Opinion No.7 of the Cooperation Network on the Latvian eID scheme
Having regard to Article 12(5) and (6) of Regulation (EU) 910/2014 ("the eIDAS Regulation").
Having regard to Article 14(i) of Commission Implementing Decision (EU) 2015/296.
Having regard to Article 4 of the Rules of Procedure of the Cooperation Network.
Article 12 of the eIDAS Regulation obliges Member States to cooperate with regard to the interoperability and security of notified electronic identification schemes.
Article 14(i) of Commission Implementing Decision (EU) 2015/296 on cooperation mandates the Cooperation Network to adopt opinions on how an electronic identification scheme to be notified meets the requirements of the eIDAS Regulation.
Latvia, with a view to notifying its eID scheme, in line with Article 7(g) of the eIDAS Regulation, provided the following information to the Member States on 4th February 2019 (hereinafter referred to as "prenotifications"):
- Notification form
- Supporting Documentation.
On 6th June 2019 the Cooperation Network:
- agreed to peer review the Latvian eID scheme according to Article 12(6) (c) of the eIDAS Regulation and Chapter III of Commission Implementing Decision (EU) 2015/296;
- formed a "Peer Review Group" and
- agreed which topics the peer review process would cover and how it would be organized according to the provisions of Chapter III of Commission Implementing Decision (EU) 2015/296.
The Peer Review Group submitted its report according to Article 11 of Commission Implementing Decision (EU) 2015/296 to the Cooperation Network on 27th September 2019. The Cooperation Network has examined and discussed the Peer Review Report today.
Taking into account the outcomes of the peer review and the Cooperation Network discussion and that
- the Latvian eID scheme ensures the continuous alignment of the electronic identification solutions of the eParaksts app with the requirements of eIDAS level “High” in the case of storing keys in hardware keystore secure enclaves (hereinafter referred to as SEs) or trusted execution environments (hereinafter referred to as TEEs),
- the Latvian eID scheme ensures the continuous alignment of the electronic identification solutions in the eParaksts app with the requirements of eIDAS level “Substantial” in the case of storing keys in software keystores of Android and iOS,
and that Latvia commits to
- proactively monitor the risk against potential attacks on smartphones together with the eParaksts app and to take immediate measures if and when such risks materialise;
- advise customers to use mobile phones with SEs/TEEs in order for the eParaksts app to reach eIDAS level “High”;
- exclude smartphone SEs/TEEs with known vulnerabilities from usage with the eParaksts app in eIDAS level “High”;
- assess the security of mobile device SEs/TEEs in order to obtain comparable assurance to certification and to increase the number of supported smartphones that provide certified SEs/TEEs;
- disable the use of biometric authentication for assurance level “High”,
the Cooperation Network adopted the following opinion:
Based on the examination of the pre-notification documents provided by Latvia, the findings of the Peer Review Report and the commitments made by Latvia, the Cooperation Network is of the opinion that the pre-notification documents and additional information provided by Latvia demonstrate sufficiently how:
The Latvian eID scheme:
- meets the requirements for assurance level “High” for eID karte, eParaksts karte, eParaksts karte+ and eParaksts with use of hardware keystore;
- meets the requirements for assurance level “Substantial” for eParaksts with use of software keystore;
in line with the requirements of Article 7, Articles 8(1)-(2) and 12(1) of the eIDAS Regulation and Commission Implementing Regulation (EU) 2015/1502.
According to Article 4(6) of the Rules of Procedure, the Cooperation Network agrees to publish this opinion.
Brussels, 2nd October 2019