3 Dimensions of Digital Sovereignty

Thank you Yako. We, we could do Dutch today together.

Okay, well good to see you everybody. Indeed. We have in a moment.

Well, we already have Ben, we there. Ben WAIS is in France. He couldn't make it to come here. This is my, well, I missed one European identity conference and during the coffee break, a lot of people say How? How come? Why do I heard about one Welcome.

Well one, welcome. I welcome. I've been in Siam for 10 years.

We were, well that was our claim, at least European Siam provider. We cared a lot about user experience but also a lot about sovereignty, about protecting the data, about consent management and so forth. And October last year we got acquired by Tais Talls Digital Identity and Security and that is a large organization in digital identity, about 15,000 people with all kinds of technologies. Technologies for, well we are close by pass keys, but also like wallets, pki, HSMs.

So a lot of related technologies and the topic that we would like to talk about today is following up on Mark Schrems about sovereignty and then especially what kind of technologies we can deliver to provide the, the sovereignty. And we will take that from a few directions. We will look at it from a user's perspective. So how can we protect the sovereignty of the individual, the user? How can we provide sovereignty for our customers? So customers have to control their data. They need to comply to the rules that of the regulations that we just heard.

And last but not least, how can we live in a geopolitical area? So here we live in Europe, but there are other geopolitical areas that also want to protect their data and have regional rules here. Think about New Zealand and Australia. So combining all of this, we thought that it would be good to not only focus at pure IM, but take that a bit broader and that is exactly why I invited UA to present to you the broader perspective on sovereignty from all these three angles as well as from what we tend to call the edge and the core. So the user device and where the data resides.

So with that, I would like to give the word to . Hello.

So, so having said that, the picture you have is not me. Okay.

You see, I'm not, not a lion. And the second point is that it's not because you know, I spent several years in Bavarian, so I have the, no, you know, of the Bavarian lion.

It's just, you know, to illustrate the topic we are going to to cover in this presentation, which is about sovereignty, Martin, if we go to the next slide, the way, I mean we can define this, sovereignty is at three different levels. The first part is obviously at individual level. I want to be able in control of the data that I present. This is coming with all the notions that you all know around, you know, the cells identity.

The second element, the second level is at level you are an enterprise and you want for sure as an enterprise, as a company, as an entity to master, you know, the way I mean your data is, is being shared, is being protected. And there is as well, you know, this third notion, which is the most abuse one, which is at regional level, it was a bit, you know, covered in the precedent presentation.

You know, the fact that you want your data to reside in a dedicated region for instance, which can be a good discretion of the sovereignty concept as introduc by by Martin. The way we see that is not only at these three levels, individual, organizational and regional that we cover. We have for instance, couple of agreements that we signed, you know, to provide data security with the hips. But it's really, you know, at this edge and core side.

So meaning both, you know, in the way we can secure the data in the device that is in the hands of the individual and the way we can for sure, as I just mentioned, I mean protect the data when it's residing on the core, meaning on the cloud side.

To illustrate that, I would like that we think, you know, together that we review together six topics which are a bit seen as challenges, you know, in this adoption of this I would say digital sovereign or if we are a bit more precise, the adoption of this self-sovereign identity or even more precise, you know, we can take one example, which is the EU ID wallet. You know, what are these challenges? The first two that you have on the left part of the slide, security and convenience came first in a survey that we run within seven countries in Europe.

We had, you know, around thousand 800, you know, people that were interviews. So in these, in these seven countries, and we were asking, you know, what are the main, you know, blockers or challenges that you're seeing as an end user when deploying this EU ID wallet? And the two points that came first is the security. So we have to take this notion of security in the broad sense of the term, including, you know, the privacy elements that were covered in the precedent presentation.

But it's interesting to see that 60, 66% of the respondents, you know, highlighted this as being the main criteria. The second one is the convenience. And I have to say we don't have to undermine, I mean this one because depending on the edge, for instance, the, the younger, I mean the people were the more, you know, they were taking care about this convenience topic. So those who are really, you know, the two main pillars to ensure that people would feel at ease when deploying the EU ID wallet. I will not detail now all the topics which are there because I will cover a bit more into details.

Three of them, I will speak about security, I will speak about interoperability. I will come back on the regulation point, but let me speak about convenience, I just adjusted it. We have then the device dependency and recoverability. I mean this one is important because this is as well a mean for us to ensure that we have a good level on of inclusion when deploying this digital sovereignty. Meaning if the devices you know, are not compliant or cannot fit, you know, with the expectations or the type of technology we want to deploy to ensure the sovereignty, we have a problem.

So we have a huge challenge, I mean behind this one and last one is the, is the business model. The business model is an interesting one, it's an obvious one, but I was a couple of weeks ago in a, in a conference and we're speaking, you know, about, you know, challenges around, I mean these deployments and namely about business model. And I had one remark coming from someone you know at the api, so European payment initiative. And it was mentioning that when you are in such highly regulated, you know landscape, we have to be very careful about the way you data mine, I mean the business model.

Because if you are too strict, you know, given the fact that the regulation could completely change, you know the way the money flows, you know from one you know, entity to the other, you can put at stake your entire business model. So we have, and this is why I put here, you have to keep this flexible and clear business model to ensure the success of the deployment. So let's come now more into details on these three points.

I mentioned security first, the security as mentioned, we have to ensure it, I mean from the edge to the core and you know, this is of the points that we particularly have in mind. You know, at Teles we are present on the two sides of the, of the equation. We are delivering, I mean secure elements. I mean I'm sure you have, you know, in your pocket one of the devices we are providing, you know, and that, and that's, you know, one of these secure element can be a passport, it can be you know, a sim card, it can be a banking card wherever. This is on the other side.

I mean you have the, what I call them in the core, which is a bit Porwal of these secure element. We have the hsm, which are basically a sort of replication of the secure element.

You know, this is a safe that is sitting on the core part of the, of the equation you have as well, you know, all the kms or the key management solutions that we are providing. But when we are looking at that, we really want them to take it by the holistic approach. Not considering, you know, just one aspect and the other or the other, but really the entire chain. One message I would have to, I would like to pass here is that we should not try to reinvent them in the wheel.

I mean for sure we have, we'll be facing a new problematics, but we have as well fields proven solutions that have been used you know, since quite some time. And we have to benefit from this experiment when this deploying, you know, this digital sovereignty or this, you know, EU I d wallet. Moving to the next slide, you, you know, when you speak about security you could say oi, it's very good, okay, you spoke about, you know, the secure element, et cetera. But there may be cases where actually the device, I mean you want to address has no secure element, et cetera.

And I think it's true and we have to acknowledge that we have, I mean to have, you know, a certain level of flexibility in the way, you know, we want to shape this end-to-end security. But this is, you know, raising a number of challenges like the one, you know, I put here and Emily on the interoperability because if you have, you know, different ways of implementing the security, being sure that one is equivalent to the other, that you're not breaking, you know, the entire security cause the device is a weak point in your encryption. This is a very important point.

The second element I would like you know, to highlight here is the vast number of use cases we are addressing. And you could have as well, I mean, you know, there is a huge versatility in terms of use cases. If you look for instance after the document, you know, issued as per, you know, the new regulation, I mean there is a lot of use cases which are mentioned and this is, this can cause, you know, some issues in terms of interoperability. And the last point is that you could have in other factors and national regulations, which are telling you, okay, fair enough.

I mean you define, I mean this has to be implemented this way, but my own constraints, I mean my infrastructure is deployed this way. So it has to be that way. And there is behind that, you know, this interpretability challenge. Let's move to the last one, last one I mentioned is on the regulations. So I put here a number of regulations. So as you can notice, I mean the list is not, you know, complete. I did not put you o GS two, you know, there could be many, many others. There is no quiz.

So I will not ask you, you know, to tell me what are, you know, the precise, you know, meaning of each of the acronyms which are there, but you recognize in Digital Market Act, digital services Act, cyber Resilience Act, cybersecurity act and so on and so forth. What is interesting is that they're all part of the topic we are discussing and the the worry, you know, I have behind that is the consistency between all of them and the time that we have, you know, to implement that.

And I think it's very important that we have this capability, you know, to benefit, you know, from this return of experience to be sure that, you know, okay, there is, I mean the consistency that can be expected from, from all of us at the end of the day to solve the two topics I mentioned, you know, the one on interoperability and the one on clarity. I would like to advocate, you know, the, the need for a clear certification scheme.

We already have, you know, a lot of ingredients which have been working, worked out, you know, notably by the enza, which by the way has been mandated, you know, to work on this approach in terms of certification for the EU I d wallet. But I think it's really important that we have something that is clear with no discrepancy.

You know, if in one country it's on the paper, the same certification, but actually it's much more easier. I mean to get it in one country, we'll have a problem at the end of the day we will break, you know, this entire security I was mentioning, and again, if we are weak on the security side, we'll have a weak, you know, success from this digital sovereignty we are seeking for. Let's move to in this slide, what I wanted, so I spoke about, you know, some of the challenges I highlighted, you know, six of them and we went a bit more into details on, on particularly three of them.

What I want to mention here is that when we are working on this topic, we should look a bit forward, not just, you know, at what we wanna make to achieve today, okay, the digitalization for instance of an existing, you know, physical document, et cetera, which we look at as well, what is upcoming, you know, and I put here, and you are already conscious of that, you know, the fact that tomorrow, this type of solution we want to implement, if I'm creating a wallet, it could apply tomorrow for the iot market. And the iot market is very vast, very diverse.

Put here the example of the connected cars, but you have as well, I mean very low end devices, which are, you know, causing, I mean the type of issue I was mentioning, you know, in terms of having a constraint, I mean devices that needs to ensure instance the level of assurance high. The second point is on digital ID for virtual world. I mean we've been engaged, you know, with some of our customers on this merge between the web two and the web three and the metaverse.

But obviously, you know, this point is we have, I mean to have that in mind what we, we, what we are going, I mean to deliver will not only cover you know, the physical world and going a bit further when you are Francis the, in the metaverse in this virtual world, I mean there is, you know, the willingness, you know, to pay there is this notion of cryptocurrency, okay?

And you could have, you know, there implications of what we deploy in terms of KYC or a m l of or it could be, you know, in one of the use case that is popping up, I mean these days, which is about the c C, so the central bank and digital currents. The last point on the slide is related to a topic I already mentioned.

This is, you know, I mentioned, you know, in the long list of regulations that it was the cybersecurity act, the Cyber Resilience Act, which are claiming, you know, the fact that you will be able, you know, to upgrade, you know, your overall security case. I mean there is a bug or there is discovered them in weakness when, good example, you know, that we need all, you know, to take into account when deploying.

For instance, the E U ID wallet is on the pqc side, which is there we could say, okay, oi, you are dreaming, okay, we will not have any quantum attacks, you know, in the next, you know, 10 years, you know, on this type of solutions maybe, but what is the time then, you know, to protect what is the time, you know, how will you protect against attack with, you know, stealing and start storing you know, your data and waiting for the time and they can decrypt it, you know, to reveal, I mean your, your secrets.

So this is really something we check seriously into account we are intensively working with. To conclude, I would like to recap what I was mentioning in the in introduction and what I put, you know, on the top of the slides is almost, you know, the Talls logo. I mean this is building a future we can all trust actually what we want here all to achieve is building a future sovereignty.

We can address squeezed a bit, you know, the tells Mont, I may say it this way, I mentioned, you know, these six, you know, elements which are of utmost importance, you know, to be successful in this digital sovereignty. I took the example of the E Eid wallet giving you the result as well, you know, of a survey that we were conducting, which are by the way, available on our website. And if you go to our website and you do a search, you know, on this topic, you will get, I mean all the details around this, these surveys.

And the last point I wanted to mention is that when working on this at EU level, you know that there have been four large scale pilots being deployed. We are participating to two of them and we are really, you know, using, I mean this experience and this participation to, you know, adjust, you know, the way we will serve this digital sovereign. Thank you very much. Thank you both for this presentation. We do have one question from the audience.

It's, there is a view that HSMs cannot satisfy LOA high requirements. What is your opinion? I think I would then to the i f so the architecture reference framework, which was edited by the Digi Connect in its second version a couple of days ago. And the highlights, you know, in this edit version, which is by the way, very interesting. I really encourage you, I mean to read it three different ways, you know, of ensuring this uha high. And the first one is what I mentioned can be around the elements, et cetera. And one is precisely the usage of hsf.

So I would not pretend that, you know, what is right in Europe is totally wrong. So I would humbly, you know, refer, I mean to the, i f to say that I believe we can obtain, you know, a high level of insurance leveraging on hsa. Thank you. Thank you Martin.

Betel, thank you. Oi, thank you for this very interesting session. There are lots of challenges in front of us. Next time you'll come to us, you need to talk about the next steps. All right.