A journey that changed more than just the product: MyEID’s path to EAL4+ and eIDAS certification

When the physical certificates were finally in hand, the moment felt almost unreal. Years of work had culminated in two documents. EAL4+ and eIDAS are not just acronyms – they are concrete proof of a high level of security. The achievement was significant not only for Aventra itself and its customers, but more broadly for Finland and Europe as well. 

This article is based on conversations with Aventra founder and CEO Jan Sjöblom and Senior Expert in Cybersecurity and Software Development Hannu Honkanen, both of whom played a key role in the certification process.

Where did it all begin? 

It all began with a vision that had started to take shape years before the first project plans were drawn up. From the very beginning, Aventra’s founders clearly recognised what was missing from the market: a secure, Finnish solution for access and identity management. They also understood early on that, in the future, certifications would not be a competitive advantage but a necessity. Aventra’s ambition was to challenge the major players and reshape the competitive landscape. 

Although certification had been discussed for years, the decision to certify the MyEID PKI card chip was only made during the Covid period. The situation was uncertain, and concerns about business continuity were very real. However, funding from Business Finland made it possible to launch the project. Thanks to this support, MyEID could be developed further than had previously seemed possible. 

The certification process forced a complete rethink 

At the outset, the certification project was estimated to take around a year. It quickly became clear that this estimate was far too optimistic. Every stage opened the door to the next, even more detailed level of scrutiny. As soon as one requirement had been met, new questions, documentation needs, and unforeseen details emerged. 

What proved most surprising was not the difficulty of individual technical requirements, but the thoroughness of the evaluation itself. The certification process did not focus solely on the chip or the software – it examined virtually the entire operating environment: how development work was carried out, where it took place, who was involved, and how security was reflected in day-to-day operations. 

During the project, it soon became evident that this was not “just about obtaining a certificate”, but about adopting an entirely new way of building products and organising work. 

The learning curve was steep. The terminology, processes, and requirements of the Common Criteria world gradually became clearer, often through trial and error. Enormous amounts of documentation accumulated, and many times a seemingly finished package had to return to the drawing board due to clarifications or newly identified issues. 

At times, progress felt slow, but understanding deepened continuously. Certification forced the team to examine the product in a way few organisations ever have to: every detail had to be justified, verified, and documented. 

“I don’t know whether we would have started if we had known what kind of work and battle the whole process would be,” Jan laughs. “But at the same time, I’m incredibly happy and proud of all of us. The process has also been valuable and beneficial for everything else we do. You really learn when the work is both meaningful and challenging,” he continues. 

Aventra founder and CEO Jan Sjöblom.

The entire organisation had to evolve and grow 

There were several turning points along the journey. One of the most important was the extensive audit of facilities and operations, which forced Aventra to examine its work from a completely new perspective. The entire organisation became involved, and all security-related practices were thoroughly reviewed. At this stage, it became clear that this was not merely about technology, but about a broader cultural transformation. 

At the same time, a deeper understanding of the Common Criteria requirements brought greater confidence to the work. The team began to find a shared rhythm, and although development work still continued, progress became faster than before. The certification no longer felt like a distant dream. 

Senior Expert in Cybersecurity and Software Development Hannu Honkanen.

When the hard work was finally rewarded 

When the certification was finally achieved, the emotions were mixed. Relief was accompanied by disbelief. Years of work had materialised into a single piece of paper. In practice, EAL4+ and eIDAS mean that the MyEID PKI smart card meets exceptionally high standards of security and reliability. 

The team reacted with pride, customers with interest, and the founders perhaps a little more quietly, fully aware of everything that had been required along the way. The public attention came as the biggest surprise. Several media outlets picked up the story, which felt particularly meaningful for a small organisation. 

The impact on customers, Finland, and Europe 

The achievement also has a broader significance. For customers, it means a reliable and secure solution at a time when the importance of cybersecurity continues to grow. For the market, it introduces greater competition and more choice. For Finland and Europe, it represents a step towards greater technological and cybersecurity self-sufficiency. 

In an uncertain geopolitical climate, the value of trustworthy and local solutions increases significantly. 

What comes next? 

However, attention is already turning towards the future. The industry is evolving rapidly, and new requirements continue to emerge. It is well understood that quantum computing will change the rules of the game. Current encryption algorithms are not eternal, and security requirements are expected to become significantly stricter in the coming years. The entire cybersecurity industry is transitioning towards solutions capable of withstanding the threats posed by quantum computing. 

Aventra wants to remain at the forefront of this development. Aventra’s experts actively participate in various working groups where knowledge is shared and the standards of the future are being built. 

We promise ourselves that we will continue to uphold our “Simply Secure” way of working and keep creating secure, high-quality solutions in the future as well.