Opinion No. 8 of the Cooperation Network on the Belgian eID scheme FAS/itsme


Having regard to Article 12(5) and (6) of Regulation (EU) 910/2014 ("the eIDAS Regulation").

Having regard to Article 14(i) of Commission Implementing Decision (EU) 2015/296.

Having regard to Article 4 of the Rules of Procedure of the Cooperation Network.

Whereas:

Article 12 of the eIDAS Regulation obliges Member States to cooperate with regard to the interoperability and security of notified electronic identification schemes.

Article 14(i) of Commission Implementing Decision (EU) 2015/296 on cooperation mandates the Cooperation Network to adopt opinions on how an electronic identification scheme to be notified meets the requirements of the eIDAS Regulation.

Belgium, with a view to notifying its eID scheme FAS/itsme, in line with Article 7(g) of the eIDAS Regulation, provided the following information to the Member States on 18th April 2018 (hereinafter referred to as: "prenotifications"):

On 6th June 2019 the Cooperation Network:

  • agreed to peer review the Belgian eID scheme FAS/itsme according to Article 12(6)(c) of the eIDAS Regulation and Chapter III of Commission Implementing Decision (EU) 2015/296;
  • formed a "Peer Review Group" and
  • agreed which topics the peer review process would cover and how it would be organized according to the provisions of Chapter III of Commission Implementing Decision (EU) 2015/296.

The Peer Review Group submitted its report according to Article 11 of Commission Implementing Decision (EU) 2015/296 to the Cooperation Network on 27th September 2019. The Cooperation Network has examined and discussed the Peer Review Report today.

Taking into account the outcomes of the peer review and the cooperation network discussion and that

  • BMID ensures the continuous alignment of the electronic identification solutions of the banks participating in the Belgian eID scheme FAS/itsme with the requirements of eIDAS level “High”.

and that Belgium commits to

  • proactively monitor the risk against potential attacks on smartphones together with the Itsme App and to take immediate measures if and when such risks materialise;
  • start a common criteria certification process regarding the itsme eID means with regard to an attacker with high attack potential;
  • taking into account the findings of the above-mentioned certification process, envisage a strategy on the usage of mobile devices with secure enclaves / secure elements (hereinafter referred to as SEs) or with trusted execution environments (hereinafter referred to as TEEs) as a security measure based on the assessment of the security of mobile devices with SEs/TEEs in order to obtain comparable assurance to certification and to increase the number of supported smartphones that provide certified SEs/TEEs;
  • disable the use of biometric authentication for assurance level “High”.

the Cooperation Network adopted the following opinion:

Opinion

Based on the examination of the pre-notification documents provided by Belgium, the findings of the Peer Review Report and the commitments made by Belgium, the Cooperation Network is of the opinion that the pre-notification documents and additional information provided by Belgium demonstrate sufficiently how the Belgian eID scheme FAS/itsme meets the requirements for assurance level “high” in line with the requirements of Article 7, Articles 8(1)-(2) and 12(1) of the eIDAS Regulation and Commission Implementing Regulation (EU) 2015/1502.

According to Article 4(6) of the Rules of Procedure, the Cooperation Network agrees to publish this opinion.

Brussels, 2nd October 2019
