Paper 4 of 6 · Session 2: Cybersecurity & E-Government
A Threat-Modelling Framework for Croatian e-Citizen Services Under the EUDIW Regulation
Ivan Horvat, Mirjana Pejić Bach, Tomislav Hernaus · Faculty of Economics & Business, Zagreb
Abstract
Croatia's e-Citizen portal will integrate with the pan-EU Digital Identity Wallet (EUDIW) by 2026 under Regulation (EU) 2024/1183. This paper develops a STRIDE-based threat-modelling framework specific to the e-Citizen / EUDIW integration, identifies 14 high-priority threats through expert validation with eight national security architects, and proposes corresponding mitigation patterns mapped to the EUDIW Architecture and Reference Framework v1.4. The framework generalises to other Member-State e-Government systems undertaking EUDIW integration and offers concrete recommendations to SDURDD on assurance-level configuration.
1. Introduction
Croatia's e-Citizen platform (e-Građani) is one of the largest single-sign-on portals for public services in South-East Europe, serving more than 2.4 million unique citizens in 2023. The forthcoming pan-EU Digital Identity Wallet (EUDIW), mandated by Regulation (EU) 2024/1183, requires Member States to integrate national identity systems into a federated wallet architecture by 2026. This paper develops and applies a STRIDE-based threat-modelling framework specific to the e-Citizen / EUDIW integration.
2. Background
We synthesise (i) the public-administration literature on digital identity in the EU (Tsakalakis et al. 2021; Cuijpers & Schroers 2014), (ii) the security-engineering literature on identity federation (Cameron 2005; Bertino & Takahashi 2010), and (iii) the legal-informatics literature on eIDAS 2.0 (Schwerha 2024).
3. Method
We construct the threat model in three iterations: (i) baseline STRIDE applied to the legacy e-Citizen architecture, (ii) extended STRIDE-LM (linkability and machine-learning extensions) applied to the EUDIW-integrated architecture, (iii) expert validation with eight security architects from the Croatian information-society agency (SDURDD) and FINA.
4. Threat Model
We identify 47 candidate threats, of which 14 are judged high-priority. The five most consequential are: (T1) wallet-instance cloning, (T2) issuer-attestation downgrade, (T3) verifier-side correlation attacks, (T4) cross-border attribute over-disclosure under verifier coercion, and (T5) revocation-list timing attacks.
5. Mitigations & Recommendations
For each high-priority threat, we propose a mitigation pattern, mapped to the EUDIW Architecture and Reference Framework v1.4. We recommend SDURDD adopt selective-disclosure assurance levels above the EUDIW minimum, particularly for sensitive health-record verifiers.
6. Conclusion
The framework is, by construction, applicable to other Member-State e-Government systems undertaking EUDIW integration. We close with future-work pointers toward formal-methods verification of the wallet-binding protocols.
References (selected)
- Cameron, K. (2005). The laws of identity. Microsoft Identity White Paper.
- Cuijpers, C. & Schroers, J. (2014). eIDAS as guideline for the development of digital identity. SSRN.
- European Parliament (2024). Regulation (EU) 2024/1183 amending eIDAS for EUDIW. OJEU, L series.
- Pejić Bach, M. et al. (2022). Public-sector digital transformation in Croatia. Government Information Quarterly, 39(4), 101739.
- Tsakalakis, N., O'Hara, K. & Stalla-Bourdillon, S. (2021). Identity assurance in eIDAS. Computer Law & Security Review, 41, 105541.