Consultation response to the federal eID law

The krm has drafted a consultation response to the draft eID law. We are happy to make it available for free use.

Note: the deadline for submitting your own statement is 20.10.22.

Download

Here are the most important facts in brief:

The issuance of a simple digital ID card (eID) must be implemented as soon as possible.

Before any ecosystems are considered, this ONE eID must be implemented IMMEDIATELY (usable by the federal government and the cantons) with the utmost urgency. We consider it unnecessary that the present preliminary draft and the envisaged infrastructure provide for several different electronic proofs and describe an extensive ecosystem corresponding to ambition level 3. The latter disperses effort and will unnecessarily delay the introduction of the urgently needed eID. Restriction to the essentials is the key to success.

Without massive simplification, the eID is threatened with the fate of the ePD (electronic patient dossier).

While meeting security requirements and addressing privacy concerns is important, these are clearly secondary to the simplicity and open usability of the eID.

Third-party use of infrastructure creates unknown risks.

The use of the infrastructure for electronic proofs other than the eID must be reconsidered. The associated risks should not be underestimated and may have consequences for the federal government that cannot be assessed. This does not preclude subordinate ID issuers (primarily the cantons, for example) from using the eID, but they are then only consumers and have no influence on the security of the overall system. Whether other users may use the eID in individual cases would have to be subject to rigorous risk assessments (to be included in the law).

The principle of technology neutrality was well taken into account.

Technology neutrality is well implemented in the draft and should not be watered down. In particular, end users should be spared a detailed description of the technical procedures and systems.

Use what already exists: a law for the eID infrastructure already exists!

It seems to have been completely overlooked that laws already exist for implementing the infrastructure described in Chapter 5, namely the ZertES and the VZertES. We strongly recommend that these laws be harmonized. The ZertES already contains 80-90% of the procedures described in the eID draft: delete Chapter 5 from the law and enact a separate infrastructure law or, better, adapt the ZertES. The eID law should be limited to the procedures for implementing the "root" identity (= eID).

No use cases into law

We welcome the decision not to include specific use cases in the law. These do not belong in the BGEID.
