ID:SMART 2026 Workshop

Date: 18.-19.02.2026
Location: Fraunhofer SIT
Rheinstraße 75
Darmstadt
This event is recognized as continuing education for the purposes of T.I.S.P. recertification.

Program

Day 1 (Wed, Feb 18th, 2026)
09:30 Registration and Coffee
10:00
Gisela Meister
Opening
Block 1 - CRA
10:10
Vangelis Gazis (requested)
Huawei
Wearables CRA
10:40
Ivan Plajh
CENELEC
Secure Element / Smartcards / CRA
11:10 Coffee break (20 min)
11:30
Cord Bartels
Expert CEN/CLC JTC13
A Risk-Based Approach to Sectoral Cybersecurity: Guidance for the application of EN 18037 in support of the Cyber Resilience Act CRA

EN 18037, which was published in 2025, specifies a methodology for conducting risk and security analysis in complex multi-stakeholder ICT systems. This includes the identification of appropriate security and assurance level requirements for ICT products based on risks associated with their intended use in a dedicated sectoral system context. The presentation shows how this methodology can be used in support of the CRA, particularly in supporting product manufacturers and standard development organizations in determining risks that may be caused by ICT security incidents associated with specific products and in defining appropriate security requirements.

12:00
Jens Oberender
SRC Security Research & Consulting GmbH
Defining the scope for high security assurance in Cloud-based products

Traditional security assurance was built for static environments like smartcards. Today’s reality shatters that model: How do you certify a product when critical security functions (TSF) rely on external parties, e.g. Cloud Service Providers for Cloud applications? We analyze the friction between TOE boundaries and infrastructure, mapping security contributions across ownership lines. We discuss modeling EAL4 security functions when vendors lack source-code access, aiming to maximize assurance despite "black-box" dependencies. Our approach provides a roadmap for navigating shared responsibility in modern certification.

12:30 Lunch break (60 min)
13:30
Thomas Gilles
BSI / DI 22
Ralf Spenneberg
Open Source Security GmbH
ConformXpert - Assessment Tool ETSI EN 303 645

ETSI EN 303 645 is a world-class standard for the security of Consumer IoT products. The new tool conformXpert makes it easy to perform conformance assessments based on ETSI EN 303 645 with the test methodology of ETSI TS 103 701. For example, the tool enables the simple creation of an Implementation Conformance Statement (ICS) and automatically generates the necessary IXITs for requesting documentation. conformXpert helps you complete the IXITs with guidance. The CRA product requirements will be closely aligned with EN 303 645. Therefore, you can use the tool to prepare yourself for the CRA.

Block 2 - Wallets
14:00
Wijnand Machielse
SRC Security Research & Consulting GmbH
UPDATE on: Connecting the dots: How Harmonised Berlin Group Open Finance Standards are empowering EU Digital Identity Wallets with payments and account information services

Europe’s payments ecosystem, successfully initiated by PSD2 Open Banking, is now constrained by increasing fragmentation caused by proprietary, scheme-specific APIs and channel-dependent integrations. This complexity drives redundant development, higher costs, technical debt, and slower time-to-market, while limiting scalability, pan-European reach, innovation, and effective supervision.

A new wave of EU regulation (PSD3/PSR, FIDA, eIDAS 2.0, Digital Euro) provides a unique opportunity to move beyond Open Banking towards a truly harmonised Open Finance environment. This presentation introduces a coherent architectural approach: a Harmonised Universal API Stack based on a two-pillar model combining a shared pan-European Common Core API layer with scheme- or region-specific extensions.

The model demonstrates how harmonised data models, semantics, security, and channel-independent integration significantly reduce integration effort and lifecycle complexity, while enabling consistent service exposure across web, mobile, ERP, and treasury systems. The session outlines current ecosystem gaps, core design principles, harmonised capabilities (e.g., routing, onboarding, certification, alias services, liability), and the seamless integration of AI-driven agents. It concludes with a vision of a resilient European payments fabric where stakeholders compete on service value rather than integration friction.

14:30 Coffee break (20 min)
14:50
Andreas Plies
Authada GmbH
EUDI-Wallet – Migration as a Path, not a Switch: Transitioning from HSM-Based Concepts to Decentralised Secure Hardware Elements
15:20
Mirko Mollik
SPRIND
EUDI-Wallet Status + Roadmap

The EUDI Wallet will become a core digital trust infrastructure in Europe, enabling secure identification, verified credentials, and qualified signatures. This talk outlines the current status of the German implementation, key architectural and security decisions, and lessons learned from prototyping and ecosystem onboarding. It concludes with a roadmap toward the 2026 rollout and the first wave of relying parties.

15:50 Coffee break (20 min)
Block 3 - Application
16:10
Karsten Kochan
gematik GmbH
Identification mechanisms for the German healthcare system

In the German healthcare system, all identities—whether card-based or fully digital—require the identification of natural persons. The General Data Protection Regulation (GDPR) imposes stringent trust requirements, which has led to a restriction in the variety of identification systems that have been approved for integration within the German healthcare system.

The recent approval of a video-based hybrid identification system for use in the regulated healthcare sector marks the conclusion of a three-year period during which card-based remote identification systems were the sole permitted option (alongside on-site procedures). The talk gives an overview of the current situation regarding identifications in the healthcare sector.

16:40
Olaf Henniger
Fraunhofer IGD
Application of new biometric data interchange formats in machine-readable travel documents

The ISO/IEC 39794 series of standards specifies biometric data interchange formats based on ASN.1 (Abstract Syntax Notation One) and its Distinguished Encoding Rules, yielding binary tag-length-value encodings and enabling future extensions. To make the new data formats adaptable to different purposes, only the core data elements are mandatory. Data elements that can be useful for some purpose but are not always necessary are optional. Application profiles may declare optional data elements as mandatory or deprecated for a particular purpose, e.g. for storage in machine-readable travel documents (MRTDs). According to ICAO’s timeline, from January 2026 onwards, MRTD inspection systems must be ready to handle the new data formats because newly issued MRTDs may use them. From 2030 onwards, all newly issued MRTDs must use the new data formats. In preparation for the roll-out, application profiles for face and fingerprint image data in MRTDs have been developed, and prototypes of MRTDs and MRTD inspection systems from multiple vendors have been tested multiple times for interoperability. However, some choices are still left to the national MRTD issuers. To assist in deciding which options to support when storing biometric data in MRTDs, this paper summarizes the application profiles for face and fingerprint image data and discusses the remaining options.

17:10
Tim Ohlendorf
IBM Consulting
An Introduction to Confidential Computing

Confidential Computing secures data-in-use by leveraging hardware-based Trusted Execution Environments (TEEs) and Remote Attestation. This session explores how the technology reduces the trust gap in cloud and edge environments, covering TEE architecture principles, attestation flows, and secure secret provisioning patterns. Real-world use cases and practical implementation considerations are examined. The presentation provides security professionals with foundational knowledge for understanding and building robust Confidential Computing solutions.

17:40 Break / Hotel check-in
19:00 Dinner
Day 2 (Thu, Feb 19th, 2026)
09:00 Opening
Block 4 - Side Channel/Cryptography
09:10
Peter Günther
Utimaco IS GmbH
Volker Krummel
Utimaco IS GmbH
Distributed stateful hash-based signatures for applications on constrained devices

Stateful hash-based signatures (SHBSs) are an important building block for post-quantum security. For example, for firmware signing only SHBSs fulfill the post-quantum regulatory requirements from CNSA and BSI at the same time. On the one hand, SHBSs are based solely on hash functions, have a high maturity, and their signature verification is efficient. On the other hand, securely handling their state is often difficult in practice and signature generation is inefficient. In our presentation, we show how the state can be handled securely in practice and how the signature computation on constrained devices can be supported by the infrastructure.

09:40
Lukas Varnhorst
Referat T 11 - Chip-Sicherheit / BSI
Side Channel Attacks on a Discount?

Modern eID systems are typically penetration-tested and certified (e.g., under Common Criteria). Yet, they remain deployed for many years, during which new side-channel attacks can emerge, as seen recently with EUCLEAK and "Side Journey into Titan." We ask: as of 2026, are such attacks still limited to well-resourced organizations, or can individuals also perform them? Focusing on advanced electromagnetic (EM) side-channel attacks—commonly assumed to require expensive setups—we show that low-cost equipment alternatives now exist for most components. This suggests that even hobbyists could realistically mount such attacks.

10:10 Coffee break (20 min)
10:30
Armin Lunkeit
procilon GmbH
Transition to PQC - challenges and approaches

Post‑quantum cryptography (PQC) migration poses significant strategic and operational challenges, as current RSA‑ and EC‑based systems risk becoming vulnerable with the advent of large‑scale quantum computers. Organizations must weigh short‑term mitigation measures against their limited long‑term effectiveness. A sustainable approach requires adopting PQC‑capable infrastructures, which includes redesigning key management architectures, updating chip‑card–based processes, and renewing the public key infrastructure. The transition introduces substantial complexity, particularly regarding certificate renewal cycles, key custodianship models, and the re‑encryption of sensitive archived documents.

11:00
Frank Morgner
Bundesdruckerei GmbH
Jan Klaußner
Bundesdruckerei GmbH
PQC Migration

The Post Quantum Support Action (PQCSA) is an EU project intended to raise awareness and to support the steps toward adopting post-quantum cryptography (PQC). This talk shares practical experience from PQCSA workshops and shows how different communities understand and approach maturity and preparation for PQC. We present lessons learned from practical exercises and discussions on migration paths, with a particular focus on our work on integrating PQC into identity and access management systems. These experiences reveal both technical and organizational challenges that typically arise in real environments. Finally, we outline key gaps we have identified in the European PQC roadmap, including a lack of practice-oriented guidance, insufficient coordination between standards, and a lack of support for sector-specific transitions.

11:30
Adrian Marotzke
NXP Semiconductors N.V.
Post-Quantum Secure Trusted Execution Environment on RISC-V

A Trusted Execution Environment (TEE) is a secure area of the main processor of a connected device that ensures sensitive data is stored, processed, and protected in an isolated and trusted environment. A TEE is a key component to enable secure applications such as identification and payment. However, there are currently no suitable & mature TEE solutions for RISC-V, and current TEEs are also not yet secure against the threat of quantum computers. This talk will present our ongoing research work on enabling post-quantum security for TEEs on RISC-V, based on the open-source RISC-V SoC framework Chipyard and the open-source TEE framework Keystone. This includes algorithm selection, implementation optimization and hardware acceleration. Our results show that a post-quantum secure TEE is feasible for RISC-V, though more work is needed for a mature commercial solution.

12:00 Lunch break (60 min)
13:00
Johannes Mittmann
BSI / Referat V 31 - Grundlagen kryptographischer Verfahren
Linux Random Number Generator and AIS 20/31 Compliance

Since 2012, the BSI has commissioned an ongoing study to document and analyze the Linux random number generator from a security perspective. This presentation will outline the current status of the Linux random number generator and discuss its compliance with the recently updated AIS 20/31 evaluation guidelines.

Block 5 - ID
13:30
Arno Fiedler
Nimbus Technologieberatung GmbH
Identity- and Trust Service as Regulated Technologies in Europe: who will survive?

Since 2016, a harmonised market for trust services has developed in Europe based on the eIDAS Regulation. Thanks to CEN and ETSI standards, not only are data formats interoperable, but security levels and audit procedures are also comparable.

The amendment to the eIDAS Regulation now imposes numerous new NIS/2 requirements on trust service providers, particularly with regard to availability and the supply chain. In addition, PKI software is regulated by the Cyber Resilience Act (CRA), and further new testing requirements are imposed on hardware by the Commission Implementing Regulations (CIR).

The presentation will therefore address the question of whether the market for qualified trust services, currently estimated at €400 million per annum, will remain in its current form, especially since signature and identification services will be offered free of charge by government wallet providers from 2026 onwards.

14:00 Coffee break (20 min)
14:20
Stefane Mouille
Cabinet Louis Reynaud
European standard(s) on essential cybersecurity requirements for identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers
14:50
Florian Domin
secunet Security Networks AG
Synthetic Identities, Deepfakes and Decision Support

The talk begins with an introduction to the GanDiff approach, which enables the targeted generation of realistic and consistent facial images—synthetic identities. This technology opens up new possibilities, such as creating legend material for OSINT analysts or reducing bias in AI training datasets. We then present our method for projecting real identities (facial images) into the system in order to work with them further, including use cases such as cold cases through synthetic age progression or the creation of photo lineups to support suspect identification. The talk concludes with a discussion of the risks posed by deepfakes in the context of identities and in general, and presents a deepfake detection solution designed to support decision-making within law enforcement agencies.

15:20
Markus Mösenbacher
Infineon Technologies AG
Christian Stengel
Deutsche Telekom Security GmbH
Digital ID – EU initiatives and different options to achieve Level of Assurance High

Discover the Future of Digital Identification: EU Initiatives and Pathways to High Assurance

Join us for a comprehensive overview of the global shift towards Mobile ID, highlighted by a successful European case study. This presentation delves into the various security options available, including cutting-edge Global Platform solutions. Looking ahead, we'll explore the possibilities of EU-wide interoperability, paving the way for a seamless and secure digital identity ecosystem.

15:50 Conclusions
16:00 End

Registration and Pricing

The registration deadline is 08.02.2026. If you register before the deadline, we charge a reduced fee. We ask you to take up this offer so that the seminar can be prepared as well as possible. Special conditions may be granted for students and trainees.

On registration ...                       before deadline    after deadline
Registration fee for the workshop         590,00 €           640,00 €
For owners of a CAST service package      450,00 €           500,00 €
Public authorities                        250,00 €           300,00 €
Student discount                          100,00 €           100,00 €

All prices are incl. 7% VAT

To pay the reduced fee, you should order the CAST service package now.

Information and Contact

If you have any questions please contact:

Moderator

Simone Zimmermann
CAST e.V. Geschäftsstelle
Phone: +49 (0) 6151/869 230

Administration

Simone Zimmermann
CAST e.V.
Tel.: +49 6151 869-230

Please note that we can only accept registrations via this online form and not via our fax number.

Routing


CAST e.V.
Rheinstraße 75
64295 Darmstadt
