Opinion No. 03/2019 of the Cooperation Network on the Dutch Trust Framework for Electronic Identification
Having regard to Article 12(5) and (6) of Regulation (EU) 910/2014 ("the eIDAS Regulation").
Having regard to Article 14(i) of Commission Implementing Decision (EU) 2015/296.
Having regard to Article 4 of the Rules of Procedure of the Cooperation Network.
Article 12 of the eIDAS Regulation obliges Member States to cooperate with regard to the interoperability and security of notified electronic identification schemes.
Article 14(i) of Commission Implementing Decision (EU) 2015/296 on cooperation mandates the Cooperation Network to adopt opinions on how an electronic identification scheme to be notified meets the requirements of the eIDAS Regulation.
The Netherlands, with a view to notifying its Trust Framework for Electronic Identification (“eHerkenning”), hereinafter referred to as "Dutch Trust Framework", in line with Article 7(g) of the eIDAS Regulation, provided the following information to the Member States on 11 December 2018 (hereinafter referred to as "prenotifications"):
- Notification Form
- Supporting Documentation.
On 30 January 2019 the Cooperation Network:
- agreed to peer review the Dutch Trust Framework according to Article 12(6)(c) of the eIDAS Regulation and Chapter III of Commission Implementing Decision (EU) 2015/296;
- formed a "Peer Review Group"; and
- agreed which topics the peer review process would cover and how it would be organized according to the provisions of Chapter III of Commission Implementing Decision (EU) 2015/296.
The Peer Review Group submitted its report according to Article 11 of Commission Implementing Decision (EU) 2015/296 to the Cooperation Network on 29.05.2019. The Cooperation Network has examined and discussed the Peer Review Report today.
Taking into account the findings in the peer review report regarding:
- the non-disclosure of proprietary information related to Digidentity’s solution;
- the strong dependence on the available non-evaluated hardware functionalities - Secure Enclave (SE), Trusted Execution Environment (TEE), etc. - offered by the citizen’s mobile devices;
- the missing evidence on resistance against high attack potential for these devices
and that the Netherlands confirms
- that Digidentity’s solution relies on the usage of SEs and denies the usage on devices without SE
and commits to:
- proactively monitor the risk against potential attacks on smartphone SEs together with the Digidentity App and take immediate measures if and when such risks materialise;
- exclude smartphone SEs with known vulnerabilities from usage with Digidentity’s solution;
- an ongoing strategy to assess the security of mobile device SEs in order to obtain an equivalent assurance to a certification and to increase the number of supported smartphones that provide certified SEs,
the Cooperation Network adopted the following opinion:
Based on the examination of the pre-notification documents provided by the Netherlands, the findings of the Peer Review Report and the commitments made by the Netherlands, the Cooperation Network is of the opinion that the pre-notification documents and additional information provided by the Netherlands demonstrate sufficiently how:
- Platform 1 – KPN, Reconi – meets the requirements for assurance levels “substantial” and "high";
- Platform 2 – Connectis, Unified Post, iWelcome and QuoVadis – meets the requirements for assurance levels “substantial” and "high";
- Platform 3 – Digidentity – meets the requirements for assurance levels “substantial” and “high”
in line with the requirements of Article 7, Articles 8(1)-(2) and 12(1) of the eIDAS Regulation and Commission Implementing Regulation (EU) 2015/1502.
According to Article 4(6) of the Rules of Procedure, the Cooperation Network agrees to publish this opinion.
Brussels, 6 June 2019