Electronic identification and trust services (including e-signature)

Multi-application smart cards are already widely deployed and used nowadays in eGovernment, ePayment, eHealth and other domains. Addition of biometric authentication enhances reliability (more secure than PIN), safety and convenience (hygienic, no need to touch PINpads or terminals sensor in case of BSoC especially while pandemic), reference card holder data security (no vulnerable and GDPR sensitive central database for biometrics is needed, card holder data cannot be read out from stolen / lost smart cards) and availability (users with no education in poor countries to obtain subsidy).

This fellowship support my ongoing contributions to the Biometric System-on-Card (BSoC) and On-Card Comparison (OCC) related interindustry ISO/IEC standards address the following three key aspects:
Firstly, bridging Definition Gaps: Bridging existing gaps in definitions in the ISO/IEC 17839 and ISO/IEC 24787 series, specifically focusing on core, physical dimensions, and logical information exchange interfaces requirements. This involves a comprehensive examination of the latest hardware and software advancements prevalent in the market for biometric on-card verification-enabled smart cards also evaluating the need for potential scope extension to other non-smart card form factor holder verification devices with supplementary (e.g., BLE, NFC) communication interface support. The emphasis is on ensuring that the standards are not solely rooted in theory but are backed by practical use cases.

Secondly, enhancing Clarity and Consistency: addressing the ongoing challenge involves maintaining clarity and consistency in any standards revisions developed by ISO/IEC JTC1/SC17/WG11 (e.g., ISO/IEC 7816-11), particularly concerning other Standard Committees (SCs) and Working Groups (WGs) developed standards. This effort includes eliminating ambiguities and ensuring seamless alignment with cross-referenced ISO/IEC JTC1 SC37/WG3 and SC37/WG2 (e.g., ISO/IEC 19785-3) standards on BDIF (Biometric Data Interchange Formats) and CBEFF (Common Biometric Exchange Formats Framework) interfaces and formats.

Thirdly, prioritizing Practical Applicability: The standards development process places a significant emphasis on practical applicability by aiming for seamless integration in real-world interoperable scenarios. The main goal is to facilitate the straightforward integration, testing (e.g., through ISO/IEC 18584 series) and maintenance of the standard compliant biometric solutions within diverse-scale interindustry biometric systems, which typically accommodate hardware and software components provided by various vendors.

This standard boosts the creation of a certification system for biometric solutions to be used in different scenarios. One of the first scenarios to be addressed is the remote identification of citizens using videoconference tools, i.e., using facial recognition with the users’ digital devices. But other scenarios will be added during this proposal, such as the use of face recognition in the future EUDI Wallet.

This activity paves the path to the technical definition and implementation of the EUDIW and the services related. It is important to note that by reaching interoperable EUDIWs, the following sectors will benefit:
Service providers and Administrations will find their work easier in identifying the citizen using the service, without acquiring more information that the one really needed. Therefore, the accomplishment of GDPR policies will be easier.
Manufacturers and integrators will have to go only through one set of specifications, not creating products that may not be accepted by the context of eIDAS2.
Citizens will see their identity secured, and privacy enhanced by only disclosing the relevant information to the services being used.

By stating that the priority is electronic identification and trust services, this work directly impacts both electronic identification and trust services. Specifically, the ETSI Standard 119 462 (Wallet Interfaces) influences identification and trust services in the following ways:
it establishes a standardised mechanism for identification from the wallet to trust service providers, it creates a standardised mechanism for trust service providers to issue attributes that are used for identification, it sets up a mechanism for collaboration with trust service providers in the process of creating electronic signatures.

In terms of broader European interests, my fellowship contributes to EU goals of digital sovereignty, user empowerment, and privacy leadership on the global stage. As the EUDI wallet is adopted across Europe, this framework will provide a scalable model for data protection and user-centric identity management that can be extended beyond digital wallets to other data-sharing contexts, enhancing Europe’s role as a privacy leader. With data privacy becoming a key competitive factor, this initiative not only strengthens the protection of EU citizens’ rights but also sets a high standard for digital identity solutions globally.

My work supports fundamental societal values by helping define how citizens can safely and transparently share their personal data through the European Digital Identity (EUDI) Wallet. At the heart of this is the development of access control standards that ensure individuals are not just passive data subjects, but active participants who can decide what data is shared, with whom, under what conditions, and for what declared purpose.
By enabling these controls through enforceable, machine-readable policies, the standard empowers users to exercise real agency over their digital identity—moving beyond consent screens toward meaningful privacy protections embedded in the architecture of the wallet itself. This aligns with the EU’s commitment to privacy, data minimisation, and purpose limitation under the GDPR.
The work also supports societal inclusion by ensuring that access control mechanisms are transparent and usable, helping citizens understand their rights and obligations, while also simplifying compliance for service providers. The inclusion of ISO/IEC 27560 in this framework ensures that all lawful bases for processing—not just consent—are clearly documented and traceable, which is especially important for use cases like healthcare, education, or public services.
Importantly, the open availability of ISO/IEC 27560 as a free standard lowers the barrier for adoption, supporting uptake by public administrations, SMEs, and civil society. This ensures that privacy-enhancing technologies are not limited to large commercial actors, but can benefit all layers of European society.
Overall, this work contributes to a more trustworthy, transparent, and citizen-centric digital identity ecosystem—one that upholds European values while supporting innovation, cross-border interoperability, and regulatory alignment.

Standardised biometric data formats enable interoperability and exchanging system components like biometric capture devices, algorithms, storage systems

The standard promotes Biometric System-on-Card architecture, characteristics and interfaces. It is a technology that improves security and privacy for citizens in Europe and beyond, because personal data remains on a personal card.

Technology for Biometric System-on-Card (BSoC) has advanced significantly since the first publication of the ISO/IEC 17839 series from 2014-2016. This made an amendment of part 2 necessary in 2021 and a revision started 2022/2023. The major gaps are that the currently published standards partially refer to outdated technology and do not cover many recent industry developments in the field of BSoC. This includes enrolment methodologies, sensor and card manufacturing, but also processes and usage of biometric cards. The priority is to consider all inputs from national bodies, come to a consensus and progress the standard series according to the ISO business plan. Challenges are divers inputs from industry delegates targeting different solutions. It is important to include all contributions from national bodies while keeping the timeline mandated by the ISO business plan.