Approval of private providers of identification and authentication solutions for interoperable user accounts

type: Article

Private providers of identification and authentication solutions can have their identification procedures recognized for access to interoperable user accounts.

Source: Federal Ministry of the Interior, Building and Community; Bundesdruckerei GmbH

For this purpose, the Technical Guidelines of the Federal Office for Information Security (BSI) TR-03107-1 and TR-03147 must be complied with nationally. Within the EU, the requirements of the eIDAS Regulation (Implementing Act 1502 and the Guidance) apply.

For the national recognition of private identification and authentication solutions, the Federal Government has designated division DVI 4 at the Federal Ministry of the Interior, Building and Community (BMI) as a “single point of contact”.

The following procedure applies to the recognition process:

• The project group eID-Strategy of the IT Planning Council with the participation of the BSI decides which levels of assurance are used in interoperable user accounts.
• Similarly, the PG eID-Strategy of the IT Planning Council with the participation of the BSI, decides which means of identification are used for the different levels of assurance in the interoperable user accounts.
• If a provider of an identification and authentication solution is interested in recognition for interoperable user accounts, i. e. for the registration for interoperable user accounts and authentication at a user account, the first step is to contact the division DV 2 at the Federal Ministry of the Interior, Building and Community.
• DV 2 agrees to a detailed examination by the BSI in the context of a decision of principle or rejects the application. The criteria for the decision are
• the technical and organizational framework conditions of the provider, such as the business model, as well as
• the intended processing and storage of user data.
• In the case of approval, the BSI shall assess the extent to which the provider meets the requirements for the aimed level of assurance set out in TR-03 107-1 and TR-03 147. For verification, it is necessary that the provider supply all the necessary documentation.
• The BSI forwards the result of the assessment to the BMI.
• Subsequently, the Federal Government and the Federal States are free to enter into specific agreements with the respective provider based on compliance with the Technical Guidelines of the BSI and eIDAS regulations confirmed by the BSI.

Contact

Please note the following information:

• In the interests of a consistent approach, members of the of the IT Planning Council should refrain from concluding bilateral agreements with individual providers as long as they have not received national recognition in accordance with the above-mentioned process.
• An evaluation by the BSI cannot be replaced by a TÜV certification or the like.
• Providers seeking national recognition must provide all the necessary documents and information for the assessment process to enable a complete assessment.
• An assessment process can begin at the earliest after all documents have been submitted.