Opinion No. 2/2020 of the Cooperation Network on the Chave Móvel Digital Portuguese eID scheme


Having regard to Article 12(5) and (6) of Regulation (EU) 910/2014 ("the eIDAS Regulation").

Having regard to Article 14(i) of Commission Implementing Decision (EU) 2015/296.

Having regard to Article 4 of the Rules of Procedure of the Cooperation Network.

Whereas:

Article 12 of the eIDAS Regulation obliges Member States to cooperate with regard to the interoperability and security of notified electronic identification schemes.

Article 14(i) of Commission Implementing Decision (EU) 2015/296 on cooperation mandates the Cooperation Network to adopt opinions on how an electronic identification scheme to be notified meets the requirements of the eIDAS Regulation.

On 23 December 2019, the Portuguese Republic, with a view to notifying its electronic identification scheme Chave Móvel Digital (CMD), hereinafter referred to as "the CMD eID scheme", provided additional information addressing the concerns raised by the Member States in the Peer Review Report submitted on 10th October 2018 by the Peer Review Group according to Article 11 of Commission Implementing Decision (EU) 2015/296.

On 30th January 2020, the Cooperation Network examined the information and the commitments put forward by Portugal and, in the light of the new elements provided, agreed to adopt an opinion on how the CMD eID scheme meets the requirements of the level of assurance “High”.

Taking into account the additional information, the adjustments made to the CMD eID scheme, the supporting documentation provided by Portugal and the outcomes of the Cooperation Network discussion during the 15th Cooperation Network meeting

and that Portugal commits to

  • proactively monitor the risk against potential attacks on smartphones together with the Autenticação.gov App and to take immediate measures if and when such risks materialise;
  • cooperate on the creation of a common criteria security target in order to enable the development of a common criteria certification process for the CMD eID means with regard to an attacker with high attack potential;
  • start a common criteria certification process regarding the CMD eID means with regard to an attacker with high attack potential;
  • taking into account the findings of the above-mentioned certification process, envisage a strategy on the usage of mobile devices with secure enclaves / secure elements (hereinafter referred to as SEs) or with trusted execution environments (hereinafter referred to as TEEs) as a security measure based on the assessment of the security of mobile devices with SEs/TEEs in order to obtain comparable assurance to certification and to increase the number of supported smartphones that provide certified SEs/TEEs;
  • disable the use of biometric authentication in Autenticação.gov App,

the Cooperation Network adopted the following opinion:

Opinion

Based on the examination of the updated additional information on the CMD eID scheme and the commitments made by the Portuguese Republic, the Cooperation Network is of the opinion that the CMD eID scheme sufficiently demonstrates how it meets the conditions for level "High", in line with the requirements of Article 7, Articles 8(1)-(2) and 12(1) of the eIDAS Regulation and Commission Implementing Regulation (EU) 2015/1502.

According to Article 4(6) of the Rules of Procedure the Cooperation Network agrees to publish this opinion.

Brussels, 30 January 2020  
