Commission Implementing Regulation (EU) 2024/2977 of 28 November 2024 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards person identification data and electronic attestations of attributes issued to European Digital Identity Wallets
eID digital wallet: person identification and electronic attestation
Commission Regulation published in the Official Journal of the EU on 4.12.2024
Previously
- Draft regulation presented by the Commission on 12.8.2024 with a feedback deadline of 9.9.2024
Background
BACKGROUND (from the Commission Regulation)
(1) The European Digital Identity Framework established by Regulation (EU) No 910/2014, is a crucial component in the establishment of a secure and interoperable digital identity ecosystem across the Union. With the European Digital Identity Wallets (‘wallets’) as the cornerstone of the framework, it aims at facilitating access to services across Member States, while ensuring the protection of personal data and privacy.
(2) Regulation (EU) 2016/679 of the European Parliament and of the Council (2) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (3) apply to all personal data processing activities under this Regulation.
(3) Article 5a(23) of Regulation (EU) No 910/2014 mandates the Commission, where necessary, to establish the relevant specifications and procedures. This is achieved by means of four Implementing Regulations, dealing with protocols and interfaces: Commission Implementing Regulation (EU) 2024/2982 (4), integrity and core functionalities: Commission Implementing Regulation (EU) 2024/2979 (5), person identification data and electronic attestation of attributes: Commission Implementing Regulation (EU) 2024/2977 (6), as well as the notifications to the Commission: Commission Implementing Regulation (EU) 2024/2980 (7). This Regulation lays down the relevant requirements for person identification data and electronic attestations of attributes to be issued to European Digital Identity Wallets.
(4) The Commission regularly assesses new technologies, practices, standards or technical specifications. To ensure the highest level of harmonisation among Member States for the development and certification of the wallets, the technical specifications set out in this Implementing Regulation rely on the work carried out on the basis of Commission Recommendation (EU) 2021/946 of 3 June 2021 on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework (8) and in particular the architecture and reference framework which is part of it. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (9), the Commission should review and update this implementing regulation, if necessary, to keep it in line with global developments, the architecture and reference framework and to follow the best practices on the internal market.
(5) To ensure data protection by design and by default, the wallets should be provided with several privacy enhancing features to prevent providers of electronic identification means and electronic attestation of attributes from combining personal data obtained when providing other services with the personal data processed to provide the services falling within the scope of Regulation (EU) No 910/2014.
(6) To ensure harmonisation, certain common functionalities should be available in all wallets, including the ability to securely request, obtain, select, combine, store, delete, share, and present, under the sole control of the wallet user, person identification data and electronic attestations of attributes. To ensure that person identification data and electronic attestations of attributes can be processed via every wallet unit, technical specifications concerning person identification data attributes, the data format, and the infrastructure required to ensure appropriate trustworthiness of person identification data need to be supported by all wallet solutions. Further, common specifications in relation to attributes of person identification data aim at ensuring that this data can be used for identity matching as required.
(7) Member States are to ensure that the wallets are able to authenticate relying parties, providers of person identification data and providers of electronic attestations of attributes irrespective of where they are established in the Union. To achieve this, these entities should use wallet-relying party access certificates when they identify themselves to wallet units. To guarantee interoperability of these certificates across all wallets provided within the Union, wallet-relying parties’ access certificates should adhere to common standards. The Commission, in collaboration with Member States, should closely monitor the development of new or alternative standards on which relying-party access certificates could be built. In particular, trust models that have proven their efficacy and security in Member States should be assessed.
(8) To ensure transparency towards wallet users, Member States should publish information indicating which wallet solutions are supported by providers of person identification data established in their territories. Since the identity of the user must be as reliable as possible, a common assurance level high should be imposed on the identity proofing of wallet users prior to the issuance of person identification data, according to assurance level high as laid down for electronic identification means under Regulation (EU) No 910/2014. In this manner, the wallet units ensure the highest available degree of trustworthiness for means of identification across the Union. During enrolment of wallet users at level of assurance high, various secure processes are possible, for instance, where the wallet user has been verified to be in possession of photo or biometric identification evidence recognised but not issued by the Member State in which the application for the electronic identification means is made and that evidence represents the claimed identity, the evidence should be checked to determine that it is valid according to a relevant authoritative source.
(9) In order to support interoperability, electronic attestations of attributes should comply with harmonised requirements on the format.
(10) To protect the data of wallet users and to ensure the authenticity of electronic attestations of attributes, mechanisms for the authentication of providers of electronic attestations of attributes, and for the verification of the authenticity and validity of wallet units by that provider should apply prior to the issuance of the attestations to wallet units.
(11) In order to avoid the use of, and the reliance on, person identification data and electronic attestations of attributes that have lost their legal validity after being issued to a wallet unit, providers of person identification data and of electronic attestations of attributes should publish a policy outlining the circumstances and procedures for revocation.
(12) To ensure that the person identification data uniquely represents the wallet user, Member States should, in addition to the mandatory attributes in the person identification data set out in this Regulation, provide optional attributes needed to ensure that the set of person identification data is unique.
(13) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (10) and delivered its opinion on 30 September 2024.
(14) The measures provided for in this Regulation are in accordance with the opinion of the committee referred to in Article 48 of Regulation (EU) No 910/2014,