Incident Response
Full Name: Security Incident Response
Definition
Incident response (IR) is a structured methodology for handling security incidents -- events that compromise the confidentiality, integrity, or availability of information systems. An effective IR process enables organizations to quickly detect incidents, minimize damage, reduce recovery time and costs, and learn from events to prevent recurrence. For the EUDI Wallet ecosystem, incident response is critical because security events can affect millions of users across multiple Member States. A compromised credential issuer key, a data breach at a wallet provider, or a successful attack on Trusted List infrastructure would require coordinated, rapid response across organizational and national boundaries.
EUDI-Specific Incident Scenarios
The EUDI Wallet ecosystem faces unique incident types that require specialized response procedures:
- Issuer key compromise: If a credential issuer's signing key is compromised, every credential signed with that key becomes suspect, including credentials that appear to predate the compromise, because whoever holds the key can backdate issuance. Response involves revoking the issuer's certificate (publishing the revocation via CRL/OCSP), withdrawing the issuer's entry from the Trusted List, notifying wallet providers so that wallets refresh their cached trust data rather than keep honouring the stale entry, and coordinating mass re-issuance of credentials under a fresh key to affected users.
- Wallet app vulnerability: A critical vulnerability in the wallet application could expose credentials or keys on user devices. Response involves issuing an emergency app update, potentially disabling affected wallet versions through remote configuration, and assessing whether any credentials were actually compromised.
- Trusted List compromise: The most severe scenario: if the Trusted List signing key is compromised, attackers could insert fraudulent issuers. Response requires immediate revocation of that key, an emergency Trusted List update delivered through an out-of-band mechanism, and potentially re-pinning all wallets to a known-good trust anchor. Wallets must also refuse to accept an older, still validly signed list in place of the emergency update, otherwise the fix can be rolled back.
- Cross-border credential fraud: A pattern of fraudulent credential presentations across multiple Member States. Response requires coordination between national authorities, analysis of the fraud pattern, identification of the compromised component, and coordinated remediation across the affected countries.
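The following is an added example, not code from the EUDI reference implementation or any wallet provider, showing what the issuer-key-compromise and Trusted-List-compromise scenarios above look like from the wallet side: a cached Trusted List that is only accepted when signed by the known-good anchor and newer than the cached copy, credentials rejected outright under a revoked key regardless of their claimed issuance date, and a refusal to accept credentials while the cache is stale. HMAC-SHA256 stands in for the real asymmetric signatures, the list format, the `granted`/`withdrawn` status names, the issuer and key names and the one-day refresh policy are all assumptions made for the example, and the timeline in `run_scenario` is constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional, Tuple

DAY = 24 * 3600


def sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over canonical JSON; a stand-in for the real (asymmetric) signatures."""
    msg = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify(key: bytes, payload: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, payload), sig)


@dataclass
class WalletTrustStore:
    """A wallet's cached Trusted List and the known-good anchor key that signs it."""
    anchor_key: bytes
    max_age: int = DAY              # hypothetical policy: refresh the cached list daily
    cached: Optional[dict] = None
    cached_at: int = 0

    def install_trusted_list(self, tl: dict, sig: str, now: int) -> str:
        # A forged list (Trusted List compromise scenario) fails the anchor check ...
        if not verify(self.anchor_key, tl, sig):
            return "rejected: bad Trusted List signature"
        # ... and a genuine but older list must not replace the emergency update.
        if self.cached is not None and tl["seq"] <= self.cached["seq"]:
            return "rejected: rollback to older Trusted List"
        self.cached, self.cached_at = tl, now
        return "installed"

    def verify_credential(self, cred: dict, sig: str, now: int) -> Tuple[bool, str]:
        if self.cached is None or now - self.cached_at > self.max_age:
            return False, "Trusted List cache stale; refresh before accepting"
        entry = self.cached["issuers"].get(cred["issuer"])
        if entry is None:
            return False, "issuer not on Trusted List"
        if entry["status"] != "granted":          # assumed status values: granted / withdrawn
            return False, f"issuer status is {entry['status']}"
        kid = cred["key_id"]
        if kid in entry["revoked_keys"]:
            # No exception for cred["issued_at"] earlier than the compromise time:
            # whoever holds the key can backdate issuance, so every credential under
            # a compromised key is rejected and must be re-issued under a fresh key.
            return False, f"key {kid} revoked ({entry['revoked_keys'][kid]})"
        key = entry["keys"].get(kid)
        if key is None:
            return False, f"unknown key id {kid}"
        if not verify(bytes.fromhex(key), cred, sig):
            return False, "bad credential signature"
        return True, "ok"


def run_scenario() -> dict:
    """Constructed timeline: normal operation, key compromise, recovery, two attacks."""
    anchor = b"trusted-list-signing-key"            # constructed anchor key
    k1, k2 = b"issuer-A-key-1", b"issuer-A-key-2"   # constructed issuer keys
    t0 = 1_700_000_000
    wallet = WalletTrustStore(anchor)
    out = {}

    tl_v1 = {"seq": 1, "issuers": {"PID-Provider-A": {
        "status": "granted", "keys": {"k1": k1.hex()}, "revoked_keys": {}}}}
    out["install_v1"] = wallet.install_trusted_list(tl_v1, sign(anchor, tl_v1), t0)

    cred_old = {"issuer": "PID-Provider-A", "key_id": "k1",
                "sub": "alice", "issued_at": t0 - 30 * DAY}
    sig_old = sign(k1, cred_old)
    out["before_incident"] = wallet.verify_credential(cred_old, sig_old, t0)

    # Day 2: k1 is compromised. The issuer re-keys to k2 and Trusted List v2 is
    # published. A wallet that has not refreshed must not keep trusting its cache.
    t1 = t0 + 2 * DAY
    out["stale_cache"] = wallet.verify_credential(cred_old, sig_old, t1)
    tl_v2 = {"seq": 2, "issuers": {"PID-Provider-A": {
        "status": "granted", "keys": {"k2": k2.hex()},
        "revoked_keys": {"k1": "keyCompromise"}}}}
    out["install_v2"] = wallet.install_trusted_list(tl_v2, sign(anchor, tl_v2), t1)
    out["old_key_after"] = wallet.verify_credential(cred_old, sig_old, t1)

    cred_new = dict(cred_old, key_id="k2", issued_at=t1)
    sig_new = sign(k2, cred_new)
    out["new_key_after"] = wallet.verify_credential(cred_new, sig_new, t1)
    out["tampered"] = wallet.verify_credential(dict(cred_new, sub="mallory"), sig_new, t1)

    # Attacks on the trust data itself: replay of the pre-incident list, and a
    # list signed by someone other than the anchor.
    out["rollback"] = wallet.install_trusted_list(tl_v1, sign(anchor, tl_v1), t1)
    forged = {"seq": 3, "issuers": {"Fake-Issuer": {
        "status": "granted", "keys": {"x": b"evil".hex()}, "revoked_keys": {}}}}
    out["forged_list"] = wallet.install_trusted_list(forged, sign(b"not-the-anchor", forged), t1)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:16} {result}")
```

The two checks worth carrying into a real implementation are the ones an attacker targets after the incident is "over": the monotonic `seq` comparison, which stops a replayed pre-incident list from quietly re-admitting the compromised key, and the unconditional rejection under `revoked_keys`, which avoids the tempting but unsafe shortcut of honouring credentials whose `issued_at` predates the compromise.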
Incident Response Teams and Coordination
Effective incident response in the EUDI ecosystem requires coordination across multiple organizational levels:
Organizational CSIRTs: Each EUDI wallet provider, credential issuer, and major relying party maintains its own Computer Security Incident Response Team. These teams handle incidents affecting their specific systems and serve as the first line of response.
National CSIRTs: Each EU Member State has a national CSIRT (as required by the NIS2 Directive) that coordinates incident response at the national level. For EUDI incidents, the national CSIRT coordinates between the affected wallet provider, the national eIDAS supervisory authority, and the Data Protection Authority.
EU-level coordination: For cross-border incidents, ENISA facilitates coordination between national CSIRTs through the CSIRTs Network. The EUDI framework may also establish a dedicated coordination mechanism for digital identity incidents, ensuring rapid information sharing and coordinated response across Member States.
Post-Incident Review and Continuous Improvement
After every significant incident, a thorough post-incident review (also called a post-mortem or lessons learned exercise) is conducted. The review covers: a detailed timeline of the incident from initial compromise to full recovery, what detection mechanisms worked and what was missed, whether containment actions were timely and effective, whether communication to stakeholders was adequate, and what changes are needed to prevent recurrence.
The findings are used to update IR plans, improve monitoring and detection capabilities, patch technical vulnerabilities, enhance staff training, and potentially update the EUDI Wallet architecture or trust framework. In the EUDI ecosystem, post-incident findings from one Member State or provider are shared (in anonymized form) across the ecosystem to benefit all participants, so that the European digital identity infrastructure as a whole becomes more resilient with each incident rather than each participant relearning the same lesson.