The European Union Agency for Cybersecurity (ENISA) has laid out a set of standardisation requirements and recommendations for the proposed European Digital Identity Wallet (EUDI) to ensure that its issuance aligns with the EU’s cybersecurity policy.
The agency’s 15 recommendations cover standards across the digital identity infrastructure — from policy and governance to operational and technical aspects — and are based on ENISA’s analysis of available digital standards in relation to how they cover the identity management lifecycle, authentication capabilities, user control, data protection-enhancing technologies and the ‘trust model’ of digital identity.
The recommendations are directed at key stakeholders in the development of the EUDI: European Union policymakers; European standardisation organisations including the European Committee for Standardization (CEN), the European Committee for Electrotechnical Standardization (CENELEC) and the European Telecommunications Standards Institute (ETSI); and ENISA itself.
Policy recommendations
In relation to policy regarding the EUDI, the agency recommends that EU policymakers:
Provide a clear legal definition of the term ‘digital identity’;
Use the provisions of the Digital Markets Act and issue a standardisation request to European standardisation organisations to ensure full interoperability by various smartphone manufacturers;
Consider security and privacy evaluation methodology as a strategic issue and not only as a technical issue;
Require European standardisation organisations to standardise EUDI interfaces with trusted service providers, relying parties, existing national eID documents and other infrastructure relating to methods of recognition and authentication;
Require European standardisation organisations to standardise a privacy evaluation methodology for digital identity.
Standardisation recommendations
ENISA also recommends that European standardisation organisations:
Avoid duplicating standardisation activities by coordinating and agreeing a clear division of responsibility;
Make efforts to address the lack of a European standard for mobile application assessment methodology at European level;
Adopt ISO/IEC 18013-5 and the ISO/IEC DIS 23220 series of standards as European norms;
Define a harmonised mutual authentication protocol between the EUDI and relying parties;
Prepare a generic code of conduct for trusted service providers and the EUDI.
ENISA’s role
Alongside these recommendations, ENISA also states that the agency itself should:
Publish a regular overview of endorsed digital identity standards;
Publish an overview of existing digital identity models in Europe and beyond and identify their impact in terms of cybersecurity standards;
Encourage and support the creation of an ad hoc group to address vulnerabilities related to digital identity systems and the EUDI;
Work closely with European standardisation organisations to fulfil standardisation requests;
Establish a mechanism for assisting EU institutions, bodies and agencies, EU member states and private organisations regarding various aspects of digital identity management.
ENISA has published the recommendations in its Digital Identity Standards report, which “gives an overview of the most important standards and standardization organisation in this area” and “provides an analysis of standards related to different means of supporting digital identity” including “means created and managed by trust service, electronic identification means and the EU Digital Identity Wallet”.
The EU Commission is currently conducting four large-scale EUDI pilots, while in June the European Parliament and the Council of the EU agreed that the EUDI would be made available free of charge to all 450 million citizens of the EU.
EU cybersecurity agency lays out standardisation requirements for European Digital Identity Wallet was written by Tom Phillips and published by NFCW.