Commission Implementing Regulation (EU) 2024/2977 of 28 November 2024 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards person identification data and electronic attestations of attributes issued to European Digital Identity Wallets

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 5a(23) thereof,

Whereas:

(1) The European Digital Identity Framework established by Regulation (EU) No 910/2014, is a crucial component in the establishment of a secure and interoperable digital identity ecosystem across the Union. With the European Digital Identity Wallets (‘wallets’) as the cornerstone of the framework, it aims at facilitating access to services across Member States, while ensuring the protection of personal data and privacy.

(2) Regulation (EU) 2016/679 of the European Parliament and of the Council (2) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (3) apply to all personal data processing activities under this Regulation.

(3) Article 5a(23) of Regulation (EU) No 910/2014 mandates the Commission, where necessary, to establish the relevant specifications and procedures. This is achieved by means of four Implementing Regulations, dealing with protocols and interfaces: Commission Implementing Regulation (EU) 2024/2982 (4), integrity and core functionalities: Commission Implementing Regulation (EU) 2024/2979 (5), person identification data and electronic attestation of attributes: Commission Implementing Regulation (EU) 2024/2977 (6), as well as the notifications to the Commission: Commission Implementing Regulation (EU) 2024/2980 (7). This Regulation lays down the relevant requirements for person identification data and electronic attestations of attributes to be issued to European Digital Identity Wallets.

(4) The Commission regularly assesses new technologies, practices, standards or technical specifications. To ensure the highest level of harmonisation among Member States for the development and certification of the wallets, the technical specifications set out in this Implementing Regulation rely on the work carried out on the basis of Commission Recommendation (EU) 2021/946 of 3 June 2021 on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework (8) and in particular the architecture and reference framework which is part of it. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (9), the Commission should review and update this implementing regulation, if necessary, to keep it in line with global developments, the architecture and reference framework and to follow the best practices on the internal market.

(5) To ensure data protection by design and by default, the wallets should be provided with several privacy enhancing features to prevent providers of electronic identification means and electronic attestation of attributes from combining personal data obtained when providing other services with the personal data processed to provide the services falling within the scope of Regulation (EU) No 910/2014.

(6) To ensure harmonisation, certain common functionalities should be available in all wallets, including the ability to securely request, obtain, select, combine, store, delete, share, and present, under the sole control of the wallet user, person identification data and electronic attestations of attributes. To ensure that person identification data and electronic attestations of attributes can be processed via every wallet unit, technical specifications concerning person identification data attributes, the data format, and the infrastructure required to ensure appropriate trustworthiness of person identification data need to be supported by all wallet solutions. Further, common specifications in relation to attributes of person identification data aim at ensuring that this data can be used for identity matching as required.

(7) Member States are to ensure that the wallets are able to authenticate relying parties, providers of person identification data and providers of electronic attestations of attributes irrespective of where they are established in the Union. To achieve this, these entities should use wallet-relying party access certificates when they identify themselves to wallet units. To guarantee interoperability of these certificates across all wallets provided within the Union, wallet-relying parties’ access certificates should adhere to common standards. The Commission, in collaboration with Member States, should closely monitor the development of new or alternative standards on which relying-party access certificates could be built. In particular, trust models that have proven their efficacy and security in Member States should be assessed.

(8) To ensure transparency towards wallet users, Member States should publish information indicating which wallet solutions are supported by providers of person identification data established in their territories. Since the identity of the user must be as reliable as possible, a common assurance level high should be imposed on the identity proofing of wallet users prior to the issuance of person identification data, according to assurance level high as laid down for electronic identification means under Regulation (EU) No 910/2014. In this manner, the wallet units ensure the highest available degree of trustworthiness for means of identification across the Union. During enrolment of wallet users at level of assurance high, various secure processes are possible, for instance, where the wallet user has been verified to be in possession of photo or biometric identification evidence recognised but not issued by the Member State in which the application for the electronic identification means is made and that evidence represents the claimed identity, the evidence should be checked to determine that it is valid according to a relevant authoritative source.

(9) In order to support interoperability, electronic attestations of attributes should comply with harmonised requirements on the format.

(10) To protect the data of wallet users and to ensure the authenticity of electronic attestations of attributes, mechanisms for the authentication of providers of electronic attestations of attributes, and for the verification of the authenticity and validity of wallet units by that provider should apply prior to the issuance of the attestations to wallet units.

(11) In order to avoid the use of, and the reliance on, person identification data and electronic attestations of attributes that have lost their legal validity after being issued to a wallet unit, providers of person identification data and of electronic attestations of attributes should publish a policy outlining the circumstances and procedures for revocation.

(12) To ensure that the person identification data uniquely represents the wallet user, Member States should, in addition to the mandatory attributes in the person identification data set out in this Regulation, provide optional attributes needed to ensure that the set of person identification data is unique.

(13) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (10) and delivered its opinion on 30 September 2024.

(14) The measures provided for in this Regulation are in accordance with the opinion of the committee referred to in Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

Subject matter and scope

This Regulation lays down rules for the issuance of person identification data and electronic attestations of attributes to wallet units, to be updated on a regular basis to keep in line with technology and standards developments and with the work carried out on the basis of Recommendation (EU) 2021/946, and in particular the architecture and reference framework.

Article 2

Definitions

For the purpose of this Regulation, the following definitions apply:

(1) ‘wallet user’ means a user who is in control of the wallet unit;

(2) ‘wallet unit’ means a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user;

(3) ‘wallet solution’ means a combination of software, hardware, services, settings, and configurations, including wallet instances, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices;

(4) ‘provider of person identification data’ means a natural or legal person responsible for issuing and revoking the person identification data and ensuring that the person identification data of a user is cryptographically bound to a wallet unit;

(5) ‘wallet unit attestation’ means a data object that describes the components of the wallet unit or allows authentication and validation of those components;

(6) ‘wallet instance’ means the application installed and configured on a wallet user’s device or environment, which is part of a wallet unit, and that the wallet user uses to interact with the wallet unit;

(7) ‘wallet secure cryptographic application’ means an application that manages critical assets by being linked to and using the cryptographic and non-cryptographic functions provided by the wallet secure cryptographic device;

(8) ‘wallet secure cryptographic device’ means a tamper-resistant device that provides an environment that is linked to and used by the wallet secure cryptographic application to protect critical assets and provide cryptographic functions for the secure execution of critical operations;

(9) ‘wallet provider’ means a natural or legal person who provides wallet solutions;

(10) ‘critical assets’ means assets within or in relation to a wallet unit of such extraordinary importance that where their availability, confidentiality or integrity are compromised, this would have a very serious, debilitating effect on the ability to rely on the wallet unit;

(11) ‘wallet-relying party’ means a relying party that intends to rely upon wallet units for the provision of public or private services by means of digital interaction;

(12) ‘wallet-relying party access certificate’ means a certificate for electronic seals or signatures authenticating and validating the wallet-relying party issued by a provider of wallet-relying party access certificates;

(13) ‘provider of wallet-relying party access certificates’ means a natural or legal person mandated by a Member State to issue relying party access certificates to wallet-relying parties registered in that Member State.

Article 3

Issuance of person identification data to wallet units

Article 4

Issuance of electronic attestations of attributes to wallet units

Article 5

Revocation of person identification data

(a) upon the explicit request of the wallet user to whose wallet unit the person identification data or electronic attestation of attributes were issued to;

(b) where the wallet unit attestation to which the person identification data was issued to has been revoked;

(c) in other situations determined by the providers of person identification data or electronic attestations of attributes in their policies referred to in paragraph 1.

Article 6

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 28 November 2024.

For the Commission The President Ursula VON DER LEYEN

(1) OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj.

(2) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).