At a glance
- The UK eIDAS Regulations set out rules for UK trust services and establishes a legal framework for the provision and effect of electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services and certificate services for website authentication.
- Trust services increase confidence in the use of electronic transactions through mechanisms such as verifying the identity of individuals and businesses online and verifying the authenticity of electronic data e.g. documents.
- The UK eIDAS Regulations are an amended form of the EU eIDAS Regulation and retain many aspects of the EU regulation but are tailored for use within the UK.
- Although the UK eIDAS Regulations allows the legal effect of EU eIDAS qualified services to continue to be recognised and used in the UK, no reciprocal agreement currently exists. This means UK eIDAS Regulation qualified trust services are not automatically recognised and accepted as equivalent in the EU.
- The UK Regulation includes no provisions relating to electronic identification schemes and excludes chapter II of the EU eIDAS regulation.
- The ICO is the supervisory body for UK trust service providers. We can carry out audits, grant qualified’ status, and take enforcement action.
In brief
What does ‘eIDAS’ mean?
‘eIDAS’ is shorthand for ‘electronic identification and trust services’. It refers to a range of services that include verifying the identity of individuals and businesses online and verifying the authenticity of electronic documents.
Read the key definitions section of this guide for more detail on specific types of trust services.
What are the UK eIDAS Regulations?
The eIDAS Regulation is Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market. Following the UK withdrawal from the EU the eIDAS Regulation was adopted into UK law and amended by The Electronic Identification and Trust Services for Electronic Transactions (Amendment etc.) (EU Exit) Regulations 2019). In addition, the existing UK trust services legislation, The Electronic Identification and Trust Services for Electronic Transactions Regulation 2016 (2016 No.696)) was also amended. Taken together, these regulations are referred to in this guidance as the UK eIDAS Regulations.
If you offer trust services in the EU (rather than the UK), you will need to comply with the EU eIDAS Regulation, including operating under the supervision of a supervisory body from another EU member state.
Although the UK eIDAS supervisory body has no EU eIDAS regulatory obligations it continues to work closely with other EU supervisory authorities.
For background information on the EU eIDAS Regulation and relevant binding implementing decisions adopted by the European Commission, visit the Commission webpages on trust services and eID.
Further expert advice and recommendations on the implementation of the EU eIDAS Regulation, trust service providers and trust services can be found on the European Union Agency for Network and Information Security (ENISA) web site. Although these materials refer to the EU eIDAS Regulation, they are a useful resource for understanding the requirements of the UK eIDAS regulations
What does it cover?
Chapter III of the Regulation sets out requirements for trust services. It also sets out what trust service providers need to do if they wish to gain qualified status, which entitles them to be listed on the UK trusted list as a qualified trust service provider.
This guide focuses on the trust service provisions in Chapter III of the eIDAS Regulation.
What is the ICO’s role?
The ICO has responsibility for supervision of the trust service provisions of the UK eIDAS Regulations. The ICO can grant and revoke qualified status for trust service providers established in the UK, approve or reject qualified trust services, report on security breaches, carry out audits and take enforcement action.