Compliance

Legal compliance of services provided under ID operated by Evrotrust

The services provided under ID operated by Evrotrust are certified and registered in Europe, so they have legally binding effect for the market agents. They are treated by courts as valid evidence. Learn why:

ID operated by Evrotrust provides a unique technology for remote electronic identification, remote signing with qualified electronic signatures and remote registered delivery service. These are legally regulated services, and Evrotrust is audited for compliance with all applicable EU standards by independent conformity assessment bodies, registered and supervised by the national supervisory authorities. Thus all services benefit from legal recognition.

The technology and the qualified trust services are regulated by a special supranational law in the EU – Regulation (EC) 910/2014 on Electronic Identification and Trust Services (eIDAS). This Regulation has direct effect and is mandatorily applicable in all EU member states without needing to be nationally transposed. Since Evrotrust Technologies JSCo is registered in an EU Member State, the qualified services it provides are valid throughout the EU. The registration in the EU Trust List is available here.

In the Republic of North Macedonia, eIDAS is fully transposed and qualified trust services enjoy full legal recognition on its territory, according to the national Law on Electronic Documents, Electronic Identification and Trust Services. Further, due to the specifics of North Macedonian legislation, the scheme for electronic identification is registered and provided by a local company – Evrotrust Technologies DOOEL, Skopje. The registration in the North Macedonian Trust List of Trust Service Providers and Issuers of eID Schemes is available here.

Remote electronic identification

The remote electronic identification is developed as a national private scheme for e-identification. It aims at the remote identification of natural and legal persons. The scheme corresponds to assurance level “high” according to Art. 8, para 2 (c) of eIDAS and the Implementing Regulation (EU) 2015/1502. It is based on attestation of the identity of the person from a smart device towards any interested third party by issuing one-time attribute qualified certificates, as regulated in Art. 28 (3) of eIDAS. In the Republic of North Macedonia, the electronic identification is officially registered as a service provided by an issuer of an eID scheme and is listed in the North Macedonian Trust List of the Trust Service Providers and Providers of eID Schemes.

Remote issuance of qualified certificates and signing with qualified e-signatures  

Present technologies for using qualified e-signatures require the user to hold devices (smart cards, tokens, card readers) and to possess technical knowledge (installation of drivers, certificate chains), while remaining dependent on a particular computer. From a usability point of view, these facts create barriers to the wide use of e-signatures. Moreover, conventional technologies are vulnerable to hacking interventions (man-in-the-middle, man-in-the-browser). The ID Operated by Evrotrust technology gives the customer the option to issue and store their private key for signature creation in a remote, highly secure hardware cryptomodule (HSM) and to sign remotely with a qualified electronic signature (QES), independent of any device and any technical knowledge whatsoever. The signing is authorized via the most widely used device worldwide – the smart mobile phone/tablet. The service for issuance and maintenance of qualified certificates for e-signatures and e-seals is certified for eIDAS compliance and is registered as a qualified trust service in the EU Trust List.

The remote signing with qualified e-signatures is a separate service, which is audited for compliance with the applicable EU standards by an independent conformity assessment body.

Qualified electronic registered delivery service 

Handing over electronic documents and other digital content while proving in an unambiguous way the identity of the sender and the receiver, the time of sending and receipt, and the integrity of the content is a legally recognised alternative to the registered mail service of the paper-based world throughout Europe and on the territory of the Republic of North Macedonia. The service developed makes it legally possible to hand over documents (invoices, payment reminders, terms and conditions, contracts etc.) immediately and securely to another addressee registered with Evrotrust, directly on their mobile phone, by generating the respective return receipts. The qualified electronic registered delivery service is certified for eIDAS compliance and is registered as a qualified trust service in the EU Trust List.

The technology, the services and the whole infrastructure meet numerous technological standards. Whether Evrotrust meets these standards is assessed by conformity assessment bodies (auditors), accredited under national accreditation schemes. The list of these auditors is available on the website of the EU Commission. In order to provide qualified eID and trust services, the trust service provider must undergo a full conformity assessment audit of its activities and of each qualified trust service it provides every two years. Evrotrust is audited for conformity with these standards by the Czech conformity assessment body TayllorCox and the Norwegian auditing body DNV GL.


ISO Standardisation
  • ISO/IEC 27001: Information Security Management System; 
  • ISO 22301: Business Continuity Management System; 
  • ISO/IEC 20000-1: IT Service Management System; 
  • ISO 9001: Quality Management System.

eIDAS Standardisation
  • ETSI EN 319 401: General Policy Requirements for Trust Service Providers; 
  • ETSI EN 319 411-1: General requirements; 
  • ETSI EN 319 411-2: Requirements for trust service providers issuing EU qualified certificates; 
  • ETSI EN 319 421: Policy and Security Requirements for Trust Service Providers issuing Electronic Timestamps; 
  • ETSI EN 319 102-1: Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation; 
  • ETSI EN 319 521: Policy and Security Requirements for Electronic Registered Delivery Service Providers; 
  • ETSI EN 319 531: Policy and Security Requirements for Electronic Registered Electronic Mail Service Providers; 
  • ETSI TS 119 431-1 and ETSI TS 119 431-2: Creation of remote qualified electronic signatures and seals;
  • eIDAS Art. 24 (1) (d): Remote electronic identification with level of assurance as to a physical presence for the purposes of issuing of qualified certificates for qualified electronic signatures and seals under Art. 24 (1) (d) of eIDAS; 
  • eIDAS Art. 8(2)(c) and IR (EC) 2015/1502: Level of assurance high of the remote electronic identification trust service from a smart device, according to Art. 8, para 2 (c) of eIDAS and Implementing Regulation (EC) 2015/1502. 

ID operated by Evrotrust employs, as a service, a new method for electronic identification based on a trust service. From a legal point of view, it does not rely on the technologies used (video identification, 3D liveness, etc.), but on an eIDAS trust service provided by a qualified trust service provider through the issuing of a qualified certificate, relying on the consultation of national registers and on remote biometric identification. The certificate bears more identity attributes than normal certificates. This method for remote e-identification is explicitly regulated as meeting the AML requirements under Art. 13 (1) of Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU (the 5th AML Directive, in force as of 9th July 2018). Art. 13 of the 5th AMLD reads: “identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source, including, where available, electronic identification means, relevant trust services as set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council ….”. All EU Member States and Acceding States have transposed the rule.

As an advantage, eIDAS rules regarding responsibilities and mutual recognition apply to such an identification through a qualified certificate.

This method is more favorable to financial institutions and other persons obliged under the 5th AMLD than the direct use of video identification. If the obliged persons only use video identification (with 3D liveness, etc.), they rely on the technology, and the risk of wrong identification remains with the obliged person. If they identify the client through a trust service (qualified certificates with more attributes), they rely on a regulated trust service governed by eIDAS. The risk of wrong identification rests with the trust service provider by law. The method explained is thus equally legal in all EU member states and Acceding countries.

The Evrotrust eID solution was recognized in an official report of the European Commission as one of the 7 possible methods for remote on-boarding in the financial sector that meet the requirements for AML/KYC. The report is available on the webpage of the European Commission here.

In the Republic of North Macedonia, the solution is AML compliant under the explicit provision of Art. 4 (1) of the Law on Electronic Documents, Electronic Identification and Trust Services. The full text is available here.

The solution allows for legal attestation of a substantial part of the consumer’s data for KYC purposes. It is based on the collection and validity check of personal data, copies of ID documents and self-signed declarations (PEP, money source, true shareholder, etc.), and it provides a legal tool for signing those with a qualified e-signature that has the same legal effect as a handwritten signature on paper. These are needed for the conclusion of contracts for financial services or for processing financial transactions. Thus basic KYC check requirements can be fully met.

The electronic identification service is compliant with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR). The company has been certified for GDPR compliance by an accredited conformity assessment body. The measures for personal data processing and storage go far beyond the security requirements set forth by the GDPR.

The Evrotrust solution is fully compliant with Directive 2015/2366 (PSD2). In particular, it meets the requirements for Strong Customer Authentication (SCA). Payment service providers (PSP) must ensure that security measures are in place to protect the confidentiality and integrity of personalized security credentials. Article 97 of PSD2 requires payment service providers to authenticate users when 1) accessing an online payment account, 2) initiating an electronic payment transaction, and 3) carrying out an action through a remote channel that may imply a risk of payment fraud or other abuses (see European Banking Authority – Regulatory Technical Standards on strong customer authentication and secure communication under PSD2 – RTS). The basic definition of “strong customer authentication” is presented in Article 4 (30) of PSD2. It states that authentication must be based on the use of two or more possible authentication elements, categorized as: i) knowledge (i.e., something only the user knows, such as a password), ii) possession (i.e., something only the user has, such as a token or device), and iii) inherence (i.e., something only the user is, which a fingerprint or a face scan proves). The RTS creates requirements around the application of two-factor or multi-factor authentication in the context of PSD2. The mobile phone used within the ID operated by Evrotrust solution establishes a ‘known’ object that the consumer possesses, creating a method for two-factor authentication. The solution establishes biometric security, like fingerprints and facial recognition, independent of the presence of a smartphone-integrated feature (like in iPhone X). These methods allow regulated financial organizations to accurately verify the identity of a user requesting access. Evrotrust technology, as integrated by the payment service provider and delivered to the end-user, meets all these requirements.

As already mentioned, it rests on a technology based on certified qualified trust services, which undergo security, organizational and other audits every two years. It is a 2FA strong authentication method, which embeds OTP and other dynamic methods for credentials exchange, involves multi-factor knowledge-biometrics access, and is based on asymmetric cryptography, based on a regulated qualified service. Referring to such services is directly envisaged by the Delegated Regulation on Implementation of PSD2. In particular, it meets the requirements of Article 29, which requires, for the purpose of identification, qualified certificates for electronic seals and qualified certificates for website authentication.

Evrotrust Technologies JSCo., Sofia, Bulgaria, as a qualified trust service provider, is registered in the EU Trust List. The registration can be found here. As a qualified TSP, Evrotrust is supervised by the Bulgarian Communications Regulation Commission (CRC).

Evrotrust Technologies DOOEL, Skopje, North Macedonia, is registered on the territory of the country as an issuer of an electronic identification scheme and is registered in the North Macedonian Trust List. The registration can be found here. As an issuer of an eID scheme, Evrotrust is supervised by the Macedonian Ministry of Information Society and Administration (MISA).

Evrotrust is obliged by law to keep documentation with respect to qualified trust services and electronic identification up-to-date. All documents are published on the website of Evrotrust as a qualified trust service provider here.

For the provision of the ID Operated by Evrotrust service from a smart device on the territory of the Republic of North Macedonia, the following documents must be consulted by the end-users:

DECLARATION OF CONSENT FOR AUTOMATED PROCESSING OF BIOMETRIC PERSONAL DATA

PRIVACY POLICY APPLICABLE TO THE MOBILE APPLICATION ID OPERATED BY EVROTRUST

TERMS OF USE OF SERVICES ACCESSIBLE THROUGH THE ID OPERATED BY EVROTRUST MOBILE APPLICATION