Goals and success criteria

From DE4A
Jump to navigation Jump to search

Back to Doing Business Abroad main page

Back to main page of D4.7 Initial Running Phase Report

Back to Previous Chapter: 2. Current Status of Pilot

[Work in progress]

3.1 Introduction

3.2 Learning towards Adoption

3.2.1 Lessons learned from analysing and designing national integration of cross-border OOP

id topic observations lessons for wider adoption and implementing SDG
1 design process Designing national integration required in-depth knowledge of both eIDAS and OOTS. This knowledge (specifically the combination of both) is not broadly available in Member States. Knowledge of both domains should be brought together in order to prevent designing based on false assumptions of the other domain. DBA advises Member States to invest time to bring together the eIDAS and OOTS knownledge. This requires organising and prioritising as this knowledge is scarce.
scoping The project ran into a lot of complex topics that needed to be solved in the pilot design. The pilot lead has organised a series of meetings to discuss these topics.

To keep focus at the core research questions and to limit resources needed, the pilot partners agreed to simplify whenever adequate, e.g. focussing at most important evidence type instead of all possible types, accepting request for one single evidence type at the time (instead of allowing requests for multiple evidence types), limiting to full powers validation to start with. The pilot benefitted from strict scoping.

DBA advises the European Commission and Member States not to solve all user scenario's at once, but to focus on the most frequently used ones. Please focus on core functinality. And at the same time organise follow-ups on improvements and additions to address later on.
company representation Use of eIDAS including legal entity attributes (company representation) is not widespread in the EU. Currently, there are just two eID scheme's notified including legal person attributes. For piloting the partners set up a pilot network of eIDAS nodes including legal person attributes to allow for piloting eProcedures for companies. In preparing for the pilot, Member States turned out to communicate company representation in different ways. Especially regaring the use of the eIDAS representative attributes (representative prefix). Furthermore, during pilot preparation eIDAS node 2.4 became available. This version of the CEF reference software enforced the eiDAS 1.2-specification that turned out to be in conflict with the agreed use of eIDAS attributes in the DBA pilot. The eIDAS 1.2 specification regarding representation is not necesarilly backwards compatible. As a result, this raised additional confusion and led to inconsistent deployments. DBA advises the European Commission to clarify in advance which version of the eIDAS specificaton should be implemented for the SDGR to prevent incompatibility between Member State.
powers validation Validating full powers has been proven to be a first (and good) step in implementing cross-border OOP for businesses (requiring company representation). It allows for moving ahead with eIDAS as is available today and seems fitting for SME's (it will be an official representative initiating business abroad most of the time). DBA advises Member States to focus at implementing full-powers validation flows to start with. Adding more fine grained powers validation is required for 100% implementing the eProcedures, but also adds complexity to the solutions.


Furthermore, DBA advises the European Commission to facilitate validating full-powers using currently available eIDAS. this requires an additional policy rule - please see DBA design documentation regarding this topic.

record matching The pilot partners agreed to provide the national company registry numbers as eIDASLegalIdentifier in the authentication flow (eIDAS authentication proxy role). This diminished the need to do record matching on companies at the data owner. There was not a substantial need to do record matching on the natura person by the data owners of the DBA pilot. DBA advises Member States to use the national company id's as eIDASLegalIdentifiers when extending the pilot to SDG-wide implementation.
explicit request In some cases, users need to express consent for the retrieval of attributes (GDPR). In almost all cases when using the OOTS, the user needs to express explicit request (SDGR). Although legally sound, in practise the difference between both is difficult to understand for data evaluators. DE's furthermore expect that users will ignore such requests and just click "ok". DBA advises data evaluators to integrate (1) request to consent and (2) explicit request into one joint question to the user to prevent adding to the confusion - of course in case both are applicable at the same time.
Multiple-MS scenario's Three- or multiple Member State scenario's (add examples) tend to get really complex, requiring disproportionate resources to analyse, design and implement. DBA advises Member States to start SDG-implementation with the simplest interaction patterns involving just two Membert States.
eIDAS non-notified eID Most of the participating Member States dind't operate a notified eID at the moment of piloting. On a bilateral basis non-notified eID's were accepted for piloting purposes, although pilot partners expressed their doubts regarding acceptance of non-notified eIDs for large scale SDG. Notification of eID's is a strong prerequisite for implementing SDG. Mandatory eID-notification as expected under the new eIDAS regulation (eIDAS revision) will not be in time for SDG-implementation. DBA advises The European Commission and the Member States without notified eID's to agree on a temporarily solution for using non-notified eID's in SDG-procedures.
sector specific systems For the DBA pilot alignment to - or integration with - BRIS has been an important topic from the start of the project. A lot of time has been spent on workshops, desk research and analysis. In the end, re-use of BRIS has been limitied to semantics. Re-use of information flows, building blocks, etc. was not possible due to difference in legal framework, governance, authorities involved, , solution implemented, etc.The solutions have been developed for different porposes and hence are not easily aligned. Integration of the OOTS with sectoral systems (BRIS in this pilot) has proven to be not so straight forward as many expexted at the start of the project. Please take this into account.
user interaction design Several data evaluators needed to implement the same logic in their specific systems, including user iteraction (general explanaition, explicit request, preview). The user interaction design across participating Member States turned out to show some differences in informative texts, detail of explanation, use of buttons, etc. This may lead to confusion for the user that deals with multiple data evaluators as well as a slow learning curve. DBA decided to provide a pilot-wide reference in the form of wireframes to allow for more uniformity across the pilot. DBA advises the Europeon Commissin to provide wireframes in order to have generic steps (like Explicit Request and Preview) implemented in a similar way in all MS.

3.2.2 Lessons learned from implementing and testing the DE4A OOTS

id topic observations lessons for wider adoption and implementing SDG
1 planning and organising tasks The components to be used (in the pilot) were distributed over several authorities in a Member State, requiring the commitment from all authorities. This commitment is not obvious and must be secured beforehand. Also, as the systems are distributed, the teams working on the systems are distributed as well. Collaboration took more time and in each team, a battle for prioritizing needed to be fought. DBA advises to allocate a multi-month phase for involving all organisations involved, aligning between them, prioritising, allocating financial means, etc.

Furthermore, it is necessary to have a coordinating team (having sufficient knowledge about the solution) in each Member State to make sure that legal, semantical, technical and managerial issues are being resolved in a timely manner.

2 handing over Design documents and specification have sometimes been interpreted by different piot partners in different ways. During preperation of the pilot or during interoperabuility testing such differences surfaced. It would be better to have a detailled common understanding of all the design details prior to the testing phase. Take the time for handing over Solution Architecture to WP3 and 5, and make sure that everything is understood. DBA advises the European Commision to put additional efforts in explaining the workings of the SDG OOTS components to public authorities involved. The better the solution is understood by all, the smooher the SDG implementation will be.

Please do not underestimate the national complexity that the SDG imposes on Member States, e.g. record matching.

3 documenting For developers of the common components, there's a lot of logic behind its internal logic, structure, configuration, etc. Deploying these components by the Member States in the DBA pilot raised several questions regarding the use of Docker images, configuration items that needed to be set correctly, required firewall and DNS settings, etc. Things were not always as straight forward as expected. DBA advises the European Commission to invest in proper and clear documentation for developers in Member States, so they can get the OOTS up and running with as less as possible efforts. Documentation should not be too cryptic and short, but definately also be not too extensive. Feedback on the documentation from first movers has proven to be very useful in the DBA pilot.
4 configuring The components needed for SDG rely heavily on use and exchange of certificates for server authentication, signing, etc. The process of acquiring the certificates turned out to be time-consuming and error-prone (all details must be in place when requesting the certificates). Furthermore, the procedure of requesting certificates is regulated in a way it requires signatures of responsible people within the requesting institution that do not on a daily basis work with - and understand the use of - certificates. Or people that are not available imidiately (company executives). DBA advises Member States to prepare for the steps to be taken to request the certificates needed to operate the OOTS.

DBA advises the European Commission to investigate whether the process for acquiring the OOTS certificates can be simplified.

DBA advises the European Commission to design a procedure for communication between Member States in case of change of certificates and to provide for certificate-rollover to guarantee OOTS-connectivity.

5 integrating DE and DO

When integrating to the DT/DR, expect to run into existing problems in the DO/DE systems that need resolving as well. This will create extra work, although the work is not directly being created due to integration with the DT/DR. The problems in the DE/DO systems were existing already, but were not causing real issues until then (problems were accepted) but might need to be resolved in order to achieve good integration to the DT/DR.

DBA advises Member States to take impact on existing systems into account. Including the backlog of items that might need to be resolved before being abble to connect to the OOTS.
6 interopability testing The speed of development varies per Member State. Therefore readiness for cross-border testing (and piloting, for that matter) is also distributed in time. MS A can have their DE ready months before MS B has (due to several impediments). Testing on fixed moments in time for all DEs and all DOs has proven not realistic, as does starting pilots at one moment in time. Wider OOTS implementation requires more inter-Member State coordination regarding exchange of connectivity details, configuration and cross-border interoperability testing. Planning of these activities requires the attention needed and lots of flexibility from the Member States. DBA advises to take this into account when connecting the decentralised SDG OOTS components. We refer also to the eIDAS lessons learned with regards to exchange fo certificates etc.
7 interopability testing The DBA pilot has proven that a lot of settings need to be configured corectly to allow succesful cross-border evidence exchange. During interopatbility testing (connecthatons) Member States sometimes had different views on what components or parameters had to be set in order to start testing. As a result, not in all cases the complete flow could be tested at once. Establish clear readiness criteria for DE/DO/DE4A Connector before starting connectathons.
8 interoperability testing Proper interoperability testing is only possible with the required test eID means. These national eID means have not always been easily available (depending on the MS-specific situation - dependancies on IdP's may exist). This hindered cross-border interoperability testing at some occasions. The effect of lacking test credentials will be much greater in case of large scale implementing the SDGR. DBA advises the European Commission to coordinate exchange of test credentials between Member States. Many-to-many "requesting and sending of eID's on a bilateral basis" should be prevented.
9 reliance on eIDAS DBA pilotting - just as SDG implementation - relies on use of eIDAS. Unfortunately, eIDAS is not fully up and running in all Member States. In preparing for the DBA pilot, Member States had to setup eIDAS as well (pilot network of eIDAS nodes). In interoperability testing, several eIDAS related setup-issues needed to be solved. DBA advises the Member States to setup and test national eIDAS deployment prior to implementing the SDGR, to prevent this delaying SDGR.
10 SDG implementing acts DBA pilot implementation has been delayed by numerous discussions (within Member States and between Member States) on alignment with the SDG OOTS that was being sketched at the same time. Although this approach had been deliberately chosen and agreed upon at the start of the DBA project (to enable real piloting and provide input to SDG), in practise discussions were raised over and over again. DBA advises the European Commission and Member States to be aware no such thing as 'a final version' exists in the area of inter-Member State information exchange. Moving forward step-by-step with versions currently available is crucial to progress. Note that continuous alignment with all European initiatived during single steps is not feasible and will delay each initiative started.
11 Cooperation Slack seems to be a good means to have developers of different MS / WPs collaborate DBA advises to facilitate technical experts of the Commission and the Member States to easily ask eachother questions, respond, etc. using a tool for this purpoise, e.g. Slack.

3.2.3 Technical, semantic and organisational/legal knowledge provided to other WPs

id topic observations lessons for wider adoption and implementing SDG
communication Implementation of the Oncle Only Principle might be interpreted as abstract by users / companies that might benefit from it. From a user perspective, there's not too much to see in the OOP-process. OOP might be interpreted as 'not a big deal' by the user. Large parts of the solution are "complexity under the hood". Hence, additional efforts are needed to explain in an understandible way the hugh difference that OOP makes. Use visual tools to show the benefits of OOP to users, e.g. presentations and videos.

Prepare the creation of an animation by setting up a good storyline and slides that illustrate the flow of the animation.

3.2.4 Pilot learning for Sustainable impact and new governance models

id topic observations lessons for wider adoption and implementing SDG
1 harmonisation For fine-grained powers validation, Member States need to agree on a harmonised set of services. In the DBA pilot: the SDG procedures of annex II to start with. DBA advises the European Commission to organise the hamonisation process of services for cross-border powers validation (see SEMPER project results and DBA pilot for sample harmonisation).
2 harmonisation For subscribing and notifying on company events / changes there needs to be a specified set of harmonised company event types. DBA advises the European Commission to organise the hamonisation process of event types for cross-border subscription & notification. See DBA pilot for example of harmonisation.

3.2.5 Lessons from interaction with other initiatives

id topic observations lessons for wider adoption and implementing SDG
scoping (Potential) differences between the DE4A scope and the Implementing Act distract and demotivate participants from prioritizing development and deployment of changes in their national infrastructures. Focus at the agreed project targets and stick to the plan.
focus It turned out to be difficult to focus on the pilot activities whlist at the same time a lot of initiatived gain momentum in the EU, like the eIDAS revision, SDG implementing act, etc. The added value of the OOP TS compared to other developments / pilots / experiments in the EU must be broadcasted continuously in order to keep authorities involved and secure commitment.

3.3 Summary

Next Chapter: 4. Pilot Procedures