When the European Union's General Data Protection Regulation (GDPR) was finally implemented for most businesses, solution providers felt they could breathe a sigh of relief. However, GDPR is proving to be only the beginning of more regulations that can impact businesses worldwide and solution providers should not rest on their laurels, since there will be much more regulatory work to be done. Those new forthcoming regulations could prove to be a boon for solution providers ready to help businesses comply, or a potential nightmare for those solution providers not thinking far enough ahead.
While GDPR initially only impacted businesses that did any type of electronic commerce with citizens of the EU, many other nations and states saw the potential benefits offered by the EU style of electronic privacy. Take for example the state of California, which is in the midst of creating GDPR-like regulation in the form of the California Consumer Privacy Act, which will potentially impact any organization that does e-commerce in that state.
California is not alone. States including Alabama, Colorado, Iowa, Louisiana, Nebraska, Oregon, South Carolina, South Dakota, and Vermont are all pursuing new legislation that will impact privacy rules. The appeal of GDPR-like legislation extends beyond US territories, and nations such as Brazil, Canada, and Japan are seeking to strengthen their electronic privacy laws as well.
Yet, while those potential regulatory changes are sure to come in the not too distant future, there are more immediate changes on the horizon that will impact any organization conducting business with EU citizens and organizations. This includes the forthcoming EU Payment Services Directive 2015/2366, which, when it comes into effect in June, will require banking and financial services companies doing business in the EU to use Qualified website certificates for stronger identity assurance.
Akin to GDPR, the new directives will impact businesses located outside the EU, if those businesses interact with EU citizens. Of course, that means solution providers will need to be prepared to help their clients meet that legislation.
However, the implementation processes may prove to be a bit easier than GDPR was. Much of the groundwork has been already laid out by the EU's Digital Single Market Policy, which establishes trust services and electronic identification, often referred to as eIDAS. The directive's goal is to provide a predictable regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities.
That roughly translates into making changes to how secure transactions are processed, culminating in some new public key infrastructure (PKI) requirements, along with related changes to the procedures around creating, managing, distributing, storing and revoking digital certificates. So what does all this mean to solution providers?
It will all come down to gaining an understanding of how organizations will conduct business in the EU, and then determining whether those organizations will need to deploy new certificates and PKI methodologies. However, for businesses located outside the EU, gaining access to those new PKI technologies may prove to be a challenge. Simply put, solution providers will need to partner with a certificate authority that is a qualified trust service provider (TSP).
Currently, there are only a few certificate authorities that can provide Qualified certificates. One of the most notable of those providers is QuoVadis, an organization that offers qualified certificates for website authentication (QWAC), qualified personal certificates, qualified electronic time stamps and qualified electronic signatures and seals, including software and cloud signing options.
For solution providers located outside the EU, gaining access to eIDAS-approved technology has proved to be somewhat difficult, forcing those solution providers to work with certificate authorities located within the EU. However, US-based DigiCert recently acquired QuoVadis, providing a solution to what may have become a complex problem come June of 2019.
With the acquisition, QuoVadis Qualified digital certificates will be backed by DigiCert, and the company will incorporate Qualified TLS certificate management, along with QuoVadis PrimoSign and other signing platforms, into its portfolio of services. That allows DigiCert to offer data integrity management for electronic records, as well as other digital signature technologies as required by the EU, and potentially other governments and organizations.
There is no denying that eIDAS is coming and businesses will need to be prepared. However, if the success of GDPR is repeated with eIDAS, other countries will be sure to take a long, hard look at the new PKI spawned by eIDAS and potentially revamp or adopt their own certificate requirements.