What can Estonia offer to the European digital identity?

February 26, 2024

by Peeter Vihma

Estonia introduced digital identity more than 20 years ago. It is the cornerstone of the functioning e-Estonia that connects the physical identity to an electronic identity in cyberspace. In light of the updates to the current eIDAS directive, we discuss how Estonia has influenced the new European regulation. And what Estonia has to offer for its implementation.

Arguing for an interoperable Europe

During the development of the eIDAS 2 regulation, all European countries were duly consulted. With the fast developments in digital identity technologies and use cases, there is no shortage of extremely competent specialists. So, instead of technical discrepancies, the discussions on the European level have mostly been between schools of thought.

“The two general principles — that all member states must issue an eID and that everyone can give an electronic signature that is equal to a handwritten signature were Estonia’s positions that we defended in the negotiations and that were eventually included at a generalised level,” says Mait Heidelberg, counsellor to the ministry in the Ministry of Economic Affairs and Communications on information society issues.

“For one, being so used to using digital identity, Estonia has always wanted secure, sensible electronic identity tools to be available all over Europe. For two, electronic signing is so widespread in Estonia that Estonians often encounter problems in other European countries. Where the ideas about electronic signatures are different or absent. As with the new eIDAS regulation, both of these issues seem to be solved; this is a very good development from our point of view,” says Mr Heidelberg.

One of the key developments proposed in eIDAS is the electronic identity wallet. The wallet is an app that can be used for identification, signing, and storing digital documents safely on a mobile phone. For Estonians, this would be a nice development which would build on existing eID and interoperable systems. In many other countries, the wallet would actually make the eID more popular.

“For Estonians, having an digital identity in itself is important. Everyone uses it daily. If we finally have something like a wallet in our mobile phone, it is reasonable to put various other attestations besides the identity,” says Riho Kurg, architect at the Information System Authority’s (RIA’s) electronic identity department.

“However, in many European countries, it is the reverse. For example, the Austrian wallet lets you put a driver’s license in it. Since people want to have their digital license, they will get a wallet. But to make full use of the wallet’s other possibilities, such as electronic signatures, people apply for an ID card that is otherwise not compulsory.”

Estonia offers a security solution that works

Since the first eIDAS regulation in 2014, new technologies have become available that can alter the way the security concerns of the wallet can be addressed. Since some of these have come from Estonian companies such as Cybernetica, Nortal and SK ID, we can provide new solutions that were not thought about previously.

“In developing the wallet for a mobile phone, people are naturally concerned about how it is kept safe,” says Riho Kurg. “Indeed, security features of mobile phones by Samsung or Apple or others can be very good. And we know that, for example, Singapore uses a mobile security element in its wallet. But relying on mobile phone security features may be an issue.”

“The first question is whether they will ever get certified or the manufacturers are even interested in certification. Europe is a relatively small market. This whole topic of trust services is very “foreign” when viewed in America or Korea,” explains Mr Kurg.

“The other thing is that we will be dependent on the latest models of phones. Quite a few people either don’t have the latest model or never want one.”

Estonia is developing its wallet on technologies independent of mobile hardware. The “split-key” technology it relies upon is actually being used in a “smart-iD” app. A large percentage of Estonians have been using it, and it has been recognised as a QSCD (Qualified Signature Creation Device) since 2018.

“The benefit of our wallet is that we can already share our European experience that such solutions exist, and they work well,” says Mr Kurg. “What we need to make sure is that this is recognised also elsewhere in Europe. If the regulation states that the private key must always be in one place, this technology won’t work. Luckily, we are not alone; the Netherlands are arguing for the same principle.”

Implementing eIDAS 2 for creating a lasting change

eIDAS is still quite fresh, and some of the aforementioned questions still hang in the air. The technical implementation of the identity wallet is yet to come. A legitimate question is whether the dream of interoperability in Europe can be achieved after all. At least everyone interviewed for this article seems to be carefully optimistic.

Laura Kask, Legal expert and CEO of Proud Engineer, a consultancy, suggests that eIDAS is a step in the right direction. It forces countries to issue an electronic identity. With this, for example, entering state portals to get immediate information about state services in other countries should become possible soon.

“However, in the hope that in the tailwind of eIDAS, we will quickly develop more profound interoperability between countries, I am not very optimistic. This would require that we think about identity in a similar way. But identity is very much a cultural issue,” says Ms Kask.

More probable is the quick development of interoperable business register solutions. There are not such big cultural differences in Europe with the identification of companies.

Substantial hope comes from the consortia that are focused on a specific domain. Estonia is engaged in one, named Potential, which aims to develop an interoperable driving license.

“The developments are promising. Besides us, RIA, and the IT companies, the Estonian Transport Administration is on board and very enthusiastic,” explains Mr Kurg. “They are actually looking to add the vehicle’s registration certificate into the wallet, too. The technical standards are ready for the driver’s licence, and we are waiting for the lawyers to do their part.”

With the enthusiasm and working examples developed in Potential and other consortia, Europe is proceeding case by case towards international interoperability. New eIDAS regulation is just the first push. This can lead to a wider and deeper cultural turn regarding how we think about electronic identity in Europe.

Riho Kurg’s photo: Rene Riisalu
Laura Kask’s photo: Jaana Süld

Recouse: e-estonia

Estonians can now purchase prescription medications in Greece

February 15, 2024

Starting this week, citizens of Estonia and Greece can use cross-border e-prescription and Patient Summary services, marking a significant step in the digitalisation of healthcare services and supporting the mobility of citizens across Europe.

Estonians can now purchase medications in Greece based on an Estonian e-prescription and vice versa; Greek citizens can buy medications in Estonia with a Greek e-prescription. Additionally, healthcare professionals in both countries can access each other’s health data, ensuring better continuity and quality of care across borders.

“This innovation means much more than just convenience. It represents a sense of security and assurance that our health is protected while travelling,” said Aurelia Mihk, the manager of cross-border data exchange services at the Health and Welfare Information Systems Centre (TEHIK). “For example, if an Estonian family is vacationing in Greece and a family member unexpectedly needs medical care, local healthcare professionals can immediately access their health data in their native language or purchase the necessary medication based on an Estonian ePrescription. This makes treatment faster and more effective while also reducing stress and worry.”

“I can imagine how important this service is for the elderly, for instance, who spend the winter months in warmer countries,” Mihk added. “Previously, their continuous medical monitoring could be challenging, but now their health data and e-prescriptions are accessible across borders, ensuring continuous and quality care.”

For Estonian citizens, the process in Greece is as simple as at home: going to a pharmacy with an ID card or passport allows the pharmacist to access e-prescriptions based on the personal identification code. For Greeks, the national social security number (AMKA) is used for identification, which must be presented to the pharmacist along with an identity document.

“The steps taken today not only improve the quality and availability of healthcare services but also create closer ties between European countries,” concluded the service manager. “This proves how technology can make our daily lives better, safer, and more convenient.”

Prescription medications to be available from southern neighbours

This initiative is part of a broader European Union cross-border data exchange project, which already includes several member states: Spain, Croatia, Poland, Portugal, Finland, the Czech Republic, and now Greece. More countries, including Latvia, are expected to join soon, further expanding the opportunities for Estonian citizens to use healthcare services across Europe.

In addition to cross-border digital prescription data exchange, Estonian patients’ health data is now accessible to healthcare workers in Luxembourg, the Netherlands, France, Portugal, Croatia, the Czech Republic, Spain, Malta, and Greece.

More detailed information about all participating countries and services can be found on the TEHIK website: https://www.tehik.ee/en/cross-border-data-exchange

Resorce: e-estonia

Digital wallet and eIDAS 2.0: a boost for Estonian companies

February 14, 2024

by Peeter Vihma

In November 2023, the European Commission agreed upon the new eIDAS regulation that will change Europe’s digital identity and digital wallet landscape and beyond. Estonia has been the leading country in digital identity proliferation and use, and Estonian IT companies have always been part and parcel of its development. Now, these companies are at the forefront of domestic and international engagement with the new direction that eIDAS proposes: the digital identity wallet.

Building on Estonian e-ID track record

Cybernetica is an Estonian cybersecurity company with a special place in the development of e-Estonia, as it provided the baseline cybersecurity knowledge necessary for creating the foundations of digital identity in Estonia in the early 1990s.

Now, Cybernetica, in a strategic collaboration with the Estonian Information System Authority (RIA), has embarked on a pivotal analysis of the technical architecture of the forthcoming Estonian digital identity wallet that has the potential to influence the entire European market.

The new eIDAS regulation makes use of a digital identity wallet — a mobile application designed to serve as an alternative to conventional physical documents such as ID cards and driver’s licenses — mandatory for European countries. However, eIDAS allows member states to direct their citizens to whichever wallet they deem proper. This kind of regulation creates a market for developers such as Cybernetica. Since Estonian digital identity has a long and trusted track record, Cybernetica has a good starting position.

“Together with RIA, Cybernetica aims to craft a wallet solution tailored to Estonia’s needs and aligned with existing information systems. This wallet should seamlessly integrate with national information systems, ensuring compatibility and adherence to EU standards for authentication, citizen data submission, and creating digital signatures,” said Aivo Kalu, Cybernetica’s lead security engineer.

Technology-agnostic security solution for the digital wallet

Cybernetica is actively working on the SplitKey CSP product destined for the future digital wallet in tandem with the wallet development.

“Wallets will contain documents that can be used to access critical information systems such as online banks and public sector portals. Therefore, it is extremely important that these documents remain in the possession of the wallet user and that no one else can present your credentials under their name,” Cybernetica’s software architect Mattias Lass elaborated. “SplitKey CSP offers a solution by linking documents in the wallet to cryptographic keys utilising SplitKey technology. The other part of the key remains in the possession of the owner. In this way, copying becomes impossible. It is special because this approach does not require high-end phone hardware, and the technology behind the solution is transparent and certified.”

Despite these advanced and proven technological solutions, what makes the development of the digital wallet complicated is the ongoing policy development of the European Union. According to Yuliia Kravchenko, Risk and Compliance Expert at Cybernetica, the final technological solutions for the identity wallet depend on many simultaneous implementation acts.

„For example, the European Cyber Security Certification Scheme has just been adopted. Previously, the protection profiles were nation-specific, but to make the wallet interoperable in all European countries, there needs to be a unified cyber security protocol, its definitions and requirements,” says Ms Kravchenko. “However, to create one that is technology agnostic is quite complicated, and if it is unskilfully done, it may lead to poorer implementation of the wallet by technology lock-ins or extreme bureaucracy.”

Making international recognition easier

European Union’s digital policies are known to have a global influence, and the new eIDAS is a good case in point. Proud Engineers, a high-level consultancy that advises countries in digital development, sees the critical value of eIDAS in their work.

“We see how countries that we consult want their digital identity systems built based on eIDAS, or at least want their frameworks to be recognized in the European Union,” says Laura Kask, CEO of Proud Engineers. “The new eIDAS creates a clearer basis for mutual recognition of digital identity frameworks.”

“Hence, the new eIDAS directly influences our work. Ukraine was the first to achieve partial recognition under the old eIDAS, but this will have a strong legal basis.”

In our portfolio, Egypt and Armenia, whom we advise on their trust services framework, aim to base their upcoming digital identity services on eIDAS. Ideally, a document – such as a driver’s license or a university diploma — issued in Armenia, which is stored in its digital identity wallet, will be accepted by European Union’s countries.”

The critical question of Big Tech vs Digital Nations

While member states are now obliged and eager to start implementing eIDAS, the critical question is the relationship between government-issued and Big Tech-issued wallets. According to Laura Kask, since the market for wallets is theoretically open for everyone, it may be that the identity business is slipping from nation-states to technology companies. This may have detrimental consequences.

On the one hand, it is the question of user comfort. While states need to retain certain control over the issue of identity, they still need to value the ease of use. Otherwise, private providers who might not be keen to safeguard transparency but prioritize user comfort will have the upper hand.

On the other hand, it is the question of introducing the state-provided digital wallet into the big tech platforms and social media.

“In the case of eIDAS, what is interesting now is that this wallet should be mandatory for use on large platforms such as Facebook, Google and so on,” says Ms Kask. “In the future, we should be able to enable authentication to log in using this EU identity wallet. However, we have not seen their reaction yet. Hopefully, this won’t change the paradigm to the point where we end up using Apple Wallet instead, which isn’t actually audited or controlled by member states. I hope the basic principle will remain: the state issues the first basic identity, and a chain of trust can be built on it for the private sector to use it, too.”

Hence, the eIDAS is definitely a step in the right direction, but it opens up opportunities for different developments. A supportive but critical attitude is surely advisable.

Laura Kask’s photo: Jaana Süld

Resource: e-estonia

e-Estonia is collecting success stories for our 15th birthday

February 7, 2024

Article content

This year, the e-Estonia Briefing Centre is turning 15, and to celebrate it globally, we are looking for digitalisation stories worldwide.

During these 15 years, the centre has hosted over 6000 delegations and an impressive 87,000 guests from more than 130 countries worldwide.
Many of them have resulted in fruitful international collaborations by offering over 800 custom-made events to cater to their need for innovation. We frequently assist and consult other countries with digitalisation initiatives and match them with credible, leading IT partners to empower their efforts and boost innovation and international cooperation.

Of course, Estonia is not shy in sharing our experience of over 20+ years of building our digital nation with the rest of the world, and there are tens and tens of examples of digital solutions built with the help of Estonian experts around the world.

For example, did you know that the Mexican state of Queretaro uses Estonian-built interoperability software, the X-Road, that Roksnet helped them set up? Or that Nortal conducted the first-ever e-Census in the Sultanate of Oman, with 95% data quality.

Or how do you inspire a nation and scale innovation? Assisting in the digital transformation of Ukraine’s public sector is compelling evidence of Estonia, a relatively small nation, excelling significantly in exporting e-governance expertise. Ukraine’s path to digitalisation owes much to Estonia, which has been at the forefront of digital government and served as a model and early adviser to Ukrainian efforts. Even today, more than 30 Estonian advisers are embedded within the Ministry of Digital Transformation.

For our birthday, we are collecting stories. Share with us a spark of inspiration, a start to collaboration, or a lightbulb moment you had after learning about e-Estonia. Let us know your story in the comments or write to us: press.e-estonia@eas.ee

Resouce: e-estonia

Estonia and Iceland: a tale of innovation and collaboration in digital identity

February 5, 2024

Article content

In the ever-evolving landscape of digital identity solutions, the collaborative journey between SK ID Solutions from Estonia and Auðkenni from Iceland has not only addressed complex challenges but has also accelerated the digital transformation of the two nations. With a combined experience of over 40 years in electronic identity, these two companies have showcased the power of enduring relationships and innovative solutions. Let’s explore how one groundbreaking solution, Smart-ID, seamlessly delivered electronic identities to Estonia and Iceland.

The Estonian chapter and the Icelandic Odyssey

SK ID Solutions, an industry leader in electronic identity, has supported the Estonian government for over two decades. With services ranging from authentication and signing certificates to the widely adopted Mobile-ID and Smart-ID solutions, SK ID Solutions has played a vital role in the lives of over 4 million people in the Baltic countries.

Auðkenni, a private Icelandic company turned government-owned entity, embarked on a transformative journey with SK ID Solutions in 2005. As of 2024, over 94% of Iceland’s population utilises Auðkenni’s diverse authentication and signing services, reflecting the company’s evolution into a trusted entity for Icelandic residents.

Challenges led to successful integration

Auðkenni’s history includes the introduction of Mobile-ID in 2012, a SIM card-based solution that met stringent security standards. However, challenges arose in 2016, leading to the upgrade of Mobile ID to the European Union’s highest security level, QSCD. The search for a tool independent of SIM cards that could provide the same level of trust and security became a crucial question.

This journey led to the birth of Smart-ID in Estonia, a mobile application-based electronic identity tool upgraded to QSCD level in 2018. Auðkenni, recognising the need to break free from dependence on mobile operators and SIM card vendors, decided to implement Smart-ID technology to address these challenges.

The integration work began in 2020, and by 2021, Smart-ID was seamlessly integrated into Auðkenni’s identity app in Iceland. The Auðkenni app has witnessed a remarkable rise in popularity, earning the trust of banks, major Icelandic companies, and the public sector. Active accounts tripled in the first year, showcasing the solution’s user-friendly and trustworthy nature.

Auðkenni’s strategic move

In 2019, Auðkenni initiated discussions with SK to explore opportunities for accelerating digital advancements among Icelandic citizens using Smart-ID. The comprehensive business validation stage ensured the feasibility and effectiveness of the proposed model. Auðkenni’s strategic objective was to establish a local certification authority, leading to the development of a white-labelled version of Smart-ID named Auokenni.

Following successful implementation, Auðkenni enabled thousands of Icelandic citizens to engage in secure digital transactions. Recognising the value and impact, the state decided to acquire Auðkenni, enhancing citizens’ trust and confidence in the platform.

Iceland’s unique business environment

With its Nordic island charm and strategic focus on renewable energy, Iceland offers a unique business environment that combines natural resources, sustainability, and a growing international appeal. The collaboration between SK ID Solutions and Auðkenni aligns seamlessly with Iceland’s commitment to innovation.

Auðkenni’s journey, intertwined with SK ID Solutions, exemplifies the power of enduring collaborations in addressing complex challenges. The implementation of Smart-ID technology showcases how modern solutions can empower nations to build secure and trustworthy tools recognised by major international organisations such as the European Union. Celebrating the success of Smart-ID in Estonia and Iceland underscores the importance of partnerships in driving digital innovation and transforming the digital landscape for the better.

Resouce: e-estonia