Commission Implementing Regulation (EU) 2025/847 of 6 May 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reactions to security breaches of European Digital Identity Wallets
eID digital wallet: security breaches
Commission Regulation published in the Official Journal of the EU on 7 May 2025
Previously
- Draft regulation presented by the Commission on 29 November 2024, with a deadline for feedback of 27 December 2024
Background
(from the Commission Regulation)
(1) The European Digital Identity Framework (‘framework’) set out in Regulation (EU) No 910/2014 is a crucial component in the establishment of a secure and interoperable digital identity ecosystem across the Union. With the European Digital Identity Wallets (‘wallets’) as its cornerstone, the framework aims to facilitate access to services across Member States, while ensuring the protection of personal data and privacy.
(2) Regulations (EU) 2016/679 (2) and (EU) 2018/1725 (3) of the European Parliament and of the Council, and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (4) apply to the personal data processing activities under this Regulation. The rules on the assessment and provision of information established under this Regulation are without prejudice to the obligation to notify personal data breaches to the competent supervisory authority where applicable under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, and to the obligation to communicate the personal data breaches to the data subjects where applicable under these Regulations.
(3) The Commission regularly assesses new technologies, practices, standards and technical specifications. To ensure the highest level of harmonisation among Member States for the development and certification of the wallets, the technical specifications set out in this Regulation rely on the work carried out under Commission Recommendation (EU) 2021/946 (5) and in particular the Architecture and Reference Framework which is part of it. In accordance with recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (6), the Commission should review and, if necessary, update this Regulation, to keep it in line with global developments and the Architecture and Reference Framework, and to follow the best practices on the internal market.
(4) In the event of a security breach or a compromise of the wallet solutions or of the validation mechanisms referred to in Article 5a(8) of Regulation (EU) No 910/2014, or of the electronic identification scheme under which the wallet solutions are provided, reactions to such security breaches and compromises need to follow in a fast, coordinated and secure manner across Member States to protect users and to maintain trust in the digital identity ecosystem. This is without prejudice to Directive (EU) 2022/2555 of the European Parliament and of the Council (7) and Regulations (EU) 2019/881 (8) and (EU) 2024/2847 (9) of the European Parliament and of the Council, in particular as regards handling of incidents or vulnerabilities and their consideration as security breaches. Therefore, Member States should ensure the timely suspension of the provision and the use of wallets affected by a security breach or compromise, or, where appropriate, their withdrawal.
(5) To ensure appropriate reactions to a security breach or compromise, Member States should assess whether a security breach or compromise of a wallet solution, of the validation mechanisms referred to in Article 5a(8) of Regulation (EU) No 910/2014, or of the electronic identification scheme under which a wallet solution is provided, affects the reliability of that wallet solution or of other wallet solutions. Such an assessment should be based on uniform criteria, such as the number and category of wallet users, of natural persons, and of wallet-relying parties impacted, the nature of impacted data, the duration of the compromise or security breach, the limited availability of a service and financial losses, and the potential compromise of personal data. These criteria should provide Member States with flexibility and discretion to establish in a proportionate manner whether the reliability of a wallet solution is affected and whether the suspension or, where justified by the severity of the breach or compromise, the withdrawal of the wallet solution is appropriate. These criteria should not trigger an automatic withdrawal of a wallet solution or an automatic suspension of the provision and the use of a wallet solution, but they should be duly considered by Member States when deciding if a withdrawal, or suspension of the provision and the use, of a wallet solution are necessary.
(6) Due to the impact and inconvenience caused by suspending the use of wallet solutions, Member States will need to evaluate whether the revocation of wallet unit attestations or any other additional measures are necessary to react adequately to the security breach or compromise.
(7) To keep wallet users informed about the status of their wallets, they are to be provided with adequate information about security breaches or compromises affecting their wallets. As wallet-relying parties registered in the Union can also be affected by security breaches and compromises, relevant information on security breaches and compromises is also to be shared with them.
(8) To enhance transparency and build trust in the digital identity ecosystem, the information about the security breaches or compromises and about their consequences should at least include the information required under this Regulation. Information concerning security breaches or compromises shared with wallet users and wallet-relying parties should however be carefully assessed so as to prevent and minimise the risk of its exploitation by attackers.
(9) To enable users to access their wallet units again after a security breach or compromise has been remedied, the Member State that provided the wallet solution will need to re-establish the provision and use of that wallet solution without undue delay. This can be done by re-establishing the wallet units, by issuing wallet units provided under a new version of the wallet solution or by re-issuing new valid wallet unit attestations. Wallet users affected, wallet-relying parties, single points of contact designated pursuant to Article 46c(1) of Regulation (EU) No 910/2014 and the Commission are to be informed accordingly.
(10) To ensure the withdrawal of wallets where a security breach or compromise has not been remedied within three months of the suspension or where this is justified by the severity of the security breach or compromise, the Member State should ensure that the relevant wallet unit attestations are revoked and that they cannot revert to a valid state nor be issued or provided to existing wallet units. Moreover, no new wallet units should be provided under the affected wallet solution. For transparency purposes, users, relying parties, single points of contact designated pursuant to Article 46c(1) of Regulation (EU) No 910/2014 and the Commission need to be informed of the withdrawal. This includes a description of the potential impacts on the wallet users and notably the management of issued attestations, or on wallet-relying parties.
(11) The period of three months following the suspension of the provision and the use of a wallet solution, and during which the security breach or compromise having led to that suspension is to be remedied, should provide for a time limit after which the wallet solution is to be withdrawn unless an appropriate remedy has been implemented. Member States however are free to require the security breach or compromise to be remedied within a time limit that is shorter than three months, taking into account, in particular and where relevant, the extent, duration and consequences of that security breach or compromise. Where the security breach or compromise is not or cannot be remedied within the time limit set by the Member State, the Member State may require the wallet solution to be withdrawn before the expiration of the period of three months. Member States should use this time period during which a security breach or compromise that led to the suspension of the provision and the use of a wallet solution has to be remedied to prepare the potential withdrawal of that wallet solution and the resulting communications.
(12) To reduce the administrative burden for Member States regarding the information to be provided, in accordance with this Regulation, to the Commission and to other Member States, Member States should use existing notification tools such as the Cyber Incident Reporting and Analysis System (‘CIRAS’) operated by the European Union Agency for Cybersecurity (‘ENISA’). Regarding alternative channels or means to be utilised to inform wallet users affected by a security breach or compromise and wallet-relying parties, Member States should ensure that the relevant information is provided in a clear, comprehensive, and easily accessible manner. The channels to provide such information to wallet users affected and wallet-relying parties should include appropriate solutions for website-based broadcasting, real-time tracking of website updates and news aggregation.
(13) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered its opinion on 31 January 2025.
(14) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,