Preamble
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Economic and Social Committee¹,
Having regard to the opinion of the Committee of the Regions²,
Acting in accordance with the ordinary legislative procedure³,
Whereas:
(1) | The Commission Communication of 19 February 2020 entitled ‘Shaping Europe’s Digital Future’ announces a revision of Regulation (EU) No 910/2014 of the European Parliament and of the Council⁴ to improve its effectiveness, extend its benefits to the private sector and promote trusted digital identities for all Europeans. |
(2) | In its conclusions of 1-2 October 2020, the European Council called on the Commission to propose the development of a Union-wide framework for secure public electronic identification, including interoperable digital signatures, to provide people with control over their online identity and data as well as to enable access to public, private and cross-border digital services. |
(3) | The Digital Decade Policy Programme 2030, established by Decision (EU) 2022/2481 of the European Parliament and of the Council⁵, sets the objectives and digital targets of a Union framework which, by 2030, are intended to lead to wide deployment of a trusted, voluntary, user-controlled digital identity that is recognised throughout the Union and allows every user to control their data in online interactions. |
(4) | The ‘European Declaration on Digital Rights and Principles for the Digital Decade’ proclaimed by the European Parliament, the Council and the Commission⁶ (the ‘Declaration’), underlines everyone’s right to access digital technologies, products and services that are safe, secure, and privacy-protective by design. This includes ensuring that all people living in the Union are offered an accessible, secure and trusted digital identity that enables access to a broad range of online and offline services, protected against cybersecurity risks and cybercrime including data breaches and identity theft or manipulation. The Declaration also states that everyone has the right to the protection of their personal data. That right encompasses the control on how the data is used and with whom it is shared. |
(5) | Union citizens and residents in the Union should have the right to a digital identity that is under their sole control and that enables them to exercise their rights in the digital environment and to participate in the digital economy. To achieve that aim, a European digital identity framework should be established allowing Union citizens and residents in the Union to access public and private online and offline services throughout the Union. |
(6) | A harmonised digital identity framework should contribute to the creation of a more digitally integrated Union by reducing digital barriers between Member States and by empowering Union citizens and residents in the Union to enjoy the benefits of digitalisation, while increasing transparency and the protection of their rights. |
(7) | A more harmonised approach to electronic identification should reduce the risks and costs of the current fragmentation due to the use of divergent national solutions or, in some Member States, the absence of such electronic identification solutions. Such an approach should strengthen the internal market by allowing Union citizens, residents in the Union, as defined by national law, and businesses to identify themselves and to provide authentication of their identity online and offline in a safe, trustworthy, user-friendly, convenient, accessible and harmonised way, across the Union. The European Digital Identity Wallet should provide natural and legal persons across the Union with a harmonised electronic identification means enabling authentication and the sharing of data linked to their identity. Everyone should be able to access public and private services securely, relying on an improved ecosystem for trust services and on verified proofs of identity and electronic attestations of attributes, such as academic qualifications, including university degrees, or other educational or professional entitlements. The European Digital Identity Framework is intended to achieve a shift from the reliance on national digital identity solutions only, to the provision of electronic attestations of attributes valid and legally recognised across the Union. Providers of electronic attestations of attributes should benefit from a clear and uniform set of rules, while public administrations should be able to rely on electronic documents in a given format. |
(8) | Several Member States have implemented and use electronic identification means that are accepted by service providers in the Union. Additionally, investments have been made in both national and cross-border solutions on the basis of Regulation (EU) No 910/2014, including the interoperability of notified electronic identification schemes pursuant to that Regulation. In order to ensure the complementarity and fast adoption of European Digital Identity Wallets by current users of notified electronic identification means and to minimise the impact on existing service providers, European Digital Identity Wallets are expected to benefit from building on the experience gained with existing electronic identification means and from the infrastructure of notified electronic identification schemes deployed at Union and national level. |
(9) | Regulation (EU) 2016/679 of the European Parliament and of the Council⁷ and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council⁸ apply to all personal data processing activities under Regulation (EU) No 910/2014. The solutions under the interoperability framework provided in this Regulation also comply with those rules. Union data protection law provides for data protection principles, such as the data minimisation and purpose limitation principle and obligations, such as data protection by design and by default. |
(10) | To support the competitiveness of Union businesses, both online and offline service providers should be able to rely on digital identity solutions recognised across the Union, irrespective of the Member State in which those solutions are provided, thus benefiting from a harmonised Union approach to trust, security and interoperability. Both users and service providers should be able to benefit from the same legal value provided to electronic attestations of attributes across the Union. A harmonised digital identity framework is intended to create economic value by providing easier access to goods and services and by significantly reducing operational costs linked to electronic identification and authentication procedures, for instance during the onboarding of new customers, by reducing the potential for cybercrime, such as identity theft, data theft and online fraud, thus promoting efficiency gains and the secure digital transformation of the Union’s micro, small and medium-sized enterprises (SMEs). |
(11) | European Digital Identity Wallets should facilitate the application of the ‘once only’ principle, thus reducing the administrative burden on and supporting cross-border mobility of Union citizens and residents in the Union and businesses across the Union and fostering the development of interoperable e-government services across the Union. |
(12) | Regulation (EU) 2016/679, Regulation (EU) 2018/1725 of the European Parliament and of the Council⁹ and Directive 2002/58/EC apply to the processing of personal data in the implementation of this Regulation. Therefore, this Regulation should lay down specific safeguards to prevent providers of electronic identification means and electronic attestation of attributes from combining personal data obtained when providing other services with the personal data processed to provide the services falling within the scope of this Regulation. Personal data related to the provision of European Digital Identity Wallets should be kept logically separate from any other data held by the provider of the European Digital Identity Wallet. This Regulation should not prevent providers of European Digital Identity Wallets from applying additional technical measures that contribute to the protection of personal data, such as physical separation of personal data related to the provision of European Digital Identity Wallets from any other data held by the provider. Without prejudice to Regulation (EU) 2016/679, this Regulation further specifies the application of principles of purpose limitation, data minimisation, and data protection by design and by default. |
(13) | European Digital Identity Wallets should have the function of a common dashboard embedded into the design, in order to ensure a higher degree of transparency, privacy and control of the users over their personal data. That function should provide an easy, user-friendly interface with an overview of all relying parties with whom the user shares data, including attributes, and the type of data shared with each relying party. It should allow users to track all transactions executed through the European Digital Identity Wallet with at least the following data: the time and date of the transaction, the counterpart identification, the personal data requested and the data shared. That information should be stored even if the transaction was not concluded. It should not be possible to repudiate the authenticity of the information contained in the transaction history. Such a function should be active by default. It should allow users easily to request the immediate erasure by a relying party of personal data pursuant to Article 17 of Regulation (EU) 2016/679 and easily to report the relying party to the competent national data protection authority where an allegedly unlawful or suspicious request for personal data is received, directly via the European Digital Identity Wallet. |
(14) | Member States should integrate different privacy-preserving technologies, such as zero-knowledge proofs, into the European Digital Identity Wallet. Those cryptographic methods should allow a relying party to validate whether a given statement based on the person’s identification data and attestation of attributes is true, without revealing any data on which that statement is based, thereby preserving the privacy of the user. |
(15) | This Regulation sets out the harmonised conditions for the establishment of a framework for European Digital Identity Wallets to be provided by Member States. All Union citizens, and residents in the Union as defined by national law, should be empowered to securely request, select, combine, store, delete, share and present data related to their identity and request the erasure of their personal data in a user-friendly and convenient way, under the sole control of the user, while enabling selective disclosure of personal data. This Regulation reflects shared European values and respects fundamental rights, legal safeguards and liability, thus protecting democratic societies, Union citizens and residents in the Union. Technologies used to achieve those objectives should be developed aiming towards the highest level of security, privacy, user convenience, accessibility, wide usability and seamless interoperability. Member States should ensure equal access to electronic identification to all their citizens and residents. Member States should not, directly or indirectly, limit access to public or private services to natural or legal persons not opting to use European Digital Identity Wallets and should make available appropriate alternative solutions. |
(16) | Member States should rely on the possibilities offered by this Regulation to provide, under their responsibility, European Digital Identity Wallets for use by the natural and legal persons residing on their territory. To offer Member States flexibility and leverage the state-of-the-art technology, this Regulation should enable provision of European Digital Identity Wallets directly by a Member State, under a mandate from a Member State, or independently of a Member State, but recognised by that Member State. |
(17) | For the purposes of registration, relying parties should provide the information necessary to allow for their electronic identification and authentication towards European Digital Identity Wallets. When declaring their intended use of the European Digital Identity Wallet, relying parties should provide information regarding the data that they will request, if any, in order to provide their services and the reason for the request. Relying party registration facilitates the verification by Member States with regard to the lawfulness of the activities of the relying parties in accordance with Union law. The obligation to register provided for in this Regulation should be without prejudice to obligations laid down in other Union or national law, such as the information to be provided to the data subjects pursuant to the Regulation (EU) 2016/679. Relying parties should comply with the safeguards offered by Articles 35 and 36 of that Regulation, in particular by performing data protection impact assessments and by consulting the competent data protection authorities prior to data processing where data protection impact assessments indicate that the processing would result in a high risk. Such safeguards should support the lawful processing of personal data by relying parties, in particular with regard to special categories of data, such as health data. The registration of relying parties is intended to enhance transparency and trust in the use of European Digital Identity Wallets. Registration should be cost-effective and proportionate to the related risks in order to ensure uptake by service providers. In that context, registration should provide for the use of automated procedures, including the reliance on and the use of existing registers by Member States, and should not entail a pre-authorisation process. The registration process should enable a variety of use-cases that can differ in terms of mode of operation, whether online or in offline mode, or in terms of the requirement to authenticate devices for the purposes of interfacing with the European Digital Identity Wallet. Registration should apply exclusively to relying parties providing services by means of digital interaction. |
(18) | Safeguarding Union citizens and residents in the Union against the unauthorised or fraudulent use of European Digital Identity Wallets is of high importance for ensuring trust in and for the wide uptake of European Digital Identity Wallets. Users should be provided with effective protection against such misuse. In particular, when facts that form the basis for fraudulent or otherwise illegal use of a European Digital Identity Wallet are established by a national judicial authority in the context of another procedure, supervisory bodies that are responsible for European Digital Identity Wallet issuers should, upon notification, take the necessary measures to ensure that the registration of the relying party and the inclusion of relying parties in the authentication mechanism are withdrawn or suspended until the notifying authority confirms that the irregularities identified have been remedied. |
(19) | All European Digital Identity Wallets should enable users to electronically identify themselves and authenticate online and in offline mode across borders to access a wide range of public and private services. Without prejudice to Member States’ prerogatives as regards the identification of their citizens and residents, European Digital Identity Wallets can also serve the institutional needs of public administrations, international organisations and the Union’s institutions, bodies, offices and agencies. Authentication in offline mode would be important in many sectors, including in the health sector where services are often provided through face-to-face interaction and ePrescriptions should be able to rely on QR-codes or similar technologies to verify authenticity. Relying on the assurance level high with regard to electronic identification schemes, European Digital Identity Wallets should benefit from the potential offered by tamper-proof solutions such as secure elements, to comply with the security requirements under this Regulation. European Digital Identity Wallets should also allow users to create and use qualified electronic signatures and seals which are accepted across the Union. Once on-boarded to a European Digital Identity Wallet, natural persons should be able to use it to sign with qualified electronic signatures, by default and free of charge, without having to go through any additional administrative procedures. Users should be able to sign or seal self-claimed assertions or attributes. To achieve simplification and cost-reduction benefits for persons and businesses across the Union, including by enabling powers of representation and e-mandates, Member States should provide European Digital Identity Wallets that rely on common standards and technical specifications to ensure seamless interoperability and to adequately increase IT security, strengthen robustness against cyber-attacks and thus significantly reduce the potential risks of ongoing digitalisation for Union citizens, residents in the Union and undertakings. Only Member States’ competent authorities can provide a high level of confidence in establishing the identity of a person and therefore provide assurance that the person claiming or asserting a particular identity is in fact the person he or she claims to be. It is therefore necessary for the provision of European Digital Identity Wallets to rely on the legal identity of Union citizens, residents in the Union or legal persons. Reliance on the legal identity should not hinder European Digital Identity Wallet users from accessing services under a pseudonym, where there is no legal requirement for legal identity for authentication. Trust in European Digital Identity Wallets would be enhanced if issuing and managing parties are required to implement appropriate technical and organisational measures to ensure the highest level of security that is commensurate to the risks raised for the rights and freedoms of the natural persons, in accordance with Regulation (EU) 2016/679. |
(20) | The use of a qualified electronic signature should be free of charge to all natural persons for non-professional purposes. It should be possible for Member States to provide for measures to prevent the use of qualified electronic signatures for professional purposes by natural persons free-of-charge, while ensuring that any such measures are proportionate to identified risks and are justified. |
(21) | It is beneficial to facilitate the uptake and use of European Digital Identity Wallets by seamlessly integrating them with the ecosystem of public and private digital services already implemented at national, local or regional level. To achieve that goal, it should be possible for Member States to provide for legal and organisational measures in order to increase flexibility for providers of European Digital Identity Wallets and to allow for additional functionalities of European Digital Identity Wallets to those provided for in this Regulation, including by enhanced interoperability with existing national electronic identification means. Such additional functionalities should by no means be to the detriment of providing core functions of European Digital Identity Wallets provided for in this Regulation or promote existing national solutions over European Digital Identity Wallets. Since they go beyond this Regulation, such additional functionalities do not benefit from the provisions on cross-border reliance on European Digital Identity Wallets set out in this Regulation. |
(22) | European Digital Identity Wallets should include a functionality to generate user chosen and managed pseudonyms, to authenticate when accessing online services. |
(23) | In order to achieve a high level of security and trustworthiness, this Regulation establishes the requirements for European Digital Identity Wallets. The conformity of European Digital Identity Wallets with those requirements should be certified by accredited conformity assessment bodies designated by Member States. |
(24) | In order to avoid divergent approaches and harmonise the implementation of the requirements laid down by this Regulation, the Commission should, for the purpose of certifying European Digital Identity Wallets, adopt implementing acts to establish a list of reference standards and, where necessary, to establish specifications and procedures for the purpose of expressing detailed technical specifications of those requirements. To the extent that the certification of the conformity of European Digital Identity Wallets with relevant cybersecurity requirements is not covered by existing cybersecurity certification schemes that are referred to in this Regulation, and as regards non-cybersecurity requirements relevant to European Digital Identity Wallets, Member States should establish national certification schemes pursuant to the harmonised requirements set out in and adopted pursuant to this Regulation. Member States should transmit their draft national certification schemes to the European Digital Identity Cooperation Group, which should be able to issue opinions and recommendations. |
(25) | Certification of conformity with the cybersecurity requirements established in this Regulation should, where available, rely on the relevant European cybersecurity certification schemes established pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council¹⁰, which establishes a voluntary European cybersecurity certification framework for ICT products, processes and services. |
(26) | In order to continuously assess and mitigate risks linked to security, certified European Digital Identity Wallets should be subject to regular vulnerability assessments aiming to detect any vulnerability in the certified product-related components, certified process-related components and certified service-related components of the European Digital Identity Wallet. |
(27) | By protecting users and companies from cybersecurity risks, the essential cybersecurity requirements laid down in this Regulation also contribute to enhancing the protection of personal data and privacy of individuals. Synergies on both standardisation and certification on cybersecurity aspects should be considered through the cooperation between the Commission, the European Standardisation Organizations, the European Union Agency for Cybersecurity (ENISA), the European Data Protection Board established by Regulation (EU) 2016/679 and the national data protection supervisory authorities. |
(28) | The onboarding of Union citizens and residents in the Union to the European Digital Identity Wallet should be facilitated by relying on electronic identification means issued at assurance level high. Electronic identification means issued at assurance level substantial should be relied upon only where harmonised technical specifications and procedures using electronic identification means issued at assurance level substantial in combination with supplementary means of identity verification will allow the fulfilment of the requirements set out in this Regulation as regards assurance level high. Such supplementary means should be reliable and easy to use and could be built on the possibility to use remote onboarding procedures, qualified certificates supported by qualified electronic signatures, qualified electronic attestation of attributes or a combination thereof. To ensure sufficient uptake of European Digital Identity Wallets, harmonised technical specifications and procedures for the onboarding of users by using electronic identification means, including those issued at assurance level substantial, should be set out in implementing acts. |
(29) | The objective of this Regulation is to provide the user with a fully mobile, secure and user-friendly European Digital Identity Wallet. As a transitional measure until the availability of certified tamper-proof solutions, such as secure elements within the users’ devices, European Digital Identity Wallets should be able to rely upon certified external secure elements for the protection of the cryptographic material and other sensitive data or upon notified electronic identification means at assurance level high in order to demonstrate compliance with the relevant requirements of this Regulation as regards the assurance level of the European Digital Identity Wallet. This Regulation should be without prejudice to national conditions with regard to the issuance and use of a certified external secure element where the transitional measure is dependent on it. |
(30) | European Digital Identity Wallets should ensure the highest level of data protection and security for the purposes of electronic identification and authentication to facilitate access to public and private services, irrespective of whether such data is stored locally or on cloud-based solutions, taking due account of the different levels of risk. |
(31) | European Digital Identity Wallets should be secure-by-design and should implement advanced security features to protect against identity and other data theft, denial of service and any other cyber threat. Such security should include state-of-the-art encryption and storage methods that are accessible only to, and decryptable only by, the user and that rely on end-to-end encrypted communication with other European Digital Identity Wallets and relying parties. Additionally, European Digital Identity Wallets should require secure, explicit and active user confirmation for the operations performed via European Digital Identity Wallets. |
(32) | The use, free of charge, of European Digital Identity Wallets should not result in the processing of data beyond data that is necessary for the provision of European Digital Identity Wallet services. This Regulation should not allow the processing of personal data stored in or resulting from the use of the European Digital Identity Wallet by the provider of the European Digital Identity Wallet for purposes other than the provision of European Digital Identity Wallet services. To ensure privacy, European Digital Identity Wallet providers should ensure unobservability by not collecting data and not having insight into the transactions of the users of the European Digital Identity Wallet. Such unobservability means that the providers are not able to see the details of the transactions made by the user. However, in specific cases, on the basis of explicit prior consent by the user in each of those specific cases, and fully in accordance with Regulation (EU) 2016/679, providers of European Digital Identity Wallets could be granted access to the information necessary for the provision of a particular service related to European Digital Identity Wallets. |
(33) | The transparency of European Digital Identity Wallets and the accountability of their providers are key elements to creating social trust and triggering acceptance of the framework. The functioning of European Digital Identity Wallets should therefore be transparent and, in particular, allow for verifiable processing of personal data. To achieve this, Member States should disclose the source code of the user application software components of European Digital Identity Wallets, including those that are related to processing of personal data and data of legal persons. The publication of this source code under an open-source licence should enable society, including users and developers, to understand its operation, audit and review the code. This would increase users’ trust in the ecosystem and contribute to the security of European Digital Identity Wallets by enabling anyone to report vulnerabilities and errors in the code. Overall, this should provide suppliers with an incentive to deliver and maintain a highly secure product. However, in certain cases, the disclosure of the source code for the libraries used, communication channel or other elements that are not hosted on the user device, could be limited by Member States, for duly justified reasons, especially for the purpose of public security. |
(34) | The use of European Digital Identity Wallets as well as the discontinuation of their use should be the exclusive right and choice of users. Member States should develop simple and secure procedures for the users to request immediate revocation of validity of European Digital Identity Wallets, including in the case of loss or theft. Upon the death of the user or the cessation of activity by a legal person, a mechanism should be established to enable the authority responsible for settling the succession of the natural person or assets of the legal person to request the immediate revocation of European Digital Identity Wallets. |
(35) | In order to promote the uptake of European Digital Identity Wallets and the wider use of digital identities, Member States should not only promote the benefits of the relevant services, but should also, in cooperation with the private sector, researchers and academia, develop training programmes aiming to strengthen the digital skills of their citizens and residents, in particular for vulnerable groups such as persons with disabilities and older persons. Member States should also raise awareness of the benefits and risks of European Digital Identity Wallets by means of communication campaigns. |
(36) | To ensure that the European Digital Identity Framework is open to innovation, technological development and future-proof, Member States are encouraged, jointly, to set up sandboxes to test innovative solutions in a controlled and secure environment in particular to improve the functionality, protection of personal data, security and interoperability of the solutions and to inform future updates of technical references and legal requirements. That environment should foster the inclusion of SMEs, start-ups and individual innovators and researchers, as well as relevant industry stakeholders. Such initiatives should contribute to and strengthen the regulatory compliance and technical robustness of European Digital Identity Wallets to be provided to Union citizens and residents in the Union, thus preventing the development of solutions that do not comply with Union law on data protection or that are open to security vulnerabilities. |
(37) | Regulation (EU) 2019/1157 of the European Parliament and of the Council¹¹ strengthens the security of identity cards with enhanced security features by August 2021. Member States should consider the feasibility of notifying them under electronic identification schemes to extend the cross-border availability of electronic identification means. |
(38) | The process of notification of electronic identification schemes should be simplified and accelerated to promote access to convenient, trusted, secure and innovative authentication and identification solutions and, where relevant, to encourage private identity providers to offer electronic identification schemes to Member State’s authorities for notification as national electronic identification schemes under Regulation (EU) No 910/2014. |
(39) | Streamlining of the current notification and peer-review procedures will prevent heterogeneous approaches to the assessment of various notified electronic identification schemes and facilitate trust-building between Member States. New, simplified, mechanisms are intended to foster Member States’ cooperation on the security and interoperability of their notified electronic identification schemes. |
(40) | Member States should benefit from new, flexible tools to ensure compliance with the requirements of this Regulation and of the relevant implementing acts adopted pursuant thereto. This Regulation should allow Member States to use reports and assessments, performed by accredited conformity assessment bodies, as provided for in the context of certification schemes to be established at Union level under Regulation (EU) 2019/881, to support their claims on the alignment of the schemes or of parts thereof with Regulation (EU) No 910/2014. |
(41) | Public service providers use the person identification data available from electronic identification means pursuant to Regulation (EU) No 910/2014 to match the electronic identity of the users from other Member States with the person identification data provided to those users in the Member State performing the cross-border identity matching process. However, in many cases, despite the use of the minimum data set provided under the notified electronic identification schemes, ensuring accurate identity matching when Member States act as relying parties requires additional information about the user and specific complementary unique identification procedures to be performed at national level. To further support the usability of electronic identification means, provide better online public services and increase legal certainty in relation to the electronic identity of the users, Regulation (EU) No 910/2014 should require Member States to take specific online measures to ensure unequivocal identity matching when users intend to access online cross-border public services. |
(42) | When developing European Digital Identity Wallets, it is essential to take into consideration the needs of users. Meaningful use cases and online services relying on European Digital Identity Wallets should be available. For the convenience of users and in order to ensure cross-border availability of such services, it is important to undertake actions in order to facilitate a similar approach to design, development and implementation of online services in all Member States. Non-binding guidelines on how to design, develop and implement online services relying on European Digital Identity Wallets have the potential of becoming a useful tool to achieve that goal. Such guidelines should be prepared taking into account the interoperability framework of the Union. Member States should have a leading role when it comes to adopting those guidelines. |
(43) | In accordance with Directive (EU) 2019/882 of the European Parliament and of the Council¹², persons with disabilities should be able to use European Digital Identity Wallets, trust services and end-user products used in the provision of those services on an equal basis with other users. |
(44) | In order to ensure effective enforcement of this Regulation, a minimum for the maximum of administrative fines for both qualified and non-qualified trust service providers should be established. Member States should provide for effective, proportionate and dissuasive penalties. When determining the penalties, the size of the affected entities, their business models and the severity of the infringements should be duly taken into consideration. |
(45) | Member States should lay down rules on penalties for infringements such as direct or indirect practices leading to confusion between non-qualified and qualified trust services or to the abusive use of the EU trust mark by non-qualified trust service providers. The EU trust mark should not be used under conditions which, directly or indirectly, lead to the perception that any non-qualified trust services offered by those providers are qualified. |
(46) | This Regulation should not cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form laid down by Union or national law. In addition, it should not affect national form requirements pertaining to public registers, in particular commercial and land registers. |
(47) | The provision and use of trust services and the benefits brought in terms of convenience and legal certainty in the context of cross-border transactions, in particular when qualified trust services are used, are becoming increasingly important for international trade and cooperation. International partners of the Union are establishing trust frameworks inspired by Regulation (EU) No 910/2014. In order to facilitate the recognition of qualified trust services and of their providers, the Commission may adopt implementing acts to set the conditions under which trust frameworks of third countries could be considered equivalent to the trust framework for qualified trust services and providers thereof in this Regulation. Such an approach should complement the possibility for the mutual recognition of trust services and providers thereof established in the Union and in third countries in accordance with Article 218 of the Treaty on the Functioning of the European Union (TFEU). When setting out the conditions under which the trust frameworks of third countries could be considered to be equivalent to the trust framework for qualified trust services and providers thereof under Regulation (EU) No 910/2014, compliance with the relevant provisions in the Directive (EU) 2022/2555 of the European Parliament and of the Council¹³ and Regulation (EU) 2016/679 should be ensured, as well as the use of trusted lists as essential elements to build trust. |
(48) | This Regulation should foster choice and the possibility of switching between European Digital Identity Wallets where a Member State has endorsed more than one European Digital Identity Wallet solution on its territory. In order to avoid lock-in effects in such situations, where technically feasible, the providers of European Digital Identity Wallets should ensure the effective portability of data at the request of European Digital Identity Wallet users, and should not be allowed to use contractual, economic or technical barriers to prevent or to discourage effective switching between different European Digital Identity Wallets. |
(49) | To ensure the proper functioning of European Digital Identity Wallets, European Digital Identity Wallet providers need effective interoperability and fair, reasonable and non-discriminatory conditions for the European Digital Identity Wallets to access specific hardware and software features of mobile devices. Those components could include, in particular, near field communication antennas and secure elements, including universal integrated circuit cards, embedded secure elements, microSD cards and Bluetooth Low Energy. Access to those components could be under the control of mobile network operators and equipment manufacturers. Therefore, where needed to provide the services of European Digital Identity Wallets, original equipment manufacturers of mobile devices or providers of electronic communication services should not refuse access to such components. In addition, the undertakings that are designated as gatekeepers for core platform services as listed by the Commission pursuant to Regulation (EU) 2022/1925 of the European Parliament and of the Council¹⁴ should remain subject to the specific provisions of that Regulation, building on Article 6(7) thereof. |
(50) | In order to streamline the cybersecurity obligations imposed on trust service providers, as well as to enable those providers and their respective competent authorities to benefit from the legal framework established by Directive (EU) 2022/2555, trust services are required to take appropriate technical and organisational measures pursuant to that Directive, such as measures addressing system failures, human error, malicious actions or natural phenomena in order to manage the risks posed to the security of network and information systems which those providers use in the provision of their services as well as to notify significant incidents and cyber threats in accordance with that Directive. With regard to the reporting of incidents, trust service providers should notify any incidents having a significant impact on the provision of their services, including such caused by theft or loss of devices, network cable damage or incidents that occur in the context of the identification of persons. The cybersecurity risk management requirements and reporting obligations under Directive (EU) 2022/2555 should be considered to be complementary to the requirements imposed on trust service providers under this Regulation. Where appropriate, established national practices or guidance in relation to the implementation of security and reporting requirements and supervision of compliance with such requirements under Regulation (EU) No 910/2014 should continue to be applied by the competent authorities designated under Directive (EU) 2022/2555. This Regulation does not affect the obligation to notify personal data breaches pursuant to Regulation (EU) 2016/679. |
(51) | Due consideration should be given to ensure effective cooperation between the supervisory bodies designated pursuant to Article 46b of Regulation (EU) No 910/2014 and the competent authorities designated or established pursuant to Article 8(1) of Directive (EU) 2022/2555. Where such a supervisory body is different from such a competent authority, they should cooperate closely, in a timely manner by exchanging the relevant information in order to ensure effective supervision and compliance of trust service providers with the requirements set out in Regulation (EU) No 910/2014 and in Directive (EU) 2022/2555. In particular, supervisory bodies designated pursuant to Regulation (EU) No 910/2014 should be entitled to request competent authorities designated or established pursuant to Directive (EU) 2022/2555 to provide relevant information needed to grant the qualified status and to carry out supervisory actions to verify compliance of the trust service providers with the relevant requirements under Directive (EU) 2022/2555 or to require them to remedy non-compliance. |
(52) | It is essential to provide for a legal framework to facilitate cross-border recognition between existing national legal systems related to electronic registered delivery services. That framework could also open new market opportunities for Union trust service providers to offer new Union-wide electronic registered delivery services. In order to ensure that data using a qualified electronic registered delivery service is delivered to the correct addressee, qualified electronic registered delivery services should ensure with complete certainty the identification of the addressee, while a high level of confidence would suffice as regards the identification of the sender. Providers of qualified electronic registered delivery services should be encouraged by Member States to make their services interoperable with qualified electronic registered delivery services provided by other qualified trust service providers in order to easily transfer electronic registered data between two or more qualified trust service providers and to promote fair practices in the internal market. |
(53) | In most cases, Union citizens and residents in the Union are unable to exchange digital information relating to their identity, such as their address, age, professional qualifications, driving licence and other permits and payment data, across borders, securely and with a high level of data protection. |
(54) | It should be possible to issue and handle trustworthy electronic attributes and contribute to reducing administrative burden, empowering Union citizens and residents in the Union to use them in their private and public transactions. Union citizens and residents in the Union should be able, for instance, to demonstrate ownership of a valid driving licence issued by an authority in one Member State, which can be verified and relied upon by the relevant authorities in other Member States, to rely on their social security credentials or on future digital travel documents in a cross-border context. |
(55) | Any service provider that issues attested attributes in electronic form such as diplomas, licences, birth certificates or powers and mandates to represent or act on behalf of natural or legal persons should be considered to be a trust service provider of electronic attestation of attributes. An electronic attestation of attributes should not be denied legal effect on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic attestation of attributes. General requirements should be laid down to ensure that a qualified electronic attestation of attributes has the equivalent legal effect of lawfully issued attestations in paper form. However, those requirements should apply without prejudice to Union or national law defining additional sector-specific requirements as regards form with underlying legal effects and, in particular, the cross-border recognition of qualified electronic attestation of attributes, where appropriate. |
(56) | The wide availability and usability of European Digital Identity Wallets should enhance their acceptance and trust in them both by private individuals and by private service providers. Therefore, private relying parties providing services, for example in the areas of transport, energy, banking and financial services, social security, health, drinking water, postal services, digital infrastructure, telecommunications or education, should accept the use of European Digital Identity Wallets for the provision of services where strong user authentication for online identification is required by Union or national law or by contractual obligation. Any request by the relying party for information from the user of a European Digital Identity Wallet should be necessary for, and proportionate to, the intended use in a given case, should be in line with the principle of data minimisation and should ensure transparency as regards which data is shared and for what purposes. To facilitate the use and acceptance of European Digital Identity Wallets, widely accepted industry standards and specifications should be taken into account in their deployment. |
(57) | Where very large online platforms within the meaning of Article 33(1) of Regulation (EU) 2022/2065 of the European Parliament and of the Council¹⁵ require users to be authenticated in order to access online services, those platforms should be required to accept the use of European Digital Identity Wallets upon the voluntary request of the user. Users should be under no obligation to use a European Digital Identity Wallet to access private services and should not be restricted or hindered in their access to services on the grounds that they do not use a European Digital Identity Wallet. However, if users wish to do so, very large online platforms should accept them for that purpose, while respecting the principle of data minimisation and the right of the users to use freely chosen pseudonyms. Given the importance of very large online platforms, due to their reach, in particular as expressed in number of recipients of the service and economic transactions, the obligation to accept European Digital Identity Wallets is necessary to increase the protection of users from fraud and to secure a high level of data protection. |
(58) | Codes of conduct at Union level should be developed in order to contribute to the widespread availability and usability of electronic identification means, including European Digital Identity Wallets within the scope of this Regulation. The codes of conduct should facilitate broad acceptance of electronic identification means including European Digital Identity Wallets by those service providers which do not qualify as very large platforms and which rely on third party electronic identification services for user authentication. |
(59) | Codes of conduct at Union level should be developed in order to contribute to the widespread availability and usability of electronic identification means, including European Digital Identity Wallets within the scope of this Regulation. The codes of conduct should facilitate broad acceptance of electronic identification means including European Digital Identity Wallets by those service providers which do not qualify as very large platforms and which rely on third party electronic identification services for user authentication. |
(60) | Unless specific rules of Union or national law require users to identify themselves, accessing services by using a pseudonym should not be prohibited. |
(61) | Attributes provided by the qualified trust service providers as part of the qualified attestation of attributes should be verified against authentic sources either directly by the qualified trust service provider or by means of designated intermediaries recognised at national level in accordance with Union or national law for the purpose of secure exchange of attested attributes between identity or attestation of attributes’ service providers and relying parties. Member States should establish appropriate mechanisms at national level to ensure that qualified trust service providers issuing qualified electronic attestation of attributes are able, on the basis of the consent of the person to whom the attestation is issued, to verify the authenticity of the attributes relying on authentic sources. It should be possible for appropriate mechanisms to include the use of specific intermediaries or technical solutions in accordance with national law allowing access to authentic sources. Ensuring the availability of a mechanism that allows the verification of attributes against authentic sources is intended to facilitate the compliance of the qualified trust service providers of qualified electronic attestation of attributes with their obligations under Regulation (EU) No 910/2014. A new annex to that Regulation should contain a list of categories of attributes with regard to which Member States are to ensure that measures are taken to allow qualified providers of electronic attestations of attributes to verify by electronic means, at the request of the user, their authenticity against the relevant authentic source. |
(62) | Secure electronic identification and the provision of attestation of attributes should offer additional flexibility and solutions for the financial services sector to allow the identification of customers and the exchange of specific attributes necessary to comply with, for example, customer due diligence requirements under a future Regulation establishing the Anti Money Laundering Authority, with suitability requirements stemming from investor protection law, or to support the fulfilment of strong customer authentication requirements for online identification for the purposes of account login and of initiation of transactions in the field of payment services. |
(63) | The legal effect of an electronic signature is not to be challenged on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic signature. However, it is for national law to establish the legal effect of electronic signatures, except for the requirements provided for in this Regulation according to which the legal effect of a qualified electronic signature is to be considered to be equivalent to that of a handwritten signature. In determining the legal effects of electronic signatures, Member States should take into account the principle of proportionality between the legal value of a document to be signed and the level of security and cost that an electronic signature requires. To increase the accessibility and use of electronic signatures, Member States are encouraged to consider the use of advanced electronic signatures in the day-to-day transactions for which they provide a sufficient level of security and confidence. |
(64) | In order to ensure the consistency of certification practices across the Union, the Commission should issue guidelines on the certification and recertification of qualified electronic signature creation devices and of qualified electronic seal creation devices, including their validity and limitations in time. This Regulation does not prevent the public or private bodies that have certified qualified electronic signature creation devices from temporarily re-certifying such devices for a short certification period on the basis of the results of the previous certification process, where such re-certification cannot be performed within the legally set time frame for a reason other than a breach or security incident, without prejudice to the obligation to conduct a vulnerability assessment and without prejudice to the applicable certification practice. |
(65) | The issuance of certificates for website authentication is intended to provide users with assurance with a high level of confidence in the identity of the entity standing behind the website, irrespective of the platform used to display that identity. Those certificates should contribute to the building of trust in conducting business online, as users would have confidence in a website that has been authenticated. The use of such certificates by websites should be voluntary. In order for website authentication to become a means by which to increase trust, to provide a better experience for the user and to foster growth in the internal market, this Regulation lays down a trust framework including minimal security and liability obligations for the providers of qualified certificates for website authentication and requirements for the issuance of those certificates. National trusted lists should confirm the qualified status of website authentication services and of their trust service providers, including their full compliance with the requirements of this Regulation with regard to the issuance of qualified certificates for website authentication. The recognition of qualified certificates for website authentication means that the providers of web-browsers should not deny the authenticity of qualified certificates for website authentication for the sole purpose of attesting the link between the website domain name and the natural or legal person to whom the certificate is issued or confirming the identity of that person. Providers of web-browsers should display the certified identity data and the other attested attributes to the end-user in a user-friendly manner in the browser environment, by technical means of their choice. To that end, providers of web-browsers should ensure support and interoperability with qualified certificates for website authentication issued in full compliance with this Regulation. 
The obligation of recognition and interoperability of and support for qualified certificates for website authentication does not affect the freedom of providers of web-browsers to ensure web security, domain authentication and the encryption of web traffic in a manner and by means of technology that they consider to be the most appropriate. In order to contribute to the online security of end-users, providers of web-browsers should, in exceptional circumstances, be able to take precautionary measures that are both necessary and proportionate in reaction to substantiated concerns regarding security breaches or the loss of integrity of an identified certificate or set of certificates. Where they take such precautionary measures, providers of web-browsers should notify, without undue delay, the Commission, the national supervisory body, the entity to which the certificate was issued and the qualified trust service provider that issued that certificate or set of certificates, of any concern with regard to such a security breach or loss of integrity as well as the measures taken relating to the single certificate or set of certificates. Those measures should be without prejudice to the obligation of the providers of web-browsers to recognise qualified website authentication certificates in accordance with the national trusted lists. To further protect Union citizens and residents in the Union and promote the use of qualified certificates for website authentication, public authorities in Member States should consider incorporating qualified certificates for website authentication in their websites. The measures provided for by this Regulation that aim to bring increased coherence between Member States’ divergent approaches and practices relating to supervisory procedures are intended to contribute to improved trust and confidence in the security, quality and availability of qualified certificates for website authentication. |
(66) | Many Member States have introduced national requirements for services providing secure and trustworthy electronic archiving in order to allow for the long-term preservation of electronic data and electronic documents, and associated trust services. To ensure legal certainty, trust and harmonisation across Member States, a legal framework for qualified electronic archiving services should be established, inspired by the framework of the other trust services set out in this Regulation. The legal framework for qualified electronic archiving services should offer trust service providers and users an efficient toolbox that includes functional requirements for the electronic archiving service, as well as clear legal effects when a qualified electronic archiving service is used. Those provisions should apply to electronic data and electronic documents created in electronic form as well as paper documents that have been scanned and digitised. When required, those provisions should permit the preserved electronic data and electronic documents to be ported on different media or formats for the purpose of extending their durability and legibility beyond the technological validity period, while preventing loss and alteration to the extent possible. When electronic data and electronic documents submitted to the electronic archiving service contain one or more qualified electronic signatures or qualified electronic seals, the service should use procedures and technologies capable of extending their trustworthiness for the preservation period of such data, possibly relying on the use of other qualified trust services established by this Regulation. In order to create preservation evidence where electronic signatures, electronic seals or electronic timestamps are used, qualified trust services should be used. 
To the extent that electronic archiving services are not harmonised by this Regulation, it should be possible for Member States to maintain or introduce national provisions, in accordance with Union law, relating to those services, such as specific provisions for services integrated in an organisation and only used for the internal archives of that organisation. This Regulation should not distinguish between electronic data and electronic documents created in electronic form and physical documents that have been digitised. |
(67) | The activities of national archives and memory institutions, in their capacity as organisations dedicated to preserving the documentary heritage in the public interest, are usually regulated in national law and they do not necessarily provide trust services within the meaning of this Regulation. In so far as such institutions do not provide such trust services, this Regulation is without prejudice to their operation. |
(68) | Electronic ledgers are a sequence of electronic data records which should ensure their integrity and the accuracy of their chronological ordering. Electronic ledgers should establish a chronological sequence of data records. In conjunction with other technologies, they should contribute to solutions for more efficient and transformative public services such as e-voting, cross-border cooperation of customs authorities, cross-border cooperation of academic institutions and the recording of ownership for real estate in decentralised land registries. Qualified electronic ledgers should establish a legal presumption for the unique and accurate sequential chronological ordering and integrity of the data records in the ledger. Due to their specificities, such as the sequential chronological ordering of data records, electronic ledgers should be distinguished from other trust services such as electronic time stamps and electronic registered delivery services. To ensure legal certainty and promote innovation, a Union-wide legal framework that provides for the cross-border recognition of trust services for the recording of data in electronic ledgers should be established. This should sufficiently prevent the same digital asset from being copied and sold more than once to different parties. The process of creating and updating an electronic ledger depends on the type of ledger used, namely whether it is centralised or distributed. This Regulation should ensure technological neutrality, namely neither favouring, nor discriminating against, any technology used to implement the new trust service for electronic ledgers. In addition, sustainability indicators with regard to any adverse impacts on the climate or other environment-related adverse impacts should be taken into account by the Commission, using adequate methodologies, when preparing the implementing acts specifying the requirements for qualified electronic ledgers. |
(69) | The role of trust service providers for electronic ledgers should be to ascertain the sequential recording of data into the ledger. This Regulation is without prejudice to any legal obligations of users of electronic ledgers under Union or national law. For instance, use cases that involve the processing of personal data should comply with Regulation (EU) 2016/679 and use cases that relate to financial services should comply with the relevant Union financial services law. |
(70) | In order to avoid the fragmentation of and barriers in the internal market, due to diverging standards and technical restrictions, and to ensure a coordinated process to avoid affecting the implementation of the European Digital Identity Framework, a process for close and structured cooperation between the Commission, Member States, civil society, academia and the private sector is needed. To achieve that objective, Member States and the Commission should cooperate within the framework set out in the Commission Recommendation (EU) 2021/946¹⁶ to identify a common Union toolbox for the European Digital Identity Framework. In that context, Member States should agree on a comprehensive technical architecture and reference framework, a set of common standards and technical references including recognised existing standards and a set of guidelines and descriptions of best practices covering at least all functionalities and interoperability of European Digital Identity Wallets, including eSignatures and of the qualified trust service providers for electronic attestation of attributes as laid out in this Regulation. In that context, Member States should also agree on common elements with regard to a business model and fee structure for European Digital Identity Wallets, in order to facilitate take up, in particular by SMEs, in a cross-border context. The content of the toolbox should evolve in parallel with and reflect the outcome of the discussion and the process of adoption of the European Digital Identity Framework. |
(71) | This Regulation provides for a harmonised level of quality, trustworthiness and security of qualified trust services, regardless of where the operations are conducted. Thus, a qualified trust service provider should be allowed to outsource its operations related to the provision of a qualified trust service in a third country, where that third country provides adequate guarantees, ensuring that supervisory activities and audits can be enforced as if they were carried out in the Union. When the compliance with this Regulation cannot be fully assured, the supervisory bodies should be able to adopt proportionate and justified measures including the withdrawal of the qualified status of the trust service provided. |
(72) | To ensure legal certainty as regards the validity of advanced electronic signatures based on qualified certificates, it is essential that the assessment by the relying party carrying out the validation of that advanced electronic signature based on qualified certificates be specified. |
(73) | Trust service providers should use cryptographic methods reflecting current best practices and trustworthy implementations of those algorithms in order to ensure security and reliability of their trust services. |
(74) | This Regulation lays down an obligation for qualified trust service providers to verify the identity of a natural or legal person to whom the qualified certificate or the qualified electronic attestation of attribute is issued based on various harmonised methods across the Union. To ensure that qualified certificates and qualified electronic attestations of attributes are issued to the person to whom they belong and that they attest the correct and unique set of data representing the identity of that person, qualified trust service providers issuing qualified certificates or issuing qualified electronic attestations of attributes should, at the moment of the issuance of those certificates and attestations, ensure with complete certainty the identification of that person. Moreover, in addition to the mandatory verification of the identity of the person, if applicable for the issuance of qualified certificates and when issuing a qualified electronic attestation of attributes, qualified trust service providers should ensure with complete certainty the correctness and accuracy of the attested attributes of the person to whom the qualified certificate or the qualified electronic attestation of attributes is issued. Those obligations of result and complete certainty in verifying the attested data should be supported by appropriate means, including by using one or, where required, a combination of specific methods provided for in this Regulation. It should be possible to combine those methods to provide an appropriate basis for the verification of the identity of the person to whom the qualified certificate or a qualified electronic attestation of attributes is issued. It should be possible for such a combination to include reliance on electronic identification means which meet the requirements of assurance level substantial in combination with other means of identity verification. Such electronic identification would allow the fulfilment of the harmonised requirements set out in this Regulation as regards assurance level high as part of additional harmonised remote procedures, ensuring identification with a high level of confidence. Those methods should include the possibility for the qualified trust service provider issuing a qualified electronic attestation of attributes to verify the attributes to be attested by electronic means at the request of the user, in accordance with Union or national law, including against authentic sources. |
(75) | To keep this Regulation in line with global developments and to follow the best practices on the internal market, the delegated and implementing acts adopted by the Commission should be reviewed and if necessary updated on a regular basis. The assessment of the necessity of those updates should take into account new technologies, practices, standards or technical specifications. |
(76) | Since the objectives of this Regulation, namely the development of the Union-wide European Digital Identity Framework and of a trust service framework, cannot be sufficiently achieved by the Member States but can rather, by reason of their scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives. |
(77) | The European Data Protection Supervisor has been consulted pursuant to Article 42(1) of Regulation (EU) 2018/1725. |