Beltug

eIDAS - what is 'qualified' in eArchiving and eSignatures? Takeaways from the N-sight of 24 Jan 2019


Date: 24/01/2019


In a digitised world, where communication and transactions move ever-faster, trust provides a solid foundation that enables us to interact with each other at the speed of light.

 

During this session, we threw a spotlight on two trust topics that are increasingly present in our private and corporate lives: eArchiving and digital signatures. We heard from the experts on the current state of affairs, starting with an introduction to the Belgian context. Then we zoomed in on the upcoming qualification criteria for eArchiving services, before hearing from market players Doccle and itsme® about how they each take their services a step further.

 

The presentations from the event are available for Beltug members (after log-in):

 

 

Digital signature and eArchiving – the Belgian context

 

Claude Rapoport, president of the Beltug board and former CEO of Portima, started by explaining that digital signatures come in many forms. However, he identified some main, common elements:

 

  • controls are key, to address the risk of large-scale fraud due to hacking
  • there is one master digital copy of a signed document
  • trust is required, so any change must be detectable.

 

He also touched on the eIDAS regulation, which makes sure that trust services are binding throughout the EU, and the Digital Act, which transposes eIDAS in Belgian law (see slide 3).

 

We can distinguish different types of digital signatures, ranging from slightly to highly trustworthy. Each has different business processes (see slides 4-8).

 

Zooming in on eIDAS, Claude explained the technical concept behind the regulation: the signing process works with a hash value, unique to that PDF and changing when the PDF changes. The verification process verifies the authenticity of the PDF by comparing the hash to a public key that it must match.
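The hash-then-sign flow described above, as an added example that is not from the presentation: the signer transforms the document's SHA-256 hash with a private key, and the verifier recovers that hash with the matching public key and compares it with a hash freshly computed over the received document. The toy RSA key (two known Mersenne primes, no padding) and the sample document bytes are constructed assumptions for illustration only.

```python
import hashlib

# Constructed toy key built from two well-known Mersenne primes.
# Trivially factorable and unpadded: for illustration only. Real
# signatures use a vetted library, proper padding and a certified key.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537                    # public key: modulus and exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)


def digest(document: bytes) -> int:
    """SHA-256 of the document as an integer; any byte change alters it."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes) -> int:
    """Signer: hash the document, then transform the hash with the private key."""
    return pow(digest(document), D, N)


def verify(document: bytes, signature: int) -> bool:
    """Verifier: recover the signed hash with the public key and compare it
    with a hash recomputed over the document that was actually received."""
    return pow(signature, E, N) == digest(document)


# Constructed sample inputs: one signed document and a one-character forgery.
original = b"%PDF-1.7 constructed sample contract: pay EUR 100"
tampered = b"%PDF-1.7 constructed sample contract: pay EUR 900"
sig = sign(original)

if __name__ == "__main__":
    print("original verifies:", verify(original, sig))
    print("tampered verifies:", verify(tampered, sig))
```
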

 

Next, we moved on to the eIDAS definition of the concept 'qualified':

 

  • ‘a qualified trust service provider’ = a trust service provider who provides one or more qualified trust services and is granted the ‘qualified’ status by the supervisory body
  • ‘a qualified certificate for electronic signature’ = a certificate for electronic signatures that is issued by a qualified trust service provider and meets the requirements laid down in Annex I of the eIDAS.

 

'Qualified' is an important concept - it has a well-defined impact and implies that a trust service provider is prepared to be audited by an accredited auditor. eIDAS clearly stipulates that any electronic signature, whether qualified or not, has legal standing.

 

Claude concluded with a look at another topic in the eIDAS regulation: eArchives. There are, again, various types (see slide 16), some of which are more trustworthy and stable than others.

 

A key note: the Belgian law doesn't acknowledge 'non-qualified' archiving (as it does for electronic signatures) - so only qualified archiving services are valid services.

 

Qualification of electronic archives - the current state of play

 

Marc Wouters, Advisor at FPS Economy, then highlighted the current status of eArchives in Belgium. The purpose of an eArchive is essentially the same as that of a paper archive: preserving documents to be able to consult them later (slide 6).

 

With a non-qualified e-Archive (which can still be very valuable) the 'burden of proof' for conformity is with the archiving company.  Conversely, with a qualified eArchive, there is a 'presumption of conformity'.

 

In the qualification process for a trust service provider, we can distinguish 4 parties (slide 8):

 

  • Trust service provider
  • Conformity assessment body
  • National accreditation body
  • eIDAS supervision body

 

The conformity assessment of the service provider needs to be repeated every 2 years.

 

When we move from theory to practice, we see that while the legislative frame has been created in Belgium, there is neither an accredited conformity assessment body nor an accepted accreditation scheme. Foreign assessment bodies are not yet interested in coming to the Belgian market.

 

The norms published by the European Commission (based on the EU law) include a 'presumption of conformity'. There is no legal obligation to comply with these norms - yet complying with them carries that presumption.

 

Marc sees 5 reasons to start implementing an eArchive today:

 

  • It is permitted by law - The legal framework has been established
  • Digital transformation is not waiting - Where do you keep digitally-born documents?
  • Effective implementation requires expertise - Learn from practical implementation
  • eArchive qualification is still in progress - A long journey to qualified e-Archive
  • Balance - Balancing costs, risks and benefits …

 

When starting the exercise, companies may well conclude that not all documents need to go into a qualified eArchive.  For some, a non-qualified solution can be an acceptable answer. However, the implementation requires expertise, so use the building blocks, norms and tools available (see slides 13-15).

 

itsme® Sign, the cherry on the cake

 

After the break, Remy Knecht, COO at Belgian Mobile ID - itsme®, gave an insight into the itsme® platform. itsme®, a reference tool for digital identification and authentication in Belgium, has a clear ID scheme and ecosystem, according to the context and user role. For example: the trusted identity delivered by ID registrars (for banks and for the eID card), but also the hardware security element of SIM cards for telecom operators.

 

Companies partnering with itsme® are more and more diverse (see slide 4): public sector and banking, but also real estate, insurance companies, retail, utilities, HR, etc.

 

Sharing your ID is a highly valuable use case, Remy explained:

 

  • No more forms to complete
  • Easy onboarding of clients
  • Accurate data
  • Verified ID
  • Replaces the KYC (Know your Customer) process
  • Transparent

 

(See slides 7 and 8).

 

Soon, itsme® will also offer the possibility to sign contracts and official documents (see slide 14).

 

eBox/Doccle integration - the start of a digital tsunami

 

Topping off the afternoon, Bram Lerouge, CEO at Doccle, talked about the integration of the Doccle platform with the government's eBox (and itsme®).  Doccle sees many use cases in its application - and even more with the integration of eID signing and itsme® (launch in February).

 

Providers using Doccle see a significant drop in late payments: an interesting element in a company's relationship with its customers.

 

The eBox online platform for citizens to consult their official documents has been around for a few years, but didn’t fundamentally shift citizens' behaviour.  But in 2018, a few market evolutions opened up new opportunities to renew the eBox approach (see slide 19).  The new eBox is an online channel that allows every citizen to receive documents from various government organisations.  Multiple public organisations are already using eBox, and the number will increase with the Doccle integration.

 

For citizens, the added value is extensive (see slide 23). The rollout is foreseen before the new elections in May.

 

 

 

 


 

 

 

 



 
