What our four security certifications mean for your organisation
By Admin on Apr 13, 2026
Every vendor in the digital identity space will tell you they take security seriously. The more useful question is: has that claim been checked? Recently, itsme® was formally recognised and labelled as "Essential" under NIS2 by the Centre for Cybersecurity Belgium. It's a good moment to recap what our four security certifications actually cover, and what that means if you're responsible for the systems that depend on us.
1. NIS2 Essential: formally recognised under Belgium's national security framework
The Centre for Cybersecurity Belgium (CCB) has formally labelled itsme® as "Essential" under NIS2, on the basis of our ISO/IEC 27001:2022 certification (more on that below). The label confirms that our information security management meets the requirements for recognition as an Essential entity under Belgian and European law. It is issued under CyberFundamentals, the CCB's national NIS2 compliance framework.
This is useful for security leads managing NIS2 obligations, which require you to account for third-party risk in your own compliance posture. A CCB-issued label gives you documented evidence for your vendor register. In effect, it answers the auditor's question before it gets asked.
2. ISO/IEC 27001:2022: How we manage security
ISO 27001 is the international standard for information security management. It audits how a company handles security decisions: how risks are identified, how controls are applied, how incidents are managed, and how the whole system holds up over time. Our certificate, issued by LSTI under COFRAC accreditation and valid until August 2028, covers the full scope of itsme® services, including the suppliers and data centres that support them.
3. eIDAS: The legal standing of identity and signature
eIDAS is the EU regulation that defines what electronic identification and trust services are legally worth. Qualified Trust Service Provider status sits at the top of that framework. You can't self-designate as a QTSP. It requires assessment by an accredited body and results in your name appearing on the national Trusted List, supervised by a member state authority.
Belgian Mobile ID holds QTSP status for the creation of qualified certificates for electronic signature. A signature completed through itsme® carries the highest legal standing available under EU law.
For CTOs integrating itsme® into flows involving contract signing, mandate authorisation, or consent capture, this is the certification that makes those use cases legally solid.
4. Common Criteria EAL3+: Testing the product itself
The first three certifications assess processes and services. Common Criteria evaluates a specific product against a defined security target, tested by an independent laboratory.
The itsme® Second Factor Attestation Engine v1.0.0 achieved EAL3 augmented with additional requirements covering functional specification, implementation review, and flaw remediation. The evaluation was carried out by SGS Brightsight in Delft and certified by TrustCB under the Netherlands national scheme. The certificate is valid until January 2031 and is recognised across EU member states under both the Common Criteria Recognition Arrangement and the SOGIS Mutual Recognition Agreement.
For security architects, this is the component that verifies the integrity of the second factor in an itsme® authentication. It has been tested at the code level by an independent lab.
What this means in practice
The four certifications cover different layers: organisational processes, legal trust services, product security, and the national cybersecurity baseline. But they don't exist in isolation. Instead, they reflect the regulatory direction of travel in Europe: identity infrastructure is being held to higher and more specific standards, and that trajectory isn't slowing down.
eIDAS 2.0 and the EU Digital Identity Wallet raise the baseline for what "trusted identity" means across member states. NIS2 has made third-party cybersecurity posture a compliance requirement. Organisations that integrate identity services are increasingly accountable for the security standards of the providers they rely on.
The certifications itsme® holds today are a response to where regulation already is. They're also preparation for where it's going.
See the proof behind the claims
Our security certifications and audit reports are available in the itsme® Trust Center. Compliance teams, procurement leads, and integration partners can review the documentation directly.