Analyzing the Standardization Landscape for Identity Management in Public Services – A Standards Review for the IMPULSE Project

René Lindner1, 4,*, Madlen Schmudde1,*, Alicia Jiménez González2, Jaime Loureiro Acuña2 and Knut Blind3

1DIN German Institute for Standardization, 10787 Berlin, Germany
2Gradiant, 36214 Vigo, Spain
3Fraunhofer ISI, 76139 Karlsruhe, Germany
4TECNUN Escuela de Ingeniería, Universidad de Navarra, 20018 Donostia, Spain
E-mail: madlen.schmudde@din.de; rlindner@alumni.unav.es
*Corresponding Authors

Received 20 April 2023; Accepted 13 September 2023; Publication 18 November 2023

Abstract

The digitalization of public services is one of the major challenges that public administrations are currently facing. Electronic identifications play a major role for a variety of these related services. Due to the impact these services will have on the daily life of citizens, organizations, and the public at large, the social dimensions must be considered equally to the technical ones. To ensure the applicability, trust, and compliance of electronic identity for access to public services, it is necessary to take into account relevant standards collected through an analysis of the state-of-the-art. In general, the literature on integrating standardization in research projects is very rare and potential impacts of standards related to electronic identification have not been assessed yet. The European project IMPULSE has integrated standardization as an essential element and assessed the relevant standardization landscape as one activity. The analysis of the standardization landscape resulted in the identification of nine formal and six de-facto standards that have high relevance for IMPULSE. The process for this analysis and the resulting dashboard will support future projects to effectively consider, analyze and use standards for their projects.

Keywords: Electronic identification, standardization, sociotechnical systems, IMPULSE project.

1 Introduction

1.1 Background

Improving digital experiences has long been an important goal for businesses, but even today it remains high on the executives’ priority list [1]. One of the more recent trends shaping the conversation is passwordless authentication [2]. In that sense, electronic identification (eIDs) services have become strategic services in the global governance of online societies. Despite its limited and clearly defined scope, the eID plays a unique role in the information society as it enables public digital services for citizens as well as businesses and is a prerequisite for the development of electronic government (eGovernment). The digitalization of public administration services is nowadays an essential part of the Digital Single Market strategy [3] to improve the access to services for both citizens and businesses. In many cases, access to specific public services requires secure identification and management of the so-called digital identities. Digital identities are an important prerequisite for legally compliant information exchange not only in Europe but all over the world.

Existing approaches to deal with digital identities focus on central providers (national authorities or online service providers), where identity management is fully delegated to a third party. Thus, a typical event in the life of an individual such as changing dwelling place or service providers often means that new identifiers and overlapping versions of the same digital identity are created, as procedures for data portability are missing. Emerging self-sovereign digital identity approaches are instead controlled and managed by the identity owners, enabling them to maintain their digital identities agnostic from residence, national eID infrastructure and/or market-dominating service providers [4].

In recent years, eIDs are typically developed by both government agencies and by private corporations, which are almost exclusively focused on technical and legal interoperability. However, eIDs are increasingly expected to reflect broader public concerns such as privacy, security, user empowerment and control over one’s personal information – rendering broader regulatory frameworks like the electronic Identification Authentication and trust Services [5] and the General Data Protection Regulation [6]. eIDs require more than engineering ingenuity and legal compliance; they involve negotiation of conflicting social and economic values, e.g. less information disclosed by users might reduce business opportunities for companies in particular related to data-based business models.

Like smartphones, wifi or cloud computing, digital identity is on a growth trajectory towards mass adoption. The coronavirus pandemic has been a boost for the industry, with vaccine passports for travel and online access to new services helping to fuel acceptance. Nick Maynard, lead analyst at Juniper Research, projects that by 2025, more than 6.2 billion digital identity applications will be in operation [7], mainly based on SSI over blockchain technology (as proposed in the IMPULSE project), requiring compliance with standards that are still under development to ensure trust in eIDs relying on distributed ledger technologies (DLT).

Transitioning from traditional methods of verifying identity to those based on self-sovereign identity (SSI) models has solved fundamental problems in digital identity trust. It boosts efficiency, lowers costs, and delivers a more favourable user experience, convenience and inclusivity. The long-term aim for SSI is to achieve the same levels of trust and legality afforded to traditional paper-based identity documents, such as National ID or passports. However, in order to boost and maximize the adoption of SSI models within civil society, it is important to make further progress in SSI standardization initiatives with the goal of harmonizing minimal sociotechnical requirements for SSI-based eID solutions. Furthermore, new pilot projects that are presently being developed in support of these solutions should influence the standardization processes, thus making the implementation of standard-compliant and eventually regulation-compliant eID systems easier and faster.

1.2 The IMPULSE (Identity Management in PUbLic SErvices) Project

The European research and innovation (R&I) project IMPULSE (Identity Management in PUbLic SErvices) aims to transform the mainstream discourse on digital identity by drawing up a user-centric multi-stage method of multidisciplinary evaluation of eID management that combines the bottom-up approach of co-creation with the need for a universal vision of digital identity ethics in providing public services [8]. The focus of the research is on evaluating the benefits, but also risks, costs and limitations, considering socio-economic, legal, ethical and operational impacts, together with framework conditions (GDPR and eIDAS regulations, and existing legacy eID national systems and technical standards).

IMPULSE brings together a set of representative and innovative processes across six case studies piloted in five different countries, providing a variety of contexts as well as diverse social, legal, economic and cultural perspectives. A pilot-based experimentation approach will make it possible to evaluate social, legal and technical aspects of the use of SSI-based eID systems, such as acceptance, usability, inclusion, and security and privacy protection issues, across five European countries (Bulgaria, Denmark, Iceland, Italy and Spain) which currently provide different legacy centralized national eID systems. The specific considerations, challenges and social concerns of the six IMPULSE case studies are highlighted next:

The Danish digital identification system (Danish NameID) consists of a username, password and a physical paper card with codes. Aarhus Citizens (especially vulnerable ones) regularly lose their physical paper code card. This means that they cannot apply for the services to which they are entitled. The Citizens’ Services in Aarhus expects this pilot to foster the empowerment of citizens to be in contact with the increasingly digitalized public sector.

Ertzaintza is an entitled Law Enforcement Agency (LEA) in the Basque Country (Spain) committed to innovation. However, when filing a complaint online, citizens cannot give proof of their real identity, and as a result, they are requested to go to the nearest police station to sign the complaint, showing a valid ID document. The pilot will enable secure and trustworthy eID so the complaint process can be completed entirely online. IMPULSE will avoid unnecessary bureaucratic burden to the citizens, while at the same time preventing fake or fraudulent complaints.

The citizen card (CC) is the main tool used by citizens in Gijón city (Spain) to access municipal services requiring identification, both electronically and physically. However, ID verification methods have weaknesses (blurred images, deteriorated texts, complicated codes to memorize, etc.) that limit its use. The aim of the pilot is to explore how the IMPULSE technologies can bridge those gaps, with a special focus on enabling sufficient security measures to guarantee proper operations.

The municipality of Peshtera (Bulgaria) provides its citizens with a public service for applying for a certificate of legal permanent address, which is currently conducted offline. The IMPULSE approach will be evaluated as an eID mechanism to access this public service completely online, and the piloting activities will allow the validation of an innovative eID management solution, especially from the point of view of GDPR compliance.

The city of Reykjavik (Iceland) provides citizens with a participatory democracy portal to initiate discussions on public concerns. However, the public service is not ready to be used by citizens with physical/motor impairments. The main benefit expected from IMPULSE is the integration of an inclusive eID solution to increase the participation of citizens with impairments as well as their carers.

The “Enterprise Digital Drawer” portal operated by UnionCamere (Italy) provides access to a number of services and documents that are primarily linked to the official Italian Business Register. In order to consume such a service, the representatives of the company need to be identified. Piloting activities in this case study will address the case where business people can access public/private services online and provide proof that specific business requirements are met, making it secure and transparent by design, preserving data hosting on trusted sources while providing full flow control to the users on their own data.

Concerning standard implications, IMPULSE intends to ensure that the system works properly and results are trustworthy. It requires compliance with technical specifications, standards and procedures. Therefore, the identification and use of existing and acknowledged eID standards is crucial to IMPULSE validation of the pilots for the six case studies.

1.3 Purpose of the Present Study

This paper presents an approach to generate an overview of the standardization landscape with the aim to provide a list of standards related to eID management and thus to support the developments in IMPULSE that relate not only to the technological part, but also to the social factors to ensure an implementation of these technologies. The literature about technology transfer has pointed to the relevance of the close and reciprocal interaction between research and standardization more than a decade ago [9]. Meanwhile, the European Commission (EC) fosters in their Framework Programmes and the new EU standardization strategy the integration of standardization in research projects [10–12]. However, practical examples and best practices, especially with regard to the assessment of existing standards, are still rare in the literature. This study seeks to address this current gap by using a case study to assess the following two research questions:

• How can a standardization landscape be described in a research topic such as that of IMPULSE?

• Which role do standards play in the development of decentralized eID management models?

Before answering these questions, a general overview of the relation of standardization and research projects and the different eID management approaches setting the frame for the IMPULSE project is provided.

1.4 Standardization and Research Projects

The EC is funding a variety of different topics, including the socioeconomic and cultural transformation in the context of the fourth industrial revolution, whose call texts contain different references to standards and standardization [13]. But why is standardization relevant for research and innovation?

The EC states that standards help “to bridge the gap between research and market and increase the probabilities of market up-take of technological innovations” and “to valorize and spread the scientific discoveries and inventions towards the green and digital transition”, whereas standardization is “essential to boost European industry’s competitiveness and resilience and build a sustainable future” [14]. The new EU strategy on standardization confirms this and highlights that standards “help manufacturers ensure the interoperability of products and services, reduce costs, improve safety and foster innovation” [12]. Furthermore, the strategy mentions that the number of standards on (business) services is with merely 2% of all European standards still quite low. The EC wants to improve this situation with supporting the development of service standards to enhance the competitiveness of business services and to reduce market barriers. Therefore, activities for researchers like the development of a code of practice on standardization to strengthen the link between standardization and research as well as the standardization booster to test the relevance of project results for standardization are crucial.

Despite the work of standardization as a channel for knowledge and technology transfer [9] and although standardization has been promoted by the EC for several years, the role of standards and standardization in research projects has been considered underrated [15]. Furthermore, there is only little research on the integration of standardization in research projects. For example, Lindner et al. [16] suggested a related five-step methodology, in which the review of the existing standardization landscape on the project topic is the first step and crucial for the further ones, which are: the identification of end-user needs and standardization gaps, the definition of a standardization strategy, the initiation of standardization activities and the promotion and exploitation of these. Moreover, Majer et al. [17] have assessed the standardization landscape of the bio-based economy (see also [18]; considering also certification) and generally described their approach for the standards search and analysis. Other literature also conducted a review on the standardization landscape, such as on artificial intelligence [19] and the internet of things [20, 21]. However, while they do not provide detailed information on the approaches used for the standards analysis, they at least show the importance of considering standards in technology development.

The outcomes of research on standardization landscapes include not only the so-called formal standards and workshop agreements from standards developing organizations (SDOs), such as the International Organization for Standardization (ISO), but also standards from industry initiatives or open platforms (e.g., W3C), called de-facto standards. The differences between these standards lie in the procedures by which they are developed and the degree of consensus among all relevant stakeholders on the standards’ topic. Workshop Agreements (i.e., CWA and IWA) are tools from the formal standardization system that, with a development time of about 6–12 months, fit into research projects. Figure 1 shows the different types of standardization documents with their level of consensus and their development time.

Figure 1 Overview of different types of standardization documents.

Within the IMPULSE project, the results of the analysis of the standardization landscape are relevant for technology development as well as ethical implications and social aspects. Therefore, not only technical standards are of interest, but also standards related to privacy and ethics or accompanying services.

1.5 Different eID Management Approaches

The different digital identity management approaches can be classified in the following manner [22]:

Isolated: the data is controlled by the entity who offers the service, the Service Provider (SP). Historically, this approach is the most widely established so its best practices have been deeply studied. However, it has disadvantages. The user needs to provide the required data, but they do not have control over it: a unilateral decision from the SP could affect this data, e.g., making it unavailable. The SP, on the other hand, fears both the security implications a breach of its data silos would trigger and also the loss of interest a user may have if the registration process is too long.

Centralized: only one Identity Provider (IdP) is in charge of digital identity management for a group of SP. This means that different SP accept the same credentials managed by this IdP without the need to authenticate again for a different service. It provides a single sign-on experience, solving the problem of remembering too many passwords. However, the exposure of a single identifier would expose the user in every service.

Federated: in this approach, a third party who has agreements with the SPs acts as Identity Provider (IdP). Together, they form a federation of identities. It is more suitable for a large number of users than the centralized approach. As a drawback, all identities are managed by a very small group of organizations, which increases the concerns in terms of sovereignty and security.

Decentralized: also known as Self Sovereign Identity (SSI), referring to the capacity of the user to manage their own identity. The user holds their own verifiable credentials in a digital wallet that is managed only by themselves. Those verifiable credentials are issued by publicly accepted issuers – a person or organization that is legally or socially acknowledged to have the authority to create a specific credential. In order to digitally authenticate to a Relying Party (RP), the holder shares a credential whose issuer can be verified in a public system, such as a distributed ledger. The communication is performed using digital signatures that are verified by both sides, the holder and the RP. The main disadvantage of this approach is the lack of research [23]. The emergence of blockchain technology has enhanced this approach, as it requires a public and neutral system where the entities can verify the validity of the credentials. It is expected to evolve in the following years.

The last of the eID management approaches mentioned above is the one that best preserves the sovereignty of the user, as the personal data remains under their own control.
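
The decentralized exchange described above (an accepted issuer signs a credential, the holder presents it, and the Relying Party resolves the issuer's key in a public registry) can be sketched as follows. This is an added example, not part of the original paper or of IMPULSE code; the `did:example` identifiers, the claims and the in-memory `ledger` map standing in for a distributed ledger are constructed, and the credential layout is a simplification rather than the W3C Verifiable Credentials data model.

```javascript
// Added example: simplified SSI exchange (issuer -> holder -> relying party).
// All identifiers and data are constructed for illustration.
const crypto = require('node:crypto');

// Stand-in for the public, neutral registry (e.g. a distributed ledger):
// maps an identifier (DID) to the public key that verifies its signatures.
const ledger = new Map();

// Deterministic JSON so signer and verifier process identical bytes.
function canonical(value) {
  if (Array.isArray(value)) return '[' + value.map(canonical).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Create an Ed25519 key pair and publish the public half under the DID.
function createParty(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  ledger.set(did, publicKey);
  return { did, privateKey };
}

function sign(party, payload) {
  return crypto.sign(null, Buffer.from(canonical(payload)), party.privateKey)
    .toString('base64');
}

// Resolve the signer's key from the ledger; unknown DIDs never verify.
function verifySig(did, payload, signature) {
  const publicKey = ledger.get(did);
  if (!publicKey || typeof signature !== 'string') return false;
  return crypto.verify(null, Buffer.from(canonical(payload)), publicKey,
    Buffer.from(signature, 'base64'));
}

// Issuer side: bind claims to the holder's DID and sign them.
function issueCredential(issuer, holderDid, claims) {
  const body = { issuer: issuer.did, subject: holderDid, claims };
  return { ...body, proof: sign(issuer, body) };
}

// Holder side: check the issuer's signature before storing in the wallet.
function checkCredential(credential) {
  const { proof, ...body } = credential;
  return verifySig(body.issuer, body, proof);
}

// Holder side: wrap the credential with the RP's nonce and sign with own key.
function present(holder, credential, nonce) {
  const body = { holder: holder.did, credential, nonce };
  return { ...body, proof: sign(holder, body) };
}

// Relying Party side: every check must pass before the claims are trusted.
function verifyPresentation(presentation, expectedNonce, acceptedIssuers) {
  const { proof, ...body } = presentation;
  if (!body.credential) return 'malformed presentation';
  if (body.nonce !== expectedNonce) return 'nonce mismatch';
  if (!acceptedIssuers.has(body.credential.issuer)) return 'issuer not accepted';
  if (!checkCredential(body.credential)) return 'bad issuer signature';
  if (body.credential.subject !== body.holder) return 'credential not bound to holder';
  if (!verifySig(body.holder, body, proof)) return 'bad holder signature';
  return 'ok';
}

function runDemo() {
  const issuer = createParty('did:example:municipality');
  const alice = createParty('did:example:alice');
  const mallory = createParty('did:example:mallory');
  const accepted = new Set([issuer.did]); // issuers this RP acknowledges

  const credential = issueCredential(issuer, alice.did, { residentOf: 'Example City' });
  const nonce = crypto.randomBytes(16).toString('hex'); // RP challenge
  const altered = { ...credential, claims: { residentOf: 'Other City' } };
  const selfIssued = issueCredential(mallory, mallory.did, { residentOf: 'Example City' });

  return {
    holderCheck: checkCredential(credential),
    valid: verifyPresentation(present(alice, credential, nonce), nonce, accepted),
    replayed: verifyPresentation(present(alice, credential, nonce), 'fresh-nonce', accepted),
    altered: verifyPresentation(present(alice, altered, nonce), nonce, accepted),
    wrongHolder: verifyPresentation(present(mallory, credential, nonce), nonce, accepted),
    selfIssued: verifyPresentation(present(mallory, selfIssued, nonce), nonce, accepted),
  };
}

console.log(runDemo());
```

The Relying Party never contacts the issuer: it relies only on the registry lookup, its own list of accepted issuers, and the two signatures.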

2 Method

In order to answer the research questions and to describe the approach for analyzing the standardization landscape within a specific topic such as eID management for the IMPULSE project, the case study method is used. Dul and Hak [24] define a case study as a study in which one single case or a small number of cases in their real-life context are selected and the assessments obtained from these cases are analyzed in a qualitative way. Among others, a case study contains data from direct observation and from public and private archives. This also applies to the research conducted within the IMPULSE project, in which the research team is directly involved and thus reflects the three strengths of case study research noted by Meredith [25]. Case studies have also been used previously to examine the role of standardization for different organizations (e.g. [26]) or to review the integration of standardization in research projects. For example, Lindner et al. [21] reviewed the existing standards and proposed them as an essential element for research projects in their five-step methodology. The first step of the methodology described herein can be validated and enhanced through this case study.

The method to analyze the standardization landscape relevant for the IMPULSE project is summarized in Figure 2. The three phases of the activity, including the search for standards, the analysis of identified standards and the dissemination of results, are further described below.

Figure 2 Process for the review of standardization landscape for IMPULSE project.

In the first phase, the standards search, the IMPULSE project collected relevant keywords, already known related standardization committees, and further relevant organizations. Table 1 provides an overview of the information gathered among the project partners.

Table 1 Input of project partners to the standards search for IMPULSE

Keywords: AI/artificial intelligence, blockchain, decentralized identity, DID controller/document/subject, disruptive technology, EBSI, eID, eIDAS, electronic identification, ESSIF, holder, issuer, registration authority, self-sovereign identity, self-sovereign type of blockchain, verifiable credential/presentation, verifier

Technical Committees: CEN/CLC/JTC 19/WG 01, CEN/TC 331/WG 02 “New digital postal services”, ETSI ESI (Electronic Signature Initiative), ETSI ISG Permissioned Distributed Ledger, ISO/TC 307 “Blockchain and distributed ledger technologies”, ISO/IEC JTC 1/SC 27 “IT Security techniques”, ISO/TC 46 “Information and documentation”, ISO/TC 154 “Processes, data elements and documents in commerce, industry and administration”, ITU-T Digital Currency Global Initiative, UNI/CT 532

Further Relevant Organizations: Bitkom, Cloud Signature Consortium, DIF Decentralized Identity Foundation, Hyperledger Identity, ToIP Trust over IP, W3C Credentials Community Group, W3C Decentralized Identifier Working Group, W3C Verifiable Credentials Working Group

For the search for formal standards, the standards database Perinorm was mainly used. Perinorm is a bibliographic database that comprises databases from 29 countries as well as data from European and international standardization bodies with around 2.4 million records worldwide [27]. Besides the standards of European national organizations, such as DIN, UNE or BSI, and non-European national organizations, e.g. from Brazil, USA or South Africa, the database also includes standards from the European organizations CEN, CENELEC, ETSI and international organizations such as ISO, IEC and ITU. Technical documents and reports on these levels were also considered for the analysis. With regard to national standards, it should be noted that, due to language barriers, mostly those containing at least an English title were considered. The different keywords provided were searched across the title, keywords and abstract fields. Only valid entries were chosen and withdrawn standards excluded. Furthermore, only European and international standards (e.g., EN, ISO) were collected and not the nationally adopted ones. All the hits from the Perinorm search resulted in a list of formal standards. In addition to the Perinorm search, the websites of the relevant standardization committees and bodies were also consulted for information on other relevant standards. This resulted in the initial list of standards gathered from Perinorm and the various websites showing further standardization committees relevant for IMPULSE.

The search for de-facto standards was mainly conducted by the technology providers and researchers of the IMPULSE project. The websites of the previously identified organizations were accessed and information on relevant documents was collected, resulting in a list of de-facto standards.

In the second phase of the review of the standardization landscape for IMPULSE, all project partners were asked to assess the identified formal and de-facto standards. Therefore, a template was prepared using Microsoft Excel, consisting of the list of standards, several fields for searching the number of terms included in title, keywords and abstract, and fields for rating. The project partners rated the relevance of each identified standard by selecting one of the following three options: not relevant, relevant and highly relevant for the specific work packages and city cases in IMPULSE. With this step, formal and de-facto standards that have no relevance for IMPULSE were discarded and only relevant documents collected for further use.

The results of the analysis of existing standards were further processed to promote and use them for IMPULSE and beyond. For this, a dashboard including all formal standards was developed, which includes different indicators of interest, such as the level of standards (international, European or national), their relation to fields of the international classification for standards (ICS) and the age of the standards. Dashboards play a key role for the analysis and visualization of data about a specific topic and are even more relevant when adjusting them to the specific needs of the end-user [28]. Existing literature uses dashboards to show the results of research in, for example, e-health artificial intelligence [29]. In addition to the dashboard, the outcomes of the standardization landscape review are foreseen to be used in IMPULSE for further technology development, using at least the highly relevant identified standards.

3 Results

3.1 General Overview

Reviewing the standardization landscape in an R&I project provides an overview of the current state of the field. The suggested keywords, standardization committees and standard-setting organizations (see Table 1) were used to identify 615 formal standards and 112 de-facto standards that could be interesting for the project (see Figure 3). From these standards, 389 formal and 97 de-facto ones were rated as relevant for the IMPULSE project. More specifically, 9 formal and 6 de-facto standards were highlighted as highly relevant for this project. Hereafter, only standards rated as relevant or highly relevant for the IMPULSE project are considered.

Figure 3 Number of relevant standards.

3.2 Standard-setting Organizations on eID Management

At the international and European levels, different technical committees are responsible for the development of formal standards, depending on their subject. The important technical committees for the relevant standards for the IMPULSE project are listed in Table 2. Since national standards are developed by national standards bodies (NSBs), the relevant NSBs are also listed in this table.

Table 2 Overview of formal standard-setting organizations and technical committees identified

International Level: ISO/IEC JTC1 “Information Technology”; ISO/TC 46 “Information and documentation”; ISO/TC 68 “Financial services”; ISO/TC 154 “Processes, data elements and documents in commerce, industry and administration”; ISO/TC 307 “Blockchain and distributed ledger technologies”; ITU-T “International Telecommunication Union Telecommunication Standardization Sector”

European Level: ETSI TC ESI “Electronic Signatures and Infrastructures”; ETSI ISG SAI “Industry Specification Group on Securing Artificial Intelligence”; ETSI 3GPP “3rd Generation Partnership Project”; CEN/TC 224 “Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment”; CEN-CENELEC/JTC 19 “Blockchain and distributed ledger technologies”; CEN-CLC/JTC 21 “Artificial Intelligence”

National Level: BSI “Federal Office for Information Security” (DE); DIN “German Institute for Standardization” (DE); ANSI “American National Standards Institute” (US); NIST “National Institute of Standards and Technology” (US); CSA Group “Canadian Standards Association Group” (CA); UNE “Spanish Association for Standardization” (ES); AFNOR “French Standardization Association” (F); SIS “Swedish Institute for Standards” (S)

Note. DE = Germany, US = United States of America, CA = Canada, ES = Spain, F = France, S = Sweden.

At the international level, several joint technical committees (JTC) from ISO and IEC are active. The one responsible for most of the relevant standards for IMPULSE is ISO/IEC JTC1, which has published 185 of the relevant international standards. It is composed of 22 subcommittees, of which ISO/IEC JTC 1/SC 27 “Information security, cybersecurity and privacy protection” has drawn up 162 standards relevant for the project. Furthermore, the second most important subcommittee, ISO/IEC JTC 1/SC 37 “Biometrics”, has published 14 of the international standards that have been assessed as relevant to the project. Some other relevant international standards have been published by ISO/IEC JTC 1/SC 17 “Cards and security devices for personal identification”, ISO/IEC JTC 1/SC 29 “Coding of audio, picture, multimedia and hypermedia information”, ISO/IEC JTC 1/SC 41 “Internet of things and digital twin”, and ISO/IEC JTC 1/SC 42 “Artificial intelligence”. In addition to ISO/IEC JTC1, mainly four other ISO/TCs (i.e., ISO/TC 46, ISO/TC 68, ISO/TC 154, and ISO/TC 307), as well as ITU-T, have published international standards relevant for the IMPULSE project.

Regarding the European standards, the majority, namely 76 standards, have been published by ETSI. The ETSI Technical Committee ESI has published 70 of the relevant standards. It is therefore the most active one in the field and thus very important for the IMPULSE project. The remaining standards have been published by the ETSI groups ISG SAI and 3GPP. ETSI TC ESI works in collaboration with CEN/TC 224 to provide standards for digital signatures. CEN/TC 224 is responsible for 51 of the relevant European standards rated by IMPULSE partners. Furthermore, the recently launched CEN/CENELEC/JTC 19 will pay special attention to standards developed by ISO/TC 307.

With 23 standards, the majority of the identified national standards originate from Germany; the main publisher there is not DIN, with seven standards, but BSI, the Federal Cyber Security Authority, with 13 standards. The second highest proportion of national standards (10) is from the US. These have been published by NIST, which is part of ANSI, a private, non-profit organization that administers and coordinates the US voluntary standards and conformity assessment system. The CSA Group, UNE, AFNOR and SIS have published the remaining relevant national standards.

Other standard-setting organizations, besides those described above, that develop de-facto standards on decentralized eID management are the World Wide Web Consortium (W3C), the Decentralized Identity Foundation (DIF), Internet Engineering Task Force (IETF), the OpenID Foundation and the Institute of Electrical and Electronics Engineers (IEEE). W3C is the most acknowledged standardization organization in the context of Self Sovereign Identity (SSI), as it is hosting different Working Groups (WGs) such as the “Decentralized Identifier WG” and “Verifiable Credentials WG” to develop standards for the core elements of the decentralized identity [30]. The DIF is an engineering-driven organization which focuses on developing foundational elements necessary to establish an open ecosystem for decentralized identity and aims to ensure interoperability between all participants [31]. The scope of IETF is the development of technical documents that influence the way people design, use and manage the internet within a large open international community [32]. The OpenID Foundation is a non-profit international standardization organization of individuals and companies that works in 10 WGs on OpenID technologies [33]. IEEE is the world’s largest technical professional organization and a leading developer of international standards in the field of telecommunication, information technology, and power-generation products and services [34].

Table 3 Overview of highly relevant formal standards

| Document No. (Publication year) | Title | Relevance for IMPULSE |
|---|---|---|
| CEN/TS 16921 (2016) | Personal identification – Borders and law enforcement application profiles for mobile biometric identification systems | Most relevant standard for facial recognition and document verification services for IMPULSE |
| DIN SPEC 4997 (2020) | Privacy by Blockchain Design: A standardised model for processing personal data using blockchain technology | Must-read standard in order to design a new decentralised eID model |
| ETSI GR SAI 001 V 1.1.1 (2022) | Securing Artificial Intelligence (SAI) – AI Threat Ontology | Used to discover security vulnerabilities and attacks to IMPULSE AI systems based on threat modelling |
| ETSI GR SAI 002 V 1.1.1 (2021) | Securing Artificial Intelligence (SAI) – Data Supply Chain Security | This standard’s recommendations have been followed in terms of data sources, data curation, training/testing and deployment of the forgery detection solution of IMPULSE |
| ETSI TS 119 182-1 (2021) | Electronic Signatures and Infrastructures (ESI) – JAdES digital signatures – Part 1: Building blocks and JAdES baseline signatures | Used in IMPULSE to build a profile for the Verifiable Credential signature |
| ISO/IEC 20889 (2018) | Privacy enhancing data de-identification terminology and classification of techniques | Relevance to the technical specifications of the project |
| ISO/IEC 27001 (2015) | Information technology – Security techniques – Information security management systems – Requirements | Provides security requirements to be considered for information security management in IMPULSE |
| UNE 71207-1 (2020) | Digital Enabling Technologies – Distributed Identities Management Model on Blockchain and other Distributed Ledger Technologies. Part 1: Reference Framework | Used in IMPULSE to follow the best practices for decentralised identity management |

3.3 Standards on eID Management Highly Relevant for IMPULSE

An overview of the formal standards rated as highly relevant for the IMPULSE project is given in Table 3. Three of the standards are considered highly relevant for a decentralized eID management solution like the one the IMPULSE project aims to provide. The first one, DIN SPEC 4997, provides a standardized model for processing personal data using blockchain technology and is a must-read standard for designing a new decentralized eID model compliant with the current standards. However, the purpose of the IMPULSE project is not to design a new identity model, but to use an existing one while following the best practices for decentralized identity management. For this purpose, the UNE 71207-1 standard was published on 11/1/2021 in the BOE (Spain Official Bulletin), a process through which it was officially approved and became legally binding. UNE 71207-1 is considered the most appropriate standard, as it directly tackles the management of digital identities in a decentralized manner. This standard now forms the basis for a new European Technical Specification and is therefore included as a work item within CEN/CLC/JTC 19. The CEN/TS 16921 standard focusses on personal identification using mobile biometric identification systems and is probably the most relevant standard for facial recognition and document verification services. These services are used within the IMPULSE project to identify citizens who request an enrolment process that leads to the issuance of a credential that proves the citizen’s identity.

Table 4 Overview of highly relevant de-facto standards

| Document Title (Publication Year) | Relevance for IMPULSE |
|---|---|
| Decentralized Identifiers (DIDs) v1.0 (W3C, 2022) | basis of the technology stacks on which IMPULSE will implement its services |
| JSON-LD 1.1 (W3C, 2021) | used within IMPULSE for the REST APIs |
| OpenId Specifications for Verifiable Credential Issuance (, 2022) | these guidelines are followed within IMPULSE for the issuance of EBSI Verifiable Authorisations and EBSI Verifiable Identities |
| OpenId Specifications for Verifiable Presentations (, 2022) | these guidelines are followed within IMPULSE for the verifiable presentations of EBSI Verifiable Authorisations and EBSI Verifiable Identities |
| Verifiable Credentials Data Model 1.1 (W3C, 2021) | provides essentials for the user identification within IMPULSE |
| Verifiable Credentials JSON Schema Specification (W3C, 2019) | Identity Verifiable Credentials used in IMPULSE will need to be compliant with this specification |

With 4 out of 6, the majority of de-facto standards that were rated as highly relevant by the IMPULSE project were published by W3C (see Table 4). The other 2 documents are from OpenID. Some of the documents listed are in an early stage and represent the most advanced documents in the industry. The most relevant standard, which could become the first new identifier the W3C would approve since the URL, is the Decentralized Identifiers (DIDs) v1.0 specification. Decentralized identifiers (DIDs) are a new type of identifier for verifiable, “self-sovereign” digital identity. DIDs are fully under the control of the DID subject, independent from any centralized registry, identity provider, or certificate authority. DIDs resolve to DID Documents – simple documents that describe how to use that specific DID. This document specifies the algorithms and guidelines for resolving DIDs and dereferencing DID URLs. Almost as important as the previous one, the Verifiable Credentials Data Model 1.1 specification provides a mechanism to express the credentials used in the decentralized eID management approach in a way that is cryptographically secure, privacy respecting, and machine-verifiable. Such credentials can represent driver’s licenses, used to assert that a person is capable of operating a motor vehicle; university degrees, used to assert a person’s level of education; and government-issued passports, which enable citizens to travel between countries.
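The checks a relying party can run on a resolved DID Document before trusting the keys in it, as an added example (not code from IMPULSE or from the W3C specification). It goes slightly beyond the paragraph by applying the syntax and document rules of DID Core v1.0; the function names, the sample DID and the sample document are constructed for illustration.

```python
import re

# DID syntax, from the ABNF in W3C DID Core v1.0:
#   did = "did:" method-name ":" method-specific-id
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
_DID_RE = re.compile(rf"did:[a-z0-9]+:(?:{_IDCHAR}*:)*{_IDCHAR}+")


def parse_did(did):
    """Split a DID into (method, method-specific-id); ValueError if malformed."""
    if not isinstance(did, str) or not _DID_RE.fullmatch(did):
        raise ValueError(f"not a syntactically valid DID: {did!r}")
    _, method, specific_id = did.split(":", 2)
    return method, specific_id


def _absolute(ref, base_did):
    """Expand a relative DID URL such as '#key-1' against the document's DID."""
    if isinstance(ref, str) and ref.startswith("#"):
        return base_did + ref
    return ref


def check_did_document(requested_did, doc):
    """Return a list of problems in the DID Document returned for requested_did."""
    parse_did(requested_did)
    problems = []
    # The resolver must hand back the document for the DID that was asked for.
    if doc.get("id") != requested_did:
        problems.append("id does not match the resolved DID")
    known = set()
    for vm in doc.get("verificationMethod", []):
        vm_id = _absolute(vm.get("id"), requested_did)
        if not isinstance(vm_id, str) or not isinstance(vm.get("type"), str):
            problems.append(f"{vm_id}: id and type are required")
        try:
            parse_did(vm.get("controller"))
        except ValueError:
            problems.append(f"{vm_id}: controller is not a DID")
        # DID Core forbids two encodings of the same key in one method ...
        if "publicKeyJwk" in vm and "publicKeyMultibase" in vm:
            problems.append(f"{vm_id}: two representations of the same key")
        # ... and forbids private-key members in a published JWK.
        if "d" in vm.get("publicKeyJwk", {}):
            problems.append(f"{vm_id}: publicKeyJwk contains private member 'd'")
        known.add(vm_id)
    for entry in doc.get("authentication", []):
        if isinstance(entry, dict):  # method embedded in the relationship
            continue
        if not isinstance(entry, str):
            problems.append("authentication entry is neither a map nor a string")
            continue
        ref = _absolute(entry, requested_did)
        # References into other DIDs' documents need their own resolution
        # and are outside this local check.
        if ref.split("#", 1)[0] == requested_did and ref not in known:
            problems.append(f"authentication references unknown method {ref}")
    return problems


# Constructed sample input (not an IMPULSE or EBSI identifier or key).
SAMPLE_DID = "did:example:alice123"
SAMPLE_DOC = {
    "@context": "https://www.w3.org/ns/did/v1",
    "id": SAMPLE_DID,
    "verificationMethod": [{
        "id": SAMPLE_DID + "#key-1",
        "type": "JsonWebKey2020",
        "controller": SAMPLE_DID,
        "publicKeyJwk": {"kty": "OKP", "crv": "Ed25519", "x": "constructed"},
    }],
    "authentication": ["#key-1"],
}

if __name__ == "__main__":
    print(parse_did(SAMPLE_DID), check_did_document(SAMPLE_DID, SAMPLE_DOC))
```
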

3.4 Standardization Dashboard for Results Analysis and Dissemination

In order to further analyze and disseminate the identified relevant standards within the project, a dashboard was developed. In addition to a search function within the list of (highly) relevant standards, it contains different indicators of the formal standards and their respective standard-setting organizations (e.g. age of standards, level of standards, type of standards, ICS fields of the standards, active countries in the TCs). Figure 4 shows an overview of the dashboard prepared for the IMPULSE standardization landscape. As the results can be clustered to the needs of the IMPULSE project partners, it supports an easy identification of standards relevant to IMPULSE.

Figure 4 Dashboard with the relevant standards of IMPULSE.

Regarding the level of formal standards, the majority (58%) were developed at international level, whereas 33% originated from European and a minority of 9% from national level (see Figure 5). The most important countries of origin for the national standards are Germany and the US, since more than half of these standards were developed in the former country and one quarter in the latter (see Figure 6).

Figure 5 Level of formal standards identified.

Figure 6 Origin of formal national standards identified.

Thus, the dashboard was used to provide an overview of the different fields covered by the standards that are relevant for IMPULSE. The International Classification for Standards (ICS) is used for this purpose (see Figure 7). Only the ICS fields to which at least three standards are assigned are taken into account. The identified standards are part of five different ICS fields, of which “33 – Telecommunications. Audio and video engineering” and “35 – Information technology” are the most important ones. It is important to keep in mind that one standard can be part of different ICS fields. This means that the 397 standards identified as relevant are classified in ICS fields 482 times in total. Nevertheless, there are three mainly relevant subcategories. Nearly half (44%) of the standards are classified as IT Security (35.030), which is by far the most prominent field. The field Application of information technology (35.240) is the second most important field, in which nearly one third (29%) of the standards are categorized. One-seventh of the standards are part of ICS field Telecommunication Systems (33.040).

Figure 7 Overview of the number of standards in the different ICS fields.

4 Discussion

As the IMPULSE project includes a variety of different topics such as eID, blockchain and artificial intelligence, quite a lot of standard-setting organizations and standardization committees were found in terms of each individual topic. This does not necessarily apply to topics that have a narrower focus, such as the topic of civil crisis management, which is mainly addressed in only two to three standardization committees at European and international level.

Due to the high number of identified standard-setting organizations relevant for IMPULSE, the number of identified standards is also quite high. Most of the identified standards also have a relation to the project itself. Therefore, it is important to identify the most relevant standards that the project needs to apply or consider for the technology development. However, an extended list should be kept, as a standard that was previously not rated so highly may gain importance at a later stage of the project. Thus, different standards may be relevant at the different stages of the technology development. Furthermore, organizations working in information technologies are aware of some standards, such as the ISO 27001 management standard, with which they need to comply.

The standards search was mainly conducted using the Perinorm database, which requires paid access, or so-called standards info points, e.g., at universities, which provide free access. However, there are other options, such as the ISO online browsing platform [35], the CEN and CENELEC standards search [36] or the websites of NSBs, which offer a free of charge standards search. Additionally, some literature already provides an overview of relevant standards and standard-setting organizations for a specific topic (e.g. [19]). For this reason, another approach to the identification of relevant standards and standard-setting organizations could be a literature review. However, the difficulty with this approach might be the lack of detailed information on the relevant standards identified and the actuality and completeness of the data collected.

Regarding the identified relevant standards for IMPULSE, the UNE 71207-1 has the closest relation to the project activities and has also been approved by the European standardization committee CEN-CLC/JTC 19 for the realization of a European technical specification under the title “Decentralized Identity Management Model based on Block chain and other Distributed Ledger Technologies. – Part 1: Generic Reference Framework”. Especially newly set up TCs such as CEN/CLC JTC 19, which usually do not have standards in their repository from the beginning, require input from national TCs or research activities such as IMPULSE for their standardization activities. The project partners of IMPULSE were not previously aware of the UNE standard, and its existence was discovered during the search with Perinorm. Due to the relevance of this standard for IMPULSE, an intensive exchange with the national standardization committee of UNE responsible for UNE 71207-1 took place, resulting in a partnership of IMPULSE with this committee. A first outcome of this interaction was that the project may contribute to the development of further parts of the UNE 71207 standards series and thus may directly influence future European standards; a success that most probably would not have been possible without the comprehensive analysis of the standardization landscape.

In this regard, it is important to assess the difference between de-facto and formal standards. The formal standardization system ensures actuality of the standards through periodic revisions and provides contribution possibilities based on pre-defined rules. In comparison to this, de-facto standards are not developed in a common process, might be available online in draft versions that are not complete but available free of charge, and have usually no periodic review. Due to the lack of information and comparability options of the de-facto standards, they are left out in the dashboard analysis. In general, the dashboard supports a more visual and search-friendly presentation of the identified relevant standards as well as the provision of background information on, for example, their origin and topic. Furthermore, this research approach also has limitations, as the data gathered depends very much on the information provided by the project partners (e.g., keywords for the search, de-facto standard-setting organizations) and their needs. In this regard, information on international standards adopted at national level, for example, could have provided more insight into the relevance of a standard for a particular country.

5 Conclusion

The evolution of topics such as eID management still depends very much on research efforts, e.g., within publicly funded research projects. However, research results usually face the difficulty of reaching the market on time. Therefore, it is important to find solutions to bridge this gap. The EC has been fostering the integration of standardization within research projects for several years in order to support the dissemination and exploitation of the projects’ results.

The IMPULSE project on eID management actively integrates standardization activities into the development of its solutions. As a first step, the relevant standardization landscape was analyzed, initially resulting in a list of more than 660 standards. In total, 9 formal standards and 6 de-facto standards have been assessed as highly relevant for IMPULSE. With the overview of the standardization landscape, the project is aware of existing standards that can be directly used for the development of the IMPULSE solutions, for both the technical and social part. The Spanish standard UNE 71207-1 has been identified as the most advanced standardization initiative to define a reference framework for a decentralized Identity Management Model based on blockchain and other Distributed Ledger Technologies. Cooperation with the standard-setting organizations will avoid fragmentation of the various standardization initiatives on eID management and foster the future uptake of the IMPULSE results.

The results of the analysis show that many standards of relevance already exist, but that there is also a gap in standards on eID management in general. Research projects such as IMPULSE can contribute to fill the gap in existing standardization and thus contribute to the state-of-the-art in eID management. Via the formal standardization system, R&I projects such as IMPULSE can comment on draft standards and develop new standards during the project term.

This article answers both research questions by presenting a process for conducting a review of the standardization landscape and demonstrating the relevance of existing standards to a research project. Furthermore, this research confirmed the relevance of the first step of the approach to integrating standardization in research projects by Lindner et al. [16] and provides a good practice for assessing and using standards for future projects. Research should always contribute to the state-of-the-art to which formal standards belong. Therefore, research projects should also assess their potential contribution to standardization in order to promote the uptake of their results and make them marketable through standards compliance.

Acknowledgements

This article has been prepared with funding from the EU project IMPULSE. IMPULSE has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 101004459.

References

[1] Gurumurthy, R., Nanda, R., Schatsky, D. ‘Putting digital at the heart of strategy. When everyone is digital, strategy is the differentiator’. Deloitte Insights Article, 2021. Available online: https://www2.deloitte.com/us/en/insights/topics/digital-transformation/digital-acceleration-in-a-changing-world.html.

[2] de Wit, W. ‘The future of authentication is passwordless: ready to make the change?’, (2022). Available online: https://www.onewelcome.com/news/the-future-of-authentication-is-passwordless.

[3] European Commission ‘COM/2015/0192 final. A Digital Single Market Strategy for Europe’, 2015. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52015DC0192&from=EN.

[4] Soltani, R., Nguyen, U.T., An, A. ‘A Survey of Self-Sovereign Identity Ecosystem. Security and Communication Networks’, vol. 2021, Article ID 8873429, 26 pages, 2021. https://doi.org/10.1155/2021/8873429.

[5] European Union ‘Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC’, 2014. http://data.europa.eu/eli/reg/2014/910/oj.

[6] European Union ‘Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)’, 2016. http://data.europa.eu/eli/reg/2016/679/oj.

[7] Juniper. Press release on the website of Juniper, 2020. Available online: https://www.juniperresearch.com/press/digital-identity-app-in-use-to-exceed-2025.

[8] IMPULSE. Website of the IMPULSE project. https://www.impulse-h2020.eu/.

[9] Blind, K., Gauch, S. ‘Research and standardisation in nanotechnology: evidence from Germany’. The Journal of Technology Transfer, 34(3), 320–342, 2009.

[10] European Union ‘Regulation (EU) No 1290/2013 of the European Parliament and of the Council of 11 December 2013’, 2013. Available online: https://publications.europa.eu/en/publication-detail/-/publication/3c645e51-6bff-11e3-9afb-01aa75ed71a1/language-en.

[11] European Commission ‘COM/2018/0224 (COD) Proposal for a Regulation of the European Parliament and of the Council establishing Horizon Europe the Framework Programme for Research and Innovation, Laying Down Its Rules for Participation and Dissemination’, 2018. Available online: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM:2018:0435:FIN.

[12] European Commission ‘Press release of 2 February 2022 on the EU Standardization strategy’, 2022. Available online: https://ec.europa.eu/commission/presscorner/detail/en/ip_22_661.

[13] European Commission ‘European Commission Decision C(2020)6320 of 17 September 2020 Horizon 2020 Work Programme 2018-2020. 13. Europe in a changing world – Inclusive, innovative and reflective societies’, 2020. Available online: https://ec.europa.eu/research/participants/data/ref/h2020/wp/2018-2020/main/h2020-wp1820-societies_en.pdf.

[14] European Commission. News of 4 August 2021 on EC Website, 2021. Available online: https://ec.europa.eu/info/news/standards-drive-innovation-2021-aug-04_en.

[15] Radauer, A. ‘Driving from the fringe into spotlight. The underrated role of standards and standardization in RTDI policy and evaluation’, Fteval J. Res. Technol. Policy Eval. 2020, 51, 59–65, 2020.

[16] Lindner, R., Jaca, C., Hernantes, J. ‘A Good Practice for Integrating Stakeholders through Standardization—The Case of the Smart Mature Resilience Project’, Sustainability, 13(16):9000, 2021. https://doi.org/10.3390/su13169000.

[17] Majer, S., Wurster, S., Moosmann, D., Ladu, L., Sumfleth, B., Thrän, D. ‘Gaps and Research Demand for Sustainability Certification and Standardisation in a Sustainable Bio-Based Economy in the EU’, Sustainability, 10, 2455, 2018.

[18] Ladu, L., Blind, K. ‘Overview of policies, standards and certifications supporting the European bio-based economy’, Current Opinion in Green and Sustainable Chemistry, Volume 8, 30–35, 2017.

[19] Ziegler, W. ‘A Landscape Analysis of Standardisation in the Field of Artificial Intelligence’, Journal of ICT Standardization, 2020. https://doi.org/10.13052/jicts2245-800X.824.

[20] Trappey, A. J.C., Trappey, C. V., Govindarajan, U. H., Chuang, A. C., Sun, J. J. ‘A review of essential standards and patent landscapes for the Internet of Things: A key enabler for Industry 4.0’, Advanced Engineering Informatics Volume 33, 2017, Pages 208–229, 2017. https://doi.org/10.1016/j.aei.2016.11.007.

[21] Meyer, O., Rauhoeft, G., Schel, D., Stock, D. ‘Industrial Internet of Things: covering standardization gaps for the next generation of reconfigurable production systems’, IEEE 16th International Conference on Industrial Informatics (INDIN), pp. 1039–1044, 2018. http://doi.org/10.1109/INDIN.2018.8472048.

[22] Laurent, M., Bouzefrane, S. ‘Digital identity management’, London: ISTE Press, pp. 33–37, 2015.

[23] Cucko, S., Turkanovic, M. ‘Decentralized and Self-Sovereign Identity: Systematic Mapping Study’, IEEE Access, 9, 139009–139027, 2021. https://doi.org/10.1109/access.2021.3117588.

[24] Dul, J., Hak, T. ‘Case Study Methodology in Business Research’, Elsevier Ltd.: Oxford, UK, 2008.

[25] Meredith, J. ‘Building operations management theory through case and field research’, J. Oper. Manag. 16, 441–454, 1998.

[26] Larsson, M., Jakobsson, K. ‘The Role of Standardization and Adaptation in the Marketing Mix: A Case Study on a Professional Service Firm’, 2019. Available online: http://hj.diva-portal.org/smash/get/diva2:1320402/FULLTEXT01.pdf.

[27] Beuth (2022). Website of Beuth on Perinorm. https://www.perinorm.com/.

[28] Vázquez-Ingelmo A., García-Peñalvo F.J., Therón R. ‘Application of Domain Engineering to Generate Customized Information Dashboards’. In: Zaphiris P., Ioannou A. (eds) Learning and Collaboration Technologies. Learning and Teaching. LCT 2018. Lecture Notes in Computer Science, vol 10925. Springer, Cham, 2018. https://doi.org/10.1007/978-3-319-91152-6_40.

[29] Ziuziański, P., Furmankiewicz, M., Sołtysik-Piorunkiewicz, A. ‘E-health artificial intelligence system implementation: case study of knowledge management dashboard of epidemiological data in Poland’. International Journal of Biology and Biomedical Engineering, 8(8), 2014.

[30] W3C, Website of World Wide Web Consortium. https://www.w3.org/groups/wg.

[31] DIF, Website of Decentralized Identity Foundation. https://identity.foundation/.

[32] IETF, Website of Internet Engineering Task Force. https://www.ietf.org/about/introduction/.

[33] openID, Website of openID. https://openid.net/wg/.

[34] IEEE, Website of Institute of Electrical and Electronics Engineers. https://www.ieee.org/about/at-a-glance.html.

[35] ISO, Website of the ISO online browsing platform. https://www.iso.org/obp/ui.

[36] CEN-CENELEC, Website of CEN and CENELEC for standards search. https://standards.cencenelec.eu/.

Biographies

René Lindner obtained his Diploma in Industrial Engineering in 2009 at the Technical University in Berlin, Germany. Afterwards he taught courses in project management, math and innovation management for several years. Furthermore, he was involved in several European research projects, such as SMR, DRIVER+, ARCH and Smarter Together, and supported the standardization activities in these projects. His fields of interest are smart and resilient cities. He is currently writing his PhD thesis on the integration of standardization activities in research projects at Tecnun – Universidad de Navarra, Spain.

Madlen Schmudde received her PhD in Chemistry in 2017 from the Free University in Berlin. Afterwards she worked several years in the field of environmental analysis before starting as a project manager at DIN. There she works in the Group Research and Transfer and is active in several EU R&I projects.

Alicia Jiménez González graduated in July 2009 as a Telecommunication Engineer from the University of Seville, and qualified as an expert in Management of R&D&I international projects at the International University of Andalusia. In 2009 she joined the company LCC Wireless Communications as a Radio engineer. Later, she joined Adevice Solutions SL for the preparation of R&D&I proposals and project monitoring. In 2011 she was hired by the SME Wellness Telecom as Project Manager in the area of ICT. She has coordinated and participated in several European projects and participated as an expert reviewer. Since 2015 she has worked at Gradiant, where she is currently the head of EU programmes.

Jaime Loureiro Acuña holds a Master’s Degree in telecommunication engineering (Universidad de Vigo, 2009). In that same year, he received his Master in multimedia communications. Between 2010 and 2016, he worked for the Information Technologies Group of the Universidad de Vigo as a researcher. He has focused his work on the design and implementation of secure protocols to distribute and run multimedia contents in IoT devices in a secure manner. In addition, he has actively participated in R&D projects related to areas such as security and privacy (SCAPE and SMART-HOSPITAL), cloud computing and virtualisation (VIMAIN) and IoT (IPNA, RAUDUS). In November 2016 he joined GRADIANT, assuming the role of security researcher for the “Security and Privacy” area. In particular, he has participated in the BlackIce HSM RETOS project, researching advanced cryptographic technologies to secure data computation in untrusted environments, and in EDSALUD, where blockchain has been adopted as a technology for health records auditing. Since 2018 he has been providing training courses on blockchain networks and development of smart contracts to various private companies. At the beginning of 2019 he assumed the role of Head of the Secure Information Processing R&D line within the Security and Privacy department, leading projects involving identity management, cryptography, blockchain and smart contracts. Since 2012, he has been a cofounder of Infinbox (20% share), a company that develops innovative products for the Health sector.

Knut Blind was a senior researcher and department head at Fraunhofer ISI between 1996 and 2010, before returning to ISI in October 2019 as the coordinator of the Business Unit Regulation and Innovation. Between 2010 and 2019, he worked in the Innovation Management Department of the Fraunhofer Institute for Open Communication Systems as a project manager. Since 2006, he is also Professor for Innovation Economics at the Technical University Berlin. Between 2008 and 2016, he also held the Endowed Chair in Standardization at Rotterdam School of Management, Erasmus University Rotterdam. His research focus is on analysing the connection between regulation and innovation.
