https://identityassurance.blog.gov.uk/2015/11/20/the-eu-approach-to-identity-assurance-an-update/

The EU approach to identity assurance: an update

European Member States want people to be able to identify themselves online for digital services in other countries. This post is for anyone interested in keeping up-to-date with developments in this area.

At the start of November the European Union agreed the last stages of new laws to make online public services more efficient and more secure across the EU. These are the final pieces of a legislative process we first blogged about last November.

We want to share with you what these rules mean, and how they’ve been shaped to fit with the approach we’re using to develop GOV.UK Verify. To do that, we’re going to publish some posts on different aspects of these rules.

How EU countries’ identity assurance systems will work with each other

European Member States want to improve the EU’s digital economy and make online cross-border interactions for citizens and businesses seamless, reliable and secure. To help this, Member States have agreed to set up a system that will allow people to use a digital identity verified in one country to access public services in other countries.

A user will be able to choose to verify their identity with one country’s system, in order to use a digital service from another country. For example, it will be possible to use your GOV.UK Verify account to prove your identity to the Danish tax authorities, making it easier to file your tax return if you live or work there.

When a user wants to access a service in a different country to the one that has verified their identity, those two countries’ identity assurance services will need to be able to trust and talk to each other securely. The EU has passed a Regulation that sets out the rules of how this will work, and recently the standards and supporting details have been agreed.

Most Member States will build a ‘node’: a central point that will be used to send requests for digital identities from government services into and out of other Member States as outlined in this Implementing Regulation on interoperability. Some countries, such as Germany, will do things slightly differently but with the same outcome for the user, as explained in this eIDAS discussion paper.

EU eID process cross border

This network of ‘nodes’, and the standards upon which they are built, enables digital identity information to be transferred safely, securely and speedily across borders. This builds on previous European large-scale pilots such as STORK, which we’ve blogged about before.

What this means for GOV.UK Verify

The plan is for citizens to use their trusted national digital identity scheme to sign-in to any relevant EU Member State service. So long as the digital identity scheme used by a Member State meets the assurance levels set down in the Regulation, the scheme can be used to transfer identities across the system to a service. This means the UK can continue using GOV.UK Verify, while other countries can use their national ID card schemes. These different approaches can work together to make it possible for users to access digital services across borders.

This federated approach avoids a central EU database, and means GOV.UK Verify users can access services in other EU countries in a way that complies with our identity assurance principles. Users will remain in control of their identity data, and only minimal data will be passed to the service they want to use (as is the case when using GOV.UK Verify to access services in the UK).

Users will not have to prove their identity multiple times using different national systems, and they won’t need to provide identity evidence to anyone other than their chosen national scheme. This international approach mirrors that taken by GOV.UK Verify where we separate the functions of those providing digital identities (our certified companies), and those providing a digital service.

No body, organisation or service has more information than the minimum needed to perform their function, and there is no central storage of information.

What’s next?

Now that the relevant standards and legislation have been agreed, we are looking at how to implement them in the UK (and the EU are blogging about next steps). Over the next year we will begin to build GOV.UK Verify’s connection to the system. We’ll also start to become involved in the analysis of other Member States’ national identity schemes through a process known as peer-review - more on this soon.

For the latest news on GOV.UK Verify and the EU approach to identity assurance subscribe to the blog.

3 comments

  1. Comment by Josh Tumath posted on

    This is really good. A decentralised approach is always best.

  2. Comment by MarkK posted on

    This would suggest that both Verify and the services using it are expected to be determined to provide/require at least 'Substantial' assurance, and also that the UK is intending to notify. Can you confirm this interpretation of both of these significant steps?

    • Replies to MarkK>

      Comment by Luke Reynolds posted on

      The eIDAS Regulation is about the cross-border mutual recognition of identity systems. It recognises three levels of assurance - low, substantial and high.

      From 2018 any digital public service in Europe will have to be able to recognise digital identities from the notified identity systems of other Member States. This will only be mandatory if the level of assurance from the other Member State's identity scheme is at least equivalent to that required by the service domestically. Mandatory recognition only applies at levels substantial and high. The Regulation does not set any rules for the level that must be used in any Member State.

      The UK are considering whether to notify GOV.UK Verify and we will publish further blogs on this.