Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance)

Type Implementing Regulation
Publication 2015-09-08
State In force
Department European Commission
Source EUR-Lex

Article 1

The specifications and procedures set out in the Annex shall be used to specify the assurance level of the electronic identification means issued under a notified electronic identification scheme by determining the reliability and quality of the following elements:

(a) enrolment, as set out in section 2.1 of the Annex to this Regulation pursuant to Article 8(3)(a) of Regulation (EU) No 910/2014;

(b) electronic identification means management, as set out in section 2.2 of the Annex to this Regulation pursuant to Article 8(3)(b) and (f) of Regulation (EU) No 910/2014;

(c) authentication, as set out in section 2.3 of the Annex to this Regulation pursuant to Article 8(3)(c) of Regulation (EU) No 910/2014;

(d) management and organisation, as set out in section 2.4 of the Annex to this Regulation pursuant to Article 8(3)(d) and (e) of Regulation (EU) No 910/2014.

Article 2

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

ANNEX

Technical specifications and procedures for assurance levels low, substantial and high for electronic identification means issued under a notified electronic identification scheme

1. Applicable definitions

For the purposes of this Annex, the following definitions shall apply:

(1) ‘authoritative source’ means any source irrespective of its form that can be relied upon to provide accurate data, information and/or evidence that can be used to prove identity;

(2) ‘authentication factor’ means a factor confirmed as being bound to a person, which falls into any of the following categories: (a) ‘possession-based authentication factor’ means an authentication factor where the subject is required to demonstrate possession of it; (b) ‘knowledge-based authentication factor’ means an authentication factor where the subject is required to demonstrate knowledge of it; (c) ‘inherent authentication factor’ means an authentication factor that is based on a physical attribute of a natural person, and of which the subject is required to demonstrate that they have that physical attribute;

(3) ‘dynamic authentication’ means an electronic process using cryptography or other techniques to provide a means of creating on demand an electronic proof that the subject is in control or in possession of the identification data and which changes with each authentication between the subject and the system verifying the subject's identity;

(4) ‘information security management system’ means a set of processes and procedures designed to manage to acceptable levels risks related to information security.
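Definition (3) is the one genuinely technical notion in this Annex: the proof must be created on demand and must change with every authentication, which is what makes it resistant to replay. The following Python example is added here to illustrate that property and is not part of the Regulation or of any notified scheme. It assumes a shared symmetric key held by the subject as a possession-based factor, an HMAC-SHA-256 proof over a verifier-chosen 16-byte nonce, and an invented message framing; a static password is shown alongside for contrast.

```python
"""Added example (not part of Regulation (EU) 2015/1502): what the Annex's
definition of 'dynamic authentication' means in practice.

Assumptions made for the example: the identification means is a shared
symmetric key held by the subject (a possession-based factor), the proof is
an HMAC-SHA-256 over a verifier-chosen 16-byte nonce, and the message
framing below is invented. A static password is shown for contrast.
"""
import hashlib
import hmac
import secrets


def _proof(key: bytes, subject_id: str, nonce: bytes) -> bytes:
    """Proof of control over the key, bound to the subject and to this challenge.
    The framing 'eid-auth|<subject>|<nonce>' is an assumption of this example."""
    msg = b"eid-auth|" + subject_id.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """The system verifying the subject's identity."""

    def __init__(self, subject_keys: dict[str, bytes]) -> None:
        self._keys = subject_keys             # subject id -> enrolled key
        self._pending: dict[str, bytes] = {}  # subject id -> outstanding nonce

    def challenge(self, subject_id: str) -> bytes:
        """Issue a fresh single-use nonce; this is what makes the proof 'on demand'."""
        nonce = secrets.token_bytes(16)
        self._pending[subject_id] = nonce
        return nonce

    def verify(self, subject_id: str, proof: bytes) -> bool:
        """Accept only a proof over the currently outstanding nonce.
        The nonce is consumed whether or not the proof is valid, so a
        captured proof cannot be presented a second time."""
        nonce = self._pending.pop(subject_id, None)
        key = self._keys.get(subject_id)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(_proof(key, subject_id, nonce), proof)


class Subject:
    """Holder of the electronic identification means (here: the key)."""

    def __init__(self, subject_id: str, key: bytes) -> None:
        self.subject_id = subject_id
        self._key = key

    def prove(self, nonce: bytes) -> bytes:
        return _proof(self._key, self.subject_id, nonce)


def run_dynamic_authentication() -> dict[str, bool]:
    """Two honest authentications followed by a replay of the first proof."""
    key = secrets.token_bytes(32)  # constructed enrolment secret for the example
    verifier = Verifier({"alice": key})
    alice = Subject("alice", key)

    proof1 = alice.prove(verifier.challenge("alice"))
    first_ok = verifier.verify("alice", proof1)

    proof2 = alice.prove(verifier.challenge("alice"))
    second_ok = verifier.verify("alice", proof2)

    # An eavesdropper who captured proof1 tries to reuse it against a new challenge.
    verifier.challenge("alice")
    replay_accepted = verifier.verify("alice", proof1)

    return {
        "first_ok": first_ok,
        "second_ok": second_ok,
        "proofs_differ": proof1 != proof2,  # the proof changes with each authentication
        "replay_accepted": replay_accepted,
    }


def static_replay_succeeds() -> bool:
    """Contrast: a fixed password is the same 'proof' every time, so a captured
    copy authenticates the attacker just as well as the subject."""
    enrolled = hashlib.sha256(b"correct horse battery staple").digest()  # constructed
    captured = b"correct horse battery staple"  # what an eavesdropper saw once
    return hmac.compare_digest(hashlib.sha256(captured).digest(), enrolled)


if __name__ == "__main__":
    print(run_dynamic_authentication())
    print("static password replay accepted:", static_replay_succeeds())
```

The verifier pops the nonce before checking the proof, so even a failed attempt cannot be retried against the same challenge; a real deployment would additionally bound the lifetime of an outstanding nonce. The same structure carries over to asymmetric schemes (signature over the nonce with a key held on a smart card or secure element), which is the usual way notified means at level high realise the definition.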

2. Technical specifications and procedures

The elements of technical specifications and procedures outlined in this Annex shall be used to determine how the requirements and criteria of Article 8 of Regulation (EU) No 910/2014 shall be applied for electronic identification means issued under an electronic identification scheme.

2.1. Enrolment

2.1.1. Application and registration

Elements needed, by assurance level:

Low
1. Ensure the applicant is aware of the terms and conditions related to the use of the electronic identification means.
2. Ensure the applicant is aware of recommended security precautions related to the electronic identification means.
3. Collect the relevant identity data required for identity proofing and verification.

Substantial
Same as level low.

High
Same as level low.
2.1.2. Identity proofing and verification (natural person)

Elements needed, by assurance level:

Low
1. The person can be assumed to be in possession of evidence recognised by the Member State in which the application for the electronic identity means is being made and representing the claimed identity.
2. The evidence can be assumed to be genuine, or to exist according to an authoritative source and the evidence appears to be valid.
3. It is known by an authoritative source that the claimed identity exists and it may be assumed that the person claiming the identity is one and the same.

Substantial
Level low, plus one of the alternatives listed in points 1 to 4 has to be met:
1. The person has been verified to be in possession of evidence recognised by the Member State in which the application for the electronic identity means is being made and representing the claimed identity and the evidence is checked to determine that it is genuine; or, according to an authoritative source, it is known to exist and relates to a real person and steps have been taken to minimise the risk that the person's identity is not the claimed identity, taking into account for instance the risk of lost, stolen, suspended, revoked or expired evidence; or
2. An identity document is presented during a registration process in the Member State where the document was issued and the document appears to relate to the person presenting it and steps have been taken to minimise the risk that the person's identity is not the claimed identity, taking into account for instance the risk of lost, stolen, suspended, revoked or expired documents; or
3. Where procedures used previously by a public or private entity in the same Member State for a purpose other than the issuance of electronic identification means provide for an equivalent assurance to those set out in section 2.1.2 for the assurance level substantial, then the entity responsible for registration need not to repeat those earlier procedures, provided that such equivalent assurance is confirmed by a conformity assessment body referred to in Article 2(13) of Regulation (EC) No 765/2008 of the European Parliament and of the Council (1) or by an equivalent body; or
4. Where electronic identification means are issued on the basis of a valid notified electronic identification means having the assurance level substantial or high, and taking into account the risks of a change in the person identification data, it is not required to repeat the identity proofing and verification processes. Where the electronic identification means serving as the basis has not been notified, the assurance level substantial or high must be confirmed by a conformity assessment body referred to in Article 2(13) of Regulation (EC) No 765/2008 or by an equivalent body.

High
Requirements of either point 1 or 2 have to be met:
1. Level substantial, plus one of the alternatives listed in points (a) to (c) has to be met:
   (a) Where the person has been verified to be in possession of photo or biometric identification evidence recognised by the Member State in which the application for the electronic identity means is being made and that evidence represents the claimed identity, the evidence is checked to determine that it is valid according to an authoritative source; and the applicant is identified as the claimed identity through comparison of one or more physical characteristic of the person with an authoritative source; or
   (b) Where procedures used previously by a public or private entity in the same Member State for a purpose other than the issuance of electronic identification means provide for an equivalent assurance to those set out in section 2.1.2 for the assurance level high, then the entity responsible for registration need not to repeat those earlier procedures, provided that such equivalent assurance is confirmed by a conformity assessment body referred to in Article 2(13) of Regulation (EC) No 765/2008 or by an equivalent body and steps are taken to demonstrate that the results of the earlier procedures remain valid; or
   (c) Where electronic identification means are issued on the basis of a valid notified electronic identification means having the assurance level high, and taking into account the risks of a change in the person identification data, it is not required to repeat the identity proofing and verification processes. Where the electronic identification means serving as the basis has not been notified, the assurance level high must be confirmed by a conformity assessment body referred to in Article 2(13) of Regulation (EC) No 765/2008 or by an equivalent body and steps are taken to demonstrate that the results of this previous issuance procedure of a notified electronic identification means remain valid;
   OR
2. Where the applicant does not present any recognised photo or biometric identification evidence, the very same procedures used at the national level in the Member State of the entity responsible for registration to obtain such recognised photo or biometric identification evidence are applied.

(1) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30).
2.1.3. Identity proofing and verification (legal person)

Elements needed, by assurance level:

Low
1. The claimed identity of the legal person is demonstrated on the basis of evidence recognised by the Member State in which the application for the electronic identity means is being made.
2. The evidence appears to be valid and can be assumed to be genuine, or to exist according to an authoritative source, where the inclusion of a legal person in the authoritative source is voluntary and is regulated by an arrangement between the legal person and the authoritative source.
3. The legal person is not known by an authoritative source to be in a status that would prevent it from acting as that legal person.

Substantial
Level low, plus one of the alternatives listed in points 1 to 3 has to be met:
1. The claimed identity of the legal person is demonstrated on the basis of evidence recognised by the Member State in which the application for the electronic identity means is being made, including the legal person's name, legal form, and (if applicable) its registration number and the evidence is checked to determine whether it is genuine, or known to exist according to an authoritative source, where the inclusion of the legal person in the authoritative source is required for the legal person to operate within its sector and steps have been taken to minimise the risk that the legal person's identity is not the claimed identity, taking into account for instance the risk of lost, stolen, suspended, revoked or expired documents; or
2. Where the procedures used previously by a public or private entity in the same Member State for a purpose other than issuance of electronic identification means provide for an equivalent assurance to those set out in section 2.1.3 for the assurance level substantial, then the entity responsible for registration need not to repeat those earlier procedures, provided that such equivalent assurance is confirmed by a conformity assessment body referred to in Article 2(13) of Regulation (EC) No 765/2008 or by an equivalent body; or
3. Where electronic identification means are issued on the basis of a valid notified electronic identification means having the assurance level substantial or high, it is not required to repeat the identity proofing and verification processes. Where the electronic identification means serving as the basis has not been notified, the assurance level substantial or high must be confirmed by a conformity assessment body referred to in Article 2(13) of Regulation (EC) No 765/2008 or by an equivalent body.

High
Level substantial, plus one of the alternatives listed in points 1 to 3 has to be met:
1. The claimed identity of the legal person is demonstrated on the basis of evidence recognised by the Member State in which the application for the electronic identity means is being made, including the legal person's name, legal form, and at least one unique identifier representing the legal person used in a national context and the evidence is checked to determine that it is valid according to an authoritative source; or
2. Where the procedures used previously by a public or private entity in the same Member State for a purpose other than issuance of electronic identification means provide for an equivalent assurance to those set out in section 2.1.3 for the assurance level high, then the entity responsible for registration need not to repeat those earlier procedures, provided that such equivalent assurance is confirmed by a conformity assessment body referred to in Article 2(13) of Regulation (EC) No 765/2008 or by an equivalent body and steps are taken to demonstrate that the results of this previous procedure remain valid; or
3. Where electronic identification means are issued on the basis of a valid notified electronic identification means having the assurance level high, it is not required to repeat the identity proofing and verification processes. Where the electronic identification means serving as the basis has not been notified, the assurance level high must be confirmed by a conformity assessment body referred to in Article 2(13) of Regulation (EC) No 765/2008 or by an equivalent body and steps are taken to demonstrate that the results of this previous issuance procedure of a notified electronic identification means remain valid.

2.1.4. Binding between the electronic identification means of natural and legal persons

Where applicable, for binding between the electronic identification means of a natural person and the electronic identification means of a legal person (‘binding’) the following conditions apply:

(1) It shall be possible to suspend and/or revoke a binding. The life-cycle of a binding (e.g. activation, suspension, renewal, revocation) shall be administered according to nationally recognised procedures.

(2) The natural person whose electronic identification means is bound to the electronic identification means of the legal person may delegate the exercise of the binding to another natural person on the basis of nationally recognised procedures. However, the delegating natural person shall remain accountable.

(3) Binding shall be done in the following manner:

Elements needed, by assurance level:

Low
1. The identity proofing of the natural person acting on behalf of the legal person is verified as having been performed at level low or above.
2. The binding has been established on the basis of nationally recognised procedures.
3. The natural person is not known by an authoritative source to be in a status that would prevent that person from acting on behalf of the legal person.

Substantial
Point 3 of level low, plus:
1. The identity proofing of the natural person acting on behalf of the legal person is verified as having been performed at level substantial or high.
2. The binding has been established on the basis of nationally recognised procedures, which resulted in the registration of the binding in an authoritative source.
3. The binding has been verified on the basis of information from an authoritative source.

High
Point 3 of level low and point 2 of level substantial, plus:
1. The identity proofing of the natural person acting on behalf of the legal person is verified as having been performed at level high.
2. The binding has been verified on the basis of a unique identifier representing the legal person used in the national context; and on the basis of information uniquely representing the natural person from an authoritative source.

2.2. Electronic identification means management

2.2.1. Electronic identification means characteristics and design

Elements needed, by assurance level:

Low
1. The electronic identification means utilises at least one authentication factor.
2. The electronic identification means is designed so that the issuer takes reasonable steps to check that it is used only under the control or possession of the person to whom it belongs.

Substantial
1. The electronic identification means utilises at least two authentication factors from different categories.
2. The electronic identification means is designed so that it can be assumed to be used only if under the control or possession of the person to whom it belongs.

High
Level substantial, plus:
1. The electronic identification means protects against duplication and tampering as well as against attackers with high attack potential.
2. The electronic identification means is designed so that it can be reliably protected by the person to whom it belongs against use by others.
2.2.2. Issuance, delivery and activation

Elements needed, by assurance level:

Low
After issuance, the electronic identification means is delivered via a mechanism by which it can be assumed to reach only the intended person.

Substantial
After issuance, the electronic identification means is delivered via a mechanism by which it can be assumed that it is delivered only into the possession of the person to whom it belongs.

High
The activation process verifies that the electronic identification means was delivered only into the possession of the person to whom it belongs.
2.2.3. Suspension, revocation and reactivation

Elements needed, by assurance level:

Low
1. It is possible to suspend and/or revoke an electronic identification means in a timely and effective manner.
2. The existence of measures taken to prevent unauthorised suspension, revocation and/or reactivation.
3. Reactivation shall take place only if the same assurance requirements as established before the suspension or revocation continue to be met.

Substantial
Same as level low.

High
Same as level low.
2.2.4. Renewal and replacement

Elements needed, by assurance level:

Low
Taking into account the risks of a change in the person identification data, renewal or replacement needs to meet the same assurance requirements as initial identity proofing and verification or is based on a valid electronic identification means of the same, or higher, assurance level.

Substantial
Same as level low.

High
Level low, plus: Where renewal or replacement is based on a valid electronic identification means, the identity data is verified with an authoritative source.

2.3. Authentication

2.3.1. Authentication mechanism

This section focuses on the threats associated with the use of the authentication mechanism and lists the requirements for each assurance level. In this section controls shall be understood to be commensurate to the risks at the given level.

Reading this document does not replace reading the official text published in the Official Journal of the European Union. We assume no responsibility for any inaccuracies arising from the conversion of the original to this format.