(13)
Member States should remain free to use or to introduce means for the purposes of electronic identification for
accessing online services. They should also be able to decide whether to involve the private sector in the provision
of those means. Member States should not be obliged to notify their electronic identification schemes to the
Commission. The choice to notify the Commission of all, some or none of the electronic identification schemes
used at national level to access at least public online services or specific services is up to Member States.
(14)
Some conditions need to be set out in this Regulation with regard to which electronic identification means have to
be recognised and how the electronic identification schemes should be notified. Those conditions should help
Member States to build the necessary trust in each other’s electronic identification schemes and to mutually
recognise electronic identification means falling under their notified schemes. The principle of mutual recognition
should apply if the notifying Member State’s electronic identification scheme meets the conditions of notification
and the notification was published in the Official Journal of the European Union. However, the principle of mutual
recognition should only relate to authentication for an online service. The access to those online services and their
final delivery to the applicant should be closely linked to the right to receive such services under the conditions set
out in national legislation.
(15)
The obligation to recognise electronic identification means should relate only to those means the identity assurance
level of which corresponds to the level equal to or higher than the level required for the online service in question.
In addition, that obligation should only apply when the public sector body in question uses the assurance level
‘substantial’ or ‘high’ in relation to accessing that service online. Member States should remain free, in accordance
with Union law, to recognise electronic identification means having lower identity assurance levels.
(16)
Assurance levels should characterise the degree of confidence in electronic identification means in establishing the
identity of a person, thus providing assurance that the person claiming a particular identity is in fact the person to
which that identity was assigned. The assurance level depends on the degree of confidence that electronic
identification means provides in claimed or asserted identity of a person taking into account processes (for example,
identity proofing and verification, and authentication), management activities (for example, the entity issuing
electronic identification means and the procedure to issue such means) and technical controls implemented.
Various technical definitions and descriptions of assurance levels exist as the result of Union-funded Large-Scale
Pilots, standardisation and international activities. In particular, the Large-Scale Pilot STORK and ISO 29115 refer,
inter alia, to levels 2, 3 and 4, which should be taken into utmost account in establishing minimum technical
requirements, standards and procedures for the assurance levels low, substantial and high within the meaning of
this Regulation, while ensuring consistent application of this Regulation in particular with regard to assurance level
high related to identity proofing for issuing qualified certificates. The requirements established should be
technology-neutral. It should be possible to achieve the necessary security requirements through different technologies.
(17)
Member States should encourage the private sector to voluntarily use electronic identification means under a
notified scheme for identification purposes when needed for online services or electronic transactions. The
possibility to use such electronic identification means would enable the private sector to rely on electronic
identification and authentication already largely used in many Member States at least for public services and to
make it easier for businesses and citizens to access their online services across borders. In order to facilitate the use
of such electronic identification means across borders by the private sector, the authentication possibility provided
by any Member State should be available to private sector relying parties established outside of the territory of that
Member State under the same conditions as applied to private sector relying parties established within that Member
State. Consequently, with regard to private sector relying parties, the notifying Member State may define terms of
access to the authentication means. Such terms of access may inform whether the authentication means related to
the notified scheme is presently available to private sector relying parties.
(18)
This Regulation should provide for the liability of the notifying Member State, the party issuing the electronic
identification means and the party operating the authentication procedure for failure to comply with the relevant
obligations under this Regulation. However, this Regulation should be applied in accordance with national rules on
liability. Therefore, it does not affect those national rules on, for example, definition of damages or relevant
applicable procedural rules, including the burden of proof.
28.8.2014 EN Official Journal of the European Union L 257/75