Commission was not responsible for assessing the soundness of these solutions from a
data protection perspective.
45 To ensure that a revoked certificate could be identified in other countries, Member States would have had to exchange information bilaterally in the form of revocation lists. One concern raised during our audit was that such bilateral exchange, involving different actors and revocation solutions, was inefficient, especially as the number of new certificates was growing.
46 To address those concerns, on 30 March 2022, eight months after the introduction of the EU Digital COVID Certificate, the Commission published technical specifications and rules establishing a more efficient mechanism for exchanging revocation lists through the central gateway. The specifications also recommended three technologies for distributing revocation lists from national databases to the applications used to verify certificates. If correctly applied, these proposed solutions can be deemed to preserve privacy, although one of them (Bloom filters) took privacy concerns into account much better than the other two (26). Nevertheless, the use of these solutions was voluntary and the Commission did not have the competence to monitor whether Member States applied them.
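As an added illustration, not part of the audit report or of the eHealth Network specification it cites, the following Python shows why a Bloom filter can distribute a revocation list without disclosing it: the national backend publishes only a bit array, and the verifier application tests the identifier of the presented certificate against that array. The hashing construction (SHA-256 double hashing), the choice to hash a UCI-like identifier string, the serialisation header and the sample identifiers are all assumptions made for this example and are not taken from the specification.

```python
"""Bloom-filter distribution of a certificate revocation list (illustrative example).

Assumptions, not the eHealth Network specification's exact construction: SHA-256
double hashing, hashing of a UCI-like identifier string, and a 5-byte header.
"""
import hashlib
import math


def optimal_params(n_items: int, fp_rate: float) -> tuple[int, int]:
    """Bit count m and hash count k that hold n_items at the target false-positive rate."""
    m = math.ceil(-n_items * math.log(fp_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n_items * math.log(2)))
    return m, k


class BloomFilter:
    HEADER = 5  # assumed framing: 4 bytes m (bit count) + 1 byte k (hash count)

    def __init__(self, m_bits: int, k_hashes: int) -> None:
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, item: bytes) -> list[int]:
        # Kirsch-Mitzenmacher double hashing: the two halves of one SHA-256 digest
        # yield all k positions, so a larger k costs no extra digest computations.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:16], "big")
        h2 = int.from_bytes(digest[16:], "big") | 1  # odd step size
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: bytes) -> None:
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))

    def serialize(self) -> bytes:
        return self.m.to_bytes(4, "big") + bytes([self.k]) + bytes(self.bits)

    @classmethod
    def deserialize(cls, blob: bytes) -> "BloomFilter":
        bf = cls(int.from_bytes(blob[:4], "big"), blob[4])
        bf.bits = bytearray(blob[cls.HEADER:])
        return bf


def build_revocation_filter(revoked_ids: list[str], fp_rate: float = 1e-6) -> bytes:
    """Backend side: publish a filter over the revoked identifiers. The published
    bytes carry bit positions only, never the identifiers themselves."""
    m, k = optimal_params(len(revoked_ids), fp_rate)
    bf = BloomFilter(m, k)
    for uci in revoked_ids:
        bf.add(uci.encode())
    return bf.serialize()


def is_possibly_revoked(filter_blob: bytes, uci: str) -> bool:
    """Verifier-app side. False is definitive (not revoked); True may be a false positive."""
    return uci.encode() in BloomFilter.deserialize(filter_blob)


# Constructed sample identifiers in a UCI-like shape; they do not belong to real certificates.
REVOKED = [
    "01:AT:10807843F94AEE0EE5093FBC254BD813#B",
    "01:DE:2CD1C9F8A3E7B4C0D1E2F3A4#3",
    "01:FR:9B3F0A17E2D6C5B4A1F0E9D8#7",
]
NOT_REVOKED = "01:IT:77C4D9E0A1B2F3C4D5E6F7A8#5"

if __name__ == "__main__":
    blob = build_revocation_filter(REVOKED)
    print(f"published filter: {len(blob)} bytes for {len(REVOKED)} revocations")
    for uci in REVOKED + [NOT_REVOKED]:
        state = "possibly revoked" if is_possibly_revoked(blob, uci) else "not revoked"
        print(f"{uci}: {state}")
```

A Bloom filter has no false negatives, so a revoked certificate is always caught, but a valid certificate can be refused with the configured false-positive probability; the filter size therefore has to be chosen for the real list length and a rate the verifying party accepts. Entries cannot be deleted from a plain Bloom filter, so an updated list means rebuilding and republishing the filter. The privacy gain is that the verifier application, and anyone who intercepts the download, cannot enumerate the revoked identifiers from the published bytes; it does not hide membership from someone who already holds a candidate identifier and queries the filter with it.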
47 IT security risks can be addressed and mitigated with a structured IT security framework (27). This usually comprises several elements, such as governance arrangements, security policies, requirements and standards. It also includes good practices such as actively searching for weaknesses (‘vulnerability scans’) and actively testing defences (‘penetration tests’).
48 The Commission has its own IT security framework (28) that applies to all the information systems hosted in its data centres, including the contact-tracing and the EU Digital COVID Certificate gateways. The framework follows international standards (29). It requires the Commission to conduct a risk assessment for each IT
26 eHealth Network, “EU DCC Revocation - B2A Communication between the Backend and the Applications”, section 4.6.3.
27 ISACA, Certified Information Systems Auditor review manual, 2019.
28 Commission Decision (EU) 2017/46 on the security of communication and information systems in the European Commission, and implementing rules C(2017) 8841 final.
29 International Organization for Standardization / International Electrotechnical Commission standards 27001, 27002, 27005 and 27035.