Levels of assurance according to eIDAS: The basis for secure digital identities and signatures

The three levels of assurance according to eIDAS create a clear order in digital trust. They define how securely identities must be used.

Levels of Assurance (LoA): The Trust Index for Digital Identities

Imagine if digital identities had a clearly visible “trust index” that showed how reliable online identification really is. This is exactly how the three levels of assurance (LoA) work. They show how certain it is that a person in the digital space is actually who they claim to be. LoA thus create a common, Europe-wide basis for trust in digital processes – and are becoming the linchpin of modern identity and signature solutions.

Precisely because more and more business and administrative processes are becoming completely digital, this classification is not only helpful but essential: it provides clarity about what level of identity security is appropriate for which use case.

What does “level of assurance” mean?

A level of assurance is a graded measure of trust for electronic means of identification. It assesses the security of a digital identity along two interrelated elements:

Firstly, it concerns identification: in other words, how reliably a person was verified during onboarding. Secondly, it concerns authentication: in other words, how securely this person can log in again later.

The result is a clear statement: How high is the level of trust in the digital identity – measured in terms of the risk and protection requirements of the respective process?

The eIDAS trust levels: low, substantial, high

According to eIDAS, there are three levels of assurance. They are designed so that they can be used in a risk-oriented manner in practice.

Low

This level of assurance is intended for use cases where identity misuse would have only limited impact. Identity verification is less stringent here, and subsequent login procedures also follow a basic security standard. The aim is to provide a reasonable minimum level of protection for low-risk digital processes.

Substantial

The requirements are significantly higher for a substantial level of trust. This applies to processes where misuse would have noticeable consequences – for example, when sensitive data or important functions are affected. The identification check is correspondingly robust, and access is secured by stronger authentication mechanisms.

High

The highest level of trust is aimed at processes with a particularly high risk. Here, identification must be very strict, and authentication is also designed in such a way that attacks are very likely to fail, even with considerable effort. The digital identity should thus be established with almost no doubt.

Why levels of assurance are so important

Without levels of assurance, every organization would have to determine individually for each digital process how strict identification and login must be. This would be costly, difficult to compare, and would lead to inconsistent security levels.

Trust levels, on the other hand, create a structured framework: processes can be assigned exactly the level of security they require. LoA thus enable comparability, risk management, and consistent implementation of digital identities—even across national borders.

LoA in practice: Identification and authentication belong together

A trust level is never determined by a single step alone. The interaction between steps is crucial:

In identification, what counts is how the person is verified at the start of the digital lifecycle. The higher the level of trust required, the stricter the requirements for verification, verification quality, and protection against deception.

Authentication is about ensuring that the same person can reliably access their identity later on. Here, too, higher levels of trust require stronger procedures and a robust link between identity and means of access.

Only when both components meet the required security profile is a certain LoA achieved.

Levels of assurance (LoA) and the three signature levels: difference and interaction

In daily practice, people often ask how trust levels relate to the three levels of electronic signatures. Both concepts serve to build trust in digital processes, but they evaluate different levels.

A level of assurance describes the security of the digital identity. It answers the question: “How certain are we that someone is who they say they are?”

The three signature levels, on the other hand, describe the legal and technical resilience of a specific electronic signature. They answer the question: “How resilient is this signature?”

eIDAS distinguishes between three levels:

  • The simple electronic signature (EES) is a broad category for electronic signatures without any special requirements for identification or signature creation.
  • The advanced electronic signature (AES) must be uniquely attributable to a signatory and reveal any manipulation. This requires a reliable link between identity and signature.
  • The qualified electronic signature (QES) is the highest level and has the same legal effect as a handwritten signature. It requires a qualified certificate and a qualified signature creation device.

The connection is clear: the higher the signature level, the higher the level of trust in the underlying identity must be. An electronic signature is only as trustworthy as the identity that triggers it.

Consequently, this means that:

  • In many cases, a lower level of identity is sufficient for an EES, as the risk and legal implications are typically lower.
  • An AES already requires a reliable identity link, which is why a substantial level of trust is usually necessary here.
  • A QES requires an identity that has been verified and secured at a high level of trust, because without this strong identity verification, qualified certificates cannot be issued and qualified signatures cannot be generated.

LoA thus form the identity foundation on which signatures – especially at higher levels – are built.

Outlook: LoA as infrastructure for the digital future

Levels of assurance are more than just a regulatory detail. They act as an infrastructure on which digital relationships, contracts, and signatures can be reliably established. By clearly grading risk, they make digital ecosystems scalable and interoperable across Europe.

For organizations, this means one thing above all: they can combine identity security and legal validity in such a way that digital processes are not only convenient, but also traceably protected and legally valid.

Conclusion

Trust levels according to eIDAS create a clear order in digital trust. They define how securely identities must be verified and used – graded as low, substantial, and high. At the same time, they form the basis for the appropriate signature levels: the higher the desired legal effect of a signature, the higher the trust in the digital identity behind it must be.

Those who consistently combine LoA and signature levels can design digital processes that are risk-oriented, interoperable, and permanently reliable.
