BSI
organization
Full Name: Bundesamt für Sicherheit in der Informationstechnik
Country: Germany (DE)
Definition
BSI (Bundesamt für Sicherheit in der Informationstechnik) is Germany's federal cybersecurity authority, responsible for managing information security for the German government and critical infrastructure. In the EUDI Wallet ecosystem, BSI plays a central role by defining technical guidelines, conducting security certifications, and providing oversight for Germany's AusweisApp -- the German national EUDI Wallet implementation. BSI's technical specifications, particularly the TR-03127/128/130 series, form the foundation of Germany's eID infrastructure and significantly influence European-level EUDI Wallet security standards.
BSI's Technical Guidelines for Digital Identity
BSI has published a complete series of Technical Guidelines (Technische Richtlinien) that define the security architecture for Germany's electronic identity infrastructure. TR-03127 specifies the electronic identity (eID) architecture of the German Personalausweis (national ID card), defining how the chip communicates with readers, how authentication protocols work, and which cryptographic algorithms are used. This guideline forms the basis for the high-assurance identity proofing used to activate the EUDI Wallet.
TR-03128 defines the eID server interface, specifying how relying parties (government services, banks, etc.) interact with the eID infrastructure to verify citizen identities. For the EUDI Wallet context, this guideline ensures that the wallet activation process, which involves reading the eID chip via NFC, follows standardized and secure protocols. TR-03130 covers the eID client implementation, providing detailed specifications for the AusweisApp software that citizens use on their smartphones.
These technical guidelines are regularly updated to reflect evolving security requirements and technological capabilities. BSI maintains a publicly accessible repository of all guidelines, allowing other EU member states to reference Germany's approach when developing their own EUDI Wallet implementations. The guidelines are particularly influential because Germany's eID infrastructure, based on the Personalausweis with its contactless chip, has been operational since 2010 and represents one of the most mature national eID systems in Europe.
The AusweisApp: Germany's EUDI Wallet
The AusweisApp (originally AusweisApp2) is Germany's official eID client application, developed under BSI's supervision and now being extended to serve as Germany's EUDI Wallet. The app enables citizens to use the eID function of their Personalausweis for online authentication with government services and private-sector relying parties. With the EUDI Wallet extension, the AusweisApp will also support the issuance, storage, and presentation of verifiable credentials beyond the core eID function.
BSI certifies the AusweisApp through rigorous security evaluations that verify the app's resistance to reverse engineering, tampering, and man-in-the-middle attacks. The evaluation covers the app's secure communication with the Personalausweis chip (via NFC), the protection of session keys, the integrity of the user interface (preventing phishing attacks), and the secure storage of credential data on the device.
Germany's approach to the EUDI Wallet is distinctive in its reliance on the hardware security of the Personalausweis chip for identity proofing. While other member states may use video identification or other remote proofing methods, Germany uses the existing installed base of over 60 million eID-capable Personalausweis cards to provide Level of Assurance High identity proofing for wallet activation.
BSI's European Influence
As the cybersecurity authority of the EU's largest member state, BSI's technical decisions carry significant weight in European standardization. BSI actively participates in ETSI, CEN, and ISO working groups that develop the technical standards underpinning the EUDI Wallet ecosystem. The agency's expertise in smartcard security, secure communication protocols, and cryptographic implementation informs the Architecture Reference Framework (ARF) that all EU member states must follow.
Through the SOG-IS (Senior Officials Group for Information Systems Security) mutual recognition agreement, BSI's Common Criteria security certifications are recognized by 17 European countries. This means that security evaluations conducted by BSI for the AusweisApp and related components are accepted across these countries without requiring duplicate certification, reducing costs and accelerating cross-border interoperability.
BSI also operates the national CERT (Computer Emergency Response Team) for Germany, which coordinates with other member states on cybersecurity incident response. For the EUDI Wallet ecosystem, this includes vulnerability disclosure, coordinated patching of security issues, and sharing threat intelligence about attacks targeting digital identity infrastructure.