EU DI Wallet

Low Security in the European Digital Identity Wallet:

An Unacceptable Risk for Citizens and Businesses

The European Commission pledges that future EU Digital Identity (EUDI) wallets will provide a safe, reliable and private means of digital identification for everyone in Europe. The current technical and regulatory developments raise serious doubts about the security and protection of the personal data of citizens and businesses who will use this wallet. In a recent proposal for implementing acts, the European Commission has chosen not to mandate strict and rigorous cybersecurity certification of the physical components that form the core of the wallet.

Without a stringent requirement to rigorously assess the hardware component’s resistance to skilled attackers, there can be no assurance that the private keys stored in the wallet will remain secure from compromise or theft.


Private keys are pivotal in upholding EU citizens’ fundamental right to privacy and in enforcing Article 8 of the EU Charter of Fundamental Rights.

 

The widespread use of EUDI wallets and their reach across EU citizens will undoubtedly motivate actors with bad intentions to probe the robustness of wallet implementations. Where the confidentiality of the private key cannot be entrusted to the highest level of protection, it is reasonable to expect that these actors will find a way to retrieve these private keys.

Given the uncertainty regarding the level of security required at EU level for the development of national and interoperable electronic identity wallets, citizens and businesses that are using them will be exposed to serious and unacceptable risks.

The development of both political and technical requirements should be grounded in a comprehensive risk analysis. Furthermore, given the rapidly evolving nature of cyber threats, the digital security industry urges ENISA to incorporate the risks associated with EUDI wallets in its annual threat landscape report.

The threat exposure is expanded by the obligation of mutual recognition: a compromise of a single wallet design will lead to widely exploited vulnerabilities and have a systemic impact across all the Member States.


Eurosmart
Square de Meeûs 35 - 1000 Brussels - BELGIUM
EU transparency register #21856815315-64