If you, as an identity provider, would like to offer an electronic identification solution that is also recognised at European level, you must meet the necessary legal requirements of the eIDAS Regulation and have your identification system notified accordingly. The three security levels - low, substantial and high - are of crucial importance here. They express the degree of trust in the identity of the persons behind them and go hand in hand with increasing security requirements that you must fulfil when identifying, authenticating and managing identities.
We can support you in the eID area as follows: In a workshop format, we go through the relevant verification requirements with you, answer your individual questions and optimally prepare you for an upcoming verification and notification. As part of a GAP analysis, we assess the current level of security and identify weaknesses. Following a document review and an on-site audit, we certify the level of security you have achieved. In addition, our training courses provide you with initial insights into the world of eIDAS & ETSI.
Our offer is aimed at a wide range of organisations involved in the secure, legally binding distribution and use of electronic identification:
This is how we support you holistically:
Training & Qualification
Concept & preparation
Testing and conformity assessment
Standards according to which we audit:
Certification & re-certification
The aim of electronic identification systems in accordance with eIDAS is to considerably simplify identification for the cross-border processing of administrative services at European level. Companies also benefit from these eID systems, as they can be used in the corporate environment. This saves time and effort and facilitates communication with customers, among other things. Electronic identification systems have already been introduced in numerous member states (such as the online ID function of the ID card in Germany).
The eIDAS Regulation provides for harmonisation of the various national eID systems at a technical security level. The regulation aims to establish interoperability between the systems. This is ensured by a voluntary notification procedure of the European Commission, in which member states can have their national systems notified. The eIDAS Regulation sets out the legal framework for mutual recognition. It distinguishes between three levels of assurance: "low", "substantial" and "high".
Notified eID systems are recognised across borders and enable access to national administrative services both for citizens of the member state and for EU citizens of other member states. To this end, the notified eID system used must have a level of security equal to or higher than that required for the administrative service.
These three levels describe the confidence in the accuracy of a person's identification in the digital space.
The security level depends on the protection requirements of the respective application. The more sensitive the data or legal implications of a process are, the higher the security level should be. The selection is made taking into account risks, legal requirements and user groups. A GAP analysis can help to validate the desired level and define specific measures to achieve the target.
The requirements for technical, organisational and legal measures increase depending on the level of assurance:
Identification refers to the initial establishment of a person's identity, for example through identification documents. Authentication is the repeated verification of this identity, for example using passwords, biometric features or two-factor procedures.
Data used for electronic identification is predominantly personal and is therefore subject to strict data protection regulations in accordance with the GDPR and eIDAS.
The duration depends heavily on the preparation of the provider - with preliminary analyses, GAP analyses and documentation, periods of between 3 and 9 months are common.
Certification bodies such as TÜV NORD carry out the tests on the basis of the eIDAS specifications and relevant standards such as ETSI or BSI.