No EU Digital Identity Wallet Security and Privacy Without Certified Secure Hardware

Eurosmart's answer to EC public consultation on eIDAS implementing acts

The digital security industry is deeply concerned about the treatment of secure hardware in this proposal, as it contradicts the EU’s political commitment to supporting this sector through the Cybersecurity Act (CSA) and the Chips Act.

Eurosmart advocates for the inclusion of strong security certification mechanisms for the core components of the wallet

WSCD shall only be security certified in accordance with the EUCC scheme or the SOG-IS recognition agreement at least at level EAL4+ AVA_VAN.5

WSCA(s) utilizing wallet cryptographic operations on critical assets shall only be certified under EUCC or shall be certified under a national schema based on EN 17640 (FITCEM)

Considering that eIDAS and its implementing acts will define the digital identity for 450 million European citizens, and the political promise to ensure a highly secure and privacy-by-design implementation, Eurosmart emphasizes that privacy and security cannot be achieved without the use of high-quality cryptographic mechanisms.

Cryptography has historically been a key challenge in Europe, and it is crucial to avoid a scenario where citizens may lack trust due to potential vulnerabilities or backdoors in the system.

To build the promised level of trust, the inclusion of hardware systems into reliable and harmonized security certification processes is essential.