Hoepman: the proposals regarding the European Digital Identity Wallets pose serious risks for citizens

In his Feedback on the consultation on the eID implementing regulations, Jaap-Henk Hoepman is highly critical of the European Commission’s proposals.

He is of the opinion that, first and foremost, the current approach of issuing five separate implementing regulations is broken, as it will introduce inconsistencies and will allow important issues to fall between the cracks and not be properly regulated. And:

More fundamentally though, trying to properly and precisely specify a technical artefact (like an eID system) through a legal instrument using legal language, will not work. The current implementing regulation proposals are not all specific enough to guarantee certain security and privacy properties, as these fundamentally depend on the nitty-gritty details.

Hoepman also thinks the individual proposals are inadequate, include violations of the principle of privacy by design and result in unacceptable risks to citizens. Read, for example, his comment on the revocation system:

The regulation leaves unspecified who should be the entity hosting the server with the revocation statuses accessed through this URL. This could very well be the provider of PID or attribute attestation itself. In that case, the provider can keep perfect track of which users are using the PIDs or attestations it issued, and when and where. This is a strong violation of privacy, essentially rendering void any of the privacy protections offered or presumed by the regulation. It would in fact turn the attribute based approach of the regulation completely equivalent to the network based social logins, that allow Facebook or Google to keep track of all accounts that you log in with through their account.
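What the scenario in the quoted comment looks like from the provider's side, as an added example that is not part of this post or of Hoepman's feedback: the provider's own status-server access log, joined with its issuance records, yields a per-holder record of when and where each credential was presented. The log format, the `/status/<credential-id>` URL layout, the host names and the holder labels are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed access log of a revocation-status server run by the attestation
# provider itself. Assumed layout: one status URL per credential,
# /status/<credential-id>, fetched by the relying party at each presentation.
ACCESS_LOG = """\
shop.example - - [03/Sep/2024:09:14:02 +0000] "GET /status/c-1001 HTTP/1.1" 200 12
clinic.example - - [03/Sep/2024:11:40:27 +0000] "GET /status/c-1001 HTTP/1.1" 200 12
bank.example - - [03/Sep/2024:12:05:51 +0000] "GET /status/c-2002 HTTP/1.1" 200 12
pharmacy.example - - [04/Sep/2024:23:58:10 +0000] "GET /status/c-1001 HTTP/1.1" 200 12
"""

# The provider issued the credentials, so it already holds this mapping
# (constructed sample records).
ISSUED_TO = {"c-1001": "holder-A", "c-2002": "holder-B"}

# Common-Log-Format-style line; only status lookups are of interest.
LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"GET /status/(?P<cred>[\w-]+) HTTP/[\d.]+" (?P<code>\d{3}) '
)

def usage_profiles(log_text, issued_to):
    """Return {holder: [(when, relying_party), ...]} as the provider can derive it."""
    profiles = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["cred"] not in issued_to:
            continue  # not a status lookup for a credential this provider issued
        # The requesting client is the relying party: that is the "where".
        profiles[issued_to[m["cred"]]].append((m["when"], m["client"]))
    return dict(profiles)

if __name__ == "__main__":
    for holder, visits in usage_profiles(ACCESS_LOG, ISSUED_TO).items():
        print(holder)
        for when, where in visits:
            print(f"  {when}  {where}")
```

Nothing beyond ordinary web-server logging is needed to build these profiles, which is why the identity of the party hosting the status URL matters.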

His comments show that the European legislator is far from being ready for the digital society, as that legislator proves incapable of mitigating risks to citizens in a high-quality manner.

About Ellen Timmer

Weblog: https://ellentimmer.com/ ||| Microblog: https://mastodon.nl/@ellent ||| Motto: good intentions do not justify bad rules