eID%20LoA%20mapping%20- 83 https://www.politsei.ee/en/instructions/e-resident-s- %20diplomatic%20identity%20card.pdf?version digital-id =1&modificationDate=1531759815709&api=v2 84 https://ec.europa.eu/cefdigital/wiki/download/ attachments/62885749/EE%20eID%20LoA%20mapping%20- %20Mobiil-ID.pdf?version=1&modificationDate= 1531759816924&api=v2

44

the basis of a residence permit or right of aim is to cover main properties: high level eID scheme residence. It can be used in an electronic and QSCD solution.

environment for identification purposes and for Target is to launch the new Mobile-ID in the beginning of giving digital signatures. The RP card is not a valid 2022. This will require starting a new notification travel document, but must be carried along with process. the passport of the country of citizenship in order As for the eID means and their processes in general we to return to Estonia.87 are always looking for new possibilities how to improve 88 • Smart ID : a mobile identification solution our eID means with innovative solutions, making them offered by the private sector. It can be used to more convenient to our citizens and more digital to access both public and private services. Also reduce the administrative burden. For example, we are supports qualified electronic signatures creation. analysing a solution on how to move towards paper The scheme is assessed by government to freedom – that the entire application and processing support it by public e-services, but is is not process would be fully digital. We are also analysing and notified. looking into possibilities of delivering documents in ID1 format by courier service. In doing so, these solutions

What plans are there for new or updated eID means? must meet the eIDAS Regulation, must be safe and ensure that the eID means will maintain its “high” level. At the moment, Estonia has no plans to introduce new All these are in the works and if during the analysing eID means but there are plans to update existing ones. process we come to the conclusion that those ideas Estonia is soon notifying the update on RP card e-scheme cannot be reached because they are not compliant with which allows to apply for a recurring RP card also in self- the eIDAS regulation nor the level “high” they won’t be service portal (something which is already possible for an pursued. ID card and is already an audited and notified process under the ID card e-scheme. How is the national eID ecosystem set up? Starting from august 2021, there will be update on the ID card stemming from the EU regulation 2019/1157 In the National Digital Identity Framework of Estonia, the concerning the collection of biometrics. This requires an Government has a leading role, acting as regulator and update of already notified e-scheme but the process is unique identity provider at the same time. As regulator, already audited and peer reviewed in an RP card’s e- it provides guidance and control on the National Digital scheme. Identity Framework, producing specific laws, regulations, criteria, conditions, procedures and directly Estonia is currently in progress to procure a new Mobile- controlling the management of digital identities.89 ID solution which will replace the current solution. During the procurement procedure we are looking to As unique identity provider, the Government issues each find a new innovative Mobile-ID service solution. The citizen with an (electronic) ID card, enabling them to access eServices. Although other private providers are

87 https://www.politsei.ee/en/instructions/residence-permit- 89 https://www.itu.int/en/ITU-D/ICT-Applications/ card-for-an-adult Documents/Guides/ITU_eID4D_DIGITAL%20IDENTITY_ROAD_ 88 See https://www.smart-id.com/ MAP_GUIDE_FINAL_Under%20Review_Until-05-10-2018.pdf

45

also able to act as “identity carriers” (for example Smart popular ones like tax services, business portal and so on, ID) provide alternative means of identification, the have their own known websites). In particular, services underlying identity remains the same90. In order to set in the following domains are available: up the new identity means, these private solutions draw • Business on and store the identity established by the state91. • Civil Registry This condition presents at the same time both benefits • Culture and disadvantages: on one hand, the Government might • Defence leverage on its local presence on the territory, its control over the whole system and other programs/initiatives • Education already in place, but on the other hand the state doesn’t • Environment have the same experience in managing digital identities • Health as the one gained over the years by third parties such as • Local / Regional planning Banks or Telco Operators, nor the ability to fast deploy a • Property / land administration system leveraging experience and capabilities.92 • Tax policy

• Traffic What is the level of use of eID? • Work and Retirement There are approximately 1.3 million electronic ID cards used in Estonia, representing almost 98% of the entire • Justice country population. This is in part due to the fact that the A variety of services in the private sector can also be electronic ID card is a mandatory document for its accessed using eID. For example, the Smart-ID scheme citizens starting from the age of 15. lists services ranging from domains including trade and

In terms of use, the country claims that “800,000 people business, to financial services, to insurance and 96 have used their ID card electronically at least once per pension . year” while “300,000 ID card users use their card The Information System Authority (RIA) plays a 93 electronically on a weekly basis” . It also notes that 200 prominent role in shaping and developing e-ID in 000 citizens are using Mobile-ID, and 380 000 are using Estonia. It is responsible for ensuring the eID card can be Smart-ID. used by everyone who wants to.

99% of government services (5000) are available online94, and can be accessed via the governmental Are actions planned to increase the security of identity portal, eesti.ee95 (some of them, especially the most

90 See https://www.ria.ee/en/state-information- 92 https://www.itu.int/en/ITU-D/ICT- system/electronic-identity-eid.html Applications/Documents/Guides/ITU_eID4D_DIGITAL%20IDE 91 See process maps provided in Centre for Internet and NTITY_ROAD_MAP_GUIDE_FINAL_Under%20Review_Until- Society (2019), Mapping Digital Identity Systems: Estonia. 05-10-2018.pdf Available at https://digitalid.design/research- 93 See https://e-estonia.com/estonia-introduced-a-new-id- maps/estonia.html card/ 94 See https://e-estonia.com/ 95 See https://www.eesti.ee/en/ 96 See https://www.smart-id.com/et/teenused/

46

cards (and eID means)? the recognition of generic eIDs in public

In December 2018, Estonia issued an update to its and private sector digital services (despite national identity card. The new card features a the branch or sector of business or contactless (near-field communication, NFC) interface as administration). well as new security features including a new colour o Promote use of international standards.

97 photograph of the holder . o Guarantee trust in eIDs (eID providers) by The country is investigating the opportunity of defining requirements in legislation, introducing biometrics to facilitate personal notification process and supervision. identification. • In 2009, it adopted the “Act on Strong Electronic Security is a continuous process and Estonia aims to Identification and Electronic Signatures”. The Act's continuously monitor security risk and analyse security objective was “to create common rules for the solutions for eID. This requires a good cooperation provision of sound electronic identification services, between different countries, EU member States and and to promote the provision of identification national partners as well. services and the use of trust services99”. The act was further updated in 2015100, introducing the concept Finland of the Finnish Trust Network – allowing “application providers to enter into a single contract and a single What is the national strategy for eID? integration to make use of multiple identity means Finland was the first country in the world to introduce an providers”101. electronic identity card back in 1999, following the • In 2017, Finland completed the programme Identity Card Act 829/1999. Since then, the country has “National Architecture for Digital Service”, gone through several iterations in its approach. introducing a new platform called Suomi.fi which • In 2008, Finland implemented the “Action Plan provides citizens, businesses and government 2008–2011”98 under the Minister of organisations the access to online public services. As Communications, which outlined the government part of this new approach an electronic strategy and decisions concerning electronic identification model was put forward102. Under this identification. In particular, the main objectives of model, “electronically verifiable information is the strategy were: based on the population information system

o Create a common competitive market for maintained by the Population Register Center”. private and public eID providers. However, “identification services and tools for the

o Promote public and private cooperation. use of electronically verifiable identities may be

o Promote user choice of eID by promoting

97 See https://e-estonia.com/estonia-introduced-a-new-id- 99 http://www.finlex.fi/fi/laki/ajantasa/2009/20090617 card/ 100 https://www.finlex.fi/fi/laki/kaannokset/2009/ 98 en20090617.pdf https://julkaisut.valtioneuvosto.fi/bitstream/handle/10024/7 101 See https://www.ubisecure.com/authentication/ 7808/Arjen_tietoyhteiskunta_toimintaohjelma.pdf?sequence finnish-trust-network-ftn/ =1&isAllowed=y 102 https://vm.fi/sahkoinen-tunnistusmalli

47

provided on market terms”103. What plans are there for new or updated eID means?

The Finnish system allows for private providers to notify

What eID means are available? the Government and begin providing new identity means108. Currently, the following eID means are available in Finland (not notified): As an example of recent private initiatives and innovation, there is a group of organisations planning a • Bank ID:104 an identification system developed by new eID means, SisuID, and ecosystem connected to it. the Federation of Finnish Financial Service and used As announced by Nixu Corporation109, the Ministry of by all major Finnish banks. There are 10 separate Education and Culture in Finland has taken part in the independent BANK ID/eID means providers and thus biometric authentication pilot SisuID110 to enhance the several different eID implementations. international student experience and deliver a • Mobile ID105: is an identification system provided by frictionless process before they arrive in Finland. In 3 major mobile telecoms operators. The Mobile ID is particular, the new solution will allow the students to in the SIM card of the mobile phone. create a digital identity and an identification tool to then • 106 Citizen Certificate: an eID document containing log in all channels related to the application process, citizens’ information that can be used for carrying immigration and integration, across all sectors.111 out safe online services. In addition, it provides As another example on recent private initiatives, the eSignatures and can be attached to the ID card. telecoms operators are planning to introduce a new eID 107 • Organisation Certificate : certificates used to means based on mobile application. Their current verify a given person's identity as a representative Mobile ID is based on SIM-card. of a business, organisation or associated group. The government is preparing an initiative to provide Brokering services mobile ID-cards to citizens. Along with this project also There are also nationally notified/registered and new capabilities to enable digital use of identity data in supervised private eID broker services population register are searched as well as provision of

• Many providers of BankID and Mobile eID also new eID means. Impact assessment on the market provide brokering services (e.g. Nordea, OP ecosystem and policy decisions are scheduled for 2021. Group, Telia)

• sole eID brokers without their own means How is the national eID ecosystem set up?

(Nets, Signicat) The following types of stakeholders make up the Finnish eID ecosystem:

103 See https://vm.fi/sahkoinen-tunnistusmalli 108 See Section 12, Act on Strong Electronic Identification and 104 https://www.nets.eu/developer/e-ident/eids/Pages/ Electronic Trust Services. Available at BankIDFI.aspx https://www.finlex.fi/fi/laki/kaannokset/2009/en20090617.p 105 https://mobiilivarmenne.fi/eng/ df 106 https://dvv.fi/en/citizen-certificate-and-electronic-identity 109 https://www.nixu.com/ 107 https://dvv.fi/en/for-organisations 110 https://sisuid.com/ 111 https://www.biometricupdate.com/201912/finnish- ministry-tests-sisuid-biometrics-nixu-restructures-amsterdam- team

48

• Identity providers: a role played by private entities supervision of eID-providers and trust services.

such as banks and telecoms providers. • Ministry of Finance: steering of Digital and • Identity brokers: stakeholders that provide a Population Data Services Agency, eID policy solution enabling authentication of the identity guidelines for public sector.

means provided by different identity providers (10 • Digital and Population Data Services Agency114: BankIDs and 3 MobileIDs). management of the national eIDAS node, the public These stakeholders form the Finnish Trust Network, sector eID portal (Suomi.fi e-Identification) and the which is overseen by the Finnish Transport and national ID card.

Communications Agency Traficom. The dominant eID provider in Finland has traditionally What is the level of use of eID in public sector115? been the banks, which accounted for 95% of The Government provide citizens access to public authentications for online public services as of 2018. In administration services through the Suomi.fi portal. this year, just 1% of authentications were done using the Citizens can access the services on the portal using national ID card, while 4% were performed using eIDs different means of electronic identification: online from mobile operators112. In 2019 the stake of BankIDs banking codes, mobile certificates, certificate card and was 89 % and the stake of MobileID 7 %. eIDAS token. In particular, the services for citizens

The recent legislative changes formalised the role of the offered on the portal, cover the following domains: identity broker, which serve as an intermediary between • Defence the different identity providers and online service • Education providers. These changes have been interpreted as • Health aimed at reducing the dominance of banks in this area as • Security well as enhancing secure private sector online services • Work and retirement by promoting easy and reasonably priced one-stop shop acquisition of authentication of customers using Meanwhile services offered for business are clustered in different eIDs113. the following categories:

The main eID stakeholders in the public sector are: • Starting a business

• Ministry of Transport and Communication: • Being an employer

legislation on eIDs and trust services. • Financing a business and business subsidies

• Transport and communications agency Traficom: • Financial management and taxation

112 European Commission (2019), Digital Government 114 See https://dvv.fi/en/about-the-agency Factsheet 2019 Finland. Available at https://joinup. 115 There is not yet data on usage of eID in private sector ec.europa.eu/sites/default/files/inline-files/Digital_ online services. However due to legislative amendments in Government_Factsheets_Finland_2019.pdf Trust Network obligations this is growing, which is the policy 113 Bazarhanova, A., Yli-Huumo, J. & Smolander, K. (2019), From objective behind the legislation. platform dominance to weakened ownership: how external regulation changed Finnish e-identification. Electron Markets. Available at https://link.springer.com/article/10.1007/s12525- 019-00331-4#citeas

49

• Developing the business France’s prioritisation of eID was delayed compared to

In this regard, it is important to note that there are e- some other EU Member states. However, in the last 5 Authorizations available for both natural and legal years the country been catching up, adopting targeted persons116. However, there are not eIDs for legal persons legislation. In 2017, the “Ordinance on electronic available when it comes to regulated/nationally notified identification and trust services for electronic 120 eID means. transactions” aimed to strengthen the security of electronic identification means. It provides a legal Finland does not have an eID dedicated website. framework for the certification of providers of electronic However relevant information on national eID means identification. can be found here117118. France’ digital strategy “Stratégie internationale de la

France pour le numérique”121 does not make reference Are actions planned to increase the security of identity to electronic identity. However, as of late 2019, the cards (and eID means)? Agence National des Titres Sécurisés (ANTS) was pushing The eID cards issued by the Digital and Population Data for the definition of a strategy for digital identity122. Services Agency have been evaluated with a “high level” According to it, this strategy should respect four main 119 of assurance according to the eIDAS regulation . principles: However, no plans have been identified to include new • Protection of personal data: in particular guarantee biometric technologies within its national eID cards. of anonymity and the right to be forgotten; Otherwise, in order to increase security and • Security: ensuring that identity data cannot be interoperability, the secondary legislation, guidelines on stolen or copied; conformity assessment and specifications for interfaces • Ease of use: for exchange and use of identification are updated on a regular basis in collaboration with the data; stakeholders. • Shared trust

ANTS also claims that future activities on digital identity,

should include a focus on R&D, helping French companies to position themselves internationally. France Meanwhile, La Direction interministérielle du numérique What is the national strategy for eID? (DINUM) released in October 2019 a strategy document

116 https://www.suomi.fi/e-authorizations 120 Ordonnance n° 2017-1426 du 4 octobre 2017 relative à 117 https://www.suomi.fi/instructions-and- l'identification électronique et aux services de confiance pour support/information-on-eidentification les transactions électroniques 118 https://www.kyberturvallisuuskeskus.fi/en/our- https://www.ssi.gouv.fr/actualite/publication-de- activities/regulation-and-supervision/electronic-identification lordonnance-relative-a-lidentification-electronique-et-aux- 119 https://www.signicat.com/identity-methods/public-eids- services-de-confiance-pour-les-transactions-electroniques/ finnish-electronic-identity 121 Stratégie internationale de la France pour le numérique. Available at https://www.diplomatie.gouv.fr/IMG/pdf/strategie_numeriq ue_a4_02_interactif_cle445a6a.pdf 122 See https://ants.gouv.fr/Les-solutions/Identite- numerique/Strategie-de-l-identite-numerique

50

on the acceleration of the digital transformation of the What plans are there for new or updated eID means?

123 public service . This strategy describes the plans to France is developing a national eID card, to be available create a unified means of identification for online by 2021128. services through “France Connect”. It aims: In addition, the Alicem129 smartphone application • To ensure that all online public services, and a large developed by the Ministère de l’Intérieur et l’Agence number of private services, are available using nationale des titres sécurisés will allow users to prove FranceConnect by 2022. their identity online. It will make use of facial recognition

• To introduce a national eID card technology to initially authenticate the user. The application is currently in a testing phase. • To certify identity providers from the private sector with substantial and high assurance levels, and integrate them in the France Connect federation. How is the national eID ecosystem set up?

The France Connect project provides a federated mechanism so that users can log-in using a common What eID means are available? interface using any of the identity means listed above.

Currently eID means available in France include those The providers of these means include both public and provided by: private organisations, and the State has announced its • AMELI (for social services);124 a username/password intention to certify further identity providers from the solution; private sector with substantial and high assurance levels,

• Impots.gouve.fr (for payments and taxations);125 a and integrate them in the France Connect platform130. username/password solution;

• La Poste Digital Identity126 (part of Le Group La What is the level of use of eID?

Poste, operating in multiple industrial and logistics FranceConnect had 20 million users as of the end of facilities), a username/password solution; 2020131, and is aiming to cover 25 million users by • Mobile Connect127 (provided by the telecom 2021132. It is now deployed on 850 public websites (cities, operator, Orange); departments or ministries) and, since November 2018,

has also been available for online services from the private sector (e.g. banks and insurance). FranceConnect

123 DINUM (2019), Accélérer la transformation numérique du 129 https://www.interieur.gouv.fr/Actualites/L-actu-du- service public. Available at https://www.numerique.gouv.fr/ Ministere/Alicem-la-premiere-solution-d-identite-numerique- uploads/TECH-GOUV_2019-2021.pdf regalienne-securisee 124 https://www.ameli.fr/assure/actualites/la-creation- 130 DINUM (2019), Accélérer la transformation numérique du immediate-du-compte-ameli service public. Available at 125 https://www.impots.gouv.fr/portail/particulier/ https://www.numerique.gouv.fr/uploads/TECH-GOUV_2019- acceder-mon-espace 2021.pdf 126 https://www.groupelaposte.com/en/article/ces-2019- 131 See https://www.gemalto.com/france/gouv/identite- digital-identity numerique-forte-le-cas-cnie 127 https://mobileconnect.orange.fr/selfcare/#/ 132 DINUM (2019), Accélérer la transformation numérique du welcome service public. Available at 128 DINUM (2019), Accélérer la transformation numérique du https://www.numerique.gouv.fr/uploads/TECH-GOUV_2019- service public. Available at https://www.numerique. 2021.pdf gouv.fr/uploads/TECH-GOUV_2019-2021.pdf

51

currently attracts more than 500,000 new users per government137” published back in 2013 under the month.133 Ministry of the Interior. The aim of the strategy was to

Services available using France Connect include in the provide “a comprehensive range of secure electronic following domains134: procedures to guarantee identity, authenticity, integrity, confidentiality and verifiability (trust services) in • Online procedures electronic transactions, which are used by citizens, • Civil registry companies and the administration”. To do so, all citizens • Retirement should have been able to identify themselves to all

• Pension administrative services with a single user account that they have set up in a federal state or with the federal • Health government. In particular, the strategy pointed out three • Tax goals: • Justice • Acceptance: according to the “acceptance” goal, it • Banks should have been necessary to improve the acceptance of eID and trust services among citizens, Are actions planned for increasing the security of companies and administration to achieve greater identity cards and the consequent use of eID? use of e-government services at the federal,

France is taking steps to ensure that the new eID card it regional and local levels. is developing is in compliance with the new Regulation • Security: according to the “security” goal, (EU) 2019/1157. It is developing biometric technologies depending on the protection requirements of the to be implemented, including storing two digital respective administrative service, the trust services fingerprints on the card135. Facial recognition should have guaranteed security in particular with technologies will also be used for the future eID regard to identity, authenticity, integrity, means136. confidentiality and verifiability.

• Economy: according to the “economy” goal, citizens

and organisations should have been able to use the administration's trust services with as little effort as Germany possible. On the part of the administration, the selected trust services should also be able to be What is the national strategy for eID? implemented with reasonable effort.

Germany’s strategy on eID is shaped by the content of More recently, the “Digital strategy 2025138”, the “Strategy for eID and other trust services in e-

133 https://www.numerique.gouv.fr/espace- 136 https://www.bloomberg.com/news/articles/2019-10-03/ presse/franceconnect-franchit-le-cap-des-10-millions- french-liberte-tested-by-nationwide-facial-recognition-id-plan dutilisateurs/ 137 134 See https://franceconnect.gouv.fr/nos-services https://www.beta.bund.de/DE/Navigation/Home/home_nod 135 https://www.gemalto.com/france/gouv/identite- e.html numerique-forte-le-cas-cnie 138https://www.de.digital/DIGITAL/Redaktion/EN/Publikation/ digital-strategy-2025.pdf?__blob=publicationFile&v=9

52

implemented under the authority of the Federal ministry not yet adopted143, will introduce an eID card for use by for economic affairs and energy, makes reference to eID. EU citizens and members of the European Economic The strategy sets up ten “steps” for Germany to become Area (as opposed to just German citizens), thus the most digitalised country in Europe. The fifth step increasing the population able to access eID solutions in “Strengthening data security and developing Germany. informational autonomy”, highlights that the country is Finally, the most recent reference to eIdentity in a “paving the way for the international implementation of governmental policy document is made in the “nine- electronic identification… setting the standards for EU- point plan for a digital Germany144” according to which wide secure and reliable electronic transactions”. one of the objectives is to “establish an electronic The legislation that Germany has adopted on eID in identity” in three ways: recent years is potentially more revealing of the overall • Implementing smartcard functionalities on mobile approach. The entry into force in 2017 of the Electronic phones, e.g. online ID function Identification Promotion Act139, promoted the use of • Making it easier to use the eID function, e.g. online identification through a national eID card. The optimize the PIN reset procedure and use in first eID cards – national ID cards with additional eID corporate networks functionality - were issued back in 2010. However the • Involving industry in the commercial use of the eID new legislation promoted the activation and use of the function eID functionality by making it opt-out rather than opt-in. In addition, other organisations and companies are able to provide eID solutions. The legislation simplifies the What eID means are available? authorization process for companies and authorities to As described above, Germany provides a national eID provide identification services140. card to its citizens. In addition, non-EU citizens living in

Moreover, another eID legislation is represented by the Germany can obtain an electronic resident permit online “Online Access Act (OZG)141” which came into (“Aufenthaltstitel”). Both these eID means have been force in August 2017. According to the OZG, the federal, notified, as two parts of a single eID scheme, for cross- state and local governments must offer their border use under the eIDAS regulation. administrative services digitally by 2022. In order to In addition to the public e-identity scheme, private- implement this goal, the IT planning council launched the sector solutions are also active in Germany. However, digitization program. the functionality of the solutions is lower than that of the

More recent legislation142, initially drafted in 2018, but state means; for example, they do not achieve digital

139 http://dip21.bundestag.de/dip21/btd/18/112/ 143 https://www.bmi.bund.de/SharedDocs/ 1811279.pdf gesetzgebungsverfahren/DE/entwurf-vo-einfuehrung-eid- 140 https://www.bundesregierung.de/breg- karte-fuer-unionsbuerger.html;jsessionid= de/aktuelles/sicherer-identitaetsnachweis-im-netz-388084 408745EB80289AFA2659CA7F59A7BA06.1_cid373 141 https://www.it- 144 planungsrat.de/DE/Projekte/Koordinierungsprojekte/Digitalisi https://www.onlinezugangsgesetz.de/SharedDocs/downloads erungsprogramm/DigPro_node.html /Webs/OZG/EN/9-point- 142 http://dip21.bundestag.de/dip21/btd/19/080/ plan.pdf;jsessionid=E864D46013BA35F102A870924716AF92.1 1908038.pdf _cid287?__blob=publicationFile&v=1

53

identifications according to the provisions of the Anti- provide user access to a Smart Wallet where he can store money laundering directive (EU) 2015/849145. his ID data and use it with different providers.

Other eID solutions (which reuse in part the German eID) One foreseen development is the extension of the include: number of services that can be accessed through the

• PostID146: a system developed by the Deutsche Post various eID means. For example, the YES system will that allows users to archive the identity data after allow users to exploit their identity data for other service 152 an initial identification has been made, and to reuse providers.

it for other processes. In addition, the OPTIMOS project funded by Federal • Identity Giro147: an electronic identification solution Ministry of Economics and Energy aims at implementing drawing on data collected in the banking systems. a "Secure eID" app with an eID service that will support

• YES:148 a system, participated in by savings banks online identification and authentication as well as the 153 and cooperative banks, which enables users to transfer of identity data . access e-banking services.

• Verimi149: a login solution in which users are able to How is the national eID ecosystem set up? store their personal identification card or driver’s Electronic identification in Germany relies upon a mixed license to identify themselves in order to register framework, with some solutions under the responsibility and use this registration for various partner services of the state, and others developed by private companies.

(currently, mostly financial and insurance On the one hand, the national eID card is a fully public- companies). driven initiative, with the state as the identity provider.

On the other hand, the other eID means listed in the What plans are there for new or updated eID means? above section are provided by private companies. For

Along with the introduction of an eID card for EU citizens these cases, the state acts as an “identity broker”, and Members of the European Economic Area, a key playing an intermediary role in connecting identity focus for Germany will be the introduction of a mobile providers and service providers154. eID, as stated in the 9-point plan for digital Germany150.

A number of new eID solutions are also under What is the level of use of eID? development. For example, SmartWallet, SmartLogin151 Over 75 million eID cards and 12 million electronic is a system, currently available for alpha testing, that will residence permits were in circulation in October 2018.

145 https://asquared.company/en/blog/e-identity-solutions- 152 https://www.finextra.com/pressarticle/78648/ in-europe-an-european-overview-769/ signicat-and-yescom-collaborate-on-digital-identity-service-in- 146 https://www.deutschepost.de/en/p/postident/ germany postid.html# 153 147 https://identity.tm/en/giro.html https://www.bundesdruckerei.de/en/Unternehmen/Innovati 148 https://www.yes.com/ on/Optimos 149 https://verimi.de/en 154 https://www.itu.int/en/ITU-D/ICT- 150 Applications/Documents/Guides/ITU_eID4D_DIGITAL%20IDE https://www.cio.bund.de/SharedDocs/Kurzmeldungen/DE/20 NTITY_ROAD_MAP_GUIDE_FINAL_Under%20Review_Until- 20/20200715_9-punkte-plan.pdf?__blob=publicationFile” 05-10-2018.pdf 151 https://jolocom.io/solution/

54

The Federal Ministry of the Interior, Construction and is provided through a dedicated website156.

Home has stated that German citizens had an eID card in The use of eID will be further reinforced by 2022, when November 2020 and that almost 56% (estimated value) the federal, state and local authorities are to offer all of them activated their eID functionality. administrative services in Germany digitally via The eID card enables access to over 60 services, 72% of administrative portals and link these portals into a which are public, and 28% private. Services from the network157, to be accessed using the eID card as well as federal government can be accessed via a single other easy-to-use means of identification. The higher the portal155, however, as several digital services are level of security of an administrative service, the higher managed at local (federal state or municipal) level, the the requirements for the means of identification to be use of eID fostered by a single point of access approach used will be.158 will not be fully effective until when the federal and the local portals are actually federated. Currently, the Are actions planned to increase the security of identity services available are in the following domains: cards (and eID means)? • Agriculture Since the German ID card is already machine-readable in • Business accordance with the ICAO 9303 standard and has the

• Civil registry necessary physical security features, the changes will mainly be limited to the design and minimal adjustments • Culture to the access protocol for reading the chip. No technical • Education changes are required for the fingerprints. Already today • Energy the fingerprints are stored voluntarily in approx. 42% of • Health the cases. From 1st August 2021, this option will be • Property/ land registration mandatory.

• Tax policy The project for the timely national implementation of this ordinance is running according to plan with the • Transport involvement of the parties involved159. • Work and retirement

• Finances

• Telecommunication

Using the national eID card eID citizens may also access Greece service portals at the federal level. What is the national strategy for eID? Communication to the public on the usage of eID means

155 158 https://www.beta.bund.de/DE/Navigation/Home/home_nod https://www.onlinezugangsgesetz.de/Webs/OZG/DE/umsetz e.html ung/portalverbund/portalverbund-node.htm 156 www.personalausweisportal.de 159 https://www.bmi.bund.de/SharedDocs/faqs/DE/ 157 This is mandated by the Online Access Act of 2017 themen/moderne-verwaltung/ausweise/eu-verordnung- (https://www.onlinezugangsgesetz.de/Webs/OZG/DE/startsei erhoehung-der-sicherheit/erhoehung-der-sicherheit.html te/startseite-node.html)

55

While no specific eID strategy document has been access to the ERMIS portal163, which the Greek identified, Greece adopted in 2016 a “National digital Government plans to make the single window to online policy160”, presenting the plans of the country for the public services. period 2016-2021, which includes a section dedicated to public services. In this section, eID is mentioned and the What plans are there for new or updated eID means? need to align with the eIDAS Regulation is highlighted. In Digital Governance Minister Kyriakos Pierrakakis has particular, the strategy recognizes that the user announced plans for a national eID card, to be delivered experience of the citizens towards online public services by 2021164. The new eID card will also include a digital strongly decreases if users are asked to manage multiple signature. online profiles and create a different authentication for each service. For the country, working in this direction means implementing a common e-authentication How is the national eID ecosystem setup? approach combined with a set of identification checks With no full-scale eID means available, the eID and data security controls. In compliance with that, ecosystem is not yet properly developed. The indications article 23 of Law 4647 of 16/12/2019, amending and are that Greece will pursue the national identity card supplementing article 3 of law 1599/1986 states that approach towards eID, making the state the main “The identity card shall include an electronic storage identity provider. medium containing the holder's photograph in digital form, the details of the machine readable belt area, two What is the level of use of eID? (2) fingerprints of the markers and both hands of the The ERMIS eID card, the only one currently in use, has holder, and an approved electronic signature certificate, been issued to 75 000 citizens and businesses165. The in accordance with Article 3 of Regulation (EU) ERMIS portal has been developed with the intention of 910/2014”161. providing “integrated and secure eGovernment

services”166. The list of services accessible by citizens What eID means are available? include the following domains:

Currently, no full-scale eID means are available in • Defence Greece. A limited number of ERMIS eID cards162 have • Education been make available, since 2018, to public servants and • Environment private sector companies submitting bids for online public procurement tenders. These eID cards enable • Health

160https://mindigital.gr/old/images/GENIKOI/RALIS/PDF/Digit 164 http://www.ekathimerini.com/245334/article/ al_Strategy_2016_2021.pdf ekathimerini/news/digital-governance-minister-elaborates- 161 https://www.e-nomothesia.gr/kat-ygeia/nomos-4647- on-new-id-cards 2019-phek-204a-16-12-2019.html 165 https://joinup.ec.europa.eu/sites/default/files/ 162 https://joinup.ec.europa.eu/sites/default/files/ inline-files/Digital_Government_Factsheets_Greece_ inline-files/Digital_Government_Factsheets_Greece_ 2019.pdf 2019.pdf 166 https://joinup.ec.europa.eu/sites/default/files/ 163 http://www.ermis.gov.gr/portal/page/portal/ermis/ inline-files/Digital_Government_Factsheets_Greece_ 2019.pdf

56

• Local/regional planning The public eID scheme is based on eSzemelyi,170 the

• Security national eID card provided to citizens. It contains data including social security and tax identification numbers • Work and retirement as well as a unique identifier for the citizen. The scheme

has not yet been notified for cross-border use under the Are actions planned to increase the security of identity eIDAS Regulation. cards (and eID means)? The eID cards allow registering fully electronically to the A tender has been launched at beginning 2020 to launch Client Gate ((Ügyfélkapu), an access portal to a procedure for the procurement of eID cards as per the eGovernment services.171 A Client Gate account can also provisions of the Law 4647 of 16/12/2019, which will be opened by following an identification procedure at a also ensure compliance with the security measures public office. requested by Regulation (EU) 2019/1157.167 Biometrics identification solutions are available in the private sector, and the demand for larger use of such identification measures is increasing, in consideration of their higher perceived security.172

Hungary

What is the national strategy for eID? What plans are there for new or updated eID means?

No specific strategy for eID has been identified for The eID card was introduced in January 2016. There are Hungary. However the topic is raised in passing in the no identified plans to upgrade it or create additional eID country’s National Infocommunications Strategy 2014- means. 2020168. The strategy outlines the necessity to ensure interoperability between IT systems in order to provide How is the national eID ecosystem setup? efficient eGovernment services. It references electronic The provision of the Hungarian eID card is state-led, with identification as one aspect of this. the Ministry of the Interior responsible for overseeing it. Meanwhile, in terms of legislation, Act No. CCXXII. of For the technical aspects of providing and implementing 2015 (eAdministration Act) provides the conditions the scheme, the Ministry relies upon the state-owned under which forms of eID can be used when citizens are companies the National Infocommunications Service interacting online with the public administration169. Company Ltd, and its subsidiary, Idomsoft Ltd173.

What eID means are available? What is the level of use of eID?

167 https://www.ethnos.gr/ellada/87538_nees-taytotites- 171 https://regi.ugyintezes.magyarorszag.hu/ poso-tha-kostizoyn-polemos-nd-syriza-gia-ton-diagonismo szolgaltatasok/ugyfelkapu_regisztracio.html 168 https://www.kormany.hu/download/5/ff/70000/ 172 https://www.portfolio.hu/uzlet/20200303/a-magyarok- NIS_EN_clear.pdf szivesebben-fizetnenek-ujjlenyomatukkal-mint-jelszavakat- 169 See Article 18, Act No. CCXXII. of 2015. Available at hasznalva-417821 http://njt.hu/cgi_bin/njt_doc.cgi?docid=193173.362563 173 https://nisz.hu/en/subsidiaries 170 https://eszemelyi.hu/

57

4.6 million national eID cards (eSzemelyi)174 have been Regulation (EU) 2019/1157 have been defined so far. issued as of January 2020, although it remains an Anyway, biometric technologies have been included optional scheme. The number of Client Gate accounts within the national eID cards since 2016, namely has reached 3.7 million175. fingerprints178.

A single portal, SZÜF, is provided to ensure access to all online services. The central authentication agent is integrated in the portal, so users are able to use either Ireland of the eID means described in order to access all services What is the national strategy for eID? on the portal. The role of eID in Digital Government has been The services available over the platform include those in recognised across a number of digital strategies the following domains: produced by Ireland, beginning first in 2013 with “Doing • Agriculture More with Digital - National Digital Strategy for • Education Ireland” strategy, which emphasised the crucial role of • Energy eID. This was further extended in Ireland’s

179 • Environment “eGovernment Strategy 2017-2020 ” which sets out plans to make Ireland a leader in the provision of digital • Health government services including through the • Finance implementation of a targeted strategy focused on eID. • Property / land administration One of the strategy’s ten key principles is to “develop • Security existing eID capability”. In relation to this, the MyGovID

• Work and retirement and Public Services Card are specifically mentioned. An

The most frequently used services are in the domain of adoption plan to promote their use across different e-health (patient admission at hospitals, e-referrals and services is included in annex to the strategy. In addition e-prescriptions).176 plans for a digital service gateway, providing access to all online services, and accessible via the eID means Finally, communication to the public on the usage of the mentioned above are announced. The strategy also eID card is based on a dedicated website177. announces the intention to provide e-identification

means for businesses as well. Are actions planned to increase the security of identity The importance of eID has continued to be recognised in cards (and eID means)? the Public Service Data Strategy (2019-2023) which sets No specific additional measures to comply with the new out two actions with respect to MyGovID

174 https://www.vg.hu/gazdasag/gazdasagi-hirek/mar-tobb- 176 https://www.vg.hu/gazdasag/gazdasagi-hirek/mar-tobb- mint-46-millio-darab-e-szemelyi-kerult-forgalomba-2- mint-46-millio-darab-e-szemelyi-kerult-forgalomba-2- 1976049/ 1976049/ 175 https://joinup.ec.europa.eu/sites/default/files 177 https://eszemelyi.hu/ /inline-files/Digital_Government_Factsheets_Hungary_ 178 https://www.microsec.hu/en/pki-blog/personal-e-id-cards- 2019.pdf hungary 179 https://egovstrategy.gov.ie/

58

• Action 8 – Protect personal data online using verified account which enables access to a wider MyGovID range of online services.

• Action 19 – Promote roll out and adoption of the • MyAccount182: it is a single access point for secure Public Service Card, MyGovID and Eircode. online services developed by Irish Tax and Customs.

The Data Sharing and Governance Act 2019180 provides a generalised legal basis for data sharing between public What plans are there for new or updated eID means? bodies for specific, legitimate purposes, The aim is to Ireland is exploring the future of MyGovID with a view to reduce the administrative burden associated with the widening the range of identity verification options need for individuals to provide their personal data to available including the use for example of driver’s numerous public bodies. The Act allows for the sharing licences and passports. of personal data between public bodies where the There is also active exploration of various options to sharing is for the performance of a function of either of facilitate public private partnerships to enhance the the public bodies. The Act also provides for the benefit of MyGovID for citizens by enabling them to establishment of a personal data access portal. access private sector services. Legislation around eIDs in Ireland is generally related to public bodies’ needs and duties. MyGovID and the Public How is the national eID ecosystem set up? Services Card are underpinned by the Social Welfare Consolidated Act 2005 which governs the manner in The eID ecosystem in Ireland is State-led with MyGovID which data collected for the Public Services Card and at the forefront. MyGovID provides a single MyGovID can be used as part of the identity authentication means that citizens can use across online infrastructure in Ireland. service access in Ireland. The Public Services Card is a an identity token used by MyGovID as part of the

verification process issued after a face to face meeting as What eID means are available? part of the SAFE registration process. Currently, the following eID means are in use in Ireland, The rollout of MyGovID is being driven by the none of which have been notified for cross-border use Department of Public Expenditure and Reform who are under the eIDAS Regulation yet: responsible for the rollout of MyGovID across online • MyGovID181: is a secure online identity verification public services. This has been done in partnership with service with which you can prove your identity when the Department of Employment Affairs and Social using online government services. There are two Protection who are responsible for the technical types of account, differing according to the level of implementation of MyGovID and the issuance of the security and assurance they provide: basic and Public Services Card. verified. The basic account can be set up with just an

email address and only enables access to a limited What is the level of use of eID? range of services. Higher value services require a

180 http://www.irishstatutebook.ie/eli/2019/act/5/ 181 https://www.mygovid.ie/ enacted/en/html 182 https://www.ros.ie/myaccount-web/home.html

59

As an eID means, MyGovID is optional for Irish citizens. as one of the key enabling platforms for ensuring that There has been a significant increase in uptake of citizens and businesses can access online services of the MyGovID with the number of MyGovID basic accounts Public Administration. According to the strategy, every now standing at 2.2 million of which 860 K are verified citizen should have a unique, free, easy-to-use digital accounts. As a result there are a growing number of identity that allows him to identify himself securely and service providers requesting to use MyGovID for access all public and private digital services in Italy and authentication and service access purposes. Europe.

MyGovID provides online access for a number of services The State plans to coordinate its own system for unique including the following; identification of individuals with digital identification

• Revenue means to ensure that each individual has one unique identity. However, under the strategy it entrusts the • Welfare management of digital identity and attributes to a • Childcare network of public and private organisations. • Agriculture Over the last two decades, the country has developed a • Drivers Licences framework containing a series of legislative measures • Voter registration which since then have been in continuous evolution. In

In the future, more services will come online for particular, as concerns the electronic ID card, the MyGovID including Passport services, and Digital Mail regulatory framework consists of: services. • Decree of the President of the Council of Ministers 22 October 1999, n.437: Regulation containing

characteristics and methods for issuing the national Are actions planned to increase the security of identity identity card and national identity document cards (and eID means)? • Interministerial Decree 9 December 2004: Technical As concerns security, Ireland is exploring ways of making and safety rules relating to the technologies and eID means more secure, for example by the addition of materials used for the production of the National authenticator functionality or through additional Service Card. identity verification mechanisms. Ireland does not have • Legislative Decree 7 March 2005, n. 82: Digital a national identity card. administration code

Italy • Decree of the President of the Council of Ministers 24 October 2014: Definition of the characteristics of What is the national strategy for eID? the public system for the management of the digital Within its “2025 Strategy for technological innovation identity of citizens and businesses (SPID), as well as and digitalisation of the country,183 implemented under of the times and methods of adoption of the SPID the authority of the Ministry for technological innovation system by public administrations and businesses and digitization, the country named electronic identity

183 https://docs.italia.it/italia/mid/piano-nazionale- innovazione-2025-docs/it/stabile/index.html

60

• Decree 23 December 2015: Technical methods for to encourage the adoption and use of the digital issuing the electronic identity card. identities, by adopting two strategies:

• Decree 25 May 2016: Determination of the fee to be • an increasingly wide range of services, paid by the applicant for the electronic identity card especially private services, accessible with

digital identities;

What eID means are available? • Making digital identities more accessible to the elderly and minors through the use of specific Italy is making use of three eID means, the first two technologies or the introduction of delegations notified respectively in 2018 and 2019, while the other through the use of attribute authorities (or has not been notified: some other mechanism). • SPID – Public System of Digital Identity: it is the Italy is proceeding with the issue and dissemination of system which guarantees all citizens and businesses CIE 3.0. This is the most recent version of the national a unique, safe and secure access to the digital eID card, which thanks to the Near Field Communication services of the Public Administration. (NFC) interface allows the owner to use it with • Italian eID card: The national identity card has smartphones and other terminals. electronic identification functionalities. The current

version has been available since 2016184. The card’s Near Field Communication (NFC) interface allows How is the national eID ecosystem set up? the owner to use it with smartphones and other In Italy, digital identity is provided by both private and terminals. In addition to its use for electronic public providers. In order to be used to access online identification purposes, it can be used to request a public services (via SPID), these identity providers must digital identity on the SPID system. be accredited by the Agency for Digital Identity (AGID)186.

• National Services Card (CNS)185: it is a smart card or a USB stick that contains a "digital certificate" of What is the level of use of eID?

personal authentication, allowing access to online The national eID card is optional for Italian citizens and public services for those users who do not yet have only available for natural persons. As of the end of 2020, the national eID card, with which it is fully 17,800,000 had been issued. interoperable. Through SPID, citizens (with their national eID and the other available digital identity means) can access online What plans are there for new or updated eID means? public services from over 5000 administrations187. These No current plans for new eID means have been include in the following domains: identified. However, the State plan for the next years is • Agriculture

184 https://www.reconnaissance.net/secure-document- 186 AGID (2017), SPID General Information. Available at news/issues/may-2017/ https://ec.europa.eu/cefdigital/wiki/download/attachments/ 185 https://www.agid.gov.it/en/piattaforme/national-service- 62885733/G.1%20- card %20General%20information%2C%20v1.0.pdf?version=1&mod ificationDate=1531759224705&api=v2 187 See https://avanzamentodigitale.italia.it/it

61

• Environment preferable solutions to the building of population’s

• Energy confidence in digital solutions.

• Justice Latvia’s Digital Transformation Guidelines for 2021- 2027191 include the idea to sequentially equip a person • Education with the necessary tools within a set to receive services • Regional planning before the person has a need to receive the service in • Health the digital environment. It also touches on the questions • Transport and problematic of equipping juniors (from 7 to 14 years

In terms of numbers, at the end of November 2020 the of age) with e-identity etc. However, several pieces of number of identities issued by the SPID were about 12 legislation have been identified which serve to provide a million.188 framework for electronic identification in the country. In 2012, the Personal Identification Documents Law192 Communication to the public on the usage of the eID came into force. This law defined different types of means is based on a dedicated website189. identity cards available in Latvia (for citizens, non-

citizens, EU/EEA/Swiss citizens, 3rd country nationals, Are actions planned to increase the security of identity and foreign diplomats. It specified that all such identity cards (and eID means)? cards must “include the information in electronic form The 2016 Italian eID card complies with the ICAO MRTD necessary for the electronic verification of the identity security requirements (including biometric card holder's identity”. technologies), to which all European identity cards will The Law on Electronic Identification of Natural have to converge (Regulation (EU) 2019/1157). Persons193 came into force in 2015. It defines nationally recognized types of electronic identification that are Latvia equivalent to on-site verification of the identity of a natural person by presenting a personal identification What is the national strategy for eID? document. In accordance with the mentioned law, the Latvia’s Information Society Development Guidelines electronic identification shall be regarded as completed 2014–2020190 is a medium term development planning and shall be equated to on-site verification of the document which includes the first description of the identity of a natural person, presenting a personal necessity to develop cross-border functionality for identity document, if it has been conducted with the cooperation with the EU common use solutions and means of qualified or qualified increased security large scale design solutions into the national common electronic identification and it complies with the use platforms and solutions as well as the description of requirements laid down in the Law itself, if it has been

188 https://avanzamentodigitale.italia.it/it/progetto/ 191 spid https://www.varam.gov.lv/sites/varam/files/content/files/dig 189 https://www.agid.gov.it/ italas-transformacijas-pamatnostadnes-_2021-27.pdf 190 192 https://likumi.lv/doc.php?id=243484 http://old.varam.gov.lv/in_site/tools/download.php?file=files 193 https://likumi.lv/ta/en/en/id/278001-law-on-electronic- /text/Darb_jomas/elietas//Information_Society_Developmen identification-of-natural-persons t_Guidelines_2014_2020.docx

62

conducted in the case when the electronic identification in use195: service provider and electronic service provider have • eID karte196: is an identity document that includes agreed in written form regarding electronic an eSignature for signing documents and for identification and the type of electronic identification verifying the e-identity of a person in digital without using qualified or qualified increased security environment. electronic identification, or if it has been conducted in • eParaksts karte:197 is an eSignature carrier available the case when the electronic service provider and for legal entities which allows signing documents natural person have agreed in written form regarding and verifying identity of a person in the digital the verification of the identity of the natural person in environment. The card is valid for five years. the electronic environment without using qualified or Together with the eSignature card you will receive a qualified increased security electronic identification. free card reader. In addition, the Ministry of Environmental Protection • eParaksts karte+:198 is an eSignature carrier and Regional Development, who coordinates the policies available for legal entities which allows signing related to the creation of a digital single market, drafted documents and verifying identity of a person in the in 2018 legislative amendments which were endorsed to digital environment. The card is valid for five years. transpose the EU regulation to enable secure cross- Together with the eSignature card you will receive a border electronic transactions. The decision No. 60 §62 free card reader. The difference between this of the Cabinet of Ministers194 on “possible financing product and “e-Paraksts karte” is that it can also be solutions for the provision of certification services in used in organisations municipalities as a means to personal certificates (eID) and how a single and priority identify employees. means for ensuring the electronic identity of a person” • eParaksts Mobile: the app provides e-Identity was approved, foreseeing that starting from 2023, eID authentication on a variety of self-service portals for cards will become the mandatory identification institutions and companies, including municipal document for all Latvian residents who have reached the services, house management, and medical and age of 15. insurance service providers. eParaksts mobile is

available free of charge for iOS and Android What eID means are available? smartphones. Under the “Latvian eID scheme (eID)”, developed under Moreover, alongside these means it is posible to identify the Latvian State join-stock company “Latvia State Radio another one: and Television Centre” and notified for cross border use • Smart ID199: a mobile application for smartphones in 2019, four types of electronic identification means are

194 http://tap.mk.gov.lv/mk/mksedes/saraksts/ 196https://www.eparaksts.lv/en/Produkti/Privatpersonam/eid protokols/?protokols=2016-11-08 /eid_apraksts 195 Ministry of the Interior, OCMA, LVRTC (2018), Notification 197https://www.eparaksts.lv/en/Produkti/For_legal_entities/5 Form For Electronic Identity Scheme Under Article 9 (5) Of g/apraksts Regulation (Eu) No. 910/2014, available at 198https://www.eparaksts.lv/en/Produkti/For_legal_entities/5 https://ec.europa.eu/cefdigital/wiki/ g/apraksts display/EIDCOMMUNITY/Latvia?preview=/77370111/148898 199 Website – Smart-ID, available at https://www.smart- 035/LV_notification%20form%20for%20eID%20scheme.pdf id.com/

63

that can be used for verifying the owner’s identity with the state acting as the primary identity provider.

when signing documents, accessing eServices or for banking services. What is the level of use of eID? The Latvija.lv portal can be accessed both through the From 2023 on, eID cards will become the mandatory means mentioned above, but also via online bank identification document for all Latvian residents who authentication. have reached the age of 15. As of the first half of 2018, 1,246,282 eID cards have been issued.203

What plans are there for new or updated eID means? Nearly 87,000 people had received the eParaksts karte Currently, no plans for new eID means have been as of 2018.204 developed. However some updates to the existing Meanwhile, there are 2,675,047 Smart ID users across national eID card are planned. In particular, the card will Estonia, Latvia and Lithuania, who have completed 200 become mandatory in 2023 . Moreover, the Cabinet of 53,780,790 transactions last month205 (750,000 users are Ministers is planning to introduce an updated version of Latvian206). The eParaksta cards and mobile app is the eID card with twice the shelf life, new and innovative available for legal entities as well as natural persons. security features, and the possibility for users to use an unlimited number of e-signatures201. LVRTC has developed a dedicated website were citizens

and businesses can get information regarding eID and How is the national eID ecosystem set up? other related services207

In Latvia, the development and delivery of digital identity In order to ensure that citizens are informed about the is state-led. Both the national eID card and the eParaksts use of the national eID, eSignatures etc. Latvian identification solutions described previously were authorities have published a life event description on the developed as the result of a collaboration between the national portal www.latvija.lv, were citizens can get the Office of Citizenship and Migration Affairs (OCMA) and basic information about the use of eID, eSignatures208, 202 the Latvian State Radio and Television Centre (LVRTC) , what are its benefits for natural and legal entities and

200 https://eng.lsm.lv/article/society/society/eid-cards-to- 204 Delfi.lv (2018), Almost 87,000 People Have Been Issued eID become-mandatory-identification-documents-in- Cards Since the Beginning of the Year, available at 2023.a290382/ https://www.delfi.lv/news/national/ 201 LSM.LV (2019), New style ID Cards to Be Issued From politics/kops-gada-sakuma-eid-kartes-izsniegtas-teju-87-000- September in Latvia, available at iedzivotaju.d?id=50111235 https://eng.lsm.lv/article/society/society/new-style-id-cards- 205 Website – Smart-ID, available at https://www.smart- to-be-issued-from-september-in-latvia.a330132/ (also here id.com/ https://www.la.lv/bus-jaunas-id-kartes) 206 Edgar Stafeckis (2019), Implementing e-Signing Is Easy 202 Ministry of the Interior, OCMA, LVRTC (2018), Notification With SigningServices, available at Form For Electronic Identity Scheme Under Article 9 (5) Of https://digitalmind.lv/ieviest-e-parakstisanu-ir-vienkarsi-ar- Regulation (Eu) No. 910/2014, available at signingservices/ https://ec.europa.eu/cefdigital/wiki/ 207 www.eparaksts.lv/en/. display/EIDCOMMUNITY/Latvia?preview=/77370111/148898 208 https://www.latvija.lv/en/DzivesSituacijas/tiesibu- 035/LV_notification%20form%20for%20eID%20scheme.pdf aizsardziba/elektroniskais-paraksts#show8 203 LV Portal (2018), It Is Planned to Make the Identity Card a Compulsory Document, available at https://lvportals.lv/skaidrojumi/298146-personas-apliecibu- plano-noteikt-par-obligatu-dokumentu-2018

64

even how to prevent eID thefts with some useful operations. precautions. Generally, the services available to users More recently, the Lithuanian government adopted in (both natural and legal) through the Latvija.lv portal can 2018 legislation on eID and Trust services. This included be classified as follows: the “Law on Electronic Identification and Trust Services • Business for Electronic Transactions”210 which names the Ministry

• Culture of the Interior as the responsible organisation for policy on electronic identification. • Education

• Environment What eID means are available? • Health and care Lithuanian citizens have access to the following eID • Property/land administration means: • Tax policy • Lithuanian National Identity card (eID / ATK):211 a • Transport secure and effective eID card, pre-notified for cross- • Work and retirement border use in December 2019.

• Mobile ID:212 identification solution provided Are actions planned to increase the security of identity through the collaboration of the private company SK cards (and eID means)? ID, and mobile operators;

No plans have been identified to increase the security • Smart ID:213: a mobile app through you can access and features of the national identity card in response to online bank accounts, mobile banking and other e- Regulation (EU) 2019/1157. services safely and securely thanks to its strong identification tools. Lithuania In addition, access to the eGovernment gateway is possible using online bank authentication solutions. What is the national strategy for eID?

Lithuania’s digitalisation strategy “Digital Agenda of the What plans are there for new or updated eID means? Republic of Lithuania 2014-2020 Information Society Development Program209” dates from 2014 and has Lithuania plans to introduce an eResidency programme, been implemented by the Minister of Transport and available from January 2021, which will enable foreign Communications. One of its objectives is to encourage nationals to receive a digital identification means 214 the population to use electronic identification tools and allowing them to access online services in Lithuania . services that ensure the reliability of electronic

209https://eimin.lrv.lt/uploads/eimin/documents/files/30310_ 212 https://www.skidsolutions.eu/en/services/digital- LRV%20nutarimas(en).pdf identity/mobile-id 210https://e- 213 https://www.smart-id.com/ seimas.lrs.lt/portal/legalAct/en/TAD/c5174772ecd011e89d4a 214 https://fintechnews.ch/baltic/lithuania-introduces-e- d92e8434e309 residency-program/29675/ 211 https://www.nsc.vrm.lt/

65

How is the national eID ecosystem set up? • Health

The State leads on the provision of the national • Property/land administration electronic identity card, through the Ministry of the • Security Interior215. However, the other means described above • Tax policy are provided by private operators, with the State • Transport allowing them to be used to access online public services216. • Work and retirement

For what concerns the implementation of the eID means The country also has several official websites where we need to distinguish between the three means. The information about the national eID can be found, some 218 Lithuanian National Identity card (eID / ATK) is fully in Lithuanian while others provide information also in 219 public driven initiative, while Smart ID and Mobile ID rely English . upon a public-private cooperation network.

Are actions planned to increase the security of identity

What is the level of use of eID? cards (and eID means)?

The national eID Card is a mandatory document for all The Lithuanian eID card contains an embedded citizens above 16. For Smart ID, there are 2,664,919 contactless microprocessor holding one certificate for users across Estonia, Latvia and Lithuania, who have online identification and another one for electronically completed 53,80,787 transactions last month. signing official documents such as contracts and declarations220. This eID means appears compliant with Through the Lithuanian eGovernment gateway217, the EU Regulation 2019/1157, to the extent that it is a citizens (both natural and legal persons), can access a highly-secure polycarbonate laser-engraved card, wide range of online public services. In particular, these featuring contactless technology for identity verification latter can be grouped in the following macro areas: at border crossings based on fingerprint checks, • Agriculture therefore facilitating Lithuanian citizens to travel in EU • Business Member States221. • Culture • Culture • Defence Luxembourg • Education What is the national strategy for eID? • Energy In 2019 Luxembourg started to implement a • Environment digitalisation strategy under the authority of the Ministry

215 https://www.gemalto.com/govt/customer-cases/lithuania 219 https://digital-lithuania.eu/digitalgovernment/ 216 See eID means that can be used to log-in to the 220 Gemalto (2018), eID for Lithuania, available at eGovernment gateway here: https://www.gemalto.com/govt/customer-cases/lithuania https://www.epaslaugos.lt/portal/nlogin 221 Gemalto (2018), eID for Lithuania, available at 217 https://www.epaslaugos.lt/portal/en https://www.gemalto.com/govt/customer-cases/lithuania 218https://www.nsc.vrm.lt/default.htm

66

of the Economy: “The Data-Driven Innovation Strategy strictest international standards existing in digital trust. for the Development of a Trusted and Sustainable Economy in Luxembourg222”. The strategy remarks on What plans are there for new or updated eID means? the importance of electronic identity in an increasingly In 2020, an update to the national eID card has been pre- data-centric society. It highlights the intention to notified to the eIDAS Cooperation Network, in a view to develop an innovative regulatory environment and use a new chip. internationally recognised certification for technologies including electronic identity. How is the national eID ecosystem set up? On 17 July 2020, a law revising the amended law of 14 August 2000 on e-Commerce223 has been published, Currently, Luxembourg’s eID ecosystem is quite mature bringing Luxembourgish legislation in line with the eIDAS in terms of adoption and use of electronic identity. The regulation224. implementation of the national identity card (eID card) is a fully public driven initiative. However, LuxTrust is a

private solution developed by a private company of the What eID means are available? same name. There are currently two eID means in use in the country: LuxTrust has also established a joint venture with its • Luxembourg national identity card (eID card): it counterpart, ITSME, in Belgium, to make their digital was notified in 2018 after having replaced the identities interoperable in both countries226. Together, previous version issued in 2000. It allows citizens to the two companies want to offer a fully interoperable access public administration and private national solution to the EU market with the highest level of services, and also to create qualified electronic security. signatures.

• LuxTrust225: a multi-factor authentication service What is the level of use of eID? available in different versions: The adoption of the national eID card is mandatory for o Smart Cards all citizens above 15 residing in Luxembourg, however o Signing Stick the usage of the electronic authentication and signature o Token features is opt-in. Meanwhile, LuxTrust had 525,000 o Mobile app subscribers as of 2017 (20% more in respect to the LuxTrust not only allows customers to identify themselves online, but also to sign electronic documents and make bank transactions safely, with respect to the

222 https://digital- 224 luxembourg.public.lu/sites/default/files/2019-05/The-Data- http://legilux.public.lu/eli/etat/leg/loi/2020/07/17/a644/jo driven-Innovation-Strategy_0.pdf 225 Website – LuxTrust, available at 223 Joinup (2019), Digital Government Factsheet Luxembourg, https://www.luxtrust.com/trust-services/electronic-identity/ available at 226 https://www.luxtrust.com/luxtrust-launches-itsme-in- https://joinup.ec.europa.eu/sites/default/files/inline- luxembourg-for-digital-identity-and-solutions-interoperable- files/Digital_Government_Factsheets_Luxembourg_2019_0.p in-belgium-and-luxembourg/ df

67

previous year)227. Both forms of eID can be used to Malta’s public digitalisation plan “Mapping Tomorrow: access the single portal for eGovernment services in A strategic plan for the digital transformation of the Luxembourg – Guichet.lu – reaching online services in public administration”228 emphasises electronic the following domains: identification in a number of places, particularly in

• Education relation to the implementation of the once-only principle. The strategy describes the objective of the • Health “Identity Malta Agency” link information on each person • Property/land administration “to have one common data source available across all • Tax policy Ministries”. It also describes a “User-authentication • Transport service” which provides a single sign on for users

• Work and retirement accessing eGovernment services. In relation to the existing electronic identity card, the strategy announces Through the same portal, businesses can access services the intent to “update eID middleware software, analyse in the following domains: blockchain technology and consider new security • Business features”. • Environment Prior to the “Mapping Tomorrow” Strategy, Malta’s • Health digital strategy, “Digital Malta229” released in 2014, was • Tax policy the main document of relevance for eID. In it, the

government described its intent to work with banks and

Are actions planned to increase the security of identity other organisations to develop a national electronic cards (and eID means)? identity card as a trusted source of authentication.

The national eID card includes biometric technologies and has been attributed with the highest possible level What eID means are available? of assurance by the eIDAS cooperation network. In Right now, one eID means is available in Malta, which addition to the chip upgrade mentioned above, it is has not yet been notified for cross-border use under the planned to add new physical security features to the eID eIDAS Regulation: card in 2021, as well as making it fully compatible with • National eID: it is issued by the Identity Card Unit EU Regulation 2019/1157. (ICU), which is also responsible to verify that the citizens activate an e-Id virtual account, necessary to access an array of sensitive eGovernment online Malta services. They also include electronic signature.

What is the national strategy for eID? What plans are there for new or updated eID means?

227 Chronicle.lu (2017), Luxtrust Hits the €10m Mark for 2016, 228 https://publicservice.gov.mt/en/Documents/ available at https://chronicle.lu/category/ MappingTomorrow_StrategicPlan2019.pdf ict/21745-21745-luxtrust-hits-the-eur10m-mark-for-2016 229 https://digitalmalta.org.mt/en/Documents/ Digital%20Malta%202014%20-%202020.pdf

68

No plans for new or updated eID means have been • Energy identified. • Education

• Transport

How is the national eID ecosystem set up? There does not seem to be a single website on which The eID scheme described above are both fully public information on the available eID means and their driven initiative. The Identity Malta Agency is the benefits is collected. Instead this information is spread government agency responsible for their administration. across a number of websites including the Government’s In this regard, the state acts as the primary identity page on eGovernment230 and the Identity Malta online provider. page231.

What is the level of use of eID? Are actions planned to increase the security of identity The adoption of the eID card is still optional for Maltese cards (and eID means)? citizens. However, those in possession of the eID card No plans have yet been identified to update the national can access eGovernment services via the portal eID card to ensure that it is in compliance with the new “servizz.gov.mt”. Through this single point of contact, EU Regulation 2019/1157. citizens can access services in the following domains:

• Agriculture • Business • Culture The Netherlands • Defence What is the national strategy for eID? • Education The Netherlands’ Agenda for Digital Government232 (NL • Energy DIGIbeter) emphasizes the importance of digital identity,

• Environment describing it as a pillar for digital government, thus including a dedicated section on it. Planned actions and • Health priorities described include: • Security • Broadening the groups of stakeholders using safe • Tax policy and secure eID means for digital government • Transport services and increasing the number of people using • Work and retirement eID means using higher assurance levels;

Businesses have their own dedicated portal • Ensuring the availability of an open eID scheme; www.businessfirst.com.mt, which they can log into using • Ensuring the cross-border mutual recognition of the their eID to access services in the following domains: NL eID solutions DigiD andeHerkenning ;

230 https://mita.gov.mt/en/eGov/Pages/ 232 Website - Digital Government Agenda, available at eGovernment.aspx https://www.nldigitalgovernment.nl/digital-government- 231 https://identitymalta.com/services/e-id-virtual-account/ agenda/

69

• Developing further digital identity applications What plans are there for new or updated eID means?

together with the Association of Dutch Preparations are made for a Digital Government Act. The Municipalities and in pilots with ten municipalities; purpose of the Digital Government Act is to make it • Providing a way for representatives to conduct possible for citizens and businesses to login to online activities on behalf of another person or a governmental services in a safe and reliable mannerso company. that citizens can avail themselves of electronic

Moreover, twice a year, the State Secretary of the identification means (eID) om more reliable security Interior and Kingdom Relations reports to the levels than the currentmeans. Under the act, open Parliament on its progress233 on electronic identity and standards are mandatory. The act also describes the 236 on the measure it is taking to foster its use. standards for the providers of the means .

What eID means are used by the country? How is the national eID ecosystem set up?

The following eID means are currently in use in the There are currently both public and private identity Netherlands: providers in the Netherlands. As it stands, in order for citizens to access public online services it is necessary to • DigID234: this means consists of a username and a use the State provided eID, DigiD, which is operated by password, and optionally an additional verification Logius and implemented under the authority of the step via SMS or alternatively via the DigiD mobile Dutch Ministry of Interior and Kingdom Relations. app. Services are charged to the public administrations with rates fixed by the governments However, under the Digital Government ACT digital using them (but not to individual customers). access to public services is allowed through digital Currently, having a DigID account is not mandatory, identity solutions developed by private companies or in except for digital government services such as a public private partnership. electronically submitting tax returns. The scheme For businesses eHerkenning is used. eHerkenning is a has been notified for cross-border use under the Dutch Trust framework set up by the government. eIDAS Regulation. Within this trust framework users can select recognised private identity providers237 to provide them with a • eHerkenning:235 While DigID is used by natural digital identity. persons, legal entities use eHerkenning. Users pay via subscription and services are charged to the public administrations. The adoption of What is the level of use of the eID?

eHerkenning by legal entities is not mandatory The Netherlands has around 17 million citizens. In total, either. The scheme has been notified for cross- border use under the eIDAS Regulation.

233 The latest report (dated January 29, 2020) is available at 235 https://www.eherkenning.nl/ https://www.privacy-web.nl/nieuws/kamerbrief-voortgang- 236 https://www.nldigitalgovernment.nl/dossiers/digital- aanpak-digitale-toegang government-act/ 234 https://www.digid.nl/en/ 237 https://www.eherkenning.nl/leveranciersoverzicht

70

around 13.8 million people use DigiD238. In particular, mandatory)

“The use of the DigiD App has increased considerably in recent months. Whereas there were 3.3 million Are actions planned to increase the security of identity activated DigiD applications in May 2019, this number cards (and eID means)? almost doubled in December - partly as a result of the The Dutch identity card already has NFC technology and online campaign - to 6.3 million activated applications” can be scanned in order to enable a citizen’s DigiD 239. account to be used for more sensitive services and in In total there are approx. 647 affiliated organisations. relation to more sensitive data241. The domains for which it is possible to use DigID to The Government also has plans to increase the level of access digital public services include: security associated with the highest level of usage of • Civil registry assurance available for DigID, DigID Substantieel and • Property / land administration DigiD Hoog..DigiD and eHerkenning are both notified for • Tax policy eIDAS levels of assurance substantial and high.

• Transport / vehicles

• Work and retirement Poland

For eHerkenning, the use is around 5.5 million What is the national strategy for eID? authentications in 2019. The number of means issued Poland’s main approach in terms of eID is described in per month has rapidly increased over 2019 (from 400 / two documents – the Paperless and Cashless Poland month at the beginning of the year to 20000 / month in Program242, and the Strategy for Responsible November) for a total of 375,000 means issued until Development. November240. In total there are approx. 403 affiliated The Paperless and Cashless Poland program names organisation. Services available mainly concern the digital identity as one of its 13 streams intended to following domains: enable the digitization of government services, • Environment processes and transactions. It aims to build “a central e- • Public procurement ID hub, enabling digital identification and authentication

• Statistical data submission of citizens”. The government describe its intention to draw on the identification mechanisms used for • Tax policy (electronic submission of tax returns is

238 Ministry of the Interior and Kingdom Relations (2020), 240 Ministry of the Interior and Kingdom Relations (2020), Digital Access Progress Report, available at Digital Access Progress Report, available at https://www.rijksoverheid.nl/binaries/rijksoverheid/documen https://www.rijksoverheid.nl/binaries/rijksoverheid/documen ten/kamerstukken/2020/01/29/kamerbrief-voortgang- ten/kamerstukken/2020/01/29/kamerbrief-voortgang- aanpak-digitale-toegang/kamerbrief-over- aanpak-digitale-toegang/kamerbrief-over- voortgangsrapportage-digitale-toegang.pdf voortgangsrapportage-digitale-toegang.pdf 239 Ministry of the Interior and Kingdom Relations (2020), 241 https://www.digid.nl/inlogmethodes/id-check Digital Access Progress Report, available at 242 Paperless and Cashless Poland, Program Overview (2017). https://www.rijksoverheid.nl/binaries/rijksoverheid/documen Available at https://www.gov.pl/documents/ ten/kamerstukken/2020/01/29/kamerbrief-voortgang- 31305/0/paperless_cashless_poland- aanpak-digitale-toegang/kamerbrief-over- program_overview.pdf/d9ff05f9-9379-325a-d7de- voortgangsrapportage-digitale-toegang.pdf 2afb2361f4ba

71

eBanking to provide access to online public services. The 2019247.

Programme states the government plan to introduce a • Bank Polski Identity:248 mobile identity means “federation model” for eIdentity, developing “principles provided by Bank Polski, Poland’s largest bank. and requirements” as well as “technical infrastructure” • Inteligo249: identity means provided by the Inteligo for digital identification, but enabling private players Bank. such as banks or telecoms to provide the means and • mIdentity250 – a mobile identity means provided by means for eIdentification. the State, which draws upon an existing Trusted The Strategy for Responsible Development, meanwhile, profile account. adopted in 2017 by Council of Ministers, announced plans to develop an electronic identity card243. What plans are there for new or updated eID means? In terms of legislation shaping the Polish electronic identity landscape, the National Act on Trust Services No plans for further or updated eID means in Poland and Electronic Identification244 was adopted in 2016. have been identified. The Act, aimed at aligning the country’s national legal system with the eIDAS Regulation, and introduced the How is the national eID ecosystem set up? procedure for notifying the national eID scheme. Poland has chosen to pursue a federated model for eID, as explained in the Paperless and Cashless Poland

What eID means are available? program. Under this approach, both private and public

A number of eID means are available in Poland, although providers are able to provide electronic identity means, none have yet been notified for cross-border use under which will be recognized by the public administration 251 the eIDAS Regulation. The available means include: and by private entities as well . The State’s additional role is to provide standards with which these digital • Trusted Profile245 (Profil Zaufany – eGO): a digital identity means must comply. identification program launched in 2011246, provided What is the level of use of eID? by the State. The Trusted Profile identity means, which has been • National (electronic) identity card: Available since

243 Polish Council of Ministers (2017), Strategy for Responsible 247 https://www.pwpw.pl/en/News/2017/12/polish-e- Development. Available at identity-card-in-2019.html https://www.gov.pl/documents/33377/436740/SOR_2017_st 248 https://www.pkobp.pl/klienci-indywidualni/e-urzad/e- reszczenie_en.pdf tozsamosc/ 244http://prawo.sejm.gov.pl/isap.nsf/DocDetails.xsp?id=WDU 249 https://inteligo.pl/ 20160001579 250 https://www.gov.pl/web/mobywatel/mtozsamosc 245 https://www.biznes.gov.pl/en/firma/how-to-handle- 251 Michal Tabor (2017), Electronic transactions based on the official-matters-in-poland/handling-official-matters-via- federation of electronic identification systems - a Polish biznes-gov-pl/how-to-handle-official-matters-and-sign- perspective, available at documents-online-at-biznes-gov-pl/trusted-profile-and- https://www.cryptomathic.com/news-events/blog/electronic- electronic-signature-signing-documents-sent-to-offices-via- transactions-based-on-the-federation-of-electronic- the-internet identification-systems-a-polish-perspective 246 Statista (2020), Total Number of Registered Users of the Digital Identification Program Profil Zaufany (Ego) in Poland from 2016 to 2020, Available At https://www.statista.com/statistics/1088164/poland-profil- zaufany-users/

72

available since 2011, now has over 5 million users252. It is country’s approach and future plans for eID is presented one of a number of eID means (the others are the in a number of government strategy documents. The national identity card, Bank Polski, and Inteligo) that can most significant of these is the Estrategia TIC 2020 be used to access the services available on the Gov.pl “Estratégia para a Transformação Digital na portal, which provides a central information and access Administração pública”254. The document, which lays point for public services. Concerning these latter, citizens out the Government’s vision for applying ICT to the can access the following domains: public administration states the ambition of ensuring

• Business that information is available through one single point, accessible using a single identification. It lays out plans • Education for a number of actions on digital identity, including: • Environment • Develop and make the citizen card (the primary • Health form of Portuguese eID) available with new • Security features;

• Tax policy • Allow citizens to authenticate their identity on • Work and retirement public administration sites and systems;

While the services accessible by businesses are: • Make the Professional Attributes Certification

• Business System (SCAP) available, for signature and authentication • Security Digital identity is also mentioned as one of the measures • Tax policy in Portugal’s Simplex+ Program. This program has been

in place since 2016 (following on from the preceding Are actions planned to increase the security of identity Simplex Program) and aims to “to ensure that Public cards (and eID means)? Administration provides prompt and effective responses No plans have been identified to update Poland’s to the needs of people and businesses”. The most recent identity card to ensure compliance with Regulation (EU) annual Simplex Program includes a proposal to create a 2019/1157. digital residency Program enabling access to digital services255.

Portugal

What is the national strategy for eID?

Portugal was one of the first EU countries to adopt an What eID means are available? electronic identification means with plans for the Cartão Right now, three eID means are available in Portugal:

253 do Cidadão (Citizen Card) dating back to 2005 . The • The Cartão de Cidadão: the national identity card,

252https://www.statista.com/statistics/1088164/poland- 254 https://preprod.tic.gov.pt/documents/37177/ profil-zaufany-users/ (February 2020) 108997/CTIC_TIC2020_Estrategia_TIC.pdf/e2ea3d32-82a8- 253 Gemalto (2019), Portuguese Citizen’s Card,available at ed18-0fbf-9d51dfc24acc https://www.gemalto.com/brochures-site/download- 255 https://www.simplex.gov.pt/medidas site/Documents/gov-portugal-eID.pdf

73

with electronic identification functionality, Citizen Card is the Law no. 7/2007 of 5 February 2007258 implemented under the authority of the which also regulates its issuance, replacement, use and Administrative Modernization Agency256. It was cancellation. Later on, Law nº32/2017 of June 2017259 introduced to replace five previous physical ID introduced significant changes to the Citizen Card, in documents (paper-based ID; taxation card; voting particular the integration of the Professional Attributes card; social security card; healthcare card). It has a Certification System.

large memory capacity compared with other similar For what concerns the Digital Mobile Key, the reference documents and also stores biometric data law is the Law no. 37/2014, of 26 June.260 (fingerprints). It was notified for cross-border use

under the eIDAS Regulation in 2019. What plans are there for new or updated eID means? • The Sistema de Certificação de Atributos Portugal plans to introduce an electronic residency Profissionais is a certification system that allows programme in 2020. This will enable digital workers and citizens to authenticate themselves and sign entrepreneurs to access services online using an eID. The documents in their roles a professional. It was pre- programme is being introduced with the aim of notified for cross-border use under the eIDAS attracting over 5000 digital workers, entrepreneurs and Regulation in 2018 and implemented under the investors.261 authority of the Administrative Modernization

Agency. How is the national eID ecosystem set up? • The Chave Móvel Digital (Digital Mobile Key) was created in 2017 under the authority of the The Portuguese government plays a leading role in the Administrative Modernization Agency257. It was provision of eID in Portugal. All three of the currently notified for cross-border use in April 2020. It enables available eID means are provided by the state, and there citizens to authenticate their identity using a mobile are no privately provided eID means (such as from banks phone (with a confirmation code sent to the phone as in other countries) that can be used to access online number). It also provides eSignature functionality. public services. The INCM (Imprensa Nacional Casa da Moeda SA) and the Portuguese National Printing Office, In this context, the reference law for the creation of the leads the production of the citizen cards. As in many

256 Administrative Modernization Agency (2018), Notification 258 Law no. 7/2007 of 5 February 2007, available at Form for Electronic Identity Scheme Under Article 9(5) of http://www.pgdlisboa.pt/leis/lei_mostra_articulado.php?nid= Regulation (Eu) No 910/2014, available at 2807&tabela=leis&so_miolo= https://ec.europa.eu/cefdigital/wiki/pages/viewpage.action? 259 Law nº32/2017 of June 2017, available at pageId=78555468&preview=/78555468/78555735/NOTIFICA https://dre.pt/web/guest/pesquisa/- TION%20FORM%20FOR%20ELECTRONIC%20IDENTITY%20SCH /search/107114304/details/maximized EME%20UNDER%20ARTICLE%209_PT_signed%20(1).pdf (also 260 Law no. 37/2014 , of 26 June, available at here https://www.autenticacao.gov.pt/o-cartao-de-cidadao) https://dre.pt/home/-/dre/107114304/details/maximized 257 Administrative Modernization Agency (2018), Notification 261 https://www.portugal.gov.pt/pt/gc22/comunicacao/ Form for Electronic Identity Scheme Under Article 9(5) of noticia?i=e-residency-e-balcao-do-empreendedor- Regulation (Eu) No 910/2014 ,available at apresentados-no-1-dia-da-semana-digital https://ec.europa.eu/cefdigital/wiki/ pages/viewpage.action?pageId=78555712&preview=/785557 12/78555740/NOTIFICATION%20FORM%20FOR%20ELECTRO NIC%20IDENTITY%20SCHEME%20UNDER%20ARTICLE%209_P T_signed%20(1).pdf

74

other EU countries, the INCM selected in 2006 Gemalto portal are in the following domains: as prime contractor to provide the digital security • Business solution for the national eID card (Sealys eID), which • Civil registry included not only the secure operating system and the • personalization system (Coesys Issuance solution) but Culture also the applications, the middleware and associated • Defence helpdesk services provided by other Portuguese private • Education companies. • Energy

• Health What is the level of use of eID? • Property / land administration Since 2014, the Citizen Card has been a mandatory • Security document for all Portuguese citizens262. According to the • Tax policy official authentication Portuguese portal, at the end of 2019 almost 6,8M of Citizen Card had been issued263, • Transport while 1,2M had registered for Digital Mobile Keys264. For • Work and Retirement what concerns the access to the governmental portal, more than 15M users have verified their identity online Are actions planned to increase the security of identity using one of the three means mentioned before (in the cards (and eID means)? period 2014-2019)265. Even though Portugal hasn’t explicitly confirmed that it 266 In February 2019 the ePortugal portal replaced the is taking measures to comply with the Regulation (EU) Citizen Portal as the main channel for accessing digital 2019/1157, the country will soon adopt a new eID card services offered by the public administration, becoming that will include the EU flag, will show the photograph on the central repository for all services dedicated to the left side instead of on the right and will ensure citizens and companies, and providing a directory of stronger protection of card users' data. The card will addresses, websites and mobile applications of the keep the same name in Portuguese, but in English Public Administration. Citizens are able to log on to it and "Citizen Card" will be replaced by "Identity Card".267 access services using any one of the three means The Citizen Card number format is expected to be kept described above (although only limited services related as it is, so every citizens will be able to keep the same to professional activity are available if you sign in using Portuguese ID number they already have. Concerning, the Sistema de Certificação de Atributos Profissionais). instead, the technology, a common authentication and The available services the users can access using the electronic identification mechanism will be introduced

262 Law No. 91/2015, of 12 August, available at 265 https://www.autenticacao.gov.pt/stats-autenticacaogov http://www.pgdlisboa.pt/leis/lei_mostra_articulado.php?arti 266 https://eportugal.gov.pt/ go_id=2809A0003&nid=2809&tabela=leis&pagina=1&ficha=1 267 https://www.idealista.pt/en/news/legal-advice- &so_miolo=S&nversao= portugal/2019/02/28/297-cartao-de-cidadao-portuguese- 263 https://www.autenticacao.gov.pt/stats-cartao-cidadao citizen-card-changing 264 https://www.autenticacao.gov.pt/stats-chave-movel- digital

75

with the insertion of a contactless chip, so that the card In terms of legislation on eID, the state introduced in will be read automatically at all borders. 2017 a law on eID and trust services for electronic

270 As per current plan, by 2020 or 2021 there may already transactions to ensure compliance with the eIDAS be new eID cards which will circulate in Portugal, even regulation. before the deadline set by the EU that the country has to

268 comply to adopt the new standards . What eID means are available?

Currently, there are very few options available in Romania for online identification. The national ID card has not yet been upgraded with an electronic Romania identification functionality. Access to online portals such as the Punctul de Contact Unic electronic271 is possible What is the national strategy for eID? through user accounts including the “eDirect” account, Romania’s current digital strategy “National Strategy on “ghiseul.ro” account, or use of a qualified digital 269 Digital Agenda for Romania (2014-2020) ” is the certificate. The Ghiseul.ro account, set up to pay taxes primary existing strategy document laying out an online, links to the banking system, and draws upon data approach on eID. Electronic identity is described as an on the user’s bank card in order to authenticate them272. “enabler initiative” to be prepared between 2015 and One eID means, the National Health Insurance Card, is 2018 in order to increase the adoption of eGovernment provided by the National Health Insurance House. It services. The provision of an “electronic centralized contains basic identification data including the national system of authentication and unique identification of the health insurance code of the holder, plus – upon request users, prepared so as to incorporate all needs of by the holder – medical data. Holders use those cards to electronic identification resulted from the apply for medical services, except for emergency implementation of online public services” is described as services, and to access all health insurance information a key component for delivering a “solid implementation systems273. of eGovernment”. Two possible options are acknowledged, either the provision of a single sign-on What plans are there for new or updated eID means? mechanism, or the provision of a “unique element of identification” that all online public service suppliers Romania is developing a national eID card with electronic recognise. The strategy names a target of “25% of identification functionality, which should start to be adoption of e-identity” by 2020. issued in 2021. Planned uses for the eID card are to

268 Idealista news (2019), “The 'citizen card' Portuguese citizen 270 https://www.comunicatii.gov.ro/wp- card is changing”, available at content/uploads/2017/12/Proiect-de-Lege-serviciilor-de- https://www.idealista.pt/en/news/legal-advice- incredere-13.12.2017.pdf portugal/2019/02/28/297-cartao-de-cidadao-portuguese- 271 https://edirect.e-guvernare.ro/User/Login.aspx citizen-card-changing 272 https://www.ghiseul.ro/ghiseul/public/credentiale 269 https://www.trusted.ro/wp- 273 National Health Insurance House (2015), National Health content/uploads/2014/09/Digital-Agenda-Strategy-for- Insurance Card, available at http://www.cnas.ro/page/cardul- Romania-8-september-2014.pdf national-de-asigurari-de-sanatate-2.html (also at https://business-review.eu/featured/national-health- insurance-card-becomes-compulsory-this-month-76603)

76

enable citizens to interact online with public Are actions planned to increase the security of identity administration, as well as allowing them to log in to the cards (and eID means)?

274 healthcare system . The legal framework implementing the new eID card will provide for the direct application of Regulation (EU)

How is the national eID ecosystem set up? 2019/1157, so that the Romanian identity documents will comply with the standards established at EU level, The initiative aiming at introducing the new eID card is a mainly those regarding the security elements. fully public initiative coordinated by the Ministry of Interior. The existing means of online authentication in The new identity card will feature a “photo and two use for online services, appear to be organised at the fingerprints of the cardholder, stored in a digital format, 276 service level (e.g. health, taxes). In the case of taxes, the on a contactless chip” . public authority cooperated with banks in order to allow “The new identity documents come with additional users to authenticate their identity on the public security guarantees and strengthen the confidence of website. public institutions and the private environment that the

Going forward, cooperation with the banking sector and person presenting the document is in fact the holder” the telecom service providers is also planned to affirms the Ministry of Interior, which coordinates the 277 implement a program in order to allow citizens to initiative. securely authenticate and use public administration services by connecting exclusively online.275

What is the level of use of eID? Slovakia As concerns the national eID card, the Ministry for What is the national strategy for eID? Information Society set the goal of 25% of eID adoption Slovakia’s 2019 strategy on digital transformation, by 2020. However, at the issue of this report, electronic “Strategy of the Digital Transformation of Slovakia ID cards have not been released yet and a draft 2030278”, makes a brief reference to digital identity, government ordinance put up by public debate by the naming it as one of its priorities to enable citizens to Interior Ministry now sets the launch date of eID cards at manage the data that the public administration holds on August 2021. The new eID will not be mandatory them and use it for third party services, providing “new (citizens may opt out for a non-digital version), however opportunities for a comfortable and secure digital they will be the only ones allowing travel abroad, even identity”. within the EU. Earlier strategies have focused to a greater extent on the

issue, however. The 2008 National Concept of

274 https://www.romania-insider.com/romania-electronic-id- 277 https://www.agerpres.ro/justitie/2020/01/14/mai-proiect- cards-2021 de-ordonanta-ce-prevede-emiterea-actelor-electronice-de- 275 https://www.arb.ro/wp-content/uploads/Studiu-e- identitate-lansat-in-dezbatere-publica--432262 Guvernare.pdf 278 https://www.vicepremier.gov.sk/wp- 276 https://www.romania-insider.com/romania-electronic-id- content/uploads/2019/11/Brochure-SMALL.pdf cards-2021

77

eGovernment document provided an approach for identification, multifactor authentication, electronic efficient digitalisation of the public administration, and signature, and for accessing any online public already named the national electronic ID card as one of service. the principal architecture components. • Foreigner eCard: the ID document given to More recently, the Strategic Document for Digital foreigners with a residence permitted in the Slovak Growth and Next Generation Access Infrastructure (2014 Republic to verify their identity.

279 – 2020) indicated that Slovakia would follow a PKI smart card model for future eID cards, and emphasized What plans are there for new or updated eID means? the need to ensure the availability of services, ease of Slovak eID is a multi-application card with contact use, reducing costs of use, communicating benefits of electronic chip. The Slovak republic is preparing an use, considering making the eID means mandatory, and upgrade this card with dual interface chip but it is enabling mobile identification. necessary to maintain maximum compatibility and The key legislation for eID is the 2013 eGovernment continuity with the current chip platform. Act280. This law mandates the use of eID cards (or alternative authenticators) for authentication for How is the national eID ecosystem set up? eGovernment services281. Slovakia issued the eID card for the first time in 2013 with Act No. 395/2019 Coll. on ID cards, and on amendments the aim of ensuring a secure access to eGovernment to certain acts regulates the conditions and procedure services and to allow citizens to control their consent for issuing ID cards and keeping the ID card record. about the use of their personal data. The Additionally, Act No. 272/2016 on trust services for implementation of the eID scheme is fully-public driven electronic transactions in the internal market282 initiative, with the state as the identity provider. ensured Slovakian compliance with the eIDAS regulation. The District Headquarters of Police Force is responsible

for the issuance of the eID, while the National What eID means are available? Personalization Center of the Ministry of the Interior of The key eID means available in Slovakia is the national the Slovak Republic is responsible for data electronic ID card. It was notified for cross-border use personalisation of the eID card285. under the eIDAS Regulation in 2019. It has been issued since 2013283 and is available in two forms What is the level of use of eID? • Slovak Citizen eCard:284 for citizens - used for According to the Ministry of Interior of the Slovak

279 https://www.vicepremier.gov.sk/en/sections/ 282 https://www.slov-lex.sk/pravne-predpisy/SK/ZZ/2016/272/ informatization/egovernment/strategic-documents/strategic- 283 https://www.researchgate.net/publication/ document-for-digital-growth-and-next-generation-access- 327888030_Identifiaction_and_Authentication_of_Persons_in infrastructure-2014-2020/index.html _Cyberspace_in_Selected_States 280 Act No. 305/2013 Coll. on the Exercise of Public Authorities 284 https://www.minv.sk/?obcianske-preukazy Competences in Electronic Form and on changes and 285 https://www.researchgate.net/publication/ amendments to certain acts 327888030_Identifiaction_and_Authentication_of_Persons_in 281 https://www.researchgate.net/publication/ _Cyberspace_in_Selected_States 327888030_Identifiaction_and_Authentication_of_Persons_in _Cyberspace_in_Selected_States

78

Republic, more than 4 million Citizen Cards have been private sector to use eID to make the provision of issued (430,000 holders also have certificates for the electronic services faster, not just for citizens but also for creation of an electronic signature)286. There are more the business community. The amendment No. than 1 000,000 authentications per month287 using the 238/2017289 to the Act No. 305/2013 of Coll. on the eID card. eGovernment (accepted in April 2019) has made it

A single gateway to eGovernment services is provided possible for banks, telecommunication companies and through the Central Government Portal288, both for postal entities to cross-reference or verify client details citizens and businesses. Access is granted through the against records held within the registries of ID cards and national eID, as well as through the notified eID means physical persons, after an agreement with the Ministry of other EU countries. In particular, the services in the of Interior, and after having provided the details of the 290 following domains are available for citizens: person’s eID . There is no dedicated website regarding eID, but • Civil registry information on it is available on the Central Government • Culture Portal mentioned above291. • Defense

• Education Are actions planned to increase the security of identity • Environment cards (and eID means)?

• Health The Slovak republic is preparing to add biometric data to

• Property/land administration the national identity cards as required by Regulation (EU) 2019/1157. • Security

• Tax policy

• Transport Slovenia • Work and retirement What is the national strategy for eID? Services in the following domains are available for businesses: Slovenia’s digitalisation strategy “Digital Slovenia 2020 - • Business Development strategy for the information society • Environment 2020292” dates back to 2016. It mentions plans for eID,

• Tax policy saying that “[a] new system of electronic identities should be established in good time”. Concretely, it

In addition, Slovakia is fostering cooperation with the proposes the introduction of an eID card, and the need

286 https://fontech.startitup.sk/elektronicke-obcianske- 290 https://joinup.ec.europa.eu/sites/default/files/ preukazy-nocna-mora-slovenska-alebo-krok-k-jednoduchsej- inline-files/Digital_Government_Factsheets_Slovakia_ buducnosti/ 2019.pdf 287 https://thrive.dxc.technology/eur/2019/05/16/ 291 https://www.slovensko.sk/sk/eid/_eid-karta/ slovakia-uses-eid-card-for-safe-digital-public-services/ 292 https://www.gov.si/assets/ministrstva/MJU/DID/ 288 https://www.slovensko.sk/sk/titulna-stranka Digital-Slovenia-2020-Development-Strategy-for-the- 289 Amendment No. 238/2017, available at https://www.slov- Information-Society-until-2020.pdf lex.sk/pravne-predpisy/SK/ZZ/2017/238/

79

to develop effective identifiers. It proposes the An upgrade of the existing national ID card is currently “consolidation of e-identity management in state underway, with the intention of integrating electronic administration”, while also proposing that services identification capabilities. The new eID card should be should be made available for businesses as well. issued by 2021297.

More recently, The Ministry of Public Administration has prepared and published a proposal for the Electronic How is the national eID ecosystem set up? Identity and Trust Services Act (ZEISZ)293. The law The providers of the eID means described are provides Slovenian citizens with the possibility of predominantly public organisations. Both SI-PASS and obtaining a single national electronic identity issued by Mobile identity smsPASS are fully public driven the state through one or more means of electronic initiatives, with SI-TRUST298, the trust service authority of identification. With these means, they identify Slovenia, being the identity provider. themselves in all the processes they carry out Meanwhile, the Qualified Digital Certificate relies upon electronically both at national level and throughout the both public and private providers, with four different EU internal market. organisations able to issue these certificates (Ministry of

Public Administration Pošta Slovenije, Nova Ljubljanska What eID means are available? Banka, Halcom)299.

Currently, three eID means are in use in Slovenia, none of which have yet been notified for cross-border use: What is the level of use of eID? • Qualified Digital Certificate:294 certificate issued by With the three eID means mentioned above, it is possible public or private qualified providers, which allows to access online services through the eGovernment access to eGovernment services. portal300. In particular, the macro areas of services • SI-PASS:295 a single account enabling online available are: registration for a number of different electronic • Agriculture service providers. • Civil registry • Mobile identity smsPASS:296 a login method based • Culture • Education on two-factor authentication of the user that • Environment provides his or her unique identification. • Health • Property/land administration What plans are there for new or updated eID means? • Tax policy • Transport

293 https://www.gov.si/novice/2020-02-27-ministrstvo-za- 297 https://www.total-slovenia-news.com/lifestyle/ javno-upravo-pripravilo-in-objavilo-predlog-zakona-o- 4652-slovenia-to-launch-biometric-id-cards-in-mid-2021 elektronski-identiteti-in-storitvah-zaupanja-zeisz/ 298 Website – SI-Trust, available at https://www.si- 294 https://e-uprava.gov.si/podrocja/osebni-dokumenti- trust.gov.si/en/si-pass/ and https://www.si-trust.gov.si/en/si- potrdila-selitev/osebni-dokumenti/ pass/mobile-identity-smspass/ digitalno-potrdilo-za-elektronsko-poslovanje.html 299 https://e-uprava.gov.si/podrocja/osebni-dokumenti- 295 https://sicas.gov.si/ potrdila-selitev/osebni-dokumenti/digitalno-potrdilo-za- 296 https://e-uprava.gov.si/pomoc-kontakt/pomoc-pri- elektronsko-poslovanje.html uporabi/sms-pass.html 300 https://e-uprava.gov.si/

80

• Work and retirement identification mechanism through username and password, integrated into the Cl@ve platform”.

Are actions planned to increase the security of identity In terms of the use of emerging technologies, the Royal cards (and eID means)? Decree-Law 14/2019 temporarily prevents the use of a In compliance with Regulation (EU) 2019/1157, a Bill on Digital Identity (ID) blockchain for public administrations Amendments to the Identity Card Act301 is being drafted, to identify citizens until “the identification systems which will stipulate the issuance of identity cards with based on distributed registration technologies and the biometrics including a facial photo, and two signature systems based on the previous ones, are fingerprints302. subject to specific regulation by the State within the

305 framework of European Union Law ”. Spain as part of the European Blockchain Partnership (EBP), is working Spain on a use case of Sovereign or Self-managed Digital Identity. What is the national strategy for eID? The Law 39/2015 (1 October 2015)306 of the Common No single document has been identified laying out an eID Administrative Procedure of Public Administrations, 303 strategy for Spain. The “Plan Avanza” , implemented lays out in article 9 the available identification options under the authority of the Ministry of Industry, Tourism for the citizens to prove their identity. They are able to and Commerce in 2006, refers to electronic choose eID means based on a certificate or an electronic identification but only in the section dedicated to e-Trust ID/key agreement, or on the use of a key chosen by the where it was pointed out that the promotion of digital user and a PIN communicated by SMS and that requires identity did not correspond to the expected and desired previous registration. levels. In this regard, one of the objective that have been More recently, the “Digital Agenda 2025”307 identified was the promotion of the use of digital implemented under the authority of the Ministry of identity. Economic Affairs and Digital Transformation in 2020, The “Digital Transformation Plan for the General pointed out the need to promote the use of digital Administration and its Public Agencies (ICT Strategy) services, seeking support in the strengths of the Spanish 304 2015-2020 ”, approved by the Ministry of Finance in digital sector of electronic communications services, 2015 mentions the topic in passing but does not especially in terms of secure digital identity, so that elaborate. It sets the objective “to enable an anyone in the territory can have access to these services.

301 Ministry of the Interior (2019), Law on Amendments to the 304 Act Identity Cards, available at https://e- https://administracionelectronica.gob.es/pae_Home/dam/jcr: uprava.gov.si/.download/edemokracija/ 0d4cfaad-3df4-46a1-8b87- datotekaVsebina/403236?disposition=inline aa3dc602e90b/Plan_de_trans_Estrategia-TIC_ingles.pdf 302 Luana Pascu (2019), Slovenia Adheres to EU Regulation, 305 Boletín Oficial Del Estado number 266 (2019), available at Will Release Biometric ID Cards in 2021, available at https://www.boe.es/boe/dias/ https://www.biometricupdate.com/ 2019/11/05/pdfs/BOE-A-2019-15790.pdf 201910/slovenia-adheres-to-eu-regulation-will-release- 306 https://boe.es/boe/dias/2015/10/02/pdfs/BOE-A-2015- biometric-id-cards-in-2021 10565.pdf 303 https://avancedigital.gob.es/programas-avance- 307 digital/DescargasPlanesAvanza/Plan%20Avanza/plan_avanza- https://portal.mineco.gob.es/RecursosArticulo/mineco/prens Documento_completo.pdf a/ficheros/noticias/2018/Agenda_Digital_2025.pdf

81

Moreover, the document includes a section on What plans are there for new or updated eID means? multiplatform accessibility of public services, with the According to the new “DNIe Digital Identity Project311” a aim of evolving the existing identification and signature new version of the electronic DNI (Spanish eID card), DNI systems towards more simple and usable models, also 4.0, will be implemented. on mobile phones.

How is the national eID ecosystem set up? What eID means are available? In Spain, the State has a central role in relation to digital The main eID means available in Spain is: identity, providing the main eID means in use - eID card. • The Documento Nacional de Identidad electrónico In addition, the Spanish Government set up the (DNIe):308 the Spanish electronic ID card which authentication service Cl@ve, providing an includes an authentication certificate allowing the authentication solution (with username and password, recognition of the digital identity of the citizens, as or digital certificate) that could be integrated by online well as providing also the possibility to electronically public services onto their website. signing documents. This identification means was Still, it is worth mentioning that in Spain there are a lot notified for cross-border use in 2018 under the of private authorities issuing certificates that citizens can authority of the Ministry of the Interior. The DNI is use to access eGovernment services, among which: mandatory for Spaniards over 14 years old, so every • Camerfirma S.A. citizen above that age has this eID. • Firmaprofesional S.A. • Electronic certificates • Law Certification Authority Another available eID means is Cl@ve,309 a platform for • Notary Agency of Certification identification, authentication and electronic signature that avoids public administrations having to implement • Certification Service of the Property Registry and manage their own systems for authentication and Officers signature. Moreover, it complements the already These authorities issue certificates that differs from the existing eID means to access online public services (such eID card since they do not only provide citizens with a as the electronic ID card and electronic certificates) and digital identity but also with the evidence of their has the objective of allowing citizens to identify professional status. And the reason why these themselves to the Administration by means of certificates are important is that without them, the concerted keys (username and password), without holders of the eID card would not be able to exercise having them to remember different keys310. through telematic means the rights derived from their

profession312.

308 https://www.dnielectronico.es/ 311 309 https://clave.gob.es/ http://www.interior.gob.es/es/web/interior/noticias/detalle/- 310 Website – Agencia tributaria, What Is the Cl@ve System?, /journal_content/56_INSTANCE_1YSSI3xiWuPH/10180/12525 available at 577/ https://www.agenciatributaria.es/AEAT.internet/Inicio/La_Ag 312 https://link.springer.com/article/10.1007/s12394-010- encia_Tributaria/Campanas/Cl_ve_PIN/_INFORMACION/Preg 0041-3 untas_frecuentes/_Que_es_el_sistema_Cl_ve_.shtml

82

No plans have been identified to take specific actions to

What is the level of use of eID? ensure compliance with Regulation (EU) 2019/1157.

According to a study of the OECD313, over 44M of Spanish citizens hold a DNIe (the DNI is mandatory for Spanish citizens over 14 years). This number increased drastically in the past few years, after the country developed an Sweden updated version of the document featuring a dual What is the national strategy for eID? interface chip allowing services to be accessed through card readers and devices supporting NFC (Near Field The Swedish digitalisation strategy “For a sustainable 316 Communication)314. Before that, there were digitized Sweden - a digitalisation strategy ” has been 317 compatibility challenges with some platforms with only implemented by the Government Offices in 2017 , and a limited number of private services supporting the has a section dedicated to eID. According to the strategy, previous version of the card. digital identity is a socially critical infrastructure and is a prerequisite for the continued development of digital Within the public sector, the eID card can be used to service for individuals and companies. Therefore, it is access all online public services provided by the crucial for individuals to be able to access digital services following bodies: in both the private and public sectors, by being able to • General state administration prove their digital identity in a simple and secure way. • Autonomous communities Moreover, the strategy states that although a large

• Local administration proportion of Sweden's population today has e- credentials, it is important that everyone who needs to • Other public organizations can access simple and secure e-credentials. These The eID card can also be used in private sector solutions must meet high standards of security and services315. usability. The procedures for identification and Meanwhile, more than 7,600 organisations have signatures in connection with the use of digital services integrated Cl@ve as a means of authentication on their should work in a simple way for the user, whether in website providing online services. Sweden or in another country.

Alongside this strategy, the report, “Reboot - restart for Are actions planned to increase the security of identity cards (and eID means)?

313 https://www.oecd-ilibrary.org/docserver/9ecba35e- 316https://www.regeringen.se/49adea/contentassets/ en.pdf?expires=1592389619&id=id&accname=guest&checksu 5429e024be6847fc907b786ab954228f/digitaliseringsstrategin m=F28DD9056BB3A597FE60AF34731FEBEF _slutlig_170518-2.pdf 314 Website – National police body, Differences between DNIe 317 and DNI 3.0, available at https://www.government.se/49c292/contentassets/117aec2 https://www.dnielectronico.es/PortalDNIe/PRF1_Cons02.acti b9bf44d758564506c2d99e825/2017_digitaliseringsstrategin_f on?pag=REF_038&id_menu=1 aktablad_eng_webb-2.pdf 315 https://www.dnielectronico.es/PortalDNIe/PRF1_Cons02.acti on?pag=REF_500

83

the digital administration318”, on the effective 3. Making it easier for businesses to introduce and use governance of national digital services suggests digital identity solutions. additional measures to be undertaken to reboot public Two additional projects are very relevant to the further sector digitalisation. The report emphasises the development of eID in Sweden: importance of electronic identity. • The Nordic Mobility Action Programme 2019– The report recognizes that electronic identity, if 2021320 developed under the authority of the provided on a mobile means for example, can be easily Ministers for Nordic Co-operation. The programme, lost. The user, in order to recover it, must use another which includes a vast range of projects, has within eID means (for example BankID). In this regard, the its key enablers the implementation of cross-border report suggests to provide citizens with a unique eID electronic identification. document that can function as a back-up solution. • The Nordic-Baltic eID Project (NOBID) 2018-2020321 The report also points out that currently public which aims at speeding up the implementation of authorities present their online eServices through eIDAS in the Nordics and Baltics. different pages, making their management an “onerous” task for the user. The report suggests the creation of a What eID means are available? centralized governmental portal through which citizens In this context, five different eID means were established and businesses can access all online public services and and approved by the Swedish authority: gather any type of public information. • 322 Finally, the report states that the state must commit National eID card: it is issued by the Swedish Tax itself to guarantee citizens both physical and electronic Agency and contains e-identification, which is 323 services, which in turn means that it must guarantee that provided by AB Svenska Pass (a subsidiary of anyone who needs an electronic identity document can Thales Group) obtain it. • BankID,324 a personal and easy method of secure

In this regard, the most important challenges the state is electronic identification and signing on the Internet facing are319: which in turn takes the form of 3 different options:

1. Making it easier for the individual to obtain an o Mobile BankID: an app on the user’s electronic identity document without sacrificing smartphone or tablet security. o BankID on a card: a physical smartcard

2. Strengthened focus on the user; o BankID in a file: computer software

318 Government Official Investigations (2017), Reboot - Restart 321 https://www.norden.org/en/news/milestone-nordic- for the Digital Administration, available at baltic-e-id https://www.regeringen.se/48df42/contentassets/aa8c1ad04 322 https://polisen.se/tjanster-tillstand/pass-och-nationellt-id- ae24e0b890e79e76a0ae64b/reboot--omstart-for-den- kort/ digitala-forvaltningen-sou-2017114-.pdf 323 Terms and Conditions for AB Svenska Pass e-Identification, 319 Website – Digitaliseringsradet, available at available at https://digitaliseringsradet.se/sveriges-digitalisering/digital- https://www.skatteverket.se/download/18.515a6be615c637 trygghet/digital-identitet/ b9aa4133ae/1504087196775/1596_01_web.pdf 320 http://norden.diva-portal.org/smash/record.jsf? 324324 https://www.bankid.com/en/ pid=diva2%3A1290244&dswid=-9553

84

• Freja eID+,325 smartphone or tablet app that allows identification and e-signature for public sector e- users to identify themself when accessing online services. The Swedish eID infrastructure is characterized services by a federated approach where private and public

• Telia E-legitimation,326 used to store personal issuers of eID and relying parties are connected through information on the user’s computer or on an an identity federation provided by the DIGG. As noted by electronic identity card provided by Telia and to the agency, “the federation is open to all public and electronically sign documents online. private issuers of eID fulfilling the requirements set up in the soft law framework328”. The identity federation

assigns four different levels of trust which correspond to What plans are there for new or updated eID means? different degrees of technical and operational security of • Sweden has an open model for new eID means. the issuer. The federated approach opens up • There is a proposal for a new Swedish National competition between the different eID providers, identity card with a national eID (Report SOU speeding up the development of new solutions.

2019:14). Sweden has therefore implemented a public-private • Organisational eID is on the rise both domestically cooperation model whereby private suppliers, who fulfil and in a cross-border context. The use of certain requirements, are allowed to provide eID organisational eID is therefore part of the services. Some eID solutions are publicly procured committee directive for the ongoing report (I however, for example, the national eID card and 2020:01) aiming to increase and standardise the use European residency card.

of trust services in the public administration (due on To facilitate the use of these multiple different eID the 30th of December 2020). solutions, DIGG provides the “E-identification329” system Sweden Connect, which also functions as the eIDAS-

How is the national eID ecosystem set up? node Online services integrate this on their web pages allowing users to verify their identity online with their Sweden has always been one of the front-runners on eID of choice. eID. Prior to EU action on eID, the state was already looking to find a way to provide better services to citizens, to improve security and facilitate travel, and to What is the level of use of eID? offer citizens the best possible national eID cards. In terms of numbers, BankID is the most widespread eID DIGG327 - the Agency for Digital Government – plays an solution adopted by Swedish citizens, and was used by important role in the Swedish ecosystem. It is 84% percent of the population in 2019330. In 2019, more responsible for the promotion and coordination of e- than 4.1 billion use cases of BankID were recorded331.

325 https://frejaeid.com/en/home/ 329 DIGG (2018), How e-Identification Works, available at 326 https://cve.trust.telia.com/TeliaElegNG/ https://www.e-legitimation.se/inenglish/ 327https://www.digg.se/about-us howeidentificationworks.4.769a0b711614b669f2953f.html 328 Joinup (2014), Swedish eID, available at 330 https://svenskarnaochinternet.se/rapporter/ https://joinup.ec.europa.eu/collection/eidentity-and- svenskarna-och-internet-2019/the-swedes-and-the-internet- esignature/document/swedish-eid-swedish-eid 2019-summary/ 331https://www.bankid.com/assets/bankid/stats/2019/statisti k-2019-12.pdf

85

eGovernment is decentralized in Sweden and access to public services is provided through different sector- specific websites.

For the purposes of communication, the Agency for Digital Government provides individuals with comprehensive information on e-identification, e- signature and security and on how to obtain an eID means332,333.

Are actions planned to increase the security of identity cards (and eID means)?

There is a proposal for a new Swedish National identity card with a national eID (Report SOU 2019:14) aiming to increase the security of the identity cards. It should be noted that Swedish eID cards already contain biometric data. All eID means in Sweden that are approved by Digg fulfil the LOA standards according to eIDAS. The quality stamp “Svensk e-legitimation” is only granted to eID providers that have the capacity of dynamic security upgrades in order to eliminate new kinds of cyber security threats.

332 See https://www.digg.se/digital-identitet/e-legitimering 333 DIGG (2018), Final report of the government assignment "to promote increased and broader use of electronic identification in public sector digital services", available at https://www.elegnamnden.se/ download/18.14dfc9b0163796ee3e77736e/1532350395511/ Slutredvisn%20uppdrag.pdf

86

CONCLUSIONS

05

The multiple aspects related to eID which have been vision. analysed in this paper offer a thorough understanding of Among countries with eID strategies, the promotion of the eID state of play across Europe and of the adoption existing eID means and the extension of the services of national eID strategies. These insights could be used available via eID are often acknowledged as strategic to shape future EU actions on eID, taking into account objectives. Those countries which have not formalised the different levels of maturity and objectives of the 27 such objectives may fall behind in the race to extend the Member States. reach of these eID means. However, it has not been The study highlights that there are a substantial number possible to establish whether this is the case in this of countries without a specific eID strategy, some of report. which, have briefly mentioned eID within their wider Considering the legal framework, it is notable that the national digitalisation documents or dedicated a small adoption of mandatory eID means as the official means section to the topic in their strategic papers. to authenticate and identify citizens at national level, is Nevertheless, this has not prevented EU countries to not correlated with the existence of a formal eID develop and implement eID means. In many cases these strategy. Of the 10 countries which have eID cards as the eID means are provided both by public and by private official identification document, only one (Estonia) entities. approved its specific strategic document on eID, and this This indicates that many EU Member States have was after the roll-out of its eID card. foregone formalising national strategies and have Finally, looking at the portals that make online services instead directly adopted new eID means through an ad- available for citizens, the large majority of countries (21) hoc approach, recognizing the importance of providing have a single national eGovernment gateway which can secure and reliable digital identification means to their citizens above the need of publishing a national strategic

87

be logged into using eID334 (and not with other alternative means), providing direct access to national digital services. However, different access models to digital public services are also available, although to a lesser extent. Three countries have decentralised portals335, which only provide information about the available services, redirecting then the citizens to the specific webpage where the service is provided, and where the log in can be finally made (using eID). Finally, in three countries336 digital services are centralized on a single portal which however can be accessed with a simple registration (i.e. without an eID means). In this case it should be also remembered that two of the three countries (Bulgaria and Cyprus) have not yet developed any eID means and thus will probably move into one of the other categories once their eID means will become fully operational.

While different models of promoting eID have been identified in this report, as well as different levels of eID maturity, there is a common recognition that eID is a key enabler of user-centric digital public services. By providing an overview of these different models, this report has aimed to contribute to the discussion over how best to promote access to eID solutions across the EU.

334 Austria, Belgium, Croatia, Czech Republic, Denmark, 335 France, Germany, Italy Estonia, Finland, Greece, Hungary, Ireland, Latvia, Lithuania, 336 Bulgaria, Cyprus, Romania Luxembourg, Malta, Netherlands, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden

88

ANNEX: OVERVIEW TABLE

The following table provides for every country a summary of the most relevant means, Portals, Service provider, Formal commitment taken to comply with information gathered during the desk research (described in detail in the previous Regulation (EU) 2019/1157. chapter), namely: Strategy name, eID strategy formalization, Legal framework, eID

Formal commitment to comply with the security eID strategy Digital services on Country Strategy name Legal framework eID means Service provider requirements from formalization online Portal Regulation (EU) 2019/1157 Austria • Digital Roadmap Section of clear and eID means exists • Citizen card • Accessible through State as identity Not explicitly confirmed Austria well-defined eID but is not (“Bürgerkarte“) eID only provider • eGovernment vision strategy within a mandatory • Health Insurance 2020 wider national Card (EHIC) • Aus Verantwortung für digitalisation strategy • Profession card Österreich. Regierungsprogramm 2020–2024 Belgium • Digital Belgium Partial reference to eID (eID Card) is • Belgian Citizen • Accessible through Mix between the two Explicitly confirmed eID within the mandatory eCard and Foreigner eID listed id means options national digitalisation (associated to eCard depending of the • State as identity strategy mandatory • ITSME Mobile App required LoA provider for eID national ID) • Kids-eID Card cards, and • TOTP + username / TOTP/Token/SMS pswd OTP/email OTP + • Token + username / username/pwd pswd + username / • State as identity pswd broker for ITSME

89

Formal commitment to comply with the security eID strategy Digital services on Country Strategy name Legal framework eID means Service provider requirements from formalization online Portal Regulation (EU) 2019/1157 • Sms-otp + username / pswd • Email-otp + username / pswd Bulgaria • Governance Partial reference to No eID means N.A. • Accessible with Not applicable Programme of eID within the currently different means Bulgarian Government national digitalisation available from eID means for the period 2017 – strategy 2021 Croatia • Croatian Government Section of clear and eID means exists • Personal Identity • Accessible through Mix between the two Explicitly confirmed Program 2016-2020 well-defined eID and is mandatory Card (eOI) eID only options • e-Croatia 2020 strategy strategy within a for new national • mToken • State as identity wider national IDs • ePass provider for digitalisation strategy • AAI@EduHr Personal Identity Other forms of eID Card (eOI), included in the NIAS are mToken, ePass, Croatian Post, Croatian AAI@EduHr telecom inc., banks • State as identity whom provides their broker for bank customers with eID eID means (so far 9 of them) and 2 state-owned agencies FINA and AKD that are market-oriented and represented on the free market with their eID products. Altogether, there are 21 eID means in NIAS.

90

Formal commitment to comply with the security eID strategy Digital services on Country Strategy name Legal framework eID means Service provider requirements from formalization online Portal Regulation (EU) 2019/1157 Cyprus • Digital strategy for Section of clear and No eID means N.A. • Accessible with Not applicable Cyprus well-defined eID currently different means strategy within a available from eID means wider national digitalisation strategy Czech Republic • Strategic Framework of Partial reference to eID means exists • National • Accessible through Mix between the two Explicitly confirmed the Development of eID within the and is mandatory Identification eID only options Public Administration in national digitalisation for new national Scheme of the Czech State as identity the Czech Republic for strategy IDs Republic (National provider 2014-2020 eID card) – it State as identity broker • Digital Czech Republic includes several eID for eID means issued means provided by by private companies. the state and private companies Denmark • Digital Strategy 2016- Clear and well- eID means exists • NemID • Accessible through State as identity broker Not applicable 2020 defined eID strategy but is not • NemLog-in3 eID only mandatory

Estonia • Digital Agenda 2020 for Section of clear and eID means is • ID card • Accessible through Mix between the two Explicitly confirmed Estonia well-defined eID mandatory for • Residents permit eID only options • Internal Security strategy within a citizens card • State as identity Development Plan wider national (associated to • e-Resident’s digital provider for ID 2020-2030 digitalisation strategy mandatory ID card, Residents national ID) • Digital ID permit card, e- • Mobile-ID Resident’s digital Residents permit • Diplomatic Identity ID, Digital ID, card (RP card): is Card Mobile-ID, an obligatory • Smart ID – private Diplomatic identity sector Identity Card document with • State as identity digital broker for Smart functionalities for ID 91

Formal commitment to comply with the security eID strategy Digital services on Country Strategy name Legal framework eID means Service provider requirements from formalization online Portal Regulation (EU) 2019/1157 domestics use for foreigners who are not citizens of EU member states and who are in Estonia on the basis of a residence permit or right of residence. Finland • Action Plan 2008–2011 Section of clear and eID means exists • Bank ID • Accessible through • State as identity Not explicitly confirmed • National architecture well-defined eID but is not • Mobile ID eID only broker for public for digital service strategy within a mandatory • Citizen certificate online services wider national • Organisation • as identity digitalisation strategy Legal framework certificate provider for FIN for national eID certificate notification and cards supervision of eID Private means and • eID means brokering services • brokering providers State as regulatory and supervisory body for nationally notified eID services France • Stratégie Internationale Section of clear and eID means exists • AMELI • Accessible with Mix between the two Explicitly confirmed de la France pour well-defined eID but is not • Imposts.gouve.fr eID only after options l’Identité Numérique strategy within a mandatory • La Poste Digital redirecting the • State as identity • Accelerating the Digital wider national Identity user to other provider for Trasformation of the digitalisation strategy • Mobile Connect portals AMELI, Public Service • Alicem Imposts.gouve.fr and Alicem • State as identity broker for La Poste 92

Formal commitment to comply with the security eID strategy Digital services on Country Strategy name Legal framework eID means Service provider requirements from formalization online Portal Regulation (EU) 2019/1157 Digital Identity and Mobile Connect

Germany • Digital strategy 2025 Section of clear and eID means exists • National eID Card • Accessible with Mix between the two No explicitly confirmed • Blockchain Strategy of well-defined eID but is not • PostID eID only after options the Federal strategy within a mandatory • Identity Giro redirecting the • State as identity Government wider national • YES user to other provider for digitalisation strategy • Verimi portals National eID card • State as identity broker for PostID, Identity Giro, YES and Verimi Greece • National Digital Policy Partial reference to eID means exists • ERMIS eID Cards • Accessible through State as identity Explicitly confirmed eID within the but is not eID only provider national digitalisation mandatory strategy Hungary • Hungarian National Partial reference to eID means exists • eSzemelyi (National • Accessible through State as identity No explicitly confirmed Infocommunications eID within the but is not eID Card) eID only provider Strategy 2014-2020 national digitalisation mandatory strategy Ireland • eGovernment strategy Section of clear and eID means exists • MyGovID • Accessible through State as identity Not applicable 2017-2020 well-defined eID but is not • MyAccount eID only provider • Doing More with Digital strategy within a mandatory – National Digital wider national Strategy for Ireland digitalisation strategy Italy • 2025 Strategy for Section of clear and eID means exists • SPID – Public System • Accessible with Mix between the two Explicitly confirmed Technological well-defined eID but is not of Digital Identity eID only after options Innovation and strategy within a mandatory • Italian eID based on redirecting the • State as identity Digitalisation of the wider national National ID Card user to other provider for CIE Country digitalisation strategy (CIE) portals and CNS • National service • State as identity Card (CNS) broker for SPID

93

Formal commitment to comply with the security eID strategy Digital services on Country Strategy name Legal framework eID means Service provider requirements from formalization online Portal Regulation (EU) 2019/1157 Latvia • Information Society Partial reference to eID means is • eID Karte • Accessible through State as identity No explicitly confirmed Development eID within the mandatory • eParaksts Karte+ eID only provider Guidelines 2014–2020 national digitalisation (associated to • eParaksts Mobile strategy mandatory • Smart ID • Digital Transformation national ID) Guidelines for 2021- 2027 Lithuania • Digital Agenda of the Partial reference to eID means exists • Lithuanian National • Accessible through Mix between the two Explicitly confirmed Republic of Lithuania eID within the but is not Identity Card (eID / eID only options 2014-2020 Information national digitalisation mandatory ATK) • State as identity Society Development strategy • Mobile ID provider for Program • Smart ID National Identity Card (eID/ATK) • State as identity broker for Mobile ID and Smart ID Luxembourg • The Data-Driven Partial reference to eID means is • LuxTrust • Accessible through Mix between the two Explicitly confirmed Innovation Strategy for eID within the mandatory • Luxembourg eID only options the Development of a national digitalisation (associated to National Identity • State as identity Trusted and Sustainable strategy mandatory Card (eID Card) provider for eID Economy in national ID) Card Luxembourg • State as identity broker for LuxTrust Malta • Digital Malta Section of clear and eID means exists • National eID • Accessible through State as identity No explicitly confirmed • Mapping Tomorrow: A well-defined eID and is mandatory eID only provider Strategic Plan for the strategy within a for new national Digital Transformation wider national IDs of the Public digitalisation strategy Administration

94

Formal commitment to comply with the security eID strategy Digital services on Country Strategy name Legal framework eID means Service provider requirements from formalization online Portal Regulation (EU) 2019/1157 Netherlands • Netherland’s Agenda Section of clear and eID means exists • DigiD • Accessible through Mix between the two No explicitly confirmed for Digital Government well-defined eID but is not • eHerkenning eID only options (under the strategy within a mandatory Digital Government wider national ACTdigital access to digitalisation strategy public services is allowed also through digital identity solutions developed by private companies or in a public private partnership) Poland • Paperless and Cashless Section of clear and eID means exists • Trusted Profile • Accessible through Mix between the two No explicitly confirmed Poland well-defined eID and is mandatory • National eID Card eID only options • Strategy for strategy within a for new national • Bank Polski Identity • State as identity Responsible wider national IDs • Inteligo provider for Development digitalisation strategy • mIdentity Trusted Profile, National eID Card and mIdentity • State as identity broker for Bank Polski Identity and Inteligo Portugal • Estrategia TIC 2020 Section of clear and eID means is • Cartão de Cidadão • Accessible through State as identity No explicitly confirmed well-defined eID mandatory • Sistema de eID only provider strategy within a (associated to Certificação de wider national mandatory Atributos digitalisation strategy national ID) Profissionais • Chave Móvel Digital Romania • National Strategy on Section of clear and eID means exists • National Health • Accessible with State as identity Explicitly confirmed Digital Agenda for well-defined eID but is not Insurance Card different means provider Romania" (2014-2020) strategy within a mandatory from eID means wider national digitalisation strategy

95

Formal commitment to comply with the security eID strategy Digital services on Country Strategy name Legal framework eID means Service provider requirements from formalization online Portal Regulation (EU) 2019/1157 Slovakia • Strategy of the Digital Section of clear and eID means exists • Slovak Citizens • Accessible through State as identity Explicitly confirmed Transformation of well-defined eID and is mandatory eCard eID only provider Slovakia 20230 strategy within a for new national • Foreigner eCard • Strategic Document for wider national IDs Digital Growth and digitalisation strategy Next Generation Access Infrastructure (2014- 2020) Slovenia • Digital Slovenia 2020 Partial reference to eID means exists • SI-PASS • Accessible through Mix between the two Explicitly confirmed "Development strategy eID within the but is not • Mobile Identity eID only options for the information national digitalisation mandatory smsPASS • State as identity society 2020" strategy • Qualified Digital provider for SI- Certificates PASS and smsPASS • State as identity broker for Qualified Digital Certificate Spain • Digital Transformation Partial reference to eID means is • Documento • Accessible through Mix between the two No explicitly confirmed Plan for the General eID within the mandatory Nacional de eID only options Administration and its national digitalisation (associated to Identidad • State as identity Public Agencies (ICT strategy mandatory Electrónico (DNIe) provider for Strategy) 2015-2020 national ID) • Cl@ve Documento • Plan Avanza • Electronic Nacional de • Agenda Digital 2025 Certificates Identidad Electronico (DNIe) and Cl@ave • State as identity broker for Electronic Certificates

96

Formal commitment to comply with the security eID strategy Digital services on Country Strategy name Legal framework eID means Service provider requirements from formalization online Portal Regulation (EU) 2019/1157 Sweden • For a sustainable Section of clear and eID means exists • BankID • Accessible through Mix between the two No explicitly confirmed digitized Sweden - a well-defined eID but is not • Freja eID+ eID only options337 digitalisation strategy strategy within a mandatory • Telia E-Legitimation • State as identity • Reboot – Restart for wider national • National eID Card provider for the Digital digitalisation strategy • Residence Card National eID Card Administration (European and Residence • Proposal for a new Residence Permit) Card Swedish National (publicly procured) • State as identity identity card with a broker for BankID, national eID (Report Freja eID+ and E- SOU 2019:14) Legitimation

337 In Sweden some private eID issuers do not even ask the state for brokering information. 97

European Commission

Overview of Member States’ eID strategies

2020 – 98 pages