Q&A session at the end of presentation

Transcription

1 MODERATOR: Jon Shamah - EEMA Chairman SPEAKERS: TITOLO DIAPOSITIVA SOTTOTITOLO Andrea Servida - Head of Unit egovernment and Trust at DG CONNECT, European Commission Craig Le Clair - Vice President, Principal Analyst at Forrester Research Carmine Auletta Chief Innovation Officer at InfoCert Q&A session at the end of presentation

2 MODERATOR TITOLO DIAPOSITIVA SOTTOTITOLO Jon Shamah is a graduate of Southampton University, specializing in Aeronautics & Astronautics. Jon is a digital Identity & Trust Subject Matter Expert, specializing in maximizing the technology and operational value chain of very large scale eid schemes and national eid programmes. He is a frequent public speaker on issues surrounding identity and Trust and facilitated the ministerial eid workshop in Poznan, Poland which directly led to the eidas, Trust Services regulations. Jon was a long-term consultant on eid issues to the Nordic Banking and Payments Consortium, NETS, and contributes to European Programs such as SSEDIC, STORK2.0, ATTPS, FutureID, FutureTrust and LIGHTest. Jon is former co-chairman of ITU-T, SG17, Joint Coordination for Identity and is a member of the Advisory Board of a number of European organizations and projects.

3 Speaker TITOLO DIAPOSITIVA SOTTOTITOLO He joined the European Commission in 1993 and since January 2006 he is Deputy Head of the Unit "Internet; Network and Information Security" in the Information Society and Media Directorate-General. Besides co-managing the Unit, he is in charge of defining and implementing the strategies and policies on network and information security, critical information infrastructure protection and, last but not least, electronic signature. He also coordinates the team responsible for the European network and Information Agency (ENISA). Until 2005, he worked in the Information Society Technologies Thematic Priority of FP6 with management responsibilities for the research activities on security and dependability technologies and applications.

4 The eidas Regulation Webinar "The disruptive power of eidas" 31 January2018 Andrea Servida DG CONNECT, European Commission Unit "egovernment & Trust"

5 eidas: boosting trust & supporting businesses! TRUST CONVENIENCE eidas CROSS-BORDER SEAMLESS

6 eidas The Regulation in a nutshell 2 MAIN CHAPTERS SUBJECT TO DIFFERENT RULES AND REQUIREMENTS Chapter II Mutual recognition of e-identification means Chapter III Electronic trust services Electronic signatures Electronic seals Time stamping Electronic registered delivery service Website authentication Chapter IV Electronic Documents

7 Timeline eid Entry into force of the eidas Regulation Voluntary cross-border recognition eid DSI v.1 eidas compliant Mandatory crossborder recognition Trust Services esignature Directive rules Date of application of eidas rules for trust services

8 eidas: Key principles for Trust services Transparency and accountability Technological neutrality Trust services Non-mandatory technical standards ensuring presumption of compliance Non-discrimination in Courts of ets vs paper equivalent Specific legal effects associated to qualified trust services Risk management approach The Regulation does not impose the use of Trust services

9 eidas General principles for trust services Liability regime for Q & non-qtsps (art.13) Liability for damages caused intentionally or negligently Reversal of the burden of the proof only for QTSPs Possible limitations of liability for the use of the service by the TSP subject to clear information to customers Applicability of national rules on liability Recognition of 3rd countries TSPs (art.14) Only through international agreements between the Commission and a third country or international organisation Principle of reciprocity Accessibility for persons with disabilities (art.15) 9

10 eidas Obligations of TSPs Minimum security requirements + notification of significant security breaches by all TSPs (art.19) Specific requirements to be met by QTSPs (art.24): staff, trustworthiness of their systems, liability insurance scheme, identification of the certificate owner, Conformity assessment of QTSP (art. 20 & 21): Ex ante (prior authorisation scheme art.21) SB may grant the qualified status in a given timeframe Inclusion in the Trusted Lists ex post (every 24 months & ad hoc art. 19) May withdraw the qualified status building upon Regulation 765/2008 conformity assessment scheme

11 eidas Supporting tools Trusted lists for QTSPs and QTSs (art.22 and ID (EU) 2015/1505) Ensure continuity with the existing TLs established under the Service Directive. Ensure legal certainty. Foster interoperability of qualified trust services by facilitating a.o. the validation of e-signatures and e-seals. Allow citizens, businesses and public administrations to easily get the status of a trust service. EU trust mark for qualified trust services (art.23 and (EU) 2015/806) Usage by QTSP after qualified status has been indicated in the TLs Trustmark indicates in a simple, recognisable, and clear manner the qualified status of a trust service Link to the relevant TL has to be ensured by the QTSP

12 eidas QTS and QTSPs Qualified trust service providers are qualified everywhere in the EU Qualified trust services are qualified everywhere in the EU Art 4 - internal market principle a qualified trust service based on a qualified certificate issued in one Member State shall be recognised as a qualified trust service in all other Member States. Art 25.3 QeSig is a QeSig in all MS Art 35.3 QeSeal is a QeSeal in all MS Art 41.3 QtimeStamp is a QtimeStamp in all MS Questions & Answers on Trust Services under eidas Help understand the legal framework on trust services Regularly updated 12

13 eidas: Key principles for eid Cooperation between Member States Principle of reciprocity relying on defined levels of assurance Mandatory cross-border recognition only to access public services eid Sovereignty of MS to use or introduce means for eid Full autonomy for private sector Interoperability framework 13 *The Regulation does not impose the use of eid

14 Where does eidas have an impact? UMM&DS Uniform User Management and Digital Signatures ehgi ehealth Governance Initiative ECI European Citizens' Initiative ESSN European Social Security Number SUP Directive on single-member private limited liability companies PSD2 Revised Directive on Payment Services AML5 5th Anti-Money Laundering Directive 14

15 An exemple: the financial sector On 27 November adoption of Delegated Regulation on Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication reference is made to both eidas notified eid means and trust services. eidas notified eid means possible solution for strong customer authentication Qualified electronic seals or qualified website authentication certificates mandatory for the communication between payment providers. On 14 December adoption of Commission Decision C(2017) 8405 final setting up the Commission expert group on electronic identification and remote Know-Your-Customer processes Jointly managed by DG CNECT, DG FISMA and DG JUST composed of up to 36 members comprising regulators, supervisors, identity experts, financial institutions and consumer organisations Call for applications closed on explore how to facilitate the cross-border use of eid and KYC portability based on identification and authentication tools under eidas to enable financial institutions to identify customers digitally for onboarding purposes On 20 December political agreement on revised text of the Anti-Money Laundering Directive (AMLD5) explicit reference to eidas notified eid means as a possible way to fulfil Know-Your- Customer/Customer Due Diligence requirements for non-face-to-face interactions

16 eid schemes notified Germany National ID card registered users On 23 August 2017, DE eid formally notified Published to OJEU on ! A milestone towards establishing eid and trust services in Europe achieved!. and ITALY prenotified its private-sector led scheme SPID on ! 16

17 For further information and feedback Web page on eidas eidas Observatory s-observatory Text of eidas Regulation in all languages Connecting Europe Facility Catalogue of Building Blocks eidas twitter Andrea Servida DG CONNECT, European Commission Unit "egovernment & Trust" 17

18 Speaker TITOLO DIAPOSITIVA SOTTOTITOLO Craig serves enterprise architecture and business process professionals. He is an internationally recognized expert in helping companies transform from manual and analog processes to the mobile, digital, and cognitive world. His technology coverage areas include robotic process automation and the emerging digital workforce, AI solutions in financial services, and potential workforce disruption due to these technologies. Prolific writer and speaker, Craig authored How To Succeed In The Enterprise Software Market and has been quoted in The Wall Street Journal, USA Today, Forbes, and many other publications and media outlets. Education Craig earned a B.S. in economics from Georgetown University and an MBA from George Washington University

19 2017 FORRESTER. REPRODUCTION PROHIBITED.

20 The Disruptive Power Of eidas How the new EU Regulation accelerates digital transformation and creates opportunities Craig Le Clair, VP & Principal Analyst, Forrester January 30, FORRESTER. REPRODUCTION PROHIBITED.

21 Empowered Customers Open The Door For Disruption Age of manufacturing Mass manufacturing makes industrial powerhouses successful Age of distribution Global connections and transportation systems make distribution key Age of information Age of the customer Connected PCs and supply Empowered buyers chains mean those that demand a new level of control information flow customer obsession dominate Ford Boeing GE RCA Wal-Mart Toyota P&G UPS Amazon Google Comcast Capital One acy s Salesforce.com USAA Amazon 2017 FORRESTER. REPRODUCTION PROHIBITED. 21

22 Digital Transformation Can Start Today With Available Technologies 2017 FORRESTER. REPRODUCTION PROHIBITED. 22

23 Reviewed 25 E-Signature Production Implementations Digital Trends - Ease Of Implementation Drive E-signature Adoption Customer-facing Processes Remains Hot The European Market Shows Promise Eidas Will Foster Use Of Electronic Signatures Across Borders Within The EU FORRESTER. REPRODUCTION PROHIBITED. 23

24 SaaS Solutions Are Making Implementation Faster. More than 65% of Forrester inquiries on e-signature are from enterprises that have opted for software-as-a-service (SaaS). Implementations range from an average of nine months for larger enterprises, 5.5 for medium-sized, and 2.3 for small businesses. Browser incompatibility, integration with core systems, signature pad support, diverse signing solutions, and user training were cited as challenges FORRESTER. REPRODUCTION PROHIBITED. 24

25 Business Metrics Remain Strong, But Customer Experience Is A Key Success Criterion. Eighty percent error reduction, 85% productivity improvement, bank accounts being opened in just eight minutes, and 22,000 staff hours saved annually are some of the top business results A better audit process, reduced instances of fraud, and higher visibility into what has been signed all added to the value received. But customer perception outweighs these efficiencies as a benefit in the eyes of businesses FORRESTER. REPRODUCTION PROHIBITED. 25

26 E-Signature Workflow Has Many Touchpoints 2017 FORRESTER. REPRODUCTION PROHIBITED. 26

27 E- signature Use Cases Have Different Characteristics Global Energy Global Bank 2017 FORRESTER. REPRODUCTION PROHIBITED. 27

28 Digital Identity Verification For Online Banking And Fraud Prevention Bank located within the European Union with many physical branches. Executives wanted to simplify the customer experience for new accounts by providing a 100% digital experience. Posses excellent customer satisfaction scores with high ratings from hundreds of thousands of customers. Engaged with InfoCert for about two years with the Trusted Onboarding Platform providing the enabling technology for its digital channel. Net Present Value: 11,6M Return on Investment: 174% Payback Period: 0,6 months Increase signed customers: 30% Case study analysis provided by Forrester on behalf of Infocert 2017 FORRESTER. REPRODUCTION PROHIBITED. 28

29 Global And EU Trends Will Emphasize Authentication EU has in place the most advanced regulation in terms of digital signatures and digital trust services. Banks can rely on regulated Qualified Trust Service Providers to implement digital transformation projects. In this way enterprises can externalize part of its risk/liabilities i.e. Make TSP liable for its activities The bank is not just adopting a technology but, is outsourcing part of identificatifon, certificate issuing, signature, and preservation exposure 2017 FORRESTER. REPRODUCTION PROHIBITED. 29

30 Better Mobile Support And Real-Time Session Management Will Push The Market Most implementation cases offered mobile signing support. Real-time session management is becoming a requirement. Mobile solutions are improving (although mobile challenges remain) 2017 FORRESTER. REPRODUCTION PROHIBITED. 30

31 E-Signature Is Only One Component Of Digital E- Transaction Blockchain & Distributed Ledger Innovation- etransaction Management Efficient and lower-cost payments esignature Applications that execute electronic signatures Has Move to SaaS Challenged by Freeware Consolidation Digital Components Signature As Component Of Digital Platforms Functionality combined with E-forms, workflow, and CCM platforms Looks at end-to-end business transaction Negotiable instruments- Secondary market focus Requires deep expertise in compliance Currency transfers and securities settlement SSL certificate issuance, Timestamping, Tamper-proof asset ownership and tracking ( 2017 FORRESTER. REPRODUCTION PROHIBITED. 31

32 Digital Transformation Platforms Form A Rich Ecosystem InfoCert DTM DocuSign RPA 2017 FORRESTER. REPRODUCTION PROHIBITED. 32

33 Summary E-Signature Adoption Is Growing And A Component Of Digitizing Your Business Recognize That E-signature Solutions Require Changing Business Behavior. The Important Technologies Are Here Today eidas Reduces Uncertainty And Will Encourage Adoption 2017 FORRESTER. REPRODUCTION PROHIBITED. 33

34 Craig Le Clair Thank you FORRESTER.COM 2017 FORRESTER. REPRODUCTION PROHIBITED.

35 Speaker TITOLO DIAPOSITIVA SOTTOTITOLO Carmine is InfoCert s Chief Innovation Officer where he is responsible, among other things, of Innovation, New Products Development, Strategic Planning and International development. Prior to joining InfoCert, Carmine gained 12 years of work experience in the energy sector working for Terna where he covered the role of Chief Technology Officer and VP of Marketing and Innovation. While in Terna, Carmine was also designated Chairman of CASC Audit Committee, the European central auction office for cross-border energy transmission capacity with a Net Turnover of 1.8 bln. Previously, Carmine gained 10 years of international work experience within Bain & Company and Accenture. Carmine studied in Italy where he earned a Bachelor's degree in Computer Science and a Master's degree in Telecommunications; he completed his academic background in the USA with an MBA from the Kellogg Northwestern University. He has published several papers on Physical Review B and Physica C.

36 The Disruptive Power of e-idas Web-Seminar, January 31 st, /03/2018 Cannes, Nov 29th 2017 Carmine Auletta InfoCert - Chief Innovation Officer

37 InfoCert: the largest Certification Authority in Europe - ~ 4 Million Active Qualified Digital IDs in ,1 Million e-commerce Customers in 2017 > 6 Million ~ 100 Million TITOLO TOP Digital DIAPOSITIVA SOTTOTITOLO Transactions in Digital Signature Transactions in 2017 > 10 Countries > Enterprise Customers

38 The role of Qualified Trust Service Providers (QTSPs) Liability for the entire process Identity of the parties Strong customer authentication Validation & preservation QTSP Non repudiable edelivery Willingness to transact INFORMATION COPYRIGHT INFOCERT 38

39 InfoCert s distinctive factors in enabling an effective digital transformation 1. EIDAS REGULATION EXPERTISE 2. EIDAS IN CONJUNCTION WITH INDUSTRY-SPECIFIC REGULATIONS 3. COMPLIANCE TRIGGERED INNOVATION TITOLO DIAPOSITIVA SOTTOTITOLO 39

40 InfoCert: an innovation-driven Company 20% OF BUSINESS RESULTS FROM SOLUTIONS & PRODUCTS THAT DID NOT EXIST JUST 2 YEARS AGO 6% OF ANNUAL TURNOVER INVESTED IN R&D TITOLO DIAPOSITIVA #6 PROJECTS FUNDED SOTTOTITOLO BY EU RESEARCH FUNDS #14 REGISTRED PATENTS 40

41 TOP Trusted Onboarding Platform InfoCert revolutionized the Financial Services Industry introducing TOP, our patented solution for remote customer identification and digital subscription of contracts. Since its launch in 2013, we ve completed more than 6 million onboarding on TOP, enabling our customers to reduce time, costs and frauds. TITOLO DIAPOSITIVA SOTTOTITOLO 41

42 TOP a never ending innovation From prospect to customer in less than 10 minutes. Now also through Self Identification. AMLID eid WebID TITOLO DIAPOSITIVA SOTTOTITOLO SignID LiveID USER SelfID

43 TOP a never ending innovation A success story in Consumer Lending Market: the ING case From an old fashioned lending process... Paper signature and documentation Big customer s effort Poor customer experience to a distinctive instant lending experience Fully Digital Real time scoring Instant disbursement TITOLO DIAPOSITIVA SOTTOTITOLO Time to Cash up to 13 days Time to Cash in 5 Minutes Conversion rate increased by 40% Renounces rate dropped by 80% 43

44 GeoSign - Expand your proof of evidence GeoSign, another patented InfoCert s solution, certifies the geographic location (GPS coordinates) of the signer s hardened device and binds such data within the electronic signature. Thanks to the digital signature, georeferenced data gains integrity and enforceability to third parties. TITOLO DIAPOSITIVA SOTTOTITOLO Winner of Digital 360 Award* 2017 for Mobile Business Category 44 * Jury composed by 53 CIOs of the most important Italian companies

45 GDPR ready-solutions SecureDrive SecureDrive is an encrypted cloud platform where it's possible to store documents and guarantee their privacy. The use of asymmetric TITOLO key DIAPOSITIVA algorithms ensures the data SOTTOTITOLO secrecy, making it full compliant with GDPR Regulation, the new EU Law about privacy coming into force in May

46 GDPR ready-solutions SecureStream XXX SecureStream guarantees the integrity and non-repudiation of each single frame in any stream of digital data (audio and or video sequence, log etc..). TITOLO DIAPOSITIVA SOTTOTITOLO Each frame is digitally signed by InfoCert and dynamically bound to all previous frames in order to guarantee the integrity of the entire stream as it gets created. 46

47 What s about the future? Trusted Blockchain At the heart of Blockchain there is an algorithm which is pure perfection as long as it stays on paper. To be properly deployed at a business level it must be part of a secure Trust chain and within a clear Liability Framework. And it s at those areas where InfoCert is investing. INFOCERT IS A FOUNDING STEWARD OF SOVRIN NETWORK TITOLO DIAPOSITIVA SOTTOTITOLO Sovrin is a distributed identity network based on a software Open Source. A Founding Steward, like InfoCert, plays as a node of SOVRIN NETWORK: it is responsible to validate transactions, while the user s identity verification is made through Claims, Keys and Identifiers Pubblic and permissioned Consent receipt Keys 03 Public and private keys respectively used to verify and sign a transaction Claims Record referring to identiry: - Self asserted claim - Verifiable claim - Premium claim 04 Identifiers Cryptographic or noncryptographic, they uniquely identify each subject. They are saved on the ledger. Disclosures It allows the user to use only data and information useful for a particular identification

48 What s about the future? Trusted Internet of Things iot trends: the volume of connected objects on the internet is estimated to be in the range of 20 and 50 billion in 2020 Hack of IOT systems is growing: GPS spoofing Computer cars remote hacking control Power grid breaches Healthcare data breaches iot needs of TRUST for: Proof of identity Privacy Liability framework TITOLO DIAPOSITIVA SOTTOTITOLO InfoCert is piloting the concept of a Trusted IoT ecosystem 48

49 Thank you! Carmine Auletta Chief Innovation Officer INFORMATION COPYRIGHT INFOCERT

50 Q&A SESSION TITOLO DIAPOSITIVA SOTTOTITOLO

51 Q&A Session Can a citizen of a Member State be identified by a QTSP accredited in a different Member State in accordance with the identification methods listed in the CPS and receive a qualified certificate? Can he use this certificate in his/her Member State with full legal validity of the signed documents Yes, this is possible. If a citizen is identified in accordance to the procedures listed in the CPS of the QTSP, and these procedures are recognized valid ones in the accreditation process bytitolo the national DIAPOSITIVA supervisory body, the citizen can receive a qualified certificate and, as provided in thesottotitolo eidas Regulation, this certificate is recognized as a qualified certificate anywhere in Europe. In this regard, Article 24 provides that QTSP shall verify the identity of the natural or legal person to whom the qualified certificate is issued in accordance to the national law applicable in the Member State where the QTSP is accredited and from where it may offer qualified services to clients everywhere in Europe. Andrea Servida Head of Unit egovernment and Trust at DG CONNECT, European Commission

52 Q&A Session How and where can a user of a digitally signed document, for example a Fiscal Authority, verify if a Trust Service Provider is certified to provide trust services? The information that a Trust Service Provider is a QTSP is already stated in a valid certificate. In addition, to verify if this is trustworthy information, the authoritative sources to be used are the Trusted Lists (article 17) where the Qualified Trust Service Providers are listed under the responsibility of the national supervisory body granting the status of QTSP. TITOLO DIAPOSITIVA SOTTOTITOLO Andrea Servida Head of Unit egovernment and Trust at DG CONNECT, European Commission

53 Q&A Session Does a public authority of a Member State, for example a Fiscal or Administrative Authority, need an explicit consent from the local Supervisory Body to accept a qualified certificate issued by another Member State QTSP? The answer is no. If a public authority is accepting at national level advanced electronic signatures, under the eidas Regulation it is obliged (Article 27) to accept electronic signature of the same or higher security level (i.e. up to qualified signatures), disregarding TITOLO DIAPOSITIVA SOTTOTITOLO whether such signatures are generated based on certificates or signature creation services provided in another Member State. This is particularly true for qualified electronic signatures. The Supervisory Body in the receiving Member States plays no role in this regard. Andrea Servida Head of Unit egovernment and Trust at DG CONNECT, European Commission

54 Q&A Session Can any Member State Supervisory Body or Parliament issue a law, a guideline or any other measure which may affect a different Member State QTSP only because the latter is issuing a qualified certificate in a cross-border situation? No, eidas Regulation defines the legal framework for qualified trust services and qualified trust service providers. At the national level no legal act or administrative measure can be enacted or adopted to change the scope and validity of the provisions in eidas Regulation. TITOLO DIAPOSITIVA SOTTOTITOLO If that will be the case, there will be incompatibility between the European primary law (i.e. eidas Regulation) and, as provided under the Treaties, the national law will be invalid. Andrea Servida Head of Unit egovernment and Trust at DG CONNECT, European Commission

55 Q&A Session Does eidas Regulation forbid remote identification to issue qualified trust services? Can a local Conformity Assessment Body or Supervisory Body approve it? eidas Regulation doesn t forbid remote identification. Qualified trust service providers can identify a person to whom they issue a certificate using a remote identification methods (for instance based on eid means that meets the requirements of Article 8) as long as such methods and the related procedures are recognized at national level and complies with the TITOLO DIAPOSITIVA SOTTOTITOLO eidas Regulation, i.e. they provide equivalent assurance (confirmed by a conformity assessment body) in terms of reliability to physical presence. Andrea Servida Head of Unit egovernment and Trust at DG CONNECT, European Commission

56 Q&A Session A QTSP can identify a citizen to issue a qualified certificate with a notified or prenotified eid with a level of assurance substantial, or just the level high is allowed? In accordance with article 24 of the Regulation, when issuing a qualified certificate, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity of the person to whom the qualified certificate is issued. To this end, Art 24.1(b) sets out that electronic identification mean notified under eidas can be TITOLO DIAPOSITIVA SOTTOTITOLO used for remote verification provided that they meet the requirements set out in Article 8 with regard to the substantial or high level. Andrea Servida Head of Unit egovernment and Trust at DG CONNECT, European Commission

57 Q&A Session Can a bank or another subject different from a QTSP keep the private keys associated to the qualified certificates of their customers, in an HSM system installed on the bank s premises? Annex II of the Regulation sets out the requirements for qualified electronic signature creation devices, including HSM, that may be used to create qualified electronic signatures. Point 3 of the Annex states that the generation or management of electronic signature creation data on behalf of the signatory may only be done by a qualified trust service provider. TITOLO DIAPOSITIVA SOTTOTITOLO Andrea Servida Head of Unit egovernment and Trust at DG CONNECT, European Commission

58 Q&A Session Why do you think that the supervisory body in the UK has still not published the processes for CABs? Although I'm not sure that the question relates to one of the tasks of the supervisory bodies as set out in the eidas Regulation, it is definitely a question for the UK authority. Andrea Servida Head of Unit egovernment and Trust at DG CONNECT, European Commission TITOLO DIAPOSITIVA SOTTOTITOLO

59 Q&A Session Given the global audience and interest for non-eu nation states with strong links to the EU, is it possible for the Regulation that non-eu schemes are notified by an EU MS? What advice would you give? Member States remain free to decide which electronic means may be introduced or recognized at national level for the purpose of electronic identification for accessing on line public services. It is their sole sovereign decision. However, when it comes to cross border recognition of eid means the provisions under eidas Regulation apply, in particular the TITOLO DIAPOSITIVA SOTTOTITOLO eligibility criteria for notification as set in Article 7. Andrea Servida Head of Unit egovernment and Trust at DG CONNECT, European Commission

60 Q&A Session Spain normally accepts 5 different means of e-authentication: ID card, e-certificate, permanent password, temporary SMS password and STORK / eidas, using Cl@ve, a mandatory common service for authentication. You quickly mentioned that the different means of electronic ID acceptable for a transaction are defined by each member state. This means that probably not all authentication methods will work across borders. How does this work in terms of interoperability and how does it affect the eidas objective of seamless authentication? What consequences may this have for member states that will need to support a growing number of authentication methods? TITOLO DIAPOSITIVA SOTTOTITOLO Once again, Member States are free to decide which electronic means may be used at national level for the purpose of electronic identification for accessing on line public services. However, only eid schemes and associated means notified under eidas will be recognized (as of 29 September 2018) across borders in all Member States. Such notified eid schemes will be interoperable as, among others, they will comply with the criteria and requirements of the interoperability framework set in the eidas Regulation and related Implementing Act. Andrea Servida Head of Unit egovernment and Trust at DG CONNECT, European Commission

61 Q&A Session Which are the main differences between European landscape and the rest of the world in the area of digital trust? The main difference is simply that the US has settled upon a type of signature based on multiple authentication aspects, not based on the certificate, even if in some of the elements could seem bound to the European concept of advanced signature. US signature is based especially on knowledge-based authentication, and even biometrics is growing in TITOLO DIAPOSITIVA SOTTOTITOLO importance (voice printing, facial biometrics). This approach made possible a really rapid market progress, but is more focused on customer experience, and not much on trust. Craig Le Clair Vice President, Principal Analyst at Forrester Research

62 Q&A Session How do you see the future of QTSP market in Europe? Nowadays, there are more than 170 QTSP in Europe, most of them small-sized. This made sense before eidas, because each country had a specific regulation. I believe that the market will be consolidated and in the end, will have a small number of big players, providing innovation and better solutions to the market. TITOLO DIAPOSITIVA SOTTOTITOLO Carmine Auletta Chief Innovation Officer at InfoCert

63 Q&A Session How should discontinuity be handled in a multi-sided contract environment? For example: three companies want to sign a contract, each company needs two signatures to validly sign, so we need six signatures. The first two use qualified electronic signature, the next wants to sign by hand, and uploads the scanned document, the next signs electronically, the next by hand... How can be generated a single document with all electronic signatures (still able to validate electronically) and all manual signatures as well on it? The most TITOLO effective DIAPOSITIVA approach in a multi-sided contract environment is to decide whether the process has tosottotitolo be fully digital or analogic. It s not recommended to mix digital and wet signature, because the act of printing and scanning documents creates a discontinuity in the trust chain that can impact on its formal validity as well as create vulnerabilities. In complex cases like the one described, the best approach would be to design the entire signing process and validate it against legal, functional and organizational requirements. Carmine Auletta Chief Innovation Officer at InfoCert

64 Thank you! INFORMATION COPYRIGHT INFOCERT