15th November 2023
Following years of engagement, we raised serious concerns that recent changes to the EU’s new eIDAS regulation will radically expand the capability of EU governments to surveil their citizens. We were joined in these concerns by over 500 cybersecurity experts, researchers and NGOs, as well as other members of industry and the wider security community. Although similarly dangerous legislation like the CSAM Regulation has faced strong opposition from the beginning, the changes to eIDAS were made behind closed doors as the regulation entered its final stages.
Last week, representatives of the European Parliament, Council and Commission announced they had signed off on the eIDAS Regulation and that a vote in Parliament’s ITRE committee will be held on November 28th. We understand that although no changes have been made to Article 45, there were last-minute changes to the accompanying Recital 32. However, the EU has still not published the agreed legal text. There are now fewer than 13 days until the vote, and the cyber security community, civil society and the public are still unable to read the proposed regulation, let alone scrutinize its impacts.
In a media Q&A given by the European Commission on Thursday (9th November), the Commission characterized the risks raised in the open letter from cyber security experts and civil society as a ‘misunderstanding’. The Commission went on to state that the open letter had been discussed with their experts, who concluded ‘there is no risk of government spying, nor breaching the confidentiality of internet connections’.
We remain deeply concerned by the risks of Article 45 and the motives behind it. The provision has been championed by European Signature Dialog, an industry group whose members have a vested financial interest in selling QWACs. ESD held multiple meetings with the Commission during the closed-door Trialogue process and issued a statement last week claiming that browsers would be required to trust these certificates and would need to get ETSI’s permission to apply security checks like Certificate Transparency. These statements directly contradict the image that was portrayed in the media Q&A session on 9 November and highlight how the law could be used to radically harm web security.
The Commission has not disclosed which experts advised that the security and privacy concerns are unfounded, but it is difficult to square this assessment with the verdict of the overwhelming number of cyber security researchers and academics that signed the recent open letter. Particularly in light of the unfolding controversy regarding the consultation process for ChatControl regulation, it is essential that policymakers seek input from a diverse range of views and stakeholders, and are transparent about who is consulted and their motivations.
We call on the European Commission, Council and Parliament to:
Publish the final legal text of the eIDAS regulation as soon as possible.
Ensure that civil society and cyber security experts have adequate time to scrutinize this regulation ahead of any legislative action.
Be transparent about the advice the Commission has received regarding this regulation and who was consulted.
‘If browsers want to impose additional security requirements on QTSPs, they can bring their additional proposed requirements to ETSI and national Supervisory Bodies and ask them to be imposed on QTSPs.’ (Page 6)
‘The QWACs of a QTSP only need to be “recognized” or trusted by browsers on the basis of being listed on the EU Trusted List.’ (Page 6)
‘The Browsers can easily bring any additional rules they want to impose on QTSPs such as Certificate Transparency to ETSI.’ (Page 7)