Standards Development

Scope

Smart Cards

• Definition of a Smart Card that is in the scope of the Regulation (EU) 2024/2847, Annex 4, Category 41 o In reference to TC47X/WG3 work on Security MCU/MPU

• Distinction between applicative part and general part of the architecture that is essential for composite evaluation

 • Expectation on applicative and composite evaluation in accordance with EUCC scheme

 Similar Devices

• Definition of similar devices that are in- or out-of-scope of this standardisation category – for example:

o Products in-scope that fully comply with architectural description of a compliant Smart Card but do come in different packaging (e.g. SIM-card form factors, key fobs, tokens, IoT embedded ID elements), etc.

 o Products out-of-scope that come packaged as a smart card but contain microcontrollers with security functions or tamper resistance appropriate for evaluation under other categories

Secure Elements

 • Definition of a Secure Element that is on the scope of the Regulation (EU) 2024/2847, including description of possible architectures and required security capabilities, in alignment with TC47X

 • Distinction between applicative part and general part of the architecture that is essential for composite evaluation

• Expectation on applicative and composite evaluation in accordance with EUCC scheme 

• Alignment of security capabilities of secure elements with microcontrollers and microprocessors with security functions and/or tamper resistance capabilities

Related remote data processing 

• Technical criteria characterizing a remote data processing

• Identification of remote data processing e.g. life cycle management, security update services….

 • Standardized expectations on lifecycle management of Smart Cards and

Secure Elements

As part of the work, the group will cover at least the types of PwDE and their intended purposes in relation to use cases described in the list below. In addition, for some types of PwDE, expertise from external organizations which are recognized will be leveraged to ensure the project is relevant and in line with the reality of markets.

 Type of the Product with Digital Elements:

1. Secure element, Smart Cards and similar devices for critical use cases – high risk profile

2. Secure element, Smart Cards and similar devices for critical use cases – low risk profile

3. Remote data processing systems / services

The list above is not finite, it represents initial state.

 The work of the group will first focus on delivering precise scope related to intended purpose and dependant use cases, in collaboration with other standardisation workgroups and industry representatives.

Note on the use cases

 - Standard may cover specific aspects of particular use cases

Note on risk profile

 - The mapping of compliance criteria with EUCC may be given

 - Standard may cover aspects of newer version of Common Criteria CC:2022, and other established schemes

Purpose

 The New Work Item aims to extend and complement the work of CENELEC/TC47X, in particularly of the WG3 but also in relation to WG1 and WG2, towards creation of the harmonized standard that shall define conditions and requirements on product with digital elements as defined in Article 3.1 and 3.2, in particular coverage of Annex IV, line 3, Smartcards or similar devices, including secure elements of the Regulation (EU) 2024/2847.

Extension/complementing of the TC47X work will be focused on application layer on top of the Secure MCU/MPU.

Justification:

Standardization efforts delegated to multiple technical committees and workgroups within ETSI, CEN and CENELEC aiming to produce standards for 41 categorized security practices and product groups, may rely on interdependency between multiple categories, resulting in possible composition of final standards to help vendors of products with digital elements on the way towards regulated compliance. This NWI shall bring applicable precision for vendors and manufacturers of

- Smart Cards, including the definition of a compliant smart card, including distinction between architectures

- Similar devices, including the distinction of devices that are in-scope and out of scope of this compliance

- Secure Elements, including the aspects of applicative/composite evaluation and related architectures

Achieving appropriate level of clarity for manufacturers of these products with digital elements will require creation of multiple standards, to respond to variety of intended purposes and use cases.

In scope of these standards are also requirements for mechanisms used for security updates in compliance with Regulation (EU) 2024/2847, applicable security levels for regulative category, relation to particular use cases where these standardized products or their digital elements are used.