Has Brussels made a legislative breakthrough in the war on cybercrime?

The EU’s new digital identity framework, EIDAS 2.0, could spur similar regulatory initiatives elsewhere. While the UK is likely to take a different path, excessive divergence would not be ideal.

Brussels has moved to strengthen its legislative clampdown on cybercrime in recent months by means of the revamped electronic identification, authentication and trust services regulation (EIDAS 2.0). This measure is designed to grant at least 80% of EU citizens a digital ID wallet by 2030. 

The legislation should pass the trilogue discussions among the European Commission, Parliament and Council in the next couple of months, after which a transitional period will be in place for member states to set up their own processes for approving digital wallets. So says Andrew Bud, founder and CEO of iProov, a specialist in biometric authentication and ID verification.

“In terms of implementation, we are approaching the end of the beginning,” he reports.

Significant wrinkles still need to be ironed out. For starters, some existing (and successful) national schemes – Italy’s Sistema Pubblico di Identità Digitale, for instance, which has almost 35 million active users – fall short of the highest level of verification assurance required by the new regulation.

“None of those users would be considered adequately onboarded, so they’d need to go through that process all over again to qualify for EIDAS 2.0 identities,” Bud says.

While the EU is working to limit such disruption, the task of developing the technical standards required to meet the highest levels of assurance is far from straightforward.

“The underlying standards – W3C verifiable credentials – are evolving, so it’s tricky to build upon a moving foundation,” Bud explains.

This all means that numerous unanswered questions remain about how the EIDAS 2.0 framework will work in practice.

Neil Slater is regional director, UK and Ireland, at Veridas, a Spanish firm specialising in biometric ID systems. He believes that there is “a significant challenge as to what the commercial model is going to look like and who’s going to be responsible for the data. There are still many things that need to be resolved. How will the people who provide that digital identity be compensated, for instance?”

Despite such uncertainty, most market watchers believe that EIDAS 2.0 will turn out to be a game-changer for digital ID schemes more broadly.

“This will disrupt the way digital identity is done worldwide,” Bud predicts. “The European digital identity wallet will be the first large international scheme to be based on verifiable credential technology. Until now, verifiable credentials have been a far-off aspiration for technologists. Adoption by the EU changes everything. It will lead to the adoption of this technology elsewhere.”

To what extent will the UK’s approach diverge from the EU’s?

Westminster is taking a different tack from Brussels by seeking to introduce a framework that gives private sector providers more leeway in how they develop solutions, as long as these meet certain criteria. That’s the view of Will Richmond-Coggan, a partner specialising in data privacy at law firm Freeths.

“It will be interesting to see whether the European approach – a top-down diktat about exactly what the verification technology needs to comprise – will be more successful than the more flexible approach we’re likely to see from the UK,” he says.

Richmond-Coggan adds that, as more countries develop digital ID programmes of their own, the need for a more harmonised set of global standards will become increasingly important.

“What drives EIDAS 2.0 is the recognition that digital identity verification is meaningless if it’s not transnational, given that so much commerce is cross-border in nature,” he says. “If you’re validating someone’s identity, you need that to be consistently recognised wherever you are in the world.”

Could big tech monopolise digital ID?

As the development of digital ID schemes gathers momentum globally, some analysts have voiced concerns that a significant proportion of this work could slip into the hands of big tech. The fear is that such an outcome could restrict innovation.

“Control of digital identity data is extremely commercially valuable to platform operators whose revenues depend on advertising or the monetisation of access to their platform users,” Bud explains. “The bigger players, which can more easily add identity data to their suite of revenue-generating services, will create barriers to those seeking to develop competitive alternatives.”

To reduce that risk, the EU has been enacting policies designed to ensure that innovation and competition continue unimpeded. For instance, the Digital Markets Act 2022 protects third-party identity service providers from being blocked or facing additional charges from big tech when accessing devices to verify users. 

The recent advances in generative AI may also focus minds on the need for wider digital ID adoption to reduce the risk of online fraud, Bud notes.

“The ability to create highly sophisticated fake images and voices – and, indeed, conversations – has become available to almost everyone,” he says. “We will soon be unable to tell the difference between a fake image and a human being.”

This means that ID verification tech will need to incorporate so-called liveness detection systems. These are designed to ensure there is a real person involved and not computer-generated imagery.

Educating the public on the benefits of digital ID

Past ID initiatives have generally elicited either resistance or apathy from British consumers. With this in mind, a public education programme may soon be appropriate, according to Slater.

“We need to start really educating people on the benefits of having a digital identity and explaining that this is not one step closer to Big Brother having total control over our lives,” he says. “The brutal reality that people must understand is that it’s not if their identity is going to be compromised; it’s when – and that a digital ID can add a significant layer of security over what happens next.”

Bud believes that the prospects for digital ID are brighter in the UK than they have been at any time in the past decade, but he notes that challenges remain. The lack of a clear approach from policy-makers is a risk, he says, and the government has yet to map out how AI, privacy and cybersecurity regulation will work together.

“Lots of important plates are spinning just now,” Bud says. “It’s crucial that not one of them breaks.”