Commission Implementing Regulation (EU) 2024/2982 of 28 November 2024 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards protocols and interfaces to be supported by the European Digital Identity Wallet framework
eID digital wallet: protocols and interfaces
Commission regulation published in the Official Journal of the EU on 4.12.2024
Previously
- Draft regulation presented by the Commission on 12.8.2024, with a feedback deadline of 9.9.2024
Background
BACKGROUND (from the Commission regulation)
(1) The European Digital Identity Framework established by Regulation (EU) No 910/2014 is a crucial component in the establishment of a secure and interoperable digital identity ecosystem across the Union. With the European Digital Identity Wallets (‘wallets’) being the cornerstone of the framework, it aims at facilitating access to services across Member States, for natural and legal persons, while ensuring the protection of personal data and privacy.
(2) Regulation (EU) 2016/679 of the European Parliament and of the Council (2), and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (3) apply to all personal data processing activities under this Regulation.
(3) Article 5a(23) of Regulation (EU) No 910/2014 mandates the Commission, where necessary, to establish the relevant specifications and procedures. This is achieved by means of four Implementing Regulations, dealing with protocols and interfaces: Commission Implementing Regulation (EU) 2024/2982 (4), integrity and core functionalities: Commission Implementing Regulation (EU) 2024/2979 (5), person identification data and electronic attestation of attributes: Commission Implementing Regulation (EU) 2024/2977 (6), as well as the notifications to the Commission: Commission Implementing Regulation (EU) 2024/2980 (7). This Regulation lays down the relevant requirements for protocols and interfaces.
(4) The Commission regularly assesses new technologies, practices, standards or technical specifications. To ensure the highest level of harmonisation among Member States for the development and certification of the wallets, the technical specifications set out in this Regulation rely on the work carried out on the basis of Commission Recommendation (EU) 2021/946 of 3 June 2021 on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework (8) and in particular the architecture and reference framework. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (9), the Commission should review and update this Implementing Regulation, if necessary, to keep it in line with global developments, the architecture and reference framework, and to follow the best practices on the internal market.
(5) In order to ensure transparency and trustworthiness of wallet-relying parties towards wallet users, the protocols and interfaces used by the wallet solutions should provide wallet users with a reliable mechanism to authenticate wallet-relying parties and other wallet units. Inversely, wallet providers should provide a mechanism to authenticate and validate wallet units so that relying parties can receive assurances with respect to trustworthiness and authenticity of the wallet units. Further, the technical infrastructure of the wallets should also be designed to ensure that only the minimal necessary amount of data is transferred only to the authorised relying parties, while keeping unlinkability between the different transactions. In order to facilitate the issuance of person identification data and electronic attestations of attributes, all wallet solutions should support a minimum set of protocols and interfaces.
(6) To ensure the usability of wallet solutions across Member States, all wallet solutions should support common technical specifications when person identification data and electronic attestations of attributes are presented via the wallets to relying parties, both in remote and proximity scenarios. Additionally, wallet units may support other protocols and interfaces for specific use cases.
(7) To ensure data protection by design and by default, the wallets should be provided with several privacy enhancing features to prevent providers of electronic identification means and electronic attestation of attributes from combining personal data obtained when providing other services with the personal data processed to provide the services falling within the scope of Regulation (EU) No 910/2014. As set out in Regulation (EU) No 910/2014, relying parties are not to request users to provide any data other than those indicated for the intended use of wallets during the registration process. Wallet users should be enabled to verify the registration data of relying parties at any point in time. Further, wallet units should be able to display wallet relying party registration certificates to users, when available, as part of an attribute request. This should enable wallet users to verify that the attributes being requested by the wallet relying party are within the scope of their registered attributes, providing assurance that the request is legitimate and trustworthy.
(8) In order to protect the data of wallet users, wallet providers should ensure that wallet units validate requests from wallet-relying parties or other wallet units prior to making any data available. For the same reason and in accordance with Article 5a(4)(d)(ii) of Regulation (EU) No 910/2014, wallet providers should ensure that wallet units allow wallet users to make data erasure requests to wallet-relying parties.
(9) In order to enable swift reactions in the case of any data protection concerns related to Article 5a(4)(d)(iii) of Regulation (EU) No 910/2014, wallet providers should ensure that wallet solutions provide mechanisms for reporting of a relying party to the competent national data protection authority. Appropriate flexibility should be left to wallet providers and data protection authorities in establishing suitable mechanisms for interacting with data protection authorities of the Member States.
(10) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (10), and delivered its opinion on 30 September 2024.
(11) The measures provided for in this Regulation are in accordance with the opinion of the Committee referred to in Article 48 of Regulation (EU) No 910/2014,