WP4: Legal Expertise Center
Implications of eIDAS Regulation for eHealth
Version: Final Draft, incorporating input from the joint JASeHN-eSENS workshop
Date: February 3, 2017
Authored by Zoi Kolitsi, Soeren Bittins, Jean Marc Pellet

Table of contents
1. Introduction
2. eIDAS in the cross-border eHealth context
2.1. Scope of eIDAS in relation to eHealth
2.2. Electronic identification
2.3. eHealth specific attributes
2.4. Trust services
     Electronic signatures
     Electronic documents
     Electronic seals
     Qualified electronic registered delivery services

1. Introduction

Regulation (EU) N°910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (hereinafter the eIDAS Regulation) is widely recognised as a landmark in the world of cross-border electronic exchanges. This paper aims at assessing its impact on eHealth and providing a basis for discussion among members of the eSENS eHealth pilot community and beyond.

The Regulation introduces a coherent framework with a view to providing a high level of trust and legal certainty of trust services, and also a general legal framework for the use of trust services (recital 23 and Chapter III). eIDAS ensures that people and businesses can use their own national eIDs to access public services in other EU countries where eIDs are available. Furthermore, it ensures that electronic Trust Services (TS), namely electronic signatures, electronic seals, time stamps, electronic delivery services and website authentication, will be recognised across borders, while it is left for national law to define the legal effect of electronic signatures. In order to contribute to their general cross-border purpose of use, it should be possible to use trust services as evidence in legal proceedings in all Member States and according to complementing national legislation. These legal effects should be achievable by any technical means provided that the requirements of the Regulation are met (recital 27).

This framework encompasses electronic identification, trust services and electronic documents, and defines the broad array of elements, including criteria and processes for establishment, supervision and conformity assessment, that are necessary to allow for mutual recognition of notified national eID schemes, electronic signatures and electronic seals.
The Regulation foresees enhanced supervision mechanisms for qualified trust service providers by Member States, as well as reporting by these mechanisms, to enable the Commission and the Member States to assess their continuing conformance. The Regulation also provides for the liability of all trust service providers. In particular, it establishes the liability regime under which all trust service providers should be liable for damage caused to any natural or legal person due to failure to comply with the obligations under the Regulation, and allows trust service providers to set limitations, under certain conditions, on the use of the services they provide and not be liable for damages arising from the use of services exceeding such limitations. Customers should be duly informed about the limitations in advance. These limitations should be recognisable by a third party, for example by including information about the limitations in the terms and conditions of the service provided or through other recognisable means.

Providing a legal framework to facilitate cross-border recognition between existing national legal systems related to electronic registered delivery services is also an important enabler. The Regulation furthermore promotes IT security certification based on international standards and related evaluation methods. Processes could be facilitated by a peer review. Notification of security breaches and security risk assessments is essential with a view to providing adequate information to concerned parties in the event of a breach of security or loss of integrity.
The Regulation comprises six chapters:
- General provisions, including definitions;
- Electronic identification, laying out the conditions for mutual recognition of electronic identification means and their different assurance levels (low, substantial, high);
- Trust services, which includes general provisions on supervision and on qualified trust service providers before setting out the provisions for each of the five trust services: electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication;
- Electronic documents, a very short chapter which merely states that an electronic document (defined as any content stored in electronic form, in particular text or sound, visual or audiovisual recording) shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form;
- Delegations of power and implementing provisions;
- Final provisions, which deal in particular with the dates for the Regulation's application:
  o Voluntary recognition of electronic identification means has been applied since September 2015;
  o Mutual recognition of electronic identification means will apply as of September 18th 2018;
  o The provisions on trust services have been applied since July 1st 2016.

2. eIDAS in the cross-border eHealth context

For eHealth, the eIDAS Regulation can provide a holistic framework and a toolbox for establishing trust in cross-border eHealth services. Table 1 summarizes how the different components of the Regulation may be articulated to establish trust. The table does not intend to be a thorough account, but rather to provide an overview of how the eIDAS Regulation resolves liability issues and, once fully implemented, will create enabling conditions for the transfer of health data across borders in the EU.

2.1. Scope of eIDAS in relation to eHealth

As evidenced by its second recital, the Regulation's spirit is to create a foundation for secure cross-border electronic transactions, including public authorities for the purposes of healthcare. The Regulation, in its Recital 10, makes explicit reference to the provisioned eHealth Network guidelines on cross-border access to electronic health data and services, including by supporting "common identification and authentication measures to facilitate transferability of data in cross-border healthcare". Furthermore, it is important to note that (Recital 12) "This Regulation does not aim to intervene with regard to electronic identity management systems and related infrastructures established in Member States. The aim of this Regulation is to ensure that for access to cross-border online services offered by Member States, secure electronic identification and authentication is possible".

Article 2 confirms this wide encompassing approach by only mentioning two instances where the Regulation does not apply to trust services: "1. This Regulation applies to electronic identification schemes that have been notified by a Member State, and to trust service providers that are established in the Union. 2. This Regulation does not apply to the provision of trust services that are used exclusively within closed systems resulting from national law or from agreements between a defined set of participants."

This paper supports the view that the mention of closed systems needs to be understood in reference to systems that are only in operation within an organizational framework that allows them to manage internal processes. As cross-border eHealth services are eventually broadly addressed to all European health professionals and citizens, cross-border eHealth systems cannot be construed as closed systems, and it is clear that eIDAS applies to cross-border eHealth services.
Recommendation 1: Given that the eIDAS Regulation applies to cross-border eHealth, it imposes mandatory conditions, not only for the notification of eID schemes to be used for access to cross-border eHealth services, but also for the cross-border eHealth e-delivery infrastructure and the use of the associated trust services; this in turn requires a thorough review of the current security architecture and transport infrastructure.

2.2. Electronic identification

Electronic identification issues have always been perceived as of great importance for eHealth and, as such, at national level, electronic identification, authentication and authorisation of individuals that may be granted access to personal health data are addressed in ways that sufficiently guarantee privacy, security and protection of data, consistent with national policies and legislation. epSOS did not address the entire dimension of cross-border eID, but limited its specifications, development policies and architecture exclusively to the following premises: (a) health professional identification, authentication and authorisation is a national responsibility, and trust was secured through contractual means of creating transparency and undertaking liability; and (b) patient identification was limited to an act performed by the health professional, allowing him to request the retrieval of the right document for the right person. An extensive analysis of electronic identification and authentication requirements and open issues was produced within the eHGI, the predecessor of JASeHN [1], which is a good starting point for contextualizing the eID aspects of eIDAS for eHealth. Furthermore, in an eIDAS environment it is possible to place the patient in the driver's seat, identifying him/herself through the national eID infrastructure and enabling the request by the specific physician, during the specific encounter, to be provided access to his personal data.
The recommendations in this document are therefore limited to patient identification. Health professional identification and authentication, for the purposes of carrying out the current cross-border eHealth services (ePrescription and Patient Summaries), has been earmarked for later processing due to overwhelming and very practical regulatory, technical and availability constraints.

Electronic identification (eID) within eIDAS is regarded as one of the tools to ensure secure access to online services and to carry out electronic transactions in a safer way. EU patients, health professionals and citizens in general will be able to use the same eID means they are already using at national level to seamlessly access cross-border eHealth services, provided the following conditions are met:

1. The primary electronic identification means used is issued under an electronic identification scheme that is included in the list published by the European Commission in the Official Journal of the European Union. The Regulation sets out conditions for electronic identification means to be notified and recognized [2]. An electronic identification scheme specifies assurance levels (low, substantial and/or high) for the electronic identification means issued under that scheme. It is noted that there is neither an obligation nor a restriction on notifying health-specific identification schemes. Any notified cross-sectoral national/regional eIdentification scheme may be used for the purposes of cross-border eHealth; however, for health care purposes additional requirements need to be met.

2. The assurance level of the electronic identification means corresponds to an assurance level equal to or higher than what the eHealth Network will define under the provisions of Article 14, para 2 of Directive 2011/24/EU [3] to access a certain eHealth service online, provided that the assurance level of that electronic identification means corresponds to the assurance level substantial or high. Member States remain free to recognise electronic identification means having lower identity assurance levels.

The technical specifications for the eIDAS interoperability framework have been developed by the European Commission together with the Member States in order to ensure the interoperability of the electronic identification schemes which Member States notify to the Commission. The reference implementation of these technical specifications has been released by the CEF eID team [4]. The solution is primarily based on the following software components:
- A package for Member States to become eIDAS enabled. This package includes the necessary modules to communicate with other eIDAS-enabled Member States in a centralised or distributed fashion.
- Additional tools for setting up a demo environment for testing purposes.

Assurance levels should be taken into utmost account in establishing minimum technical requirements, standards and procedures within the meaning of eIDAS. Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 sets out minimum technical specifications and procedures for assurance levels for electronic identification means. The implementing act covers requirements for enrolment, credential management and authentication, as well as additional guidance for management and operational aspects such as information security management and legal compliance, which affect the identification and authentication of a "person", both legal and natural. The Regulation foresees that the requirements established should be technology-neutral. It should be possible to achieve the necessary security requirements through different technologies (recital 16), and whenever electronic identification schemes require specific hardware or software to be used by relying parties at the national level, cross-border interoperability calls for those Member States not to impose such requirements and related costs on relying parties established outside of their territory (recitals 19 and 20).

Different cross-border eHealth situations may require different assurance levels. There is therefore a need to agree on specific levels for specific Cross Border eHealth Information Services (CBeHIS). One, however, should not be expected to have different eID means for different uses.

Recommendation 2: The eHealth Network should consider, in the relevant guidelines, appropriate assurance levels for electronic identification and authentication for the purposes of cross-border eHealth services supported by the eHealth DSI, balancing the risks associated with individual or groups of health services and existing national laws and infrastructure capabilities.

[1] eHGI Deliverable 7.4
[2] Member States are not obliged to notify their electronic identification schemes to the Commission. The choice to notify all, some or none of the electronic identification schemes used at national level is up to Member States.
[3] relevant to the role of the eHN in adopting guidelines to… "support Member States in developing common identification and authentication measures to facilitate transferability of data in cross-border healthcare".
[4] https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS-Node

2.3. eHealth specific attributes

Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework defines, amongst others, the minimum set of person identification data uniquely representing a natural or a legal person and the minimum data set for a natural person representing a legal person; these have been included in the eIDAS SAML Attribute Profile.
It is however noted that exchanging identification data alone (name, place of birth and unique identifier) will answer the "who are you" and "are you who you say you are" questions, but additional attributes are needed in order to complete a cross-border eHealth transaction. Firstly, for accessing patient data in another Member State it is necessary that the clinical document or other type of health information being requested is uniquely matched to the identified person and their authenticated electronic identity.

eIDAS services must support at least all mandatory attributes as specified in the eIDAS Attribute Profile. Optional attributes defined in the implementing Regulation should also be supported. Other optional attributes, for example domain-specific attributes, may be supported. Injecting eHealth attributes into the eIDAS attribute profile would have the obvious benefit of enshrining them with the same level of assurance and therefore securing their automatic recognition. However, for this to become possible, it is necessary that at the national level the injected attributes are created and managed at equivalent assurance levels, and that the eHealth attribute providers satisfy the relevant requirements.

Member States have introduced patient identifiers as unique properties facilitating the retrieval of such documents or information. Consequently, and in addition to the fundamental citizen identity traits as encoded in the eIDAS Minimum Data Set (eIDAS MDS), the patient identifier uniquely referencing the assigned clinical information is included in the cross-border authentication. This additional attribute (i.e. the "patient identifier") enables a secure linkage between the electronic identity of a citizen and the information stored in the national healthcare information systems.

It is furthermore noted that the offering of Patient Summary and ePrescription services, whether at national or EU level, requires:
(i) the existence of national level patient identifiers for identifying citizens in their health and health information systems;
(ii) that national authentic sources for patient identifiers meet national requirements for unique identification of patients at the assurance level needed for health care purposes, according to national legislation;
(iii) that there is good convergence at EU level on the needed level of protection of health data.

Recommendation 3: It is recommended that the «patient identifier» linking uniquely health records and other clinical documents to individuals is included as an «additional optional attribute» into the structure laid out in the [eIDAS-Attr-Profile] [5], in order to enshrine this attribute with the same level of protection as the eIDAS minimum data set, irrespective of national choices for notification of cross-sectoral or health-specific eID schemes for the purposes of cross-border eHealth.

[5] It is noted that at the time of the release of this document the eIDAS Expert Group has already adopted a proposal to include the "patient identifier" as an «additional optional attribute» into the [eIDAS-Attr-Profile].

2.4. Trust services

eIDAS Trust Services are an integral part of the eIDAS Regulation and are associated with certain legal effects. Trust services are generally acceptable in court and their evidences can be used in legal proceedings. Each trust service supports specific claims, i.e. originator authenticity, integrity, date and time, etc. The robustness of evidences correlates with the TS type, with the qualifier "qualified" indicating the highest evidentiary value.
The following paragraphs provide an overview of the current status and an initial unearthing of issues; at this stage, however, it is not possible to formulate specific recommendations besides recognizing the need for further in-depth analysis.

Electronic signatures

The Regulation is very much in continuity with the Directive it repealed. Four levels of electronic signature are distinguished: "simple" (not explicitly mentioned) signatures, advanced signatures, advanced signatures based on a qualified certificate (according to the Directive; there are transition measures, most likely ending in July 2017 or when qualified certificates expire) and qualified electronic signatures. Requirements providing for a reasonable level of assurance are attached to the advanced level, as set out in Article 26: "An advanced electronic signature shall meet the following requirements: (a) it is uniquely linked to the signatory; (b) it is capable of identifying the signatory; (c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and (d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable."

In terms of legal effects, recital 49 explains that "it is for national law to define the legal effect of electronic signatures, except for the requirements provided for in this Regulation according to which a qualified electronic signature should have the equivalent legal effect of a handwritten signature." Article 27 goes on to give the conditions for mutual recognition in public services: essentially, if a Member State requires a certain level of signature to access an online service, it must recognise this level and higher, starting from advanced electronic signatures.

The e-SENS eSignature building block is based on and supports the eIDAS policy basis. It supports the eIDAS Trust List Decision (EU) 2015/150 and the eIDAS Format Decision (EU) 2015/1506, thus allowing eSignatures defined in this interoperability framework to be created and validated. Given the similarity of eSignatures and eSeals from a technical viewpoint, the eSignature BB also facilitates interoperability for eSeals.

Electronic signatures are routinely applied and validated, and their use is well specified throughout the NCPeH. Recent developments of the NCPeH reference implementation, OpenNCP, have also led to updates of the technical specification. All eID-related electronic signatures are now processed exclusively by the CEF eSignature Building Block, which is inherently compliant with the eIDAS specification and the specific requirements of such signatures. It is also anticipated that, through the use of the CEF eSignature component, the NCPeH may significantly lessen the burden of the mandatory certification towards the application and processing of qualified signature material, in particular in combination with processing qualified electronic signatures (QES) by a Qualified Signature Creation Device (QSCD). The legal definition of requirements towards a qualified signature creation device (QSCD) is commonly applicable through the eIDAS Regulation; however, the national recognition and certification may differ. The current NCPeH relies entirely on software-based solutions to activate an electronic signature, which could lead to recognition issues in some Member States due to a more exhaustive list of specific national requirements towards QSCD. The same issue of significant differences in recognition through national law applies to the remote signature facility (Recital 52 eIDAS Regulation) as a fundamental enabler of mobile eID use cases.
The fundamental legal instruments, assumptions and objectives that influence the definition and enforcement of the epSOS security architecture have also changed over time. The specification may need a proper review in the light of these changes to still be considered applicable, efficient and secure. It is therefore necessary to consider the newly created reality in electronic signatures appropriately and update the epSOS security architecture accordingly. The latter was created exclusively on the basis of a now repealed legal instrument and suffers from a different definition of electronic signatures. In particular, the newly defined protection properties of the signature-related tools, i.e. electronic signature, electronic seal and electronic time stamp, need to be thoroughly assessed in order to preserve, evolve and enforce the adequacy and efficiency of the NCPeH security architecture. Notable examples are non-exhaustively listed in the following table:

Electronic documents

Directive 2011/24/EU states that Member States shall not refuse to dispense prescriptions issued in another Member State. The Regulation furthermore states that an electronic document shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form. However, while the legal basis for the recognition of the two currently specified electronic epSOS documents exchanged through the services of the NCPeH is robust, there are open challenges relating mainly to patient safety issues arising from the extent to which we are able today to uniquely identify and interpret their content, such as uniquely identifying prescribed drugs across the different Member States, or to update patient records with information generated across borders. This does not impede the legal recognition of the Patient Summary or the Electronic Prescription, but reflects the need for further work.
Consequently, the eIDAS provisions towards electronic documents have neither a negative nor a positive effect on the current cross-border provision of eHealth services through the NCPeH.

Electronic seals

The provisions on electronic seals are, mutatis mutandis, the same as for electronic signatures, in particular in terms of electronic recognition. Only three levels exist: "simple" electronic seals (not explicitly mentioned), advanced electronic seals and qualified electronic seals. Electronic seals are a useful addition in the sense that they give a legal existence to server signatures and can therefore be used in mass processing. There is, however, one notable difference when it comes to legal effects: where a qualified electronic signature shall have the equivalent legal effect of a handwritten signature, a qualified electronic seal "shall enjoy the presumption of integrity of the data and correctness of the origin of the data to which the qualified electronic seal is linked".

The original epSOS specification called for a functional and legal equivalent to the eIDAS eSeal in order to maintain and transport the authenticity, origin, timely sequence and integrity of exchanged clinical documents and collected evidences. At the time of piloting in epSOS, a consolidated legal framework for the eSeal definition and ecosystem was unavailable, and its technical (yet far from legally synonymous) equivalent in the form of qualified electronic signatures was proposed but could not be enforced and operated in a piloting or regular operation mode. eIDAS eSeals may partially fill this gap by enabling an NCPeH to electronically seal the to-be-protected information passing through the NCPeH in an automated fashion and with a sufficient degree of legal certainty.
In the specification of the traditional epSOS security infrastructure, electronic time stamps have been considered but eventually, at least functionally, substituted by a combination of electronic signatures and audit trails to document the specific time when an event took place. Furthermore, transactional and document time-stamping for the services and documents was primarily provided through the contents of the medical document itself. Once the eIDAS Regulation is in full effect, this approach may not be acceptable anymore. Consequently, it might be necessary to assess whether a combination of electronic seals and electronic time stamps is capable of satisfying the protection demands when integrity, date/time and originator authenticity need to be safeguarded and documented.

Qualified electronic registered delivery services

One of the most notable additions brought about by the eIDAS Regulation is the concept of the electronic registered delivery service. Electronic registered delivery services are a secure channel for the transmission of documents, bringing evidence of (the time of) sending and receiving the message. Nevertheless, the Regulation does not assimilate (qualified) electronic registered delivery services to registered postal mail (registered items) as defined under the Postal Directive. Member States remain free to establish such equivalence at national level. eIDAS establishes the principle that an electronic document should not be denied legal effect on the grounds that it is in electronic form. Having this objective in mind, it introduces the Electronic Registered Delivery Service (ERDS) as a new trust service. eIDAS defines an ERDS as a service that makes it possible to transmit data between parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects it against the risk of loss, theft, damage or any unauthorised alterations.
Despite the assurances provided by this basic level, and similarly to other trust services, an explicit legal effect is only attached to the qualified level: "Data sent and received using a qualified electronic registered delivery service shall enjoy the presumption of the integrity of the data, the sending of that data by the identified sender, its receipt by the identified addressee and the accuracy of the date and time of sending and receipt indicated by the qualified electronic registered delivery service". Here the solution is identical to that for electronic seals: practically, the effect could be that a document bearing a qualified electronic signature, sent to a Member State that does not grant the presumption of integrity of the data and of correctness of the origin of that data to such documents, would benefit from such a presumption were the document to be sent through a qualified electronic registered delivery service.

In the eHealth domain, the participating Member States communicate through an interconnected network of single contact points, the National Contact Points for eHealth (NCPeH). The NCPeH forms a secure technical infrastructure for an interoperable, multilateral data exchange, provides the foundation for anchoring trust and liability, and delimits the boundaries of applicable jurisdiction. A reference implementation of the NCPeH was developed in epSOS and is now sustained and maintained by the OpenNCP community, under the responsibility of DG SANTE. Based on the original epSOS specifications, any compliant NCPeH already fulfils or supports the requirements for being considered a gateway for electronic registered delivery services. In practice, these functionalities have not been operated at their full potential due to divergent national policies.

Some of the services introduced by eIDAS may relieve a significant operational burden and may assist in formalising the strict application of the mandated security safeguards. Especially the extended use of eIDAS eSeals may address the following dimensions of trustworthy eHealth applications towards a qualified electronic registered delivery service:
- authenticity of medical information, legal responsibility and applicable jurisdiction;
- origin of the communicated information and documented evidences;
- integrity of the communicated information and documented evidences;
- timely sequence (time stamping) of the communicated information and documented evidences;
- anchoring of trust and documentation of adequate trust bootstrapping between NCPeH.

The prospect of the eHealth Digital Service transport infrastructure being considered a qualified electronic registered delivery service appears tempting for eHealth, as it may help overcome many of today's legal and cost barriers concerning liability, e.g. through the above-mentioned legal effects of the collected evidences. It would however mean that:
(i) the eHealth e-delivery services will be assessed as falling within the definition of qualified electronic registered delivery services;
(ii) the requirements for qualified electronic registered delivery services of para 1, Article 44 are properly profiled to address eHealth needs;
(iii) the providers of these services (national NCPeH) would have to become qualified trust service providers, with the attached costs in terms of certification.

Recommendation 4: It is proposed that a thorough review of the OpenNCP reference implementation is performed in the light of the eIDAS Regulation and the tools it provides, in order to determine the specific additional mandatory requirements for the health sector that are not covered by the general eIDAS operational implementation.
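To make the protection properties discussed in this section concrete (the Article 26 requirements that a signature be uniquely linked to its creator and that any subsequent change in the signed data be detectable, the presumption of integrity and origin attached to a qualified electronic seal, and the combination of seals with electronic time stamps to evidence date and time), the following Go program is an illustration added to this document; it is not code from the OpenNCP reference implementation, the CEF eSignature Building Block or any eIDAS trust service provider. It models a seal as an Ed25519 signature by a hypothetical NCPeH (the identifier "ncpeh-a" is constructed) over the hash of a constructed clinical document plus the asserted sealing time, and a time stamp as a countersignature by a separate hypothetical time stamping authority over the seal itself, so that the stamped time cannot be moved to another seal. Verification reports which property failed. Production seals use the signature formats of Decision (EU) 2015/1506 and qualified certificates rather than raw keys; the simple "|"-delimited payload used here is an assumption for illustration only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Seal is a constructed model of an electronic seal: a server-side signature
// bound to the document hash, the sealing time and the sealing organisation.
type Seal struct {
	Issuer   string // hypothetical creator identifier, e.g. "ncpeh-a"
	SealedAt string // RFC3339 UTC time asserted by the sealing NCPeH
	DocHash  string // SHA-256 of the sealed document, hex encoded
	Sig      []byte // Ed25519 signature over sealPayload()
}

// Timestamp is a constructed model of an electronic time stamp: a third party
// (the time stamping authority, TSA) signs the seal's signature bytes together
// with its own clock, so the time is evidenced independently of the sealer.
type Timestamp struct {
	StampedAt string // RFC3339 UTC time asserted by the TSA
	Sig       []byte // Ed25519 signature over tsPayload()
}

func hashDoc(doc []byte) string {
	h := sha256.Sum256(doc)
	return hex.EncodeToString(h[:])
}

// sealPayload is the exact byte string the seal signature covers (assumed
// format; real seals use the structured formats of Decision (EU) 2015/1506).
func sealPayload(issuer, sealedAt, docHash string) []byte {
	return []byte(issuer + "|" + sealedAt + "|" + docHash)
}

func tsPayload(sealSig []byte, stampedAt string) []byte {
	return append([]byte(stampedAt+"|"), sealSig...)
}

// CreateSeal seals doc on behalf of issuer at time at.
func CreateSeal(priv ed25519.PrivateKey, issuer string, doc []byte, at time.Time) Seal {
	s := Seal{Issuer: issuer, SealedAt: at.UTC().Format(time.RFC3339), DocHash: hashDoc(doc)}
	s.Sig = ed25519.Sign(priv, sealPayload(s.Issuer, s.SealedAt, s.DocHash))
	return s
}

// VerifySeal checks origin (the seal verifies under the issuer's public key,
// Article 26 (a)/(b)) and integrity (the document still hashes to the sealed
// value, Article 26 (d)). The error prefix names the failed property.
func VerifySeal(pub ed25519.PublicKey, doc []byte, s Seal) error {
	if !ed25519.Verify(pub, sealPayload(s.Issuer, s.SealedAt, s.DocHash), s.Sig) {
		return errors.New("origin: seal signature does not verify under the issuer key")
	}
	if hashDoc(doc) != s.DocHash {
		return errors.New("integrity: document was modified after sealing")
	}
	return nil
}

// Stamp lets the TSA countersign an existing seal with its own clock.
func Stamp(tsaPriv ed25519.PrivateKey, s Seal, at time.Time) Timestamp {
	t := Timestamp{StampedAt: at.UTC().Format(time.RFC3339)}
	t.Sig = ed25519.Sign(tsaPriv, tsPayload(s.Sig, t.StampedAt))
	return t
}

// VerifyEvidence checks the combined seal + time stamp: seal validity first,
// then that the TSA signature binds this exact seal to the stamped time.
func VerifyEvidence(sealPub, tsaPub ed25519.PublicKey, doc []byte, s Seal, t Timestamp) error {
	if err := VerifySeal(sealPub, doc, s); err != nil {
		return err
	}
	if !ed25519.Verify(tsaPub, tsPayload(s.Sig, t.StampedAt), t.Sig) {
		return errors.New("time: time stamp does not cover this seal")
	}
	return nil
}

func main() {
	sealPub, sealPriv, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, tsaPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample document standing in for a patient summary.
	doc := []byte(`<ClinicalDocument>constructed sample patient summary</ClinicalDocument>`)
	seal := CreateSeal(sealPriv, "ncpeh-a", doc, time.Now())
	ts := Stamp(tsaPriv, seal, time.Now())
	fmt.Println("evidence:", VerifyEvidence(sealPub, tsaPub, doc, seal, ts))
	tampered := append([]byte{}, doc...)
	tampered[1] = 'c' // one-byte change after sealing
	fmt.Println("tampered:", VerifyEvidence(sealPub, tsaPub, tampered, seal, ts))
}
```

Running the program seals and stamps the sample document, reports that the evidence verifies, then changes one byte of the document and shows the integrity check failing while the seal signature itself is still valid; this is why a seal has to bind the document hash rather than merely travel alongside the document, and why the time stamp has to bind the seal rather than the bare time.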
The list of issues presented in this document, though not exhaustive, is indicative of the breadth of issues that need to be examined.