Commission Implementing Regulation (EU) 2024/2981 of 28 November 2024 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the certification of European Digital Identity Wallets
eID digital wallet: certification
Commission Regulation published in the Official Journal of the EU on 4.12.2024
Previously
- Draft regulation presented by the Commission on 12.8.2024, with a feedback deadline of 9.9.2024
Background
BACKGROUND (from the Commission Regulation)
(1) Pursuant to Article 5c of Regulation (EU) No 910/2014, the certification of European Digital Identity Wallets (‘wallets’) is to be made in accordance with functional, cybersecurity, and data protection requirements to ensure a high level of security and trust in the wallets. Those certification requirements need to be harmonised across Member States in order to prevent market fragmentation and to build a robust framework.
(2) Regulation (EU) 2016/679 of the European Parliament and of the Council (2) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (3) apply to the personal data processing activities under this Regulation.
(3) The Commission regularly assesses new technologies, practices, standards or technical specifications. To ensure the highest level of harmonisation among Member States for the development and certification of the wallets, the technical specifications set out in this Regulation rely on the work carried out on the basis of Commission Recommendation (EU) 2021/946 of 3 June 2021 on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework (4) and in particular the Architecture and Reference Framework which is part of it. In accordance with recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (5), the Commission should review and update this Implementing Regulation, if necessary, to keep it in line with global developments, the Architecture and Reference Framework and to follow the best practices on the internal market.
(4) In order to attest conformity to cybersecurity requirements included in the certification framework, the certification of wallet solutions should refer to, where available and relevant, European cybersecurity certification schemes established pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council (6). In the absence of such schemes, or when they partially cover cybersecurity requirements, this Regulation sets out the general requirements applying to national certification schemes, covering functional, cybersecurity, and data protection requirements.
(5) Pursuant to Article 5a(11) of Regulation (EU) No 910/2014, the wallets are to be certified against assurance level high as set out in Regulation (EU) No 910/2014, as well as Commission Implementing Regulation (EU) 2015/1502 (7). That assurance level has to be reached by the overall wallet solution. Under this Regulation, some components of the wallet solution may be certified at a lower assurance level, provided this is duly justified and without prejudice to the assurance level high reached by the overall solution.
(6) All national certification schemes should assign a scheme owner who will be responsible for the development and maintenance of the certification scheme. The scheme owner may be a conformity assessment body, a governmental body or authority, a trade association, a group of conformity assessment bodies, or any appropriate body and can be different from the body operating the national certification scheme.
(7) The object of certification should include the software components of the wallet solution, such as the wallet instance. The wallet secure cryptographic application (‘WSCA’), the wallet secure cryptographic device (‘WSCD’) and the platforms on which these software components are executed, while being part of the operating environment, should only be included in the object of certification when they are provided by the wallet solution. In other cases, and in particular when these devices and platforms are provided by end users, providers should establish assumptions on the wallet solution’s operating environment, including on these devices and platforms, and implement measures to confirm that these assumptions are verified in practice. In order to ensure protection of critical assets through hardware and system software used to manage and protect cryptographic keys created, stored or processed by the WSCD, the WSCD needs to satisfy high standards of certification as reflected in international standards such as Common Criteria (‘EUCC’), established in Commission Implementing Regulation (EU) 2024/482 (8), by EAL4 evaluation and advanced methodical vulnerability analysis comparable to AVA_VAN.5. These certification standards should be used at the latest when certification of the conformity of wallets is carried out following a European cybersecurity certification scheme adopted pursuant to Regulation (EU) 2019/881.
(8) Fully mobile, secure and user-friendly wallets are supported by the availability of standardised and certified tamper-resistant solutions, such as embedded secure elements, external devices such as smartcards, or embedded SIM platforms in mobile devices. It is important to ensure the timely access to embedded secure elements for national eID means and wallets and to coordinate efforts by Member States in this area. The European Digital Identity Cooperation Group established pursuant to Article 46e(1) of Regulation (EU) No 910/2014 (‘Cooperation Group’), should therefore establish a dedicated subgroup for this purpose. Consulting relevant stakeholders, this subgroup should agree on a joint roadmap for access to embedded secure elements to be considered by the Commission for the review report on the Regulation (EU) No 910/2014. In order to facilitate the uptake of the wallet at national level, the Commission should furthermore, in cooperation with Member States, develop and continuously update a manual for use cases as part of the Architecture and Reference Framework.
(9) The object of certification of national certification schemes should also include the processes that are used to provide and operate the wallet solution, even if the definition or execution of those processes are subcontracted to third parties. In order to demonstrate that the processes satisfy the schemes’ requirements, assurance information is allowed to be used as evidence, provided that a dependency analysis is used to determine if the assurance information is sufficient. Assurance information comes in many different forms, including reports and certificates of conformity, which can be private, national, European or international, based on standards or on technical specifications. The objective of the dependency analysis is to assess the quality of the assurance information available about a wallet’s components.
(10) Following procedures established for this purpose, the Cooperation Group should be able to provide opinions and recommendations on the draft national certification schemes submitted to it. These national certification schemes should be specific to the wallet architecture and there should be specific profiles for each specific architecture supported.
(11) In order to ensure a common understanding of, and harmonised approach to, the assessment of the most critical risks that might affect the provision and operation of wallets, a register of risks and threats that should be taken into consideration when designing wallet solutions independently of their specific architecture should be drawn up. The cybersecurity objectives described in Regulation (EU) No 910/2014, such as confidentiality, integrity and availability of the wallet solution, as well as user and data privacy, should be borne in mind when identifying which risks should be included in the register. Due consideration of risks and threats included in this risk register should be part of the requirements of national certification schemes. To keep in line with the continuously evolving threat landscape, the risk register should be maintained and regularly updated in collaboration with the Cooperation Group.
(12) When establishing their certification schemes, scheme owners should perform a risk assessment to refine and complement the risks and threats listed in the register with risks and threats specific to the architecture or implementation of the wallet solution. The risk assessment should consider how the applicable risks and threats can be appropriately treated. Wallet providers should complement the scheme’s risk assessment to identify any risks and threats specific to their implementation and propose appropriate treatment measures for evaluation by the certification body.
(13) To demonstrate that a wallet solution architecture meets the applicable security requirements, each architecture-specific scheme or profile should contain at least a description of the wallet solution architecture, a list of security requirements applicable to the wallet solution architecture, an evaluation plan to confirm that a wallet solution based on this architecture meets those requirements and a risk assessment. National certification schemes should require wallet providers to demonstrate how the design of the wallet solution that they provide matches the reference architecture and details the security controls and validation plans for the specific wallet solution. National certification schemes should also define a conformity assessment activity to verify that the wallet design properly reflects the selected profile’s reference architecture. National certification schemes should comply with the requirements set out in Article 51 of Regulation (EU) 2019/881, except for its points (e) and (f), related to logging.
(14) Concerning the certification of products, certificates of conformity issued under the EU cybersecurity certification scheme on EUCC, and certificates of conformity issued under national certification schemes in the context of the SOG-IS Mutual Recognition Agreement, should be allowed to be used. Furthermore, other national certification schemes should be allowed to be used for less sensitive product components, such as those established following the standard CEN EN 17640 for fixed time cybersecurity evaluation methodology.
(15) The EU Digital Identity Wallet Trust Mark (‘Trust Mark’) should be used to indicate in a clear, simple and recognisable manner that a wallet has been provided in accordance with Regulation (EU) No 910/2014. Therefore, it should be considered as a mark of conformity for a wallet solution certified under national certification schemes. National certification schemes should not define any other marks of conformity.
(16) In order to discourage fraud, national certification schemes should define actions to be taken where certification under the scheme is being claimed fraudulently.
(17) To ensure an efficient management of vulnerability notifications, providers of wallet solutions and the electronic identification scheme under which they are provided should define and implement processes to evaluate the severity and potential impact of vulnerabilities. National certification schemes should set a threshold over which the certification body is to be notified. Such a notification requirement should not affect the criteria established by data protection legislation and Member States’ data protection authorities for notification of personal data breaches. Possible synergies could be established between the mandatory notification of breach or compromise of the wallet solutions and the notification of personal data breaches pursuant to Regulation (EU) 2016/679. The certification body’s assessment of a vulnerability impact analysis report should be without prejudice to a data protection authority’s assessment of a data protection impact assessment pursuant to Articles 35 and 36 of Regulation (EU) 2016/679.
(18) The providers of wallet solutions and the electronic identification scheme under which they are provided should notify the scheme owner of any justifications for exceptions to the vulnerability assessment required for the evaluation of the WSCD and WSCA, as set out in Annex IV.
(19) The cancellation of a certificate of conformity might have severe consequences such as the revocation of all deployed wallet units. Therefore, certification bodies should only consider cancellation if an unremedied vulnerability is likely to significantly affect the reliability of the wallet solution or the reliability of another wallet solution.
(20) A specific process for the update of national certification schemes should be put in place to manage the transition between successive releases of the schemes, in particular in relation to actions to be taken by the certificate holder regarding upcoming evaluations, maintenance, recertification and special evaluations.
(21) To facilitate transparency, wallet providers should publicly share security information about their wallet solution.
(22) Where national certification schemes rely on assurance information from other certification schemes or sources, a dependency analysis should be carried out to verify that the assurance documentation, for instance assurance reports and certificates of conformity, is available and adequate for the wallet solutions and the electronic identification scheme under which they are provided. The basis for this dependency analysis should be the risk assessment of the wallet solutions and the electronic identification scheme under which they are provided. The evaluation should determine whether the assurance documentation available for a given wallet solution and the electronic identification scheme under which it is provided is adequate to provide assurance corresponding to the targeted evaluation level. The evaluation should also update the dependency analysis, or entirely re-evaluate it, where necessary.
(23) Certification bodies should issue certificates of conformity in national certification schemes, together with a publicly available certification report, as referred to in Article 5d(2), point (a), of Regulation (EU) No 910/2014. The associated certification assessment report should be made available to the Cooperation Group.
(24) National certification schemes should set out a yearly surveillance evaluation to ensure that the processes around the management and maintenance of the wallets are operating effectively, meaning that they operate as defined in the policies determining the processes. The biennial vulnerability assessment is a requirement stemming from Regulation (EU) No 910/2014, to ensure that the wallet solution continues to cover appropriately the cybersecurity risks and threats identified in the risk register, including any evolution of the threat landscape. The notions of surveillance evaluations, recertification evaluations and special evaluations should be in accordance with EN ISO/IEC 17021-1:2015.
(25) A certification cycle ends with the expiry of the certificate of conformity, or with the issuance of a new certificate of conformity following a successful recertification evaluation. The recertification evaluation should include an evaluation of all components of the object of certification, including an evaluation of the effectiveness and, where applicable, a vulnerability assessment. During recertification, it should be possible to reuse results from previous evaluations on components that have not changed.
(26) When a European cybersecurity certification scheme is adopted, national certification schemes with the same scope should cease issuing certifications after a defined transition period as referred to in Article 57(1) of Regulation (EU) 2019/881.
(27) National certification schemes should rely on existing frameworks and reuse evidence as appropriate in order to ensure harmonisation and interoperability. Member States may conclude agreements for the cross-border reuse of certification schemes or parts thereof. The European Commission and ENISA should, in cooperation with the Cooperation Group, support Member States in the development and maintenance of their national certification schemes ensuring knowledge-sharing and best practices.
(28) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (9), and delivered its opinion on 30 September 2024.
(29) The measures provided for in this Regulation are in accordance with the opinion of the Committee referred to in Article 48(1) of Regulation (EU) No 910/2014,