KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
And thanks for the opportunity to present here. I would have left to be in person about due to in Corona family situation. I'm in a quarantine situation at the moment I'm I'm I'm well, and everyone is well, in fact, but I can be with you at, at the moment. So I hope we will make it work remote. Yes. So I think in the, in the panel, we just learned, of course, that cybersecurity is a quite multidimensional game and game.
And I am gonna speak about a specific topic that I think is probably a little underestimated at times, but I think in the, in the, in the midst of the particular discussion right now, this is trusted identity. Next slide please. Yeah.
So here, here, I've, I've tried to show some of the dimensions that we just learned about. Yeah, of course there is like budget to buy technology infrastructure there's processes. And of course there are people and certifications of all types of, of things. And I think you're going to hear about this in the upcoming conference a lot, but I wanna really focus on a topic that is probably, as I said, a little underestimated in times, which is the topic of identity. And of course we all know that we, we, we probably have hopefully control of identity of the user's insight.
But the question is when you interact with external entities, which of course is the standard case and many systems, the question is how do you control the identity of these users and what I, what is the infrastructure that lies beyond that? And I'm going talk a little bit about current vision that the EU is actually establishing and I think is going, be quite a vital part of the discussions also of cybersecurity. Next slide please.
Yeah, here, you see the already quite complex landscape that we see at EU level, and that is gonna be relevant for everyone who is providing services in the EU. And of course you see it's quite a bunch of regulations and I'm just running through this very quickly. So in general, there's EU cybersecurity act that is really laying out a new certification framework and also it's is giving Anisa quite prominent role. We of course also see that, of course, privacy is a big topic.
We know GDP GDPR has been a big game changer and also be quite transparent signal to other countries and other states that data privacy is important. Of course, then of course, where we have the ni, which is addressing the infrastructure topics also interesting because it means there will be new supervisory activity on infrastructure that we have D a and DMA digital service act, especially, which is going to regulate platforms.
It's probably more directed to the, to the global platforms of the big GFA and the last piece and the cake, so to speak is what is called the Ida regulation, where Ida stands for electronic ID authentication and signature. And this is actually regulating as of 2014 already the topic of identification and trust services. And there is a new revision that's just being positioned by the commission few weeks ago. And I'm gonna speak a little more about this, the next slide. Next slide please. So in the, in the, in the, in the core, of course, it's really the question whom can I trust?
And of course this is, this is vital both internally as, as well as externally. I mean, internally, of course, you probably have processes in place to regulate who is working in your system and who is he full member as he qualified whatever. But of course we, we are acting in a global space and, and so you have to interact with, with a lot of entities all the time, and it's not always clear if you are really interacting with the right person. And of course, a lot of the cybersecurity breaches that we see there are not due to some big mathematical or technology advice.
They are simply due to the fact that it's possible to, to assume an identity because of some social engineering or others. And there is no way for the relying party to really know who you are speaking to. And of course, we, we see two general trends here. The first one is, is of course that there's a whole trend working for more decentralized structures. So of course, blockchain and DLT come into mind here as this, I has been a big discussion, and of course there are all the other customed technologies. And we see on the other hand, a big technology trend, a political trend.
That means there is a trend towards regulation as you saw on the previous slide. And so I'm now going to dive into this vision of the EU to establish identity framework and the trust space. And what this about. I'm gonna show the next slide. Next slide.
This, yeah. So I'm really gonna explain, try to explain this in, in a like trio. So we'll start with trusted ID. We will then explain what the role of the mobile environment is in this. And finally we are addressing trust services. Next slide please.
So, so basically at the core of all, this is a quite small step, but it's a very significant one. So the new regulation actually imposes an obligation onto every member, state of the EU to actually issue digital identities, which is not the case for, for all the countries, but of course already for a majority, but even more important. There is the obligation to actually recognize these identities cross border, as, as if these are actually analog identities, of course, you know, analog documents like the passports and identity cards are already established and they have to be recognized.
There is now in this proposal and obligation to actually recognize identities in a digital form for every citizen and company cross border within the EU. And so of course, this is already claims the vision of establishing finally, a digital trust space within the EU common market. Next slide please.
So, so how is this gonna work? And the idea is that this is going to happen by the introduction of the architectural concept of the European digital identity wallet. So maybe in this point of the discussion, we have to be a little careful.
Of course, everyone in Germany has been aware that there has been a specific specific project in, in September, right before the election, where there was an ID wallet introduced. And it was only out for a day and was UN shut down for, for technical and other reasons. So this is a very specific implementation of a technology here. The wallet really not refers to a specific technology at the moment. It's really an architectural concept.
So that the idea is that every EU citizen gets such a piece of software, especially on its mobile device, which is either issued by the member state itself or on with some agencies or companies on its behalf. And this technology, which is right now in the definition should of course be secure interoperable. And as I said before, mutually recognized, but I think what we can read from, from the proposal of the commissioner right now, it's, it's at the moment, really technology agnostic approach. So there's no not a specific technology, be it PKI or SSI or, or something else.
It's more an architectural concept that has to be filled out than by the individual member state. But basically of course, this wallet land should be the basis for the digital identity within this trust space. And of course it's a sovereign task of the individual member state. Next slide, please.
Now, of course, if you, if you move it to a mobile environment, which of course is, is, is a key success factor for making this happen, then it's clear that to establish appropriate security. We need some, some technical security anchors, some trust anchors. So it's quite clear that access to secure elements is probably the most vital point that needs to be addressed.
So you are probably aware that I would say almost all mobile devices that are issued now come with a secure element, which is basically secure micro controller, very comparable to what we know from banking cards or government ID documents. So it is a very secure trust anchor, but of course within the big platforms like, like apple or Android, it's not clear how the access to this is actually and which how broad the access actually is.
So also as we travel to, to the other regulations that we've seen, especially as the digital market and digital service act, it's quite clear that this could actually be a possibility to, to govern this access, at least for governmental purposes and therefore allow business users and provide us of, of, of accelerate services to also secure the element in smartphones. So it's from our point of view, quite crucial that at least some type of access is made possible here in a global way. And perhaps right now, there is no proper legal basis for this.
So it's certainly to be expected that either from the DMA or DSA side of the game, or from Theda revision itself, there will be something like an obligation to open up these secure trust anchors for the usage, at least of the trusted ID wallet. And of course, this is going to be one of the big policy discussions, I would guess in the next month or years course, of course, this is something that these big big platforms have to consider very carefully. And it's not the first choice of course, as, as secure element is also their primary trust anchor, next slide.
And of course, having addressed already the topic of, of security and certification, it's also clear that we will have UI recognition, but this of course needs to be done on standards that are being established right now, of course, it's, you know, that in this process that has been started now, there is the so-called tree log in which the parliament, the council and the commission are discussing, and of course so-called implementing X needs, needs to be written.
And of course it's clear that these implementing X will, will also need to reference appropriate standards that typically will be on the Etsy level, or maybe even on the ISO level. You, you should be aware that for the mobile driving license, for example, which is one typical way of, of using such a mobile thing, there is already an ISO standard that's quite capable. It's also the standard that for example, apple and I think also Google with an Android has implemented. So it's clear that there's already some international standards underway or already present.
And of course then based on this, there needs also be a certification scheme so that the security of this wallet can be recognized by third parties and can also be verified by by third parties. And of course, this is, I guess, also a vital component in establishing the right trust for this EU wallet, next slide piece. And here you see a very rough architecture really of how this wallet will probably look like and, and, and work.
So in the, in the, in the middle, you see the application itself, that's once on, on, on the mobile device of the citizen. And on the left hand side, you see, of course there needs to be mechanisms of provisioning this wallet as software from the appropriate stores. So once the wallet then is in place, and of course there needs to be some provisioning of identity, which really refers to the governmental identity, meaning there is then a trusted governmental thing. Interestingly enough, the model is much broader than the classical ID card.
When you look at your German ID card, for example, there's your name, maybe your academic title, that's addressed your date of birth and, and that's it more or less, but the idea of the wallet is that it's really much broader. So next to your identity, that comes from a government source. There are other attributes that can be provisioned onto this. This of course can be other personal attributes, like your email address, contact data, also maybe a specific job related thing. You are a doctor, you are a nurse, you have some legal certificates, other things.
And of course for this, there's also a provisioning process. And of course the source of this also has to be a proper source to make this attribute actually verifiable. And this is also a process that's being defined in a certified way. And once you have all this data in the wallet, then of course, on the right hand side, you see the relying party that can access the, the wallet over at API. And of course, much important here is, is the topic of validation.
So there are also validation mechanisms so that you can make sure that an attribute on idea that you read out from the wallet is actually authentic. And of course, for all this on the right hand side, you see there is trust to be established in form of a so called trust list where you can look up, is this actually a trusted provision from a member state? And of course there is certification that supervision of all this to make sure that the whole ecosystem stays in a secure state.
This is basically the general architecture that is being worked out now and will be laid down in implementing X and should be ready to go really by end of next year. Next slide please. So finally then of course, when you have the trusted ID, then the question is what do you do with it? And of course, this is where the concept of trust services comes into it. So trust services is, is what the, the IDAs regulation refers to and has formally been known, for example, as something like qualified signature and other things, but it's a much broader concept now.
So basically these are the consumers of the trusted IDs that, that we have inside the bullet now. And it's probably important to, to note that with the new revision, this trust services and the digital identity that really grow together, and the EU actually is very much using this as a toolbox to implement trusted processes in the digital form within other regulations. So some of you from the financial sector may be aware of the so-called PST two, the second payment directive in which new services are being defined, and they are secured by means of this Ida trust services.
But we also see new trust services here. And as I said before, the, the, the issuing of the attestation of attributes is also defined as a qualified trust service because of course the, the quality of this attributes is vital for the success of this whole identity architecture. So basically we see that these trust services will, will then form.
So to say, say the, the second half of the game, once the trusted idea is established. And, and of course we see an enormous opportunity here for the digital single market for all European citizens to make use of this. And of course, for relying parties companies to, to, to use this, to enhance the security of the processes and all of this, it's a rather steep timeline's gonna be finished specification wise, end of next year. Next slide please.
So of course, one of the topics that, that we see is as, as in all of these things, we probably need Harmon is a stronger harmonization for the requirements also of the certifications. Cause at the moment the national supervisory bodies are not always aligned on what they're doing. And therefore the conformity assessment is not always happening on a plain level playing field, so to speak. So we certainly need a more centralized approach. And of course, one of the big questions is in za going to play a stronger role here where we see a different agency from Brel coming up.
And of course, certainly we need to transition period in which the already existing systems will, will migrate into this common trust space. Next slide please. Okay. So this is already I, I come to, to the end.
So I was trying to, to convey you a little bit of the identity vision and the trust vision that the commission is laying out with a trusted idea as a basis with trusted mobile IDs and wallets to make this happen as an implementation and with trust services to, to, to really make use of this in the ecosystem that we are all establishing all this based in the end on secure hardware as trust. So finally, next slide please. Yeah. So summing up, we see cybersecurity is a complex game and has a multidimensional approach that we will all need need to make happen.
But we, as of course, are, are convinced that trusted identities for users will actually play a vital role in the, the general security of such an infrastructure and the upcoming regulation and implementation. We feel will build up a strong infrastructure that could be of immense use for the EU cybersecurity infrastructure. And so it's certainly going to play a wider role, I think in all discussions that we see in the upcoming month and years, but thanks very much.
