Commission Implementing Regulation (EU) 2025/846 of 6 May 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards cross-border identity matching of natural persons by public sector bodies
eIDAS Regulation: ensuring cross-border identity matching
Commission regulation published in the Official Journal of the EU on 7.5.2025
Previously
- Draft regulation presented by the Commission on 29.11.2024 with a feedback deadline of 27.12.2024
Background
(from the Commission regulation)
(1) Regulation (EU) No 910/2014 requires that European Digital Identity Wallets (‘wallets’) and notified electronic identification means are available as an option for authentication to gain access to online cross-border public services provided by Member States. In such cross-border authentication cases, records containing information pertaining to the user of the wallet or the user of notified electronic identification means are sometimes already available to the relying party through the relying party’s own register or an external register, and, often in the form of a user account. In these instances, certain information pertaining to the user, obtained from the wallets or from the notified electronic identification means, may be matched by or on behalf of that relying party. For example, this could be accomplished by using a centralised solution operated by a public sector body, against the information already held by that relying party or by a register relied upon by the relying party, indicatively a population register or a database with user account information.
(2) The Commission regularly assesses new technologies, practices, standards and technical specifications. To ensure the highest level of harmonisation among Member States for the development and certification of the wallets, the technical specifications set out in this Regulation rely on the work carried out under Commission Recommendation (EU) 2021/946 (2) and in particular the Architecture and Reference Framework which is part of it. In accordance with recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (3), the Commission should review and, if necessary, update this Regulation, to keep it in line with global developments, the Architecture and Reference Framework and to follow the best practices on the internal market.
(3) To ensure that the identity matching process functions in a reliable manner across all Member States, Member States acting as relying parties, should perform the initial identity matching when a natural person first requests to get granted access to a service operated by the relying party, based on either the minimum dataset as laid out in Commission Implementing Regulation (EU) 2015/1501 (4) or the person identification dataset laid out in Commission Implementing Regulation (EU) 2024/2977 (5). While this Regulation focuses on Member States acting as relying parties, Regulation (EU) No 910/2014 leaves it for Member States to decide if the identity matching system is also made available to private relying parties. Where Member States foresee identity matching for relying parties which are not public sector bodies, they should apply as far as possible the mechanisms and procedures laid down in this Regulation.
(4) For the purpose of cross-border identity matching when using the wallets, the information used for unequivocal identity matching should be the mandatory data identifiers of the person identification dataset set out in Section 1 of the Annex to Implementing Regulation (EU) 2024/2977, together with any optional data needed to ensure that the set of person identification data is unique.
(5) For the purpose of cross-border identity matching when using notified electronic identification means, the information used for unequivocal identity matching should be the mandatory attributes of the minimum dataset for a natural person as set out in Section 1 of the Annex to Implementing Regulation (EU) 2015/1501. The reference to the mandatory attributes of the minimum dataset for a natural person should be understood in the context of Implementing Regulation (EU) 2015/1501, which describes an attribute as a component of the minimum set of person identification data, as opposed to the definition of attributes laid down in Article 3, point (43), of Regulation (EU) No 910/2014 as amended by Regulation (EU) 2024/1183.
(6) Due to the dependence on pre-existing information used by the relying party to ensure unequivocal identity matching, the identity matching process might not be successful in all instances. To provide an appropriate degree of flexibility for relying parties, Member States may put in place complementary processes that achieve an equivalent level of confidence in the outcome of the identity matching process.
(7) Where the identity matching process is deemed successful as per the provisions of this Regulation, the relying party or the party acting on its behalf, or a register relied upon by relying parties or the centralised system should ensure that the user is informed about the successful registration, including by displaying the user’s name or pseudonym and, where appropriate, among others, about the available options for storing the result of the identity matching process. Those options may include storing an association in a register operated by the relying party and/or in a register relied upon by the relying party and/or issuance of a dedicated electronic attestation of attributes containing an association that can be reused in the future and/or using alternative options provided by the relying party or the party acting on behalf of the relying party. Where applicable, the user should have the choice between options and the retention time should be under the control of the user to ensure that users can reuse completed identity matching processes in the future.
(8) To enhance transparency and user control, when the user could not be successfully matched, the user should be provided with clear reasons why the match was unsuccessful. In addition, the user should be informed about any potential next steps. This should include the information that was used in the identity matching process and any discrepancies that were found, providing clear explanations and instructions to the users on possible remedies and complementary processes.
(9) To make appropriate recourse mechanisms available whenever identity matching is performed, relying parties or the parties acting on their behalf or registers relied upon by relying parties should keep appropriate logs concerning the identity matching process, the information used for matching and any other supporting documentation provided by the natural person as well as the outcome of the identity matching process. These logs should be retained for a minimum of 6 months and a maximum of 12 months to enable the registration and processing of complaints by users. The retention time could be extended if required by Union or national law.
(10) To avoid wallet users needing to perform the identity matching process repeatedly, Member States may require that identity matching systems be capable of issuing an electronic attestation of attributes with a link between the wallet user and a register in which that user is registered as a known user. Alternatively, Member States may store an association as a reference to a register that is accessible to the relying party or other assisting measures.
(11) To ensure that the wallets to be provided in line with the requirements of Article 5a(1) of Regulation (EU) No 910/2014, and the notified electronic identification schemes to benefit from the advantages of having operational identity matching systems, a longer deadline of application of the respective provisions of this Regulation needs to be set. As regards wallets, each Member State should provide at least one wallet within 24 months as of the date of entry into force of the implementing acts referred to in Articles 5a(23) and 5c(6) of Regulation (EU) No 910/2014. Therefore, the application of the relevant provisions of this Regulation on identity matching based on wallets should coincide with the above timeframe. As regards notified electronic identification schemes, sufficient time should be given for the replacement of the functionalities for identity matching.
(12) As use of the wallet is to be voluntary, Member States should provide alternative methods for users to gain access to the services they provide when acting as relying parties.
(13) When attempting to authenticate towards an electronic service, a new user registration may be seamless and thereby appear to a user, visually and technically, the same as a returning visit to an electronic service. For that reason, a new user registration to an electronic service should, for the purpose of this Regulation, be seen as equivalent to a successful identity matching process.
(14) Member States should ensure that the identity matching process functions seamlessly and that the user does not experience multiple session changes and repetitive steps even if the identity matching process is initially not successful and complementary processes are performed.
(15) Member States have the freedom to design their user interfaces and notifications in a manner befitting their national context, taking into account the spirit of the requirements contained in this Regulation.
(16) Regulation (EU) 2016/679 of the European Parliament and of the Council (6) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (7) apply to the personal data processing activities under this Regulation.
(17) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (8) and delivered its opinion on 31 January 2025.
(18) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,