Skip to main content

What is the eIDAS Regulation?

Contents

At a glance

  • The UK eIDAS Regulation (UK eIDAS) sets out rules for UK trust services and establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.
  • Trust services increase confidence in the use of electronic transactions through mechanisms such as verifying the identity of individuals and businesses and verifying the authenticity of electronic data e.g. documents.
  • UK eIDAS is an amended form of the EU eIDAS Regulation and retains many aspects of the EU eIDAS Regulation but is tailored for use within the UK.
  • Although UK eIDAS allows the legal effect of EU eIDAS qualified trust services to continue to be recognised and used in the UK, no reciprocal agreement currently exists. This means UK eIDAS qualified trust services are not automatically recognised and accepted as equivalent to qualified trust services in the EU.
  • UK eIDAS contains no provisions relating to electronic identification schemes and excludes chapter II of the EU eIDAS Regulation.
  • The ICO is the supervisory body for UK trust service providers. We can carry out audits, grant qualified status, and take enforcement action.

In brief

What does ‘eIDAS’ mean?

‘eIDAS’ is shorthand for ‘electronic identification, authentication, and trust services’. It refers to a range of services that include verifying the identity of individuals and businesses and verifying the authenticity of electronic documents.

Read the key definitions section of this guide for more detail on specific types of trust services.

What are the UK eIDAS Regulations?

The UK eIDAS Regulation is Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (UK eIDAS). Following the UK withdrawal from the EU the eIDAS Regulation was adopted into UK law and amended by The Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019). In addition, the existing UK trust services legislation, The Electronic Identification and Trust Services for Electronic Transactions Regulation 2016 (2016 No.696) was also amended. Taken together, these regulations are referred to in this guidance as the UK eIDAS Regulations.

If you offer trust services in the EU (rather than the UK), you will need to comply with the EU eIDAS Regulation, including operating under the supervision of a supervisory body from an EU member state.

Although the UK eIDAS supervisory body has no EU eIDAS regulatory obligations it continues to work closely with other EU supervisory authorities.

For background information on the EU eIDAS Regulation and relevant binding implementing decisions adopted by the European Commission, visit the Commission webpages on trust services and eID.

Further expert advice and recommendations on the implementation of the EU eIDAS Regulation, trust service providers and trust services can be found on the European Union Agency for Network and Information Security (ENISA) web site. Although these materials refer to the EU eIDAS Regulation, they are a useful resource for understanding the requirements of UK eIDAS.

What does it cover?

Chapter III of UK eIDAS sets out requirements for trust services. It also sets out what trust service providers need to do if they wish to gain qualified status, which entitles them to be listed on the UK trusted list as a qualified trust service provider.

This guide focuses on the trust service provisions in Chapter III of UK eIDAS.

What is the ICO’s role?

The ICO has responsibility for supervision of the trust service provisions of UK eIDAS. The ICO can grant and revoke qualified status for trust service providers established in the UK, approve or reject qualified trust services, report on security breaches, carry out audits and take enforcement action.