With eIDAS 2.0 and its Implementing Acts being actualized, the work is cut out for Dutch governmental organizations and other QEAA issuers to step up their game, says Arvid van der Bruggen, Product Owner at Kiwa’s Digital Certification team.
As a global specialist in Testing, Inspection and Certification (TIC), Kiwa’s goal is to create trust around the world. The company is located across 29 different countries and employs over 10,000 people.
Moving toward digital licenses on land, at sea and in the air
Kiwa’s digital certification journey all started with a request from the European Aviation Authority, Arvid says. Kiwa issues documents on behalf of the Human Environment and Transport Inspectorate, for transport by road, on water, and through air. This includes documents such as licenses for taxi drivers, pilot’s licenses, and licenses for seafarers on ships that sail under a Dutch flag.
“The European Aviation Authority was looking to digitize pilot’s licenses. Having experience with digitizing taxi driver’s licenses, we felt called to use our knowledge in this area. Looking at the bigger picture, we realized that the demand for digital certificates would grow rapidly with eIDAS 2.0. Already in 2019, we started asking ourselves the question: how do we standardize these digital licenses?”
In the years that followed, Kiwa created a public key infrastructure (PKI) system that can issue personal documents. “In the absence of properly functioning wallets, we built our own,” Arvid says. “But in the end, our goal is not to be a wallet provider, it is to be an issuer.”
Kiwa’s digital certification team, which can be seen as a start up within the Kiwa company, has been working on this project since 2019. And now, the project is coming alive: two months ago, the team commenced the digital seafarers certification pilot.
The digital seafarers certification pilot
In May this year, Kiwa initiated a pilot together with the Dutch Ministry of Infrastructure and Water Management to issue digital certificates of competency (CoC) and digital certificates of competency (COP) for tankers to Dutch seafarers.
The certificates are issued in a digital wallet created by Kiwa. The app can be used by both the seafarers and the enforcement agencies. The enforcers can also use any other compliant ISO18013-5 app that supports the defined DocType.
The electronic certificates are legally recognized and have the same value as traditional paper documents. They are encrypted and secured with advanced digital signatures, based on ISO 18013-5, guaranteeing their authenticity and integrity.
To explain the digital certificates to international parties, the Dutch Ministry has issued a ‘To Whom It May Concern’ letter. Additionally, seafarers will also be provided with a physical document, to prevent ships from being stuck in harbors that do not accept digital documents.
The pilot runs for six months, until October 2024. Kiwa and the Ministry will then evaluate the pilot through interviews, data, and audit logs.
What’s next for governmental organizations?
Organizations such as Kiwa have not been sitting still throughout the development process of eIDAS 2.0. But governmental organizations have their work cut out for them as well, Arvid highlights.
“One of the most important steps that governmental organizations must take is making legislation suitable for the issuance of digital documents. At the moment, legislation has very literal descriptions of what documents should look like. So there is quite a bit of work on the policy side to review all your legislation. If the digital equivalent is not included, it simply cannot be accepted. A number of government departments have already been working on this, but there are also some departments that are running behind.”
“The next step is looking at the core registry. Usually, the data is not managed by the policy department, but by an executive department. And they will need to prepare on the basis of the legislation as well. What’s important is to decide whether the attributes can be issued as EAAs (electronic attestation of attributes), or QEAAs (qualified electronic attestation of attributes). In the latter case, you need to become a Qualified Trust Service Provider (QTSP) to be able to issue these QEAAs.”
Creating trust with eIDAS 2.0
Having built a wallet and platform to issue attributes, Kiwa is a step ahead of many organizations that will become attribute issuers. Yet, not everything around eIDAS 2.0 is set in stone yet, and the organization is also waiting for the 35 corresponding Implementing Acts. The European Commission plans to adopt the first set as early as November 2024.
“A lot will depend on that,” Arvid notes. “How will countries implement the legislation? Usually, the Netherlands aims to become a role model, so it will usually implement the strictest, and therefore the most expensive legislation. What does that imply for organizations that want to become a QTSP?”
Under the eIDAS 2.0 regulation, a QTSP must undergo an independent conformity assessment and audit by an accredited institution. “This is a difficult process, which means it will also only pay off with the right numbers”, Arvid says. “That’s why it makes sense for Kiwa to prioritize being an issuer, rather than a wallet provider: we have the knowledge and expertise to be a QTSP.” At the moment, Kiwa already holds the position of QTSP on behalf of the Ministry of Infrastructure and Water Management, which is specific to the issuing of taxi driver’s licenses.
Due to the difficulties in becoming a QTSP, the organizations in the Netherlands that will hold this position might be limited, Arvid says. “Given that eIDAS 2.0 is a European regulation, organizations can just as easily decide to work with a QTSP from another EU country. But is that what we want?”
“Ubiqu is one of the Dutch organizations that can provide the technology to become a fully certified wallet issuer with QTSP status. And that’s great, because we need that technology in the Netherlands. Without parties like Ubiqu, we will lose the knowledge here and will have to outsource everything to other countries. We need to prioritize expertise and innovation in our country to create a level playing field for QTSPs.”