ANNEX I
List of minimum information to be provided in the levels of assurance mapping document for the peer review referred to in Article 2(1), point (a)
The level of assurance mapping document for the peer review referred to in Article 2, paragraph 1, point (a) shall include at least the following information:
(1)
general information, including:
(a)
the name of the notifying Member State;
(b)
the title of the electronic identification scheme (if any);
(c)
the level or levels of assurance of the electronic identification scheme, indicated as low, substantial or high.
(2)
the authority or authorities responsible for the electronic identification scheme, including:
(a)
the name or names of the authority or authorities responsible for the electronic identification scheme;
(b)
the email address of the authority or authorities responsible for the electronic identification scheme.
(3)
information on relevant parties, entities and bodies involved in the electronic identification scheme, including:
(a)
the name of the entity or entities managing the registration process of the unique person identification data;
(b)
the name of the party or parties issuing the electronic identification means, and where applicable, an indication whether the party or parties are referred to in Article 7(a), point (i), (ii) or (iii) of Regulation (EU) No 910/2014;
(c)
the name of the party or parties operating the authentication procedure (the ‘eIDAS node’);
(d)
the name or names of the governance organisation or organisations participating in the supervisory regime related to the electronic identification scheme.
(4)
a description of the electronic identification scheme, including:
(a)
where applicable, the document or documents that shall be enclosed for each of the following topics:
—
a brief description of the electronic identification scheme, including the context in which it operates, its scope, and availability to private relying parties;
—
a list of the additional attributes which may be provided in relation to natural persons under the electronic identification scheme if requested by a relying party;
—
a list of the additional attributes which may be provided in relation to legal persons under the electronic identification scheme if requested by a relying party.
(b)
the applicable supervisory, liability and management regime, including:
—
a description of the supervisory regime of the electronic identification scheme including the evaluation process with respect to the following:
—
the supervisory regime applicable to the party or parties issuing the electronic identification means;
—
the supervisory regime applicable to the party or parties operating the eIDAS node.
Where applicable, these descriptions shall include the roles, responsibilities and powers of the governance organisations that participate in the supervisory regime referred to in point 3(d), and the entity to which they report. If the organisations do not report to the authority responsible for the scheme, full details of the entity to which they report shall be provided.
—
a description of the applicable national liability regime, including:
—
a description of the liability of the Member State under Article 11(1) of Regulation (EU) No 910/2014;
—
a description of the liability of the party or parties issuing the electronic identification means under Article 11(2) of Regulation (EU) No 910/2014;
—
a description of the liability of the party or parties operating the eIDAS node under Article 11(3) of Regulation (EU) No 910/2014.
—
arrangements for managing, suspending or revoking either the entire identification scheme, or specific electronic identification means, or the eIDAS node, or its compromised parts.
(c)
a description of the electronic identification scheme components, including:
—
a description of how the requirements in relation to minimum technical specifications and procedures for assurance levels for electronic identification means, as set out in Implementing Regulation (EU) 2015/1502, have been met, to substantiate the indicated assurance level for the enrolment;
—
a description of how the following processes are addressed under the electronic identification scheme, including documentation for the combination of options that were chosen by the Member State, for:
—
application and registration;
—
identity proofing and verification of a natural person:
—
identity proofing and verification of a legal person;
—
binding between the electronic identification means for natural and legal persons.
—
with regards to the electronic identification means management, a description of how the following processes are addressed under the electronic identification means:
—
characteristics and design of the electronic identification means, including, where appropriate, information on security certification;
—
issuance, delivery and activation;
—
suspension, revocation and reactivation;
—
renewal and replacement.
—
with regards to authentication, a description of the authentication mechanism, including terms of access to authentication by relying parties other than public sector bodies;
—
with regards to the management and organisation, a description of the management and organisation of the following aspects:
—
general provisions on management and organisation;
—
published notices and user information;
—
information security management;
—
record keeping.
—
facilities and staff;
—
technical controls.
—
compliance and audit.
(d)
a description of how interoperability and minimum technical and operational security requirements are met;
(e)
a list of all the supporting documentation submitted and a statement to which of the elements above they relate, including references to any domestic legislation which relates to the electronic identification provision relevant to the notification and relevant audit reports, certification practice statements, and test reports.
(f)
the relevant documents and information as regards the certification of the electronic identification scheme pursuant to Article 12a(1) and, where applicable, to Article 12a(5), of Regulation (EU) No 910/2014.