The European eIDAS regulation took effect on Sept. 29, 2018. It is now possible for Europeans to use the digital services of European, public organizations with their own national login medium. We speak with Freek van Krevel, senior policy officer at the Directorate for Information Society and Government (DIO) and Egbert Verweij, systems specialist, Systems Knowledge and Innovation Department at the Rijksdienst voor Identiteitsgegevens (RvIG) about this step in the integration of European, digital services.
Van Krevel: "The regulation eIDAS stands for 'electronic IDentification, Authentication and trust Services'. Very simply put: it regulates that within Europe it is possible to check that someone is indeed who he says he is. The eIDAS regulation ensures that a citizen or company can use their European-recognized credentials across borders. This was still lacking in the single, European market. With this, the European Union (EU) wants to regulate that it becomes easier and safer to do business with companies or governments online within Europe.'
'For now, the regulation focuses on an obligation for government organizations, but part of the EU's vision is that in the future it should also be possible to use this in the private domain. In the Netherlands we use DigiD for government services, in private companies this is still limited. So there is potential here when it comes to using an electronic identity. You see that the EU is working to involve sectors such as SMEs, aviation and transport in eIDAS. Ultimately to "entice" them to use it as well. And rightly so. You see, for example, that a bank has the same question as the government: is the person I am doing business with indeed the person they say they are? It is not always possible to directly speak to someone in person and verify. If this can be replaced by an electronic process that is reliable and secure, it could save a lot of time and expense.
Verweij: 'If, for example, a German has worked in the Netherlands and is entitled to a tax refund, as of September 29 he has the right to file that application online with his 'German' means with the Dutch Tax Office. Soon it will also be possible the other way around: Dutch pensionados in Spain will soon be able to log in with their DigiD at Spanish government organizations.'
Van Krevel: "We have been mainly concerned with mutual recognition of electronic identification as it is officially called. We focused on enabling the acceptance of incoming foreign login means. From now on we will start working on the registration of Dutch means. There are some requirements that a national means has to meet, but if it meets these then the EU will accept the means for logging in across the border.'
Verweij: "Under the eIDAS regulation, the linking must take place on a small set of data (name and date of birth). In the Netherlands, everything revolves around the citizen service number (BSN). A Dutch service provider needs the BSN to provide a service to that German. The small set of data is then not enough. That is why RvIG provides the central facility to be able to link to the BSN. It makes sense to do this BSN linking centrally rather than with each service provider individually. RvIG has decided to unburden the service providers and take on this central process. We built the BRPk for this purpose.'
Van Krevel: "In this, the Netherlands is quite unique at the moment. No other country currently has a facility like the Netherlands has. There is therefore interest from other countries in how the Netherlands does this. We recently gave a presentation to a Slovenian delegation. There is also interest from a number of Scandinavian countries.'
Verweij: "With the BRPk, we are able to provide reliable personal data to service providers. This saves organizations the effort of building their own system and it increases the chances of finding the correct BSN. RvIG uses an advanced search functionality for this purpose, so that the BSN belonging to the holder is found with a high degree of certainty. But it may happen that the BRPk links the data of a citizen with an EU resource to a BSN of another person with the same date of birth and a very similar gender name. If things go wrong for whatever reason, such as a mismatch, then the BRPk provides the option to unlink.
Van Krevel: 'By using the BRPk, service providers do not have to build their own facility to search for a BSN. This allows service providers to more efficiently carry out their services in accordance with the eIDAS regulation and safeguards citizens' privacy.
'RvIG had an important role to play here: after all, in the Netherlands the processing of a BSN is quickly involved. RvIG has steered this process in such a way that mainly the standards we are already used to were used. In addition, RvIG believes that you have to be careful when distributing a BSN. And if a BSN is passed on, it must be done securely and reliably.
Van Krevel: "We first started small. In the so-called 'Dialogue Table' we consult with a number of (large) service providers, for example UWV, Sociale Verzekeringsbank (SVB), RVO and RDW. By now, most service providers are represented in our consultations. Many organizations saw the importance of getting this right. It is ultimately about more than just arranging something digitally. As the Netherlands, we are an open economy and strive for a good business climate, for example. This made it very pleasant to work together.'
Van Krevel: "eIDAS is the fuse and the firecracker is yet to come with another European regulation: the Single Digital Gateway. The Single Digital Gateway must become the online gateway for citizens and companies. In the Netherlands, we have that well organized with the Basic Registration of Persons (BRP). The implementation of the Single Digital Gateway has yet to take shape.'
This article can also be found in the Digital Transformation and Information Security files
Source: National Office of Identity Data
