Commission Implementing Regulation (EU) 2025/848 of 6 May 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the registration of relying parties
eID digital wallet: registration of relying parties
Commission regulation published in the Official Journal of the EU on 7.5.2025
Previously
- Draft regulation presented by the Commission on 29.11.2024, with a feedback deadline of 27.12.2024
Background
(from the Commission regulation)
(1) For the purposes of registering relying parties that intend to rely on European Digital Identity Wallets (‘wallets’) for the provision of digital public or private services, as required by Regulation (EU) No 910/2014, Member States should establish and maintain national registers of wallet-relying parties established in their territory.
(2) The Commission regularly assesses new technologies, practices, standards and technical specifications. To ensure the highest level of harmonisation among Member States for the development and certification of the wallets, the technical specifications set out in this Regulation rely on the work carried out under Commission Recommendation (EU) 2021/946 (2) and in particular the Architecture and Reference Framework which is part of it. In accordance with recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (3), the Commission should review and, if necessary, update this Regulation, to keep it in line with global developments, the Architecture and Reference Framework and to follow the best practices on the internal market.
(3) To ensure broad access to the registers and to achieve interoperability, Member States should set up both human and machine-readable interfaces that meet the technical specifications set out in this Regulation. Providers of wallet-relying party access certificates and wallet-relying party registration certificates, where available, should, for the purpose of issuing those certificates, also be able to rely upon these interfaces.
(4) As registration policies provide clear guidance to the wallet-relying parties on the registration process, Member States should set out and publish the registration policies applicable to the national registers established in their territory.
(5) The purpose of registering wallet-relying parties is to build trust in the use of the wallets through greater transparency. Therefore, Member States should make the relevant information available to the public in a manner that is both human and machine-readable. To this end, wallet-relying parties should provide the necessary information, including their entitlement or entitlements, to the national registers.
(6) Further, for the purpose of transparency, wallet-relying parties should declare, whether they intend to rely upon electronic identification of natural persons.
(7) To ensure that the registration process is cost-effective and proportionate to risk, registrars should set up online and, where applicable, automated registration processes for wallet-relying parties that are easy to use. Registrars should verify applications for registration without undue delay.
(8) Member States are to ensure that the wallets are able to authenticate wallet-relying parties, irrespective of where they are established in the Union. For this purpose, wallet-relying parties should use wallet-relying party access certificates when they identify themselves to wallet units. To guarantee interoperability of those certificates across all wallets provided within the Union, wallet-relying party access certificates should adhere to common requirements set out in the Annex. The Commission should develop harmonized certificate policies and certificate practice statements that should be implemented by the Member States. The Commission, in collaboration with Member States, should closely monitor the development of new or alternative standards on which relying-party access certificates could be implemented. In particular, trust models that have proven their efficacy and security in Member States should be assessed.
(9) As set out in Regulation (EU) No 910/2014, wallet-relying parties are not to request users to provide any data other than those indicated for the intended use of wallets during the registration process. Wallet users should be able to verify the registration data of wallet-relying parties. To enable wallet users to verify that the attributes being requested by the wallet-relying party are within the scope of their registered attributes, Member States may require the issuance of wallet-relying party registration certificates to registered wallet-relying parties. To ensure the interoperability of the wallet-relying party registration certificates, Member States should ensure that those certificates meet the requirements and standards set out in the Annex. In particular, wallet-relying parties should declare, whether they intend to rely upon electronic identification of natural persons to meet one of the requirements set out in paragraph 1 of Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council (4) for the purpose of transparency. Further, relying parties are not to refuse the use of pseudonyms, where the identification of the user is not required by Union or national law.
(10) To protect users against oversharing information with wallet-relying parties and warn them in such cases, Member States should include common access policies in their certificate policies that would enable a wallet solution to inform the wallet user whenever a wallet-relying party is asking for more information than what they have registered or been authorised to access.
(11) To protect wallet users, registrars should be able to suspend or cancel the registration of any wallet-relying party without prior notice where the registrars have reason to believe that the registration contains information which is inaccurate, out of date or misleading; that the wallet-relying party is not complying with the registration policy; or that the wallet-relying party is otherwise acting in breach of Union or national law or of the European Declaration on Digital Rights and Principles for the Digital Decade (5) in a way that relates to their role as a wallet-relying party, for example if the wallet-relying party has not rightfully minimised the set of attributes it requests access to. To safeguard the stability of the European Digital Identity Wallet ecosystem (‘wallet ecosystem’), the decision to suspend or cancel a registration should be proportionate to the service disruption caused by the suspension or cancellation and the associated cost and inconvenience for the service provider and the user. Pursuant to Article 46a(4), point (f) of Regulation (EU) No 910/2014, supervisory bodies are also to be empowered to suspend and cancel the registration if required.
(12) For the purpose of ex post monitoring, investigations by law enforcement and dispute handling, registrars should keep records of all the information provided by wallet-relying parties established in their national register for 10 years.
(13) Regulation (EU) 2016/679 and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (6) apply to the personal data processing activities under this Regulation.
(14) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (7), and delivered its opinion on 31 January 2025.
(15) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,