The issuance of electronic
identity (eID) will become compulsory across the EU according to Regulation
(EU) 2024/1183, which amends Regulation (EU) 910/2014 as regards establishing
the European Digital Identity Framework. Estonia and Norway both have extensive
experience in the use of eID. Ample Norwegian and Estonian civil and criminal
case law exists analysing the eID owner’s liability in cases of misuse of eID
by a third person. Civil courts tend to take a different approach than criminal
courts. In civil proceedings, the eID owner is often found liable, whether in
contract or tort, in cases of misuse of eID by a third person. In criminal
proceedings, courts tend to find the misuser of eID guilty (in cases of
computer-related fraud) and ground the eID misuser’s liability in tort. This
creates a situation where the creditor can choose against whom to bring their
claim (depending e.g. on the financial status of the eID owner and the misuser)
in order to ensure that their interests are well protected. However, the eID
owner’s obligation to repay money to the creditor may depend on the type of
proceedings chosen by the creditor. Focusing on situations where a third party
has misused an owner’s eID, the authors analyse Estonian and Norwegian
legislation and case law in order to determine who should be held liable under
civil law.