How to ensure safe and compliant email communication
Email phishing accounts for over 90% of cyber attacks, and with the implementation of privacy regulations like GDPR, secure and compliant information exchange has become crucial. To address the security weaknesses of email transport protocols such as SMTP (Simple Mail Transfer Protocol), which was never designed to authenticate senders or protect message content, the EU has established the eIDAS regulation's eDelivery building block.
By implementing eDelivery for email, you can connect to a closed network of verified sender and receiver organisations. Additionally, you can use EU-approved e-ID to sign and encrypt emails, providing the recipient with information about the sender and their organisation, similar to a national digital post system. This standardised approach aligns with the European Interoperability Framework (EIF), reducing costs, time, and administration for safe and compliant email communication by 99.9%.
The need for an international secure email solution
In the past, designing and packaging an international, secure, and compliant email and digital post solution was not practical or user-friendly. However, such a solution is now available as an option. Secure email standards were defined back in October 1995, and the EU introduced eID and electronic signature laws through the eIDAS regulation* on July 1st, 2016. Today, digital post systems in different countries resemble the digital version of ordinary postal services, lacking cross-border functionality and failing to adhere to international treaties. The European Commission has addressed this issue by defining eDelivery in the eIDAS regulation, which enables secure and compliant information exchange across Europe based on open source and ISO standards.
Implementing safe and compliant email
E-Boks in Denmark is an example of a digital post provider that uses eDelivery for security and GDPR compliance. They have exported this solution to Greenland, Ireland, and Norway. E-Boks describes digital post as a protected platform, safeguarding users against unwanted emails, advertisements, phishing attempts, viruses, and spam. As of 2023, the EU widely uses eDelivery to integrate the Single Digital Gateway (SDG), facilitating secure information exchange between member states' authorities. SDG aims to provide citizens with a single domestic site that connects to all relevant EU authorities behind the scenes, covering real-life events for individuals and businesses.
Governments can leverage the eIDAS regulation, law, and SDG to implement safe email practices for Europe's public sector, citizens, and companies. By exchanging signed emails using approved eIDs and the secure eDelivery system, senders can have digital proof of delivery, while receivers can verify the sender's identity and ensure safe information transfer. With the majority of cyber attacks originating from email phishing attempts, implementing such a system becomes crucial.
Benefits and future developments
Most individuals in Europe are now familiar with using email and would be able to utilise eID and send secure emails easily. The public sector is guided to use the European Interoperability Framework (EIF) to establish interoperable digital public services. By adopting a unified solution across Europe and using one encryption certificate per receiving organisation instead of per user, costs and administration can be reduced by 99.9%. Brazil serves as a role model in this regard, as their central bank made mobile instant payment a free service for all individuals and companies, and they may adopt a similar approach to digital post/email in the future.
In Sweden, an ongoing project called SDK (Säker digital kommunikation) aims to enable secure and compliant information exchange exclusively within the public sector. However, an obstacle arose from the inability to determine the individual sender's digital signature on the message and its attachments in SDK, even though the sending organisation is known. Instead of using email standards and the internationally recognised sign-and-encrypt email standards, SDK uses message formats that are not standardised and solutions that do not work across borders. Adopting international standards would be more efficient. This approach would significantly reduce costs and administration, as a single certificate per organisation could replace the need for individual public certificates. Users could continue using their normal email clients in most cases or opt for a separate email system for higher security classifications. SDG will also create repositories of links (URLs) to establish a whitelist of entities that should be part of the SDG eDelivery networks.
To ensure safe and compliant email communication, organisations should consider implementing the eIDAS regulation's eDelivery building block. This approach provides a secure network with verified senders and receivers, enabling the use of approved e-IDs to sign and encrypt emails. The European Interoperability Framework (EIF) provides guidance for setting up interoperable digital public services. By adopting one standardised solution and using one encryption certificate per receiving organisation, costs, time, and administration can be significantly reduced.
With these measures in place, email communication becomes safer, which helps combat the high prevalence of cyber attacks that start with email phishing attempts and supports the purpose of the European Cybersecurity Competence Centre (ECCC). The ECCC aims to increase Europe's cybersecurity capacities and competitiveness, working together with a Network of National Coordination Centres (NCCs) to build a strong cybersecurity community.
*The eIDAS regulation defines an electronic signature as follows: "data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign" (eIDAS Article 3.10).
On the other hand, a digital signature refers to a mathematical and cryptographic concept extensively used to provide practical instances of electronic signatures. According to the definition provided by ETSI TR 119 100, it is "data appended to, or a cryptographic transformation of a data unit that enables the recipient to verify the source and integrity of the data unit and guard against forgery, such as by the recipient."
It is important to distinguish these two concepts, since not all electronic signatures qualify as digital signatures. Moreover, only a limited number of standards govern how the electronic/digital signature is associated with the signed data. Examples include signed/encrypted email, eDelivery's ebXML format for structured data, and signatures embedded in unstructured data such as a PDF file, where the application can display the signature to the user. The European Commission has also gathered a set of eSignature FAQs.