| Dokumendiregister | Politsei- ja Piirivalveamet |
| Viit | 15.1-1/1-1 |
| Registreeritud | 06.02.2026 |
| Sünkroonitud | 11.02.2026 |
| Liik | Väljaminev kiri |
| Funktsioon | 15.1 Isikut tõendavate dokumentide arendamine |
| Sari | 15.1-1 Materjalid isikut tõendavate dokumentide arendamise küsimustes (AV) |
| Toimik | 15.1-1/2026 |
| Juurdepääsupiirang | Avalik |
| Juurdepääsupiirang | |
| Adressaat | European Commission |
| Saabumis/saatmisviis | European Commission |
| Vastutaja | Kristel Laurson (arendusosakond, identiteedi ja staatuste büroo) |
| Originaal | Ava uues aknas |
Pärnu mnt 139 / 15060 Tallinn / [email protected] / www.politsei.ee
Registry code 70008747
Mrs Henna Virkkunen
Executive Vice President
European Commission
Our ref 06.02.2026 no 15.1-1/1-1
Notification of Estonian eID schemes
Dear Mrs Virkkunen,
The implementation of the eIDAS Regulation across the EU is important in building trust in
digital transactions and in reaching the full potential of the digital single market.
It is essential to enable EU people and businesses to use their trusted national eID means for
digital authentication in online services across the EU and, by this, facilitate cross-border
interoperability. Estonian eID functions meet the requirements for the highest possible
assurance level according to the eIDAS Regulation.
Therefore, with this letter, we are pleased to initiate the notification process of the Estonian
electronic identification scheme for Estonian ID card, residence permit card and diplomatic
identity card. We hereby invite the Member States to participate in peer review, because we
believe that this is significant for the notification process.
Yours sincerely
(Digitally signed)
Egert Belitšev
Director General
All related documents will be uploaded to CEF DIGITAL environment under corresponding
page.
Estonian eID schemes fulfilment of interoperability requirements according to (EU) 2015/1501
Version 1.0
Version History
Date Version Version info Author
19.11.2025 1.0 Final version Information System Authority (RIA), Republic of Estonia
1. Introduction This document describes how Estonian eID schemes (ID card, RP card and diplomatic identity card) meet
the interoperability and minimum technical and operational security requirements of Commission
Implementing Regulation (EU) 2015/1501. The above-mentioned eID schemes were initially notified in
2018.
2
2. Interoperability Requirements Article Requirement Description
Art. 4 Mapping of national assurance levels
The mapping of national assurance levels of the notified electronic identification schemes shall follow the requirements laid down in Implementing Regulation (EU) 2015/1502. The results of the mapping shall be notified to the Commission using the notification template laid down in Commission Implementing Decision (EU) 2015/1505.
The Estonian eID schemes meet all requirements of the eIDAS
level of assurance ‘high’ laid down in the Commission
Implementing Regulation (EU) 2015/1502. The detailed mapping
is given in [1].
Art. 5 Nodes
1. A node in one Member State shall be able to connect with nodes of other Member States.
2. The nodes shall be able to distinguish between public sector bodies and other relying parties through technical means.
3. A Member State implementation of the technical requirements set out in this Regulation shall not impose disproportionate technical requirements and costs on other Member States for them to interoperate with the implementation adopted by the first Member State.
The Estonian eIDAS Node operated by RIA is operational and integrated into the eIDAS Interoperability Framework [2] in accordance with the eIDAS Technical Specifications [3] of the eIDAS Technical Subgroup on eID of the EUDI Cooperation Group. Connectivity tests are performed regularly.
The Estonian eIDAS Node relies on a sample software of eIDAS Node developed by the European Commission that implements the eID Profile [3].
The current Estonian eID schemes have been made available through Estonian government e-identification gateway (TARA) that integrates Estonian eIDAS-Proxy-Service to eIDAS-Connectors of other Member States.
A temporary restriction has been applied in TARA and in Estonian eIDAS-Proxy-Service for ID cards under the Estonian eID scheme issued from 17 November 2025 that cannot be used in eIDAS Network. After completion of the revision process of the updates to current Estonian eID scheme the cards issued from 17 November 2025 will be made available in Estonian eIDAS-Proxy- Service.
3
The Estonian eIDAS Node and TARA distinguish public‑sector bodies from other relying parties via the eIDAS SAML message format element “SPType” with values “public” or “private”.
Art. 6 Data privacy and confidentiality
1. Protection of privacy and confidentiality of the data exchanged and the maintenance of data integrity between the nodes shall be ensured by using best available technical solutions and protection practices.
2. The nodes shall not store any personal data, except for the purpose set out in Article 9(3).
The Estonian eIDAS Node is integrated into the eIDAS Interoperability Framework [2] in accordance with the eIDAS Technical Specifications [3] of the eIDAS Technical Subgroup on eID of the EUDI Cooperation Group. Protection of data privacy, confidentiality and integrity for the communication between Estonian eIDAS Node and eIDAS Network is ensured via cryptographically protected SAML messages and TLS (SHA-256 with RSA 2048 bits) to protect the transport layer. eIDAS Proxy Service allows authentication requests from another EU Member State with Estonian notified eID scheme, providing eIDAS minimum data set (MDS). The Estonian eIDAS Node does not store personal data beyond what is strictly necessary under Article 9(3) of Implementing Regulation (EU) 2015/1501. Data storing is limited to technical logging needed in the event of an incident.
Art. 7 Data integrity and authenticity for the communication Communication between the nodes shall ensure data integrity and authenticity to make certain that all requests and responses are authentic and have not been tampered with. For this purpose, nodes shall use solutions which have been successfully employed in cross-border operational use.
The Estonian eIDAS Node is integrated into the eIDAS Interoperability Framework [2] in accordance with the eIDAS Technical Specifications [3] of the eIDAS Technical Subgroup on eID of the EUDI Cooperation Group. The eIDAS-Node application in the Estonian eIDAS Proxy Service implementation is part of the European Commission’s eIDAS- Node sample software [4] that is responsible for a secure communication between member states eIDAS Nodes using the eIDAS SAML protocol. Both applications use a database as a background channel and a special XML intermediate protocol developed by European Commission (so-called LightRequest and LightResponse) to communicate with each other.
4
Data integrity and authenticity for the communication between Estonian eIDAS Node and eIDAS Network is ensured via cryptographically protected SAML messages and TLS (SHA-256 with RSA 2048 bits) to protect the transport layer.
Art. 8 Message format for the communication
The nodes shall use for syntax common message formats based on standards that have already been deployed more than once between Member States and proven to work in an operational environment. The syntax shall allow: (a) proper processing of the minimum set of person identification data uniquely representing a natural or legal person; (b) proper processing of the assurance level of the electronic identification means; (c) distinction between public sector bodies and other relying parties; (d) flexibility to meet the needs of additional attributes relating to identification.
The Estonian eIDAS Node is integrated into the eIDAS Interoperability Framework [2] in accordance with the eIDAS Technical Specifications [3] of the eIDAS Technical Subgroup on eID of the EUDI Cooperation Group following the common message formats set out in the specifications that has proven to work in an operational environment. The Estonian eIDAS Proxy Service uses the government e- identification gateway (TARA) interface, acting as an eIDAS Identity Provider (IdP). The SpecificProxyService is responsible for a communication with the government e-identification gateway (TARA), which uses OIDC protocol as an authentication protocol. The Estonian eIDAS Node and TARA distinguish public‑sector
bodies from other relying parties via the eIDAS SAML message
format element “SPType” with values “public” or “private”.
5
Art. 9 Management of security information and metadata
1. The node operator shall communicate the metadata of the node management in a standardised machine processable manner and in a secure and trustworthy way.
2. At least the parameters relevant to security shall be retrieved automatically.
3. The node operator shall store data which, in the event of an incident, enable reconstruction of the sequence of the message exchange for establishing the place and the nature of the incident. The data shall be stored for a period of time in accordance with national requirements and, as a minimum, shall consist of the following elements: (a) node's identification; (b) message identification; (c) message date and time.
The Estonian eIDAS Node is integrated into the eIDAS Interoperability Framework [2] in accordance with the eIDAS Technical Specifications [3] of the eIDAS Technical Subgroup on eID of the EUDI Cooperation Group following the common message formats set out in the specifications that has proven to work in an operational environment.
The Estonian eIDAS Node metadata is communicated in a
standardised machine processable manner in a secure and
trustworthy in line with the requirements of metadata format
set out in technical specifications.
The Estonian eIDAS Node stores data what is necessary under
Article 9 of Implementing Regulation (EU) 2015/1501 [2] needed
in the event of an incident enabling reconstruction of the
sequence of the message exchange for establishing the place
and nature of the incident.
Art. 10 Information assurance and security standards 1. Node operators of nodes providing authentication shall
prove that, in respect of the nodes participating in the interoperability framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by equivalent methods of assessment, or by complying with national legislation.
2. Node operators shall deploy security critical updates without undue delay.
The Estonian eIDAS Node and TARA are operated within
Estonian Information Security Standard (E-ITS) aligned to ISO/IEC
27001 and Estonian public‑sector security baseline
requirements. The standard is based on the German BSI IT-
Grundschutz (BSIG) baseline protection system and on the EVS-
ISO/IEC 27001:2014 standard.
Information assurance is demonstrated through periodic audits
and compliance with national regulations.
Security testing for eIDAS Node and TARA is performed regularly
and upon major updates. Security‑critical updates are deployed
without undue delay.
6
Art. 11 Person identification data
1. A minimum set of person identification data uniquely representing a natural or a legal person shall meet the requirements set out in the Annex when used in a cross- border context.
2. A minimum data set for a natural person representing a legal person shall contain the combination of the attributes listed in the Annex for natural persons and legal persons when used in a cross-border context.
3. Data shall be transmitted based on original characters and, where appropriate, also transliterated into Latin characters.
The Estonian eIDAS Proxy Service uses the government e- identification gateway (TARA) interface, acting as an eIDAS Identity Provider (IdP). The SpecificProxyService is responsible for a communication with the government e-identification gateway (TARA), which uses OIDC protocol as an authentication protocol. On a successful authentication, the MDS is sent back to the requesting party. The electronic identification means under the Estonian eID scheme enable identification of natural persons only. Legal person attributes are used in the context of representation, where natural person to acts on behalf of a legal person. The MDS for a natural person contains current family name(s), current first name(s), date of birth and unique persistent identifier (Estonian personal identification code). The minimum data set for a legal person contains current legal name, Business Registry code (identifier for a legal person in Estonia). MDS attributes for a natural person are based on data on the eID certificate, for legal person the MDS attributes are requested from Estonian e-Business Registry using X-Road data exchange layer. The MDS provided by Estonian eID schemes meet the requirements set out in the Annex set out in the Commission Implementing Regulation (EU) 2015/1502 [2]. The Estonian eIDAS Node transmits data using original characters and, where appropriate, transliterated into Latin characters.
7
3. References [1] eID level of assurance mapping for Estonian eID according to Article 8 (3) of Regulation (EU) No. 910/2014.
[2] COMMISSION IMPLEMENTING REGULATION (EU) 2015/1501 - of 8 September 2015 on the interoperability framework pursuant to Article 12(8)
of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic
transactions in the internal market.
[3] Technical Specifications under the eIDAS eID Profile: eIDAS Interoperability Architecture, eIDAS SAML Message Format, eIDAS SAML Attribute
Profile, eIDAS Cryptographic Requirements for the Interoperability Framework.
[4] eIDAS-Node Integration Package.
2026
LoA Mapping of the Estonian diplomatic identity card on level “High”
Table of contents
List of Definitions ................................................................................................................................... 2
1. Introduction ....................................................................................................................................... 5
2. Technical specification and procedures ............................................................................................. 5
2.1. Enrolment .................................................................................................................................... 6
2.1.1. Application and registration .................................................................................................. 6
2.1.2. Identity proofing and verification (natural person) ............................................................... 8
2.1.3. Identity proofing and verification (legal person) ................................................................. 11
2.1.4. Binding between the electronic identification means of natural and legal persons ........... 11
2.2. Electronic identification means management .......................................................................... 11
2.2.1. Electronic identification means characteristics and design ................................................ 11
2.2.2. Issuance, delivery and activation ........................................................................................ 12
2.2.3. Suspension, revocation and reactivation ............................................................................ 13
2.2.4. Renewal and replacement ................................................................................................... 14
2.3. Authentication .......................................................................................................................... 16
2.3.1. Authentication mechanism ................................................................................................. 18
2.4. Management and organisation ................................................................................................. 19
2.4.1. General provisions ............................................................................................................... 22
2.4.2. Published notices and user information .............................................................................. 23
2.4.3. Information security management ...................................................................................... 24
2.4.4. Record keeping .................................................................................................................... 25
2.4.5. Facilities and staff ................................................................................................................ 26
2.4.6. Technical controls ................................................................................................................ 29
2.4.7. Compliance and audit.......................................................................................................... 31
List of References ................................................................................................................................. 35
2
List of Definitions Term Definition
authentication A unique identification of a person by checking their alleged identity.
biometric data Biometric data is a facial image, fingerprint images and signature or
image of signature.
certificate Public key, together with additional information, laid down in the
certificate profiles, rendered unforgeable via encipherment using the
private key of the Certificate Authority which issued the certificate.
diplomatic card An identity card which is issued to a foreign national who is a diplomat
accredited to Estonia and his or her family member, who is a foreign
national. Categories A and B.
diplomatic identity card There are two types of diplomatic identity cards: diplomatic card and
service card.
diplomatic note Formal, written communication between states, typically sent by an
embassy to a host country's Foreign Ministry or vice versa for official
business.
Diplomatic Portal Secure online platform (website) managed by MFA to share
information, procedures and communication for accredited foreign
missions and other institutions. Handling accreditations, immunities,
notifications and protocol guidelines.
electronic identification The process of using person identification data in electronic form
uniquely representing either a natural or legal person, or a natural
person representing a legal person.
electronic identification
scheme
A system for electronic identification under which electronic
identification means are issued to natural or legal persons, or natural
persons representing legal persons.
electronic signature Data in electronic form which is attached to or logically associated with
other data in electronic form, and which is used by the signatory to
sign. Signatory means natural person who creates an electronic
signature.
Estonian citizen A person who holds Estonian citizenship according to the Estonian
Citizenship Act.
Estonian population register A database which unites the main personal data on Estonian
citizens, citizens of the EU and third-country national who have
been granted a residence permit or right of residence in Estonia.
foreign mission Diplomatic representation and consular post of a foreign state, mission
of an international organisation and an international organisation or
other institution accredited to Estonia.
foreign national A person, who is not Estonian citizen.
foreign representation of the
Republic of Estonia
An official unit (embassies, consulates, representations) operating
under the MFA in foreign country, responsible for representing
Estonia’s interests, maintaining diplomatic and consular relations,
and providing consular activities.
3
HUB HUB is a secure data exchange interface between the PBGB, the card
manufacturer, and Certification Authority to support standardised data
exchange related to the issuance of ID-1 format identity documents.
ID card administration portal Portal for looking up given PUK code and re-key of certificates,
available at https://www.idhaldusportaal.ee/en/.
ID software An end-user desktop application for personal maintenance of
smartcard-based eID.
ID-1 format identity
documents
Documents in ID-1 format are identity card, e-resident’s digital ID,
residence permit card and diplomatic identity card.
information security
management system
A set of processes and procedures designed to manage, to acceptable
levels, risks related to information security.
personal identification code A unique 11-digit identifier for individuals in Estonia based on a
person's gender, date of birth, serial number and check digit.
PIN code Activation code for the certificate enabling digital authentication and
the certificate enabling qualified electronic signatures.
private key The key of a key pair that is assumed to be kept in secret by the owner
of the key pair, and that is used to create electronic signatures and/or
to decrypt electronic messages, records or files that were encrypted
with the corresponding public key.
public key The key of a key pair that may be publicly disclosed by the owner of the
corresponding private key and that is used by relying parties to verify
electronic signatures created with the owner’s corresponding private
key and/or to encrypt messages, records and files so that they can be
decrypted only with the owner’s corresponding private key.
PUK Personal unlocking key.
revocation portal Portal for revocation of certificates, available at https://revocation-
portal.eidpki.ee/en/landing.
service card A service card is issued to a foreign national who is the administrative
or technical employee of a foreign mission and his/her foreign national
family member, a foreign national who is a private servant, a foreign
national employee of a mission or an international organisation or
other institution established by an international agreement located in
Estonia and his/her foreign national family member, an honorary
consul and, in other justified cases provided for in an international
agreement, an Estonian citizen or permanent resident working in a
foreign mission or other institution. Categories C, D, E, F, G, HC.
travel document An official identity document (national passport, diplomatic passport,
service or official passport, national ID card) that proves a person’s
identity and allows them to cross international borders and enter other
countries.
Web eID The Web eID solution enables the use of ID-1 format identity
documents for secure authentication and digital signing on the
web.
X-tee Data exchange platform that allows secure and standardised data
exchange between different institutions, including state authorities
and private sector, available at https://www.x-tee.ee/home.
4
List of Acronyms Acronyms Definition
CA Certification Authority
CC Common Criteria
CCA Client Certificate Authentication
CERT Computer Emergency Response Team
CP Certificate Policy
CPS Certification Practice Statement
CRL Certificate Revocation List, a list of invalid (revoked, suspended) certificates
EAL Evaluation Assurance Level
eID Electronic Identity
eIDAS Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market, as amended by Regulation (EU) 2024/1183 as regards establishing the European Digital Identity Framework (always referred together as eIDAS regulation)
E-ITS Estonian Information Security Standard
ENISA The European Union Agency for Cybersecurity
ETSI The European Telecommunications Standards Institute
EU European Union
GDPR General Data Protection Regulation - Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data
ICT Information and communication technology
IDA Identity Documents Act
ISO International Organization for Standardization
LDAP Lightweight Directory Access Protocol
LoA Levels of Assurance
MFA The Ministry of Foreign Affairs
OCSP Online Certificate Status Protocol
OTP One Time Password
PCI Payment Card Industry
PBGB The Estonian Police and Border Guard Board
PKI Public key infrastructure
QSCD Qualified Signature Creation Device
QTS Qualified Trust Service
QTSP Qualified Trust Service Provider
RIA Information System Authority of the Republic of Estonia (Riigi Infosüsteemi Amet)
RSA Rivest-Shamir-Adleman
SMIT The IT and Development Centre of the Ministry of the Interior
TARA State Authentication Service
TLS Transport Layer Security
TS Trust Service
VEIS Database of foreign missions and representations of international organizations,
international organizations and institutions established by international agreements, and
their personnel
5
1. Introduction
The present document explain how the diplomatic identity card (hereafter where necessary a/the card)
meets the requirements for the Level of Assurance (LoA) ’high’ pursuant to the requirements of the eIDAS
LoA defined in Commission Implementing Regulation (EU) 2015/1502 [1] pursuant to Article 8(3) of the
eIDAS Regulation [2] [(EU) 910/2014], as amended by Regulation (EU) 2024/1183 as regards establishing
the European Digital Identity Framework (always referred together).
There are two types of Estonian diplomatic identity cards: diplomatic card and service card (hereinafter
used together as “the card”).
2. Technical specification and procedures
The elements of technical specifications and procedures outlined in this annex of the Commission
Implementing Regulation (EU) 2015/1502 [1] will be used to determine how the requirements and criteria
of article 8 of the eIDAS Regulation [2} will be applied for electronic identification means issued under an
electronic identification scheme.
ID-1 is an Estonian eID platform that is implemented on top of Aquarius chip (product name:
AQUARIUS_CA_09) from Thales, which is CC EAL6+ certified. The eID functionality is managed by the
application IAS Classic v5.2.1 with MOC Server v3.1 (EAL5+) on the operating system MultiApp V5.1
(version C, EAL6+)
ID-1 operates on:
Globalplatform 2.3.1
- Secure messaging: SCP03 i= 00, 01, 10, 11, 20, 21, 30, 31, 60, 61, 70 & 71 (AES 128, 192, 256),
- Optional and Mandated DAP up to RSA2K: applet versioning and integrity during post-issuance,
- Delegated Management up to RSA2K: secure post-issuance card management delegation
operations,
- Multiple Security Domains: Segregation of roles on the same card,
- Extradition: extradites an application from a Security Domain to another.
Globalplatform Privacy Framework
- Privacy Enhanced ID Configuration: SCP 21.
Java Card 3.1;
- Multiple Logical channels: concurrent applets addressed simultaneously during the same card
session,
- Garbage collector: recovers memory space of deleted or useless objects.
Applet optimizer: Saves at least 10% of NVM memory required by applications.
PACE support: privacy protection with explicit user consent.
Applet supports all required minimum public key features for easy integration in various PKI. It includes
the certificate for electronic authentication and encryption as well as certificate for providing a qualified
electronic signature, that are stored on the chip. In addition, the certificate for authentication and
encryption is also available in LDAP (Lightweight Directory Access Protocol) repository.
6
The certificates are valid until the date of expiry of the card, meaning up to five years depending on the
validity of the physical card.
2.1. Enrolment
The card grants the immunities and privileges outlined in the Vienna Convention on Diplomatic Relations
[3] and other international conventions and treaties according to the relevant category.
Diplomatic and service cards are also the legal basis for residence in Estonia for the employees of a foreign
mission and their family members and entitle the bearer, together with a passport, to enter and travel
within the territory of the Schengen Area.
2.1.1. Application and registration
LOW
1. Ensure the applicant is aware of the terms and conditions related to the use of the electronic
identification means.
The obligations of the document holder are regulated by
eIDAS Regulation [2],
Identity Documents Act (IDA) [4],
Electronic Identification and Trust Services for Electronic Transactions Act [5],
Subscriber Terms and Conditions for Certificates issued by Zetes Estonia OÜ for ID-1 format
identity documents of the Republic of Estonia [6],
Certificate Policy for ID-1 format identity documents of the Republic of Estonia (eID CP) [7],
Certification Practice Statement for the Intermediate certificate for ID-1 Documents of the
Republic of Estonia (eID CPS) [8] and
Regulation 7 of the Minister of the Foreign Affairs [9].
The card can be applied for only through diplomatic note or official letter. A card is issued in
person at the MFA’s service point, except for the minor under the age of 15 or an adult with
limited legal capacity, in these cases the card will be issued to his/her legal representative. For a
person aged between 15 and 17 years the card may be collected by his/her legal representative.
The applicant can complete the application form online by submitting required personal data and
uploading applicant’s photo via Diplomatic Portal [10]. The pre-filled notification must be printed, signed
by the applicant and the head of mission, affixed with the foreign mission’s seal, and submitted together
with the necessary supporting documents to the issuing authority with a diplomatic note or official letter.
When applying for the card the applicant must agree to the terms and conditions of using certificates by
signing the application form. The basic terms and conditions related to the use of the electronic
identification means of the Estonian diplomatic identity card are listed on the paper carrier with a card
and are introduced by the issuing authority during the issuance process. The paper carrier consists of two
parts: firstly, the terms and conditions; secondly, the acknowledgement part. The recipient signs the
7
paper carrier physically, acknowledging and accepting the terms and conditions, after which the
acknowledgement part is separated by an official. The signed acknowledgement on paper is archived by
the issuing authority together with an application form. The recipient receives the part of the terms and
conditions on paper. Furthermore, a detailed version of the terms and conditions for the use of
certificates of personal identification documents is publicly available on the online notification form and
on the id.ee website [11].
2. Ensure the applicant is aware of recommended security precautions related to the electronic
identification means.
Returning a card is detailed in section 9 of the Regulation 7 of the Minister of the Foreign Affairs [9]
Additionally, recommended security precautions related to the electronic identification means, the
reminder of safe usage of a card, and the terms and conditions for the use of certificates are listed, as
mentioned above, in section 1; for example, not to hand over one’s card, to keep the codes of a card
secret from others, to ensure the card is used only under the control of the document holder, to promptly
inform the issuing authority in order to revoke the certificates in case of lost, stolen, or forgotten or
blocked PIN codes.
3. Collect the relevant identity data required for identity proofing and verification.
Collecting the relevant identity data required for identity-proofing and verification is regulated by section
3 of the Regulation 7 of the Minister of the Foreign Affairs [9]. Collected identity data is checked against
the database of Estonian population register.
The official of the issuing authority identifies physically the person at least once during the issuance
process, taking into account the exceptions described in this document.
For identity-proofing, the staff of a foreign mission provides the following information to the issuing
authority:
a diplomatic note or official letter,
a copy of a valid travel document,
a photo taken a maximum of 6 months prior to the application date (requirements are set out in
Regulation 62 of the Minister of the Interior, adopted on 01.12.2015 [12]),
the Minimum Data Set listed in section 3 of the Regulation 7 of the Minister of Foreign Affairs, as
of 09.03.2017 [9], to collect the relevant identity data required to verify the identity of a person
beyond doubt at the time of application, including the following:
1) the name of the foreign mission or other institution submitting the application,
2) personal data (first name(s), last name(s), date of birth, gender, country of birth,
citizenship),
3) contact information (address, telephone number, and email address),
4) the signature of the Head of Mission,
5) the date of submission,
6) the seal of the foreign mission submitting the application,
7) the document holder’s signature to confirm that he or she has examined and approve the
8
conditions of use of the certificates.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.1.2. Identity proofing and verification (natural person)
LOW
1. The person can be assumed to be in possession of evidence recognised by the Member State in
which the application for the electronic identity means is being made and representing the claimed
identity.
N/A because, in case of the card, the identity of the applicant and the validity and authenticity of their
document is always verified. Please see the description in the following paragraphs for substantial and
high.
2. The evidence can be assumed to be genuine, or to exist according to an authoritative source and
the evidence appears to be valid.
N/A because, in case of the Estonian diplomatic identity card, the identity of the applicant and the validity
and authenticity of their document is always verified. Please see the description in the following
paragraphs for substantial and high.
3. It is known by an authoritative source that the claimed identity exists and it may be assumed that
the person claiming the identity is one and the same.
N/A because, in case of the Estonian diplomatic identity card, the identity of the applicant and the validity
and authenticity of their document is always verified. Please see the description in the following
paragraphs for substantial and high.
SUBSTANTIAL
Level low, plus one of the alternatives listed in points 1 to 4 has to be met:
1. The person has been verified to be in possession of evidence recognised by the Member State in
which the application for the electronic identity means is being made and representing the claimed
identity and the evidence is checked to determine that it is genuine; or, according to an authoritative
source, it is known to exist and relates to a real person and steps have been taken to minimise the
risk that the person's identity is not the claimed identity, taking into account for instance the risk of
lost, stolen, suspended, revoked or expired evidence
Estonian eID means is always issued as a part of the diplomatic identity card issuance, referred to in this
document as the card.
9
The card is for using Estonian provided e-services. It grants the immunities and privileges outlined in the
Vienna Convention on Diplomatic Relations [3] and other international conventions and treaties
according to the relevant category. It is also the legal basis for residence in Estonia for the employees of
a foreign mission and other institution and their family members and entitles the bearer, together with a
travel document, to enter and travel within the territory of the Schengen states.
The data about every card application is recorded in the statutes of the database of foreign missions and
representations of international organisations, international organisations and institutions established by
international agreements, and their personnel (hereafter database of VEIS) [13]. All foreigners who have
been issued the card have a personal identification code and are recorded centrally in the Estonian
population register. Personal identification code is used as unique identifier.
When applying for a card, applicant’s data in the notification form is checked by the official of issuing
authority for previous data against the population register and the database of VEIS [13] in accordance with
the IDA [4] and the Foreign Relations Act [14] and regulations issued on the basis of these acts.
The database of VEIS [13] provides information about the personal data of the document holder (including
a facial image and signature sample), as well as about the status of the previously issued identity
document, including information about whether the document has been lost, stolen, revoked, expired,
destroyed and whether the card has been physically returned to the issuing authority. Applicant needs to
present a copy of the valid travel document issued by the country of their citizenship when applying for
the card.
A notification for a card needs to be accompanied by a diplomatic note or official letter of the foreign
mission or other institution submitting the application, including the signature of the Head of foreign
mission and the seal of mission.
or
2. An identity document is presented during a registration process in the Member State where the
document was issued and the document appears to relate to the person presenting it and steps have
been taken to minimise the risk that the person's identity is not the claimed identity, taking into
account for instance the risk of lost, stolen, suspended, revoked or expired documents.
N/A
3. Where procedures used previously by a public or private entity in the same Member State for a
purpose other than the issuance of electronic identification means provide for an equivalent
assurance to those set out in section 2.1.2 for the assurance level substantial, then the entity
responsible for registration need not to repeat those earlier procedures, provided that such
equivalent assurance is confirmed by a conformity assessment body referred to in Article 2(13) of
Regulation (EC) No 765/2008 [15] of the European Parliament and of the Council or by an equivalent
body.
10
N/A
4. Where electronic identification means are issued on the basis of a valid notified electronic
identification means having the assurance level substantial or high, and taking into account the risks
of a change in the person identification data, it is not required to repeat the identity proofing and
verification processes. Where the electronic identification means serving as the basis has not been
notified, the assurance level substantial or high must be confirmed by a conformity assessment body
referred to in Article 2(13) of Regulation (EC) No 765/2008 [15] or by an equivalent body.
N/A
HIGH
Requirements of either point 1 or 2 have to be met:
1. Level substantial, plus one of the alternatives listed in points (a) to (c) has to be met:
(a) Where the person has been verified to be in possession of photo or biometric identification
evidence recognised by the Member State in which the application for the electronic identity means
is being made and that evidence represents the claimed identity, the evidence is checked to
determine that it is valid according to an authoritative source; and the applicant is identified as the
claimed identity through comparison of one or more physical characteristic of the person with an
authoritative source.
A copy of a valid identity document including biometric data is checked in accordance with the IDA [4] and
regulations issued on the basis of that act, as well as with the internal procedures and regulations of the
issuing authority.
(b) Where procedures used previously by a public or private entity in the same Member State for a
purpose other than the issuance of electronic identification means provide for an equivalent
assurance to those set out in section 2.1.2 for the assurance level high, then the entity responsible
for registration need not to repeat those earlier procedures, provided that such equivalent assurance
is confirmed by a conformity assessment body referred to in Article 2(13) of Regulation (EC) No
765/2008 [15] or by an equivalent body and steps are taken to demonstrate that the results of the
earlier procedures remain valid.
N/A
(c) Where electronic identification means are issued on the basis of a valid notified electronic
identification means having the assurance level high, and taking into account the risks of a change
in the person identification data, it is not required to repeat the identity proofing and verification
processes. Where the electronic identification means serving as the basis has not been notified, the
assurance level high must be confirmed by a conformity assessment body referred to in Article 2(13)
of Regulation (EC) No 765/2008 [15] or by an equivalent body and steps are taken to demonstrate
that the results of this previous issuance procedure of a notified electronic identification means
remain valid.
11
N/A
or
2. Where the applicant does not present any recognised photo or biometric identification evidence,
the very same procedures used at the national level in the Member State of the entity responsible
for registration to obtain such recognised photo or biometric identification evidence are applied.
N/A
2.1.3. Identity proofing and verification (legal person)
The card is used only for identification of natural persons; therefore, 2.1.3 is not applicable.
2.1.4. Binding between the electronic identification means of natural and
legal persons
The card is used only for the identification of natural persons; therefore, 2.1.4. is not applicable.
2.2. Electronic identification means management
2.2.1. Electronic identification means characteristics and design
LOW
1. The electronic identification means utilises at least one authentication factor.
Please see the description in the following paragraphs for substantial and high.
2. The electronic identification means is designed so that the issuer takes reasonable steps to check
that it is used only under the control or possession of the person to whom it belongs.
Please see the description in the following paragraphs for substantial and high.
SUBSTANTIAL
1. The electronic identification means utilises at least two authentication factors from different
categories.
Two-factor authentication is required when using the Estonian eID. The two factors are the chip of the
card and the PIN codes. The first factor of authentication is possession of the card. The second factor is
the set of PIN codes issued together with the card. The person receives a securely sealed envelope with
three codes in it (PIN1, PIN2, PUK): PIN1 for authentication and encryption purposes, PIN2 for a qualified
electronic signature (compulsory change before first use), and PUK to reset blocked PIN codes in the ID
software.
The document holder possesses a unique private key which is used for authentication. Functions for using
12
this private key are protected with a PIN code, known only by the document holder.
2. The electronic identification means is designed so that it can be assumed to be used only if under
the control or possession of the person to whom it belongs.
The private key is stored in a secure module of a microchip on the smart card. The smart card with the
secure module is a physical device under the document holder’s control.
The eID means are part of the card, issued as defined under section 2.1.1.
HIGH
Level substantial, plus:
1. The electronic identification means protects against duplication and tampering as well as against
attackers with high attack potential
The secure module on the smart card is a QSCD (Qualified Electronic Signature Creation Device) certified
device.
2. The electronic identification means is designed so that it can be reliably protected by the person
to whom it belongs against use by others.
The document holder has physical control over the authentication device. The document holder has the
option to change the PIN codes at any time by using ID software, when they know their PIN or PUK code.
PIN 2 change is compulsory before first use. Certificate revocation service is available in revocation portal
(available at: https://revocation-portal.eidpki.ee/en/landing) using OTP (one-time password) or
alternative state approved eID means 24/7, and in service point during operating hours.
2.2.2. Issuance, delivery and activation
The process of issuance, delivery, and activation is regulated by the IDA [4], and of the Regulation 7 of
the Minister of the Foreign Affairs [9].
LOW
After issuance, the electronic identification means is delivered via a mechanism by which it can be
assumed to reach only the intended person.
The card is issued in person. If the applicant has previously been issued a card, the applicant must return
it upon the receipt of a new card.
SUBSTANTIAL
After issuance, the electronic identification means is delivered via a mechanism by which it can be
assumed that it is delivered only into the possession of the person to whom it belongs.
13
The fact that the card is issued only personally to the applicant after identity-proofing indicates that the
electronic identification means is delivered only into the possession of the person who applied for it and
to whom it belongs.
HIGH
The activation process verifies that the electronic identification means was delivered only into the
possession of the person to whom it belongs.
The documents are delivered to the MFA’s service point in a secure document bag. The contents of the
bags are checked by the authorised personnel and confirm the receipt of the delivery electronically.
The cards are delivered to the issuing authority in an electronically suspended form (meaning that the
eID functionality is not active). A card is handed over to the applicant personally and the card is activated
by the issuing authority after identity-proofing of the receiver. The recipient signs the paper form
physically, acknowledging and accepting the terms and conditions, after which an official of the issuing
authority activates the electronic identification means in the system.
2.2.3. Suspension, revocation and reactivation
After issuance of the card, the certificates cannot be suspended and reactivated by the certificate owner
Only revocation is allowed.
The legal framework of revocation of the electronic identification means is set by the eIDAS Regulation
[2], with its implementing acts, and is regulated at the national level by the IDA [4] and eID CP [7]. The
document holder is obliged to notify the MFA in case of theft or loss of the card, so revocation can be
implemented.
Revocation of certificates can be done in person by appearing in a service point of the issuing authority
or using revocation portal which is accessible 24/7. Revocation of the certificates means that the
certificates are revoked; therefore, electronic functionality cannot be used.
Upon termination or suspension of the card user's service relationship with the foreign mission, the card
shall be declared invalid by the issuing authority no later than one month after the relevant diplomatic
note or notification letter from the mission has been received by the MFA [9].
LOW
1. It is possible to suspend and/or revoke an electronic identification means in a timely and effective
manner.
The certificates of the card can be revoked in the issuing authority service point in person and in the
revocation portal. E-services cannot be used/accessed if the certificates are revoked.
For revocation of certificates an officer identifies the person according to the issuing authority’s internal
processes. The physical document remains valid until the expiry of the document.
14
In the online revocation portal, the certificate owner is authenticated electronically with an alternative
state approved eID means or an OTP, and revocation requests are forwarded to the CA via the X-tee
secure authenticated channel. The CA authenticates and executes the request automatically and
immediately. If the request is accepted it is executed without delay.
After revocation is completed, the certificate status in the CA interface is set as revoked and the certificates
cannot be used; therefore, e-services cannot be used either. The physical document remains valid until
the expiry of the document. To regain access to e-services after revocation has been completed, a new
card must be issued (with new certificates); therefore, the enrolment procedure is applied as described
in section 2.1.1 above.
2. The existence of measures taken to prevent unauthorised suspension, revocation and/or
reactivation.
Suspension of certificates after activating the certificate is not possible.
Revocation can be performed in the service point of the issuing authority after physical identification or
in revocation portal and cannot be reversed.
3. Reactivation shall take place only if the same assurance requirements as established before the
suspension or revocation continue to be met.
Since suspension of certificates after activating the certificate is not possible, then reactivation is not
applicable. Certificates in the status revoked cannot be reactivated. Revocation of the card or the
certificates can be done only in a service point of the issuing authority or in revocation portal.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.2.4. Renewal and replacement
LOW
Taking into account the risks of a change in the person identification data, renewal or replacement
needs to meet the same assurance requirements as initial identity proofing and verification or is
based on a valid electronic identification means of the same, or higher, assurance level.
According to the IDA [4], a person is obliged to notify the issuing authority if the personal identification
data (in case of a name or other change) has been changed within one month’s time and apply for a new
card. Therefore, it is the responsibility of the card holder to keep the person’s identification data up to
date. For renewal of the card, the applicant must fill in the application and foreign mission must provide
a diplomatic note or official letter, providing personal data (including a photo), which is checked against
existing information, provided previously.
15
The re-key of certificates is required, for example, in case of security vulnerabilities or cryptographic
updates that might have an impact on the security of already issued cards or to remain QSCD certified.
Certificate renewal can be carried out after the identity-proofing procedure (either physical or electronic
authentication), where the data provided is checked against the database of VEIS [13] and the Estonian
population register.
If a card malfunction falls under warranty or guarantee, then the new card is replaced, and new
certificates are issued for the same period of validity.
The card warranty cases include:
usage of electronic functionality being problematic,
the card reader not recognising the card chip,
the issuing authority revoking the certificates before the end of the certificate validity period.
SUBSTANTIAL
Same as level low
HIGH
Level low, plus: Where renewal or replacement is based on a valid electronic identification means,
the identity data is verified with an authoritative source.
Certificate re-key can be performed in the service point of the issuing authority or remotely via ID card
administration portal.
Prerequisites for the certificate re-key:
the card is whitelisted for the re-key by the issuing authority,
the card is valid and electronically functional,
the card certificates are valid,
person knows PIN1 of the card.
If PIN1 is not known, the document holder can set new PIN code in the ID software by entering PUK.
The document holder can log in to ID card administration portal via State Authentication Service TARA.
Document holder must insert the card to a smart card reader, agree with the terms and conditions for
the use of certificates and initiate the process by inserting PIN1.
Certificate re-key at a service point of the issuing authority is done after the physical identification
procedure, where the data provided is checked against the ITDAK and the Estonian population register.
Document holder will sign an application for re-key, insert their the card to the smart card reader and
enter PIN1.
During the process of re-key, the new keys and certificates are generated and will be in active state,
previous certificates will be revoked automatically by the CA. Document holder will receive a notification
16
from the issuing authority about the revocation and issuance of new certificates to their official
[email protected] email address.
A request for renewal or replacement of a card can be submitted through a diplomatic note or official
letter. A new card is issued in a service point of the issuing authority after the physical identification
procedure (authorisation is not permitted).
2.3. Authentication
The authentication mechanism of the Estonian diplomatic identity card is described on the following
caption.
17
Caption 1 Authentication of the Estonian diplomatic and service card
Since autumn 2022, it has also been possible to use Web eID for authentication. Web eID authentication
uses the same mechanism, but it is implemented in the application layer, not in the transport layer like
TLS CCA. Web eID authentication is described on the following caption.
18
Caption 2 Web eID identification diagram
2.3.1. Authentication mechanism
LOW
1. The release of person identification data is preceded by reliable verification of the electronic
identification means and its validity.
At the beginning of authentication, the certificate validity can be checked with the help of the OCSP
(Online Certificate Status Protocol) service or by using current CRL (Certificate Revocation List). Certificate
validity checks are made by the website/-service.
2. Where person identification data is stored as part of the authentication mechanism, that
information is secured in order to protect against loss and against compromise, including analysis
offline.
For secure transaction and authentication, the Transport Layer Security (TLS) is used. Data on the Estonian
eID certificates are considered as public data.
3. The authentication mechanism implements security controls for the verification of the electronic
identification means, so that it is highly unlikely that activities such as guessing, eavesdropping,
replay or manipulation of communication by an attacker with enhanced-basic attack potential can
subvert the authentication mechanisms.
19
With the correct implementation and usage of PKI technology, where a private key is under the sole
control of the document holder, guessing, eavesdropping, replay, or manipulation of communication is
not possible.
SUBSTANTIAL
Level low, plus:
1. The release of person identification data is preceded by reliable verification of the electronic
identification means and its validity through a dynamic authentication.
On TLS authentication, the person’s certificate validity can be checked with the OCSP or with the CRL.
2. The authentication mechanism implements security controls for the verification of the electronic
identification means, so that it is highly unlikely that activities such as guessing, eavesdropping,
replay or manipulation of communication by an attacker with moderate attack potential can subvert
the authentication mechanisms.
With the correct implementation and usage of PKI technology, where a private key is under the sole
control of the document holder, guessing, eavesdropping, replay, or manipulation of communication is
not possible.
HIGH
Level substantial, plus: The authentication mechanism implements security controls for the
verification of the electronic identification means, so that it is highly unlikely that activities such as
guessing, eavesdropping, replay or manipulation of communication by an attacker with high attack
potential can subvert the authentication mechanisms.
With the correct implementation and usage of PKI technology, where a private key is under the sole
control of the document holder, guessing, eavesdropping, replay, or manipulation of communication is
not possible.
2.4. Management and organisation
The Estonian eID scheme is based on nationally issued official documents. The MFA is responsible for
identity management and for issuing diplomatic identity card. Therefore, all requirements are defined
under national legislation, subordinate guidelines, orders, and procedures.
Two types of parties can be distinguished within the Estonian eID scheme: both public and private parties
must comply with requirements that come from European and national legislation.
Public authorities
Public authorities act in the public interest according to laws and regulations and are subject to special
obligations of due diligence.
20
The Ministry of the Interior
The Ministry of the Interior is tasked with developing the policy of identity management and the policy of
issuing the personal identification documents for Estonian citizens and foreigners and coordinating the
activities of government authorities.
Ministry of Foreign Affairs (MFA)
The MFA is the issuing authority. MFA is a government agency in charge of conducting and designing
Estonian Foreign policy. MFA’s competence in foreign relations is provided for in the Foreign Relations
Act [14] and in a Statute of the MFA [16]. According to the Foreign Relations Act [14] the MFA accredits
diplomats and consular representatives of foreign states and international organisations, issues cards to
the members of staff of diplomatic missions and consular posts of foreign states and representations of
international organisations. Development, implementation, and management for the cards are the
responsibility of the MFA’s State Protocol Department, which operates on the basis of the department’s
statute.
Estonian Police and Border Guard Board (PBGB)
The PBGB is the institution of executive power within the area of government of the Estonian Ministry of
the Interior and, among the main functions, ensures protection of public order, organisation of matters
of border management, citizenship, and migration by carrying out national legislation, state supervision,
and applying enforcement powers of the state on the basis, the extent, and condition. The functions,
rights, and organisation of the police and the legal bases of the police service are provided in the Police
and Border Guard Act [17] and the Statutes of the Police and Border Guard Board [18].
PBGB is operating under the authorisation of the Estonian Government to represent MFA for
procurement of card blanks, personalisation and certificates.[19]
Development, preparation of tenders and contracts, implementation, and management (including
procedures concerning complaints) for identity documents are the main responsibilities of the Identity
and Status Bureau of PBGB.
IT and Development Centre, Ministry of the Interior (SMIT)
SMIT is responsible for ensuring the information and communication technology service development
and management within the ministry governing area. The functions, rights, and organisation are provided
in the Statutes of SMIT [20].
Information System Authority (RIA)
RIA is a government body responsible for:
- eID technical architecture,
- development of client/end-user software,
- chip technical specification,
- application for eID middleware,
- Estonian Information Security Standard [21],
- collecting, analysing, solving security incidents and informing them to ENISA (CERT, E-ITS [21]),
- creating and ensuring technical solutions/platform for both domestic and cross-border
accessing of e-services and
21
- performing the functions of a point of single contact under eIDAS Regulation [2].
RIA is also the Supervisory Body, who is responsible for supervisory tasks that are set out in eIDAS
Regulation [2]:
- the assessment of qualified status of trust services and issuance of licenses to provide trust services,
- the managing of trust list of Estonian trust service providers,
- supervising of notified trust services providers in meeting the established requirements.
The functions, rights, and organisation are provided in the Statutes of the RIA [22].
In the Estonian public sector, all information systems, including the eID scheme must comply with the
Estonian Information Security Standard (E-ITS) [21].
The objective of E-ITS is to develop and promote the level of information security in both the Estonian
public and private sectors by presenting a basis for information security in Estonia, compliant with the
Estonian legal system, which is also aligned with the internationally recognised information security
management standard ISO/IEC 27001. The development process of the E-ITS [21] is based on the German
BSI IT-Grundschutz baseline security system. [23]
Private parties
Private parties take over tasks as contractors of public authorities or carry out market roles within the
Estonian eID scheme that are not executed by public authorities. The exact role and responsibilities of the
private parties will be agreed upon in the concluded contracts in accordance with the IDA [4].
Card manufacturer
The PBGB has a contract with Thales DIS Finland OY for ID-1 format identity document blanks,
personalisation and related services. Thales DIS Finland OY’s subcontractor is Hansab AS.
The card manufacturer is responsible for:
production, processing and logistics of document blanks with a chip certified as a QSCD,
the provision of document personalisation services (provided by subcontractor of card
manufacturer),
the provision of post-issuance services for documents,
processing of personal data in accordance with Estonian, EU and international regulations,
standards, requirements and instructions.
Certification Authority (CA)
The PBGB has a contract with Zetes SA for the provision of certification and qualified trust services.
The duties of the CA in certification service and qualified trust service cover the following:
issuance of root certificates and intermediate certificates for the creation of a certificate chain,
issuance of qualified certificates for electronic signatures and certificates for authentication and
encryption,
22
service of Subscriber certificates,
provision of OCSP responder service,
provision of CRL service,
provision of LDAP directory service,
provision of test services.
Helpline
ID software user support for electronic use of the cards and ID software is available workdays 8.30-17.00
by phone +372 666 8888 or email [email protected], additionally www.id.ee is available for user support.
2.4.1. General provisions
LOW
1. Providers delivering any operational service covered by this Regulation are a public authority or a
legal entity recognised as such by national law of a Member State, with an established organisation
and fully operational in all parts relevant for the provision of the services.
Diplomatic identity cards are issued by the MFA; hence, the requirement is fulfilled.
2. Providers comply with any legal requirements incumbent on them in connection with operation
and delivery of the service, including the types of information that may be sought, how identity
proofing is conducted, what information may be retained and for how long.
Operations of all entities involved in the Estonian eID scheme are directly governed by national legislation
and subordinate regulations. The legislation and enforcement of procedures about identity- proofing are
described previously under section 2.1.2.; hence, the requirement is fulfilled.
3. Providers are able to demonstrate their ability to assume the risk of liability for damages, as well
as their having sufficient financial resources for continued operations and providing of the services.
According to the Electronic Identification and Trust Services for Electronic Transactions Act [5], the
certification service provider shall have a liability insurance contract, with the sum insured at least in the
amount of one million euros annually per each single insured event and at least one million euros per all
events in total.
The CA and card manufacturer shall have a valid performance warranty for the duration of the contract.
During the term of the Contract, the Contractor shall hold a non-life insurance contract with an insurer
authorised in Estonia, the European Union (EU) or another Member State of the European Economic Area
to which the Contracting Authority is a beneficiary.
PBGB has established fines for external service providers for breach of contract.
23
4. Providers are responsible for the fulfilment of any of the commitments outsourced to another
entity, and compliance with the scheme policy, as if the providers themselves had performed the
duties.
Contracting partners are responsible for the fulfilment of all commitments outsourced to another entity
and compliance with the policies as stated (including an obligation to notify of the subcontractors) in the
contract with the PBGB.
5. Electronic identification schemes not constituted by national law shall have in place an effective
termination plan. Such a plan shall include orderly discontinuations of service or continuation by
another provider, the way in which relevant authorities and end users are informed, as well as details
on how records are to be protected, retained and destroyed in compliance with the scheme policy.
Estonian eID scheme is constituted by national law; therefore, a termination plan is not applicable.
Subcontractors have contractual obligations for the continuation of service throughout the validity period
of the issued certificates. As of 01.07.2017, electronic authentication is listed as a vital service in the
Emergency Act [24] and is considered as a provider of a service of general interest; therefore, the General
Part of the Economic Activities Code Act [25] applies.
Termination of CA is stipulated in eID CPS [8].
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.4.2. Published notices and user information
LOW
1. The existence of a published service definition that includes all applicable terms, conditions, and
fees, including any limitations of its usage. The service definition shall include a privacy policy.
Applicable terms and conditions (including any limitations of usage and privacy policy) are defined and
explained under section 2.1.1. The terms and conditions, the procedure for the issue and revocation of a
diplomatic identity card, the format and technical specification of a card, the list of information entered
on a card, and the registration procedure of non-residents exempt from income tax is listed in the Protocol
Guide [26]. Usage of personal data and privacy is regulated by the GDPR [27] and the Personal Data
Protection Act [28], which provides the conditions and procedure for processing of personal data, the
procedure for the exercise of state supervision and administrative supervision upon processing of
personal data, and liability for a violation of the requirements for processing of personal data.
24
2. Appropriate policy and procedures are to be put in place in order to ensure that users of the service
are informed in a timely and reliable fashion of any changes to the service definition and to any
applicable terms, conditions, and privacy policy for the specified service.
The MFA is fully responsible, according to the internal procedures and regulations, for coordinating
change management and communication of all aspects of issuing the cards in a timely and reliable
fashion, without undue delay. Service planners are responsible for putting appropriate policies and
procedures in place, ensuring that users of the service are informed in a timely and reliable fashion of any
changes to the service definition, any applicable terms, conditions, and privacy policy.
3. Appropriate policies and procedures are to be put in place that provide for full and correct
responses to requests for information.
Internal process of the MFA provides the guidelines for issuance of the cards and for services necessary
after issuance (i.e. revoking the certificates).
Additionally, the Terms and Conditions for Use of Certificates of Personal Identification Documents of the
Republic of Estonia are referred to under section 2.1.1.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.4.3. Information security management
LOW
There is an effective information security management system for the management and control of
information security risks.
Please see the description below under substantial and high.
SUBSTANTIAL
Level low, plus:
The information security management system adheres to proven standards or principles for the
management and control of information security risks.
E-ITS [21] is compulsory for all state and local government organisations who handle databases/registers.
Therefore, all internal procedures for development and maintenance are created and managed based on
E-ITS security levels and classes. E-ITS [21} is a tool for risk and security management; hence, the
requirement is fulfilled. State supervision for E-ITS [21] compliance is conducted by RIA.
25
Private parties adhere to and provide certificates of audits (eIDAS and ISO) which demonstrate following
proven standards and principles for the management and control of information security risks, as
previously stated under 2.4.
HIGH
Same as level substantial.
2.4.4. Record keeping
Collecting data and records, maintenance, archiving, and protection of all relevant records and data is
required and regulated by European (eIDAS Regulation [2], GDPR [27]) and national legislation,
subordinate regulations, and internal procedures.
LOW
1. Record and maintain relevant information using an effective record-management system, taking
into account applicable legislation and good practice in relation to data protection and data
retention.
The Public Information Act [29] provides the conditions of, procedure for, and methods of access to and
reuse of public information and the bases for refusal to grant access to information, restricted public
information, and the procedure for granting access thereto to the extent not regulated by other acts, the
bases for establishment and administration of databases, and supervision over the administration of
databases, the procedure for the exercise of state supervision, and administrative supervision over the
organisation of access to information.
The Personal Data Protection Act [28] provides for the conditions and procedure for the processing of
personal data, the procedure for the exercise of state supervision and administrative supervision upon the
processing of personal data, and liability for a violation of the requirements for the processing of personal
data.
Regulation 3 of the Minister of Foreign Affairs of 23.05.2016 [13] provides, in section 11, that submitted
applications, with all additional documents presented, are kept according to the Archives Act [30] and its
subordinate acts.
Section 11 provides that all data in the database will be archived after the accreditation, and other
processes related to it, of the member of the foreign mission staff and her/his family member, private
servant, and honorary consul, is finished. The archived data is preserved for seven years. The following
data about the applicant of the card will be permanently preserved: the name of the foreign mission,
surname and family name, rank, presumed starting and ending time of the posting, name of the position
in both Estonian and English, the time of leaving the posting, and, in case of an ambassador, the date of
presenting the credentials.
Activity record log files are saved and stored for ten years after creating the records in a saved CSV file
on the hard drive.
26
Regulation 3 of the Minister of Foreign Affairs of 23.05.2016 [13] provides, in section 12, that the security
class for data in the database of VEIS and the database security level. According to section 18, the decision
of liquidation of the database can be made by the Minister of Foreign Affairs.
2. Retain, as far as it is permitted by national law or other national administrative arrangement, and
protect records for as long as they are required for the purpose of auditing and investigation of
security breaches, and retention, after which the records shall be securely destroyed.
The Archives Act [30] provides for the appraisal of records, acquisition and preservation of archival
records, grant of access thereto, organisation of the use thereof, and liability for rendering records and
archival records unusable and destruction thereof, establishment of the bases for records management
of agencies and persons performing public duties, and bases for the activities of the National Archives
and local government archives.
Regulation 181 of the Government of the Republic of 22.12.2011 [31], the archival rules, regulates and
specifies the requirements for the assessment and safekeeping of the records at public institutions or
persons until their handover to the public archive and the rules of handover, preservation, protection in
public archive, and access management, including issuance of the archival notice of the archive records.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.4.5. Facilities and staff
Estonian eID is managed by the Estonian government; therefore, all human resource decisions are laid
down in official administrative procedures according to the national legislation; in particular, based on
the Civil Service Act [32], Foreign Service Act [33] and Employment Contracts Act [34].
Additionally, E-ITS [21] facilitates requirements for both facilities and staff.
The manufacturing site of the card manufacturer is certified throughout the contract period according to
the following standards:
Intergraf's ISO 14298 – level Governmental.
ISO 9001 Quality Management System – requirements.
ISO/IEC 27001 Information technology – Security techniques – Information security management
systems – Requirements.
PCI CPP Physical Security Requirements and Test Procedures for the transportation of documents
from the manufacturing site to the personalisation site via secure transportation.
The personalisation site and processes of the card manufacturer are compliant with the following
regulations and standards:
27
Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic
identification and trust services for electronic transactions in the internal market, as amended by
Regulation (EU) 2024/1183 as regards establishing the European Digital Identity Framework
(always referred together as eIDAS regulation),
ISO 9001 Quality Management System – requirements,
ISO/IEC 27001 Information technology – Security techniques - Information security management
systems – Requirements,
PCI CPP - Logical Security Requirements and Test Procedures,
PCI CPP - Physical Security Requirements and Test Procedures,
o ISO 9001 Quality Management System – requirements,
o ISO/IEC 27001 Information technology – Security techniques – Information security management
systems – Requirements,
o PCI CPP - Logical Security Requirements and Test Procedures,
o PCI CPP - Physical Security Requirements and Test Procedures,
o PCI Data Security Standard.
The card manufacturer ensures compliance with all relevant EU, Estonian and international legal acts,
standards and recommendations as well as the relevant electronic identification and CA rules at all times
throughout the contract and in case any amendments or updates are introduced, card manufacturer shall
ensure compliance with all amended and updated requirements without any delay.
LOW
1. The existence of procedures that ensure that staff and subcontractors are sufficiently trained,
qualified and experienced in the skills needed to execute the roles they fulfil.
In public authorities, staff are employed and trained according to dedicated job profiles (general
framework and qualification requirements) and job descriptions (detailed work characteristics and
responsibilities). Both originate from state development plans, work plans, cooperation agreements, and
the needs specified by the service planner/owner. Where relevant, additional dedicated training
programmes for staff members also exist (e.g., identity-proofing and fraud). This ensures that procedures
are performed by trained, qualified, and experienced staff. Background checks are implemented during
recruitment and employment as a routine precautionary measure in accordance. Duties are performed
according to formalised processes, and special obligations of due diligence exist. Job profiles, training
programmes, procedures, and processes are monitored and updated on a regular basis as part of the
state public service.
Implementing E-ITS [21] or ISO 27001 [35] requirements facilitate the existence of procedures that ensure
that staff and subcontractors are sufficiently trained, qualified, and experienced in the skills needed to
execute the roles they fulfil.
The requirements for contractors come from the eIDAS Regulation [2], the Electronic Identification and
Trust Services for Electronic Transactions Act [5], and the contracts. All specific standards and
requirements set out in the previously mentioned under contractors are applicable to the
subcontractor(s) depending on their role. The CPs for the ID-1 format identity documents are publicly
28
available electronically on CA webpage [7] and www.id.ee webpage, CPSs are available on CA webpage
[8].
2. The existence of sufficient staff and subcontractors to adequately operate and resource the service
according to its policies and procedures.
Public authorities have been provided with resources and staff according to the administrative effort of
the corresponding services as part of legislative procedures, which are reassessed on a yearly basis as
part of yearly estimations and analysis. Additionally, implementing E-ITS [21] or ISO [35] requirements
facilitate the existence of sufficient staff and subcontractors to adequately operate and resource the
service according to its policies and procedures.
The requirements for contractors come from the eIDAS Regulation [2], the Electronic Identification and
Trust Services for Electronic Transactions Act [5], and the contracts. The certificate policies and
certification practice statements for the ID-1 format identity documents (which apply for the diplomatic
identity card likewise) are publicly available electronically respectively on CA webpage [8] or www.id.ee
webpage [11].
3. Facilities used for providing the service are continuously monitored for, and protect against,
damage caused by environmental events, unauthorised access and other factors that may impact
the security of the service.
Implementing E-ITS [21] or ISO [35] requirements facilitate continuous monitoring for, and protection
against, damage caused by environmental events, unauthorised access, and other factors that may
impact the security of the service of facilities used for providing services.
The requirements for contractors come from the eIDAS Regulation [2], the Electronic Identification and
Trust Services for Electronic Transactions Act [5], and the contracts. The contractors have an insurance
policy to provide the security of the service.
The bases of continuity of vital services are regulated in the Emergency Act [24].
Physical security requirements for manufacturing and personalisation process and physical security
requirements for the personalisation site come from the PCI standards (as described in 2.4.5). The
physical and information systems security of the MFA is regulated with different internal organisational
documents.
Internal document of information management procedure establishes general principles for requesting
access rights and obligations at the end of the employment. In addition, there are internal rules that
regulate security and fire safety, e.g. general ATS system, in archive and for servers’ automatic gas
extinguishing system.
4. Facilities used for providing the service ensure that access to areas holding or processing personal,
cryptographic or other sensitive information is limited to authorised staff or subcontractors.
29
Implementing E-ITS [21] requirements ensure that access to areas holding or processing personal,
cryptographic, or other sensitive information is limited to authorised staff or subcontractors.
The archival rules referred to in 2.4.4 regulate and specify the requirements for assessment and
safekeeping of the records at public institutions or persons until their handover to the public archive and
the rules of handover, preservation, protection in the public archive, access management, including
issuance of the archival notice of the archive records.
Additionally, why and how data is gathered, kept, and handled and who has access to the data are defined
in the statutes of a particular database. This includes information system access control, which is
monitored in terms of who has which access rights, for how long, and given by whom. This ensures that
access rights are backwards traceable, should there be a need to identify who, when, why, and where
has granted access.
The requirements for contractors come from the eIDAS Regulation [2], the Electronic Identification and
Trust Services for Electronic Transactions Act [5], and the contracts; also, from the CP [7]. The contractors
for manufacturing and personalisation of the cards operate under the PCI standards that cover the
physical security part and personnel requirements.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.4.6. Technical controls
LOW
The service system is hosted by a qualified trust service provider, published in the national trusted list:
https://sr.riik.ee/en/trusted-list/ and in the EU trusted list: https://eidas.ec.europa.eu/efda/trust-
services/browse/eidas/tls.
eID CPS, eID CP, terms and conditions are available at https://repository.eidpki.ee/repository/. Conformity
assessments reports are provided upon request and under nondisclosure agreement.
1. The existence of proportionate technical controls to manage the risks posed to the security of the
services, protecting the confidentiality, integrity and availability of the information processed.
Requirements for the existence of proportionate technical controls to manage the risks posed to the
security of services, protecting the confidentiality, integrity, and availability of the information processed
for private parties, come from European and national legislation, and the contracts. Data between the
MFA, the card manufacturer, and CA transfers through secure PBGB exchange interface HUB.
MFA accesses the environment via X-tee data change.
30
The data exchange takes place as a transmission of messages over the X-tee data exchange layer, ensuring
secure, standardised, and auditable message-based communication. Generic information on X-tee can be
found at https://www.ria.ee/en/state-information-system/x-tee.html.
As part of the Estonian eID scheme, a new intermediary service called HUB has been introduced to
support and standardise data exchange related to the issuance of ID1-format identity documents. HUB is
a gateway-type service that mediates communication between the parties involved in the ID card (applies
for diplomatic cards also) issuance process - the issuing authorities, the document manufacturer, and the
QTSP. All data exchange through HUB takes place over the X-tee data exchange layer, ensuring secure,
auditable, and standardised communication.
The primary role of ID1 HUB is to manage and mediate:
requests for personalisation orders of ID-1 format identity documents documents sent from
issuing authorities to the manufacturer,
notifications of personalisation order and delivery package status changes back to the
corresponding issuing authority systems, and
requests for certificate generation, activation, revocation, and related status queries sent to the
QTSP.
HUB enables the transmission of trust service responses both to the issuing authorities’ systems and to
the card manufacturer(s). By acting as a single intermediary, HUB reduces direct system-to-system
integrations and ensures consistent handling of processes and data.
The introduction of HUB aims to:
standardise communication between all parties involved in ID1 document issuance,
provide auditable and traceable data exchange,
increase resilience and efficiency by supporting the parallel or alternative use of different QTSPs
when requesting certificates.
2. Electronic communication channels used to exchange personal or sensitive information are
protected against eavesdropping, manipulation and replay.
Requirements for the existence of proportionate technical controls to manage the risks posed to the
security of services, protecting the confidentiality, integrity, and availability of the information processed
for contractors, come from European and national legislation, and the contract.
Data between the MFA, the card manufacturer, and CA transfers through secure PBGB exchange interface
HUB.
MFA accesses the environment via X-tee data change.
3. Access to sensitive cryptographic material, if used for issuing electronic identification means and
authentication, is restricted to the roles and applications strictly requiring access. It shall be ensured
that such material is never persistently stored in plain text.
31
Requirements for access restrictions for contractors come from the eIDAS Regulation [2], the Electronic
Identification and Trust Services for Electronic Transactions Act [5], and the contracts.
4. Procedures exist to ensure that security is maintained over time and that there is an ability to
respond to changes in risk levels, incidents and security breaches.
Security and risk management:
a) Middleware software (including card drivers) is maintained by the state and is frequently
updated.
b) In case of security vulnerabilities or cryptographic updates that might have an impact on the
security of already issued cards or to remain QSCD certified, the re-key of the certificates shall be
possible via ID card administration portal.
c) To prevent the potential digital misuse, the certificates can be revoked using revocation portal
which is accessible 24/7 to all card holders.
Requirements for contractors come from the eIDAS Regulation [2], the Electronic Identification and Trust
Services for Electronic Transactions Act [5], and the contracts. IDA [4] allows the issuing authority to
revoke the certificates, when necessary.
5. All media containing personal, cryptographic or other sensitive information are stored,
transported and disposed of in a safe and secure manner.
Requirements for contractors come from the eIDAS Regulation [2], the Electronic Identification and Trust
Services for Electronic Transactions Act [5] and other applicable national legislative acts, and the
contracts. for example, data must be physically stored only in the Estonian territory.
SUBSTANTIAL
Same as level low, plus: Sensitive cryptographic material, if used for issuing electronic identification
means and authentication is protected from tampering
Requirements for contractors come from the eIDAS Regulation [2], and other applicable national
legislative acts, and the contracts.
HIGH
Same as level substantial.
2.4.7. Compliance and audit
The qualified trust service provider Zetes SA is subject to the eIDAS Regulation [2], with its implementing
acts, and, at the national level, is regulated by the Electronic Identification and Trust Services for
Electronic Transactions Act [5].
CA has been audited by the certification body of LSTI SAS (CAB is accredited for the certification of trust
services according to ISO/IEC27001 and ETSI EN 319 403 [36]) and confirmed as a QTSP according to
32
article 3 (20) of eIDAS by RIA. The initiation and supervisory activities of CA and its qualified trust service
provided, and lifecycle management of the related qualified status are carried out according to the figure
below. CA activities are under regular supervision throughout the lifecycle of such services, from their
commencement to their termination. CA has an obligation to communicate with RIA regarding any
changes in the provision of its qualified trust services, data set out in a notification according to paragraph
1 of article 21 of eIDAS, and any incidents concerning a breach of security or loss of integrity. The qualified
trust services provided by CA are in accordance with the requirements laid down in eIDAS, the ETSI
European Standard (ETSI EN), and national regulations. Information related to CA and provided services
have been entered into the national trusted list by the validity of the relevant conformity assessment
report, in general, for 2 years. Detailed information regarding CA, provided services, certificates,
certification practice statements, policies, and conformity assessment reports are available at the website
https://repository.eidpki.ee/repository/.
Activities for QTSP/QTS initiation and lifecycle management of the related qualified status of trust service
level is described on the following caption 3.
33
Caption 3 Activities for QTSP/QTS initiation and lifecycle management of the related qualified status at trust service level
LOW
The existence of periodical internal audits scoped to include all parts relevant to the supply of the
provided services to ensure compliance with relevant policy.
Please see the detailed description in the following section high.
34
SUBSTANTIAL
The existence of periodical independent internal or external audits scoped to include all parts
relevant to the supply of the provided services to ensure compliance with relevant policy.
Please see the detailed description in the following section high.
HIGH
1. The existence of periodical independent external audits scoped to include all parts relevant to the
supply of the provided services to ensure compliance with relevant policy.
The contractors of the PBGB and their subcontractors in connection with the issuance of documents
(including the diplomatic identity card issued by the MFA ) must be audited accordingly and/or comply
with requirements of standard(s) (ETSI, PCI and/or ISO) until the expiry of the contracts or until the expiry
of the last certificate pair issued and/or renewed according to the specifics of particular standard or audit.
The CA is audited every year by a conformity assessment body, and RIA, as the Supervisory Body, confirms
that the CA fulfils the requirements laid down in eIDAS [2] and national laws for a QTSP. CA is audited at
least every 2 years to confirm that the CA and the qualified trust services provided by them fulfil the
requirements laid down in eIDAS and national law. An external E-ITS [21] audit has been conducted for
the MFA information system (including the database of VEIS [13]) as of 26.062017, and the next planned
audit will be conducted in accordance with the stated E-ITS security level.
2. Where a scheme is directly managed by a government body, it is audited in accordance with the
national law.
Estonian eID scheme is subject to national law. Therefore, it is under supervisory control of the state.
Supervisory control is conducted in an administrative authority by a higher authority over the subordinate
administrative agency in terms of the lawfulness in actions and feasibility in functions. Supervisory control
of Estonian governmental authorities and agencies is regulated by chapter 7 of the Government of the
Republic Act [37]; hence, this requirement is fulfilled.
35
List of References
[1] Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on Published: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02015R1502- 20220711
[2] Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market, as amended by Regulation (EU) 2024/1183 as regards establishing the European Digital Identity Framework (always referred together as eIDAS regulation) Reference: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02014R0910- 20241018
[3] Vienna Convention on Diplomatic Relations Published: https://treaties.un.org/pages/viewdetails.aspx?src=treaty&mtdsg_no=iii- 3&chapter=3&clang=_en
[4] Identity Documents Act (IDA) https://www.riigiteataja.ee/en/eli/ee/505012026002/consolide/current
[5] Electronic Identification and Trust Services for Electronic Transactions Act Published: https://www.riigiteataja.ee/en/eli/ee/529122024007/consolide/current
[6] Subscriber Terms and Conditions for Certificates issued by Zetes Estonia OÜ for ID-1 format identity documents of the Republic of Estonia Published: https://repository.eidpki.ee/repository/
[7] Certificate Policy for ID-1 format identity documents of the Republic of Estonia” (eID CP) Published: https://www.id.ee
[8] Zetes Estonia OÜ - Certification Practice Statement for the Intermediate CA for ID-1 documents of the Republic of Estonia; Trust Service Practice Statement (eID CPS) Published: https://repository.eidpki.ee/repository/
[9] Regulation 7 of the Minister of the Foreign Affairs, as of 09.03.2017 (in Estonian only) Published: https://www.riigiteataja.ee/akt/126082025005?leiaKehtiv
[10] Diplomatic Portal Published: https://dipid.mfa.ee/
[11] www.id.ee webpage Published: https://www.id.ee/
[12] Regulation No. 62 of the Minister of the Interior “Requirements for a photograph when applying for an identity document” (only in Estonian) Published: https://www.riigiteataja.ee/akt/108122015004?leiaKehtiv
[13] Regulation 3 of the Minister of Foreign Affairs, as of 23.05.2016,” (in Estonian only) Published: https://www.riigiteataja.ee/akt/126092025004?leiaKehtiv
[14] Foreign Relations Act Published: https://www.riigiteataja.ee/en/eli/ee/530092025011/consolide/current
[15] Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and repealing Regulation (EEC) No 339/93. Published: http://data.europa.eu/eli/reg/2008/765/2021-07-16
[16] Statute of MFA (in Estonian only Published: https://www.riigiteataja.ee/akt/101112011004?leiaKehtiv
[17] Police and Border Guard Act Published: https://www.riigiteataja.ee/en/eli/ee/527102025003/consolide/current
[18] Police and Border Guard Statute (only in Estonian) Published: https://www.riigiteataja.ee/akt/128062025002?leiaKehtiv
[19] Authorisation of the Estonian Government (only in Estonian) Published: https://www.riigiteataja.ee/akt/303122022004
[20] SMIT Statute (only in Estonian)
36
Published: https://www.riigiteataja.ee/akt/109072024006?leiaKehtiv
[21] Estonian Information Security Standard (E-ITS, website in Estonian, some documents also in English) Published: https://eits.ria.ee
[22] RIA Statute (only in Estonian) Published: https://www.riigiteataja.ee/akt/127122024010?leiaKehtiv
[23] German BSI IT-Grundschutz baseline security system Published: https://www.bsi.bund.de/EN/Themen/Unternehmen-und- Organisationen/Standards-und-Zertifizierung/IT-Grundschutz/it-grundschutz_node
[24] Emergency Act Published: https://www.riigiteataja.ee/en/eli/ee/527102025001/consolide/current
[25] General Part of the Economic Activities Code Act Published: https://www.riigiteataja.ee/en/eli/ee/504012018003/consolide/current
[26] Protocol Guide Published: https://vm.ee/en/ministry-news-and-contacts/state-protocol/protocol-guide
[27] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data Published: https://eur-lex.europa.eu/legal- content/EN/TXT/?uri=CELEX%3A32016R0679&qid=1765634765358
[28] Personal Data Protection Act Published: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679- 20160504
[29] Public Information Act Published: https://www.riigiteataja.ee/en/eli/ee/514112013001/consolide/current
[30] Archives Act Published: https://www.riigiteataja.ee/en/eli/ee/521032019019/consolide/current
[31] Regulation 181 of the Government of the Republic of 22.12.2011 (in Estonian only) Published: https://www.riigiteataja.ee/akt/114072023005?leiaKehtiv
[32] Civil Service Act Published: https://www.riigiteataja.ee/en/eli/ee/503022026003/consolide/current
[33] Foreign Service Act Published: https://www.riigiteataja.ee/en/eli/ee/515092025004/consolide/current
[34] Employment Contracts Act Published: https://www.riigiteataja.ee/en/eli/ee/501092025001/consolide/current
[35] ISO standards https://www.iso.org/standards.html
[36] ETSI EN 319 403 Published: https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301 v020301p.pdf
[37] Government of the Republic Act Published https://www.riigiteataja.ee/en/eli/ee/504092025010/consolide/current
2026
LoA Mapping of the Estonian residence permit card on level “High”
Table of contents
List of Definitions ..................................................................................................................................... 1
List of Acronyms ...................................................................................................................................... 3
1. Introduction ......................................................................................................................................... 4
2. Technical specifications and procedures ............................................................................................. 4
2.1. Enrolment ..................................................................................................................................... 5
2.1.1. Application and registration .................................................................................................. 5
2.1.2. Identity proofing and verification (natural person) .............................................................. 7
2.1.3. Identity proofing and verification (legal person) ................................................................ 10
2.1.4. Binding between the electronic identification means of natural and legal persons .......... 10
2.2. Electronic identification means management ........................................................................... 10
2.2.1. Electronic identification means characteristics and design ................................................ 10
2.2.2. Issuance, delivery, and activation ....................................................................................... 11
2.2.3. Suspension, revocation, and reactivation ........................................................................... 12
2.2.4. Renewal and replacement ................................................................................................... 14
2.3. Authentication ............................................................................................................................ 15
2.3.1. Authentication mechanism ................................................................................................. 17
2.4. Management and organisation .................................................................................................. 18
2.4.1. General provisions ............................................................................................................... 21
2.4.2. Published notices and user information ............................................................................. 23
2.4.3. Information security management ..................................................................................... 24
2.4.4. Record-keeping.................................................................................................................... 24
2.4.5. Facilities and staff ................................................................................................................ 25
2.4.6. Technical controls ................................................................................................................ 28
2.4.7. Compliance and audit .......................................................................................................... 30
1
List of Definitions Term Definition
authentication A unique identification of a person by checking their alleged identity.
biometric data Biometric data is a facial image, fingerprint images and signature or
image of signature.
certificate Public key, together with additional information, laid down in the
certificate profiles, rendered unforgeable via encipherment using the
private key of the Certification Authority which issued the certificate.
electronic identification The process of using person identification data in electronic form
uniquely representing either a natural or legal person, or a natural
person representing a legal person.
electronic identification
scheme
A system for electronic identification under which electronic
identification means are issued to natural or legal persons, or natural
persons representing legal persons.
electronic signature Data in electronic form which is attached to or logically associated with
other data in electronic form, and which is used by the signatory to
sign. Signatory means natural person who creates an electronic
signature.
Estonian population
register
A database which unites the main personal data on Estonian citizens,
citizens of the EU and third-country national who have been granted a
residence permit or right of residence in Estonia.
foreign representation
of the Republic of
Estonia
An official unit (embassies, consulates, representations) operating
under the MFA in foreign country, responsible for representing
Estonia’s interests, maintaining diplomatic and consular relations, and
providing consular activities.
foreigner A citizen of a member state of the European Union, except Estonia, or
of a member state of the European Economic Area or of the Swiss
Confederation (hereinafter a citizen of the European Union); or a third-
country national.
HUB HUB is a secure data exchange interface between the PBGB, the card
manufacturer, and Certification Authority to support standardised data
exchange related to the issuance of ID-1 format identity documents.
ID card administration
portal
Portal for looking up given PUK code and re-key of certificates, available
at https://www.idhaldusportaal.ee/en/.
ID software An end-user desktop application for personal maintenance of
smartcard-based eID.
ID-1 format identity
documents
Documents in ID-1 format are identity card, e-resident digital ID, RP
card and diplomatic identity card.
identity documents
database (ITDAK)
A record-keeping system for ensuring the internal security of the state,
including the identification of persons and the issuance and revocation
of identity documents specified in subsection 15 (4) of the IDA, as well
as persons who have applied for mentioned documents. The basic data
collected by the information system are:
- Data related to the identification or verification of a person's identity,
2
- Data related to the applicant for an identity document,
- Data on the application for an identity document,
- Data on the identity document.
Ministry of Foreign
Affairs (MFA)
In this document, the MFA includes either both or one: the MFA
headquarters and/or foreign represenations abroad (i.e. embassies,
consulates, honorary consuls, consular missions).
personal identification
code
A unique 11-digit identifier for individuals in Estonia based on a
person's gender, date of birth, serial number and check digit.
PIN code Activation code for the certificate enabling digital authentication and
the certificate enabling qualified electronic signatures.
private key The key of a key pair that is assumed to be kept in secret by the owner
of the key pair, and that is used to create electronic signatures and/or
to decrypt electronic messages, records or files that were encrypted
with the corresponding public key.
public key The key of a key pair that may be publicly disclosed by the owner of the
corresponding private key and that is used by relying parties to verify
electronic signatures created with the owner’s corresponding private
key and/or to encrypt messages, records and files so that they can be
decrypted only with the owner’s corresponding private key.
PUK Personal unlocking key.
register for authentic
documents
Database of documents of the European Union, of its member states,
and other countries, e.g. PRADO (Public Register of Authentic identity
and travel Documents Online).
revocation portal Portal for revocation of certificates, available at https://revocation-
portal.eidpki.ee/en/landing.
RP card A mandatory identity document of a third-country national residing in
Estonia on the basis of a valid right of residence or residence permit
secure service provider
for handing out identity
documents
External service provider with the competency to hand out identity
documents.
self-service Digital environment, where a person can apply for an identity
document, available at https://etaotlus.politsei.ee/ekpid/login.
Third-country national Person who is not Estonian, citizen of European Union, or of a member
state of the European Economic Area or of the Swiss Confederation.
web eID The Web eID solution enables the use of ID-1 format identity
documents for secure authentication and digital signing on the web.
X-tee Data exchange platform that allows secure and standardised data
exchange between different institutions, including state authorities and
private sector, available at https://www.x-tee.ee/home.
3
List of Acronyms Acronyms Definition
ABIS Automated Biometric Identification System
CA Certification Authority
CC Common Criteria
CCA Client Certificate Authentication
CERT Computer Emergency Response Team
CP Certificate Policy
CPS Certification Practice Statement
CRL Certificate Revocation List, a list of invalid (revoked) certificates
EAL Evaluation Assurance LEvel
eID Electronic Identity
eIDAS Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic
identification and trust services for electronic transactions in the internal market, as
amended by Regulation (EU) 2024/1183 as regards establishing the European Digital
Identity Framework (always referred together as eIDAS regulation)
E-ITS Estonian Information Security Standard
ENISA The European Union Agency for Cybersecurity
ETSI The European Telecommunications Standards Institute
EU European Union
GDPR General Data Protection Regulation - Regulation (EU) 2016/679 of the European
Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data
ICT Information and communication technology
IDA Identity Documents Act
ISO International Organization for Standardization
ITDAK Identity Documents Database
LDAP Lightweight Directory Access Protocol
LoA Levels of Assurance
MFA The Ministry of Foreign Affairs
OCSP Online Certificate Status Protocol
OTP One Time Password
PCI Payment Card Industry
PGBG The Estonian Police and Border Guard Board
PKI Public Key Infrastructure
QSCD Qualified Signature Creation Device
QTS Qualified Trust Service
QTSP Qualified Trust Service Provider
RA Registration Authority
RIA Information System Authority of the Republic of Estonia (Riigi Infosüsteemi Amet)
RSA Rivest-Shamir-Adleman
SMIT The IT and Development Centre of the Ministry of the Interior
TARA State Authentication Service
TLS Transport Layer Security
4
1. Introduction
The present document explains how the Estonian RP card meets the requirements for the Level of
Assurance (LoA) ’high’ pursuant to the requirements of the eIDAS LoA defined in Commission
Implementing Regulation (EU) 2015/1502 [1] pursuant to Article 8(3) of the eIDAS Regulation [2] [(EU)
910/2014], as amended by Regulation (EU) 2024/1183 as regards establishing the European Digital
Identity Framework (always referred together).
2. Technical specifications and procedures
The elements of technical specifications and procedures outlined in this annex of the Commission
Implementing Regulation (EU) 2015/1502 [1] will be used to determine how the requirements and
criteria of article 8 of Regulation (EU) [2] will be applied for electronic identification means issued under
an electronic identification scheme.
ID-1 is an Estonian eID platform that is implemented on top of Aquarius chip (product name:
AQUARIUS_CA_09) from Thales, which is CC EAL6+ certified. The eID functionality is managed by the
application IAS Classic v5.2.1 with MOC Server v3.1 (EAL5+) on the operating system MultiApp V5.1
(version C, EAL6+)
ID-1 operates on:
Globalplatform 2.3.1
- Secure messaging: SCP03 i= 00, 01, 10, 11, 20, 21, 30, 31, 60, 61, 70 & 71 (AES 128, 192,
256);
- Optional and Mandated DAP up to RSA2K: applet versioning and integrity during post-
issuance;
- Delegated Management up to RSA2K: secure postissuance card management delegation
operations;
- Multiple Security Domains: Segregation of roles on the same card;
- Extradition: extradites an application from a Security Domain to another.
Globalplatform Privacy Framework
- Privacy Enhanced ID Configuration: SCP 21.
Java Card 3.1;
- Multiple Logical channels: concurrent applets addressed simultaneously during the same
card session;
- Garbage collector: recovers memory space of deleted or useless objects.
Applet optimiser: Saves at least 10% of NVM memory required by applications.
PACE support: privacy protection with explicit user consent.
Applet supports all required minimum public key features for easy integration in various PKI. It includes
the certificate for electronic authentication and encryption as well as certificate for providing a
qualified electronic signature, that are stored on the chip. In addition, the certificate for authentication
and encryption is also available in LDAP (Lightweight Directory Access Protocol) repository.
5
The certificates are valid until the date of expiry of the RP card, meaning up to five years depending on
the validity of the physical RP card.
2.1. Enrolment
The RP card is a mandatory identity document from the age of 15 which is issued to third-country
nationals residing in Estonia based on a valid residence permit or right of residence.
2.1.1. Application and registration
LOW
1. Ensure the applicant is aware of the terms and conditions related to the use of the electronic
identification means.
The issuance of RP card and the obligations of the document holder are regulated by
the eIDAS Regulation [1],
IDA [3],
Subscriber Terms and Conditions for Certificates issued by Zetes Estonia OÜ for ID-1 format
identity documents of the Republic of Estonia [4],
Electronic Identification and Trust Services for Electronic Transactions Act [5],
Certificate Policy for ID-1 format identity documents of the Republic of Estonia (eID CP) [6].
Certification Practice Statement for the Intermediate certificates for ID-1 Documents of the
Republic of Estonia (eID CPS) [7].
According to section 114 of the IDA [3], the initial RP card can be applied for only in person in a service
point of the issuing authority or in the foreign representation of the Republic of Estonia (hereinafter
foreign representation). In case of expiry, loss or theft of the RP card, persons can apply for a recurring
RP card in one of the following methods:
in self-service, available only for third-country nationals, who have been previously issued an
RP card and for those who are legal guardians,
in a service point of the issuing authority,
via post,
via email.
Terms and conditions for the use of certificates on the RP card are publicly available on the www.id.ee
website [8], and a printout can be requested from the issuing authority or the foreign representation.
The applicant must explicitly agree to the terms and conditions that are in force at time of application.
Important points related to the use of the electronic identification means of the RP card are available
on the PBGB website [9] as well as on a paper carrier of the RP card.
2. Ensure the applicant is aware of recommended security precautions related to the electronic
identification means
The obligations of a document holder and return of an RP card are stated in section 14 of the IDA [3].
6
When a document holder forgets their PIN codes, they can use the PUK in the ID software to set new
PIN codes. In case the PUK is forgotten, they can use another state accepted digital document to access
ID card administration portal and view the PUK code of their RP card. Alternatively, an application can
be submitted in the issuing authority service point and the PUK will be sent by post. PUK can be sent
to Estonian postal address only. If the PUK is blocked, the document can be used only as a physical
identity document, for the use of certificate, a new document must be applied for.
Recommended security precautions related to the electronic identification means are listed on PBGB’s
webpage [9], on a paper carrier of the RP card and in the terms and conditions for the use of the
certificates mentioned above [8]; for example, not to hand over one’s RP card, to keep the PIN codes
secret from others, how to act in case document is lost or stolen etc.
3. Collect the relevant identity data required for identity proofing and verification.
Collecting the relevant identity data required for identity-proofing and verification is regulated based
on Regulation 20 of the Minister of the Interior, as of 01.08.2025 [10]. Collecting application and
relevant identity data required for identity-proofing in the foreign representation is additionally
regulated by the Consular Act [11] and regulations of the minister responsible. Collected identity data
is checked against the database of the Estonian population register, identity documents database
(ITDAK] and automated biometric identification system (ABIS) [12].
The issuer identifies physically the person at least once during the issuance process, taking into account
the exceptions described in this document (minors under the age of 15).
For identity-proofing, the applicant provides the following information to the issuing authority:
valid identity or travel document (except in cases where the application is done via regular
mail, by a legal guardian, or electronically; expired RP card is allowed in service point, when
applying for a recurring document, in that case the PBGB official uses other evidence and
databases for identity-proofing),
a photo taken in the issuing authority service point or individually a maximum of 6 months
prior to the application date (requirements set out in Regulation 62 of the Minister of the
Interior, adopted on 01.12.2015 [13]),
fingerprints from the age of 6,
signature sample (mandatory from the age of 15, voluntary from the age of 7 to the age of 14),
place of hand-over,
reason for applying,
date,
the Minimum Data Set listed in section 5 of Regulation 20 of the Minister of the Interior [10]
to collect the relevant identity data required to verify the identity of a person beyond doubt
at the time of application, including the following:
1) personal data (first name(s), last name(s), Estonian personal identification code or date of
birth, place of birth, sex),
2) citizenship,
3) contact information (street, house, apartment, city or village, county, postal code,
country, phone, email address),
7
other information, when necessary.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.1.2. Identity proofing and verification (natural person)
LOW
1. The person can be assumed to be in possession of evidence recognised by the Member State
in which the application for the electronic identity means is being made and representing the
claimed identity.
N/A because, in case of RP card the identity of the applicant and the validity and authenticity of their
document is always verified, not assumed. Please see the description in the following paragraphs for
substantial and high.
2. The evidence can be assumed to be genuine, or to exist according to an authoritative source
and the evidence appears to be valid.
N/A because in case of RP card the identity of the applicant and the validity and authenticity of their
document is always verified not assumed.
3. It is known by an authoritative source that the claimed identity exists, and it may be assumed
that the person claiming the identity is one and the same.
N/A because, in case of RP card the identity of the applicant and the validity and authenticity of their
document is always verified, not assumed.
SUBSTANTIAL
Level low, plus one of the alternatives listed in points 1 to 4 has to be met:
1. The person has been verified to be in possession of evidence recognised by the Member State
in which the application for the electronic identity means is being made and representing the
claimed identity and the evidence is checked to determine that it is genuine; or, according to an
authoritative source, it is known to exist and relates to a real person and steps have been taken
to minimise the risk that the person's identity is not the claimed identity, taking into account for
instance the risk of lost, stolen, suspended, revoked, or expired evidence.
Estonian eID is always issued as a part of the RP card issuance. The RP card is issued to third-country
nationals. Data about every RP card application is checked and recorded in ITDAK and in the ABIS [14]
in accordance with IDA [3]. A holder of an RP card will always receive an Estonian personal
identification code. All foreigners who have been issued an Estonian identity document under IDA [3]
8
are recorded centrally in the Estonian population register. Personal identification code is used as
unique identifier.
A third-country national needs to present a valid travel document issued by the country of their
origin of citizenship and recognised by the Republic of Estonia when applying for an RP card. To verify
the validity and authenticity of the presented travel document, the data on the document is checked
against available international databases. The authenticity of the presented travel document is verified
in accordance with the sample documents presented by the other country in the register for authentic
documents.
or
2. An identity document is presented during a registration process in the Member State where
the document was issued and the document appears to relate to the person presenting it and
steps have been taken to minimise the risk that the person’s identity is not the claimed identity,
taking into account, for instance, the risk of lost, stolen, suspended, revoked, or expired
documents.
In case of a third-country national, the initial identity-proofing is done based on a valid travel document
recognised by the Republic of Estonia in accordance with the Aliens Act [15].
3. Where procedures used previously by a public or private entity in the same Member State for
a purpose other than the issuance of electronic identification means provide for an equivalent
assurance to those set out in section 2.1.2. for the assurance level substantial, then the entity
responsible for registration need not to repeat those earlier procedures, provided that such
equivalent assurance is confirmed by a conformity assessment body referred to in article 2 (13) of
Regulation (EC) no. 765/2008 [16] of the European Parliament and of the Council (1) or by an
equivalent body.
N/A
4. Where electronic identification means are issued on the basis of a valid notified electronic
identification means having the assurance level substantial or high, and taking into account the
risks of a change in the person identification data, it is not required to repeat the identity proofing
and verification processes. Where the electronic identification means serving as the basis has not
been notified, the assurance level substantial or high must be confirmed by a conformity
assessment body referred to in article 2 (13) of Regulation (EC) no. 765/2008 [16] or by an
equivalent body.
N/A
HIGH
Requirements for either point 1 or 2 have to be met:
1. Level substantial, plus one of the alternatives listed in points (a) to (c) has to be met:
9
(a) Where the person has been verified to be in possession of photo or biometric identification
evidence recognised by the Member State in which the application for the electronic identity
means is being made and that evidence represents the claimed identity, the evidence is checked
to determine that it is valid according to an authoritative source; and the applicant is identified as
the claimed identity through comparison of one or more physical characteristic of the person with
an authoritative source.
A valid identity document is checked in accordance with the Aliens Act [15], the IDA [3], and regulations
issued based on those acts, as well as with the internal procedures and regulations of the issuing
authority. The personnel of issuing authority follows the routine procedure to check that the document
is genuine and corresponds to the data provided in either national or international registers, whether
the document provided is valid and not listed as lost, stolen, revoked, or expired. During application, a
physical and biometrical identity check of a person is conducted.
(b) Where procedures used previously by a public or private entity in the same Member State for
a purpose other than the issuance of electronic identification means provide for an equivalent
assurance to those set out in section 2.1.2. for the assurance level high, then the entity responsible
for registration need not to repeat those earlier procedures, provided that such equivalent
assurance is confirmed by a conformity assessment body referred to in article 2 (13) of Regulation
(EC) no. 765/2008 [16] or by an equivalent body and steps are taken to demonstrate that the
results of the earlier procedures remain valid.
N/A
(c) Where electronic identification means are issued on the basis of a valid notified electronic
identification means having the assurance level high, and taking into account the risks of a change
in the person identification data, it is not required to repeat the identity proofing and verification
processes. Where the electronic identification means serving as the basis has not been notified,
the assurance level high must be confirmed by a conformity assessment body referred to in article
2 (13) of Regulation (EC) no. 765/2008 [16] or by an equivalent body and steps are taken to
demonstrate that the results of this previous issuance procedure of a notified electronic
identification means remain valid.
N/A
or
2. Where the applicant does not present any recognised photo or biometric identification
evidence, the very same procedures used at the national level in the Member State of the entity
responsible for registration to obtain such recognised photo or biometric identification evidence
are applied.
N/A
10
2.1.3. Identity proofing and verification (legal person)
The RP card is used only for identification of natural persons; therefore 2.1.3. is not applicable.
2.1.4. Binding between the electronic identification means of natural
and legal persons
The RP card is used only for identification of natural persons; therefore 2.1.4. is not applicable.
2.2. Electronic identification means management
2.2.1. Electronic identification means characteristics and design
LOW
1. The electronic identification means utilises at least one authentication factor.
Please see the description in the following paragraphs for substantial and high.
2. The electronic identification means is designed so that the issuer takes reasonable steps to
check that it is used only under the control or possession of the person to whom it belongs.
Please see the description in the following paragraphs for substantial and high.
SUBSTANTIAL
1. The electronic identification means utilises at least two authentication factors from different
categories.
A two-factor authentication is required for using the eID functionality of the RP card: an RP card and
PIN codes. The first factor of authentication is being in possession of a RP card. The second factor of
authentication are the PIN codes that are issued together with the RP card. The person receives a
securely sealed envelope with three codes in it (PIN1, PIN2, PUK): PIN1 for authentication and
encryption purposes, PIN2 for a qualified electronic signature (compulsory change before first use),
and PUK to reset blocked PIN codes in the ID software.
The document holder possesses a unique private key which is used for authentication. Functions for
using this private key are protected with a PIN code, known only by the document holder.
2. The electronic identification means is designed so that it can be assumed to be used only if
under the control or possession of the person to whom it belongs.
The private key is stored in a secure module of a microchip on the RP card. The RP card with the secure
module is a physical device under the document holder’s control.
11
HIGH
Level substantial, plus:
1. The electronic identification means protects against duplication and tampering as well as
against attackers with high attack potential.
The secure module on the RP card is a QSCD certified device.
2. The electronic identification means is designed so that it can be reliably protected by the
person to whom it belongs against use by others.
The document holder has physical control over the authentication device. The document holder has
the option to change the PIN codes at any time by using ID software, when they know their PIN or PUK
code. PIN2 change is compulsory before first use. Certificate revocation service is available in
revocation portal using OTP (One-Time Password) or alternative state approved eID means 24/7, and
in service points during their operating hours.
2.2.2. Issuance, delivery, and activation
The process of issuance, delivery, and activation is regulated by the IDA [3] and the Consular Act [11].
LOW
After issuance, the electronic identification means is delivered via a mechanism by which it can
be assumed to reach only the intended person.
The RP card is issued in person. Additionally, there is a possibility to issue an RP card to a legal guardian
or an authorised representative assigned by the applicant at the time of applying for the document.
The RP card is issued at the issuing authority service point, at the external service provider’s service
point or in the foreign representation indicated in the application form. The choice of authorised
representative to receive the RP card and the place of receiving must be stated in the application. The
authorised representative to receive the RP card cannot be changed later in the process. This option
can be applied if the person has provided the application in person at the issuing authority service
point or in the foreign representation, in self-service or electronically signed via email.
In case of an authorised representative or legal guardian, the authorised person provides their own
identity document.
SUBSTANTIAL
After issuance, the electronic identification means is delivered via a mechanism by which it can
be assumed that it is delivered only into the possession of the person to whom it belongs.
The RP card is issued only personally to the applicant, their legal guardian or to an authorised
representative (who has been appointed at the application) after identity-proofing. This includes
checking the person’s document and identity checks into ITDAK and ABIS. The authenticity of the
12
presented identity document is verified in accordance with ITDAK or register of authentic documents
when necessary. This indicates that the eID means is delivered only into the possession of the person
who applied for it and to whom it belongs.
HIGH
The activation process verifies that the electronic identification means was delivered only into the
possession of the person to whom it belongs.
The documents are delivered to the service points (PBGB and external service provider’s service point
and foreign representation) in a secure document bag. The contents of the bags are checked by the
authorised personnel and confirm the receipt of the delivery electronically.
RP cards are delivered to the issuing authority service point, external service provider’s service point
or the foreign representation in an electronically suspended state (meaning that the eID functionality
is not active). If an RP card is issued at the issuing authority service point to the applicant personally,
to a legal guardian or to an authorised representative, the RP card is activated by the issuing authority
after the identity-proofing of the receiver, who confirms with their handwritten signature that they
have received the document in its entirety (the receiver confirms that the RP card was received, the
envelope was intact and data correct).
If the RP card is handed over at a foreign representation, the physical RP cards are delivered there by
diplomatic mail in an electronically suspended state. Once the foreign representation has proven the
identity of the applicant and handed over the document, the necessary actions are carried out via the
MFA information systems, and a request to activate the document is sent to the ITDAK. If the document
is handed over by an honorary consul, they inform the relevant embassy of the issuance, and the
embassy performs the required actions.
Once the document is handed over, the necessary actions are carried out in the service provider
information system, and a request to activate the document is sent to the ITDAK.
2.2.3. Suspension, revocation, and reactivation
After issuance of RP card, the certificates cannot be suspended and reactivated by the certificate owner.
Only revocation is allowed.
The legal framework of revocation of the electronic identification means is set by the eIDAS Regulation
[2], with its implementing acts, and is regulated at the national level by the IDA [3] and eID CP [6]. The
document holder is obliged to notify the issuing authority in case of theft or loss of the RP card, so that
the certificates can be revoked.
Revocation of certificates can be done in person by appearing in a service point of the issuing authority
or using revocation portal which is accessible 24/7. Revocation of the certificates means that the
certificates are revoked; therefore, electronic functionality cannot be used.
13
LOW
1. It is possible to suspend and/or revoke an electronic identification means in a timely and
effective manner.
Suspension of certificates after activating the certificate is not possible.
The certificates of an RP card can be revoked in the issuing authority service point in person or in
revocation portal. A certificate owner may request revocation of their own certificates or for another
person over which they have legal custody. E-services cannot be used/accessed if the certificates are
revoked.
At the service point, the certificate owner is identified by the official of service point, and the
revocation request must be signed by the certificate owner. The official of service point verifies the
person filing for revocation in accordance with the PBGB identity verification procedures and checks
the legality to request revocation.
In the online revocation portal, the certificate owner is authenticated electronically with an alternative
state approved eID means or an OTP, and revocation requests are forwarded to the CA via the X-tee
secure authenticated channel. The CA authenticates and executes the request automatically and
immediately. If the request is accepted, it is executed without delay.
After revocation is completed, the certificate status in the CA interface is set as revoked and the
certificates cannot be used; therefore, e-services cannot also be used. The physical document remains
valid until the expiry of the document. To regain access to e-services after revocation has been
completed, a new RP card must be issued (with new certificates); therefore, the enrolment procedure
is applied as described in section 2.1.1.
2. The existence of measures taken to prevent unauthorised suspension, revocation, and/or
reactivation.
Suspension of certificates after activating the certificate is not possible.
Revocation can be performed only in the service point of the issuing authority after physical
identification or in revocation portal and cannot be reversed.
3. Reactivation shall take place only if the same assurance requirements as established before
the suspension or revocation continue to be met.
Since suspension of certificates after activating the certificate is not possible, then reactivation is not
applicable. Certificates in the status revoked cannot be reactivated. Revocation of the RP card or the
certificates can be done only in a service point of the issuing authority or in revocation portal.
SUBSTANTIAL
Same as level low.
14
HIGH
Same as level low.
2.2.4. Renewal and replacement
LOW
Taking into account the risks of a change in the person identification data, renewal or replacement
needs to meet the same assurance requirements as initial identity proofing and verification or is
based on a valid electronic identification means of the same, or higher, assurance level.
According to the IDA [3], a person is obliged to notify the issuing authority if the personal identification
data (in case of name change or other) has been changed within one month’s time and apply for a new
RP card as described in section 2.1.1. Therefore, it is the responsibility of the document holder to keep
the person’s identification data up to date.
For renewal of the RP card on case of expiry, loss, theft or damage, the person must fill in the
application, providing personal data (including biometric data) and the enrolment procedure is applied
as described in section 2.1.1
The re-key of certificates is required, for example, in case of security vulnerabilities or cryptographic
updates that might have an impact on the security of already issued RP cards or to remain QSCD
certified. Certificate re-key can be carried out after the identity-proofing procedure (either physical or
electronic authentication), where the data provided is checked against the ITDAK and the Estonian
population register.
If an RP card malfunction falls under warranty (for example, RP card cannot be used electronically),
then the new RP card and certificates are issued for the same period of validity without a charge to the
document holder.
SUBSTANTIAL
Same as level low.
HIGH
Level low, plus: Where renewal or replacement is based on a valid electronic identification means,
the identity data is verified with an authoritative source.
Certificate re-key can be performed in the service point of the issuing authority or remotely via ID card
administration portal.
Prerequisites for the certificate re-key:
RP card is whitelisted for the re-key by the issuing authority,
RP card is valid and electronically functional,
RP card certificates are valid,
15
person knows PIN1 of the RP card.
If PIN1 is not known, the document holder can set new PIN code in the ID software by entering PUK.
The document holder can log in to ID card administration portal via State Authentication Service TARA.
Document holder must insert the RP card to a smart card reader, agree with the terms and conditions
for the use of certificates and initiate the process by inserting PIN1.
Certificate re-key at a service point of the issuing authority is done after the physical identification
procedure, where the data provided is checked against the ITDAK and the Estonian population register.
Document holder will sign an application for re-key, insert their RP card to the smart card reader and
enter PIN1.
During the process of re-key, the new keys and certificates are generated and will be in active state,
previous certificates will be revoked automatically by the CA. Document holder will receive a
notification from the issuing authority about the revocation and issuance of new certificates to their
official [personalidentificationcode]@eesti.ee email address.
The warranty application can be submitted in the service point of the issuing authority after the physical
identification procedure or in cases of the document holder’s request (via helpline and email) where
the data provided is checked against the ITDAK. A new RP card is issued in a service point of the issuing
authority, external service provider or the foreign representation after the physical identification
procedure (authorisation is permitted, when the applicant appoints the representative during
application).
2.3. Authentication
The authentication mechanism of the RP card in case of Transport Layer Security (TLS) Client Certificate
Authentication (CCA) is described on the following caption.
16
Caption 1 Authentication of the RP card
Since autumn 2022, it has also been possible to use Web eID for authentication. Web eID
authentication uses the same mechanism, but it is implemented in the application layer, not in the
transport layer like TLS CCA. Web eID authentication is described on the following caption 2.
17
Caption 2 Web eID authentication diagram
2.3.1. Authentication mechanism
LOW
1. The release of person identification data is preceded by reliable verification of the electronic
identification means and its validity.
At the beginning of authentication, the certificate validity can be checked by the OCSP (Online
Certificate Status Protocol) service or by using current CRL (Certificate Revocation List). Certificate
validity checks are made by the website/-service.
2. Where person identification data is stored as part of the authentication mechanism, that
information is secured in order to protect against loss and against compromise, including analysis
offline.
For secure transaction and authentication, the TLS is used. Data on the RP card certificates are
considered as public data.
3. The authentication mechanism implements security controls for the verification of the
electronic identification means, so that it is highly unlikely that activities such as guessing,
eavesdropping, replay, or manipulation of communication by an attacker with enhanced-basic
attack potential can subvert the authentication mechanisms.
18
With the correct implementation and usage of PKI technology, where a private key is under the sole
control of the document holder, guessing, eavesdropping, replay, or manipulation of communication is
not possible.
SUBSTANTIAL
Level low, plus:
1. The release of person identification data is preceded by reliable verification of the electronic
identification means and its validity through a dynamic authentication.
On TLS authentication, the person’s certificate validity can be checked with the OCSP or with the CRL.
2. The authentication mechanism implements security controls for the verification of the
electronic identification means, so that it is highly unlikely that activities such as guessing,
eavesdropping, replay, or manipulation of communication by an attacker with moderate attack
potential can subvert the authentication mechanisms
With the correct implementation and usage of PKI technology, where a private key is under the sole
control of the document holder, guessing, eavesdropping, replay, or manipulation of communication is
not possible.
HIGH
Level substantial, plus: The authentication mechanism implements security controls for the
verification of the electronic identification means, so that it is highly unlikely that activities such
as guessing, eavesdropping, replay, or manipulation of communication by an attacker with high
attack potential can subvert the authentication mechanisms.
With the correct implementation and usage of PKI technology, where a private key is under the sole
control of the document holder, guessing, eavesdropping, replay, or manipulation of communication is
not possible.
2.4. Management and organisation
The Estonian eID scheme is based on nationally issued identity documents. In the Republic of Estonia,
the Ministry of the Interior is responsible for identity management policy.
Two types of parties can be distinguished within the Estonian eID scheme: public and private. Both
public and private parties must comply with requirements that come from European and national
legislation.
Public authorities
Public authorities act in the public interest according to laws and regulations and are subject
to special obligations of due diligence.
19
The Ministry of the Interior
The Ministry of the Interior is tasked with developing the policy of identity management and the policy
of issuing the personal identification documents for Estonian citizens and foreigners and coordinating
the activities of government authorities.
Estonian Police and Border Guard Board (PBGB)
The PBGB is the issuing authority. This is the institution of executive power within the area of
government of the Estonian Ministry of the Interior and, among the main functions, ensures protection
of public order, organisation of matters of border management, citizenship, and migration by carrying
out national legislation, state supervision, and applying enforcement powers of the state on the basis,
the extent, and condition. The functions, rights, and organisation of the police and the legal bases of
the police service are provided in the Police and Border Guard Act [17] and the Statutes of the Police
and Border Guard Board [18].
According to the IDA [3], the PBGB has the competence of making a decision on issuance and
revocation of an identity document. The IDA allows the PBGB to transfer duties for the hand-over of
documents to an external service provider. Additionally, the IDA allows the PBGB to transfer the duties
for the issuance of certificates. Certificates are generated during the personalisation process by the
qualified trust service provider (QTSP), who is managing the whole life cycle of the qualified
certificates.
Development, preparation of tenders and contracts, implementation, objectively certain and secure
identification and management (including procedures concerning complaints) for identity documents
(including the national RP card) are the main responsibilities of the Identity and Status Bureau of PBGB.
Personalisation site is responsible for the distribution of all types of identity documents (including the
RP card) to the issuing locations.
IT and Development Centre, Ministry of the Interior (SMIT)
SMIT is responsible for ensuring the information and communication technology service development
and management within the ministry governing area. The functions, rights, and organisation are
provided in the Statutes SMIT [19].
Information System Authority (RIA)
RIA is a government body responsible for:
- eID technical architecture,
- development of client/end-user software,
- chip technical specification,
- application for eID middleware,
- Estonian Information Security Standard [20],
- collecting, analysing, solving security incidents and informing them to ENISA (CERT, E-ITS [20]),
- creating and ensuring technical solutions/platform for both domestic and cross-border
accessing of e-services and
- performing the functions of a point of single contact under eIDAS Regulation [2].
20
RIA is also the Supervisory Body, who is responsible for supervisory tasks that are set out in eIDAS
Regulation [2]:
- the assessment of qualified status of trust services and issuance of licenses to provide trust
services,
- the managing of trust list of Estonian trust service providers,
- supervising of notified trust services providers in meeting the established requirements.
The functions, rights, and organisation are provided in the Statutes of the RIA [21].
In the Estonian public sector, all information systems, including the eID scheme must comply with the
Estonian Information Security Standard (E-ITS) [20].
The objective of E-ITS is to develop and promote the level of information security in both the Estonian
public and private sectors by presenting a basis for information security in Estonia, compliant with the
Estonian legal system, which is also aligned with the internationally recognised information security
management standard ISO/IEC 27001. The development process of the E-ITS is based on the German
BSI IT-Grundschutz baseline security system [22].
The Ministry of Foreign Affairs (MFA)
The MFA is responsible for accepting residence permit applications, forwarding collected applications
to the PBGB for issuing residence permits and RP cards, and for handing over RP cards in the foreign
representations.
Private parties
Private parties take over tasks as contractors of public authorities or carry out market roles within the
Estonian eID scheme that are not executed by public authorities. The exact role and responsibilities of
the private parties will be agreed upon in the concluded contracts in accordance with the IDA [3].
Card manufacturer
The PBGB has a contract with Thales DIS Finland OY for ID-1 format identity document blanks,
personalisation and related services. Thales DIS Finland OY’s subcontractor is Hansab AS.
The card manufacturer is responsible for:
production, processing and logistics of document blanks with a chip certified as a QSCD,
the provision of document personalisation services (provided by subcontractor of card
manufacturer),
the provision of post-issuance services for documents,
processing of personal data in accordance with Estonian, EU and international regulations,
standards, requirements and instructions.
Certification Authority (CA)
The PBGB has a contract with Zetes SA for the provision of certification and qualified trust services.
The duties of the CA in certification service and qualified trust service cover the following:
21
issuance of root certificates and intermediate certificates for the creation of a certificate chain,
issuance of qualified certificates for electronic signatures and certificates for authentication
and encryption,
service of Subscriber certificates,
provision of OCSP responder service,
provision of CRL service,
provision of LDAP directory service,
provision of test services.
External Service Provider
According to section 31 of the IDA [3], at the request of the applicant, the issuing authority may deliver
the document through a secure service provider. The secure service provider shall be determined by
the issuing authority.
The PBGB has a contract with Hansab AS for external service provision. Hansab AS provides the service
of handing over identity documents through a subcontractor, who hands out documents in external
service provider’s service points nation-wide.
Requirements for external service providers must ensure that the service provided is equally secure as
the service provided by issuing authority and foreign representations. Requirements for the external
service provider are set out in the contract.
Helpline
ID software user support for electronic use of ID cards and ID software is available workdays 8.30-17.00
by phone +372 666 8888 or email [email protected], additionally www.id.ee is available for user support.
2.4.1. General provisions
LOW
1. Providers delivering any operational service covered by this regulation are a public authority
or a legal entity recognised as such by national law of a Member State, with an established
organisation, and fully operational in all parts relevant for the provision of the services.
The IDA [3] and the Statutes of the PBGB [18] apply to any operational service covered in the Estonian
eID scheme; hence, the requirement is fulfilled.
2. Providers comply with any legal requirements incumbent on them in connection with operation
and delivery of the service, including the types of information that may be sought, how identity-
proofing is conducted, what information may be retained, and for how long.
Operations of all entities involved in the Estonian eID scheme are directly governed by national
legislation and subordinate regulations. The legislation and enforcement of procedures about identity-
proofing are described previously under section 2.1.2.; hence, the requirement is fulfilled.
22
3. Providers are able to demonstrate their ability to assume the risk of liability for damages, as
well as their having sufficient financial resources for continued operations and providing of the
services.
According to the Electronic Identification and Trust Services for Electronic Transactions Act [5], the CA
shall have a liability insurance contract, with the sum insured at least in the amount of one million
euros annually per each single insured event and at least one million euros per all events in total.
The CA and card manufacturer shall have a valid performance warranty for the duration of the contract.
During the term of the contract, the private party shall hold a non-life insurance contract with an
insurer authorised in Estonia, the EU or another Member State of the European Economic Area to
which the PBGB is a beneficiary.
PBGB has established fines for external service providers for breach of contract.
4. Providers are responsible for the fulfilment of any of the commitments outsourced to another
entity, and compliance with the scheme policy, as if the providers themselves had performed the
duties.
Private parties are responsible for the fulfilment of all commitments outsourced to another entity and
compliance with the policies as stated (including an obligation to notify about the subcontractors) in
the contract with the PBGB.
5. Electronic identification schemes not constituted by national law shall have in place an effective
termination plan. Such a plan shall include orderly discontinuations of service or continuation by
another provider, the way in which relevant authorities and end users are informed, as well as
details on how records are to be protected, retained and destroyed in compliance with the scheme
policy.
Estonian eID scheme is constituted by national law; therefore, a termination plan is not applicable.
Subcontractors have contractual obligations to the continuation of service throughout the validity
period of the issued certificates. As of 01.07.2017, electronic authentication is listed as a vital service
in the Emergency Act [23] and is considered as a provider of a service of general interest; therefore,
the General Part of the Economic Activities Code Act [24] applies.
Termination of CA is stipulated in eID CPS [7].
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
23
2.4.2. Published notices and user information
LOW
1. The existence of a published service definition that includes all applicable terms, conditions,
and fees, including any limitations of its usage. The service definition shall include a privacy policy.
The service of issuing identity documents ensures the issuance of national identity documents under
the conditions and timeframe set out in national legislation (IDA [4] and Regulation 20 of the Minister
of the Interior, as of 01.08.2025 [10]), accepting the application for procedures during which the
decision to issue, or not to issue, the document is made, and the issuance of the document. Quality
control includes “four eyes” principle, where two different officials are involved in the issuance of the
document. The IDA [3] also sets the rules for revocation of the document and/or certificates.
Applicable terms and conditions (including any limitations of usage and privacy policy) are defined and
explained under section 2.1.1. The fees for RP card are regulated by the Statutory Fees Act [25]. Usage
of personal data and privacy is regulated by the GDPR [26], the Personal Data Protection Act [27], which
provides the conditions and procedure for processing of personal data, the procedure for the exercise
of state supervision and administrative supervision upon processing of personal data, and liability for
a violation of the requirements for processing of personal data. The statutes of ITDAK [28] and ABIS
statute [14] provide the specifics of what data is collected, the preservation period of collected data
etc.
2. Appropriate policy and procedures are to be put in place in order to ensure that users of the
service are informed in a timely and reliable fashion of any changes to the service definition and
to any applicable terms, conditions, and privacy policy for the specified service.
PBGB is fully responsible for coordinating change management and communication of all aspects of RP
card issuance in a timely and reliable fashion, without undue delay. PBGB is responsible for putting
appropriate policies and procedures in place, ensuring that users of the service are informed in a timely
and reliable fashion of any changes to the service definition, any applicable terms, conditions, and
privacy policy.
3. Appropriate policies and procedures are to be put in place that provide for full and correct
responses to requests for information.
PBGB’s internal process provides the guidelines for issuance and services related to identity documents
after their issuance (e.g. revocation of certificates). Additionally, the terms and conditions are referred
to under section 2.1.1.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
24
2.4.3. Information security management
LOW
There is an effective information security management system for the management and control
of information security risks.
Please see the description below under substantial.
SUBSTANTIAL
Level low, plus: The information security management system adheres to proven standards or
principles for the management and control of information security risks.
E-ITS [20] is compulsory for all state and local government organisations who handle
databases/registers. Therefore, all internal procedures for development and maintenance are created
and managed based on E-ITS [20] security levels and classes. E-ITS [20] is a tool for risk and security
management; hence, the requirement is fulfilled. State supervision for E-ITS [20] compliance is
conducted by RIA.
Private parties adhere to and provide certificates of audits (eIDAS and ISO) which demonstrate
following proven standards and principles for the management and control of information security
risks, as previously stated under 2.4.
HIGH
Same as level substantial.
2.4.4. Record-keeping
Collecting data and records, maintenance, archiving, and protection of all relevant records and data is
required and regulated by European (eIDAS Regulation [2], GDPR [26]) and national legislation,
subordinate regulations, and internal procedures.
LOW
1. Record and maintain relevant information using an effective record-management system,
taking into account applicable legislation and good practice in relation to data protection and data
retention.
The Public Information Act [29] provides the conditions of, procedure for, and methods of access to
and reuse of public information and the bases for refusal to grant access to information, restricted
public information, and the procedure for granting access thereto to the extent not regulated by other
acts, the bases for establishment and administration of databases, and supervision over the
administration of databases, the procedure for the exercise of state supervision, and administrative
supervision over the organisation of access to information.
25
The Personal Data Protection Act [27] provides for the conditions and procedure for the processing of
personal data, the procedure for the exercise of state supervision and administrative supervision upon
the processing of personal data, and liability for a violation of the requirements for the processing of
personal data.
The Statutes of ITDAK [28] and ABIS [14] provides that for ensuring availability, integrity, and
confidentiality of data protection in databases, the organisational, physical, and information
technology security measures must be implemented. Section 18 of ITDAK Statutes provides that data
records are kept 75 years. The ITDAK has a service-level agreement between the PBGB and the ICT
service provider (SMIT), in which are stated quality parameters, E-ITS security classes, and highest data
loss tolerance.
The Statutes of ABIS [14] provides that data records are kept actively for 15 years, after that for 60
years.
2. Retain, as far as it is permitted by national law or other national administrative arrangement,
and protect records for as long as they are required for the purpose of auditing and investigation
of security breaches, and retention, after which the records shall be securely destroyed.
Please see description in 2.4.4/1.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.4.5. Facilities and staff
Estonian eID is managed by an Estonian government body (PBGB); therefore, all human resource
decisions are laid down in official administrative procedures according to the national legislation; in
particular, based on the Civil Service Act [30] and Police and Border Guard Board Act [17].
Additionally, E-ITS [20] facilitates requirements for both facilities and staff.
The manufacturing site of the card manufacturer is certified throughout the contract period according
to the following standards:
Intergraf's ISO 14298 - level Governmental,
ISO 9001 Quality Management System – requirements,
ISO/IEC 27001 Information technology – Security techniques – Information security
management systems – Requirements,
PCI CPP Physical Security Requirements and Test Procedures for the transportation of
documents from the manufacturing site to the personalisation site via secure transportation.
26
The personalisation site and processes of the card manufacturer are compliant with the following
regulations and standards:
Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic
identification and trust services for electronic transactions in the internal market, as amended
by Regulation (EU) 2024/1183 as regards establishing the European Digital Identity Framework
(always referred together as eIDAS regulation),
ISO 9001 Quality Management System – requirements,
ISO/IEC 27001 Information technology – Security techniques – Information security
management systems – Requirements,
PCI CPP - Logical Security Requirements and Test Procedures,
PCI CPP - Physical Security Requirements and Test Procedures,
ISO 9001 Quality Management System – requirements,
ISO/IEC 27001 Information technology – Security techniques – Information security
management systems – Requirements,
PCI CPP - Logical Security Requirements and Test Procedures,
PCI CPP - Physical Security Requirements and Test Procedures,
PCI Data Security Standard.
The card manufacturer ensures compliance with all relevant EU, Estonian and international legal acts,
standards and recommendations as well as the relevant electronic identification and CA rules at all
times throughout the contract and in case any amendments or updates are introduced, card
manufacturer shall ensure compliance with all amended and updated requirements without any delay.
LOW
1. The existence of procedures that ensure that staff and subcontractors are sufficiently trained,
qualified and experienced in the skills needed to execute the roles they fulfil.
In public authorities, staff are employed and trained according to dedicated job profiles (general
framework and qualification requirements) and job descriptions (detailed work characteristics and
responsibilities). Both originate from state development plans, work plans, cooperation agreements,
and the needs specified by the service owner of PBGB. Where relevant, additional dedicated training
programmes for staff members also exist (e.g., identity-proofing and fraud). This ensures that
procedures are performed by trained, qualified, and experienced staff. Background checks are
implemented during recruitment and employment as a routine precautionary measure in accordance
with Police and Border Guard Act [17]. Duties are performed according to formalised processes, and
special obligations of due diligence exist. Job profiles, training programmes, procedures, and processes
are monitored and updated on a regular basis as part of the state public service.
Implementing E-ITS [20] or ISO 27001 [31] requirements facilitate the existence of procedures that
ensure that staff and subcontractors are sufficiently trained, qualified, and experienced in the skills
needed to execute the roles they fulfil.
The requirements for private parties come from the eIDAS Regulation [2], the Electronic Identification
and Trust Services for Electronic Transactions Act [5], and the contracts. All specific standards and
requirements set out in the previously mentioned under contractors are applicable to the
27
subcontractor(s) depending on their role. The CPs for the ID-1 format identity documents are publicly
available electronically on CA webpage [6] and www.id.ee webpage, CPSs are available on CA webpage
[8].
2. The existence of sufficient staff and subcontractors to adequately operate and resource the
service according to its policies and procedures.
Public authorities have been provided with resources and staff according to the administrative effort
of the corresponding services as part of legislative procedures, which are reassessed on a yearly basis
as part of yearly estimations and analysis. Additionally, implementing E-ITS [20] or ISO [31]
requirements facilitate the existence of sufficient staff and subcontractors to adequately operate and
resource the service according to its policies and procedures.
The requirements for private parties come from the eIDAS Regulation [2], the Electronic Identification
and Trust Services for Electronic Transactions Act [5], and the contract. The CPs for the ID-1 format
identity documents are publicly available electronically on CA webpage [6] and www.id.ee webpage,
CPSs are available on CA webpage [8].
3. Facilities used for providing the service are continuously monitored for, and protect against,
damage caused by environmental events, unauthorised access, and other factors that may impact
the security of the service.
Implementing E-ITS [20] or ISO [31] requirements facilitate continuous monitoring for, and protection
against, damage caused by environmental events, unauthorised access, and other factors that may
impact the security of the service of facilities used for providing the services.
The requirements for contractors come from the eIDAS Regulation [2], the Electronic Identification
and Trust Services for Electronic Transactions Act [5], and the contracts. The contractors have an
insurance policy to provide the security of the service.
The bases of continuity of vital services are regulated in the Emergency Act [23].
Physical security requirements for manufacturing and personalisation process and physical security
requirements for the personalisation site come from the PCI standards (as described in 2.4.5). The
physical and information systems security of the MFA is regulated with different internal organisational
documents.
4. Facilities used for providing the service ensure that access to areas holding or processing
personal, cryptographic, or other sensitive information is limited to authorised staff or
subcontractors.
Implementing E-ITS [20] or ISO [31] requirements ensure that access to areas holding or processing
personal, cryptographic, or other sensitive information is limited to authorised staff or subcontractors.
The archival rules referred to in 2.4.4 regulate and specify the requirements for assessment and
safekeeping of the records at public institutions or persons until their handover to the public archive
28
and the rules of handover, preservation, protection in the public archive, access management,
including issuance of the archival notice of the archive records.
Additionally, why and how data is gathered, kept, and handled and who has access to the data are
defined in the statutes of a particular database. This includes information system access control, which
is monitored in terms of who has which access rights, for how long, and given by whom. This ensures
that access rights are backwards traceable, should there be a need to identify who, when, why, and
where has granted access.
The requirements for private parties come from the eIDAS Regulation [2], the Electronic Identification
and Trust Services for Electronic Transactions Act [5], the contracts, also from the eID CP [6]. The private
party responsible for manufacturing and personalisation of the RP cards operates under the PCI
standards (as described in 2.4.5) that cover the physical security part and personnel requirements.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.4.6. Technical controls
LOW
The service system is hosted by a qualified trust service provider, published in the national trusted list:
https://sr.riik.ee/en/trusted-list/ and in the EU trusted list: https://eidas.ec.europa.eu/efda/trust-
services/browse/eidas/tls.
eID CPS, eID CP, terms and conditions are available at https://repository.eidpki.ee/repository/.
Conformity assessments reports are provided upon request and under nondisclosure agreement.
1. The existence of proportionate technical controls to manage the risks posed to the security of
the services, protecting the confidentiality, integrity, and availability of the information
processed.
Requirements for the existence of proportionate technical controls to manage the risks posed to the
security of services, protecting the confidentiality, integrity, and availability of the information
processed for contractors, come from European and national legislation, and the contracts. Data
between the PBGB, the card manufacturer, and CA transfers through secure PBGB exchange interface
HUB.
The data exchange takes place as a transmission of messages over the X-tee data exchange layer,
ensuring secure, standardised, and auditable message-based communication. Generic information on
X-tee can be found at https://www.ria.ee/en/state-information-system/x-tee.html.
29
As part of the Estonian eID scheme, a new intermediary service called HUB has been introduced to
support and standardise data exchange related to the issuance of ID-1 format identity documents. HUB
is a gateway-type service that mediates communication between the parties involved in the RP card
issuance process - the issuing authorities, the document manufacturer, and the QTSP. All data exchange
through HUB takes place over the X-tee data exchange layer, ensuring secure, auditable, and
standardised communication.
The primary role of HUB is to manage and mediate:
requests for personalisation orders of ID-1 format identity documents sent from issuing
authorities to the manufacturer,
notifications of personalisation order and delivery package status changes back to the
corresponding issuing authority systems, and
requests for certificate generation, activation, revocation, and related status queries sent to
the QTSP.
HUB enables the transmission of trust service responses both to the issuing authorities’ systems and
to the card manufacturer(s). By acting as a single intermediary, HUB reduces direct system-to-system
integrations and ensures consistent handling of processes and data.
The introduction of HUB aims to:
standardise communication between all parties involved in ID1 document issuance,
provide auditable and traceable data exchange,
increase resilience and efficiency by supporting the parallel or alternative use of different
QTSPs when requesting certificates.
2. Electronic communication channels used to exchange personal or sensitive information are
protected against eavesdropping, manipulation, and replay.
Requirements for the existence of proportionate technical controls to manage the risks posed to the
security of services, protecting the confidentiality, integrity, and availability of the information
processed for contractors, come from European and national legislation, and the contracts. Data
between the PBGB, the card manufacturer, and CA transfers through secure PBGB exchange interface
HUB.
3. Access to sensitive cryptographic material, if used for issuing electronic identification means
and authentication, is restricted to the roles and applications strictly requiring access. It shall be
ensured that such material is never persistently stored in plain text.
Requirements for access restrictions for contractors come from the eIDAS Regulation [2], the Electronic
Identification and Trust Services for Electronic Transactions Act [5], and the contracts.
4. Procedures exist to ensure that security is maintained over time and that there is an ability to
respond to changes in risk levels, incidents, and security breaches.
30
Security and risk management:
a) Middleware software (including card drivers) is maintained by the state and is frequently
updated.
b) In case of security vulnerabilities or cryptographic updates that might have an impact on the
security of already issued RP cards or to remain QSCD certified, the re-key of the certificates
shall be possible via ID card administration portal.
c) To prevent the potential digital misuse, the certificates can be revoked using revocation portal
which is accessible 24/7 to all RP card holders.
Requirements for contractors come from the eIDAS Regulation [2], the Electronic Identification and
Trust Services for Electronic Transactions Act [5], and the contracts. IDA [3] allows the issuing authority
to revoke the certificates, when necessary.
5. All media containing personal, cryptographic, or other sensitive information are stored,
transported, and disposed of in a safe and secure manner.
Requirements for contractors come from the eIDAS Regulation [2] (QTSP requirements), the Electronic
Identification and Trust Services for Electronic Transactions Act [5] and other applicable national
legislative acts, the tender documents, and the contracts.
SUBSTANTIAL
Same as level low,
plus: Sensitive cryptographic material, if used for issuing electronic identification means, and
authentication is protected from tampering.
Requirements for contractors come from the eIDAS Regulation [1], and other applicable national
legislative acts, and the contracts.
HIGH
Same as level substantial.
2.4.7. Compliance and audit
CA is subject to the eIDAS Regulation [2], with its implementing acts, and, at the national level, is
regulated by the Electronic Identification and Trust Services for Electronic Transactions Act [5].
CA has been audited by the certification body LSTI-Apave SAS (Conformity Assessment Body is
accredited for the certification of trust services according to ISO/IEC27001 and ETSI EN 319 403 [32])
and confirmed as a QTSP according to article 3 (20) of eIDAS by RIA. The initiation and supervisory
activities of the CA and its qualified trust service provided, and lifecycle management of the related
qualified status are carried out according to the figure below. The CA activities are under regular
supervision throughout the lifecycle of such services, from their commencement to their termination.
The CA has an obligation to communicate with RIA regarding any changes in the provision of its
qualified trust services, data set out in a notification according to paragraph 1 of article 21 of eIDAS
31
[2}, and any incidents concerning a breach of security or loss of integrity. The qualified trust services
provided by CA are in accordance with the requirements laid down in eIDAS [2], the ETSI European
Standard (ETSI EN), and national regulations. Information related to the CA and provided services have
been entered into the national trusted list by the validity of the relevant conformity assessment report,
in general, for 2 years. Detailed information regarding the CA, provided services, certificates,
certification practice statements, policies, and conformity assessment reports are available at the
website https://repository.eidpki.ee/repository/.
Activities for QTSP/QTS initiation and lifecycle management of the related qualified status of trust
service level is described on the following caption 3.
32
Caption 3 activities for QTSP/QTS initiation and lifecycle management of the related qualified status at trust service level
LOW
The existence of periodical internal audits scoped to include all parts relevant to the supply of the
provided services to ensure compliance with relevant policy.
Please see the detailed description in the following section high.
33
SUBSTANTIAL
The existence of periodical independent internal or external audits scoped to include all parts
relevant to the supply of the provided services to ensure compliance with relevant policy.
Please see the detailed description in the following section high.
HIGH
1. The existence of periodical independent external audits scoped to include all parts relevant to
the supply of the provided services to ensure compliance with relevant policy.
The contractors of the PBGB and their subcontractors in connection with the issuance of documents
(including the RP card) must be audited accordingly and/or comply with requirements of standard(s)
(ETSI, PCI and/or ISO) until the expiry of the contracts or until the expiry of the last certificate pair
issued and/or renewed according to the specifics of particular standard or audit. The CA is audited
every year by a conformity assessment body, and RIA, as the Supervisory Body, confirms that the CA
fulfils the requirements laid down in eIDAS [2] and national laws for a QTSP. CA is audited at least
every 2 years to confirm that the CA and the qualified trust services provided by them fulfil the
requirements laid down in eIDAS [2] and national law. E-ITS [20] preliminary audit was conducted in
March 2025, main audit begun in the beginning of September 2025.
2. Where a scheme is directly managed by a government body, it is audited in accordance with
the national law.
Estonian eID scheme is subject to national law; therefore, it is under supervisory control of the state.
Supervisory control is conducted in an administrative authority by a higher authority over the
subordinate administrative agency in terms of the lawfulness in actions and feasibility in functions.
Supervisory control of Estonian governmental authorities and agencies is regulated by chapter 7 of the
Government of the Republic Act [33]; hence, this requirement is fulfilled.
The PBGB is a government body supervised according to national laws and other legal acts applicable
to government bodies. Supervisory control is done by the Ministry of the Interior, as the PBGB is an
agency under the ministry. Supervisory control of the RIA is done by the Ministry of Justice and Digital
Affairs.
The PBGB has an internal audit bureau which provides independent, objective, and consulting activities
to create value and fulfilling organisational activities. Internal audits help to fulfil the organisational
objectives by using a systematic approach for evaluating and improving risk management, control, and
efficiency in organisation management culture processes. The activities of the Internal Audit Bureau
are based on the international standards of the Institute of Internal Auditors (external conformity
assessment conducted in 2025). The work of the Internal Audit Bureau is regulated by the PBGB
internal regulation. Risk management in the PBGB is regulated by the PBGB risk management
framework.
34
List of References
[1] Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on
Published: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02015R1502-
20220711
[2] Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market, as amended by Regulation (EU) 2024/1183 as regards establishing the European Digital Identity Framework (always referred together as eIDAS regulation) Reference: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02014R0910-
20241018
[3] Identity Documents Act (IDA)
Published: https://www.riigiteataja.ee/en/eli/ee/505012026002/consolide/current
[4] Subscriber Terms and Conditions for Certificates issued by Zetes Estonia OÜ for ID-1 format
identity documents of the Republic of Estonia
Published: https://repository.eidpki.ee/repository/
[5] Electronic Identification and Trust Services for Electronic Transactions Act
Published: https://www.riigiteataja.ee/en/eli/ee/529122024007/consolide/current
[6] Certificate Policy for ID-1 format identity documents of the Republic of Estonia” (eID CP)
Published: https://www.id.ee
[7] Zetes Estonia OÜ - Certification Practice Statement for the Intermediate CA for ID-1 documents
of the Republic of Estonia (eID CPS)
Published: https://repository.eidpki.ee/repository/
[8] www.id.ee webpage
https://www.id.ee/ , in English: https://www.id.ee/en/
[9] Important points to remember for document users
https://www.politsei.ee/en/important-points-to-remember-for-document-users
[10] Regulation No 20 of the Minister of the Interior, as of 01.08.2025 (only in Estonian)
Published: https://www.riigiteataja.ee/akt/129072025001
[11] Consular Act
Published: https://www.riigiteataja.ee/en/eli/ee/516122025001/consolide/current
[12] ABIS Database information
Published: https://www.siseministeerium.ee/en/abis
[13] Regulation No. 62 of the Minister of the Interior “Requirements for a photograph when applying
for an identity document” (only in Estonian)
Published: https://www.riigiteataja.ee/akt/108122015004?leiaKehtiv
[14] ABIS Database Statute (only in Estonian)
Published: https://www.riigiteataja.ee/akt/103102023017?leiaKehtiv
[15] Aliens Act
Published: https://www.riigiteataja.ee/en/eli/ee/530092025010/consolide/current
[16] Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008
setting out the requirements for accreditation and repealing Regulation (EEC) No 339/93.
Published: http://data.europa.eu/eli/reg/2008/765/2021-07-16
[17] Police and Border Guard Act
Published: https://www.riigiteataja.ee/en/eli/ee/527102025003/consolide/current
35
[18] Police and Border Guard Statute (only in Estonian)
Published: https://www.riigiteataja.ee/akt/128062025002?leiaKehtiv
[19] SMIT Statute (only in Estonian)
Published: https://www.riigiteataja.ee/akt/109072024006?leiaKehtiv
[20] Estonian Information Security Standard (E-ITS, website in Estonian, some documents also in
English)
Published: https://eits.ria.ee
[21] RIA Statute (only in Estonian)
Published: https://www.riigiteataja.ee/akt/127122024010?leiaKehtiv
[22] German BSI IT-Grundschutz baseline security system
https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-
Zertifizierung/IT-Grundschutz/it-grundschutz_node
[23] Emergency Act
Published: https://www.riigiteataja.ee/en/eli/ee/527102025001/consolide/current
[24] General Part of the Economic Activities Code Act
Published: https://www.riigiteataja.ee/en/eli/ee/511092025011/consolide/current
[25] Statutory Fees Act
Published: https://www.riigiteataja.ee/en/eli/ee/525112025005/consolide/current
[26] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
Published: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-
20160504
[27] Personal Data Protection Act
Published: https://www.riigiteataja.ee/en/eli/ee/522092025009/consolide/current
[28] ITDAK Database Statute (only in Estonian)
Published: https://www.riigiteataja.ee/akt/102072025011?leiaKehtiv
[29] Public Information Act
Published: https://www.riigiteataja.ee/en/eli/ee/514112013001/consolide/current
[30] Civil Service Act
Published: https://www.riigiteataja.ee/en/eli/ee/502012018003/consolide/current
[31] ISO standards
Published: https://www.iso.org/standards.html
[32] ETSI EN 319 403
https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v02
0301p.pdf
[33] Government of the Republic Act
Published https://www.riigiteataja.ee/en/eli/ee/504092025010/consolide/current
2026
LoA Mapping of the Estonian ID card on level “High”
Table of contents
List of Definitions ................................................................................................................................. 1
List of Acronyms .................................................................................................................................. 3
1. Introduction .................................................................................................................................. 4
2. Technical specification and procedures ........................................................................................ 4
2.1. Enrolment ..................................................................................................................................... 5
2.1.1. Application and registration .................................................................................................. 5
2.1.2. Identity proofing and verification (natural person) .............................................................. 7
2.1.3. Identity proofing and verification (legal person) ................................................................ 10
2.1.4. Binding between the electronic identification means of natural and legal persons .......... 10
2.2. Electronic identification means management ............................................................................ 10
2.2.1. Electronic identification means characteristics and design ................................................ 10
2.2.2. Issuance, delivery and activation ........................................................................................ 11
2.2.3 Suspension, revocation and reactivation ............................................................................ 13
2.2.4. Renewal and replacement ................................................................................................... 14
2.3. Authentication ............................................................................................................................ 15
2.3.1. Authentication mechanism ................................................................................................. 17
2.4. Management and organisation .................................................................................................. 18
2.4.1. General provisions ............................................................................................................... 21
2.4.2. Published notices and user information ............................................................................. 23
2.4.3. Information security management ..................................................................................... 24
2.4.4. Record keeping .................................................................................................................... 24
2.4.5. Facilities and staff ................................................................................................................ 25
2.4.6. Technical controls ................................................................................................................ 28
2.4.7. Compliance and audit .......................................................................................................... 30
List of References .................................................................................................................................. 34
1
List of Definitions Term Definition
authentication A unique identification of a person by checking their alleged identity.
biometric data Biometric data is a facial image, fingerprint images and signature or
image of signature.
certificate Public key, together with additional information, laid down in the
certificate profiles, rendered unforgeable via encipherment using the
private key of the Certification Authority which issued the certificate.
electronic identification The process of using person identification data in electronic form
uniquely representing either a natural or legal person, or a natural
person representing a legal person.
electronic identification
scheme
A system for electronic identification under which electronic
identification means are issued to natural or legal persons, or natural
persons representing legal persons.
electronic signature Data in electronic form which is attached to or logically associated with
other data in electronic form, and which is used by the signatory to
sign. Signatory means natural person who creates an electronic
signature.
Estonian citizen A person who holds Estonian citizenship according to the Estonian
Citizenship Act.
Estonian population
register
A database which unites the main personal data on Estonian citizens,
citizens of the EU and third-country national who have been granted a
residence permit or right of residence in Estonia.
foreign representation of
the Republic of Estonia
An official unit (embassies, consulates, representations) operating
under the MFA in foreign country, responsible for representing
Estonia’s interests, maintaining diplomatic and consular relations, and
providing consular activities.
foreigner A citizen of a member state of the European Union, except Estonia, or
of a member state of the European Economic Area or of the Swiss
Confederation (hereinafter a citizen of the European Union); or a third-
country national.
HUB HUB is a secure data exchange interface between the PBGB, the card
manufacturer, and Certification Authority to support standardised data
exchange related to the issuance of ID-1 format identity documents.
ID card A mandatory identity document of Estonian citizens and EU citizens
permanently residing in Estonia. In addition to regular identification
purposes, an ID card can also be used for identification in an electronic
environment and for providing digital signatures. Estonian citizens can
also use the ID card as a travel document within the EU.
ID card administration
portal
Portal for looking up given PUK code and re-key of certificates, available
at https://www.idhaldusportaal.ee/en/.
ID software An end-user desktop application for personal maintenance of smartcard-
based eID.
2
ID-1 format identity
documents
Documents in ID-1 format are ID card, e-resident digital ID, residence
permit card and diplomatic identity card.
identity documents
database (ITDAK)
A record-keeping system for ensuring the internal security of the state,
including the identification of persons and the issuance and revocation
of identity documents specified in subsection 15 (4) of the IDA, as well
as people who have applied for mentioned documents. The basic data
collected by the information system are:
- Data related to the identification or verification of a person's identity,
- Data related to the applicant for an identity document,
- Data on the application for an identity document,
- Data on the identity document.
Ministry of Foreign Affairs
(MFA)
In this document, the MFA includes either both or one: the MFA
headquarters and/or foreign represenations abroad (i.e. embassies,
consulates, honorary consuls, consular missions).
personal identification
code
A unique 11-digit identifier for individuals in Estonia based on a
person’s gender, date of birth, serial number and check digit.
PIN code Activation code for the certificate enabling digital authentication and
the certificate enabling qualified electronic signatures.
private key The key of a key pair that is assumed to be kept in secret by the owner
of the key pair, and that is used to create electronic signatures and/or
to decrypt electronic messages, records or files that were encrypted
with the corresponding public key.
public key The key of a key pair that may be publicly disclosed by the owner of the
corresponding private key and that is used by relying parties to verify
electronic signatures created with the owner’s corresponding private
key and/or to encrypt messages, records and files so that they can be
decrypted only with the owner’s corresponding private key.
PUK Personal unlocking key.
register for authentic
documents
Database of documents of the European Union, of its member states,
and other countries, e.g. PRADO (Public Register of Authentic identity
and travel Documents Online).
revocation portal Portal for revocation of certificates, available at https://revocation-
portal.eidpki.ee/en/landing.
secure service provider for
handing out identity
documents
External service provider with the competency to hand out identity
documents.
self-service Digital environment, where a person can apply for an identity
document, available at https://etaotlus.politsei.ee/ekpid/login.
Web eID The Web eID solution enables the use of ID-1 format identity
documents for secure authentication and digital signing on the web.
X-tee Data exchange platform that allows secure and standardised data
exchange between different institutions, including state authorities and
private sector, available at https://www.x-tee.ee/home.
3
List of Acronyms Acronyms Definition
ABIS Automated Biometric Identification System
CA Certification Authority
CC Common Criteria
CCA Client Certificate Authentication
CERT Computer Emergency Response Team
CP Certificate Policy
CPS Certification Practice Statement
CRL Certificate Revocation List, a list of invalid (revoked) certificates
EAL Evaluation Assurance Level
eID Electronic Identity
eIDAS Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market, as amended by Regulation (EU) 2024/1183 as regards establishing the European Digital Identity Framework (always referred together as eIDAS regulation)
E-ITS Estonian Information Security Standard
ENISA The European Union Agency for Cybersecurity
ETSI The European Telecommunications Standards Institute
EU European Union
GDPR General Data Protection Regulation - Regulation (EU) 2016/679 of the European Parliament
and of the Council of 27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data
ICT Information and communication technology
IDA Identity Documents Act
ISO International Organization for Standardization
ITDAK Identity Documents Database
LDAP Lightweight Directory Access Protocol
LoA Levels of Assurance
MFA The Ministry of Foreign Affairs
OCSP Online Certificate Status Protocol
OTP One Time Password
PCI Payment Card Industry
PBGB The Estonian Police and Border Guard Board
PKI Public Key Infrastructure
QSCD Qualified Signature Creation Device
QTS Qualified Trust Service
QTSP Qualified Trust Service Provider
RIA Information System Authority of the Republic of Estonia (Riigi Infosüsteemi Amet)
RSA Rivest-Shamir-Adleman
SMIT The IT and Development Centre of the Ministry of the Interior
TARA State Authentication Service
TLS Transport Layer Security
4
1. Introduction
The present document explains how the Estonian ID card meets the requirements for the Level of
Assurance (LoA) ’high’ pursuant to the requirements of the eIDAS LoA defined in Commission
Implementing Regulation (EU) 2015/1502 [1] pursuant to Article 8(3) of the eIDAS Regulation [2] [(EU)
910/2014], as amended by Regulation (EU) 2024/1183 as regards establishing the European Digital
Identity Framework (always referred together).
2. Technical specification and procedures
The elements of technical specifications and procedures outlined in this annex of the Commission
Implementing Regulation (EU) 2015/1502 [1] will be used to determine how the requirements and
criteria of article 8 of Regulation (EU) will be applied for electronic identification means issued under
an electronic identification scheme.
ID-1 is an Estonian eID platform that is implemented on top of Aquarius chip (product name:
AQUARIUS_CA_09) from Thales, which is CC EAL6+ certified. The eID functionality is managed by the
application IAS Classic v5.2.1 with MOC Server v3.1 (EAL5+) on the operating system MultiApp V5.1
(version C, EAL6+)
ID-1 operates on:
Globalplatform 2.3.1
- Secure messaging: SCP03 i= 00, 01, 10, 11, 20, 21, 30, 31, 60, 61, 70 & 71 (AES 128, 192,
256);
- Optional and Mandated DAP up to RSA2K: applet versioning and integrity during post-
issuance;
- Delegated Management up to RSA2K: secure postissuance card management delegation
operations;
- Multiple Security Domains: Segregation of roles on the same card;
- Extradition: extradites an application from a Security Domain to another.
Globalplatform Privacy Framework
- Privacy Enhanced ID Configuration: SCP 21.
Java Card 3.1;
- Multiple Logical channels: concurrent applets addressed simultaneously during the same
card session;
- Garbage collector: recovers memory space of deleted or useless objects.
Applet optimiser: Saves at least 10% of NVM memory required by applications.
PACE support: privacy protection with explicit user consent.
Applet supports all required minimum public key features for easy integration in various PKI. It includes
the certificate for electronic authentication and encryption as well as certificate for providing a
qualified electronic signature, that are stored on the chip. In addition, the certificate for authentication
and encryption is also available in LDAP (Lightweight Directory Access Protocol) repository.
5
The certificates are valid until the date of expiry of the ID card, meaning up to five years depending on
the validity of the physical ID card.
2.1. Enrolment
The ID card is a mandatory identity document from the age of 15 which is issued to Estonian and EU
citizens living in Estonia.
2.1.1. Application and registration
LOW
1. Ensure the applicant is aware of the terms and conditions related to the use of the electronic
identification means.
The issuance of ID card and the obligations of the document holder are regulated by
eIDAS Regulation [2],
IDA [3],
Subscriber Terms and Conditions for Certificates issued by Zetes Estonia OÜ for ID-1 format
identity documents of the Republic of Estonia [4],
Electronic Identification and Trust Services for Electronic Transactions Act [5],
Certificate Policy for ID-1 format identity documents of the Republic of Estonia (eID CP) [6] and
Certification Practice Statement for the Intermediate certificates for ID-1 Documents of the
Republic of Estonia (eID CPS) [7].
According to article 114 of the IDA [3], the initial ID card can be applied for only in person (or via a legal
guardian) in a service point of the issuing authority or in the foreign representation of the Republic of
Estonia (hereinafter foreign representation). The exception is a minor under the age of 15 whose legal
guardian applies for the document and is documented by the issuing authority and whose legal
guardian proves their parental relationship.
In cases of expiry, loss, theft or damage of the ID card, Estonian citizens and EU citizens can apply for
a recurring ID card in one of the following methods:
in self-service, available only for Estonian citizens, who have been previously issued an ID card
and for those who are legal guardians,
in a service point of the issuing authority,
in a foreign representation,
via post,
via email.
Terms and conditions for the use of certificates on the ID card are publicly available on the www.id.ee
website [8], and a printout can be requested from the issuing authority or the foreign representation.
The applicant must explicitly agree to the terms and conditions that are in force at time of application.
Important points related to the use of the electronic identification means of the ID card are available
on PBGB website [9] as well as on a paper carrier of the ID card.
6
2. Ensure the applicant is aware of recommended security precautions related to the electronic
identification means.
The obligations of a document holder and return of an ID card are stated in article 14 of the IDA [3].
When a document holder forgets their PIN codes, they can use the PUK in the ID software to set new
PIN codes. In case the PUK is forgotten, they can use another state accepted digital document to access
ID card administration portal and view the PUK code of their ID card. Alternatively, an application can
be submitted in the issuing authority service point and the PUK will be sent by post. PUK can be sent
to Estonian postal address only. If the PUK is blocked, the document can be used only as a physical
identity document, for the use of certificate, a new document must be applied for.
Recommended security precautions related to the electronic identification means are listed on the
paper carrier of the ID card, on PBGB’s webpage [9], and in the terms and conditions for the use of the
certificates mentioned above [8]; for example, not to hand over one’s ID card, to keep the PIN codes
secret from others, how to act in case document is lost or stolen etc.
3. Collect the relevant identity data required for identity proofing and verification.
Collecting the relevant identity data required for identity-proofing and verification is regulated based
on Regulation 20 of the Minister of the Interior, as of 01.08.2025 [10]. Collecting application and
relevant identity data required for identity-proofing in the foreign representation is additionally
regulated by the Consular Act [11] and regulations of the minister responsible. Collected identity data
is checked against the database of the Estonian population register, identity documents database
(ITDAK) and automated biometric identification system (ABIS) [12].
The issuer identifies physically the person at least once during the issuance process, taking into account
the exceptions described in this document (minors under the age of 15).
For identity-proofing, the applicant provides the following information to the issuing authority:
a valid identity or travel document (except in cases where the application is done via regular
mail, by a legal guardian, electronically, or when applying for an initial document) Estonian
citizen’s expired document is allowed in service point, when applying for a recurring document,
in that case the PBGB official uses other evidence and databases for identity-proofing),
a photo taken in the issuing authority service point or individually a maximum of 6 months prior
to the application date (requirements are set out in Regulation 62 of the Minister of the Interior,
adopted on 01.12.2015 [13]),
fingerprints from the age of 12,
signature sample (mandatory from the age of 15, voluntary from the age of 7 to the age of 14),
place of hand-over,
reason for applying,
date,
the minimum data set listed in article 5 of Regulation 20 of the Minister of the Interior, as of
01.08.2025 [10], involves collecting the relevant identity data required to verify the identity of
a person beyond doubt at the time of application, including the following:
7
1) personal data (first name(s), last name(s), Estonian personal identification code or date of
birth, place of birth, sex),
2) citizenship,
3) contact information (street, house, apartment, city or village, county, postal code, country,
phone, email address),
other information, when necessary.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.1.2. Identity proofing and verification (natural person)
LOW
1. The person can be assumed to be in possession of evidence recognised by the Member State in
which the application for the electronic identity means is being made and representing the
claimed identity.
N/A because, in case of the ID card, the identity of the applicant and the validity and authenticity of
their document is always verified, not assumed. Please see the description in the following paragraphs
for substantial and high.
2. The evidence can be assumed to be genuine, or to exist according to an authoritative source
and the evidence appears to be valid.
N/A because, in case of the ID card, the identity of the applicant and the validity and authenticity of
their document is always verified, not assumed.
3. It is known by an authoritative source that the claimed identity exists, and it may be assumed
that the person claiming the identity is one and the same.
N/A because, in case of the ID card, the identity of the applicant and the validity and authenticity of
their document is always verified, not assumed.
SUBSTANTIAL
Level low, plus one of the alternatives listed in points 1 to 4 has to be met:
1. The person has been verified to be in possession of evidence recognised by the Member State
in which the application for the electronic identity means is being made and representing the
claimed identity and the evidence is checked to determine that it is genuine; or, according to an
authoritative source, it is known to exist and relates to a real person and steps have been taken
to minimise the risk that the person's identity is not the claimed identity, taking into account for
instance the risk of lost, stolen, suspended, revoked or expired evidence.
8
Estonian eID is always issued as a part of the ID card issuance. The ID card is issued to both Estonian
citizens and EU citizens. The ID card issued to Estonian citizens is recognised as a travel document. The
ID card issued to EU citizens is valid for person’s identification, proof of right of residence and using
Estonian e-services but is not recognised as a travel document. Data about every ID card application is
recorded in the ITDAK and in ABIS [14] in accordance with IDA [3].
Foreigners who have been issued an Estonian identity document under IDA [3] and all Estonian citizens
have a personal identification code and are recorded centrally in the Estonian population register.
Personal identification code is used as unique identifier.
When an Estonian citizen applies for an ID card, their data is checked against the population register,
the ITDAK and ABIS in accordance with the IDA [3] and regulations issued based on that Act. The ITDAK
ascertains whether an Estonian identity document is valid but also provides information about the
personal data of the document holder, as well as about the status of the previously issued identity
document(s), including information about whether the document(s) has/have been lost, stolen,
revoked, or expired. The applicant’s biometric data is checked in ABIS.
When an EU citizen applies for an ID card, their right of residence is checked against the Estonian
population register and the ITDAK to determine whether there have been any previous encounters
with the Republic of Estonia. An EU citizen needs to present a valid identity document issued by the EU
Member State of their citizenship when applying for an ID card. The authenticity of the presented
identity document is verified in accordance with the sample documents presented by other Member
States in the register for authentic documents.
or
2. An identity document is presented during a registration process in the Member State where the
document was issued and the document appears to relate to the person presenting it and steps
have been taken to minimise the risk that the person's identity is not the claimed identity, taking
into account for instance the risk of lost, stolen, suspended, revoked or expired documents.
In case of Estonian citizens, the initial identity-proofing is done on the basis of a birth certificate, kinship
in the Estonian population register, and in accordance with the Citizenship Act [15]; in case of a
recurring ID card, the identification is done based on the previous ID card and the Estonian population
register, ITDAK and ABIS; in case of EU citizens, based on a valid identity document of their country of
citizenship.
3. Where procedures used previously by a public or private entity in the same Member State for
a purpose other than the issuance of electronic identification means provide for an equivalent
assurance to those set out in section 2.1.2 for the assurance level substantial, then the entity
responsible for registration need not to repeat those earlier procedures, provided that such
equivalent assurance is confirmed by a conformity assessment body referred to in Article 2(13) of
Regulation (EC) No 765/2008 [16] of the European Parliament and of the Council (1) or by an
equivalent body.
9
N/A
4. Where electronic identification means are issued on the basis of a valid notified electronic
identification means having the assurance level substantial or high, and taking into account the
risks of a change in the person identification data, it is not required to repeat the identity proofing
and verification processes. Where the electronic identification means serving as the basis has not
been notified, the assurance level substantial or high must be confirmed by a conformity
assessment body referred to in Article 2(13) of Regulation (EC) No 765/2008 [16] or by an
equivalent body.
N/A
HIGH
Requirements of either point 1 or 2 have to be met:
1. Level substantial, plus one of the alternatives listed in points (a) to (c) has to be met:
(a) Where the person has been verified to be in possession of photo or biometric identification
evidence recognised by the Member State in which the application for the electronic identity
means is being made and that evidence represents the claimed identity, the evidence is checked
to determine that it is valid according to an authoritative source; and the applicant is identified as
the claimed identity through comparison of one or more physical characteristic of the person with
an authoritative source.
When applying for an ID card a valid identity document is checked in accordance with the IDA [3] and
regulations issued based on that Act, as well as with the internal procedures and regulations of the
issuing authority. The personnel of the issuing authority follow the routine procedure to check that the
document is genuine and corresponds to the data and biometric data provided in either national or
international registers, whether the document provided is valid and not listed as lost, stolen, revoked,
or expired. In case of expired document, it is possible to apply in self-service with another state
approved eID means. During application in a service point, a physical identity check is conducted,
together with a system checks into national and if needed also in available international databases.
(b) Where procedures used previously by a public or private entity in the same Member State for
a purpose other than the issuance of electronic identification means provide for an equivalent
assurance to those set out in section 2.1.2 for the assurance level high, then the entity
responsible for registration need not to repeat those earlier procedures, provided that such
equivalent assurance is confirmed by a conformity assessment body referred to in Article 2(13)
of Regulation (EC) No 765/2008 [16] or by an equivalent body and steps are taken to
demonstrate that the results of the earlier procedures remain valid;
N/A
(c) Where electronic identification means are issued on the basis of a valid notified electronic
identification means having the assurance level high, and taking into account the risks of a
change in the person identification data, it is not required to repeat the identity proofing and
10
verification processes. Where the electronic identification means serving as the basis has not
been notified, the assurance level high must be confirmed by a conformity assessment body
referred to in Article 2(13) of Regulation (EC) No 765/2008 [16] or by an equivalent body and
steps are taken to demonstrate that the results of this previous issuance procedure of a notified
electronic identification means remain valid.
N/A
or
2. Where the applicant does not present any recognised photo or biometric identification
evidence, the very same procedures used at the national level in the Member State of the entity
responsible for registration to obtain such recognised photo or biometric identification evidence
are applied.
In exceptional cases where a valid document issued by the Republic of Estonia is lost or stolen, the
person is identified based on the information entered previously into the ITDAK and ABIS.
2.1.3. Identity proofing and verification (legal person)
The ID card is used only for identification of natural persons; therefore 2.1.3. is not applicable.
2.1.4. Binding between the electronic identification means of natural
and legal persons
The ID card is used only for identification of natural persons; therefore 2.1.4. is not applicable.
2.2. Electronic identification means management
2.2.1. Electronic identification means characteristics and design
LOW
1. The electronic identification means utilises at least one authentication factor.
Please see the description in the following paragraphs for substantial and high.
2. The electronic identification means is designed so that the issuer takes reasonable steps to
check that it is used only under the control or possession of the person to whom it belongs.
Please see the description in the following paragraphs for substantial and high.
SUBSTANTIAL
1. The electronic identification means utilises at least two authentication factors from different
categories.
11
A two-factor authentication is required for using the eID functionality of the ID card: an ID card and
PIN codes. The first factor of authentication is being in possession of an ID card. The second factor of
authentication are the PIN codes that are issued together with the ID card. The person receives a
securely sealed envelope with three codes in it (PIN1, PIN2, PUK): PIN1 for authentication and
encryption purposes, PIN2 for a qualified electronic signature (compulsory change before first use),
and PUK to reset blocked PIN codes in the ID software.
The document holder possesses a unique private key which is used for authentication. Functions for
using this private key are protected with a PIN code, known only by the document holder.
2. The electronic identification means is designed so that it can be assumed to be used only if
under the control or possession of the person to whom it belongs.
The private key is stored in a secure module of a microchip on the ID card. The ID card with the secure
module is a physical device under the document holder’s control.
HIGH
Level substantial, plus:
1. The electronic identification means protects against duplication and tampering as well as
against attackers with high attack potential
The secure module on the ID card is a QSCD (Qualified Signature Creation Device) certified device.
2. The electronic identification means is designed so that it can be reliably protected by the person
to whom it belongs against use by others.
The document holder has physical control over the authentication device. The document holder has
the option to change the PIN codes at any time by using ID software when they know their PIN or PUK
code. PIN 2 change is compulsory before first use. Certificate revocation service is available in
revocation portal using OTP (One-Time Password) or alternative state approved eID means 24/7, and
in service points during their operating hours.
2.2.2. Issuance, delivery and activation
The process of issuance, delivery, and activation is regulated by the IDA [3] and the Consular Act [11].
LOW
After issuance, the electronic identification means is delivered via a mechanism by which it can
be assumed to reach only the intended person.
The ID card is issued in person. Additionally, there is a possibility to issue an ID card to a legal guardian
or an authorised representative assigned by the applicant at the time of applying for the document.
The ID card is issued at the issuing authority service point, at the external service provider’s service
12
point or in the foreign representation indicated in the application form. The choice of the authorised
representative to receive the ID card and the place of receiving must be stated in the application. The
choice of the authorised representative cannot be changed later in the process. This option can be
applied only if the person has provided the application in person at the issuing authority service point
or in the foreign representation, in self-service or electronically signed via email.
In case of an authorised representative and legal guardian, the authorised person provides their own
identity document.
SUBSTANTIAL
After issuance, the electronic identification means is delivered via a mechanism by which it can
be assumed that it is delivered only into the possession of the person to whom it belongs.
The ID card is issued only personally to the applicant, their legal guardian or to an authorised
representative (who has been appointed at the application) after identity-proofing. This includes
checking the person’s document and identity checks into ITDAK and ABIS. The authenticity of the
presented identity document is verified with ITDAK or register for authentic documents when
necessary. This indicates that the eID means is delivered only into the possession of the person who
applied for it and to whom it belongs.
HIGH
The activation process verifies that the electronic identification means was delivered only into the
possession of the person to whom it belongs.
The documents are delivered to the service points (PBGB and external service provider’s service point
and foreign representation) in a secure document bag. The contents of the bags are checked by the
authorised personnel and confirm the receipt of the delivery electronically.
ID cards are delivered to the issuing authority service point, external service provider’s service point
or the foreign representation in a suspended state (meaning that the eID functionality is not active). If
an ID card is issued at the issuing authority service point or external service point to the applicant
personally, to a legal guardian or to an authorised representative, the ID card is activated by the issuing
authority after the identity-proofing of the receiver, who confirms with their handwritten signature
that they have received the document in its entirety (the receiver confirms that the ID card was
received, the envelope was intact and data correct).
If the ID card is handed over at a foreign representation, the physical ID cards are delivered there by
diplomatic mail in an electronically suspended state. Once the foreign representation has proven the
identity of the applicant and handed over the document, the necessary actions are carried out via the
MFA's information systems, and a request to activate the document is sent to the ITDAK. If the
document is handed out by an honorary consul, they inform the relevant foreign representation of the
issuance, and the foreign representation performs the required actions.
Once the document is handed over by a external service provider, the necessary actions are carried out
in the service provider information system, and a request to activate the document is sent to the ITDAK.
13
2.2.3 Suspension, revocation and reactivation
After issuance of ID card, the certificates cannot be suspended and reactivated by the certificate owner.
Only revocation is allowed.
The legal framework of revocation of the electronic identification means is set by the eIDAS Regulation
[2], with its implementing acts, and is regulated at the national level by the IDA [3] and eID CP [6]. The
document holder is obliged to notify the issuing authority in case of theft or loss of the ID card, so that
the certificates can be revoked.
Revocation of certificates can be done in person by appearing in a service point of the issuing authority
or using revocation portal which is accessible 24/7. Revocation of the certificates means that the
certificates are revoked; therefore, electronic functionality cannot be used.
LOW
1. It is possible to suspend and/or revoke an electronic identification means in a timely and
effective manner.
Suspension of certificates after activating the certificate is not possible.
The certificates of an ID card can be revoked in the issuing authority service point in person and in the
revocation portal. A certificate owner may request revocation of their own certificates or for another
person over which they have legal custody. E-services cannot be used/accessed if the certificates are
revoked.
At the service point, the certificate owner is identified by the service point official, and the revocation
request must be signed by the certificate owner. The service point official verifies the person filing for
revocation in accordance with the PBGB identity verification procedures and checks the legality to
request revocation.
In the online revocation portal, the certificate owner is authenticated electronically with an alternative
state approved eID means or an OTP, and revocation requests are forwarded to the CA via the X-tee
secure authenticated channel. The CA authenticates and executes the request automatically and
immediately. If the request is accepted, it is executed without delay.
After revocation is completed, the certificate status in the CA interface is set as revoked and the
certificates cannot be used; therefore, e-services cannot also be used. The physical document remains
valid until the expiry of the document. To regain access to e-services after revocation has been
completed, a new ID card must be issued (with new certificates); therefore, the enrolment procedure
is applied as described in section 2.1.1.
2. The existence of measures taken to prevent unauthorised suspension, revocation and/or
reactivation.
14
Suspension of certificates after activating the certificate is not possible.
Revocation can be performed in the service point of the issuing authority after physical identification
or in revocation portal and cannot be reversed.
3. Reactivation shall take place only if the same assurance requirements as established before the
suspension or revocation continue to be met.
Since suspension of certificates after activating the certificate is not possible, then reactivation is not
applicable. Certificates in the status revoked cannot be reactivated. Revocation of the ID card or the
certificates can be done only in a service point of the issuing authority or in revocation portal.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.2.4. Renewal and replacement
LOW
Taking into account the risks of a change in the person identification data, renewal or replacement
needs to meet the same assurance requirements as initial identity proofing and verification or is
based on a valid electronic identification means of the same, or higher, assurance level.
According to the IDA [3], a person is obliged to notify the issuing authority if the personal identification
data (in case of name change or other) has been changed within one month’s time and apply for a new
ID card as described in section 2.1.1. Therefore, it is the responsibility of the document holder to keep
the person’s identification data up to date.
For renewal of the ID card in case of expiry, loss, theft or damage, the person must fill in the application,
providing personal data (including biometric data), and the enrolment procedure is applied as
described in section 2.1.1.
The re-key of certificates is required, for example, in case of security vulnerabilities or cryptographic
updates that might have an impact on the security of already issued ID cards or to remain QSCD
certified. Certificate re-key can be carried out after the identity-proofing procedure (either physical or
electronic authentication), where the data provided is checked against the ITDAK and the Estonian
population register.
If an ID card malfunction falls under warranty (for example, ID card cannot be used electronically), then
the new ID card and certificates are issued for the same period of validity without a charge to the
document holder.
15
SUBSTANTIAL
Same as level low.
HIGH
Level low, plus: Where renewal or replacement is based on a valid electronic identification means,
the identity data is verified with an authoritative source.
Certificate re-key can be performed in the service point of the issuing authority or remotely via ID card
administration portal.
Prerequisites for the certificate re-key:
ID card is whitelisted for the re-key by the issuing authority,
ID card is valid and electronically functional,
ID card certificates are valid,
person knows PIN1 of the ID card.
If PIN1 is not known, the document holder can set new PIN code in the ID software by entering PUK.
The document holder can log in to ID card administration portal via State Authentication Service TARA.
Document holder must insert ID card to a smart card reader, agree with the terms and conditions for
the use of certificates and initiate the process by inserting PIN1.
Certificate re-key at a service point of the issuing authority is done after the physical identification
procedure, where the data provided is checked against the ITDAK and the Estonian population register.
Document holder will sign an application for re-key, insert their ID card to the smart card reader and
enter PIN1.
During the process of re-key, the new keys and certificates are generated and will be in active state,
previous certificates will be revoked automatically by the CA. Document holder will receive a
notification from the issuing authority about the revocation and issuance of new certificates to their
official [email protected] email address.
The warranty application can be submitted in the offices of the issuing authority after the physical
identification procedure or in cases of the document holder’s request (via helpline and email) where
the data provided is checked against the ITDAK. A new ID card is issued in a service point of the issuing
authority, external service provider or the foreign representation after the physical identification
procedure (authorisation is permitted, when the applicant appoints the representative during
application).
2.3. Authentication
The authentication mechanism of the ID card in case of Transport Layer Security (TLS) Client Certificate
Authentication (CCA) is described on the following caption.
16
Caption 1 Authentication of the Estonian ID card
Since autumn 2022, it has also been possible to use Web eID for authentication. Web eID
authentication uses the same mechanism, but it is implemented in the application layer, not in the
transport layer like TLS CCA. Web eID authentication is described on the following caption 2.
17
Caption 2 Web eID authentication diagram
2.3.1. Authentication mechanism
LOW
1. The release of person identification data is preceded by reliable verification of the electronic
identification means and its validity.
At the beginning of authentication, the certificate validity can be checked by the OCSP (Online
Certificate Status Protocol) service or by using current CRL (Certificate Revocation List). Certificate
validity checks are made by the website/-service.
2. Where person identification data is stored as part of the authentication mechanism, that
information is secured in order to protect against loss and against compromise, including analysis
offline.
For secure transaction and authentication, the TLS is used. Data on the ID card certificates are
considered as public data.
3. The authentication mechanism implements security controls for the verification of the
electronic identification means, so that it is highly unlikely that activities such as guessing,
eavesdropping, replay or manipulation of communication by an attacker with enhanced-basic
attack potential can subvert the authentication mechanisms.
18
With the correct implementation and usage of PKI technology, where a private key is under the sole
control of the document holder, guessing, eavesdropping, replay, or manipulation of communication is
not possible.
SUBSTANTIAL
Level low, plus:
1. The release of person identification data is preceded by reliable verification of the electronic
identification means and its validity through a dynamic authentication.
On TLS authentication, the person’s certificate validity can be checked with the OCSP or with the CRL.
2. The authentication mechanism implements security controls for the verification of the
electronic identification means, so that it is highly unlikely that activities such as guessing,
eavesdropping, replay or manipulation of communication by an attacker with moderate attack
potential can subvert the authentication mechanisms.
With the correct implementation and usage of PKI technology, where a private key is under the sole
control of the document holder, guessing, eavesdropping, replay, or manipulation of communication is
not possible.
HIGH
Level substantial, plus: The authentication mechanism implements security controls for the
verification of the electronic identification means, so that it is highly unlikely that activities such
as guessing, eavesdropping, replay or manipulation of communication by an attacker with high
attack potential can subvert the authentication mechanisms.
With the correct implementation and usage of PKI technology, where a private key is under the sole
control of the document holder, guessing, eavesdropping, replay, or manipulation of communication is
not possible.
2.4. Management and organisation
The Estonian eID scheme is based on nationally issued identity documents. In the Republic of Estonia,
the Ministry of the Interior is responsible for identity management policy.
Two types of parties can be distinguished within the Estonian eID scheme: public and private. Both
public and private parties must comply with requirements that come from European and national
legislation.
Public authorities
Public authorities act in the public interest according to laws and regulations and are subject to special
obligations of due diligence.
19
The Ministry of the Interior
The Ministry of the Interior is tasked with developing the policy of identity management and the policy
of issuing the personal identification documents for Estonian citizens and foreigners and coordinating
the activities of government authorities.
Estonian Police and Border Guard Board (PBGB)
The PBGB is the issuing authority. This is the institution of executive power within the area of
government of the Estonian Ministry of the Interior and, among the main functions, ensures protection
of public order, organisation of matters of border management, citizenship, and migration by carrying
out national legislation, state supervision, and applying enforcement powers of the state on the basis,
the extent, and condition. The functions, rights, and organisation of the police and the legal bases of
the police service are provided in the Police and Border Guard Act [17] and the Statutes of the Police
and Border Guard Board [18].
According to the IDA [3], the PBGB has the competence of making a decision on issuance and
revocation of an identity document. The IDA allows the PBGB to transfer duties for the hand-over of
documents to an external service provider. Additionally, the IDA [3] allows the PBGB to transfer the
duties for the issuance of certificates. Certificates are generated during the personalisation process by
the qualified trust service provider (QTSP), who is managing the whole life cycle of the qualified
certificates.
Development, preparation of tenders and contracts, implementation, objectively certain and secure
identification and management (including procedures concerning complaints) for identity documents
(including the national ID card) are the main responsibilities of the Identity and Status Bureau of PBGB.
Personalisation site of PBGB is responsible for the distribution of all types of identity documents
(including the ID card) to the issuing locations.
IT and Development Centre, Ministry of the Interior (SMIT)
SMIT is responsible for ensuring the information and communication technology service development
and management within the ministry governing area. The functions, rights, and organisation are
provided in the Statutes of SMIT [19].
Information System Authority (RIA)
RIA is a government body responsible for:
- eID technical architecture,
- development of client/end-user software,
- chip technical specification,
- application for eID middleware,
- Estonian Information Security Standard [20],
- collecting, analysing, solving security incidents and informing them to ENISA (CERT, E-ITS [20]),
- creating and ensuring technical solutions/platform for both domestic and cross-border
accessing of e-services and
- performing the functions of a point of single contact under eIDAS Regulation [2].
20
RIA is also the Supervisory Body, who is responsible for supervisory tasks that are set out in eIDAS
Regulation [2]:
- the assessment of qualified status of trust services and issuance of licenses to provide trust
services,
- the managing of trust list of Estonian trust service providers,
- supervising of notified trust services providers in meeting the established requirements.
The functions, rights, and organisation are provided in the Statutes of the RIA [21].
In the Estonian public sector, all information systems, including the eID scheme must comply with the
Estonian Information Security Standard (E-ITS) [20].
The objective of E-ITS is to develop and promote the level of information security in both the Estonian
public and private sectors by presenting a basis for information security in Estonia, compliant with the
Estonian legal system, which is also aligned with the internationally recognised information security
management standard ISO/IEC 27001. The development process of the E-ITS [20] is based on the
German BSI IT-Grundschutz baseline security system [22].
The Ministry of Foreign Affairs (MFA)
The MFA is responsible for accepting ID card applications, forwarding collected applications to the
PBGB for issuing ID cards, and for handing over ID cards in the foreign representations.
Private parties
Private parties take over tasks as contractors of public authorities or carry out market roles within the
Estonian eID scheme that are not executed by public authorities. The exact role and responsibilities of
the private parties will be agreed upon in the concluded contracts in accordance with the IDA [3].
Card manufacturer
The PBGB has a contract with Thales DIS Finland OY for ID-1 format identity document blanks,
personalisation and related services. Thales DIS Finland OY’s subcontractor is Hansab AS.
The card manufacturer is responsible for:
production, processing and logistics of document blanks with a chip certified as a QSCD,
the provision of document personalisation services (provided by subcontractor of card
manufacturer),
the provision of post-issuance services for documents,
processing of personal data in accordance with Estonian, EU and international regulations,
standards, requirements and instructions.
Certification Authority (CA)
The PBGB has a contract with Zetes SA for the provision of certification and qualified trust services.
The duties of the CA in certification service and qualified trust service cover the following:
issuance of root certificates and intermediate certificates for the creation of a certificate chain,
21
issuance of qualified certificates for electronic signatures and certificates for authentication
and encryption,
service of Subscriber certificates,
provision of OCSP responder service,
provision of CRL service,
provision of LDAP directory service,
provision of test services.
External Service Provider
According to § 31 of the IDA [3], at the request of the applicant, the issuing authority may deliver the
document through a secure service provider. The secure service provider shall be determined by the
issuing authority.
The PBGB has a contract with Hansab AS for external service provision. Hansab AS provides the service
of handing over identity documents through a subcontractor, who hands out documents in external
service provider’s service points nation-wide.
Requirements for external service providers must ensure that the service provided is equally secure as
the service provided by issuing authority and foreign representations. Requirements for the external
service provider are set out in the contract.
Helpline
ID software user support for electronic use of ID cards and ID software is available workdays 8.30-17.00
by phone +372 666 8888 or email [email protected], additionally www.id.ee is available for user support.
2.4.1. General provisions
LOW
1. Providers delivering any operational service covered by this Regulation are a public authority
or a legal entity recognised as such by national law of a Member State, with an established
organisation and fully operational in all parts relevant for the provision of the services.
The IDA [3] and the Statutes of the PBGB [18] apply to any operational service covered in the Estonian
eID scheme; hence, the requirement is fulfilled.
2. Providers comply with any legal requirements incumbent on them in connection with operation
and delivery of the service, including the types of information that may be sought, how identity
proofing is conducted, what information may be retained and for how long.
Operations of all entities involved in the Estonian eID scheme are directly governed by national
legislation and subordinate regulations. The legislation and enforcement of procedures about identity-
proofing are described previously under section 2.1.2.; hence, the requirement is fulfilled.
3. Providers are able to demonstrate their ability to assume the risk of liability for damages, as
well as their having sufficient financial resources for continued operations and providing of the
services.
22
According to the Electronic Identification and Trust Services for Electronic Transactions Act [5], the CA
shall have a liability insurance contract with the sum insured at least in the amount of one million euros
annually per each single insured event and at least one million euros per all events in total.
The CA and card manufacturer shall have a valid performance warranty for the duration of the contract.
During the term of the contract, the private party shall hold a non-life insurance contract with an
insurer authorised in Estonia, the EU or another Member State of the European Economic Area to
which the PBGB is a beneficiary.
PBGB has established fines for external service providers for breach of contract.
4. Providers are responsible for the fulfilment of any of the commitments outsourced to another
entity, and compliance with the scheme policy, as if the providers themselves had performed the
duties.
Private parties are responsible for the fulfilment of all commitments outsourced to another entity and
compliance with the policies as stated (including an obligation to notify about the subcontractors) in
the contract with the PBGB.
5. Electronic identification schemes not constituted by national law shall have in place an effective
termination plan. Such a plan shall include orderly discontinuations of service or continuation by
another provider, the way in which relevant authorities and end users are informed, as well as
details on how records are to be protected, retained and destroyed in compliance with the scheme
policy.
Estonian eID scheme is constituted by national law; therefore, a termination plan is not applicable.
Subcontractors have contractual obligations to the continuation of service throughout the validity
period of the issued certificates. As of 01.07.2017, electronic authentication is listed as a vital service
in the Emergency Act [23] and is considered as a provider of a service of general interest; therefore,
the General Part of the Economic Activities Code Act [24] applies. Termination of CA is stipulated in eID
CPS [7].
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
23
2.4.2. Published notices and user information
LOW
1. The existence of a published service definition that includes all applicable terms, conditions,
and fees, including any limitations of its usage. The service definition shall include a privacy
policy.
The service of issuing identity documents ensures the issuance of national identity documents under
the conditions and timeframe set out in national legislation (IDA [3] and Regulation 20 of the Minister
of the Interior, as of 01.08.2025 [10]), accepting the application for procedures during which the
decision to issue, or not to issue, the document is made, and the issuance of the document. Quality
control includes “four eyes” principle, where two different officials are involved in the issuance of the
document. The IDA also sets the rules for revocation of the document and/or certificates.
Applicable terms and conditions (including any limitations of usage and privacy policy) are defined and
explained under section 2.1.1. The fees for ID card are regulated by the Statutory Fees Act [26]. Usage
of personal data and privacy is regulated by the GDPR [27], the Personal Data Protection Act [28], which
provides the conditions and procedure for processing of personal data, the procedure for the exercise
of state supervision and administrative supervision upon processing of personal data, and liability for
a violation of the requirements for processing of personal data. The statutes of ITDAK [25] and ABIS
statute [14] provide the specifics of what data is collected, the preservation period of collected data
etc.
2. Appropriate policy and procedures are to be put in place in order to ensure that users of the
service are informed in a timely and reliable fashion of any changes to the service definition and
to any applicable terms, conditions, and privacy policy for the specified service.
PBGB is fully responsible for coordinating change management and communication of all aspects of ID
card issuance in a timely and reliable fashion, without undue delay. PBGB is responsible for putting
appropriate policies and procedures in place, ensuring that users of the service are informed in a timely
and reliable fashion of any changes to the service definition, any applicable terms, conditions, and
privacy policy.
3. Appropriate policies and procedures are to be put in place that provide for full and correct
responses to requests for information.
PBGB’s internal process provides the guidelines for issuance and services related to identity documents
after their issuance (e.g. revocation of certificates).
Additionally, the terms and conditions are referred to under section 2.1.1.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
24
2.4.3. Information security management
LOW
There is an effective information security management system for the management and control
of information security risks.
Please see the description below under substantial.
SUBSTANTIAL
Level low, plus: The information security management system adheres to proven standards or
principles for the management and control of information security risks.
E-ITS [20] is compulsory for all state and local government organisations who handle
databases/registers. Therefore, all internal procedures for development and maintenance are created
and managed based on E-ITS security levels and classes. E-ITS [20} is a tool for risk and security
management; hence, the requirement is fulfilled. State supervision for E-ITS [20] compliance is
conducted by RIA.
Private parties adhere to and provide certificates of audits (eIDAS and ISO) which demonstrate
following proven standards and principles for the management and control of information security
risks, as previously stated under 2.4.
HIGH
Same as level substantial.
2.4.4. Record keeping
Collecting data and records, maintenance, archiving, and protection of all relevant records and data is
required and regulated by European (eIDAS Regulation [2], GDPR [27]) and national legislation,
subordinate regulations, and internal procedures.
LOW
1. Record and maintain relevant information using an effective record-management system,
taking into account applicable legislation and good practice in relation to data protection and
data retention.
The Public Information Act [29] provides the conditions of, procedure for, and methods of access to
and reuse of public information and the bases for refusal to grant access to information, restricted
public information, and the procedure for granting access thereto to the extent not regulated by other
acts, the bases for establishment and administration of databases, and supervision over the
administration of databases, the procedure for the exercise of state supervision, and administrative
supervision over the organisation of access to information.
25
The Personal Data Protection Act [28] provides for the conditions and procedure for the processing of
personal data, the procedure for the exercise of state supervision and administrative supervision upon
the processing of personal data, and liability for a violation of the requirements for the processing of
personal data.
The Statutes of ITDAK [25] and ABIS [14] provide that for ensuring availability, integrity, and
confidentiality of data protection in databases, the organisational, physical, and information
technology security measures must be implemented. Article 18 of ITDAK Statutes provides that data
records are kept 75 years, except for initial documents, which are kept permanently. The ITDAK has a
service-level agreement between the PBGB and the ICT service provider (SMIT), in which are stated
quality parameters, data confidentiality, integrity, availability, and highest data loss tolerance.
The Statutes of ABIS [12] provides that data records are kept actively for 15 years, after that for 60
years.
2. Retain, as far as it is permitted by national law or other national administrative arrangement,
and protect records for as long as they are required for the purpose of auditing and investigation
of security breaches, and retention, after which the records shall be securely destroyed.
Please see description in 2.4.4/1.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.4.5. Facilities and staff
Estonian eID is managed by an Estonian government body (PBGB); therefore, all human resource
decisions are laid down in official administrative procedures according to the national legislation; in
particular, based on the Civil Service Act [30] and Police and Border Guard Board Act [17].
Additionally, E-ITS [20] facilitates requirements for both facilities and staff.
The manufacturing site of the card manufacturer is certified throughout the contract period according
to the following standards:
Intergraf's ISO 14298 – level Governmental,
ISO 9001 Quality Management System – requirements,
ISO/IEC 27001 Information technology – Security techniques – Information security
management systems – Requirements,
PCI CPP Physical Security Requirements and Test Procedures for the transportation of
documents from the manufacturing site to the personalisation site via secure transportation.
26
The personalisation site and processes of the card manufacturer are compliant with the following
regulations and standards:
Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic
identification and trust services for electronic transactions in the internal market, as amended
by Regulation (EU) 2024/1183 as regards establishing the European Digital Identity Framework
(always referred together as eIDAS regulation),
ISO 9001 Quality Management System – requirements,
ISO/IEC 27001 Information technology – Security techniques - Information security
management systems – Requirements,
PCI CPP - Logical Security Requirements and Test Procedures,
PCI CPP - Physical Security Requirements and Test Procedures,
ISO 9001 Quality Management System – requirements,
ISO/IEC 27001 Information technology – Security techniques – Information security
management systems – Requirements,
PCI CPP - Logical Security Requirements and Test Procedures,
PCI CPP - Physical Security Requirements and Test Procedures,
PCI Data Security Standard.
The card manufacturer ensures compliance with all relevant EU, Estonian and international legal acts,
standards and recommendations as well as the relevant electronic identification and CA rules at all
times throughout the contract and in case any amendments or updates are introduced, card
manufacturer shall ensure compliance with all amended and updated requirements without any delay.
LOW
1. The existence of procedures that ensure that staff and subcontractors are sufficiently trained,
qualified and experienced in the skills needed to execute the roles they fulfil.
In public authorities, staff are employed and trained according to dedicated job profiles (general
framework and qualification requirements) and job descriptions (detailed work characteristics and
responsibilities). Both originate from state development plans, work plans, cooperation agreements,
and the needs specified by the service owner of PBGB. Where relevant, additional dedicated training
programmes for staff members also exist (e.g., identity-proofing and fraud). This ensures that
procedures are performed by trained, qualified, and experienced staff. Background checks are
implemented during recruitment and employment as a routine precautionary measure in accordance
with Police and Border Guard Act [17]. Duties are performed according to formalised processes, and
special obligations of due diligence exist. Job profiles, training programmes, procedures, and processes
are monitored and updated on a regular basis as part of the state public service.
Implementing E-ITS [20] or ISO 27001 [31] requirements facilitate the existence of procedures that
ensure that staff and subcontractors are sufficiently trained, qualified, and experienced in the skills
needed to execute the roles they fulfil.
The requirements for private parties come from the eIDAS Regulation [2], the Electronic Identification
and Trust Services for Electronic Transactions Act [5], and the contract. All specific standards and
requirements set out in the previously mentioned under contractors are applicable to the
27
subcontractor(s) depending on their role. The CPs for the ID-1 format identity documents are publicly
available electronically on CA webpage [6] and www.id.ee webpage [8], CPSs are available on CA
webpage [6].
2. The existence of sufficient staff and subcontractors to adequately operate and resource the
service according to its policies and procedures.
Public authorities have been provided with resources and staff according to the administrative effort
of the corresponding services as part of legislative procedures, which are reassessed on a yearly basis
as part of yearly estimations and analysis. Additionally, implementing E-ITS [20] or ISO [31]
requirements facilitate the existence of sufficient staff and subcontractors to adequately operate and
resource the service according to its policies and procedures.
The requirements for private parties come from the eIDAS Regulation [2], the Electronic Identification
and Trust Services for Electronic Transactions Act [5], and the contract. The CPs for the ID-1 format
identity documents are publicly available electronically on CA webpage [6] and www.id.ee webpage
[8], CPSs are available on CA webpage [8].
3. Facilities used for providing the service are continuously monitored for, and protect against,
damage caused by environmental events, unauthorised access and other factors that may
impact the security of the service.
Implementing E-ITS [20] or ISO [31] requirements facilitate continuous monitoring for, and protection
against, damage caused by environmental events, unauthorised access, and other factors that may
impact the security of the service of facilities used for providing services.
The requirements for private parties come from the eIDAS Regulation [2], the Electronic Identification
and Trust Services for Electronic Transactions Act [5], and the contracts. The private parties have an
insurance policy to provide the security of the service.
The bases of continuity of vital services are regulated in the Emergency Act [23].
Physical security requirements for manufacturing and personalisation process and physical security
requirements for the personalisation site come from the PCI standards (as described in 2.4.5). The
physical and information systems security of the MFA is regulated with different internal organisational
documents.
4. Facilities used for providing the service ensure that access to areas holding or processing
personal, cryptographic or other sensitive information is limited to authorised staff or
subcontractors.
Implementing E-ITS [20] requirements ensure that access to areas holding or processing personal,
cryptographic, or other sensitive information is limited to authorised staff or subcontractors.
The archival rules referred to in 2.4.4 regulate and specify the requirements for assessment and
safekeeping of the records at public institutions or persons until their handover to the public archive
28
and the rules of handover, preservation, protection in the public archive, access management,
including issuance of the archival notice of the archive records.
Additionally, why and how data is gathered, kept, and handled and who has access to the data are
defined in the statutes of a particular database. This includes information system access control, which
is monitored in terms of who has which access rights, for how long, and given by whom. This ensures
that access rights are backwards traceable, should there be a need to identify who, when, why, and
where has granted access.
The requirements for private parties come from the eIDAS Regulation [2], the Electronic Identification
and Trust Services for Electronic Transactions Act [5], and the contracts; also, from the eID CP [6]. The
private party for manufacturing and personalisation of the ID cards operate under the PCI standards
that cover the physical security part and personnel requirements.
SUBSTANTIAL
Same as level low.
HIGH
Same as level low.
2.4.6. Technical controls
LOW
The service system is hosted by a qualified trust service provider, published in the national trusted list:
https://sr.riik.ee/en/trusted-list/ and in the EU trusted list: https://eidas.ec.europa.eu/efda/trust-
services/browse/eidas/tls.
eID CPS, eID CP, terms and conditions are available at https://repository.eidpki.ee/repository/.
Conformity assessments reports are provided upon request and under nondisclosure agreement.
1. The existence of proportionate technical controls to manage the risks posed to the security of
the services, protecting the confidentiality, integrity and availability of the information
processed.
Requirements for the existence of proportionate technical controls to manage the risks posed to the
security of services, protecting the confidentiality, integrity, and availability of the information
processed for contractors, come from European and national legislation, and the contracts. Data
between the PBGB, the card manufacturer, and CA transfers through secure PBGB exchange interface
HUB.
The data exchange takes place as a transmission of messages over the X-tee data exchange layer,
ensuring secure, standardised, and auditable message-based communication. Generic information on
X-tee can be found at https://www.ria.ee/en/state-information-system/x-tee.html.
29
As part of the Estonian eID scheme, a new intermediary service called HUB has been introduced to
support and standardise data exchange related to the issuance of ID-1 format identity documents. HUB
is a gateway-type service that mediates communication between the parties involved in the ID card
issuance process - the issuing authorities, the document manufacturer, and the QTSP. All data exchange
through HUB takes place over the X-tee data exchange layer, ensuring secure, auditable, and
standardised communication.
The primary role of HUB is to manage and mediate:
requests for personalisation orders of ID-1 format identity documents sent from issuing
authorities to the manufacturer,
notifications of personalisation order and delivery package status changes back to the
corresponding issuing authority systems, and
requests for certificate generation, activation, revocation, and related status queries sent to
the QTSP.
HUB enables the transmission of trust service responses both to the issuing authorities’ systems and
to the card manufacturer(s). By acting as a single intermediary, HUB reduces direct system-to-system
integrations and ensures consistent handling of processes and data.
The introduction of HUB aims to:
standardise communication between all parties involved in document issuance,
provide auditable and traceable data exchange,
increase resilience and efficiency by supporting the parallel or alternative use of different
QTSPs when requesting certificates.
2. Electronic communication channels used to exchange personal or sensitive information are
protected against eavesdropping, manipulation and replay.
Requirements for the existence of proportionate technical controls to manage the risks posed to the
security of services, protecting the confidentiality, integrity, and availability of the information
processed for private parties, come from European and national legislation, and the contracts. Data
between the PBGB, the card manufacturer, and CA transfers through secure PBGB exchange interface
HUB.
3. Access to sensitive cryptographic material, if used for issuing electronic identification means
and authentication, is restricted to the roles and applications strictly requiring access. It shall
be ensured that such material is never persistently stored in plain text.
Requirements for access restrictions for private parties come from the eIDAS Regulation [2], the
Electronic Identification and Trust Services for Electronic Transactions Act [5], and the contracts.
4. Procedures exist to ensure that security is maintained over time and that there is an ability to
respond to changes in risk levels, incidents and security breaches.
Security and risk management:
30
a) Middleware software (including card drivers) is maintained by the state and is frequently
updated.
b) In case of security vulnerabilities or cryptographic updates that might have an impact on the
security of already issued ID cards or to remain QSCD certified, the re-key of the certificates
shall be possible via ID card administration portal.
c) To prevent the potential digital misuse, the certificates can be revoked using revocation portal
which is accessible 24/7 to all ID card holders.
Requirements for private parties come from the eIDAS Regulation [2], the Electronic Identification and
Trust Services for Electronic Transactions Act [5], and the contracts. IDA [3] allows the issuing authority
to revoke the certificates, when necessary.
5. All media containing personal, cryptographic or other sensitive information are stored,
transported and disposed of in a safe and secure manner.
Requirements for private parties come from the eIDAS Regulation [2], the Electronic Identification and
Trust Services for Electronic Transactions Act [5] and other applicable national legislative Acts, and the
contracts.
SUBSTANTIAL
Same as level low, plus: Sensitive cryptographic material, if used for issuing electronic identification means and authentication is protected from tampering
Requirements for private parties come from the eIDAS Regulation [2], and other applicable national
legislative acts, and the contracts.
HIGH
Same as level substantial.
2.4.7. Compliance and audit
CA is subject to the eIDAS Regulation [2], with its implementing acts, and, at the national level, is
regulated by the Electronic Identification and Trust Services for Electronic Transactions Act [5].
CA has been audited by the certification body LSTI-Apave SAS (Conformity Assessment Body is
accredited for the certification of trust services according to ISO/IEC27001 and ETSI EN 319 403 [32])
and confirmed as a QTSP according to article 3 (20) of eIDAS by RIA. The initiation and supervisory
activities of the CA and its qualified trust service provided, and lifecycle management of the related
qualified status are carried out according to the figure below. The CA activities are under regular
supervision throughout the lifecycle of such services, from their commencement to their termination.
The CA has an obligation to communicate with RIA regarding any changes in the provision of its
qualified trust services, data set out in a notification according to paragraph 1 of article 21 of eIDAS
[2}, and any incidents concerning a breach of security or loss of integrity. The qualified trust services
provided by CA are in accordance with the requirements laid down in eIDAS [2], the ETSI European
31
Standard (ETSI EN), and national regulations. Information related to the CA and provided services have
been entered into the national trusted list by the validity of the relevant conformity assessment report,
in general, for 2 years. Detailed information regarding the CA, provided services, certificates,
certification practice statements, policies, and conformity assessment reports are available at the
website https://repository.eidpki.ee/repository/.
Activities for QTSP/QTS initiation and lifecycle management of the related qualified status of trust
service level is described on the following caption 3.
Caption 3 Activities for QTSP/QTS initiation and lifecycle management of the related qualified status of trust service level
32
LOW
The existence of periodical internal audits scoped to include all parts relevant to the supply of
the provided services to ensure compliance with relevant policy.
Please see the detailed description in the following section high.
SUBSTANTIAL
The existence of periodical independent internal or external audits scoped to include all parts
relevant to the supply of the provided services to ensure compliance with relevant policy.
Please see the detailed description in the following section high.
HIGH
1. The existence of periodical independent external audits scoped to include all parts relevant to
the supply of the provided services to ensure compliance with relevant policy.
The contractors of the PBGB and their subcontractors in connection with the issuance of documents
(including the ID card) must be audited accordingly and/or comply with requirements of standard(s)
(ETSI, PCI and/or ISO) until the expiry of the contracts or until the expiry of the last certificate pair
issued and/or renewed according to the specifics of particular standard or audit. The CA is audited
every year by a conformity assessment body, and RIA, as the Supervisory Body, confirms that the CA
fulfils the requirements laid down in eIDAS [2] and national laws for a QTSP. CA is audited at least every
2 years to confirm that the CA and the qualified trust services provided by them fulfil the requirements
laid down in eIDAS [2] and national law. E-ITS [20] preliminary audit was conducted in March 2025,
main audit begun in the beginning of September 2025.
2. Where a scheme is directly managed by a government body, it is audited in accordance with
the national law.
Estonian eID scheme is subject to national law, therefore, it is under supervisory control of the state.
Supervisory control is conducted in an administrative authority by a higher authority over the
subordinate administrative agency in terms of the lawfulness in actions and feasibility in functions.
Supervisory control of Estonian governmental authorities and agencies is regulated by chapter 7 of the
Government of the Republic Act [33]; hence, this requirement is fulfilled.
The PBGB is a government body supervised according to national laws and other legal acts applicable
to government bodies. Supervisory control is done by the Ministry of the Interior, as the PBGB is an
agency under the ministry. Supervisory control of the RIA is done by the Ministry of Justice and Digital
Affairs.
The PBGB has an internal audit bureau which provides independent, objective, and consulting activities
to create value and fulfilling organisational activities. Internal audits help to fulfil the organisational
objectives by using a systematic approach for evaluating and improving risk management, control, and
efficiency in organisation management culture processes. The activities of the Internal Audit Bureau
are based on the international standards of the Institute of Internal Auditors (external conformity
33
assessment conducted in 2025). The work of the Internal Audit Bureau is regulated by the PBGB
internal regulation. Risk management in the PBGB is regulated by the PBGB risk management
framework.
34
List of References
[1] Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on Published: https://eur-lex.europa.eu/eli/reg_impl/2015/1502/oj/eng
[2] Regulation (EU) 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market, as amended by Regulation (EU) 2024/1183 as regards establishing the European Digital Identity Framework (always referred together as eIDAS regulation) Reference: https://eur-lex.europa.eu/legal- content/EN/TXT/?uri=CELEX%3A02015R1502-20220711
[3] Identity Documents Act https://www.riigiteataja.ee/en/eli/ee/505012026002/consolide/current
[4] Subscriber Terms and Conditions for Certificates issued by Zetes Estonia OÜ for ID-1 format identity documents of the Republic of Estonia Published: https://repository.eidpki.ee/repository/
[5] Electronic Identification and Trust Services for Electronic Transactions Act (in English) Published: https://www.riigiteataja.ee/en/eli/ee/529122024007/consolide/current
[6] Certificate Policy for ID-1 format identity documents of the Republic of Estonia” (eID CP) Published: https://www.id.ee
[7] Zetes Estonia OÜ - Certification Practice Statement for the Intermediate CA for ID-1 documents of the Republic of Estonia (eID CPS) Published: https://repository.eidpki.ee/repository/
[8] www.id.ee webpage https://www.id.ee/ , in English: https://www.id.ee/en/
[9] Important points to remember for document users https://www.politsei.ee/en/important-points-to-remember-for-document-users
[10] Regulation No 20 of the Minister of the Interior, as of 01.08.2025 (only in Estonian) Published: https://www.riigiteataja.ee/akt/129072025001
[11] Consular Act Published: https://www.riigiteataja.ee/en/eli/ee/516122025001/consolide/current
[12] ABIS Database information Published: https://www.siseministeerium.ee/en/abis
[13] Regulation No. 62 of the Minister of the Interior “Requirements for a photograph when applying for an identity document” (only in Estonian) Published: https://www.riigiteataja.ee/akt/108122015004?leiaKehtiv
[14] ABIS Database Statute (only in Estonian) Published: https://www.riigiteataja.ee/akt/103102023017?leiaKehtiv
[15] Citizenship Act Published: https://www.riigiteataja.ee/en/eli/528072025002/consolide
[16] Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and repealing Regulation (EEC) No 339/93. Published: http://data.europa.eu/eli/reg/2008/765/2021-07-16
[17] Police and Border Guard Act Published: https://www.riigiteataja.ee/en/eli/ee/527102025003/consolide/current
[18] Police and Border Guard Statute (only in Estonian) Published: https://www.riigiteataja.ee/akt/128062025002?leiaKehtiv
[19] SMIT Statute (only in Estonian) Published: https://www.riigiteataja.ee/akt/109072024006?leiaKehtiv
35
[20] Estonian Information Security Standard (E-ITS, website in Estonian, some documents also in English) Published: https://eits.ria.ee
[21] RIA Statute (only in Estonian) Published: https://www.riigiteataja.ee/akt/127122024010?leiaKehtiv
[22] German BSI IT-Grundschutz baseline security system https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards- und-Zertifizierung/IT-Grundschutz/it-grundschutz_node
[23] Emergency Act Published: https://www.riigiteataja.ee/en/eli/ee/527102025001/consolide/current
[24] General Part of the Economic Activities Code Act Published: https://www.riigiteataja.ee/en/eli/ee/511092025011/consolide/current
[25] ITDAK Database Statute (only in Estonian) Published: https://www.riigiteataja.ee/akt/102072025011?leiaKehtiv
[26] Statutory Fees Act Published: https://www.riigiteataja.ee/en/eli/ee/525112025005/consolide/current
[27] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 Published: https://eur-lex.europa.eu/legal- content/EN/TXT/?uri=CELEX%3A32016R0679&qid=1765634765358
[28] Personal Data Protection Act Published: https://www.riigiteataja.ee/en/eli/522092025009/consolide
[29] Public Information Act (in English) Published: https://www.riigiteataja.ee/en/eli/ee/514112013001/consolide/current
[30] Civil Service Act (in English) Published: https://www.riigiteataja.ee/en/eli/ee/502012018003/consolide/current
[31] ISO standards Published: https://www.iso.org/standards.html
[32] ETSI EN 319 403 https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_319 40301v020301p.pdf
[33] Government of the Republic Act Published https://www.riigiteataja.ee/en/eli/ee/504092025010/consolide/current
Police and Border Guard Board Address: Pärnu mnt 139
15060 Tallinn Estonia
Email: [email protected] Webpage: www.politsei.ee
2026
NOTIFICATION FORM FOR ID CARD AND RP CARD OF THE REPUBLIC OF ESTONIA
1
NOTIFICATION FORM FOR ELECTRONIC IDENTITY SCHEME UNDER ARTICLE 9 (5) OF REGULATION (EU) NO. 910/2014 The Republic of Estonia hereby notifies the European Commission of an electronic identification scheme to be published in the list referred to in article 9 (3) of Regulation (EU) no. 910/2014, and confirms the following: — the information communicated in this notification is consistent with the information which has been communicated to the Cooperation Group in accordance with article 7 (g) of Regulation (EU) no. 910/2014, and — the electronic identification scheme can be used to access at least one service provided by a public- sector body in the Republic of Estonia. Egert Belitšev Director General of the Police and Border Guard Board
1. General information
Title of scheme Level of assurance
LoA Mapping of the Estonian ID card high
LoA Mapping of the Estonian residence permit card (RP card) high
2. The authority/authorities responsible for the electronic identification scheme
Name of the authority Email address
Police and Border Guard (PBGB) eID scheme operator, who also fulfils the role of RA (registration authority – issuing documents/revoking certificates, except for diplomatic identity cards)
Ministry of the Interior policymaking in the field of identity management and personal identity documents
Ministry of Justice and Digital Affairs policymaking in the field of IT and trust services
Information System Authority (RIA) technical architecture of eID and cybersecurity incident management, supervision of trust service providers
Ministry of Foreign Affairs accepts identity and RP card applications, forwards collected applications to PBGB, and hands over identity and RP cards in the foreign representation
3. Information on relevant parties, entities and bodies involved in the electronic identification scheme
3.1 Name of the entity or entities managing the registration process of the unique person
identification data PBGB manages the registration process of the unique person identification data.
2
3.2 Party issuing the electronic identification means The electronic identity means are issued, according to article 7 (a) (i) of Regulation (EU) no. 910/2014, by the notifying Member State, the Republic of Estonia, in particular the PBGB.
3.3 Party operating the authentication procedure The authentication procedure is assured (granted) by PBGB through a subcontracted qualified trust service provider (certification authority, CA).
3.4 Supervisory body PBGB is a governmental body supervised according to national laws and other legal acts applicable to government bodies. The Ministry of the Interior is the main supervisory body for PBGB. The Ministry of Foreign Affairs is the supervisory body of Estonian foreign representations. RIA is the supervisory body of trust service providers.
4. Description of the electronic identification scheme There are three types of Estonian eID means that are both physical identification documents as well as digital identity documents:
- ID card, - the RP card, - diplomatic identity card (please see notification form for diplomatic identity card separately).
This notification form covers the ID card and RP cards. Estonian eID scheme is based on using PKI with cryptography according to best practices and using QSCD smartcards. All aforementioned cards have public key certificates (authentication, signing, encryption), also stored on the smart card. The secure module on the smart card is a QSCD certified device. Smart card solution protects the private key from unauthorised access, copying, or tampering. Identity data (person’s first and last name and a personal identification code) is stored in the public key certificate. These certificates are accessible on the smart card and in the public LDAP repository. The following parties are involved in the management of the eID scheme.
As the issuing authority, the PBGB
RIA is a government body which is responsible mainly for the governance of public sector IT. RIA also hosts the national CERT-EE and serve as a supervisory body for trust service providers. In terms of eID, RIA is responsible for eID hardware and software requirements. RIA maintains a set of requirements for eID, participates in procurements, and validates results as a partner organisation for PBGB. In addition, RIA develops and maintains middleware software and ID software for maintaining eID cards, also software for e-signatures.
PBGB is the issuer of ID-1 format identity documents.
PBGB has a contractor for manufacture and personalisation of ID-1 format identity documents. Card manufacturer is Thales DIS Finland OY with a subcontractor for personalisation – Hansab AS.
3
The CA is a qualified trust service provider – Zetes SA. Zetes SA is responsible for issuance of qualified certificates for electronic signatures and certificates for authentication and encryption for Estonian ID-1 format identity documents. They are responsible for the certificate life cycle: creation, activation, suspension and revocation.
Issuance of the ID card and RP card is described in section 2.2.2 of the LoA mapping documents. Authentication mechanisms are described in section 2.3 of the LoA mapping documents. Assurance requirements are based on European legislation (i.e. eIDAS Regulation, GDPR, etc.) and national legislation (i.e. the Electronic Identification and Trust Services for Electronic Transactions Act, Emergency Act, and other acts) for both public and private parties involved. Additional requirements from tender documents and contracts apply for identity documents manufacturing and personalisation, as well as for the qualified trust service provider. List of the additional attributes which may be provided in relation to natural persons under the electronic identification scheme if requested by a relying party The minimum data set is provided to the requesting party. No additional attributes are provided for natural persons under the scheme if requested by a relying party. List of the additional attributes which may be provided in relation to legal persons under the electronic identification scheme if requested by a relying party Estonian eID means are used only for identification of natural persons, therefore no additional attributes are provided for legal persons under the scheme if requested by a relying party.
4.1 Applicable supervisory, liability and management regime
4.1.1 Description of the supervisory regime of the electronic identification scheme including the evaluation process
(a) The supervisory regime applicable to the party or parties issuing the electronic identification
means PBGB is a government body supervised according to national laws and other legal acts applicable to government bodies. Supervisory control is done by the Ministry of the Interior, as PBGB is a government body under the ministry. RIA is also the supervisory body, who is responsible for supervisory tasks that are set out in article 17 of the eIDAS Regulation (the assessment of qualified status of trust services and issuance of licenses to provide trust services, the managing of trust list of Estonian trust service providers and supervising of notified trust services providers in meeting the established requirements).
(b) The supervisory regime applicable to the party or parties operating the eIDAS node Public and private parties act in accordance with European legislation (i.e. eIDAS Regulation, GDPR, etc) and national legislation (i.e. the Electronic Identification and Trust Services for Electronic Transactions Act, Emergency Ac, and other acts). PBGB is responsible for identity management procedures, and the same supervisory regime applies as described in point (a).
4
The MFA is supervised according to national laws and legal acts applicable to government bodies. RIA is acting as supervisory body according to article 19 of the eIDAS Regulation and section 45 of the Estonian Emergency Act. Section 36 of the Emergency Act lists electronic authentication and digital signing (qualified electronic signature) as vital services. Subsection 94 (31) of the Identity Documents Act states that the provider of certification service that enables digital identification and digital signing with the certificate which is entered in the documents issued on the basis of this Act is the provider of vital service specified in clause 8 of subsection 1 of § 36 of the Emergency Act. RIA is acting also as the supervisory body according to article 17 of the eIDAS Regulation, as the electronic identification and qualified trust services (including qualified e-signature) are using the same means (QSCD). Supervisory control of RIA is done by the Ministry of Justice and Digital Affairs. Supervisory control is conducted in administrative authority by a higher authority over a subordinate governmental body in terms of lawfulness in action and feasibility in functions. Supervisory control of Estonian governmental authorities and agencies is regulated by chapter 7 of the Government of the Republic Act.
4.1.2 Applicable liability regime (a) Liability of the Member State under Article 11(1) of Regulation (EU) No 910/2014
Estonian eID means are subject to European and national laws. Therefore, it is a liability of the Estonian government. Supervisory control is conducted in an administrative authority by a higher authority over the subordinate administrative agency in terms of the lawfulness in actions and feasibility in functions. Chapter 7 of the Government of the Republic Act regulates supervisory control of Estonian governmental authorities and agencies; hence, this requirement is fulfilled.
(b) Liability of the party or parties issuing the electronic identification means under Article 11(2) of Regulation (EU) No 910/2014
PBGB has full liability in identity management for issuing the ID card and RP card.
(c) Liability of the party or parties operating the eIDAS node under Article 11(3) of Regulation (EU) No 910/2014
Liability for operating the authentication procedure under Article 11(3) of Regulation (EU) no 910/2014 is held by the CA or a certification service provider who is a qualified trust service provider (in accordance with the eIDAS Regulation): Zetes SA.
4.1.3 Applicable management arrangements The validity of Estonian identity documents can be checked at the following link: https://www.politsei.ee/et/paringud/dokumendi-kehtivuse-kontroll. Suspension by certificate owner of eID means after issuance is not possible by the request of the document holder. Only revocation is allowed. According to section 17(1) of the Electronic Identification and Trust Services for Electronic Transactions Act a trust service provider has the right to suspend a certificate if there is a suspicion that incorrect data have
5
been entered in the certificate or that it is possible to use the private key corresponding to the public key contained in the certificate without the consent of the certificate holder. The legal framework of revocation of the electronic identification means is set by the eIDAS Regulation,
with its implementing acts, and is regulated at the national level by the IDA and eID CP. The document
holder is obliged to notify the issuing authority in case of theft or loss of the ID card, so that the certificates
can be revoked.
Revocation of certificates can be done in person by appearing in a service point of the issuing authority or
using revocation portal which is accessible 24/7. Revocation of the certificates means that the certificates
are revoked; therefore, electronic functionality cannot be used.
4.2 Electronic identification scheme components
4.2.1 Enrolment
(a) Application and registration
Application and registration is described in section 2.1.1 of the LoA mapping documents for ID card and RP card.
(b) Identity proofing and verification of a natural person Identity proofing and verification (natural person) is described in section 2.1.2 of the LoA mapping documents for ID card and RP card.
(c) Identity proofing and verification of a legal person
Estonian eID means are used only for identification of natural persons; therefore, this is not applicable.
(d) binding between the electronic identification means for natural and legal persons Estonian eID means are used only for identification of natural persons; therefore, this is not applicable.
4.2.2 Electronic identification means management
(a) Characteristics and design of the electronic identification means, including information on security certification
eID means characteristics and design are described in section 2.2.1 of the LoA mapping documents for ID card and RP card.
(b) Issuance, delivery and activation Issuance, delivery and activation is described in section 2.2.2 of the LoA mapping documents for ID card and RP card.
6
(c) Suspension, revocation and reactivation Suspension and therefore reactivation of eID means by document holder is not possible; revocation is described in section 2.2.3 of the LoA mapping documents for ID card and RP card.
(d) Renewal and replacement Renewal and replacement is described in section 2.2.4 of the LoA mapping documents for ID card and RP card.
4.2.3 Authentication In general, there are no restrictions for the use of Estonian eID-based electronic authentication. The authentication is an establishment of TLS (transport layer security) communication with the client certificate, and everyone (public and private sector) can use it. The only limitation is the use of the OSCP (online certificate status protocol) service for checking certificate validity. The diagram below illustrates the complete CA hierarchy and related services. In the schema below “Intermediate CA” represents the qualified CA that issues the subscriber certificates.
Caption 1 CA hierarchy and related services for the Republic of Estonia
The authentication mechanism of the ID and RP card in case of TLS Client Certificate Authentication (CCA) is described in section 2.3 of the LoA mapping documents for ID card and RP card.
4.2.4 Management and organisation
(a) General provisions on management and organisation General provisions are described in section 2.4.1 of the LoA mapping documents for ID card and RP card.
(b) Published notices and user information Published notices and user information is described in section 2.4.2 of the LoA mapping documents for ID card and RP card.
7
(c) Information security management
Information security management is described in section 2.4.3 of the LoA mapping documents for ID card and RP card.
(d) Record keeping
Record keeping is described in section 2.4.4 of the LoA mapping documents for ID card and RP card.
(e) Facilities and staff Facilities and staff are described in section 2.4.5 of the LoA mapping documents for ID card and RP card.
(f) Technical controls Technical controls are described in section 2.4.6 of the LoA mapping documents for ID card and RP card.
(g) Compliance and audit Compliance and audit are described in section 2.4.7 of the LoA mapping documents for ID card and RP card.
4.3 Interoperability Authorisation/access to Estonian e-services are based on a unique identifier. In the Estonian national infrastructure, the personal identification code is used as the unique identifier. Foreigners who have been issued an Estonian identity document under the Identity Documents Act and all Estonian citizens have a personal identification code and are recorded centrally in the Estonian population register. The personal identification code consists of 11 digits, the first of which shows the sex of the person and the next six of which show her or his date of birth. The following three digits are sequential numbers for children born on the same day, and the last digit is a control number. The Estonian population register is a database which unites the main personal data on Estonian citizens, citizens of the European Union who have registered their residence in Estonia, and foreigners who have been granted a residence permit or right of residence in Estonia. State and local government agencies and legal and natural persons can access information in the Estonian population register to perform public duties, where the performance of public duties must be based on the main information of the Estonian population register. Natural and legal persons with legitimate interest can also access information in the Estonian population register. Information in the Estonian population register is preserved for an unspecified term. The use of information in the Estonian population register is guided by the provisions of the Population Register Act and the Personal Data Protection Act. The protection of data is monitored by the Data Protection Inspectorate and the Ministry of the Interior as the authorised administrator. Upon maintenance of the Estonian population register, the protection of the private life of individuals is ensured. The Estonian eIDAS Node managed by RIA is integrated into the eIDAS Interoperability Framework in
accordance with the eIDAS Technical Specifications of the eIDAS Technical Subgroup on eID of the EUDI
Cooperation Group.
For cross-border interoperability, the RIA operates centralized eIDAS Node services, where:
1) eIDAS Proxy Service enables authentication requests from another EU Member State with Estonian notified eID schemes,
2) eIDAS Connector enables authentication in Estonian public sector online services with notified eID schemes of the EU.
8
The figure below presents main use cases and technical components for national and cross-border authentication. Each arrow indicates different scenarios, where:
yellow indicates Estonian eID user who initiates authentication in the EU Member State (MS) e- service provider,
red indicates EU Member State (MS) eID user who initiates authentication in the Estonian e-service provider,
green indicates Estonian eID user who initiates authentication in the Estonian e-service provider.
Caption 2 Main technical components for national and cross-border authentication
The Estonian eIDAS Proxy Service uses the State Authentication Service (TARA) interface, acting as an eIDAS Identity Provider (IdP). Estonian eIDAS Proxy Service structure relies on the operating principles of the eIDAS Node sample software, including two Java web applications (SpecificProxyService and eIDAS Node) and a database. The SpecificProxyService is responsible for a communication with TARA, which uses OIDC protocol as an authentication protocol. The eIDAS Node application in the Estonian eIDAS Proxy Service implementation is part of the European Commission’s eIDAS Node sample software that is responsible for a secure communication between member states eIDAS Nodes using the eIDAS SAML protocol. Both applications use a database as a background channel and a special XML intermediate protocol developed by European Commission (so-called LightRequest and LightResponse) to communicate with each other.
9
On a successful authentication, the minimum set of personal data is sent back to the requesting party. The
The minimum data set of a natural person contains current family name(s), current first name(s), date of
birth and unique persistent identifier (Estonian personal identification code). The minimum data set of a
legal person contains current legal name, Business Registry code (identifier for a legal person in Estonia).
The minimum data set attributes of a natural person are based on a data available on the ID card and RP
card certificate; the legal person's minimum data set attributes are requested from Estonian e-Business
Registry using X-Road data exchange layer.
Similarly to the Estonian eIDAS Proxy Service, the Estonian eIDAS Connector structure relies on the operating principles of the eIDAS Node sample software, including two Java web applications (SpecificConnector and eIDAS Node) and a database. The SpecificConnector is responsible for a communication with TARA and the Estonian eIDAS Node application. The Estonian eIDAS Connector is integrated with German eIDAS middleware instance that implements an adapted eID server with an eIDAS interface and realises the server-side component of the authentication process with the online ID function for German notified eID. The Estonian eIDAS Node services and the TARA are operated within Estonian Information Security Standard (E-ITS) aligned to ISO/IEC 27001 and Estonian public‑sector security baseline requirements. Through this mechanism, the requirements under the Commission Implementing Regulation (EU) 2015/1502 are met.
4.4 Supporting documentation Documentation presented LoA Mapping of the Estonian ID card on level „High“ LoA Mapping of the Estonian RP card on level „High“ White paper Interoperability mapping List of national legislation related to the electronic identification in Estonia:
Aliens Act, https://www.riigiteataja.ee/en/eli/ee/506012026003/consolide/current
Citizenship Act, https://www.riigiteataja.ee/en/eli/528072025002/consolide
Civil Service Act, https://www.riigiteataja.ee/en/eli/ee/512082025001/consolide/current
Consular Act, https://www.riigiteataja.ee/en/eli/516122025001/consolide
Electronic Identification and Trust Services for Electronic Transactions Act, https://www.riigiteataja.ee/en/eli/530122025007/consolide
Emergency Act, https://www.riigiteataja.ee/en/eli/ee/514012026006/consolide/current
General Part of the Economic Activities Code Act, https://www.riigiteataja.ee/en/eli/511092025011/consolide
Government of the Republic Act, https://www.riigiteataja.ee/en/eli/ee/504092025010/consolide/current
Identity Documents Act, https://www.riigiteataja.ee/en/eli/ee/505012026002/consolide/current
Personal Data Protection Act, https://www.riigiteataja.ee/en/eli/ee/522092025009/consolide/current
Police and Border Guard Act, https://www.riigiteataja.ee/en/eli/527102025003/consolide
Population Register Act, https://www.riigiteataja.ee/en/eli/503122025003/consolide
Public Information Act, https://www.riigiteataja.ee/en/eli/ee/511092025008/consolide/current
Regulation 62 of the Minister of the Interior, as of 01.12.2015 (in Estonian only), https://www.riigiteataja.ee/akt/118112016005?leiaKehtiv
10
Regulation 78 of the Minister of the Interior, as of 18.12.2015 (Statutes of the Identity Documents Database, in Estonian only), https://www.riigiteataja.ee/akt/114012017016?leiaKehtiv
Regulation 20 of the Minister of the Interior, as of 01.08.2025 (in Estonian only), https://www.riigiteataja.ee/akt/129072025001
Statutes of the Data Protection Inspectorate (in Estonian only), https://www.riigiteataja.ee/akt/118092025005?leiaKehtiv
Statutes of the IT and Development Centre, Ministry of the Interior (in Estonian only), https://www.riigiteataja.ee/akt/109072024006?leiaKehtiv
Statutes of the Ministry of the Interior (in Estonian only), https://www.riigiteataja.ee/akt/122012025004
Statutes of the Ministry of Foreign Affairs (in Estonian only), https://www.riigiteataja.ee/akt/114072023002?leiaKehtiv
Statutes of the Ministry of Justice and Digital Affairs (in Estonian only), https://www.riigiteataja.ee/akt/116092025018?leiaKehtiv
Statutes of the Police and Border Guard Board (in Estonian only), https://www.riigiteataja.ee/akt/128062025002?leiaKehtiv
Statutory Fees Act, https://www.riigiteataja.ee/en/eli/ee/530122025005/consolide/current
RIA statutes (in Estonian only), https://www.riigiteataja.ee/akt/127122024010?leiaKehtiv
Police and Border Guard Board Address: Pärnu mnt 139
15060 Tallinn Estonia
Email: [email protected] Webpage: www.politsei.ee
2026
NOTIFICATION FOR FOR DIPLOMATIC IDENTITY CARD OF THE REPUBLIC OF ESTONIA
1
NOTIFICATION FORM FOR ELECTRONIC IDENTITY SCHEME UNDER ARTICLE 9 (5) OF REGULATION (EU) NO. 910/2014 The Republic of Estonia hereby notifies the European Commission of an electronic identification scheme to be published in the list referred to in article 9 (3) of Regulation (EU) no. 910/2014, and confirms the following: — the information communicated in this notification is consistent with the information which has been communicated to the Cooperation Group in accordance with article 7 (g) of Regulation (EU) no. 910/2014, and — the electronic identification scheme can be used to access at least one service provided by a public- sector body in the Republic of Estonia. Egert Belitšev Director General of the Police and Border Guard Board
1. General information
Title of scheme Level of assurance
LoA Mapping of the Estonian diplomatic identity card high
2. The authority/authorities responsible for the electronic identification scheme
Name of the authority Email address
Ministry of Foreign Affairs (MFA) identity document management in embassies, identity management, and issuance of diplomatic identity cards
Police and Border Guard (PBGB) eID scheme operator, and procurement of card blanks, personalisation and certificates
Ministry of the Interior policymaking in the field of identity management and personal identity documents
Ministry of Justice and Digital Affairs policymaking in the field of IT and trust services
Information System Authority (RIA) technical architecture of eID and cybersecurity incident management, supervision of trust service providers
3. Information on relevant parties, entities and bodies involved in the electronic identification scheme
3.1 Name of the entity or entities managing the registration process of the unique person
identification data The registration process of a diplomatic identity document is managed by MFA in cooperation with PBGB.
2
3.2 Party issuing the electronic identification means The diplomatic identity means are issued, according to article 7 (a) (i) of Regulation (EU) no. 910/2014, by the notifying Member State, the Republic of Estonia, in particular the MFA.
3.3 Party operating the authentication procedure The authentication procedure is assured (granted) by PBGB through a subcontracted qualified trust service provider (certification authority, CA).
3.4 Supervisory body PBGB is a governmental body supervised according to national laws and other legal acts applicable to government bodies. The Ministry of the Interior is the main supervisory body for PBGB. The MFA is a government body supervised according to national laws and legal acts applicable to government bodies. Supervisory body of the MFA is the Government of Estonian Republic. RIA is the supervisory body of trust service providers.
4. Description of the electronic identification scheme There are three types of Estonian eID means that are both physical identification documents as well as digital identity documents:
- ID card, - the residence permit card (please see notification form for the ID card and residence permit card
separately), - diplomatic identity card.
This notification form covers the diplomatic identity card. Estonian eID scheme is based on using PKI with cryptography according to best practices and using QSCD smartcards. All aforementioned cards have public key certificates (authentication, signing, encryption), also stored on the smart card. The secure module on the smart card is a QSCD certified device. Smart card solution protects the private key from unauthorised access, copying, or tampering. Identity data (person’s first and last name and a personal identification code) is stored in the public key certificate. These certificates are accessible on the smart card and in the public LDAP repository. The following parties are involved in the management of the eID scheme.
The MFA is responsible for identity management and issuance of diplomatic identity cards. The issuing of the cards are regulated by the Foreign Relations Act, the Identity Documents Act and the Regulation 7 of the Minister of the Foreign Affairs, as of 09.03.2017.
RIA is a government body which is responsible mainly for the governance of public sector IT. RIA also hosts the national CERT-EE and serve as a supervisory body for trust service providers. In terms of eID, RIA is responsible for eID hardware and software requirements. RIA maintains a set of requirements for eID, participates in procurements, and validates results as a partner organisation for PBGB. In addition, RIA develops and maintains middleware software and ID software for maintaining eID cards, also software for e-signatures.
3
PBGB is operating under the authorisation of the Estonian Government to represent MFA for procurement of card blanks, personalisation and certificates. PBGB has a contractor for manufacture and personalisation of ID-1 format identity documents. Card manufacturer is Thales DIS Finland OY with a subcontractor for personalisation – Hansab AS.
The CA is a qualified trust service provider – Zetes SA. Zetes SA is responsible for issuance of qualified certificates for electronic signatures and certificates for authentication for Estonian identity documents. They are responsible for the certificate life cycle: creation, activation, suspension and revocation.
Issuance of the diplomatic identity card is described in section 2.2.2 of the LoA mapping document. Authentication mechanisms are described in section 2.3 of the LoA mapping document. Assurance requirements are based on European legislation (i.e. eIDAS Regulation, GDPR, etc.) and national legislation (i.e. the Electronic Identification and Trust Services for Electronic Transactions Act, Emergency Act, and other acts) for both public and private parties involved. Additional requirements from tender documents and contracts apply for identity documents manufacturing and personalisation, as well as for the qualified trust service provider. List of the additional attributes which may be provided in relation to natural persons under the electronic identification scheme if requested by a relying party The minimum data set is provided to the requesting party. No additional attributes are provided for natural persons under the scheme if requested by a relying party. List of the additional attributes which may be provided in relation to legal persons under the electronic identification scheme if requested by a relying party Estonian eID means are used only for identification of natural persons, therefore no additional attributes are provided for legal persons under the scheme if requested by a relying party.
4.1 Applicable supervisory, liability and management regime
4.1.1 Description of the supervisory regime of the electronic identification scheme including the evaluation process
(a) The supervisory regime applicable to the party or parties issuing the electronic identification
means The MFA is supervised according to national laws and legal acts applicable to government bodies. PBGB is a government body supervised according to national laws and other legal acts applicable to government bodies. Supervisory control is done by the Ministry of the Interior, as PBGB is a government body under the ministry. RIA is also the supervisory body, who is responsible for supervisory tasks that are set out in article 17 of the eIDAS Regulation (the assessment of qualified status of trust services and issuance of licenses to provide trust services, the managing of trust list of Estonian trust service providers and supervising of notified trust services providers in meeting the established requirements).
4
(b) The supervisory regime applicable to the party or parties operating the eIDAS node Public and private parties act in accordance with European legislation (i.e. eIDAS Regulation, GDPR, etc) and national legislation (i.e. the Electronic Identification and Trust Services for Electronic Transactions Act, Emergency Ac, and other acts). The MFA is responsible for identity management procedures, and the same supervisory regime applies as described in point (a). RIA is acting as supervisory body according to article 19 of the eIDAS Regulation and section 45 of the Estonian Emergency Act. Section 36 of the Emergency Act lists electronic authentication and digital signing (qualified electronic signature) as vital services. Subsection 94 (31) of the Identity Documents Act states that the provider of certification service that enables digital identification and digital signing with the certificate which is entered in the documents issued on the basis of this Act is the provider of vital service specified in clause 8 of subsection 1 of § 36 of the Emergency Act. RIA is acting also as the supervisory body according to article 17 of the eIDAS Regulation, as the electronic identification and qualified trust services (including qualified e-signature) are using the same means (QSCD). Supervisory control of RIA is done by the Ministry of Justice and Digital Affairs. Supervisory control is conducted in administrative authority by a higher authority over a subordinate governmental body in terms of lawfulness in action and feasibility in functions. Supervisory control of Estonian governmental authorities and agencies is regulated by chapter 7 of the Government of the Republic Act.
4.1.2 Applicable liability regime (a) Liability of the Member State under Article 11(1) of Regulation (EU) No 910/2014
Estonian eID means are subject to European and national laws. Therefore, it is a liability of the Estonian government. Supervisory control is conducted in an administrative authority by a higher authority over the subordinate administrative agency in terms of the lawfulness in actions and feasibility in functions. Chapter 7 of the Government of the Republic Act regulates supervisory control of Estonian governmental authorities and agencies; hence, this requirement is fulfilled.
(b) Liability of the party or parties issuing the electronic identification means under Article 11(2) of Regulation (EU) No 910/2014
MFA has full liability in identity management for issuing of diplomatic identity cards.
(c) Liability of the party or parties operating the eIDAS node under Article 11(3) of Regulation (EU) No 910/2014
Liability for operating the authentication procedure under Article 11(3) of Regulation (EU) no 910/2014 is held by the CA or a certification service provider who is a qualified trust service provider (in accordance with the eIDAS Regulation): Zetes SA.
4.1.3 Applicable management arrangements Suspension by certificate owner of eID means after issuance is not possible by the request of the document holder. Only revocation is allowed.
5
According to section 17(1) of the Electronic Identification and Trust Services for Electronic Transactions Act a trust service provider has the right to suspend a certificate if there is a suspicion that incorrect data have been entered in the certificate or that it is possible to use the private key corresponding to the public key contained in the certificate without the consent of the certificate holder. The legal framework of revocation of the electronic identification means is set by the eIDAS Regulation,
with its implementing acts, and is regulated at the national level by the IDA and eID CP. The document
holder is obliged to notify the issuing authority in case of theft or loss of the ID card, so that the certificates
can be revoked.
Revocation of certificates can be done in person by appearing in a service point of the issuing authority or using revocation portal which is accessible 24/7. Revocation of the certificates means that the certificates are revoked; therefore, electronic functionality cannot be used.
4.2 Electronic identification scheme components
4.2.1 Enrolment
(a) Application and registration Application and registration is described in section 2.1.1 of the LoA mapping document for diplomatic identity card.
(b) Identity proofing and verification of a natural person Identity proofing and verification (natural person) is described in section 2.1.2 of the LoA mapping document for diplomatic identity card.
(c) Identity proofing and verification of a legal person
Estonian eID means are used only for identification of natural persons; therefore, this is not applicable.
(d) binding between the electronic identification means for natural and legal persons Estonian eID means are used only for identification of natural persons; therefore, this is not applicable.
4.2.2 Electronic identification means management
(a) Characteristics and design of the electronic identification means, including information on security certification
eID means characteristics and design are described in section 2.2.1 of the LoA mapping document for diplomatic identity card.
(b) Issuance, delivery and activation Issuance, delivery and activation is described in section 2.2.2 of the LoA mapping document for diplomatic identity card.
6
(c) Suspension, revocation and reactivation Suspension and therefore reactivation of eID means by document holder is not possible; revocation is described in section 2.2.3 of the LoA mapping document for diplomatic identity card.
(d) Renewal and replacement Renewal and replacement is described in section 2.2.4 of the LoA mapping document for diplomatic identity card.
4.2.3 Authentication In general, there are no restrictions for the use of Estonian eID-based electronic authentication. The authentication is an establishment of TLS (transport layer security) communication with the client certificate, and everyone (public and private sector) can use it. The only limitation is the use of the OSCP (online certificate status protocol) service for checking certificate validity. The diagram below illustrates the complete CA hierarchy and related services. In the schema below “Intermediate CA” represents the qualified CA that issues the Subscriber Certificates.
Caption 1 CA hierarchy and related services for the Republic of Estonia
The authentication mechanism of the ID card (including the diplomatic identity card) in case of TLS Client Certificate Authentication (CCA) is described in section 2.3 of the LoA mapping document for diplomatic identity card.
4.2.4 Management and organisation
(a) General provisions on management and organisation General provisions are described in section 2.4.1 of the LoA mapping document for diplomatic identity card.
7
(b) Published notices and user information Published notices and user information is described in section 2.4.2 of the LoA mapping document for diplomatic identity card.
(c) Information security management Information security management is described in section 2.4.3 of the LoA mapping document for diplomatic identity card.
(d) Record keeping
Record keeping is described in section 2.4.4 of the LoA mapping document for diplomatic identity card.
(e) Facilities and staff Facilities and staff are described in section 2.4.5 of the LoA mapping document for diplomatic identity card.
(f) Technical controls Technical controls are described in section 2.4.6 of the LoA mapping document for diplomatic identity card.
(g) Compliance and audit Compliance and audit are described in section 2.4.7 of LoA mapping document for diplomatic identity card.
4.3 Interoperability Authorisation/access to Estonian e-services are based on a unique identifier. In the Estonian national infrastructure, the personal identification code is used as the unique identifier. Aliens who have been issued an Estonian identity document under the Identity Documents Act and all Estonian citizens have a personal identification code and are recorded centrally in the Estonian population register. The personal identification code consists of 11 digits, the first of which shows the sex of the person and the next six of which show her or his date of birth. The following three digits are sequential numbers for children born on the same day, and the last digit is a control number. The Estonian population register is a database which unites the main personal data on Estonian citizens, citizens of the European Union who have registered their residence in Estonia, and aliens who have been granted a residence permit or right of residence in Estonia. State and local government agencies and legal and natural persons can access information in the Estonian population register to perform public duties, where the performance of public duties must be based on the main information of the Estonian population register. Natural and legal persons with legitimate interest can also access information in the Estonian population register. Information in the Estonian population register is preserved for an unspecified term. The use of information in the Estonian population register is guided by the provisions of the Population Register Act and the Personal Data Protection Act. The protection of data is monitored by the Data Protection Inspectorate and the Ministry of the Interior as the authorised administrator. Upon maintenance of the Estonian population register, the protection of the private life of individuals is ensured. The Estonian eIDAS Node managed by RIA is integrated into the eIDAS Interoperability Framework in
accordance with the eIDAS Technical Specifications of the eIDAS Technical Subgroup on eID of the EUDI
Cooperation Group.
8
For cross-border interoperability, the RIA operates centralized eIDAS Node services, where:
1) eIDAS Proxy Service enables authentication requests from another EU Member State with Estonian notified eID schemes,
2) eIDAS Connector enables authentication in Estonian public sector online services with notified eID schemes of the EU.
The figure below presents main use cases and technical components for national and cross-border authentication. Each arrow indicates different scenarios, where:
yellow indicates Estonian eID user who initiates authentication in the EU Member State (MS) e- service provider
red indicates EU Member State (MS) eID user who initiates authentication in the Estonian e-service provider
green indicates Estonian eID user who initiates authentication in the Estonian e-service provider.
Caption 2 Main technical components for national and cross-border authentication
The Estonian eIDAS Proxy Service uses the State Authentication Service (TARA) interface, acting as an eIDAS Identity Provider (IdP). Estonian eIDAS Proxy Service structure relies on the operating principles of the eIDAS Node sample software, including two Java web applications (SpecificProxyService and eIDAS Node) and a database. The SpecificProxyService is responsible for a communication with the TARA, which uses OIDC protocol as an
9
authentication protocol. The eIDAS Node application in the Estonian eIDAS Proxy Service implementation is part of the European Commission’s eIDAS Node sample software that is responsible for a secure communication between member states eIDAS Nodes using the eIDAS SAML protocol. Both applications use a database as a background channel and a special XML intermediate protocol developed by European Commission (so-called LightRequest and LightResponse) to communicate with each other.
On a successful authentication, the minimum set of personal data is sent back to the requesting party. The
minimum data set of a natural person contains current family name(s), current first name(s), date of birth
and unique persistent identifier (Estonian personal identification code). The minimum data set of a legal
person contains current legal name, Business Registry code (identifier for a legal person in Estonia). The
minimum data set attributes of a natural person are based on a data available on the diplomatic identity
card certificate; the legal person's minimum data set attributes are requested from Estonian e-Business
Registry using X-Road data exchange layer.
Similarly to the Estonian eIDAS Proxy Service, the Estonian eIDAS Connector structure relies on the operating principles of the eIDAS Node sample software, including two Java web applications (SpecificConnector and eIDAS Node) and a database. The SpecificConnector is responsible for a communication with the TARA and the Estonian eIDAS Node application. The Estonian eIDAS Connector is integrated with German eIDAS middleware instance that implements an adapted eID server with an eIDAS interface and realises the server-side component of the authentication process with the online ID function for German notified eID. The Estonian eIDAS Node services and the TARA are operated within Estonian Information Security Standard (E-ITS) aligned to ISO/IEC 27001 and Estonian public‑sector security baseline requirements. Through this mechanism, the requirements under the Commission Implementing Regulation (EU) 2015/1502 are met.
4.4 Supporting documentation Documentation presented LoA mapping document for diplomatic identity card on level “High” White paper Interoperability mapping List of national legislation related to the electronic identification in Estonia:
Aliens Act, https://www.riigiteataja.ee/en/eli/ee/506012026003/consolide/current
Citizenship Act, https://www.riigiteataja.ee/en/eli/528072025002/consolide
Civil Service Act, https://www.riigiteataja.ee/en/eli/ee/512082025001/consolide/current
Consular Act, https://www.riigiteataja.ee/en/eli/516122025001/consolide
Electronic Identification and Trust Services for Electronic Transactions Act, https://www.riigiteataja.ee/en/eli/530122025007/consolide
Emergency Act, https://www.riigiteataja.ee/en/eli/ee/514012026006/consolide/current
General Part of the Economic Activities Code Act, https://www.riigiteataja.ee/en/eli/511092025011/consolide
Government of the Republic Act, https://www.riigiteataja.ee/en/eli/ee/504092025010/consolide/current
Identity Documents Act, https://www.riigiteataja.ee/en/eli/ee/505012026002/consolide/current
Foreign Relations Act, https://www.riigiteataja.ee/en/eli/ee/530092025011/consolide/current
Personal Data Protection Act, https://www.riigiteataja.ee/en/eli/ee/522092025009/consolide/current
10
Police and Border Guard Act, https://www.riigiteataja.ee/en/eli/527102025003/consolide
Population Register Act, https://www.riigiteataja.ee/en/eli/503122025003/consolide
Public Information Act, https://www.riigiteataja.ee/en/eli/ee/511092025008/consolide/current
Regulation 62 of the Minister of the Interior, as of 01.12.2015 (in Estonian only), https://www.riigiteataja.ee/akt/118112016005?leiaKehtiv
Regulation 78 of the Minister of the Interior, as of 18.12.2015 (Statutes of the Identity Documents Database, in Estonian only), https://www.riigiteataja.ee/akt/114012017016?leiaKehtiv
Regulation 20 of the Minister of the Interior, as of 01.08.2025 (in Estonian only), https://www.riigiteataja.ee/akt/129072025001
Statutes of the Data Protection Inspectorate (in Estonian only), https://www.riigiteataja.ee/akt/118092025005?leiaKehtiv
Statutes of the IT and Development Centre, Ministry of the Interior (in Estonian only), https://www.riigiteataja.ee/akt/109072024006?leiaKehtiv
Statutes of the Ministry of the Interior (in Estonian only), https://www.riigiteataja.ee/akt/122012025004
Statutes of the Ministry of Foreign Affairs (in Estonian only), https://www.riigiteataja.ee/akt/114072023002?leiaKehtiv
Statutes of the Ministry of Justice and Digital Affairs (in Estonian only), https://www.riigiteataja.ee/akt/116092025018?leiaKehtiv
Statutes of the Police and Border Guard Board (in Estonian only), https://www.riigiteataja.ee/akt/128062025002?leiaKehtiv
Statutory Fees Act, https://www.riigiteataja.ee/en/eli/ee/530122025005/consolide/current
RIA statutes (in Estonian only), https://www.riigiteataja.ee/akt/127122024010?leiaKehtiv
Regulation 7 of the Minister of the Foreign Affairs, as of 09.03.2017 (in Estonian only), https://www.riigiteataja.ee/akt/126082025005?leiaKehtiv
Regulation 3 of the Minister of Foreign Affairs, as of 23/05/2016,” (in Estonian only), https://www.riigiteataja.ee/akt/126092025004?leiaKehtiv
Police and Border Guard Board Address: Pärnu mnt 139
15060 Tallinn Estonia
Email: [email protected]
Webpage: www.politsei.ee
Overview of the Estonian eID system
Table of contents
1. Introduction ....................................................................................................................................... 1 1.1 Historic overview ........................................................................................................................ 1 1.2 Unique usage environment ........................................................................................................ 2
2. The concept of identity and the nature of the eID ecosystem .......................................................... 2 3. eID means ........................................................................................................................................... 3 4. Fields and responsibilities .................................................................................................................. 6
4.1 Public authorities ........................................................................................................................ 7 4.2 Private parties ............................................................................................................................. 8
5. Authentication.................................................................................................................................. 10 6. Life cycle ........................................................................................................................................... 11 List of References .................................................................................................................................. 12
1
Disclaimer: this document is partly based on Cybernetica’s overview of the Estonian electronic identity
system which has been written at the request of the Estonian Information System Authority (RIA) to
explain the setup, organisation, and the uses of the Estonian e-identity ecosystem.
1. Introduction
This document gives an overview of the Estonian eID means. The following eID means can be used for
physical and electronic identification:
• Identity card (ID card)
• Residence permit card (RP card)
• Diplomatic identity card
Smart ID, Mobile ID and e-resident’s digital ID can be only used for electronic identification.
Reliable and secure personal identification as well as physical and digital identity management are the
basis for a credible process of issuing identity documents. Estonia has long-term experience (from the
beginning of 2002) in using electronic authentication and is a global leader in the context of e-
government.
All Estonian eID means fulfil all requirements of the eIDAS [1] Level of Assurance “high”.
The general principles of identity management policy include the following:
the state determines the person’s identity,
one person has one identity,
use of another person’s identity or identity document is forbidden,
identity management is performed by the state and in a centralised manner,
both physical and digital identity documents are inextricably and uniquely linked to the
document holder’s identity,
certificates that enable digital identification and a qualified electronic signature for digital
identity of a document are uniquely associated with the document holder’s personal data,
data of both physical and digital documents, including certificates for authentication and
electronic signing, are publicly verifiable,
identity documents and the supporting software are secure.
Estonian eID scheme is based on using PKI (public key infrastructure) with cryptography according to
best practises and using QSCD (qualified signature creation device) smartcards.
1.1 Historic overview
The public service side of the Estonian eID ecosystem is built on legal foundations that regulate its
operation. When the Estonian ID card was first created (initially only as one specific kind of identity
document), rules regarding the issuance of the card were laid down in:
• Identity Documents Act [2] (February 15th, 1999),
• Digital Signatures Act [3] (March 8th, 2000).
2
The Identity Documents Act regulated, inter alia, the physical features of the ID card while the
electronic features of the card were regulated by the Digital Signatures Act. Neither act contained any
references to the other.
Estonian ID cards with digital functionality were first issued in 2002, which allowed to start using
authentication and digital signing widely in digital environment. Estonia is internationally recognised
as E-state, we have implemented digital signing and digital e-services with wide-spread usage of eID
means.
1.2 Unique usage environment
The complexity of the Estonian eID ecosystem is very high.
The eID ecosystem can be broken down into the following aspects which must be considered as a single
functional entity:
• legal (laws, regulations, directives)
• organisational (collaboration, data exchange between institutions and private companies)
• technical (protocols, standards, devices)
• security (incident reporting, accountability, responsible vulnerability notification)
• supervision
The ecosystem is pervasive, universal, and ubiquitous in its use. These three key features emphasise
the importance of the consistency of new solutions with the existing Estonian eID ecosystem. To
maintain the present lifestyle of Estonian residents, it is vital to ensure the cohesion of new systems
with existing ones.
The functionality of the Estonian eID ecosystem is universal. The eID means (ID card, RP card,
diplomatic identity card, e-resident digital ID, Mobile-ID, Smart-ID) can be used for authentication and
the creation of digital signatures. In most cases they can provide similar user experience and be equally
used in all e-services. The eID means issued to citizens and residents are identical in their functionality.
With this in mind the use of the Estonian eID ecosystem among Estonian citizens and residents is
extensive and ubiquitous. It involves all walks of life, starting from signing contracts and declaring
taxes, education and health, and ending with numerous government and commercial portals.
Excluding shopping in global e-stores, everything vital can be done remotely, using standard eID
means.
2. The concept of identity and the nature of the eID ecosystem
For a person to be issued with an eID means, they must have a base identity duly registered in the
Estonian population register [4]. Identity is based on the personal identification number. For applying
eID means, the issuing authorities verify (PBGB, MFA) the person’s identity. On fundamental bases the
3
identity data comprises of the person’s name and personal identification number. The personal
identification number is used for linking specific eID means with the base identity.
3. eID means
An eID means is used for the storage of cryptographic keys necessary for the use of eID and allows
these keys to be used materially.
Smart card based eID means store private keys on the chip, while authentication and digital signature
functions have been implemented in the form of a special program (applet) loaded on the card.
In addition to authentication and qualified digital signature creation, the eID means can also be used
for encrypting and decrypting documents (only applicable for ID cards, RP cards and diplomatic identity
cards). In case there is a need to forward confidential information via e-mail to other parties. ID
software allows to easily encrypt both digitally signed and unsigned documents.
The figure below illustrates the key elements of an eID means, using the ID card as an example. The
actual means may contain more elements, such as previous keys, platform-specific keys, owner’s
technical keys for the addition of personal certificates, etc. The means may also contain fewer
elements.
Caption 1 Key elements of eID means
For security reasons, it is recommended that a person simultaneously have multiple eID means of
different types, but the identity of the person always remains the same. This enables them to carry on
living a normal electronic life even if one of the eID means has expired, is not functioning properly, or
its security is temporarily compromised.
4
In certain cases, an eID means can be registered in an electronic environment on the basis of another
valid eID means. This simplifies the registration process, as the user does not need to visit a service
office.
Estonian ID card
Estonia issues the ID card as the primary and mandatory document for identifying its citizens and
European Union citizens living in Estonia. The first ID cards were issued on January 28th, 2002. The ID
card is a physical identification document and has advanced electronic functions that facilitate secure
authentication and a legally binding qualified electronic signature enabling safe access to e-services
and convenient way to make electronic transactions.
The ID card is recognised as a travel document for Estonian citizens.
State fee is established for ID card.
The Estonian Police and Border Guard Board (hereinafter PBGB) is responsible for issuance of the ID
card.
Caption 2 Specimen of the ID card issued since November 15, 2025
Residence permit card
Estonia issues the RP card as a mandatory identity document for third-country nationals who are
residing in Estonia based on a valid residence permit or right of residence since 2011. The RP card is a
physical identification document and has advanced electronic functions that facilitate secure
authentication and a legally binding qualified electronic signature enabling safe access to e-services
and convenient way to make electronic transactions. The RP card is not a travel document but must
be carried along with the passport of the country of citizenship in order to return to Estonia.
RP card is not a travel document.
State fee is established for RP card.
The PBGB is responsible for issuance of the RP card.
5
Caption 3 Specimen of the RP card issued since November 15, 2025
Diplomatic identity card
The diplomatic identity card is a physical identification document and has advanced electronic
functions that facilitate secure authentication and a legally binding qualified electronic signature
enabling safe access to e-services and convenient way to make electronic transactions.
There are two types of Estonian diplomatic identity cards: diplomatic card and service card.
1) A diplomatic card is issued to a diplomat of a foreign diplomatic mission and consular post
accredited to Estonia (hereinafter referred to as a foreign mission) and his/her family
member who is a foreign national.
2) A service card is issued to a foreign national who is the administrative or technical employee
of a foreign mission and his/her foreign national family member, a foreign national who is a
private servant, a foreign national employee of a mission of an international organization and
an international organization or other institution established by an international agreement
located in Estonia (hereinafter referred to as other institution) and his/her foreign national
family member, an honorary consul and, in other justified cases provided for in an
international agreement, an Estonian citizen or permanent resident working in a foreign
mission or other institution.
Below is the caption of the specimens of the cards manufactured since November 15th, 2025. There are
eight different categories with 18 series of cards:
1) Diplomatic card category A (series A1, A2, A3) and category B (series B1, B2, B3),
2) Service card category C (series C1, C2, C3), category D (series D1, D2); category E, category F,
category HC and category G (series G1, G2, G3, G4).
The reverse side of the card includes text based on the privileges of the bearer of the card. In addition,
the reverse side contains information about the right of residence in Estonia and conditions to enter
the territory of Schengen States.
6
Caption 4 Specimen of the Diplomatic Card issued since 15.11.2025
Caption 5 Specimen of the Service Card issued since 15.11.2025
A diplomatic identity card is issued free of charge and grants the document holder immunities and
privileges outlined in the Vienna Convention on Diplomatic Relations [5] and other international
conventions and treaties according to the relevant category. 09.03.2017 regulation no. 7 of the
Minister of Foreign Affairs (MFA) [6] establishes the procedure for issuing a diplomatic identity card,
the format and technical specification of the card, and the list of information entered on the card.
PBGB provides production and delivery service for the MFA.
The MFA is responsible for issuance of the diplomatic identity card
Mobile-ID and Smart-ID
Mobile-ID and Smart-ID both provide authentication and digital signature creation functions. Private
keys for Mobile-ID are stored on SIM card. For Smart-ID the private keys are split into two parts (smart
device and server), and they are never combined in one place, increasing their security. Smart card
readers are not required neither for Mobile-ID nor Smart-ID.
Smart-ID is a private scheme and not notified, but it has been evaluated for national use. Smart-IDs
issued to persons with Estonian personal identification numbers meets the criteria of high assurance
level for electronic identification [7].
Mobile ID is a state issued digital ID and is notified to LoA high.
4. Fields and responsibilities
For the operational management of the Estonian eID ecosystem the following parties are involved.
7
4.1 Public authorities
Ministry of the Interior
The role of the Ministry of the Interior in the eID ecosystem is to develop legal bases for the
administration of identity policy.
Ministry of Justice and Digital Affairs
The Ministry of Justice and Digital affairs organises, promotes, and coordinates the digital development
of the public sector, coordinates the development of public services and information systems, and
organises the development of national digital solutions and the provision of shared information
technology services.
Ministry of Foreign Affairs
In the context of the eID ecosystem, the role of the Ministry of Foreign Affairs is to issue, deliver, and
revoke diplomatic identity cards. Foreign missions can also accept applications for and issue some
other national eID means.
Private sector eID means providers
The Estonian eID ecosystem currently includes one eID means provided by a private company: Smart-
ID, which is provided and administered by SK ID Solutions AS.
Estonian Information System Authority
The functions of RIA are regulated by its statutes [60]. RIA is a government agency consisting of a
number of departments focusing on different fields. In the context of the eID ecosystem, RIA’s role is
to act as a competence centre responsible for formulating visions and strategies for the development
of the eID field, as well as to advocate for and shape the positions of the eID field in Estonia. RIA’s roles
in the eID ecosystem are as follows:
In the sphere of the state information system:
Coordinates the development of authentication, digital signature creation, and encryption
software, and the Internet-based authentication and digital signature creation system, including:
o Coordination of the long-term evolution of the entire eID field with the involvement of
various institutions,
o Maintenance of the id.ee portal,
o Development of software components used in the eID ecosystem, such as:
- Development of the DigiDoc4 desktop application,
- Development of the RIA DigiDoc application for smart devices,
- Development of the Web eID web-based authentication and signature creation
solution,
- Development of libraries, such as digidoc4j and libdigidocpp, etc.
o Maintenance of various services provided to public-sector institutions that are critical for
the operation of the Estonian eID ecosystem, as well as servers hosting these services,
including:
8
- Authentication services (TARA - State Authentication Service, used for authentication
by public sector institutions, state SSO (single sign-on access) service),
- SiGa digital signature creation service,
- SiVa digital signature validation service,
- timestamping service intermediation,
- Web eID solution (web-based authentication and digital signature creation);
o Customer support (including by phone),
Procurements.
In the sphere of cybersecurity:
Organisation of the protection of critical information infrastructure (CIIP)
Carries out administrative and state supervision (including supervision over the Estonian eID
ecosystem in accordance with legislation).
Enforces administrative procedures and handles misdemeanours.
RIA also organises various awareness-raising campaigns and trainings in different spheres, including
eID ecosystem-related areas.
The RIA Cybersecurity Centre is responsible for cybersecurity, one of RIA’s two core areas of activity.
Police and Border Guard Board
The roles and responsibilities of the PBGB in the Estonian eID ecosystem are:
Issuance of identity documents (including documents that can be used as eID means),
Development of identity documents, managing contracts with service providers,
Procurement of ID-1 format identity documents.
IT and Development Centre of the Ministry of the Interior
The IT and Development Centre of the Ministry of the Interior (SMIT, www.smit.ee) develops and
maintains the technology (including software) and systems required for the performance of the PBGB’s
functions. This also includes the development and maintenance of the systems required for identity
management and the issuance and management of identity documents.
4.2 Private parties
Trust service providers
In the context of the Estonian eID ecosystem, a trust service provider (TSP) is an organisation
responsible for the management and storage of personal certificates related to the eID ecosystem.
Other examples of trust services also include timestamping services. A number of services in Estonia
are divided between the controller (in most cases, PBGB) and the processor. The immediate service
provider in these situations is the processor. The next two subsections present an overview of the key
trust service providers operating in the Estonian eID – SK ID Solutions AS and Zetes Estonia OÜ.
9
SK ID Solutions AS
For a long time, a single Estonian company provided trust services as a core business: this was SK ID
Solutions AS. SK ID Solutions AS maintains the certificates for ID cards, RP cards, diplomatic identity
cards and e-resident digital IDs issued until November 15th 2025, Mobile-ID and Smart-ID.
SK ID Solutions AS provides the following services to Estonian eID ecosystem participants:
Issuance of qualified signature creation certificates,
Issuance of authentication certificates,
Electronic timestamping service,
Provision of access to the registry of certificates associated with ID cards, RP cards and
diplomatic identity cards via LDAP,
Responding to electronic queries about certificate validity (OCSP/CRL),
Deactivation or revocation of certificates, if necessary.
SK ID Solutions AS is the owner, developer, issuer, and service provider of the Smart-ID. They also issue
e-seal certificates to companies and agencies and maintain the Mobile-ID scheme. SK ID Solutions AS
is categorised as a vital service provider.
Zetes Estonia OÜ
As of the launch of new ID cards on November 15th, 2025, the trust service provider for the new
generation ID-1 format identity documents is Zetes SA. The PBGB has a contract with Zetes SA for the
provision of certification and qualified trust services, who has transferred the obligation to execute the
contract on Zetes Estonia OÜ, a 100% subsidiary of Zetes SA.
The duties of the certification authority in certification service and qualified trust service cover the
following:
issuance of root certificates and intermediate certificates for the creation of a certificate chain,
issuance of qualified certificates for electronic signatures and certificates for authentication
and encryption,
service of Subscriber certificates,
provision of Online Certificate Status Protocol (OCSP) responder service,
provision of Certificate Revocation List (CRL) service,
provision of Lightweight Directory Access Protocol (LDAP) directory service,
provision of test services.
Card manufacturer
Thales DIS Finland OY
The PBGB has a contract with Thales DIS Finland OY for ID-1 format identity document blanks,
personalisation and related services. Thales DIS Finland OY’s subcontractor is Hansab AS.
Thales DIS Finland OY is responsible for:
production, processing and logistics of document blanks with a chip certified as a QSCD,
10
the provision of document personalisation services (provided by subcontractor of card
manufacturer),
the provision of post-issuance services for documents,
processing of personal data in accordance with Estonian, EU and international regulations,
standards, requirements and instructions.
External Service Provider
The issuer of the document may hand over the document through a secure service provider if
requested by the applicant at application. The secure service provider shall be determined by the
issuing authority of the document.
The PBGB has a contract with Hansab AS for external service provision. Hansab AS provides the service
of handing over identity documents through a subcontractor, who hands out documents in external
service provider’s service points nation-wide.
Requirements for external service providers must ensure that the service provided is equally secure as
the service provided by the issuing authority and the foreign representations. Requirements for the
external service provider are set out in the contract.
5. Authentication
In the context of web technology, technical verification of identity denotes an operation whereby the
user is required to sign session data transmitted by the server using a private key found on their eID
means and return the signature and authentication certificate. The server then verifies the validity of
the certificate (e.g. over OCSP – online certificate status protocol) and whether it has been issued by a
trusted certification authority. The server then uses the public key found in the certificate to verify the
validity of the submitted cryptographic signature and whether it has been created for the data
transmitted by the server. If all the verification steps are passed, then the user participating in the
session can be assumed to have control over their eID means and the user identity presented as a part
of the certificate can be considered verified. The authentication solution described above can also be
characterised as an external authentication vector from the information system’s perspective.
The authentication normative [8] sets out two main requirements for public sector information
systems. First, an authentication module should not be built in-house; relevant RIA libraries should be
used for this purpose. Second, the authentication module should be isolated from the information
system. This is a major difference compared to systems not using the possibilities afforded by eID, as
the latter need to keep local account of persons, their identities and identity carriers or usernames and
passwords (credentials), which increases the complexity of the system.
Authentication can be carried out either directly by the information system offering an electronic
service or via other ‘middlemen’, such as authentication services (TARA, GovSSO – government single
sign-on access). The e-service provider is frequently also called the relying party.
11
6. Life cycle
ID-1 format identity documents are issued by the issuing authorities.
In case of ID-1 format identity documents, necessary data of the applicant is captured and is
transferred to the card manufacturer via a secure exchange interface for card personalisation. The card
manufacturer produces, and their subcontractor personalises the ID-1 format identity document.
Upon receiving the card, the applicant also receives a securely sealed envelope with three codes in it
(PIN1, PIN2 and PUK): PIN1 for authentication and encryption purposes, PIN2 for a qualified electronic
signature and PUK to reset blocked PIN codes in the ID software.
The ID card or RP card is handed over in person, to a legal guardian or an authorised representative in
a service point of PBGB, external service provider service point or a foreign representation. In case of
diplomatic identity cards, the cards are handed over by MFA official. After hand-over of the document,
the card is activated by the issuing authority after the identity-proofing of the receiver.
In order to avoid illegitimate use of lost or stolen eIDs, the holder of the Estonian eID means needs to
be able to revoke certificates. The certificates of the card can be revoked in the issuing authority service
point in person and in the case of documents issued from November 15th, 2025 also in the revocation
portal [9]. A certificate owner may request revocation of their own certificates or for another person
over whom they have legal custody.
E-services cannot be used/accessed if the certificates are revoked.
After revocation the certificates cannot be used. To regain access to e-services after revocation has
been completed, a new document must be applied for (with new certificates).
12
List of References [1] eIDAS Regulation – Regulation (EU) 910/2014 of the European Parliament and of the Council
on electronic identification and trust services for electronic transactions in the internal market,
as amended by Regulation (EU) 2024/1183 as regards establishing the European Digital
Identity Framework
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02014R0910-20241018
[2] Identity Documents Act
https://www.riigiteataja.ee/en/eli/ee/521052024002/consolide/current
[3] Digital Signatures Act (not in force currently)
https://www.riigiteataja.ee/akt/71878
[4] Population Register Act
https://www.riigiteataja.ee/en/eli/ee/503122025003/consolide/current
[5] Vienna Convention on Diplomatic Relations
https://treaties.un.org/pages/viewdetails.aspx?src=treaty&mtdsg_no=iii-
3&chapter=3&clang=_en
[6] Regulation 7 of the Minister of the Foreign Affairs, as of 09.03.2017 (in Estonian only)
https://www.riigiteataja.ee/akt/126082025005
[7] Information System Authority. Integration tools of eID.
https://www.ria.ee/en/state-information-system/electronic-identity-eid-and-trust-
services/integration-tools-eid
[8] Information System Authority. Requirements for authentication solutions within the
information system of the Republic of Estonia (authentication normative), 2017 (in Estonian).
https://ria.ee/media/1971/download
[9] Revocation portal
https://revocation-portal.eidpki.ee/en/landing