Regulation on Digital ID in Germany
  • Investigate the transnational (EU-level) regulations around digital identity and extract the key requirements that several digital-identity providers operating in Germany have in common
  • Providers examined: Secunet, Signicat, Jolocom, Verimi, Gemalto
  • Scope of application
    • GDPR:
      • Definition of personal data
      • Rules for collecting and processing personal data
      • Data subject rights
    • eIDAS:
      • Definition of electronic identification (eID) and trust services
    • PSD2:
      • Promotion of FinTech through open APIs (third-party access to payment accounts)
      • Rules on Strong Customer Authentication (SCA)
    • AMLD5:
      • Extension of anti-money-laundering obligations to virtual-currency exchange and custodian wallet providers
      • Customer due diligence (KYC, know your customer) requirements
  • GDPR
    • Articles to be mentioned
      • Article 4: definition of the term “personal data”
      • Article 6: lawfulness of processing (the legal bases under which personal data may be processed)
      • Articles 15–21: data subject rights (access, rectification, erasure, restriction, notification, portability, objection)
    • Data processing on a blockchain has to be interpreted and protected differently from conventional processing: an append-only ledger replicated across many nodes makes it unclear who is controller or processor, and entries cannot be altered or deleted once written, which collides with rectification and erasure (Articles 16 and 17)
      • Definition of personal data and stakeholders (who is controller, who is processor, whether hashes or public keys on the ledger are still personal data)
      • Data subject rights, in particular how erasure can be honoured at all
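To make the blockchain point concrete, here is an added example written for these notes (it is not code from any of the providers listed): personal data and a per-record secret stay off-chain, the ledger holds only a keyed commitment, and an erasure request is honoured by deleting the off-chain record, after which the immutable chain entry is an unlinkable digest. The `Ledger` and `OffChainStore` classes, the record IDs and the e-mail addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple


class Ledger:
    """Append-only list of (record_id, commitment): nothing is ever changed or
    removed, which is exactly the property that makes on-chain personal data a problem."""

    def __init__(self) -> None:
        self._entries: List[Tuple[str, bytes]] = []

    def append(self, record_id: str, commitment: bytes) -> None:
        self._entries.append((record_id, commitment))

    def lookup(self, record_id: str) -> Optional[bytes]:
        for rid, commitment in self._entries:
            if rid == record_id:
                return commitment
        return None


class OffChainStore:
    """Mutable store holding the personal data and the per-record secret.
    This is the only component an erasure request has to act on."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}  # id -> (secret, data)

    def put(self, record_id: str, secret: bytes, data: bytes) -> None:
        self._records[record_id] = (secret, data)

    def get(self, record_id: str) -> Optional[Tuple[bytes, bytes]]:
        return self._records.get(record_id)

    def erase(self, record_id: str) -> bool:
        return self._records.pop(record_id, None) is not None


def commit(secret: bytes, data: bytes) -> bytes:
    """Keyed commitment (HMAC-SHA256) to the off-chain record.
    A bare hash of a guessable attribute (an e-mail address, a name) can be
    reversed by enumeration and so still links to a person; the 256-bit
    per-record secret closes that path once the secret is deleted."""
    return hmac.new(secret, data, hashlib.sha256).digest()


def register(ledger: Ledger, store: OffChainStore, record_id: str, data: bytes) -> None:
    """Store the personal data off-chain and anchor only the commitment on-chain."""
    secret = secrets.token_bytes(32)
    store.put(record_id, secret, data)
    ledger.append(record_id, commit(secret, data))


def verify(ledger: Ledger, store: OffChainStore, record_id: str) -> bool:
    """True only while the on-chain commitment and the off-chain record both exist and match."""
    on_chain = ledger.lookup(record_id)
    record = store.get(record_id)
    if on_chain is None or record is None:
        return False
    secret, data = record
    return hmac.compare_digest(on_chain, commit(secret, data))


def erase(ledger: Ledger, store: OffChainStore, record_id: str) -> bool:
    """Honour an erasure request: the ledger entry stays (it cannot be removed),
    the off-chain data and its secret go, leaving an unlinkable digest behind."""
    # `ledger` is deliberately untouched; it is only passed to make the point explicit.
    return store.erase(record_id)


def enumerate_bare_hash(target: bytes, candidates: List[bytes]) -> Optional[bytes]:
    """Dictionary attack: returns the candidate whose plain SHA-256 equals target.
    Succeeds against an unkeyed hash of a guessable attribute, fails against
    the keyed commitment the ledger actually stores."""
    for candidate in candidates:
        if hmac.compare_digest(hashlib.sha256(candidate).digest(), target):
            return candidate
    return None


if __name__ == "__main__":
    ledger, store = Ledger(), OffChainStore()
    register(ledger, store, "rec-1", b"alice@example.com")  # constructed sample record
    guesses = [b"bob@example.com", b"alice@example.com"]
    print("verified before erasure:", verify(ledger, store, "rec-1"))
    print("bare hash reversible:", enumerate_bare_hash(hashlib.sha256(b"alice@example.com").digest(), guesses))
    print("ledger commitment reversible:", enumerate_bare_hash(ledger.lookup("rec-1"), guesses))
    erase(ledger, store, "rec-1")
    print("verified after erasure:", verify(ledger, store, "rec-1"))
```

The design choice worth noting is the keyed commitment: with a plain hash, anyone holding a list of likely e-mail addresses can re-link the ledger entry to a person even after the off-chain record is gone, so the chain would still carry personal data; with a per-record secret that is deleted together with the record, the residual digest no longer identifies anyone.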
  • eIDAS Regulation
    • A guideline is needed on the implementation requirements that Self-Sovereign Identity (SSI) systems must meet to be eIDAS-compliant:
      • DIDs are not recognised by the EU as electronic signatures under eIDAS; a signature made with a DID-controlled key only reaches the qualified level when it is backed by a qualified certificate from a qualified trust service provider
      • How cryptographic keys are generated and protected (a qualified signature additionally requires a qualified signature creation device)
      • Verifiable Credentials (credential format and issuer signatures)
  • PSD2
    • SCA (Strong Customer Authentication, Art. 4(30) PSD2) requires at least two independent elements from different categories, independent in the sense that a breach of one does not compromise the reliability of the others:
      • Something you own (possession): mobile phone, card, TAN generator
      • Something you know (knowledge): PIN, password
      • Something you are (inherence): fingerprint
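The category rule is easy to get wrong in code (a password plus a security question is two elements but one category). The following added example, written for these notes rather than taken from any provider's code, implements a knowledge element (PBKDF2-hashed password or security answer), a possession element (TOTP per RFC 6238 from a device-provisioned secret) and an SCA policy check that counts distinct categories. The account record, element names (`password`, `security_answer`, `totp`) and salts are constructed; the TOTP secret is the RFC 4226/6238 test key.

```python
import hashlib
import hmac
import struct
from enum import Enum
from typing import Dict, List, Set, Tuple


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # PIN, password, security answer
    POSSESSION = "possession"  # phone, card, TAN generator
    INHERENCE = "inherence"    # fingerprint, face


# --- knowledge element: password / security answer stored as PBKDF2-HMAC-SHA256 ---
def hash_secret(value: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, iterations)


def verify_secret(value: str, salt: bytes, expected: bytes) -> bool:
    return hmac.compare_digest(hash_secret(value, salt), expected)


# --- possession element: TOTP (RFC 6238) from a secret provisioned to one device ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current 30 s step and +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + 30 * d), code)
        for d in range(-window, window + 1)
    )


# Constructed sample account (not a real user); the TOTP secret is the RFC test key.
SALT_PWD, SALT_ANSWER = b"\x01" * 16, b"\x02" * 16
USER: Dict[str, bytes] = {
    "pwd_hash": hash_secret("correct horse battery staple", SALT_PWD),
    "answer_hash": hash_secret("rex", SALT_ANSWER),
    "totp_secret": b"12345678901234567890",
}


def authenticate(user: Dict[str, bytes], presented: Dict[str, str], now: int) -> Tuple[bool, Set[Factor]]:
    """Verify every presented element, then apply the SCA rule.

    Returns (sca_satisfied, categories_verified). The element names
    'password', 'security_answer' and 'totp' are assumed for this example.
    """
    checks: List[Tuple[Factor, bool]] = []
    if "password" in presented:
        checks.append((Factor.KNOWLEDGE, verify_secret(presented["password"], SALT_PWD, user["pwd_hash"])))
    if "security_answer" in presented:
        checks.append((Factor.KNOWLEDGE, verify_secret(presented["security_answer"], SALT_ANSWER, user["answer_hash"])))
    if "totp" in presented:
        checks.append((Factor.POSSESSION, verify_totp(user["totp_secret"], presented["totp"], now)))

    # No partial credit and no hint about which element failed.
    if not checks or not all(ok for _, ok in checks):
        return False, set()

    categories = {factor for factor, _ in checks}
    # The SCA rule: two or more elements from *different* categories.
    # Password + security answer are both "knowledge" and therefore do not qualify.
    return len(categories) >= 2, categories


if __name__ == "__main__":
    now = 59
    code = totp(USER["totp_secret"], now)
    print(authenticate(USER, {"password": "correct horse battery staple", "totp": code}, now))
    print(authenticate(USER, {"password": "correct horse battery staple", "security_answer": "rex"}, now))
```

What this check cannot see is the independence requirement: a TOTP app running on the same compromised phone as the banking app, or both secrets kept in one store, still counts as two categories here, so independence has to be enforced in the system design (separate devices or secure elements), not just in the policy evaluator.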
  • AMLD5
    • While identities and their data will not be stored on the blockchain, wallets will need the ability to validate a claimed identity against an authoritative source
  • Related standards
    • Standards related to digital identity: ISO/IEC 15408 (Common Criteria), 19784 (BioAPI), 24760 (identity management framework), 27000 series (information security management), 29146 (access management framework)
    • Common Criteria (ISO/IEC 15408) certifies the security functionality of IT products and systems; interoperability, system management and user training are out of its scope and belong to other standards (e.g. ISO/IEC 27001 for management systems)