DG FISMA - OTC trading

Demonstrator (2017-2018)

Demonstrator (2018)

Google Cloud Deployment (PwC) OAM DLT nodes EFTG portal OAM client application (Java simulator)

Sourcecode Public portal for for January 26, 2018 demonstration (AWS, managed by EC) Other info



  • FIDES - blockchain notary by PwC

Energy and utilities


  • DG TAXUD - customs on Hyperledger Fabric - Excise Movement Control System
  • DG TAXUD - Excise Movement Control System (accijns)

European Blockchain Partnership (EBP)

  • CEF Digital EBP homepage
    • Policy Group, Technical Group (including TechGov/Security)
    • Legal Social Economic Group
    • Use Case Groups
    • Node overview
    • And more: common documents, terminology, early adopters, ...


EBSI public domain info

EBSI homepage

EBSI Early Adopters

Social media

CEF (legacy, migrated to Digital Building Blocks)


Other EBSI public info

EBSI v2 Early Adopter Program



DIGIT admin

EBSI project management



Progress tracking


CEF BBs and EBSI governance

CEF BBs governance

Blockchain governance

EBSI service desk

CEF EBSI support and status info

DIGIT EBSI software assets

EBSI cloud (AWS, Azure)


EBSI console, Grafana, ...

EBSI trust

EBSI knowledge management

Trusted Issuer Registry legal analysis and agreement Verifiable Attestation Diploma Service Agreement GDPR: SSI user's information notice

EBSI legal WIP (sieux)

EBSI legal landing pages

Basics Terms and Conditions, SLA

Legal 'Get started with EBSI' - legal assessment reports

  • Legal assessment reports
    • ESSIF Onboarding Service (EOS) legal analysis
      • For the scope of EBSI 2.0 the service of onboarding users to self-create the DIDs will be referred to semantically as “ESSIF onboarding service”, not as “Trusted Registration Authority" which insinuates the involvement of a public authority.
      • For the scope of EBSI 2.0 it will not be required that the onboard service involves a real name identification of users to create DIDs. It will be a service, not a certification.
    • SSI eIDAS report - drill down
      • Part 1 Introduction to SSI
      • Part 2 eDIAS
      • Part 3 Legal scenarios related to SSI and eIDAS
        • General considerations:
          • extend ESSIF to legal persons
          • assert VC as equal to electronic documents
          • a NP's DID is a pseudonym
          • a LP's DID is most likely an asset property of the legal person
          • it can be imagined DID are used for authentication or signing
        • Very short term: use of notified eID means/QCs to issue VCs, role of eIDAS bridge and eIDAS nodes
        • Short term: use of Verifiable IDs as eIDAS means, issuance of QCs based on DIDs
        • Mid-to-Long term:
          • Extension of eIDAS notification to Verifiable Attestations
          • Issuance of Verifiable Attestations as a trust service
          • Regulation of Identity Hubs as a trust service
          • Regulation delegated key management as a trust service
          • Regulation of specify types of DLT-Nodes as a trust service
    • GDRP report - drill down

Overview of actors - 'Use case governance/trust model'



EBSI versions, environments and architecture

EBSI versions

EBSI scope

EBSI architecture

EBSI operational management board

EBSI V1 on CEF Digital wiki (eu login)

EBSI V2 on CEF Digital wiki (eu login)

EBSI V2 Functional aspects

High Level Scope/subscopes
CEFdigital wiki EBSIdoc
Data model
CEFdigital wiki
EBSI V2 Architecture
EBSI V2 RFCs/transition
Functional documentation for all UCs (table of content provides a detailed breakdown)
Functional documentation ESSIF
Some materials related to the topic of correlation/traceability-related:
  • Business-level -- On DID-correlation:
  • Blockchain-/Transaction-level – On anonymity of blockchain transactions:
Functional documentation Diploma
Functional documentation Notarisation
See webex slides.
Functional documentation TDS
This use-case was originally proposed by the European Court of Auditors (ECA) with the aim to develop a blockchain-based Registry that could provide beneficiaries of EU funds with a tool to systematically notarise audit-relevant documents (e.g. invoices, proof of payments, supporting documents, bids, etc.), thus creating a trusted, fully digital audit-trail linked to the EU budget spending. Such a registry, which acts as a TDS service, can be generalised and its use can be extended beyond the scope of the audit of EU funds.

TDS:for the purposes of this use case, the TDS of a certain input (document and its metadata) shall be intended as the recording on blockchain(s) of an hash generated from that input. The imprint can be used at a later stage as immutable proof of authenticity/integrity of a given file. (source:

Originally started by the ECA, later extended to TAXUD's IOSS-DR (Import One-Stop Shop).
eIDAS bridge/sealing

EBSI V2 semantics

EBSI V2 Ledger


EBSI Risk management

DIGIT ITSRM2 material

EBSI V2 Testing

Jara Quintana

EBSI V2 Production


EBSI V2 Technical governance and security

  • EBSI Open-SCAP - local/desktop(Guacamole)
    • Apache Guacamole is a clientless remote desktop gateway, supporting VNC, RDP, and SSH. Clientless because no plugins or client software are required. Thanks to HTML5, once Guacamole is installed on a server, all the desktop needs is a browser.
EBSI V2 Technical governance
EBSI V2 internal processes and procedures
EBSI V2 Security
EBSI V2 Security - overall - top level
EBSI V2 security - preparation
EBSI V2 wallet
EBSI V2 vulnerability management (VMP)
EBSI V2 DRP/BCM general
EBSI V2 Nebula
Nebula is an overlay networking tool designed to be fast, secure, and scalable. Connect any number of hosts with on-demand, encrypted tunnels that work across any IP networks and without opening firewall ports.




  • JIRA - Tracker - System Dashboard, beyond EBSI
    • Select 'Boards' then 'EBSIINT-scrum'
    • On the left then select 'backlog', 'active sprints' or 'reports'
  • JIRA - EBSIINT tracker includes Kanban board, issues, tests, reports, ...
    • Two views: Activity and Statistics (from where you can drill down)

  • JIRA - EBSIINT tracker RapidBoard, Product Backlog

Issues - EBSI V1

Issues - EBSI ITSRM2

  • EBSIINT-635 creation of the EBSI ITSRM2 documentation processes for P1 (System Security Characterisation) and P2 (Primary Assets), and the creation of an initial first Security Plan.consists of subtasks (which are issues themselves):
    • -833 P1 System description, -834 P1 Roles and organisation, -835 P1 Constraints and measures
    • -836 P2 Primary assets, inventory, -837 Impact scenarios
    • -838 Security plan, risk acceptance criteria, -839 Security plan

Issues - EBSI V2

  • EBSIINT-1309- brief developers on security
  • EBSIINT-827- Tech Governance definition with EBP Tech Reps and EBSI Architecture, should produce:
    • EBSI Technical Governance Guiding Principles
    • EBSI TechGov Decision-making bodies
    • EBSI V2 Technical Governance Rules
    • EBSI V2 Technical Governance Operational Guidelines
    • EBSI V2 Technical Governance Node Operator Terms & Conditions Guidance

  • EBSIINT-1323 - approach 'from business to technology'
  • EBSIINT-592 - EBSI V2 mapping component to capabilities (+gap analysis).
    • Creates Functional and technical capability map
    • Creates Requirements and Capability maps - terminology:
      • Requirements are specified from Use Cases down to User Stories, made up of Steps (this is unsettled)
        • EBSI V1 has 4 Use Cases: ESSIF, Diploma, Notarisation and TDS
        • Use Cases are described in Journeys, providing an end-to-end description of the Use Case
        • Journeys are made up of User Stories (e.g. request diploma, issue diploma, receive diploma) - e.g. In order to start using ESBI services, as a Legal Entity, I can Setup My EBSI Enterprise Wallet
        • User Stories are made up of Steps, described in Gherkin:
          • Feature: Setup My EBSI Enterprise Wallet
          • Given I'm IT Administrator of the IT Infrastructure of the Legal Entity
          • And I have the required administrative right on the servers
          • And I have connection to Internet
          • When I start the setup of my Enterprise Wallet
          • And I download the EBSI Enterprise Wallet installation code on a specific URL
          • And I launch the installation of the Wallet on my server
          • And I define a new password to protect the access to the wallet
          • And I write a recovery passphrase in case I lose my password
          • And I receive setup successful message
          • Then my EBSI Enterprise Wallet is installed
      • Capabilities implement what is required. For this purpose, User Stories are mapped onto Capabilities of the EBSI platform

  • EBSIINT-1030- ticket for Sprint 4 security work as per KA
    • Oddly enought it's called 'DID-method / VC-Registries on Distributes Databases or Ledgers - security assessment', while it should be related to a user journey such as ESSIF onboarding of a natural/legal person
  • EBSIINT-1048- ticket for Sprint 4 security work as per KA
    • Oddly enought it's called 'As a user I can access the EBSI wallet (citizen) (configure ESSIF agent) - security assessment', while it should be related to a user journey ...

  • EBSIINT-1381 - assessment of eIDAS impact on EBSI architecture
  • EBSIINT-2639 - EBSI V2 Security Management Guidelines
  • EBSIINT-2998- ticket for RFC on production 'dry-run' scoping as per KA
  • EBSIINT-3017- ticket for RFC on production 'dry-run' scoping as per Guillem - disk-encryption
  • EBSIINT-3049 cefdigital- Create EBSI v2 production ready image based on Security assessment - including disk-encryption
  • EBSIINT-3049 digital-building-blocks- Create EBSI v2 production ready image based on Security assessment - including disk-encryption
  • EBSIINT-3150- Hardening of node (Guillem)
  • EBSIINT-3256- IOSS-DR IR002 RFC encrypted partition - MLS
  • EBSIINT-3257- IOSS-DR IR003 RFC secure coding guidelines - MLS
  • EBSIINT-3258- IOSS-DR IR004 RFC OS authentication improvement
  • EBSIINT-3259- IOSS-DR IR010 RFC contingency plan with guidelines to setup backup node - MLS
  • EBSIINT-3260- IOSS-DR IR013 resume HSM tests on AWS
    • EBSIINT-3260- IOSS-DR IR013 resume HSM tests on AWS before ruling it out completely if it still doesn't work

  • EBSIINT-3277- IOSS-DR IR010 MLS request to review processes for chain and storage
  • EBSIINT-3276- Operational tooling
  • EBSIINT-3191- Further security benchmarks Docker, VM, AWS, ...
  • EBSIINT-4317 - analysis of automated security testing in CI - MLS/JaraQ
  • RFC corresponding to EBSIINT-4317
OpenSCAP hardening
  • EBSIINT-3319 - architecture and security - CDN, Nebula, ...
  • EBSIINT-3483- Wallet conformity assessment/security questions
  • EBSIINT-3524- Security review DNS
  • EBSIINT-3525- Security review of all open source components EBSI relies on (whitesource-style)
  • EBSIINT-3526- create BCP (DRP)
  • EBSIINT-4108- node logging (eIDAS inspiration)
  • EBSIINT-4256- Information required for Web Application Penetration Test (Israel Pardo)
  • EBSIINT-4257- Roles and constraints information required for IT Risk Security Plan (Israel Pardo)