eIDAS Regulation Compliance

Thales can help your organization comply with the European Union’s eIDAS regulation.

eIDAS regulation summary

The Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (referred to as eIDAS, for electronic IDentification, Authentication and trust Services) was published by the European Union as Regulation (EU) No 910/2014 on August 28, 2014. Most of its provisions took effect on July 1, 2016, and it repealed the earlier eSignatures Directive.

Because it is a regulation rather than a directive (as its predecessor, the eSignatures Directive, was), eIDAS applies directly as European Union law in every Member State and leaves little room for divergent national interpretation. It was developed to let businesses, public services and citizens conduct electronic transactions online safely, giving both the signatory and the recipient greater convenience and security. The main goals of the regulation are:

  • Enabling secure electronic transactions
  • Supporting the mutual recognition of electronic identities
  • Fostering digital trust among EU member states

eIDAS 2

The eIDAS regulation has set the standard for electronic identification and trust services across the EU. Since it came into effect, technology has continued to advance rapidly as businesses and governments digitally transform their services, so the original framework needed to evolve with the market. Building on the existing framework, eIDAS 2 (Regulation (EU) 2024/1183) was introduced in May 2024, with a phased implementation period and several deadlines by which Member States must fully adopt and apply the new measures.

The main changes, new features and enhancements listed below show how eIDAS 2 adapts to the changing digital landscape and aims to make electronic interactions across the European Union secure and efficient:

  • Digital Identity Wallets: the European Digital Identity Wallet aims to make identification and authentication seamless throughout the EU and to let EU citizens and residents manage their identities and share personal data securely across different services.
  • Expanded Scope of Electronic Identification: where the original regulation established a framework for electronic identification and trust services, eIDAS 2 adds provisions for mutual recognition of electronic IDs across Member States, enabling broader cross-border use.
  • Enhanced Trust Services: stronger requirements improve the security, interoperability and trustworthiness of electronic identification and trust services, addressing technological advances and current market needs more effectively than the original regulation.
  • User Empowerment: the updated framework gives individuals greater control over their personal data and identities and more say in how their information is used in digital transactions.
  • Regulatory Updates: updated requirements and clarifications aim to ensure compliance and strengthen the credibility of electronic identification schemes within the EU.

What is regulated?

eIDAS mandates two primary codes of practice:

Interoperability of government-issued ID

This part of eIDAS requires EU Member States to recognize each other's electronic identification (eID) schemes when their citizens access online services. This cross-border recognition makes an eID from any Member State usable in every other Member State. Although the mandate applies to the public sector, the private sector is expected to follow suit if mutual recognition proves to make business transactions easier, faster and cheaper and opens up genuine business opportunities across borders.

Single digital market

While the eSignatures Directive guaranteed the admissibility of electronic signatures, eIDAS goes a step further by defining requirements for trust services that secure electronic transactions. Under eIDAS, electronic trust services (eTS), including electronic signatures, electronic seals, time stamps, electronic registered delivery services and website authentication, work across borders and have the same legal status as their paper-based equivalents. The goal is to increase confidence in the safety and reliability of digital transactions and so drive adoption and usage.

eIDAS and electronic signature

eIDAS recognizes electronic signatures as legally binding and identifies different levels of electronic signature.

  • Electronic signatures -- basic signatures in electronic form. Under eIDAS, an eSignature is legally recognized and cannot be denied legal effect solely because it is in electronic form.
  • Advanced electronic signatures (AdES) -- require a higher level of security, typically met with certificate-based digital IDs. An AdES must be uniquely linked to the signatory, must be capable of identifying the signatory and the signed document, and must allow any later change to the signed data to be detected, so the integrity of the signed agreement can be verified.
  • Qualified electronic signatures (QES) -- must also be uniquely linked to the signatory and, in addition, must be based on a qualified certificate. Qualified certificates can only be issued by a certificate authority (CA) accredited and supervised by a body designated by an EU Member State. Qualified certificates must also be stored on a qualified signature creation device (QSCD), such as a USB token, smart card or cloud-based hardware security module (HSM). To provide qualified eSignature services, a trust service provider must be granted qualified status.

How to prove digital signature compliance with eIDAS

Common Criteria (CC) is an international set of guidelines and specifications for evaluating information security products, specifically to confirm that they meet an agreed security standard for government deployments. CC certification is a prerequisite for qualified digital signatures under the eIDAS Regulation.

Smart cards and Tokens

Smart cards and tokens are a secure and cost-effective way to enable eIDAS-compliant digital signatures for a defined group of users.

Portable and simple to use, Thales OneWelcome smart cards and tokens let your employees or customers use one device for several secure operations besides digital signatures: passwordless, phishing-resistant multi-factor authentication and file or email encryption and decryption.

To accommodate the variety of users and environments that a large organization may face, Thales offers several versions of Common Criteria certified products, all EAL5+ and PP QSCD certified. Choose the product that best suits your needs based on the authentication technology you require (FIDO, PKI) and the type of workstations or mobile devices used in your organization (equipped with smart card readers, a USB port or NFC support).

Hardware Security Modules (HSMs)

Thales Luna HSMs (versions 7.7.0, 7.7.1 and 7.7.2) are certified under Common Criteria (CC) at EAL4+ against the electronic IDentification, Authentication and Trust Services (eIDAS) Protection Profile (PP) EN 419 221-5. Luna HSM 7 has also received eIDAS certification as both a Qualified Signature and Qualified Seal Creation Device (QSCD).

In addition, Luna HSMs have been certified several times as a standalone QSCD or as part of a composite QSCD with various remote signing solution vendors by the conformity assessment bodies (CABs) in Austria, Italy and Spain (in accordance with Article 30.3.b, the alternative process). These certifications give Thales customers and partners within and outside Europe the highest levels of assurance and conformity for seamless cross-border electronic identification and trust services.

Qualified Trust Service Providers (QTSPs), as well as public or private companies that issue digital certificates and provide local or remote digital signatures and seals (advanced and qualified), timestamp, electronic delivery and website authentication services, can now use Luna HSM 7 as part of their eIDAS-compliant solution. QTSPs can also issue qualified certificates for customers who use an on-premises Luna HSM 7 as their eIDAS QSCD.

Both cloud-based and on-premises HSM solutions can comply with eIDAS, but the HSM employed must be certified as a QSCD. In remote work environments, users and applications must be able to reach digital signature keys whenever and wherever they are needed. HSMs manage and protect signatories' private signing keys without the signatory ever possessing the key (unlike the smart card model, where the signatory holds the device that contains the key). In this way HSMs enable the creation of mutually binding legal documents across all EU/EEA member states.

The keys are maintained in the TSP environment (but controlled by the HSM), which is certified by an accredited national body. To run their operations and services securely, TSPs deploy and maintain the HSMs required to act as qualified devices for electronic signature creation. In effect, these HSMs act as the root of trust.

Why you need a Luna HSM

Electronic signatures, electronic seals, high-volume code signing and other sensitive cryptographic operations require high throughput. Luna HSMs are designed to protect sensitive key material for its entire lifecycle, regardless of the environment, and a broad partner ecosystem lets organizations secure many mainstream and specialized applications.

As eIDAS-certified devices, Luna Network and PCIe HSMs provide the performance, high-assurance key protection and centralized administration and monitoring of cryptographic operations required for eIDAS-compliant electronic signatures, seals and other trust services. As the market leader, Thales' Luna HSM is the foundation of trust for enterprise and government organizations worldwide.

eIDAS Compliant Qualified Remote Digital Signatures

Remote signing applications use a Signature Activation Module (SAM) to authenticate the user's identity and authorize each signing operation, and HSMs to protect the private keys behind the digital signatures and to perform the cryptographic operations securely. Luna HSMs are integrated with SAMs from Thales Technology Partners Ascertia and Nextsense to deliver solutions that meet the remote signing requirements eIDAS sets for Qualified Trust Service Providers (QTSPs). These SAMs can integrate with your own signing solution or function as part of the full signing suite from Ascertia or Nextsense, offering flexibility and seamless operation:

External SAM for Luna HSMs:
Thales and Ascertia work together to deliver digital trust products and services that form complete digital signature solutions. Ascertia's ADSS SAM Appliance, integrated with Luna HSMs, enables the strongest use of digital signatures and delivers the trust services and certifications that public and private organizations require to conduct global business. The ADSS SAM Appliance is a Common Criteria certified Remote Qualified Signature Creation Device (RQSCD) that enables TSPs to deliver qualified digital signature services for natural persons and legal representatives, timestamps and eSeals for any document, web form or transaction. The ADSS SAM Appliance integrates externally with Luna Network HSMs through the HSM's interface to authorize the signing or sealing keys securely and deliver a complete eIDAS-compliant solution for digital signatures.

Learn more in the Solution Brief

Embedded SAM for Luna HSMs:
Nextsense Signature Activation Module (NSSAM), embedded in Luna Network and PCIe HSMs, provides a highly secure remote signing solution, certified under Common Criteria at EAL4+ with AVA_VAN.5 and compliant with EN 419 241-2, EN 419 221-5 and eIDAS, that is scalable and robust for remote digital signing and cryptographic operations. The NSSAM ensures that only an authenticated and authorized user can activate the creation of a QES, which remains under the user's sole control. Such QES cannot easily be disputed or revoked, supporting legal admissibility. NSSAM together with Luna HSMs forms a QSCD for a signing service that meets the remote signing requirements of the eIDAS regulation.
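The following is an added illustration, not code from Thales, Ascertia or Nextsense, of the two properties the sections above describe: the AdES/QES requirement that a signature be uniquely linked to its signatory and reveal any change to the signed data, and the SAM-plus-HSM model in which the HSM signs only for a user the SAM has authenticated, for exactly the document that user activated. It assumes a simplified HMAC-based signature activation data (SAD), a constructed shared secret and Ed25519 keys as stand-ins; the real EN 419 241-2 formats and vendor interfaces differ.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Constructed model of SAM-gated remote signing (not any vendor's protocol): the SAM authenticates
// the signatory and issues signature activation data (SAD) bound to one user and one document
// digest; the HSM keeps the private key and signs only when the SAD it recomputes matches.
type SAM struct{ creds map[string]string }           // user -> password (demo only)
type HSM struct{ keys map[string]ed25519.PrivateKey } // private keys never leave the HSM
func sad(user string, digest []byte) []byte {
	m := hmac.New(sha256.New, []byte("demo-shared-secret")) // constructed secret shared by SAM and HSM
	m.Write([]byte(user))
	m.Write(digest)
	return m.Sum(nil)
}
// Activate is the SAM step: authenticate, hash the document, bind user and digest into the SAD.
func (s *SAM) Activate(user, pass string, doc []byte) (digest, activation []byte, err error) {
	if p, ok := s.creds[user]; !ok || p != pass {
		return nil, nil, errors.New("authentication failed")
	}
	d := sha256.Sum256(doc)
	return d[:], sad(user, d[:]), nil
}

// Sign is the HSM step: refuse unless the SAD matches this user and this digest.
func (h *HSM) Sign(user string, digest, activation []byte) ([]byte, error) {
	key, ok := h.keys[user]
	if !ok || !hmac.Equal(sad(user, digest), activation) {
		return nil, errors.New("signature activation data rejected")
	}
	return ed25519.Sign(key, digest), nil
}

// Verify is the relying party's check of document integrity under the signatory's public key.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	d := sha256.Sum256(doc)
	return ed25519.Verify(pub, d[:], sig)
}

// NewDemo enrols the constructed signatory "alice" with a freshly generated key pair.
func NewDemo() (*SAM, *HSM, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &SAM{map[string]string{"alice": "correct-horse"}}, &HSM{map[string]ed25519.PrivateKey{"alice": priv}}, pub
}
```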

Learn more in the Solution Brief

Secure your digital assets, comply with regulatory and industry standards, and protect your organization’s reputation. Learn how Thales can help.

Luna Network HSM - Product Brief

Secure your sensitive data and critical applications by storing, protecting and managing your cryptographic keys in Thales Luna Network Hardware Security Modules (HSMs) - high-assurance, tamper-resistant, network-attached appliances offering market-leading performance and...

Luna PCIe HSM - Product Brief

Secure sensitive data and critical applications by storing, protecting and managing cryptographic keys in Thales Luna PCIe HSMs – high-assurance, tamper-resistant PCIe cards. Provide applications with dedicated access to a purpose-built, high-performance cryptographic...

Luna HSM 7 Certified for eIDAS Protection

Thales Luna Hardware Security Module (HSM) v.7.7.0, our flagship product, is certified in accordance with Common Criteria (CC) at EAL4+ level against the electronic IDentification, Authentication and Trust Services (eIDAS) Protection Profile (PP) EN 419 221-5.

SafeNet IDPrime 940C/3940C Smart Cards - Product Brief

As cybercriminals get smarter and more determined than ever, more and more businesses and government agencies are coming to the realization that single-factor authentication solutions using simple usernames and passwords are not enough. Thales, the world leader in digital...

SafeNet IDPrime 3940 - Product Brief

As cybercriminals get smarter and more determined than ever, more and more businesses and government agencies are coming to the realization that single-factor authentication solutions using simple usernames and passwords are not enough. Thales, the world leader in digital...

SafeNet eToken 5110 Series - Product Brief

To protect identities and critical business applications in today’s digital business environment, organizations need to ensure access to online and network resources is always secure, while maintaining compliance with security and privacy regulations. SafeNet eToken 5110...

SafeNet eToken Fusion CC

Support FIDO and PKI use cases. Available in USB-A and USB-C. Help organizations meet international and European regulations: Common Criteria, eIDAS, French ANSSI

Secure Remote Digital Signatures with Thales - Solution Brief

Discover how Nextsense and Thales deliver eIDAS-compliant remote digital signing solutions, ensuring security, compliance, and efficiency for regulated industries.

Ascertia products and Thales Luna HSMs deliver the ultimate high-trust PKI and Digital Signing solutions - Solution Brief

Learn how Thales Luna HSMs and Ascertia PKI solutions deliver high-trust digital signatures, eIDAS compliance, and secure global digital business operations.

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.