• Remote ID Proofing - Good practices

    Through this report, ENISA aims to enhance stakeholder awareness, facilitate risk analysis in evolving threat landscapes, and bolster trustworthiness in remote identity proofing methods.

    Published on March 12, 2024
  • Engineering Personal Data Protection in EU Data Spaces

    Common European data spaces (EU data spaces) are a novel concept introduced in the European strategy for data and elaborated further within the Data Governance Act (DGA). This report attempts to contextualise the main design principles regarding...

    Published on January 26, 2024
  • NIS Investments Report 2023

    This report aims at providing policy makers with evidence to assess the effectiveness of the existing EU cybersecurity framework specifically through data on how Operators of Essential Services (OES) and Digital Service Providers (DSP) identified in...

    Published on November 16, 2023
  • Trust Services-Secure move to the cloud of the eIDAS ecosystem

    This report includes a detailed analysis on the different technical requirements that must be addressed considering the relevant standards. It also gives an overview of practical experiences on the move of trust services to the cloud, based on the...

    Published on June 12, 2023
  • Embedded Sim Ecosystem, Security Risks and Measures

    eSIM is the generic term used for the embedded form of a SIM (subscriber identity module) card. Built into the device, the eSIM is hosted on a tiny chip that provides storage for the mobile subscription details in digital format. Like the regular...

    Published on March 09, 2023
  • Engineering Personal Data Sharing

    This report attempts to look closer at specific use cases relating to personal data sharing, primarily in the health sector, and discusses how specific technologies and considerations of implementation can support the meeting of specific data...

    Published on January 27, 2023
  • Deploying Pseudonymisation Techniques

    Pseudonymisation is increasingly becoming a key security technique for providing a means that can facilitate personal data processing, while offering strong safeguards for the protection of personal data and thereby safeguarding the rights and...

    Published on March 24, 2022
  • Cyber Threats Outreach In Telecom - Leaflet

    This leaflet provides basic guidelines for National Authorities and telecom providers on how to inform users about cyber threats.

    Published on March 10, 2022
  • Cyber Threats Outreach In Telecom

    In this paper, we aim to give guidance to national authorities and providers of electronic communications networks and services regarding how to strike the right balance and carry out efficient and effective outreach to users about cyber threats.

    Published on March 10, 2022
  • Security and Privacy for public DNS Resolvers

    Domain Name System (DNS) resolution is a hierarchical distributed system of protocols and systems, whose main purpose is to map the human friendly domain names, such as www.example.com, to machine readable IP addresses, such as 123.123.123.123. DNS...

    Published on February 10, 2022
  • Data Protection Engineering

    Data Protection Engineering can be perceived as part of data protection by Design and by Default. It aims to support the selection, deployment and configuration of appropriate technical and organizational measures in order to satisfy specific data...

    Published on January 27, 2022
  • Digital Identity: Leveraging the SSI Concept to Build Trust

    The maintenance of continuity in social life, businesses and administration has accelerated the reflection on the possibility of a need for such decentralised electronic identity. This report explores the potential of self-sovereign identity (SSI...

    Published on January 20, 2022
  • Remote Identity Proofing - Attacks & Countermeasures

    Remote identity proofing is a crucial element in creating trust for digital services. The present study analyses the collection and validation of evidence provided by the applicant to complete the verification of his or her identity. More...

    Published on January 20, 2022
  • Countering SIM-Swapping

    In this study, we give an overview of how SIM-Swapping attacks work, list measures that providers can take to mitigate the attack and make recommendations for policy makers and authorities in the telecom sector and other sectors. Security of...

    Published on December 06, 2021
  • How to Avoid SIM-Swapping - Leaflet

    This leaflet addresses SIM-swapping attacks, how to recognise them and how to mitigate the risk connected to this fraud. In fact, Subscriber Identity Module (SIM) swapping is a legitimate procedure performed by a customer to change their SIM...

    Published on December 06, 2021
  • NIS Investments Report 2021

    Following the 2020 NIS Investment publication, this report covers all 27 EU Member States and offers additional insights into the allocation of NIS budgets of OES/DSP, the economic impact of cybersecurity incidents and the organisation of...

    Published on November 17, 2021
  • Assessment of EU Telecom Security Legislation

    European Union telecom security legislation has been changing over the last few years. In light of these policy changes, ENISA carried out an assessment of the implementation of EU telecom security policy, to inform policy makers in the Commission...

    Published on July 13, 2021
  • Guideline on Security Measures under the EECC

    This document, the Technical Guideline for Security Measures, provides guidance to competent authorities about the technical details of implementing Articles 40 and 41 of the EECC: how to ensure that providers assess risks and take appropriate...

    Published on July 07, 2021
  • 5G Supplement - to the Guideline on Security Measures under the EECC

    This document contains a 5G technology profile which supplements the technology-neutral Guideline on Security Measures under the EECC. The document gives additional guidance to competent national authorities about how to ensure implementation and...

    Published on July 07, 2021
  • Technical Guideline on Incident Reporting under the EECC

    This document describes the formats and procedures for cross border reporting and annual summary reporting under Article 40 of the EECC. Paragraph 2 of Article 40 describes three types of incident reporting: 1) National incident reporting from...

    Published on March 22, 2021
  • Conformity Assessment of Qualified Trust Service Providers

    This document provides an overview of the conformity assessment framework for QTSPs as set out in the eIDAS Regulation, i.e. aiming to confirm that the assessed QTSP/QTS fulfils its requirements. This report discusses the typical process flow and...

    Published on March 11, 2021
  • Recommendations for Qualified Trust Service Providers based on Standards

    This document provides recommendations to help qualified trust service providers and auditors understand the expected mapping between these requirements/obligations and reference numbers of standards, as well as practical recommendations for their...

    Published on March 11, 2021
  • Security Framework for Qualified Trust Service Providers

    This document proposes a security framework to achieve compliance with Article 19 of the eIDAS Regulation, to which both non-QTSP and QTSP are subject. Nevertheless, Article 19.1 states that the security measures “shall ensure that the level of...

    Published on March 11, 2021
  • Security Framework for Trust Service Providers

    This document proposes a security framework to achieve compliance with Article 19 of the eIDAS Regulation. As illustrated below, this security framework includes specific guidelines for TSP on: 1) Risk management related to the security of the eIDAS...

    Published on March 11, 2021
  • Remote ID Proofing

    This report provides an overview of the most common methods for identity proofing with some examples received by stakeholders, presents the current legal / regulatory landscape and supporting standards at the international and EU level and provides...

    Published on March 11, 2021
  • Data Pseudonymisation: Advanced Techniques and Use Cases

    This report, building on the basic pseudonymisation techniques, examines advanced solutions for more complex scenarios that can be based on asymmetric encryption, ring signatures and group pseudonyms, chaining mode, pseudonyms based on multiple...

    Published on January 28, 2021
  • NIS Investments Report 2020

    Four years after the NIS Directive entered into force and two years after the transposition by Member States into their national laws, this report presents the findings of a survey of 251 organisations across five EU Member States (France, Germany...

    Published on December 11, 2020
  • Telecom Security During a Pandemic

    The COVID-19 pandemic not only highlighted the importance of electronic communication networks and services for the EU’s society and economy, but it also triggered major changes and challenges in their use in the EU and worldwide. In this paper, we...

    Published on November 26, 2020
  • Power Sector Dependency on Time Service: attacks against time sensitive services

    This publication describes the threats against energy providers’ services which depend on the availability of precise timing and communication networks. It provides a typical architecture which supports the time measurement service. Then it...

    Published on May 12, 2020
  • Encrypted Traffic Analysis

    This report explores the current state of affairs in Encrypted Traffic Analysis and in particular discusses research and methods in 6 key use cases; viz. application identification, network analytics, user information identification, detection of...

    Published on April 23, 2020
  • Advancing Software Security in the EU

    This study discusses some key elements of software security and provides a concise overview of the most relevant existing approaches and standards while identifying shortcomings associated with the secure software development landscape, related to...

    Published on April 15, 2020
  • eIDAS compliant eID Solutions

    This report provides an overview of the legislative framework under eIDAS for electronic identification, presents the landscape of notified and pre-notified eID schemes and identifies key trends in the electronic identification field. Moreover, it...

    Published on March 15, 2020
  • Overview of standards related to eIDAS

    The scope of this document is to assess the suitability of the recently published ENs to fulfil the eIDAS Regulation requirements, and to describe the differences with the previous TSs, in view of a possible update of the list of standards...

    Published on December 18, 2019
  • Recommendations for technical implementation of the eIDAS Regulation

    The present report aims to propose ways in which the eIDAS assessment regime can be strengthened based on the current regime of the eIDAS Regulation, the stakeholders’ concerns and the legitimate need to move towards a more harmonised approach with...

    Published on December 17, 2019
  • Pseudonymisation techniques and best practices

    This report explores further the basic notions of pseudonymisation, as well as technical solutions that can support implementation in practice. Starting from a number of pseudonymisation scenarios, the report defines first the main actors that can...

    Published on December 03, 2019
  • Stock taking of security requirements set by different legal frameworks on OES and DSPs

    In order to support organisations in their process of identifying appropriate security measures, based on the provisions of both NISD and GDPR, this report uses as basis the pre-existing ENISA guidance and presents a mapping of already identified...

    Published on November 15, 2019
  • Assessment of ETSI TS 119 403-3 related to eIDAS

    This document assesses the eligibility of [ETSI TS 119 403-3], and the standards it builds upon, to be referenced in an implementing act adopted pursuant to Art.20(4) of the eIDAS Regulation. The findings suggest that if certain revisions take...

    Published on November 15, 2019
  • Challenges and opportunities for EU cybersecurity start-ups

    Based on extensive analysis of the identified challenges and opportunities, as well as on feedback collected from a panel of experts, this report proposes a set of recommendations to start-ups and SMEs active in the NIS market.

    Published on May 15, 2019
  • Towards a framework for policy development in cybersecurity - Security and privacy considerations in autonomous agents

    One of the key aspects in autonomous systems is the data collected, mainly for supporting the demanding functionality in a qualitative and timely manner. The current study highlights a number of relevant security and privacy considerations, such as...

    Published on March 14, 2019
  • Good practices on the implementation of regulatory technical standards

    MS approaches on PSD 2 implementation: commonalities in risk management and incident reporting - The main objective of this study is to identify the differences introduced by Member States in the implementation of the PSD2. In particular, the aim is...

    Published on January 24, 2019
  • Towards global acceptance of eIDAS audits

    The goal of the study is to explore the eIDAS Conformity Assessment Report (CAR), the corresponding audit requirements, gaps arising from comparison with competing audit schemes, and the emergent issues at the core of the global conversation between...

    Published on January 15, 2019
  • Assessment of Standards related to eIDAS

    In this report, ENISA presents aspects of QSCD certification and QTSP supervision to identify the way to combine respective elements therein, in line with the eIDAS requirements. In this context, this report seeks to support standards CEN EN 419...

    Published on December 14, 2018
  • Good practices on interdependencies between OES and DSPs

    This study is concerned with dependencies and interdependencies among Operators of Essential Services (OES) and Digital Service Providers (DSPs) as defined in the NIS Directive and addresses emerging dependencies and interdependencies across...

    Published on November 30, 2018
  • Guidelines on assessing DSP security and OES compliance with the NISD security requirements

    This report presents the steps of an information security audit process for the OES compliance, as well as of a self-assessment/ management framework for the DSP security against the security requirements set by the NIS Directive. In addition, it...

    Published on November 28, 2018
  • Handbook on Security of Personal Data Processing

    The overall scope of the report is to provide practical demonstrations and interpretation of the methodological steps of ENISA’s 2016 guidelines for SMEs on the security of personal data processing. This is performed through specific use cases...

    Published on January 29, 2018
  • eIDAS: Overview on the implementation and uptake of Trust Services

    In the context of the eIDAS Regulation, ENISA conducted a study to present an overview of the implementation and uptake of Trust Services defined in the eIDAS Regulation one year after adoption to the new regime, and analyse the new opportunities...

    Published on January 15, 2018
  • Annual Privacy Forum 2017

    ENISA's Annual Privacy Forum 2017 encouraged dialogue with panel discussions and provided room for exchange of ideas in between scientific sessions. The two-day conference was well attended by more than 100 participants in addition to more than 70...

    Published on January 09, 2018
  • QWACs Plugin

    Proof of concept browser plugin to support the two-step verification of qualified certificates for web-site authentication

    Published on January 08, 2018
  • Recommendations for QTSPs based on Standards - Technical guidelines on trust services

    Following the publication of the eIDAS Regulation, a set of secondary and co-regulatory acts had to be published in order to provide technical guidance on how to implement the specific requirements of the eIDAS Regulation (in the TSP part of eIDAS...

    Published on December 19, 2017
  • Guidelines on Supervision of Qualified Trust Services - Technical guidelines on trust services

    This document is one deliverable out of a series whose objective is to propose guidelines aimed at facilitating the implementation of the provisions related to trust services of the eIDAS Regulation in the area of qualified trust services. It...

    Published on December 19, 2017
  • Guidelines on Initiation of Qualified Trust Services - Technical guidelines on trust services

    This document is one deliverable out of a series whose objective is to propose guidelines aimed at facilitating the implementation of the provisions related to trust services of the eIDAS Regulation in the area of qualified trust services. It...

    Published on December 19, 2017
  • Security framework for Trust Service Providers - Technical guidelines on trust services

    Article 19 of the eIDAS Regulation, which is the main focus of this document, states that Trust Service Providers have to demonstrate due diligence, in relation to the identification of risks and adoption of appropriate security practices, and...

    Published on December 19, 2017
  • Conformity assessment of Trust Service Providers - Technical guidelines on trust services

    Through this document, ENISA is supporting both Trust Service Providers and Conformity Assessment Bodies in the audit activities by presenting the auditing framework. It aims at helping Trust Service Providers fulfil the requirements defined by...

    Published on December 19, 2017
  • Guidelines on Termination of Qualified Trust Services

    This document proposes guidelines to SB and (Q)TSP aimed at facilitating the implementation of the provisions related to trust services of the eIDAS Regulation in the area of termination of trust services. Termination of QTS is addressed here in a...

    Published on December 19, 2017
  • Recommendations on European Data Protection Certification

    The objective of this report is to identify and analyse challenges and opportunities of data protection certification mechanisms, including seals and marks, as introduced by the GDPR, focusing also on existing initiatives and voluntary schemes.

    Published on November 27, 2017
  • Security guidelines on the appropriate use of qualified website authentication certificates

    This document addresses qualified certificates for website authentication and is one out of a series of five documents which aim to assist parties wishing to use qualified electronic signatures, seals, time stamps, eDelivery or website...

    Published on June 29, 2017
  • Security guidelines on the appropriate use of qualified electronic registered delivery services

    This document addresses qualified electronic registered delivery services and is one out of a series of five documents which aim to assist parties wishing to use qualified electronic signatures, seals, time stamps, eDelivery or website...

    Published on June 29, 2017
  • Security guidelines on the appropriate use of qualified electronic time stamps

    This document addresses qualified electronic time stamps and is one out of a series of five documents which target to assist parties aiming to use qualified electronic signatures, seals, time stamps, eDelivery or website authentication certificates...

    Published on June 29, 2017
  • Security guidelines on the appropriate use of qualified electronic seals

    This document addresses qualified electronic seals and is one out of a series of five documents which target to assist parties aiming to use qualified electronic signatures, seals, time stamps, eDelivery and website authentication certificates to...

    Published on June 29, 2017
  • Security guidelines on the appropriate use of qualified electronic signatures

    This document addresses qualified electronic signatures and is one out of a series of five documents which target to assist parties aiming to use qualified electronic signatures, seals, time stamps, eDelivery or website authentication certificates...

    Published on June 29, 2017
  • Recommendations on aligning research programme with policy

    The scope of this report is to review existing analysis reports on EU funded Trust and Security Projects, summarize achievements that have significantly promoted specific pillars of NIS, identify and summarize specific outcomes that can promote and...

    Published on May 08, 2017
  • Annual Privacy Forum 2016

    In light of the data protection regulation and the European digital agenda, DG CONNECT, EDPS, ENISA and Goethe University Frankfurt organized APF 2016. APF 2016 was held 7 & 8 September at Goethe University Frankfurt am Main, Germany.

    Published on March 09, 2017
  • Guidelines for SMEs on the security of personal data processing

    ENISA undertook a study to support SMEs on how to adopt security measures for the protection of personal data, following a risk-based approach. In particular, the objectives of the study were to facilitate SMEs in understanding the context of the...

    Published on January 27, 2017
  • Report on Annual Privacy Forum 2012

    The first Annual Privacy Forum (APF’12) was held in Limassol, Cyprus from 10–11 October 2012. The Forum was co-organised by the European Network and Information Security Agency (ENISA) and the European Commission Directorate General for...

    Published on December 12, 2012
  • Managing multiple identities

    Nowadays each person has the opportunity of living multiple lives in parallel, in the real as well as in the virtual world. A trend observed over the last years, first in the research community, but now also in commercial offerings is the increase...

    Published on April 20, 2011
  • Mapping security services to authentication levels

    This report reviews the authentication levels and their mapping to public electronic services in the eGovernment programme framework, which require an authentication of the user (security services). It gives a general overview of European efforts...

    Published on March 08, 2011
  • Mobile Identity Management

    This paper reports on information security risks and best-practice in the area of Mobile Identity Management (Mobile IDM). It also provides recommendations of systems, protocols and/or approaches to address these challenges.

    Published on April 13, 2010
  • Security Issues in Cross-border Electronic Authentication

    Improving the interoperability of electronic identification and authentication systems is a European task and a task for all Member States. Considerable efforts have been made in several projects to face the challenges of pan-European...

    Published on February 03, 2010
  • National eIDs in pan-European e-Government Services

    Since the beginning of the 21st century, European Member States have been planning, developing and implementing new solutions to offer electronic services to citizens and businesses on a digital platform in order to improve administrative...

    Published on January 24, 2010
  • Privacy and Security Risks when Authenticating on the Internet with European eID Cards

    Whenever we use internet services, the first steps we take are usually identification (we input our names) and authentication (we prove that it is us). How we actually identify and authenticate ourselves depends on the security level of the...

    Published on November 26, 2009
  • Privacy Features of European eID Card Specifications

    A national eID card is a gateway to personal information. Any unwanted disclosure of personal information constitutes a violation of the citizen’s privacy rights. Apart from considerations of fundamental rights, this is also a serious obstacle to...

    Published on January 27, 2009
  • Security Issues in the Context of Authentication Using Mobile Devices (Mobile eID)

    Mobile devices, like smart phones and PDAs, will play an increasingly important role in the digital environment. However, the pervasive use of mobile devices also brings new security and privacy risks. Persons who make extensive use of mobile...

    Published on November 11, 2008