Executive Summary: Norway’s adoption of the European eIDAS Regulation through the Norwegian Electronic Signature Act (E-signaturloven) and the deployment of BankID as a qualified trust service underline the country’s commitment to secure, legally binding digital transactions. This article examines how BankID satisfies eIDAS requirements for qualified electronic signatures (QES), analyses its role in modern authentication workflows (including Apple ID and Gmail sign-ins), and evaluates risks such as browser session hijacking. It concludes with actionable recommendations for enterprises and public bodies to maintain compliance and resilience in a threat landscape increasingly shaped by advanced malware such as IcedID.
The European Electronic Identification, Authentication and Trust Services (eIDAS) Regulation (EU No 910/2014) establishes a harmonized legal framework for electronic identification and trust services across EU member states. Norway, as part of the EEA, has implemented eIDAS through the Act on Electronic Signatures (E-signaturloven) and associated regulations, ensuring mutual recognition of qualified electronic signatures (QES) and trust service providers (TSPs).
BankID is designated as a qualified trust service under eIDAS by the Norwegian supervisory authority, the Norwegian Communications Authority (Nkom), and is listed in the EU’s Trusted List of Qualified Trust Services. This designation confirms that BankID’s qualified certificates and signature creation devices meet the rigorous technical and procedural standards required under Article 25 of eIDAS, ensuring that electronically signed documents are admissible as evidence in court and possess the same legal force as traditional signatures.
BankID is widely used for identity verification and signing in both public and private sectors, including banking, healthcare, and government services. Increasingly, it is integrated into consumer technology ecosystems such as Apple ID and Google Account sign-in flows. In these scenarios, BankID is typically invoked via a secure redirect to the user’s bank portal, where the user authenticates using multi-factor authentication (MFA) and optionally signs the session or transaction.
This integration raises important considerations: while BankID provides strong identity proofing, the authentication session itself—managed by relying parties such as Apple or Google—must be protected against interception and tampering. A compromised browser session (e.g., via malware or phishing) can undermine the integrity of the entire login flow, even if BankID itself is secure.
Recent cyber threat intelligence (e.g., MITRE ATT&CK Technique T1185) highlights the growing use of browser session hijacking by advanced malware such as IcedID. This malware employs web injection attacks to intercept or redirect users to spoofed banking or credential harvesting portals. Notably, threat actors have been observed using self-signed TLS certificates to bypass certificate validation warnings, enabling man-in-the-middle (MITM) attacks.
While BankID employs strong cryptographic protections and is resistant to direct compromise, its effectiveness depends on the security of the entire authentication chain—from the user’s device to the relying party’s session management. A hijacked browser session during a BankID authentication attempt could allow an attacker to initiate fraudulent sign-ins (e.g., to Apple ID or Gmail) on behalf of the user, even if the BankID step itself is secure.
Enterprises and service providers must therefore implement layered defenses, including endpoint monitoring, behavioral anomaly detection, and real-time session integrity checks to detect unauthorized access attempts.
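The "real-time session integrity check" recommended above can be illustrated with a small server-side routine. The following Python is an added example written for this article; it is not code from BankID, Apple, Google or any relying party. It assumes the relying party issues HMAC-signed session tokens bound to the client context observed at login (user agent plus the first three octets of the IPv4 address, a tolerance chosen here for NAT) and re-checks that binding, the signature and the token age on every request. The server key and the request records are constructed sample values so the block runs offline.

```python
import hashlib
import hmac
import secrets
import time
from typing import List, Optional, Tuple

# Assumption: a secret held only by the relying party's session service.
# A random value is generated here so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)

MAX_SESSION_AGE_SECONDS = 900


def context_fingerprint(user_agent: str, client_ip: str) -> str:
    """Hash of the client context a session is bound to when it is issued.

    Only the first three IPv4 octets are used (assumed tolerance) so that an
    address change inside the same /24, common behind NAT, keeps the session.
    """
    ip_prefix = ".".join(client_ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{ip_prefix}".encode()).hexdigest()


def issue_session(user_id: str, user_agent: str, client_ip: str,
                  issued_at: Optional[int] = None) -> str:
    """Create an HMAC-SHA256-signed token: user|issued_at|nonce|fingerprint|tag."""
    if issued_at is None:
        issued_at = int(time.time())
    nonce = secrets.token_hex(16)  # makes each token unique even for the same user
    payload = f"{user_id}|{issued_at}|{nonce}|{context_fingerprint(user_agent, client_ip)}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def check_session(token: str, user_agent: str, client_ip: str,
                  now: Optional[int] = None) -> Tuple[bool, str]:
    """Validate a presented token against the current request context.

    Returns (accepted, reason). Signature is verified first so that a forged
    token cannot influence the later checks.
    """
    if now is None:
        now = int(time.time())
    parts = token.split("|")
    if len(parts) != 5:
        return False, "malformed"
    _user_id, issued_at, _nonce, bound_fp, tag = parts
    payload = "|".join(parts[:4])
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad_signature"
    if not issued_at.isdigit() or now - int(issued_at) > MAX_SESSION_AGE_SECONDS:
        return False, "expired"
    if context_fingerprint(user_agent, client_ip) != bound_fp:
        return False, "context_mismatch"  # token presented from a different client
    return True, "ok"


def audit_requests(requests: List[dict]) -> List[Tuple[bool, str]]:
    """Run the integrity check over a list of request records."""
    return [check_session(r["token"], r["user_agent"], r["client_ip"], r["now"])
            for r in requests]


def demo() -> List[Tuple[bool, str]]:
    """Constructed sample: a legitimate login, then the same token replayed
    from another client, a tampered token, and an expired token."""
    ua_laptop = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
    ua_other = "python-requests/2.31"
    t0 = 1_700_000_000
    token = issue_session("user-42", ua_laptop, "198.51.100.23", issued_at=t0)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    requests = [
        {"token": token, "user_agent": ua_laptop, "client_ip": "198.51.100.23", "now": t0 + 60},
        {"token": token, "user_agent": ua_other, "client_ip": "203.0.113.9", "now": t0 + 120},
        {"token": tampered, "user_agent": ua_laptop, "client_ip": "198.51.100.23", "now": t0 + 180},
        {"token": token, "user_agent": ua_laptop, "client_ip": "198.51.100.23", "now": t0 + 5000},
    ]
    return audit_requests(requests)


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Context binding of this kind catches a session token that has been exfiltrated and replayed from another host, and any tampering with the token itself. It does not catch web injection running inside the victim's own browser, where requests still originate from the bound context; that case is why the article pairs session checks with endpoint monitoring and behavioural anomaly detection rather than relying on any one of them.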
To maintain compliance with eIDAS and Norwegian law, organizations using BankID should adhere to the following safeguards:
As a Norwegian qualified trust service, BankID is mutually recognized under eIDAS across the EU/EEA. This enables Norwegian citizens and businesses to use BankID for signing documents and accessing services in other eIDAS countries (e.g., Denmark, Sweden, Germany), provided the relying party supports cross-border authentication via the eIDAS interoperability framework.
However, differences in national implementation, such as variations in level of assurance (LoA) requirements or sector-specific restrictions, can create compliance gaps. Organizations should consult the Norwegian Trusted List and the EU’s Trusted List Browser to verify the current status of BankID’s qualification and any conditional use cases.
Yes. Under the Norwegian Electronic Signature Act and eIDAS, a qualified electronic signature created using BankID is legally equivalent to a handwritten signature and is admissible as evidence in court.
BankID can be used for strong authentication during sign-in, but the overall security depends on the session management of the service (e.g., Apple or Google). Users should ensure their devices are free of malware and that they only initiate BankID authentication from trusted networks.
Immediately revoke the session, run a malware scan using a reputable tool, and report the incident to your bank and relevant service provider. Enable multi-factor authentication and consider using a dedicated, hardened device for sensitive authentication flows.