What do firms need to know about eIDAS?

The requirement for firms to request and share information online has been enabled through PSD2. But, like all online services, these interactions need to be secured and the parties involved need to be able to trust one another. The EU RTS-SCA regulation requires the industry to adopt certificates compliant with a specific EU regulation on electronic identification, known as eIDAS, to identify payment service providers engaging with each other online. But there are industry concerns about the clarity of these requirements and use of these certificates by the final implementation deadline of 14 September.

To those uninitiated in the dark arts of cyber-security, the principles of online security and trust networks can seem exceedingly opaque. Yet the internet is founded upon the use of digital ?certificates? that are responsible for keeping your data secure (encrypted) and making sure that the sites and information that you access can be trusted (signed). These two principles are handled seamlessly by your internet browser - a padlock symbol within your browser's navigation bar may be the only visible sign that a site is trustworthy.

One quirk of this system is that the certificates a browser trusts, and those it doesn't, are decided by the private company that provides your software. Under eIDAS this European regulation specifies an ultimate 'trust source?: the European Commission. Under its regulatory requirements, backed up with quality requirements, the eIDAS regulation should mean that anyone can use certificates provided by companies within this trusted list and know that they are safe.

While there are no domestic providers of eIDAS certificates within the UK, there are a number of EU institutions authorised to produce qualified certificates. The European Commission has produced a navigable version of the list.

Some firms have been unsure whether this requirement will remain in UK law. The FCA has confirmed this to be the case within their Approach Document. Additionally, the eIDAS regulation has gone through an onshoring process to bring it within the UK's regulatory environment in the case of a no-deal Brexit; this process recognises that certificates qualified under the EU regulatory framework will be counted as such within the separate UK framework. While the UK onshoring of the technical requirements of PSD2 is currently under consultation with the FCA, it looks probable, whatever the result of Brexit, that this requirement will remain in some form for UK firms.

Within the UK, the open banking ecosystem has not yet been engineered to utilise eIDAS certificates. The UK's Open Banking Implementation Entity (OBIE) has reworked its directory service to provide support - there are many live products in the market that will likely need to readjust their security protocols to use these credentials.

It is ultimately down to the industry to find a way to reach the compliance required by regulation. Although precisely what regulation will apply at the time of implementation is, admittedly, somewhat dependent upon the wider political context.

Area of expertise: