Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance)
Article 1
Subject matter
This Regulation lays down technical and operational requirements of the interoperability framework in order to ensure the interoperability of the electronic identification schemes which Member States notify to the Commission.
Those requirements include in particular:
(a) minimum technical requirements related to the assurance levels and the mapping of national assurance levels of notified electronic identification means issued under notified electronic identification schemes under Article 8 of Regulation (EU) No 910/2014 as set out in Articles 3 and 4;
(b) minimum technical requirements for interoperability, as set out in Articles 5 and 8;
(c) the minimum set of person identification data uniquely representing a natural or legal person as set out in Article 11 and in the Annex;
(d) common operational security standards as set out in Articles 6, 7, 9 and 10;
(e) arrangements for dispute resolution as set out in Article 13.
Article 2
Definitions
For the purposes of this Regulation, the following definitions shall apply:
(1) ‘node’ means a connection point which is part of the electronic identification interoperability architecture and is involved in cross-border authentication of persons and which has the capability to recognise and process or forward transmissions to other nodes by enabling the national electronic identification infrastructure of one Member State to interface with national electronic identification infrastructures of other Member States;
(2) ‘node operator’ means the entity responsible for ensuring that the node performs correctly and reliably its functions as a connection point.
Article 3
Minimum technical requirements related to the assurance levels
Minimum technical requirements related to the assurance levels shall be as set out in Commission Implementing Regulation (EU) 2015/1502 (4).
Article 4
Mapping of national assurance levels
The mapping of national assurance levels of the notified electronic identification schemes shall follow the requirements laid down in Implementing Regulation (EU) 2015/1502. The results of the mapping shall be notified to the Commission using the notification template laid down in Commission Implementing Decision (EU) 2015/1984 (5).
Article 5
Nodes
Article 6
Data privacy and confidentiality
Article 7
Data integrity and authenticity for the communication
Communication between the nodes shall ensure data integrity and authenticity to make certain that all requests and responses are authentic and have not been tampered with. For this purpose, nodes shall use solutions which have been successfully employed in cross-border operational use.
Article 8
Message format for the communication
The nodes shall use for syntax common message formats based on standards that have already been deployed more than once between Member States and proven to work in an operational environment. The syntax shall allow:
(a) proper processing of the minimum set of person identification data uniquely representing a natural or legal person;
(b) proper processing of the assurance level of the electronic identification means;
(c) distinction between public sector bodies and other relying parties;
(d) flexibility to meet the needs of additional attributes relating to identification.
Article 9
Management of security information and metadata
The node operator shall store data which, in the event of an incident, enable reconstruction of the sequence of the message exchange for establishing the place and the nature of the incident. The data shall be stored for a period of time in accordance with national requirements and, as a minimum, shall consist of the following elements:
(a) node's identification;
(b) message identification;
(c) message date and time.
Article 10
Information assurance and security standards
Article 11
Person identification data
Article 12
Technical specifications
Article 13
Dispute resolution
Article 14
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
ANNEX
Requirements concerning the minimum set of person identification data uniquely representing a natural or a legal person, referred to in Article 11
1. The minimum data set for a natural person
The minimum data set for a natural person shall contain all of the following mandatory attributes:
(a) current family name(s);
(b) current first name(s);
(c) date of birth;
(d) a unique identifier constructed by the sending Member State in accordance with the technical specifications for the purposes of cross-border identification and which is as persistent as possible in time.
The minimum data set for a natural person may contain one or more of the following additional attributes:
(a) first name(s) and family name(s) at birth;
(b) place of birth;
(c) current address;
(d) gender.
2. The minimum data set for a legal person
The minimum data set for a legal person shall contain all of the following mandatory attributes:
(a) current legal name;
(b) a unique identifier constructed by the sending Member State in accordance with the technical specifications for the purposes of cross-border identification and which is as persistent as possible in time.
The minimum data set for a legal person may contain one or more of the following additional attributes:
(a) current address;
(b) VAT registration number;
(c) tax reference number;
(d) the identifier related to Article 3(1) of Directive 2009/101/EC of the European Parliament and of the Council (6);
(e) Legal Entity Identifier (LEI) referred to in Commission Implementing Regulation (EU) No 1247/2012 (7);
(f) Economic Operator Registration and Identification (EORI) referred to in Commission Implementing Regulation (EU) No 1352/2013 (8);
(g) excise number provided in Article 2(12) of Council Regulation (EC) No 389/2012 (9).