Playbook for National Coordinators
- Deploy Prerequisites
- Deploy an Intermediary platform
- Deploy Common Services
- Test
- Review Security
- Integrate with operational processes
Deploy Prerequisites
Required
Introduction
Domain:
Once Only
Once - Only domain refers to the OOTS specific system components, activities, and policies usually under the European Commission control.
The OOTS reuses the eDelivery Building Block and uses its Access Point specification for the evidence exchange process. Being connected to the eDelivery network of nodes with an Access Point set up is a prerequisite to implementing the OOTS in your Member State. An Access Point in the Once-Only Technical System performs key security and reliability functions. It signs and encrypts messages and, in a delegated role, provides integrity, confidentiality, authenticity and non-repudiation of origin and receipt as explained in the Security Controls guidance document.
The eDelivery Access Points will enable the secure exchange of evidence between European countries required in administrative procedures (such as birth certificates, university diplomas and alike) with one another.
You can access the eDelivery building block here:
Configuring my Access Point to the OOTS
To configure your Access Point to the OOTS, you will need to have first implemented the eDelivery Building Block. The current version of OOTS requires implementations of eDelivery that support the following features of AS4 1.15:
- the Common Profile;
- the Four Corner Profile enhancements.
To ensure that your eDelivery Access Point conforms to the eDelivery AS4 profile, you are strongly encouraged to reuse an Access Point solution that is already conformant or to have your solution conformance tested.
Upon a successful outcome of a conformance test, the next step will be to get in contact with your solution provider to correctly configure your Access Point to the OOTS TDDs.
For more details about configuring eDelivery to OOTS go to eDelivery configuration for OOTS
For more details about Access Points specifications go to Access Points specifications
Secure Access Point messaging
To secure Access Point messaging, you can choose to use your certificate. Otherwise, you can request an X.509 certificate from the eDelivery PKI.
To do this, you should follow the instructions detailed in the OOTS Onboarding Toolkit
What if I don't have an Access Point set up?
If you are not yet connected to the eDelivery network of nodes with an Access Point set up or need support with regards to your eDelivery Access Point, please contact the eDelivery Service Desk
Introduction
Domain:
eIDAS
eIDAS domain refers to the eIDAS digital identity building block components required by OOTS to enable identification and authentication of citizens and entities across Member States.
In the execution of an electronic procedure, there are two situations in which the user has to be identified and authenticated:
- to use the procedure and;
- to use the Once-Only Technical System to retrieve a particular evidence for use in that procedure.
The Once-Only Technical System uses the eID Building Block, as it is today, to identify and authenticate the user. Should the eID building block change, the technical specifications would be adapted to support the changes. Specifically, it uses the assured eIDAS user identity attributes obtained from the user authentication in evidence requests. It may also be used by the Data Service if the user is asked to re-authenticate.
Use my eIDAS node for OOTS
The OOTS uses eIDAS eID for the authentication of users. To find more information on the use of your eIDAS node for OOTS, you can follow the link below.
eIDAS eID schemes are classified according to their Level of Assurance. It is important to understand the eIDAS Levels of Assurance, because some service providers may require an eID to be of a certain level for users to authenticate.
More information on the eIDAS Levels of Assurance can be found via the link below:
Secure user authentication
The Once-Only Technical System relies on the use of eIDAS and the existing infrastructure of eIDAS nodes to authenticate the user and to obtain assured identity attributes. A Data Service can use these identity attributes to match evidence requests to any relevant evidences. The identity attributes are received from the Online Procedure Portal or as a result of re-authentication.
However, the use of eIDAS does not preclude the use of other mechanisms to provide complementary or additional security measures. This section describes two such mechanisms.
- An authentication verification service that a Data Service can use to verify that the user identity attributes in the evidence request link to a recent eIDAS authentication transaction.
- Authorization of requests for evidence relating to represented persons.
What if I don't have a node connected to the eIDAS network of nodes or a notified eID scheme?
The DIGITAL eID support team can be contacted via the dedicated service desk: DIGITAL eID Service Desk
Developed by the European Commission with the Member State technical sub-committee of the eIDAS Expert Group, the eIDAS-Node software is a sample implementation of the eID eIDAS Profile.
The Node integration package can be used to help set up and manage a node in a Member State.
The notification process refers to the selection, peer review and official addition of national eID schemes to the eIDAS Network. Notification ensures that the eID schemes connected to the eIDAS Network satisfy the conditions of quality and security set out by the eIDAS Regulation. As a general rule, all eID schemes connected to the eIDAS Network must be notified, though in some specific cases, service providers may make use of non-notified eID schemes.
STEP 2
Deploy an Intermediary platform
Strongly Encouraged
Introduction
Domain:
Member State
Member State domain refers to the OOTS specific components and activities usually under Member States control.
An intermediary platform (Implementing Act, Article 1(6)) is a technical solution through which evidence providers or evidence requesters connect to the common services referred to in Article 4(1) (i.e., the Evidence Broker and Data Service Directory) or to evidence providers or evidence requesters from the other Member States.
Intermediary Platforms are a component of the OOTS architecture that is optional and serves the purpose of providing integration interfaces to evidence providers and/or requesters. This helps them to integrate into the system without having to know the intricate technical details of OOTS, reducing the complexity and investment required.
An intermediary platform can provide integration services to either evidence providers, evidence requesters, or both. In a member state, there might be multiple intermediary platforms that offer services to different groups of evidence providers and/or requesters, depending on the level of regional or domain decentralization. For example, there may be a dedicated service organisation in a Member State that stores and makes available, on request, educational evidences on behalf of many educational institutions, such as universities.
Configure Intermediary Platform to OOTS
Only the intermediary platform needs to implement a DSD for the types of evidence it makes available
Only the intermediary platform needs to implement (or connect to) an Access Point and needs to be integrated to OOTS
Evidence Requester connect to Intermediary Platform
Evidence Requesters may need to connect to an Intermediary Platform
A prerequisite for Evidence Requesters to connect to the Intermediary Platform is that the Evidence Requesters must be as secure as eDelivery
Evidence Provider connect to Intermediary Platform
Evidence Providers may need to connect to an Intermediary Platform.
A prerequisite for Evidence Providers to connect to the Intermediary Platform is that the Evidence Providers must be as secure as eDelivery
STEP 3
Deploy Common Services
Strongly Encouraged
Introduction
Domain:
Once Only
Once - Only domain refers to the OOTS specific system components, activities, and policies usually under the European Commission control.
To support the exchange of evidences between Data Services and Online Procedure Portals, the Once-Only Technical System uses Once-Only supporting services. Article 4 of the draft Implementing Act refers to these services as the Common Services. The Common Services do not process data about citizens or businesses. Instead, they contain and serve operational data parameters that support the operation of the Once-Only technical system. The Common Services are:
- Evidence Broker;
- Data Service Directory;
- Semantic Repository.
If you implement your own Common Services instance, you need to request the OOTS support team to configure the evidence requests received by your country to be forwarded to your national Data Service Directory.
If you need help adding new evidences, take a look at the Evidence Mapping section in the
Data Service Directory (DSD)
Domain:
Once Only
Once - Only domain refers to the OOTS specific system components, activities, and policies usually under the European Commission control.
The Data Service Directory is a registry containing the list of evidence providers, and the evidence types they issue together with the relevant accompanying information, such as geolocation so that the OOTS can support the user in selecting the correct evidence provider.
Evidence Broker (EB)
Domain:
Once Only
Once - Only domain refers to the OOTS specific system components, activities, and policies usually under the European Commission control.
The Evidence Broker is a common service allowing an evidence requester to determine which evidence type from other Member States is equivalent to the evidence that it requires for the purposes of its national procedure.
Semantic Repository
Domain:
Once Only
Once - Only domain refers to the OOTS specific system components, activities, and policies usually under the European Commission control.
The Semantic Repository is a collection of semantic specifications, linked to the evidence broker and the data service directory, composed of machine-readable definitions of names, data types, and data elements associated with specific evidence types to ensure mutual understanding and cross-lingual interpretation for evidence providers, evidence requesters, and users, when exchanging evidence through the OOTS.
Common Services Administration Tool
Domain:
Once Only
Once - Only domain refers to the OOTS specific system components, activities, and policies usually under the European Commission control.
The OOTS Common Services Administration Tool allows Member States to create and manage configurations related to the procedures in scope of the OOTS. The following procedures can be carried out using the Tool:
Evidence Providers can:
- Create a data service
- Create an evidence provider
- Create an evidence type
- Link an evidence provider to an evidence type
- Link an evidence type to a requirement
- Link a requirement to a group of evidence types
Evidence Requesters can:
- Link a procedure to requirement(s)
For more information on user roles and permissions go to
For information on assets workflows and statuses go to
If you need specific instructions for onboarding and operating Common Services Admin Tool you can visit the specific section in the OOTS Onboarding Toolkit
Life Cycle Management (LCM) Interface Specification
Domain:
Once Only
Once - Only domain refers to the OOTS specific system components, activities, and policies usually under the European Commission control.
Member States can also create and manage configurations related to the procedures in scope of the OOTS using the LCM APIs provided by Common Services.
STEP 4
Test
Voluntary
Introduction
Domain:
Once Only
Once - Only domain refers to the OOTS specific system components, activities, and policies usually under the European Commission control.
Testing services are a useful resource for development teams in the Member States while developing their OOTS components or integrations. E.g. the testing services allow developers to have a look at how the interfaces look like and what the expected behaviour is of the different components. They can start with the sample projects in the testing tools while their components are under development and gradually replace the testing tools with their own components.
The details of the testing service will further be discussed and elaborated in the testing and deployment sub-group.
The testing information currently available is intended as testing services for Member State teams:
- to get early access to the services and tools as prepared by the EC team.
- to familiarise yourselves with the testing approach and to see if this fits within their development and integration procedures.
- to provide feedback and think about further improvements or additions, to be picked up by the testing and deployment sub-group.
To access the testing roadmap and other relevant information about testing tools, please refer to the OOTS Onboarding Toolkit
Projectathons
Domain:
Once Only
Once - Only domain refers to the OOTS specific system components, activities, and policies usually under the European Commission control.
For both Evidence Requesters and Evidence Providers, once you have explored the standalone tests that you can execute at any time, in any order and on your own against the Test Platform, the following step is to attend one or more Projectathon events. These events bring together teams, either physically, virtually or in a hybrid format, to ensure functionality, interoperability and production-like scenarios and data flows.
All relevant information to plan and prepare your participation to a Projectathon is available via the link below:
For any questions or support requests on the Projectathon, reach out to the EC OOTS Support team by mailing EC-OOTS-SUPPORT@ec.europa.eu
STEP 5
Review Security
Strongly Encouraged
Get Security Aware
Domain:
Once Only
Once - Only domain refers to the OOTS specific system components, activities, and policies usually under the European Commission control.
OOTS provides information on security policy and objectives, as mandated by the legal framework. Each security objective is mapped to either a system functionality or a responsible for procedural or operational arrangement. Information on OOTS security policy and objectives is available via:
OOTS also provides recommendations on security and policy requirements for the management of eDelivery Access Points. The recommendations on security for the management of eDelivery Access Points is available via:
ANNEX: Security Framework
To learn more about how to report a security incident take a look at the OOTS OO Hub
STEP 6
Integrate with operational processes
Required
Integrate with operational processes
Domain:
Once Only
Once - Only domain refers to the OOTS specific system components, activities, and policies usually under the European Commission control.
Operation of OOTS infrastructure and applications will require Member States to adhere to some basic processes in order to facilitate coordination between Common Services components managed by European Commission and OOTS components managed by Member States.
If you need specific instructions for carrying out operational tasks required for onboarding OOTS operations you can visit the specific section in the OOTS Onboarding Toolkit
