
BS EN 40000-10 EN 40000-10 Essential cybersecurity requirements for products. Part 10: Products with digital elements used in identity management systems and privileged access management software and hardware, including authentication and access control readers, including biometric readers

Source:
CEN
Committee:
IST/17 - Cards and security devices for personal identification
Categories:
Identification cards and related devices

Scope

This document specifies cybersecurity requirements and associated assessment requirements for identity management systems that qualify as products within the meaning of Regulation (EU) 2024/2847. Such products are classified as important products (class 1) according to Commission Implementing Regulation (EU) 2025/2392.

Identity management systems are products that provide mechanisms for authentication or authorisation and that may also provide mechanisms for the lifecycle management of identity credentials of natural persons, legal persons, devices or systems, such as identity registration, provisioning, maintenance, deregistration.

These systems include access management systems that control access of natural persons, legal persons, devices or systems to digital resources or physical locations.

Privileged access management software is an access management system that controls and monitors access rights to IT or OT systems and sensitive information within an organisation, including systems enforcing differentiated access control policies for privileged users.

This category includes but is not limited to authentication and access control readers, biometric readers, single sign-on software, federated identity management software, one-time password software, hardware authentication devices such as transaction authentication number (TAN) generators, authentication software and multi-factor authentication software.

This document covers:

  • general description of the products belonging to this category and of the product and/or components of such products with digital elements;
  • description of their use cases;
  • security analysis;
  • definition of the applicable risk profiles to be considered for these products with digital elements;
  • applicable cybersecurity requirements for each risk profile;
  • applicable cybersecurity assessment and test requirements for each risk profile.

Products within the scope of this document:

The following non-exhaustive categories of products are within the scope of this document where their primary or supporting function relates to identity management, authentication, authorisation, or logical and physical access control of natural persons, legal persons, devices or systems.

Logical and Physical Identity lifecycle management

Products for:

  • identity registration and enrolment;
  • credential issuance, provisioning and activation;
  • credential maintenance, suspension, revocation and deletion;
  • identity wallets and digital credential containers;
  • EUDI Wallet, EU Business Wallet;
  • crypto asset Wallet;
  • digital travel credential;
  • middleware enabling the use, validation or verification of identity credentials;
  • national or sectorial identity registries implemented as products;
  • biometric databases;
  • enrolment stations;
  • digital transaction control components;
  • mobile driving license;
  • electronic identification products, including systems supporting digital product passport.

Logical and Physical Authentication

Products for:

  • authentication software;
  • multi-factor authentication (MFA) systems;
  • two-factor authentication (2FA) systems;
  • one-time password (OTP) software and hardware tokens;
  • online authentication tokens;
  • hardware authentication devices;
  • single sign-on (SSO) systems;
  • federated identity management systems;
  • authentication and access control readers;
  • biometric readers;
  • presentation attack detection (PAD) software;
  • identity attack detection (IAD) software;
  • biometric matching software;
  • automatic border control product;
  • entry/exit product; ESTIA application.

Logical and Physical Biometric identity management

Products for:

  • capturing biometric data for enrolment purposes;
  • performing biometric verification or identification;
  • biometric matching;
  • remote data processing systems for biometric reference data;
  • incorporating artificial intelligence components for biometric recognition, verification, identification or fraud detection.

Logical and Physical Access management

Products for:

  • logical access control systems;
  • physical access control systems;
  • access control readers and local control units;
  • access control supervision and monitoring software;
  • access management supervision systems;
  • anti-intrusion systems;
  • CCTV;
  • smart lock.

Logical and Physical Privileged access management

Products that:

  • control and monitor access rights of privileged users;
  • enforce differentiated access control policies;
  • manage privileged credentials;
  • monitor, record and audit privileged sessions;
  • protect access to critical IT or OT systems and sensitive information.

Products not in the scope of this document:

All other important and critical products that are covered by harmonised standards as per the standardisation request Mandate M/606 2025-02-03 such as:

  • chips, embedded OS, applets;
  • PKI products;
  • cybersecurity products needed for securing IT infrastructures (VPN, SIEM, etc.);
  • all products that are classified as default, such as fire detection products.
