Bundesdruckerei GmbH

Bundesdruckerei GmbH is a German federal state-owned company specializing in secure identities and digital infrastructure.

Lobbying Activity

Meeting with Christiane Kirketerp De Viron (Acting Director Communications Networks, Content and Technology)

5 Dec 2025 · European Business Wallets

Response to Formats of advanced electronic signatures and seals to be recognised by public sector bodies

30 Sept 2025

Annex II: The JAdES baseline profile should also be referenced in Annex II. This is essential for electronic seals, especially for digital credentials. In this respect, complete synchronization between electronic signatures and seals should be established.

Response to General requirements for qualified trust service providers

30 Sept 2025

- In general: Harmonized regulations regarding liability coverage according to Art 24 Abs. 2 lit. c) eIDAS should be integrated into this Implementing Regulation, in particular through liability insurance. Currently, there is still a great deal of fragmentation in the supervisory practices of the member states in this field. Harmonization through uniform requirements is absolutely essential.
- Art 1 Nr. 1: The obligation to notify supervisory bodies of the changes to terms and conditions should be deleted. Terms and conditions are legal instruments that primarily regulate the contractual relationship with customers. They already contain non-derogable provisions derived from legislation and supervision frameworks, meaning that their substance is defined by law rather than by the provider's unilateral choice.
- Art 1 Nr. 3: To avoid unimportant and redundant messages, only relevant and significant changes should have to be reported.
- Art 3 Nr. 6: In order to harmonize administrative practice in the member states, concrete guidelines should be established on the basis of parameters for financial safeguards.

Bundesdruckerei urges browser independence for qualified authentication certificates

30 Sept 2025
Message — Bundesdruckerei requests that trust service providers remain independent from browser root store programs. They also advocate for mandatory certificate logging once European standards are available.
Why — This prevents arbitrary exclusion of European certificate providers by global browser vendors.
Impact — Browser vendors lose the power to set proprietary rules for qualified certificates.

Response to Detailed specifications regarding functional requirements for eFTI platforms

7 Jul 2025

We welcome the proposed use of eIDAS means to ensure authenticity and integrity. However, we would prefer the use of qualified eIDAS means, as the requirements for issuing these means are more harmonised and validation can be carried out free of charge via the EU TSL. The platform of the German electronic waste records procedure (Plattform des elektronischen Abfallnachweisverfahrens), which has been in operation for over fifteen years and in which well over 100 million qualified signatures have been provided, serves as a key reference in this respect. We also recommend taking into account the 2024 amendment of the eIDAS Regulation which introduced electronic attestations of attributes and qualified attestations of attributes, as well as the emerging ecosystem of European Digital Identity Wallets and, above all, the upcoming EU Business Wallet. In future, a significant proportion of electronic B2B and B2G communication will take place via this ecosystem.

Response to Digital services for simplifying business operations and reducing administrative costs – the business wallet

11 Jun 2025

The initiative to create a legal act establishing EU-wide rules on a business wallet is very welcome. We see great potential for digitalisation, automation, and cost reduction in B2G- and especially B2B-processes, which have so far been underutilised. However, it must be emphasised that technical automation alone is not enough to reduce bureaucracy. A real effect also requires the simplification and consolidation of reporting and verification obligations. The Business Wallet Act must therefore avoid creating redundant structures or additional burdens. Its scope should focus strictly on current regulatory gaps and must not duplicate the eIDAS revision from 2024. A clear definition of the Business Wallet's (EUBW) scope is essential. It remains unclear how the Business Wallet will relate to existing frameworks such as eIDAS Regulation (eIDAS) and the Single Digital Gateway Regulation. For example, identification and authentication of organisations, which are core to eIDAS, are mentioned as part of the Business Wallet. While the revised eIDAS mandates a European Digital Identity Wallet (EUDIW) for legal entities, implementation details remain vague especially around definitions and requirements for Person Identification Data (PID) for legal entities. These gaps should be closed within eIDAS itself to prevent fragmented governance. We see the EUBW Act's role more as a practical application layer linking the EUDI-Wallet with enterprise systems to automate data transfer, receipt, issuance, and credential management. Core functions like identification and authentication should remain within eIDAS and EUDIW. If needed, member states should create regulatory conditions on the public side to enable automated B2G data exchange. For G2G or administrative processes, mandatory Business Wallet use should be avoided, since the SDG Regulation already provides appropriate mechanisms, which could be further adapted.
The EUBW should instead focus on economic actors, to reduce bureaucracy and support digitalisation in the private sector. We also suggest limiting the Business Wallet's use to medium and large enterprises. Only where complex structures and multiple B2G use cases exist can real simplifications be achieved. A universal solution would overcomplicate the technical architecture and undermine the Act's purpose. Small businesses and self-employed persons should continue using the EUDIW tailored to their legal form. One of the EUBW's most valuable components is rights and role management. It should enable companies to manage access and delegation internally without external proofs or public mandate registers. Existing enterprise systems for role management should seamlessly integrate into the wallet. Moreover, the wallet must be interoperable with the EUDIW's representation mechanisms to act as a transmission and authentication tool for public services. To enable this, the wallet should be operable centrally as a cloud wallet and offer interfaces to EUDIW relying party functionalities to fetch and forward data. To ensure trust, the EUBW must be certified. While this certification would differ from that of the EUDIW, it should reflect the requirements described above. Ideally, the wallet would be operated by a qualified trust service provider (QTSP) or meet the general criteria under Art. 24 eIDAS. This aligns with the EU Commission's 2025 work programme to expand QTSP roles and business models. The EUBW core system should offer a high assurance level by integrating EUDIWs for identification and secure transmission. At the same time, downward compatibility should allow support for different assurance levels. The wallet's strength lies in its broad application potential. Regulatory frameworks and certification schemes must leave room for sector-specific requirements.
One example is the healthcare sector, where secure, automated exchanges between insured persons, providers, and insurers could greatly benefit from business wallet integration

Response to Qualified certificates for electronic signatures and electronic seals

13 May 2025

In general, it should be noted that additional requirements that deviate from the referenced standards should be viewed critically because they interfere with professional discussions and autonomy. Technical standards are written and approved by a large group of experts after thorough discussions and scrutinization. When referring to a standard in an implementing act, the Commission is entitled to overrule elements of a standard. This should only be done when deemed necessary and after a thorough review. However, the current draft implementing acts have a large number of such overruling requirements, where no rationale is given for their necessity. A few of the proposed adaptations are reasonable, some are superfluous, but some are also harmful to the trust services industry as the requirements will make existing qualified trust services non-compliant when the implementing acts enter into force without any transitional measures. Qualified trust service providers confidently base their services on the ETSI standards and are audited against them; the overruling by an implementing act may enforce changes that may be costly and where trust service providers may need time to adapt. Furthermore, referencing standards in a specific version number entails the risk that outdated standards will be referenced in the future. The legislator should therefore either choose a dynamic reference to the latest version or ensure that the implementing acts are regularly updated. Annex Nr. 1 (3) and Nr. 2 (3) OVR-5.3-01: If any changes are made to a CP as described in clause 4.2.2 which affects the applicability, then the policy identifier should be changed. Policy identifiers are not the same as document identifiers. Policy identifiers should never change. The requirement must be changed accordingly.

Response to Verification of identity and attributes at qualified certificate or qualified attestation of attributes issuance

13 May 2025

In general, it should be noted that additional requirements that deviate from the referenced standards should be viewed critically because they interfere with professional discussions and autonomy. Technical standards are written and approved by a large group of experts after thorough discussions and scrutinization. When referring to a standard in an implementing act, the Commission is entitled to overrule elements of this standard. This should only be done when deemed necessary and after a thorough review. However, the current draft implementing acts have a large number of such overruling requirements, where no rationale is given for their necessity. A few of the proposed adaptations are reasonable, some are superfluous, but some are also harmful to the trust services industry as the requirements will make existing qualified trust services non-compliant when the implementing acts enter into force without any transitional measures. Qualified trust service providers confidently base their services on the ETSI standards and are audited against them; the overruling by an implementing act may enforce changes that may be costly and where trust service providers may need time to adapt. Furthermore, referencing standards in a specific version number entails the risk that outdated standards will be referenced in the future. The legislator should therefore either choose a dynamic reference to the latest version or ensure that the implementing acts are regularly updated. Annex Nr. 4 VAL-8.3.3-21: There is currently no accreditation and standards for laboratory tests and the measures for verifying ID documents without access to the chip of these documents. This requirement therefore comes to nothing and creates great legal uncertainty. The existing regulations from the ETSI standard are sufficient and the deviating requirement should therefore be deleted.

Response to Provision of qualified electronic time stamping services

13 May 2025

In general, it should be noted that additional requirements that deviate from the referenced standards should be viewed critically because they interfere with professional discussions and autonomy. Technical standards are written and approved by a large group of experts after thorough discussions and scrutinization. When referring to a standard in an implementing act, the Commission is entitled to overrule elements of a standard. This should only be done when deemed necessary and after a thorough review. However, the current draft implementing acts have a large number of such overruling requirements, where no rationale is given for their necessity. A few of the proposed adaptations are reasonable, some are superfluous, but some are also harmful to the trust services industry as the requirements will make existing qualified trust services non-compliant when the implementing acts enter into force without any transitional measures. Qualified trust service providers confidently base their services on the ETSI standards and are audited against them; the overruling by an implementing act may enforce changes that may be costly and where trust service providers may need time to adapt. Furthermore, referencing standards in a specific version number entails the risk that outdated standards will be referenced in the future. The legislator should therefore either choose a dynamic reference to the latest version or ensure that the implementing acts are regularly updated. Annex Nr. 1 (6) TIS-7.6.2-06: A TSU's signing key shall not be imported into different secure cryptographic devices. These requirements are very difficult to implement, jeopardise existing infrastructures and are therefore disproportionate due to the associated requirement to only perform a backup in a secure execution environment. The existing regulations from the ETSI standard are sufficient and the deviating requirement should therefore be deleted.

Meeting with Yvo Volman (Director Communications Networks, Content and Technology) and

3 Apr 2025 · Presentation of some of the digital initiatives and data-related activities of the Bundesdruckerei.

Meeting with Christiane Kirketerp De Viron (Acting Director Communications Networks, Content and Technology) and

17 Mar 2025 · Introduction to Bundesdruckerei and EU Business Wallet

Meeting with Sergey Lagodinsky (Member of the European Parliament)

18 Feb 2025 · Exchange of views Start of the new mandate

Meeting with Svenja Hahn (Member of the European Parliament) and Microsoft Corporation and

14 Feb 2025 · Exchange on upcoming digital EU legislation

Response to Security breaches of European Digital Identity Wallets

19 Dec 2024

The Bundesdruckerei Group, the German federal technology company, would like to contribute to this consultation as follows: Annex 1: The thresholds defined here conflict with the Implementing Regulation of 17.10.2024 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to [...] trust service providers. The threshold values from the NIS2 Implementing Regulation, which also apply in particular to all trust services (including non-qualified ones), are in some cases much stricter, especially with respect to the availability criterion, and trigger more reporting events than defined here for the EUDIW. As the EUDIW should be treated more sensitively with the confidence level, the threshold values should be adjusted accordingly.

Response to Cross-border identity matching under the European Digital Identity Framework

19 Dec 2024

The Bundesdruckerei Group, the German federal technology company, would like to contribute to this consultation as follows:
Art 2 (4): The data which are included here (name, place of birth, date of birth and nationality) are not sufficient to achieve a clear match and should be supplemented.
Art 2 (7): It should precisely be described what an exact match means.

Response to Qualified electronic attestation of attributes under the EDIF

19 Dec 2024

Details specifying the requirement of functional separation of the provision of QEAA services laid down in Art 45h (3) eIDAS should be supplemented here (e.g. separate team structures, member at management level specifically responsible for QEAA, specific reporting channels).
Art 24 (2) h) eIDAS obliges QTSPs to retain all issued data for the time relevant to the provision of evidence in court. With respect to QEAA it should be stipulated here that this obligation only extends to the transaction data. Otherwise, a central register of verified user attribute data would be created, which would potentially entail high data protection risks.
Art 3 (1): Please clarify here that QEAAs do not require a wallet binding but can also be issued or used without a wallet in accordance with the requirements of eIDAS.
Art 4: A mechanism should be defined as to how a QEAA QTSP is to be informed by an authentic source in cases where the content of an attribute changes. Otherwise, the QTSP is exposed to a high liability risk. This mechanism should be completely automated and based on machine-readable elements.
Art 6 (2) a: It should be "qualified" electronically sealed or signed to facilitate the validation via the EU Trusted List.
Art 7: In principle, the mechanism is welcomed. However, this open approach will result in confusing/redundant catalogues. Therefore, explicit consolidation mechanisms for merging similar attribute catalogues should be established here, as well as a clear commitment and mandate to standardize attribute catalogues at European level.
Art 7 (3): Annex VI of eIDAS, which is referred to, is too vague. To create legal certainty these attribute groups need further specification (e.g. which data are meant to be "financial data") or it should be stated that the minimum attribute list (Annex VI of eIDAS) will be specified by agreement of the European Digital Identity Cooperation Group.
Art 7 (5) and 8 (5): It should be "qualified" electronically sealed or signed to facilitate the validation via the EU Trusted List. It should also be made clear that applications can be submitted digitally.
Art 8 (3): It must be added here that the insertion of schemes that are already standardized at European level, as well as OOTS schemes created from the Single Digital Gateway framework, are automatically included proactively without the need for an application from a party.
Art 9 (1): It should be added that only fully automated procedures are permitted as discovery mechanisms and that the design and requirements for these mechanisms should be made more specific.
Art 9 (1) c): The option of using QWAC and QSeal for the verification of attributes against authentic sources/intermediaries (in accordance with the PSD2 model as per Delegated Act (EU) 2018/389) should be established here in order to strengthen interoperability. The PSD2 model allows authentication against the wallet interface by using QWACs or QSeals. The authentic sources should be obliged to publish an interface specification and provide a test environment so that QTSPs can easily connect to them. The QWAC and QSeal are validated against the trusted list by the responsible party at the authentic source in order to decide as to whether and how the QEAA QTSP should access the respective interface.
Annex 1: Please reference ETSI EN 319 401 and ETSI EN 319 403 as general requirements on QEAA QTSP, unless already included in other referenced standards. This serves to harmonize and ensure a basic level of security in the provision of QEAA/PubEAA.
Annex 4 (2): "May" should be replaced by "should" or "shall". This paragraph contains important measures to ensure the necessary level of protection and should not be optional.
Annex 4 (3): Mutual authentication between authentic source and QTSP using QWAC and QSeal by means of the PSD2 model (see above, Art 9 (1) c)) should be explicitly stated here as a possibility for authentic source authentication.

Bundesdruckerei urges technology-open rules for digital wallet registration

19 Dec 2024
Message — Bundesdruckerei demands a technology-open legal definition to allow established security certificates. They argue that redundant double checks must be avoided to ensure efficiency. They also call for concrete rules regarding intermediaries acting for relying parties.
Why — Using existing harmonized frameworks would lower implementation costs and ensure cross-border interoperability.
Impact — Both businesses and users face delays if complex registration processes hinder wallet deployment.

Response to Digitalisation of travel documents and facilitation of travel

18 Dec 2024

The Bundesdruckerei Group, a German federal technology company, would like to contribute to this consultation as follows:
Regulation 2024/670 (EU Digital Travel Application)
Article 4 Para 1: The proposal stipulates that the DTC contains the same data as the chip of the physical travel document (excluding fingerprints). We propose that the regulation be amended to allow additional data fields. Justification: To enhance security during border processes, it may be beneficial to include additional data, such as the full presentation of the name, place of birth, high resolution images, etc., in the DTC.
Article 8 Para 1: Article 8 proposes that the development and operation of the EU Digital Travel Application shall be managed centrally by eu-LISA. To align DTC more closely with the type of regulation used in Regulation EU 2024/1183 (EUDI Wallet), Article 8 should be amended so as to only establish a common comprehensive technical architecture and reference framework, a set of common standards and technical references that enable different providers to independently develop and operate Digital Travel Applications. Furthermore, for EU citizens it should be possible to travel using the credentials of the (national) EUDI Wallet without the necessity to generate an additional account / credential with eu-LISA. Justification: Competition among providers fosters high-performance solutions and strengthens consumer rights. The reliability and availability will be enhanced through distributed systems. Avoidance of using multiple apps for the same purpose. The proposal also stipulates that the Backend Validation Service at eu-LISA will act as the central DTC issuer. We propose to amend the regulation allowing Member States to independently manage the issuance of the DTC. Justification: This approach is more future-proof regarding the evolution of the DTC standard in line with ICAO Types 2 & 3. This also helps to justify the necessary (national) investments in accordance with Article 8 of 2024/671 and can be more easily implemented within national legislation.
Article 9 Para 1: The proposal stipulates that a secure connection must be established between national systems and the Traveller Router. We propose making end-to-end encryption mandatory. Justification: Only end-to-end encryption methods can ensure protection throughout the entire transmission, effectively minimize attack vectors, and protect against unauthorized access. Pure transport encryption is not sufficient and should be excluded.
Regulation 2024/671 (Digital travel credentials based on identity cards)
Article 8: Article 8 states that Articles 2(1) and (2) shall apply 12 months after the entry into force of the technical specifications. Accordingly, a Member State must ensure that individuals who have applied for an identity card also receive a DTC upon request. We suggest harmonizing this 12-month deadline with the project schedule for the development of the EU Digital Travel Application at eu-LISA. Justification: It must be ensured that Member States begin issuing digital travel credentials only once the EU Digital Travel Application has been provided by eu-LISA. This ensures that Member States do not issue DTCs without there being a use case for them.

Bundesdruckerei Advocates Mandatory eIDAS Security in EU Communications

6 Sept 2024
Message — The organization requests that Annex II mandate the use of eIDAS security means. They propose that every certificate and URL must be secured using these standards.
Why — Mandating eIDAS standards would create a captive market for the company's certified security products.
Impact — Security providers using alternative, non-eIDAS standards would be excluded from the notification system.

Bundesdruckerei Urges Technical Alignment for European Digital Wallets

6 Sept 2024
Message — They request aligning regulation wording with existing frameworks to avoid misunderstandings. They seek clear legal definitions for signature applications. They also suggest adding the SD-JWT data format.
Why — Uniform technical standards provide the company with legal certainty for development.
Impact — Implementation becomes difficult for developers when regulatory requirements are contradictory and misleading.

Bundesdruckerei urges stricter identity standards for EU wallets

6 Sept 2024
Message — Bundesdruckerei requests that only qualified trust service providers issue access certificates. They also suggest adding address data and age verification to ensure unique identification.
Why — This would protect their market position by excluding non-qualified trust service competitors.
Impact — Non-qualified service providers would be excluded from issuing wallet access certificates.

Bundesdruckerei demands enhanced security and signature standards for wallets

6 Sept 2024
Message — Bundesdruckerei recommends including interfaces for qualified electronic signatures and seals as core functionalities. They also advocate limiting wallet-to-wallet interactions to proximity use cases to mitigate fraud. Finally, they propose adding OpenID standards to ensure technical interoperability.
Why — Aligning requirements with existing standards would reduce technical complexity for the organization.
Impact — Digital wallet users may lose the convenience of remote peer-to-peer transactions.

Response to Rules specifying the obligations laid down in Articles 21(5) and 23(11) of the NIS 2 Directive

19 Jul 2024

Generally, the implementing regulation could have been limited to a reference to the implementation of current common standards, such as ISO 27001, ISO 27002 and ETSI EN 319 401, which are constantly adapted to the state of the art.
Apart from this general consideration, we would like to comment on the individual proposed regulations as follows:
Significant Incident Factors
Art. 3:
- We suggest legal definitions of unspecific terms, such as considerable, media or material, in order to create uniform, harmonized and clearer reporting obligations for obliged entities.
- Paragraph 1 lit. d) and e): Mechanisms for assessing the causality and liability should be specified.
Art. 4: "Same apparent root cause" is also an undefined legal term and should therefore be legally defined in the implementing act.
Art. 14:
- lit. a-c): In general, it should be noted that a massive tightening has been made in the area of resilience, especially compared to the previously applicable guidelines. These requirements for trust services are far too strict. Apart from that, when it comes to the resilience criterion, different regulations should be made with regard to different kinds of trust services, functionalities and components: Ultra-high availability, as provided for in points a-c), only makes sense and is standard market practice for components that are necessary for validation, in particular OCSP responders. In the case of signing services and comparable trust services, however, such ultra-high levels of availability are neither customary nor necessary. For example, it is not clear why an eleven-minute outage of an application for creating advanced signatures for contract documents at three o'clock in the morning, without a customer even noticing it, should constitute a reportable incident. Significantly lower availability values apply here, as is customary in the industry. At this point, it should be noted that even compliance with an annual availability of 99.3% (in relation to lit. b), for lit. a) even above 99.99%), which can certainly be described as standard market practice, would regularly trigger a reportable incident in accordance with the thresholds set out here. With regard to the availability of trust services, contractually agreed service level agreements (SLAs) must also be taken into account when determining an incident. It is an obvious contradiction in terms, if temporary service failures do not constitute a breach of contract vis-à-vis the customer but do constitute a reportable incident. Therefore, it should be included as an additional requirement that the service outages must exceed contractual or other statutory availability requirements in order to trigger a reportable incident. The same applies to maintenance windows announced to customers in advance; these also do not represent a breach of resilience in the narrower sense but would have to be reported as an incident in accordance with this text.
- Lit. c): As the threshold value of 1% relates to the respective trust service, it is quickly reached in the case of differentiated and specialized services with very few customers, even if only a single customer is affected and the outage therefore has very manageable effects. We therefore propose that the 1% should be based on the total number of all customers of the TSP or that interest-based thresholds be created for this point. "Large delays" is also an undefined legal term and should therefore also be legally defined.
Technical and methodological requirements (Art. 2 and Annex)
The implementing regulation should not list the individual measures and requirements, but primarily reference suitable and existing standards according to which the obligated parties can be tested and certified. ETSI EN 319 401 and ISO 27001 are particularly suitable here. The ETSI standard has been recently explicitly adapted and updated to meet the requirements of NIS2.

Meeting with Sergey Lagodinsky (Member of the European Parliament, Shadow rapporteur)

20 Sept 2023 · Artificial Intelligence Act

Bundesdruckerei Demands National Centralization of Carbon Removal Certification

23 Mar 2023
Message — Bundesdruckerei recommends establishing a territorial principle with one central certification system per member state. They request high-level identity management using eIDAS standards for all system participants to ensure security. Furthermore, they seek a strict separation of roles between certification systems and other market actors.
Why — Centralizing certification per state would create demand for their national identity and security services.
Impact — International certification schemes lose the ability to operate across different European national borders freely.

Meeting with Svenja Hahn (Member of the European Parliament, Shadow rapporteur) and Telefonica, S.A. and

15 Mar 2023 · AI Act, Standardisation

Meeting with Norbert Lins (Member of the European Parliament, Committee chair)

19 Oct 2022 · Carbon Removal Certification

Meeting with Alin Mituța (Member of the European Parliament, Shadow rapporteur)

21 Jul 2022 · Data Act

Meeting with Pascal Arimont (Member of the European Parliament, Rapporteur for opinion)

19 Apr 2022 · Revision of eIDAS Regulation

Meeting with Mikuláš Peksa (Member of the European Parliament, Shadow rapporteur)

30 Mar 2022 · eIDAS

Meeting with Alin Mituța (Member of the European Parliament, Shadow rapporteur)

30 Mar 2022 · European Digital Identity proposal (eID)

Meeting with Marcel Kolaja (Member of the European Parliament, Shadow rapporteur for opinion)

29 Mar 2022 · discussion on the provisions of the European Digital Identity framework, especially on Article 45, which requires providers of web browsers to facilitate the use of qualified certificates for website authentication

Meeting with Mikuláš Peksa (Member of the European Parliament, Shadow rapporteur)

3 Feb 2022 · European digital identity

Meeting with Svenja Hahn (Member of the European Parliament)

3 Jun 2021 · Digital Policy

Response to Legislative framework for the governance of common European data spaces

27 Jan 2021

The Bundesdruckerei Group explicitly welcomes the European Commission's proposal as an effective legislative framework for the trustworthy and secure handling of data. The envisaged specifications for the use of Data Sharing Services (Art. 9-14) in particular can make a vital contribution to ensuring that personal and non-personal data are exchanged between individuals, companies and institutions securely and in accordance with data protection regulations. The use of such services offered by data intermediaries bears enormous potential for the transfer of scientific research data, the improvement of administrative services, but also for the protection of consumer interests and the promotion of entrepreneurial innovation. It will also prevent the emergence of data monopolies with their market-dominant and market-distorting effects, which hinder independent data-driven business models and the creation of new businesses based on them. Given the sensitivity of the data involved, it must be ensured that data intermediaries have no vested interest in the data and that their neutrality is not jeopardised by any kind of financial dependency. The Bundesdruckerei Group very much welcomes the criteria relating to the trustworthiness and independence of data intermediaries. The current draft provides, inter alia, that:
- the provider may not use the data for which it provides services for other purposes than to put them at the disposal of data users (Art. 11 (1));
- the provider shall take measures to ensure a high level of security for the storage and transmission of non-personal data (Art. 11 (8));
- the provider of data sharing services shall be established in the Union or otherwise has to appoint a legal representative in one of the Member States (Art. 10 (3));
- the provider shall submit a notification to a competent national authority to be named by the Member States and that the provision of data sharing services can be monitored and potentially be sanctioned in case of misconduct (Art. 10 (1), Art. 12, Art. 13).
Please refer to the attached document for the detailed Bundesdruckerei Group Statement.

Response to European Digital Identity (EUid)

27 Aug 2020

Bundesdruckerei GmbH would like to contribute to the successful creation of a future-proof legal framework to support an EU-wide, trustworthy and secure system for identities and trust services in the digital space. Accordingly, with reference to the three "policy options" set out in the EU Commission's roadmap, we propose that the following three points be taken into account:
1) Establishing hardware security modules as a technical basis for EU-wide secure digital applications
2) Strengthening and expanding national eID usage
3) Strengthening the state design of national eIDs
Please refer to the document attached for a detailed assessment of these proposals. The combination of Options 1 and 2 laid out in the roadmap offers the opportunity to make the best of the EU standards already developed by CEN and ETSI in Mandate 460 binding by means of Implementing Acts and to significantly improve the integration between eIDAS eID services under Part II and the trust services under Part III. The Member States’ uptake of the optimised eIDAS Regulation should then be made mandatory for special sectors, for example social and tax services. The window of opportunity for saving European digital sovereignty is very small and a practical implementation of the "better eIDAS" to enable the digital single market and seamless public services should be completed in 2021.

Meeting with Anthony Whelan (Cabinet of President Ursula von der Leyen)

28 Jul 2020 · Digital issues

Response to Report on the Application of the eIDAS Regulation

25 Oct 2019

From toolbox to binding use. In Germany, eIDAS trust services are largely unknown and have not yet been fully integrated into German law. As a result, they are hardly used and are simply circumvented in practice (the attached study gives an overview of their use in Germany). The PSD2 Directive shows how binding use can come about: it is a good model of how the tools of the eIDAS Regulation were effectively integrated into a legal text. For eIDAS trust services to be used even more widely beyond that, the following points should be considered:
1) Harmonisation of methods and working practices in the application of eIDAS. Stronger harmonisation of the requirements for the certification and validation of trust services is needed in order to avoid competitive disadvantages within the EU. The validation process so far lacks a standardised procedure for checks and uniform EU requirements for completion times. In addition, the working practices of the assessment and supervisory bodies should also be harmonised. Audit reports can take differing lengths of time depending on the EU member state and thus generate very different costs. The supervisory and assessment bodies could also benefit from interpretation guidelines from ENISA. Against this background, the adoption of implementing acts would be an effective step towards more harmonisation. These could provide legal certainty, binding force and EU-wide interoperability. A uniform algorithm catalogue for the creation and verification of trust services could counteract the existing wide scope for interpretation. Sanctions for violations of the eIDAS Regulation also vary by country. Here too, binding and EU-wide uniform sanctioning is necessary.
2) Introduction of new tools and a uniform framework for identities. A better link between the chapters on identification and trust services is necessary. At the same time, a regulatory framework is needed for digital identities in the context of security-critical and private-sector transactions (and likewise for mobile and blockchain-based identities). Regulatory obligations and incentives should be created for private companies to use authentication based on the trust services defined in the eIDAS Regulation. Identification for companies can be harmonised by developing the seal into a means of identification for organisations. We propose a mandatory set of data for the identification of legal persons, as was developed for natural persons in the context of the eIDAS nodes. Last but not least, we recommend a general revision of the assurance levels to take account of the complexity of the economy.
3) Recognition of qualified website certificates (QWACs). The user interfaces of platforms will soon (or already today) no longer contain any special indications of the value of the domain certificate. This undermines the special status of QWACs. An obligation on browser vendors to recognise or accept QWACs, and the labelling of different security levels, is necessary. To improve consumer protection in the European Union, it makes sense to adhere to European standards. One should also advocate validity and verification obligations.

Meeting with Maximilian Strotmann (Cabinet of Vice-President Andrus Ansip), Vivian Loonela (Cabinet of Vice-President Andrus Ansip)

6 Mar 2018 · eGovernment, cybersecurity

Meeting with Maximilian Strotmann (Cabinet of Vice-President Andrus Ansip) and SK ID Solutions and

9 Oct 2017 · eIDAS regulation, trust services, cybersecurity

Meeting with Carl-Christian Buhr (Cabinet of Commissioner Mariya Gabriel)

20 Sept 2017 · Cybersecurity