COMMISSION IMPLEMENTING REGULATION (EU) 2015/1502
of 8 September 2015
on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
(Text with EEA relevance)
Article 1
Article 2
ANNEX
Technical specifications and procedures for assurance levels low, substantial and high for electronic identification means issued under a notified electronic identification scheme
1. Applicable definitions
2. Technical specifications and procedures
2.1. Enrolment
2.1.1. Application and registration
Assurance level | Elements needed
Low |
Substantial | Same as level low.
High | Same as level low.
2.1.2. Identity proofing and verification (natural person)
Assurance level | Elements needed
Low |
Substantial | Level low, plus one of the alternatives listed in points 1 to 4 has to be met:
High | Requirements of either point 1 or 2 have to be met:
2.1.3. Identity proofing and verification (legal person)
Assurance level | Elements needed
Low |
Substantial | Level low, plus one of the alternatives listed in points 1 to 3 has to be met:
High | Level substantial, plus one of the alternatives listed in points 1 to 3 has to be met:
2.1.4. Binding between the electronic identification means of natural and legal persons
Assurance level | Elements needed
Low |
Substantial | Point 3 of level low, plus:
High | Point 3 of level low and point 2 of level substantial, plus:
2.2. Electronic identification means management
2.2.1. Electronic identification means characteristics and design
Assurance level | Elements needed
Low |
Substantial |
High | Level substantial, plus:
2.2.2. Issuance, delivery and activation
Assurance level | Elements needed
Low | After issuance, the electronic identification means is delivered via a mechanism by which it can be assumed to reach only the intended person.
Substantial | After issuance, the electronic identification means is delivered via a mechanism by which it can be assumed that it is delivered only into the possession of the person to whom it belongs.
High | The activation process verifies that the electronic identification means was delivered only into the possession of the person to whom it belongs.
2.2.3. Suspension, revocation and reactivation
Assurance level | Elements needed
Low |
Substantial | Same as level low.
High | Same as level low.
2.2.4. Renewal and replacement
Assurance level | Elements needed
Low | Taking into account the risks of a change in the person identification data, renewal or replacement needs to meet the same assurance requirements as initial identity proofing and verification or is based on a valid electronic identification means of the same, or higher, assurance level.
Substantial | Same as level low.
High | Level low, plus: Where renewal or replacement is based on a valid electronic identification means, the identity data is verified with an authoritative source.
2.3. Authentication
2.3.1. Authentication mechanism
Assurance level | Elements needed
Low |
Substantial | Level low, plus:
High | Level substantial, plus: The authentication mechanism implements security controls for the verification of the electronic identification means, so that it is highly unlikely that activities such as guessing, eavesdropping, replay or manipulation of communication by an attacker with high attack potential can subvert the authentication mechanisms.
2.4. Management and organisation
2.4.1. General provisions
Assurance level | Elements needed
Low |
Substantial | Same as level low.
High | Same as level low.
2.4.2. Published notices and user information
Assurance level | Elements needed
Low |
Substantial | Same as level low.
High | Same as level low.
2.4.3. Information security management
Assurance level | Elements needed
Low | There is an effective information security management system for the management and control of information security risks.
Substantial | Level low, plus: The information security management system adheres to proven standards or principles for the management and control of information security risks.
High | Same as level substantial.
2.4.4. Record keeping
Assurance level | Elements needed
Low |
Substantial | Same as level low.
High | Same as level low.
2.4.5. Facilities and staff
Assurance level | Elements needed
Low |
Substantial | Same as level low.
High | Same as level low.
2.4.6. Technical controls
Assurance level | Elements needed
Low |
Substantial | Same as level low, plus: Sensitive cryptographic material, if used for issuing electronic identification means and authentication, is protected from tampering.
High | Same as level substantial.
2.4.7. Compliance and audit
Assurance level | Elements needed
Low | The existence of periodical internal audits scoped to include all parts relevant to the supply of the provided services to ensure compliance with relevant policy.
Substantial | The existence of periodical independent internal or external audits scoped to include all parts relevant to the supply of the provided services to ensure compliance with relevant policy.
High |