Author: Ingolf Rauh

eIDAS 2.0, NIS2 and Trust Services - The EU on the road to over-regulation?

In the future, trust service providers will fall under critical infrastructure according to the NIS-2 directive. However, these providers are already regulated by the EU regulation eIDAS. Are the services now threatened by rampant bureaucracy and what does the possible double regulation mean for the market environment? Ingolf Rauh, Head of Product and Innovation Management at Swisscom Trust Services, shows what the current situation means for companies that use digital trust services.


On January 16th 2023, the EU directive NIS2 came into effect, and EU member states must transpose it into their national law by fall 2024. The goal is to modernize the legal framework for the operation of critical infrastructure so that it keeps pace with the growing threats on the internet. Overall, this is meant to ensure that member states appropriately equip and secure their critical infrastructure, such as hydropower plants or energy supply facilities. As in large companies, Computer Security Incident Response Teams (CSIRTs) take action and work together with central state offices and the Network and Information Systems Authority (NIS). Member states are to cooperate with each other, ensure the exchange of information, and check critical infrastructures for compliance with security requirements.

In addition, the EU Parliamentary Committee voted in favour of the eIDAS2.0 proposal on 9 February 2023. The usual trilogue of the EU legislative process will now begin on this matter. Unlike NIS2, however, eIDAS 2.0 is a regulation that will become directly applicable throughout the European Union once it enters into force, without the need for prior transposition into national law.

Double the effort for audits

The new NIS2 directive also applies to trust service providers. This is reasonable, because a trust service provider is critical infrastructure for its country, or even for the entire EU. The issue, however, is that trust service providers have already been highly regulated, controlled and audited under the EU regulation eIDAS since 2014, and they will remain so in the future under eIDAS 2.0.

Now, trust service providers must also comply with NIS2, i.e. with the transposed national laws of the EU member states. In the worst case, this could lead to contradictory audit requirements. Moreover, it has not yet been clarified which national agencies will take on supervisory responsibility. Probably, various ministries and authorities of the respective EU member state will take on this responsibility, resulting in higher complexity. Standardization organisations such as ETSI are already trying to bring together those responsible for eIDAS and NIS2 in order to harmonize the different audit requirements.

Impact on the trust service provider market

On the one hand, the threat of double regulation and increased audit requirements will lead to higher operating costs for trust services. This cost pressure will further promote consolidation in the market. In addition, there will be increasing demands on the infrastructure. Smaller trust service providers that do not yet have geo-redundant operations could face problems. The consolidation of the market means that companies have to look for a trust partner today that has sufficient resources, experience and strategic foresight to cover all future regulations.

Furthermore, the design of eIDAS 2.0 presents the entire market with a crossroads. In the case of a strict interpretation with a high level of trust, as demanded by the EU Council and Parliament, the video identification procedure could suddenly no longer be possible. In some southern European countries, electronic signatures based on the eID approved there could even become impossible altogether, as the eID regulations there have so far been less strict than in Germany, for example. The regulation speaks here of a trust level of "high" instead of "substantial".

The original eIDAS Regulation of 2014 was still very much characterized by national regulations or by specifications of the national supervisory authorities. Today, for example, a trust service for remote signatures from Germany or Austria must provide proof of an audit according to the ISO EN 419 241-1 standard for remote signatures in order to be approved. Other European countries, on the other hand, sometimes handle auditing less strictly.

In the two processes now running in parallel, the eIDAS 2.0 trilogue and the transposition of NIS2 into national law, it will be important to find a middle way between strong security rules on the one hand and a healthy market environment on the other. Otherwise, over-regulation or conflicting regulation threatens to do immense damage to an entire market and to set back digitisation in Europe by years.
