Oireachtas Joint and Select Committees

Tuesday, 28 September 2021

Joint Oireachtas Committee on Transport, Tourism and Sport

Scrutiny of EU Legislative Proposals

Ms Mairéad McCabe:

I wish the Chairman and members of the committee "Good morning". The Department of the Environment, Climate and Communications is happy to attend the meeting today to discuss the proposed revision of the eIDAS regulation.

I am Mairéad McCabe, principal officer leading the telecommunications policy and regulation division of the Department. Joining me are my colleagues, Ms Catherine McDonald, assistant principal, working in the same division, and Mr. Rory Hinchy, staff engineer of the office of the chief technical officer.

The primary policy focus of our division in the Department is on the telecommunications sector. While the eIDAS regulation is not a telecommunications issue, the EU Telecommunications and Information Society Working Party is currently considering this proposal at European level and this Department is leading discussions in the negotiation. It is expected that the negotiating period will be approximately one year from June of this year.

Our main area of interest in the Department is the oversight of the trust services element of the proposal and we are taking expert inputs from the Office of the Government Chief Information Officer, OGCIO, on the e-identification, eID, aspects of the revision. Inputs from the Department of Justice and the Data Protection Commissioner will also be needed in respect of GDPR and data protection aspects, and other Departments and bodies will be consulted as necessary.

The working party, having held an initial discussion with the European Commission earlier in the summer, is now engaged in ongoing detailed discussions on the proposed revision. This is currently at a very early stage and involvement of a range of stakeholders will be required as we move towards finalising agreement. Planning for implementation, particularly in and around the toolbox which is to be established, will require at national level significant cross-departmental inputs.

Having been fully in force since July 2016, the regulation is now facing a revision, and the intention is that putting new rules in place will pave the way for more successful application of secure digital identities into the future.

The new proposal provides a framework for a European digital identity which will be available to all EU citizens, residents and businesses in the EU. The EU aims to introduce a more harmonised approach to digital identification rather than the current divergent approaches in place across the various member states. Citizens will be able to prove their identity and share electronic documents from their European digital identity wallets, which will be accessible from their phone or other devices. They will be able to access online services with their national digital identification, which will be recognised throughout Europe. Very large online platforms will also be required to accept the use of European digital identity wallets upon request of the user.

For the main proposed revisions to the regulation, the significant changes include: mandatory provision by EU states of digital wallets; improvements to management of remote signature; establishment of a common toolbox for European digital identity; harmonisation with other relevant pieces of EU legislation; adaptation to the much-changed digital landscape since 2014 - the time of the original regulation; and the proposal also foresees four new qualified trust services to meet market demand.

With regard to ensuring the security of the eIDAS regulation, the regulation requires notification regarding cases of security incidents. The supervisory body must currently provide the European Union Agency for Cybersecurity, ENISA, with a summary of notifications of breach of security and loss of integrity received from trust service providers.

While it is the intention of the European Commission that security aspects of the regulation be replaced with rules and procedures under the EU network and information security directive, NIS II Directive, that directive, as the committee will be aware, is currently under active negotiation at EU level. Accordingly, whatever alignment is necessary will only emerge once that legislative file has progressed to an advanced level.

As to trust services in Ireland, there are two qualified trust service providers established here. One provides qualified time stamp services and the other provides qualified electronic signature and electronic seal services. This small market has the potential to grow and is not a hindrance to the development of digital services in Ireland.

Customers can purchase trust service products, such as an e-signature, from any trust service provider in any member state in the EU. If they want a product that is a qualified and therefore a trustworthy product, then they get it from a qualified trust service provider.

In terms of implementation of the 2014 eIDAS regulation in Ireland and formal appointment of a supervisory body for trust services, Article 17 of the regulation requires member states to designate a supervisory body to regulate trust service providers within its jurisdiction. The Minister for the Environment, Climate and Communications has approved the designation of ComReg as the supervisory body under, and for the purposes of, the 2014 regulation. Work is now under way to progress this designation, including considering the practicalities of formal designation, the legislation necessary to amend ComReg’s statutory functions, either primary or secondary, the provision of appropriate enforcement powers and an appropriate funding mechanism. The Department will engage extensively with ComReg and other stakeholders, as appropriate, with a view to designation as soon as possible.

It should be noted that the fact that a supervisory body has yet to be designated in Ireland under the 2014 regulation does not mean that trust services are not available in Ireland. Such services exist and an oversight mechanism was put in place in 2010, provided for under the Electronic Commerce Act 2000. This is operated by the office of the chief technology officer in the Department. However, formalising the designation under the 2014 regulation now requires a much more comprehensive regulatory regime to be put in place for ComReg, which includes enforcement powers and will necessitate the development of the requisite level of expertise in the body being nominated as supervisor. The regulation sets out certain tasks for the supervisory body, requiring it to supervise trust service providers; investigate breaches of the regulation and take enforcement action as appropriate to remedy such breaches; co-operate with supervisory bodies in other member states; and report annually to the European Commission and ENISA on activities and breaches.

An integral part of the role of the supervisory body is to grant and withdraw qualified status to trust service providers. The term "qualified" is used for those service providers which can prove that the services provided by them fulfil the requirements laid down in the eIDAS regulation. It does this based on the results of audits of trust service providers conducted either by itself or by a conformity assessment body.

As regards the main changes proposed in trust services in the revised regulation, while the proposal is ambitious in terms of the digital wallet, the changes proposed to the trust services element are generally less so. In response to the dynamics of the markets and to technological developments, it is proposed to expand the current eIDAS list of trust services with the introduction of four new additional services, including the provision of electronic attestations of attributes, electronic archiving services, electronic ledgers and the management of remote electronic signature and seal creation devices. The introduction of a trust service framework for the electronic attestations of attributes is significant and will be fundamental to the introduction of a digital wallet.

The other main changes to the trust service provisions of the 2014 regulation include proposing to align the cybersecurity risk management obligations with those in the NIS 2 directive, permitting the Commission to introduce implementing Acts to set out the conditions applicable to trust services established in third countries, a suggestion that the tasks of supervisory bodies could be supplemented by the Commission using implementing Acts, and a requirement on providers of web browsers to facilitate the use of qualified certificates for website authentication. Initial views are supportive of the regulation.

We are happy to take questions on the proposal and to hear the views of members.
