How often must EUDI Wallet systems undergo vulnerability assessments?

The eIDAS 2.0 certification framework requires vulnerability assessments at multiple intervals. Initial assessments are required before certification, covering all components of the wallet infrastructure. After certification, regular assessments must be performed at least quarterly for internet-facing systems and semi-annually for internal infrastructure. Additional assessments are required after significant changes (new features, major updates, infrastructure modifications), after security incidents, and when new critical vulnerabilities are publicly disclosed that may affect the system. Continuous automated scanning is recommended as a supplement to periodic formal assessments.

What is the difference between vulnerability assessment and penetration testing?

Vulnerability assessment identifies and catalogues potential security weaknesses through automated scanning and analysis, producing a complete list of known vulnerabilities ranked by severity. Penetration testing goes further by actively attempting to exploit discovered vulnerabilities to determine if they can be used to gain unauthorized access or cause damage. In the EUDI Wallet context, both are required: vulnerability assessments provide breadth (finding all known weaknesses), while penetration tests provide depth (proving exploitability of specific weaknesses). Together, they give a complete picture of the system security posture.

What scoring system is used to prioritize EUDI Wallet vulnerabilities?

EUDI Wallet vulnerability assessments use the Common Vulnerability Scoring System (CVSS), currently at version 4.0, to rate the severity of discovered vulnerabilities on a scale from 0.0 to 10.0. CVSS scores consider the attack vector (network, adjacent, local, physical), attack complexity, privileges required, user interaction needed, and the impact on confidentiality, integrity, and availability. For EUDI Wallet systems, the eIDAS 2.0 certification typically requires that all critical vulnerabilities (CVSS 9.0-10.0) be remediated before certification and that high vulnerabilities (CVSS 7.0-8.9) be remediated or have documented mitigating controls within defined timeframes.

Vulnerability Assessment (Security Vulnerability Assessment)

Vulnerability Assessment

security

Full Name: Security Vulnerability Assessment

Definition

A Vulnerability Assessment is a systematic, methodical process of identifying, classifying, quantifying, and prioritizing security vulnerabilities in computer systems, network infrastructure, software applications, and operational processes. It involves using a combination of automated scanning tools, manual analysis techniques, and threat intelligence to discover known security weaknesses that could be exploited by attackers. In the EUDI Wallet ecosystem, vulnerability assessments are a mandatory component of the security assurance framework established by eIDAS 2.0, required for initial certification and ongoing compliance of all infrastructure components including wallet applications, credential issuer platforms, verifier systems, trust registry services, and wallet provider backends. The assessment process produces detailed reports that catalogue discovered vulnerabilities with severity ratings (using CVSS), affected components, potential impact, and recommended remediation actions, enabling EUDI Wallet operators to systematically reduce their attack surface and maintain the security posture required to protect the digital identity data of EU citizens.

Vulnerability Assessment Process for EUDI Wallet Systems

A complete vulnerability assessment for EUDI Wallet infrastructure follows a structured process that begins with asset discovery and scope definition. The assessment team identifies all systems in scope: the wallet mobile application (both iOS and Android versions), the wallet provider backend APIs, credential issuer endpoints (OpenID4VCI interfaces), verifier endpoints (OpenID4VP interfaces), trust registry query services, revocation status services, administrative portals, and supporting infrastructure (databases, message queues, key management systems). Each component is catalogued with its technology stack, version information, network exposure, and criticality rating.

The scanning phase employs multiple tools targeting different layers of the technology stack. Network vulnerability scanners (such as Nessus, Qualys, or OpenVAS) scan for known vulnerabilities in operating systems, network services, and middleware. Web application scanners (such as Burp Suite, OWASP ZAP, or Acunetix) test web-facing endpoints for OWASP Top 10 vulnerabilities including SQL injection, XSS, and authentication flaws. Static Application Security Testing (SAST) tools analyze the source code of the wallet application and backend services for coding patterns that introduce vulnerabilities. Dynamic Application Security Testing (DAST) tools test running applications from an external perspective. Software Composition Analysis (SCA) tools check all third-party libraries and dependencies against known vulnerability databases (CVE, NVD).

The analysis and reporting phase consolidates scan results, eliminates false positives through manual verification, and produces a prioritized vulnerability report. Each confirmed vulnerability is rated using CVSS, mapped to the affected EUDI Wallet component, and assigned a remediation priority. For EUDI Wallet systems, the report must also assess the potential impact of each vulnerability on the identity data protected by the system: could exploitation lead to credential theft, identity impersonation, privacy breaches, or disruption of identity services? This impact assessment helps operators prioritize remediation based on the actual risk to citizens rather than just technical severity scores.

EUDI Wallet-Specific Vulnerability Categories

Beyond standard web and network vulnerabilities, EUDI Wallet systems face vulnerability categories specific to their role as identity infrastructure. Cryptographic vulnerabilities are particularly critical: weaknesses in key generation, storage, or usage can undermine the entire trust model. Assessment must verify that all cryptographic implementations use approved algorithms (ECDSA with P-256 or P-384, RSA with adequate key lengths, SHA-256 or SHA-384 for hashing), that random number generation uses cryptographically secure sources, that key material is properly protected in TEE or HSM, and that deprecated algorithms or weak parameters are not supported even as fallback options.

Protocol-level vulnerabilities in the OpenID4VCI and OpenID4VP implementations are another critical category. Assessment must verify that credential issuance flows cannot be manipulated to issue credentials to unauthorized parties, that presentation flows cannot be replayed or redirected, that session management prevents token theft or session hijacking, and that error handling does not leak sensitive information. These protocol-level checks require assessors who understand the specific security properties of the EUDI Wallet protocols, going beyond generic web application security testing.

Privacy vulnerabilities represent a third category specific to identity systems. Assessment must check for correlation risks (can different transactions by the same user be linked?), data leakage (do logs, error messages, or API responses expose more personal data than intended?), consent bypass (can attributes be accessed without proper user consent?), and retention violations (is personal data stored longer than necessary?). These privacy-specific checks ensure that the system protects not just the confidentiality and integrity of identity data but also the privacy rights of the individuals whose data it processes.

Continuous Vulnerability Management in the EUDI Ecosystem

Given the critical nature of identity infrastructure, EUDI Wallet operators are expected to implement continuous vulnerability management rather than relying solely on periodic assessments. This includes automated daily or weekly scanning of internet-facing components, real-time monitoring of vulnerability intelligence feeds (CVE publications, vendor security advisories, threat intelligence services) for new vulnerabilities affecting the technology stack, and automated patch management processes that can rapidly deploy security updates when critical vulnerabilities are discovered.

The vulnerability management lifecycle for EUDI Wallet systems follows a continuous cycle: discover (identify new vulnerabilities through scanning and intelligence), assess (evaluate severity and impact), prioritize (rank remediation order based on risk), remediate (apply patches, configuration changes, or compensating controls), verify (confirm the remediation was effective), and report (document the process for compliance and audit purposes). This cycle operates continuously, with different components assessed at different frequencies based on their exposure and criticality.

Coordination between EUDI Wallet ecosystem participants is essential for effective vulnerability management. When a vulnerability is discovered that affects a shared component (such as a common library used by multiple wallet implementations, or a protocol-level weakness in OpenID4VCI), responsible disclosure and coordinated patching are necessary to protect the entire ecosystem. The EUDI Wallet governance framework includes provisions for security incident coordination, ensuring that critical vulnerability information is shared among authorized parties while preventing public disclosure before patches are available.

What is a Vulnerability Assessment?

Vulnerability Assessment: Security Vulnerability Assessment

Vulnerability Assessment

Definition

Vulnerability Assessment Process for EUDI Wallet Systems

EUDI Wallet-Specific Vulnerability Categories

Continuous Vulnerability Management in the EUDI Ecosystem

Related Terms

Penetration Testing

Security Audit

Frequently Asked Questions

Related Guides

→ Glossary Index

→ Penetration Testing

→ Security Audit

Sources

⚠️ Independent Information