Experts from eIDAS supervisory bodies discussed recent security incidents and exchanged information on trust services security and incident reporting at a two-day expert meeting.
On the 1st and 2nd of December, the European Union Agency for Cybersecurity (ENISA) held the 16th meeting of the ENISA Article 19 Expert Group to focus on the security of Europe’s electronic trust services, which include digital signatures, digital certificates, electronic seals, timestamps and more. The expert group’s work focuses mainly on the security of trust services, and the technical details of security incident reporting and cross-border incident reporting between EU Member States.
At the two-day online meeting, 53 experts from eIDAS supervisory bodies, the European Commission and the EU Agency for Cybersecurity exchanged information and good practices on how to supervise security in the trust services sector. Experts discussed trust services security incidents occurring in the past six months, a recent digital signature vulnerability and steps to minimise the impact on trust services. Discussions also covered the security aspects of PDF Advanced Electronic Signatures (PAdES), and the registration process and identification of signatories.
The Commission provided an update on the ongoing review of the eIDAS Regulation, which provides an EU framework for trust services and national eID schemes. The EU Agency for Cybersecurity presented its updated CIRAS tool for incident reporting, which facilitates cross-border collaboration on supervision topics. The Agency also presented its upcoming papers on the “Capability Maturity Model for eID Schemes” and on methods to carry out remote identity proofing.
About the ENISA Article 19 Expert Group
In 2015, the EU Agency for Cybersecurity set up the Article 19 Expert Group to support voluntary collaboration between Member States on the technical details of how to implement eIDAS Regulation Article 19, which sets the security requirements for trust service providers. The group meets two times per year, usually back-to-back with bi-annual meetings of the Forum of European Supervisory Authorities for trust service providers (FESA).
Currently chaired by Ulrich Latzenhofer, a representative of the Austrian Regulatory Authority for Broadcasting and Telecommunications (RTR), the expert group consists of more than 80 experts from national authorities of 31 EU, EFTA and EU candidate countries. The group produces technical guidelines on the implementation of incident reporting under Article 19.
The EU Agency for Cybersecurity supports the expert group with reports, studies and analysis. In 2019, the Agency produced two reports assessing the relevance of specific standards for the implementation of eIDAS, and two reports exploring the harmonisation of security requirements for QTSPs and the technological landscape for eID schemes (see: ENISA News - Earning Trust: ENISA on eID and Trust Services). Every year, the Agency also publishes an annual summary report about major security incidents.
Background
Since 2013, the EU Agency for Cybersecurity has been at the forefront of the developments in eIDAS. The Agency has been supporting the Commission and the Member States in the area of trust services by providing security recommendations for the implementation of trust services; mapping technical and regulatory requirements; promoting the deployment of qualified trust services across Europe, and more. The EU Cybersecurity Act of 2019 has strengthened the Agency’s role in supporting the implementation of eIDAS.
Further Information
ENISA Incident Reporting webpage
ENISA Article 19 Expert group portal
Contacts
To learn more about the work of the ENISA Article 19 Expert Group, please contact us via resilience (at) enisa.europa.eu
For press questions and interviews, please contact press (at) enisa.europa.eu