A comprehensive security portfolio for critical infrastructures
Digital transformation is reshaping the public sector from the outset – from connected government services to fully digital administrative processes. But as digitalisation accelerates, cyber threats are becoming more frequent and sophisticated – targeting public authorities, critical systems and IT service providers alike.
To counter this, both European and national legislators are introducing binding security frameworks that embed protection at every level – securing IT systems, digital identities and communications infrastructures by design. Security gaps must not be discovered once systems are live; they need to be eliminated during development.
New regulatory initiatives such as the Cyber Resilience Act (CRA), the NIS 2 Directive, DORA, EUCC, the CER Directive, eIDAS 2.0 and the BSI standards together form a harmonised framework designed to strengthen the long-term resilience of Europe’s digital ecosystem.
Public authorities are a growing target for cyber criminals – accounting for 19 per cent of all IT security incidents, the public sector is currently the most targeted industry in the EU:
The public administration sector is a primary target of cyber espionage: by far the majority of APT groups relevant to Germany (Advanced Persistent Threats – long-term, often state-sponsored attacker teams) focus their operations on this sector.
Source: The State of IT Security in Germany 2025, BSI – Federal Office for Information Security, TAS
Legal frameworks as the foundation for robust IT products
Legal security requirements go far beyond mere compliance – they form the foundation of trustworthy and resilient IT products. The objective is to protect systems and infrastructures against cyber-attacks while reducing technological dependencies.
Key regulations shaping stronger cyber resilience:
- Cyber Resilience Act (CRA) – Requires manufacturers to integrate cyber security into product development from the outset, ensuring vulnerabilities are prevented proactively rather than discovered later.
- NIS 2 Directive – Obligates organisations and public authorities to systematically secure critical IT infrastructures and digital identities in order to prevent data loss and operational disruption.
- Digital Operational Resilience Act (DORA) – Demands that financial institutions and their IT service providers build digital systems capable of withstanding cyber attacks and outages, strengthening the overall stability and security of the European financial sector.
- eIDAS 2.0 & EUDI Wallet – Defines harmonised, EU-wide solutions for digital identities and enhances trust in electronic credentials and authentication processes.
- EU Cybersecurity Certification (EUCC) – Establishes a reliable framework for the security evaluation of IT products, helping to prevent manipulation and reduce the risk of cyber compromise.
- CER Directive – Requires operators of critical entities to protect both their physical and digital systems against disruption, natural disasters and cyber incidents – ensuring the resilience and operational continuity of essential services in sectors such as energy, transport, healthcare and public administration.
- BSI Standards – Set binding requirements for secure IT architectures and cryptographic procedures, including specific provisions for protecting confidential and classified (VS) information within governmental and other security-sensitive environments.
Organisations that prepare early for these regulatory frameworks not only benefit from faster market access but also make a decisive contribution to the overall cyber security and resilience of Europe’s digital infrastructure.
Efficient implementation of complex requirements
Public authorities, operators of critical infrastructure (KRITIS) and public-sector organisations are facing ever-increasing demands in the areas of cyber security, interoperability and compliance. Modern IT systems must meet stringent regulatory requirements while remaining resilient against threats over the long term.
- achelos supports operators in building and managing resilient IT networks equipped with high-assurance cyber security systems.
- At the same time, we assist suppliers and product manufacturers within critical infrastructure sectors through our comprehensive Security Engineering Services – from secure product development to successful certification.
In this way, digital identities can be safeguarded, IT infrastructures protected and regulatory requirements implemented efficiently.
Security systems – trusted enterprise PKI for the public sector
With increasing regulatory requirements, public-sector organisations face growing pressure to secure their digital infrastructure reliably. At the core of this challenge are strong authentication, effective encryption and the protection of sensitive data.
achelos offers tailored security solutions that build long-term trust and integrate seamlessly into existing system landscapes. A robust enterprise Public Key Infrastructure (PKI) forms a key component, enabling secure digital identities and protected communication across networks and services.
Security Engineering Services – Achieving security from development to certification
IT manufacturers should take security requirements into account from the very start of the development process: identifying potential vulnerabilities, minimising attack surfaces and meeting regulatory obligations. achelos provides tailored services that reliably secure products and prepare them effectively for certification.
- Security Requirements & Architecture – From risk assessment to secure architecture design: our security engineers define clear requirements and develop robust security architectures that form the foundation for safe, standards-compliant products.
- Embedded Security Development & Testing – From the secure implementation of cryptographic functions to comprehensive security testing: achelos supports manufacturers in developing and safeguarding embedded systems, protecting update and boot processes, and ensuring the highest security standards.
- Security Certification & Evaluation – achelos assists public-sector organisations and companies in integrating security requirements into product development from the outset and implementing them successfully. We draw on extensive experience from international certification and evaluation projects to ensure that solutions comply with current regulatory frameworks.
achelos helps manufacturers implement regulatory requirements in a practical way and strengthen their products to withstand the demanding security expectations of the public sector in the long term.
Proven security solutions for the public sector
Standardisation for highly secure EUDI Wallets
EUDI Wallets are a central element of the EU’s digital identity strategy. To meet the highest security requirements, modern mobile devices must be able to integrate highly secure Secure Elements reliably.
achelos supports this process by contributing to the standardisation of a certifiable Crypto Service Provider that enables interoperable and secure use of digital identities. Two reference implementations and the corresponding API definition form the basis for a European-wide standardisation effort that simplifies the integration of Secure Elements in EUDI Wallets and promotes secure scalability.
PKI migration including Smart Card Management and CLM
For an international banking institution, achelos migrated an existing Microsoft-based PKI to an integrated system combining PKI, CLM and CMS. In addition to installing and configuring a private PKI, an automated certificate lifecycle management process was introduced, and the solution was integrated into key enterprise applications such as cloud, MDM and ITSM systems.
The PKI now supports a wide range of use cases, including authentication, code signing, digital signatures and encryption. achelos also provided staff training and took on operational responsibility as part of managed services.
Renewal of a public key infrastructure
For a higher-level municipal association, achelos carried out a complete renewal of the existing PKI. A modern CA solution was implemented, featuring a self-service portal, a network HSM and verification components (OCSP, CRL). Multiple issuing CAs with dedicated certificate profiles enable use cases such as WLAN and VPN authentication as well as certificates for mobile devices, web servers and Kerberos servers.
Additional features such as OCSP signing and code signing were integrated. An automated certificate lifecycle ensures efficient administration and long-term secure operation.
Process-oriented technology consulting for the German ID card
Since the introduction of the new German national ID card (Personalausweis) in 2010, achelos has established itself as an expert for eID solutions in the public sector. With process-oriented technology consulting, achelos supports secure business processes surrounding the national ID card and possesses extensive know-how in smart card and PKI technologies along the entire value chain.
High-performance tool for card reader conformity testing
achelos has developed a powerful test suite for card readers used with the electronic ID card. This Java-based test platform is utilised by leading terminal manufacturers and offers extensive debugging and reporting functions for both software and hardware developers.
Expertise in development, testing and certification under eIDAS
achelos contributes its experience in the development, testing and certification of IT security solutions to projects under the eIDAS Regulation. One example is the company’s support in achieving Common Criteria (CC) certification for a remote signature module within the banking sector.
Further reference projects
Our expertise is applied in numerous security-critical domains, including:
- Electronic identity systems (national ID cards)
- Electronic health cards (eGK, telematics infrastructure)
- Digital tachographs and driving licences
- Chip-based bank cards
- Secure electronic communication
- Public key infrastructures and digital signatures
Practical expertise – turning regulation into resilience
At achelos, we help public authorities, critical infrastructure operators and other public-sector organisations translate complex regulatory requirements into real, measurable security. Our specialists combine deep expertise in security engineering, certification and IT security systems to ensure that digital identities are protected, infrastructures are secured, and compliance goals are achieved efficiently.
With years of experience across public-sector projects – from eID solutions and PKI migrations to EUDI Wallet initiatives – we have become a trusted partner for building long-term cyber resilience. Together with our clients, we design and deliver robust, interoperable and future-ready solutions that create confidence and strengthen the public sector in the long run.
Get in touch – we’re here to support you from strategy to implementation.