ID:SMART 2025 Conference

Date: 19.-20.02.2025
Duration: 09:30-15:30
Location: Fraunhofer SIT
Rheinstraße 75
64295 Darmstadt
This event is recognised as continuing education for the purposes of T.I.S.P. recertification.

Program

Day 1 (Wed, Feb 19th, 2025)
09:30 Registration and Coffee
10:00
Gisela Meister
Opening and Welcome - Dr. Gisela Meister
10:15
Matthias Intemann
BSI
Impulse Speech

In an era where digital identities are the cornerstone of secure online interactions, the EU is striving to set global standards in cybersecurity through regulation and standardisation. However, the challenge remains: how do we foster innovation while ensuring compliance with evolving legal frameworks? This keynote will incentivise addressing the balance between security, interoperability, and technological advancement. From the complexities of the Cyber Resilience Act to the evolving eIDAS framework, opportunities and roadblocks through regulatory innovations try paying respect to the dynamic nature of cybersecurity. Can Europe lead the way without stifling technological innovation? Join us as we navigate the path toward a secure and future-proof digital landscape.

CAST Members can download the documents here.
10:45
Camille Dornier
Legal Officer at European Commission
CRA and its SR for important and critical products (remote)
Block 1 - Regulatory Aspects I - Moderator: Dr. Gisela Meister
11:15
Holger Bentje
PHOENIX TESTLAB GmbH, REDCA Chair
The application of the new cybersecurity requirements under the Radio Equipment Directive (RED)
EN 18031-x in practice

Wireless is in. Many products are now equipped with wireless interfaces to connect them to the Internet. This increases the risk of being exposed to cyberattacks. From August 1, 2025, only radio equipment that has implemented basic cybersecurity protection may be placed on the European market. In addition to the protection of the network, the protection of personal data and privacy and protection against fraud will also be an essential new requirement of the European Radio Equipment Directive (RED). These risks can be assessed using the new EN 18031-x series of standards.

11:45
Arno Fiedler
Nimbus
Harmonised governmental identities in the European trust domain, just a dream?

As early as 2012, the first drafts of the eIDAS regulation were already pursuing the objective of harmonising both trust services and state eID procedures in the European single market. While trust services can now interact in a uniform manner thanks to the ETSI and CEN standards for formats, protocols and certification policies, this is not yet the case for European eID services. In his presentation, Arno Fiedler shares his views on the success factors of the amended eIDAS regulation, which must be implemented by the end of 2026.

12:15 Lunch Break (60min)
Block 2 - Regulatory Aspects II - Moderator: Peter Rost
13:15
Markus Mösenbacher
Infineon
EU eIDAS-2, LSPs (1st run), Review on PID & ODI

The LSPs (Large Scale Pilots) funding program was launched in 2022 with a primary focus on introducing digital technology to citizens, businesses, and public administration. One of the key objectives of the LSP is to implement pilot projects for the EUDIW (EU Digital Identity Wallet). As of April 2023, four LSP projects have been initiated to work towards this goal.

The EUDIW aims to drive innovation across various use cases, particularly in governmental applications (PID - Personal Identity) and industry applications (ODI - Organizational Digital Identity). These application areas are recognized to have significant untapped potential in enhancing trust and security within the digital ecosystem.

The speech shows the evolution of the eIDAS regulation and highlights the identified obstacles and challenges based on an analysis of an LSP that focuses on the combined use cases of ODI and PID.

13:45
Torsten Lodderstedt
EUDI Wallet project of SPRIND GmbH
The EUDIW, Architecture and Rollout plan

The talk will present the status and overall architecture of the EUDIW as well as the architecture of the German EUDIW ecosystem. It will also shed some light on the current rollout plan.

14:15
Markus Vervier
X41 D-Sec GmbH
DORA in Practice

The EU regulation DORA marks a decisive turning point in the IT security landscape: instead of purely formal compliance requirements, robust evidence is now also required that established protective measures are actually effective. For IT security experts this means that classic measures such as penetration tests, vulnerability scans and the use of specialised security products gain in relevance, but are at the same time subjected to stricter scrutiny. Additional requirements in day-to-day practice arise from key new provisions such as the mandatory root cause analysis of incidents, the lasting remediation of vulnerabilities and the reporting of serious security incidents.

In addition, DORA brings into sharper focus areas that have so far been neglected: the systematic review of open source components and proprietary software, which until now has often been implemented only rudimentarily, will become a central task in future.

The regulation does promise a significant improvement in cyber resilience in the long term. However, it also requires considerable investment in personnel, processes and tools.

Using concrete examples, the talk shows how companies can further develop their security strategies and successfully meet the increased DORA requirements.
14:45 Coffee Break (15min)
Block 3 - EUDI Wallet Applications and Use Cases - Moderator: Dr. Andreas Wolf
15:00
Andreas Plies
Authada
Holger Frank
On challenges and advantages of mobile Identity management - EUDI wallet on mobile devices.

For several years, efforts have been underway to establish technical standards for the European digital Identity Wallet (EUDI-Wallet), a digital wallet designed for use across Europe. Technical details are still being refined within international standardization bodies.

One of the main challenges is developing secure solutions that comply with the stringent data protection and security requirements for the data of over 400 million EU citizens. In Germany, a temporary solution involving HSM-based central key storage has been adopted until decentralized storage becomes feasible for the majority of users.

This paper examines the challenges of implementing a secure and privacy-preserving decentralized wallet and outlines potential approaches for decentralized mobile solutions leveraging current and future secure hardware.

15:30
Karsten Kochan
gematik
eHealthID for the personal health record

Recap and outlook, looking back on one year of the German eHealthID and talk about how to improve the digital identity for the German health area more. Which new features are available with the January update and what to expect in 2025 when using the eHealthID to access your electronic patient record? With patient consent new options are available to the users allowing individual settings and security measures fitting to their needs. Biometric sensors, limited single sign on and extended device binding validity times are now available.

16:00 Coffee Break (15min)
16:15
Wijnand Machielse
SRC Security Research & Consulting GmbH
Connecting the dots: How Harmonised Berlin Group Open Finance Standards are empowering EU Digital Identity Wallets with payments and account information services

As the European Union advances its Digital Identity Wallet initiative, the established Berlin Group Open Finance standards, already adopted by 80% of the European market and beyond, are strategically positioned to enhance the EU Digital Identity Wallet's payment capabilities, creating a seamless bridge between digital identity and financial services. This presentation explores how standardised Open Finance APIs serve as crucial building blocks for integrating payment functionalities into EU Digital Identity Wallets.

16:45
Detlef Hillen
SRC Security Research & Consulting GmbH
Possible application scenarios in the banking industry

The new eIDAS Regulation stipulates (among others) that all member states (either themselves or via authorized service providers) must provide their citizens with an EUDI Wallet. In addition, areas of services are also defined in which the service provider shall (as an obligation) accept the EUDI Wallet in future for the purposes of user identification and authentication. “Banking and financial services” are explicitly mentioned in the regulation as one of these areas. However, the exact scope of this acceptance obligation in banking services is currently still controversial. The presentation provides an overview of the current state of developments and shows various scenarios for use in payment and banking applications.

17:15 Hotel check-in Break
18:30
Clara Pfeuffer
ATHENE Digital Hub Cybersecurity | Startups
StartUp-Pitch
  • Sign8 (München)
  • Infrafon (Freiburg)
18:45 Dinner
Day 2 (Thu, Feb 20th, 2025)
09:45 Welcome to the second day of the ID:SMART Workshop 2025
Block 4 - eIdentities - Moderator: Uwe Schnabel
10:00
Phillip Niemeier
Research Industrial Systems Engineering (RISE) Forschungs-, Entwicklungs-/Großprojektberatung GmbH
Securing the Future of Digital Identities: The Convergence of eID, Wallets and Confidential Computing

European states are facing challenges posed by global IT platforms that dominate identity provision, creating conflicts with national interests related to digital sovereignty and data protection. This presentation will highlight contributions to digital ID, electronic wallet, and confidential computing technologies, as exemplified by RISE ID solutions for the German public health sector. This initiative has the potential to serve as a model for other nations looking to enhance digital identity security and reclaim digital sovereignty.

10:30
Karsten Klohs
achelos
Challenges in Designing Mobile e-ID Eco-Systems

Four characteristics are essential for the design of e-ID eco systems:

  • ensuring full user control over their identity,
  • establishing and maintaining trust in the eco-system,
  • enforcing attack robustness,
  • and (preferably) supporting offline use cases.

This presentation illustrates the resulting challenges arising from different e-ID technologies, the initial identity provisioning, the relationship between assurance and attack resistance and decentralized designs, based on examples like the German e-Health Infrastructure, the EU Digital Identity Wallets, and systems handling classified data.

11:00
Armin Lunkeit
Procilon
Electronic Identities and Cryptography Applications in Use Cases of eJustice and eNotary Services

The digital transformation has led to the adoption of electronic identities and cryptographic technologies in eJustice and eNotary applications. These technologies enhance security, efficiency, and accessibility while ensuring compliance with legal and regulatory frameworks. eIDs facilitate secure authentication and authorization of users, e.g. in digital court proceedings. Cryptographic mechanisms, such as digital signatures and encryption, provide integrity, confidentiality, and non-repudiation. This presentation demonstrates their applications in eJustice and eNotary services and challenges in their implementation.

11:30 Coffee Break (15min)
Block 5 - Post Quantum Cryptography - Moderator: Detlef Kraus
11:45
Peter Rost (standing in for Leonie Bruckert)
secunet
Post-quantum Cryptography for Classified Information

Future quantum computers of a sufficient size and quality are able to break many widely deployed cryptographic algorithms. To tackle this threat, post-quantum cryptography (PQC) has been researched and standardized.

The migration we are facing is comprehensive and profound, as almost every IT security solution has to be adapted to use PQC. There is a particular urgency when it comes to sensitive information and systems with long migration times.

This talk illustrates PQC migration using the example of working with classified information.

12:15
Frank Morgner
Bundesdruckerei
Quantum computing and eIDAS

As quantum computing advances rapidly, the cryptographic foundations underpinning modern digital security face significant threats. This is particularly critical for trust services within the European Union's eIDAS (electronic Identification, Authentication, and trust Services) framework, and related ecosystem which ensures secure and trusted electronic transactions. Current cryptographic algorithms, such as RSA and ECC (Elliptic Curve Cryptography), are vulnerable to quantum algorithms like Shor’s algorithm, which can potentially break these encryption schemes. With the imminent rise of quantum computing, the necessity for Post-Quantum Cryptography (PQC) and an implementation of crypto agility becomes evident to preserve the integrity, confidentiality, and authenticity of the eIDAS ecosystem and the related services. The eIDAS framework, which relies heavily on digital signatures, seals, and timestamps, must transition to crypto agility and quantum-resistant algorithms to ensure trust in electronic identities, cross-border recognition, and secure transactions in a post-quantum world. This talk emphasizes the urgency of adopting PQC solutions to safeguard eIDAS trust services, highlighting the need for early preparation, standards development, and timely integration into current infrastructures. Failure to adapt could undermine the very essence of digital trust and security across the EU.

12:45
Markus Mösenbacher
Infineon
Launching into a quantum-safe future - first CC certification of a PQ algorithm

Within the next 10 to 20 years, quantum computers are expected to become powerful enough to break current cryptographic algorithms and endanger digital security. Documents such as eIDs that are issued today and remain valid for many years must be protected against future attacks by quantum computers. The same applies to encrypted messages and e-mails sent today, which can be stored and attacked later by quantum computers. Post-quantum cryptography algorithms such as the Module-Lattice-Based Key Encapsulation Mechanism (ML-KEM) are intended to withstand these attacks and strengthen the integrity of the digital infrastructure. A secure implementation of these algorithms is crucial in order to fend off classical security attacks.

The talk gives a brief introduction to the topic and addresses the general challenge for industry as well as for implementation and CC certification.
13:15 Lunch Break (60min)
Block 6 - Mobile Security - Moderator: Dr. Friedrich Tönsing
14:15
Tim Ohlendorf
IBM
An introduction to remote attestation schemes for mobile devices

Smartphones, once mere communication devices, have become an integral part of our daily lives. For security-critical use cases such as mobile banking, ensuring the secure and untampered state of applications and the mobile device they run on is of paramount importance. This presentation delves into the world of mobile remote attestation, exploring the state of the art in the field and demonstrating its real-world applicability. Remote attestation allows a verifier to confirm that a prover's system (such as a smartphone) is in a trusted state and has not been tampered with.

14:45
Dr. Jochen Saßmannshausen
Telekom Security GmbH
Enhancing Trust and Security in 5G/6G Base Stations through Secure Hardware Components
Insights from the BaseSec Project

The BaseSec project enhances 5G/6G security by addressing base station vulnerabilities to ensure high data rates, low latency, and reliable QoS.

It designs a hardware security module with a secure element and protected storage to safeguard cryptographic keys, detect tampering, and enforce authorized configurations.

After analyzing security gaps and compliance with standards like the CRA, the project now focuses on integration, protocol enhancements, system resilience and certification.

BaseSec will provide certification recommendations and input for technical guidelines and protection profiles to support secure 5G/6G deployment and a resilient communication infrastructure.

15:15 Conclusions and 2025 ID:SMART Workshop announcement
15:30 Fingerfood

Information and Contact

If you have any questions please contact:

Moderator

Members of the ID:Smart
Programme Committee
Email:

Administration

Simone Zimmermann
CAST e.V.
Tel.: +49 6151 869-230
Email:
