ID:SMART 2026 Workshop

Date: 18.-19.02.2026
Venue: Fraunhofer SIT
Rheinstraße 75
Darmstadt
This event is recognised as continuing education for the purposes of T.I.S.P. recertification.

Programme

Day 1 (Wed, Feb 18th, 2026)
09:30 Registration and Coffee
10:00
Gisela Meister
Opening
Block 1 - CRA | Chair: Gisela Meister
10:10
Evangelos Gazis
Huawei Technologies CTO Office
Risk Assessment Obligations in the Cyber Resilience Act: Case Study on Personal Wearables

The Cyber Resilience Act harmonizes cybersecurity requirements that products made available in the EU Single Market, as well as particular processes related to those products, must satisfy. In the CRA, these include the requirement to provide an appropriate level of cybersecurity based on the risks, which, in turn, highlights particular risk management obligations. This talk shall address the key risk management aspects that arise in the application of the CRA, scope the respective risk categories, and elaborate on the different tiers where the obligation to assess risks arises. Personal wearable devices shall provide the backdrop upon which to illustrate the application of these tiers. Moreover, the specific cybersecurity measures that the harmonized standard EN 304 634, currently under intense development, provides shall be presented.

10:40
Gisela Meister (on behalf of Ivan Plajh, CENELEC / independent consultant)
Eurosmart
CRA – Applications on Secure Elements

This contribution presents a Cyber Resilience Act standard for applications running on secure elements, smart cards and similar devices, aligned with the essential cybersecurity requirements of Annex I of EU Regulation 2024/2847. It addresses application-level security across diverse platforms, from bare-metal implementations to advanced Java Card environments, and extends to secure IoT devices and smartphones. The standard enables consistent risk-based security, vulnerability handling and lifecycle resilience for embedded applications.

11:10 Coffee break (20 min)
11:30
Cord Bartels
Expert CEN/CLC JTC13
A Risk-Based Approach to Sectoral Cybersecurity: Guidance for the Application of EN 18037 in Support of the Cyber Resilience Act (CRA)

EN 18037, which was published in 2025, specifies a methodology for conducting risk and security analysis in complex multi-stakeholder ICT systems. This includes the identification of appropriate security and assurance level requirements for ICT products based on the risks associated with their intended use in a dedicated sectoral system context. The presentation shows how this methodology can be used in support of the CRA, particularly in supporting product manufacturers and standards development organizations in determining the risks that may be caused by ICT security incidents associated with specific products and in defining appropriate security requirements.

12:00
Wijnand Machielse
SRC Security Research & Consulting GmbH
UPDATE: Connecting the dots: How Harmonised Berlin Group Open Finance Standards are empowering EU Digital Identity Wallets with payments and account information services

Europe’s payments ecosystem, successfully initiated by PSD2 Open Banking, is now constrained by increasing fragmentation caused by proprietary, scheme-specific APIs and channel-dependent integrations. This complexity drives redundant development, higher costs, technical debt, and slower time-to-market, while limiting scalability, pan-European reach, innovation, and effective supervision.

A new wave of EU regulation (PSD3/PSR, FIDA, eIDAS 2.0, Digital Euro) provides a unique opportunity to move beyond Open Banking towards a truly harmonised Open Finance environment. This presentation introduces a coherent architectural approach: a Harmonised Universal API Stack based on a two-pillar model combining a shared pan-European Common Core API layer with scheme- or region-specific extensions.

The model demonstrates how harmonised data models, semantics, security, and channel-independent integration significantly reduce integration effort and lifecycle complexity, while enabling consistent service exposure across web, mobile, ERP, and treasury systems. The session outlines current ecosystem gaps, core design principles, harmonised capabilities (e.g., routing, onboarding, certification, alias services, liability), and the seamless integration of AI-driven agents. It concludes with a vision of a resilient European payments fabric where stakeholders compete on service value rather than integration friction.

12:30
Clara Pfeuffer
ATHENE Digital Hub Cybersecurity
Christian Stanke
Infrafon GmbH
Startup pitch

Brief introduction of the ATHENE Digital Hub Cybersecurity by Clara Pfeuffer, leading over to the pitch.
Pitch by the startup Infrafon GmbH.

12:35 Lunch break (55 min)
13:30
Thomas Gilles
BSI / DI 22
Ralf Spenneberg
Open Source Security GmbH
ConformXpert - Assessment Tool for ETSI EN 303 645

ETSI EN 303 645 is a world-class standard for the security of consumer IoT products. The new tool conformXpert allows conformance assessments based on ETSI EN 303 645 to be performed easily, using the test methodology of ETSI TS 103 701. The tool, for example, enables the simple creation of an Implementation Conformance Statement (ICS) and automatically generates the necessary IXITs for requesting documentation. conformXpert helps you complete the IXITs with guidance. The CRA product requirements will be closely aligned with EN 303 645; therefore, you can use the tool to prepare yourself for the CRA.

14:00
Jens Oberender
SRC Security Research & Consulting GmbH
Defining the scope for high security assurance in cloud-based products

Traditional security assurance was built for static environments like smartcards. Today’s reality shatters that model: How do you certify a product when critical security functions (TSF) rely on external parties, e.g. Cloud Service Providers to Cloud applications? We analyze the friction between TOE boundaries and infrastructure, mapping security contributions across ownership lines. We discuss modeling EAL4 security functions when vendors lack source-code access, aiming to maximize assurance despite "black-box" dependencies. Our approach provides a roadmap for navigating shared responsibility in modern certification.

14:30 Coffee break (20 min)
Block 2 - Wallets | Chair: Peter Rost
14:50
Andreas Plies
Authada GmbH
Christian Stengel
Deutsche Telekom Security GmbH
EUDI-Wallet – Migration as a Path, not a Switch: Transitioning from HSM-Based Concepts to Decentralised Secure Hardware Elements

The project presented addresses the structural limitations of centralised, HSM-based WSCD architectures within the emerging EUDI Wallet ecosystem and motivates the need for a long-term transition towards decentralised, device-integrated Secure Elements and eUICCs. It proposes a multi-phase project to experimentally validate this architectural shift, taking into account technical, regulatory and operational challenges and enabling a gradual migration through transitional architectures. The objective is to generate empirical evidence on security, interoperability, scalability and offline capability, thereby laying the foundation for a sovereign, high-assurance and future-proof European digital identity infrastructure.

15:20
Mirko Mollik
SPRIN-D
EUDI-Wallet Status + Roadmap

The EUDI Wallet will become a core digital trust infrastructure in Europe, enabling secure identification, verified credentials, and qualified signatures. This talk outlines the current status of the German implementation, key architectural and security decisions, and lessons learned from prototyping and ecosystem onboarding. It concludes with a roadmap toward the 2026 rollout and the first wave of relying parties.

15:50 Coffee break (20 min)
Block 3 - Application | Chair: Andreas Wolf
16:10
Karsten Kochan
gematik GmbH
Identification mechanisms for the German healthcare system

In the German healthcare system, all identities—whether card-based or fully digital—require the identification of natural persons. The General Data Protection Regulation (GDPR) imposes stringent trust requirements, which has led to a restriction in the variety of identification systems that have been approved for integration within the German healthcare system.

The recent approval of a video-based hybrid identification system for use in the regulated healthcare sector marks the conclusion of a three-year period during which card-based remote identification systems were the sole permitted option (next to on-site procedures). The talk gives an overview of the current situation regarding identification in the healthcare sector.

16:40
Olaf Henniger
Fraunhofer IGD
Application of new biometric data interchange formats in machine-readable travel documents

The ISO/IEC 39794 series of standards specifies biometric data interchange formats based on ASN.1 (Abstract Syntax Notation One) and its Distinguished Encoding Rules, yielding binary tag-length-value encodings and enabling future extensions. To make the new data formats adaptable to different purposes, only the core data elements are mandatory. Data elements that can be useful for some purpose but are not always necessary are optional. Application profiles may declare optional data elements as mandatory or deprecated for a particular purpose, e.g. for storage in machine-readable travel documents (MRTDs). According to ICAO’s timeline, from January 2026 onwards, MRTD inspection systems must be ready to handle the new data formats because newly issued MRTDs may use them. From 2030 onwards, all newly issued MRTDs must use the new data formats. In preparation for the roll-out, application profiles for face and fingerprint image data in MRTDs have been developed, and prototypes of MRTDs and MRTD inspection systems from multiple vendors have been tested multiple times for interoperability. However, some choices are still left to the national MRTD issuers. To assist in deciding which options to support when storing biometric data in MRTDs, this paper summarizes the application profiles for face and fingerprint image data and discusses the remaining options.

17:10
Tim Ohlendorf
IBM Consulting
An Introduction to Confidential Computing

Confidential Computing secures data-in-use by leveraging hardware-based Trusted Execution Environments (TEEs) and Remote Attestation. This session explores how the technology reduces the trust gap in cloud and edge environments, covering TEE architecture principles, attestation flows, and secure secret provisioning patterns. Real-world use cases and practical implementation considerations are examined. The presentation provides security professionals with foundational knowledge for understanding and building robust Confidential Computing solutions.

17:40 Break / hotel check-in
Dinner speech
18:45
Gisela Meister
Cyber Security for CRA - Cyber Resilience Act Standardisation
Current Status from the EU, CEN/CLC and ETSI Cyber
19:00 Dinner (180 min)
Day 2 (Thu, Feb 19th, 2026)
09:00 Opening
Block 4 - Side Channel/Cryptography | Chair: Uwe Schnabel
09:10
Peter Günther
Utimaco IS GmbH
Distributed stateful hash-based signatures for applications on constrained devices

Stateful hash-based signatures (SHBSs) are an important building block for post-quantum security. For example, for firmware signing only SHBSs fulfil the post-quantum regulatory requirements of CNSA and BSI at the same time. On the one hand, SHBSs are based solely on hash functions, have a high maturity, and their signature verification is efficient. On the other hand, securely handling their state is often difficult in practice and signature generation is inefficient. In our presentation, we show how the state can be handled securely in practice and how the signature computation on constrained devices can be supported by the infrastructure.

09:40
Lukas Varnhorst
Referat T 11 - Chip-Sicherheit / BSI
Side Channel Attacks on a Discount?

Modern eID systems are typically penetration-tested and certified (e.g., under Common Criteria). Yet, they remain deployed for many years, during which new side-channel attacks can emerge, as seen recently with EUCLEAK and "Side Journey into Titan." We ask: as of 2026, are such attacks still limited to well-resourced organizations, or can individuals also perform them? Focusing on advanced electromagnetic (EM) side-channel attacks—commonly assumed to require expensive setups—we show that low-cost equipment alternatives now exist for most components. This suggests that even hobbyists could realistically mount such attacks.

10:10 Coffee break (20 min)
10:30
Armin Lunkeit
procilon GmbH
Transition to PQC - challenges and approaches

Post-quantum cryptography (PQC) migration poses significant strategic and operational challenges, as current RSA- and EC-based systems risk becoming vulnerable with the advent of large-scale quantum computers. Organizations must weigh short-term mitigation measures against their limited long-term effectiveness. A sustainable approach requires adopting PQC-capable infrastructures, which includes redesigning key management architectures, updating chip-card-based processes, and renewing the public key infrastructure. The transition introduces substantial complexity, particularly regarding certificate renewal cycles, key custodianship models, and the re-encryption of sensitive archived documents.

11:00
Frank Morgner
Bundesdruckerei GmbH
Jan Klaußner
Bundesdruckerei GmbH
PQC Migration

The Post Quantum Support Action (PQCSA) is an EU project intended to raise awareness and support the steps towards introducing post-quantum cryptography (PQC). This talk shares practical experience from PQCSA workshops and shows how different communities understand and approach PQC maturity and readiness. We present lessons learned from hands-on exercises and discussions on migration paths, with a particular focus on our work on integrating PQC into identity and access management systems. These experiences make visible both the technical and the organisational challenges that typically arise in real-world environments. Finally, we outline key gaps we have identified in the European PQC roadmap, including missing practice-oriented guidance, insufficient coordination between standards, and a lack of support for sector-specific transitions.

11:30
Adrian Marotzke
NXP Semiconductors N.V.
Post-Quantum Secure Trusted Execution Environment on RISC-V

A Trusted Execution Environment (TEE) is a secure area of the main processor of a connected device that ensures sensitive data is stored, processed, and protected in an isolated and trusted environment. A TEE is a key component to enable secure applications such as identification and payment. However, there are currently no suitable & mature TEE solutions for RISC-V, and current TEEs are also not yet secure against the threat of quantum computers. This talk will present our ongoing research work on enabling post-quantum security for TEEs on RISC-V, based on the open-source RISC-V SoC framework Chipyard and the open-source TEE framework Keystone. This includes algorithm selection, implementation optimization and hardware acceleration. Our results show that a post-quantum secure TEE is feasible for RISC-V, though more work is needed for a mature commercial solution.

12:00 Lunch break (60 min)
13:00
Johannes Mittmann
BSI / Referat V 31 - Grundlagen kryptographischer Verfahren
Linux Random Number Generator and AIS 20/31 Compliance

Since 2012, the BSI has commissioned an ongoing study to document and analyze the Linux random number generator from a security perspective. This presentation will outline the current status of the Linux random number generator and discuss its compliance with the recently updated AIS 20/31 evaluation guidelines.

Block 5 - ID | Chair: Christian Stengel
13:30
Arno Fiedler
Nimbus Technologieberatung GmbH
Identity and Trust Services as Regulated Technologies in Europe: who will survive?

Since 2016, a harmonised market for trust services has developed in Europe based on the eIDAS Regulation. Thanks to CEN and ETSI standards, not only are data formats interoperable, but security levels and audit procedures are also comparable.

The amendment to the eIDAS Regulation now imposes numerous new NIS2 requirements on trust service providers, particularly with regard to availability and the supply chain. In addition, PKI software is regulated by the Cyber Resilience Act (CRA), and further new testing requirements are imposed on hardware by the Commission Implementing Regulations (CIR).

The presentation will therefore address the question of whether the market for qualified trust services, currently estimated at €400 million per annum, will remain in its current form, especially since signature and identification services will be offered free of charge by government wallet providers from 2026 onwards.

14:00 Coffee break (20 min)
14:20
Markus Mösenbacher
Infineon Technologies AG
Christian Stengel
Deutsche Telekom Security GmbH
Digital ID – EU initiatives and different options to achieve Level of Assurance High

Discover the Future of Digital Identification: EU Initiatives and Pathways to High Assurance

Join us for a comprehensive overview of the global shift towards Mobile ID, highlighted by a successful European case study. This presentation delves into the various security options available, including cutting-edge Global Platform solutions. Looking ahead, we'll explore the possibilities of EU-wide interoperability, paving the way for a seamless and secure digital identity ecosystem.

14:50
Florian Domin
secunet Security Networks AG
Synthetic Identities, Deepfakes and Decision Support

The talk begins with an introduction to the GanDiff approach, which enables the targeted generation of realistic and consistent facial images—synthetic identities. This technology opens up new possibilities, such as creating legend material for OSINT analysts or reducing bias in AI training datasets. We then present our method for projecting real identities (facial images) into the system in order to work with them further, including use cases such as cold cases through synthetic age progression or the creation of photo lineups to support suspect identification. The talk concludes with a discussion of the risks posed by deepfakes in the context of identities and in general, and presents a deepfake detection solution designed to support decision-making within law enforcement agencies.

15:20 Conclusions
15:30 End

Information and contact

If you have any questions, please contact:

Moderation

Simone Zimmermann
CAST e.V. office
Tel.: +49 (0) 6151/869 230

Administration

Simone Zimmermann
CAST e.V.
Tel.: +49 6151 869-230

Travel planning

CAST e.V.
Rheinstraße 75
64295 Darmstadt

Upcoming CAST events

AI and IT Security 28.05.2026
Post-Quantum Cryptography (PQC) 27.08.2026
25th International Conference of the Biometrics Special Interest Group (BIOSIG 2026) 25.-26.11.2026