Hi everybody, thank you. I'm still emotional after more than 10 EuroPythons. I am Roberto Polli and I work at Par-Tec on secure, resilient cloud platforms, and I spent the last five years in the Italian Digital Transformation Team working on API interoperability and standards. Today, in this opinionated talk (opinions are my own), I will present the current state of digital services in the European Union with a focus on normative and technical changes and their impacts on digital platforms. This requires introducing the European institutions and the strategy that the Union has on cross-border services. I will then present digital identity as a case study to show some cross-border interoperability challenges, and finally I will show the European Interoperability Framework, which helps improve the user experience, cybersecurity and maintainability of digital public platforms. But this applies to every service that has to work cross-border: if you have a service that needs to work between different countries, roughly the same principles apply. If we have time we will speak about the impacts of the Cyber Resilience Act on open source, but there have been panels on this, so let's check.

So what's the European Union? Well, it's a lot of people, languages, wonderful places like Prague (a big wave to Prague). And well, for me it is having 27 member states that stopped fighting each other, and that's really great. But Conway's law applies, and the Union structure affects digital services. So let's meet the Union. Broadly speaking, European laws require the agreement of three institutions: the legislative, that is the Parliament, elected by citizens, and the Council, composed of member state ministers reunited by sector; and the executive, that is the European Commission, which is agreed by member states and the Parliament.
Well, shortly, you have a two-lane governance: on one side there is the Parliament, elected directly by citizens, and on the other there are the member states. As you can see, every institution works per sector, and this really affects our lives; maybe we don't know it, but it actually does. The Parliament works in committees, the Council per ministry, and the European Commission is divided into a sort of ministries, per Directorate-General. So we have a vertical structure and a sectoral structure. Don't be afraid. And since the Union is founded on international treaties, the Commission can only propose laws in specific policy areas mentioned by the treaties. What does it mean for digital? The policy areas that motivate what we experience every day, for example from the digital green certificate to the European digital identity system, or the Cyber Resilience Act, or all the laws about mobile phone chargers that the European Union has made uniform, are based on these policy areas: for example the functioning of the internal market (see the phone chargers) and the European telecommunication networks.

All this stuff materializes in two principal law types. The regulation: see the GDPR, a regulation is the same law for all countries, GDPR is one law in all countries. Another law that is a regulation is eIDAS, which establishes the identity framework for Europe. The other one is the directive: a directive sets a goal, all the countries want to do something, and this is the case for digital payments in Europe. We want to enable digital payments. OK, a directive decided that goal and every country implemented this directive in their own way. There are other types of laws, but we are not interested in that, shortly.
It's very easy: three institutions, the Parliament, the Council and the Commission, discuss for at least two years and then everybody agrees on regulations, binding the same law in all Europe, or directives, implemented by member states. Governance is shared between member states and the European Parliament. And one of the real issues, but it applies to many things, OK? Digital is affected by different policy areas. So it's a very complex matter, digital is pervasive, it's a very complex matter. So while digital is affected by different policy areas, there is one strategy, the Digital Decade. It has four goals and associated indicators: a skilled population and professionals, secure infrastructures, digitally transformed businesses and digital public services. These are the main focus of this presentation. OK, this seems very general, but actually legislative actions like the Cyber Resilience Act, the Digital Services Act, the Artificial Intelligence Act, that made regulations that regulate all these parts of our lives, map to those goals. And well, there are various monitoring instruments, such as the indicators provided by the Digital Compass, there is the DESI index and the NIFO interoperability observatory. Well, the nice thing of those monitoring systems is that they're published, so you can go on the website, you can download the slides, you can click on those links and check your country. There are all these reports, some with nice infographics, and so you can monitor if your country is doing OK or not, and you can even try to support your country, because our countries, our member states, need us.

So let's zoom on digital services. Always more difficult, maybe. Nobody knows, remembers The Twelve Tasks of Asterix? But I grew up with that, with Asterix and Obelix running on and off between these bureaucratic offices looking for permit A38. So Europe wants to get rid of that, and today we will present the European digital identity that is
established by the eIDAS regulation. It allows cross-border electronic identification and trust services. What's that? For example, a citizen (me, with an Italian digital identity; I have one, well actually I have two) can authenticate to a Dutch digital service, for example to file a complaint. I did it. Well, I didn't file the complaint because I was not a user of that digital service, but I was able to log in and start filling in the forms. Or, for example, I can digitally sign a document with my Italian digital identity and send it to a French company, and it is a valid digital signature. And another example: do you remember the COVID digital green certificates? No? Nobody? You were lucky. OK, well, they were exactly digitally signed documents acknowledged by all European countries, and it was a stepping stone for the second revision of the eIDAS regulation. Another important thing is the once-only principle that is established by the Single Digital Gateway regulation. So you can see infrastructures and regulation, because you need a regulation, you need a law, to create infrastructure. It's not something that you can say "let's create something". Why do you want to do it?
You need regulation even for spending money: your countries need to write regulation before spending money or investing in something. So the once-only principle states (well, that's mind-blowing) that administrations must reduce the administrative burden, reorganizing their internal processes and exchanging data provided by citizens and businesses, eventually creating cross-border services. That's stunning. And then there is the software they use. It is incentivized via the open source software strategy, but is then threatened by the current proposal, because it has not been approved yet and is still under discussion.

So let's start with the European digital identity, instituted by the eIDAS regulation. Yeah, eIDAS is more than digital identity, but we just have time for this now, sorry. A member state, that is Italy, France, the Czech Republic, can qualify its digital identity system as eIDAS compliant. What does it mean, qualify? It means that your country is not forced to do it, it can do it, and in this case those identities can be used to log in to qualified digital services provided by other member states. And this system is working right now, so check whether your country provides you a European digital identity, and you can try on the next screen: prepare your phone, on the next screens there will be a QR code for logging in to the European Union website. But since every member state has its own list of identity providers and different user attributes, they require a national gateway, national components. So you see, there are two users from different countries that are trying to use the service of a Belgian university. The user with the Italian identity is redirected to the Italian identity infrastructure that does all the checks and replies, and then brings back the user to the Belgian university, and this is the same for the Dutch user. The fact is that you have 27 of those blocks, so there is a lot of stuff, a lot of checks, and you will be
requested to continuously give consent for your data going from your national identity provider to a foreign country. The general architecture is quite complex, but it works. And a major challenge is the re-identification of a user from another member state over time. Member states might not rely on identifiers that persist over time, not on unique identifiers. This means that the same German citizen can access an Italian service using a given identifier in 2020 and a different identifier in 2024. Well, how can I recognize him? His identity has been changed. But this is not a problem inside a single state, since internally every state can implement further checks and use different sources in case of homonyms. In cross-border interaction, other member states cannot access all the information of the country of origin, so in case of homonyms a service may not be granted. Well, I don't want to focus on this problem but on the general case: the case of persistent identifiers is debated between member states. Some say it is a threat to privacy. Some say that whatever we do, Facebook already has all your information, so why don't we use it to provide services? But my personal opinion, what I've noted, is that this kind of issue only hinders services for citizens. This is because in case of issuing sanctions, the regulatory framework of all the countries already allows gathering all the information they need. So if you need to be sanctioned for something you have done, there is all the legal background to identify you; but if you need to consume a service, since the framework doesn't allow all those exchanges, there are data protection concerns.
So the point is, this is a topic where not all member states agree. This was the screen: if you want to try your eIDAS login experience you can try on the European Union website. You will be prompted with all the countries that currently have eIDAS supported identities, and the other countries will eventually join in time. But the first thing that you will be asked is which is your country, because you will be redirected to your country's gateway. Currently, you should just focus on the eIDAS login. There are other ways of logging in, but they are, I mean, facility logins, for example Google, but they are not capable of identifying yourself. Well, if you log in with your European identity, they will know that it's you. OK, so it's another way; the quality of the identification is different.

So, yeah, this identification is a great case study for interoperability challenges. It has a critical component, organizational challenges, and so on. The European Interoperability Framework supports the creation of user-centered interoperable digital services, and the governance layers are one of the pillars and classify possible challenges. Number one: legal constraints. Is my service legal in all other states? Do I need to implement further functionalities? For example, opt-out functionalities. This means that creating a cross-border service requires addressing legal issues first. Do you remember GDPR and all that stuff? Legal issues first, then come organizational issues. They are related to the inner functioning of organizations, such as institutions or companies. Well, it's Conway's law again. Then we have semantic issues that cover both the meaning and the syntax of exchanged data. Do my APIs use the same format? If our APIs use different formats, our systems cannot cooperate: if I use SAML and your identity system uses OpenID Connect, we cannot interoperate. Do we use the same currency or temperature scale?
Otherwise we are communicating information, but it does not have the same meaning. I made a talk on this topic and, if you're interested in that, just come back. And then there is the technical interoperability that defines all the required standards, protocols, infrastructure, such as the OpenAPI specification, TLS, encryption algorithms, URLs and so on. So you can see this as a design pipeline: if you don't address a legal issue in the legal layer, it will shift to the organizational layer and so on, until reaching the technical layer, and the more issues you shift right, the more you'll see your service will be unusable.

OK, we can see that all the issues... Well, this is a split-up of the eID on the various layers. I'm not going all through that, but I want to go back to the first example. All the issues that I haven't addressed at the legal layer, that is where member states couldn't agree in a suitable time, eventually shift right. So since there is no agreement on cross-border identification in case of homonymy, service providers have to establish organizational identification procedures. So they have to identify procedures; maybe they will call each other: is Bruno Guns the same Bruno Guns that came back with this identity? Well, they won't go by phone, probably, hopefully, but it means that the issue has shifted right. And so this is for fear of providing data to the wrong person. At this point organizations and service providers can decide to ensure identification. This is always an example on eIDAS; decide another topic, for example digital payments, and you will have similar issues. So at this point organizations and service providers can decide to ensure identification with further data exchanges, creating one-to-one agreements. So instead of having one single European framework, all the shifted-right topics are solved by member states. For example, since Italy and Germany have, for example, five million people (I just throw a number,
maybe it's more) that work or interoperate cross-border, five million citizens, they decide that what they cannot agree on at the European level, they create specific infrastructure for, for communicating or checking identities between the Italian revenue system and the German revenue system, for example. This means procedures and eventually technical components: more hardware, more software, more tests that have to pass. So, shortly: shift-left interoperability. Legal and organizational interoperability enable direct communication between services, because the legal and organizational framework is clear. Shifting issues right to the technical layer might increase the overall complexity to n squared, because we have to implement outside the legal and organizational framework all the possible interactions and conversions, and unit tests and integration tests, and to break all the platforms whenever regulation in a single country is updated. So such point-to-point connectors address specific issues, need to be maintained, operated and eventually aligned with each member state's regulation. This increases architectural and transactional complexity and affects the security posture of the components and clearly of the whole ecosystem. So shifting left on the interoperability pipeline is key to ensure and to create secure, manageable cross-border services. One example, for example not on a national digital identity, was OpenID Connect. You don't need to sign any agreement or to create a specific company to translate OpenID tokens from Google and Facebook.
You just use OpenID tokens from Google, from Facebook: they have the same fields. I mean, clearly they do not provide the same guarantees that certain identification does, but again, it's just an example. Every block that shifts right to the technical layer requires specific technical specifications that are subject to the following risks. These are the risks that you have when you define technical specifications. Over-complexity: bureaucratic non-digital processes are mapped to convoluted API designs without a proper redesign. Time-constrained engineering: we have five people, we have six months to release the new specification for this topic, and whatever we do, it will be released in six months, and it doesn't care. We are a restricted group, there is very little feedback, and this is very problematic. Another one, closed development: the IT community is rarely involved in all these kinds of specification development, it happens in a closed environment, or for security reasons sometimes even the specifications are closed. And redundancy: when built on variations of existing standards without keeping in touch with the original communities, you will eventually end up in messy, complicated and redundant specifications.

Well, we have five minutes and I just want to say one thing about open source and the Cyber Resilience Act. My understanding is that the problem is related to
facing this topic by different institutions, and not every institution has the same knowledge about the topic of open source. For example, the Internal Market Committee made some good amendments and improvements to the Resilience Act proposal, while the Industry Committee made some further amendments that don't help improving it. This is because the industry mindset is different from the mindset of people that work on the internal market and in general on products or software products. So the main topic is this one, and it is important for us to discuss and support the discussion in our companies on this topic, and even with our friends that work in legal departments. For example, legal people are really good at legal, but they don't understand software. Software is not easy, digital is pervasive, and it is a very, very complex topic. So I am finished. Sorry for the rush, and thank you. I don't know if we have one minute for Q&A, but if we have... That's it? OK. Well, if there are no questions... You have one? No? Please. OK.

One example on the critical parts of the CRA is the equating of professional software developers and manufacturers like Google or Samsung. Is this the one when you say why open source should require all the qualifications that you have asked even for single developers and industry?

The industry mindset tells us that a mobile phone manufacturer, for example Google, might refuse to provide security upgrades, telling that they just provided open source software and it is provided as is, so they are not forced, they should be exempted from providing security upgrades on your mobile phone because it's open source. So this is for saying that when we see all those regulations, the first thing we think is that they are crazy. The fact is that they are not, they have a different mindset.
We need to learn the different mindset, the different culture, and try to exploit them and explain better and discuss better why those regulations are problematic. So now it's