The European Union continues on its path to eIDAS 2.0, which includes the controversial Article 45 that basically tells browsers which certification authorities (CAs) to trust. eIDAS, which stands for electronic identification and trust services, is a framework aimed at regulating electronic transactions. As part of this proposal, the EU wants to support embedding identities in website certificates. In essence, the goal is to bring back Extended Validation (EV) certificates.

Browsers—of course—don’t want that, but the real problem is the fact that, with the legal text as it is at the moment, in its near-final form, the EU gets the final say in which CAs are trusted. The global security community has been fighting against Article 45 for more than two years now; we wrote about it on a couple of occasions. As of November 2023, the European Council and Parliament have reached a provisional agreement. The next step is for the law to be put to the vote, which is usually a formality.