Commission Implementing Regulation (EU) 2025/848 of 6 May 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the registration of wallet-relying parties
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), in particular Article 5b(11) thereof,
Whereas:
(1) For the purposes of registering relying parties that intend to rely on European Digital Identity Wallets (‘wallets’) for the provision of digital public or private services, as required by Regulation (EU) No 910/2014, Member States should establish and maintain national registers of wallet-relying parties established in their territory.
(2) The Commission regularly assesses new technologies, practices, standards and technical specifications. To ensure the highest level of harmonisation among Member States for the development and certification of the wallets, the technical specifications set out in this Regulation rely on the work carried out under Commission Recommendation (EU) 2021/946 (2) and in particular the Architecture and Reference Framework which is part of it. In accordance with recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (3), the Commission should review and, if necessary, update this Regulation, to keep it in line with global developments, the Architecture and Reference Framework and to follow the best practices on the internal market.
(3) To ensure broad access to the registers and to achieve interoperability, Member States should set up both human and machine-readable interfaces that meet the technical specifications set out in this Regulation. Providers of wallet-relying party access certificates and wallet-relying party registration certificates, where available, should, for the purpose of issuing those certificates, also be able to rely upon these interfaces.
(4) As registration policies provide clear guidance to the wallet-relying parties on the registration process, Member States should set out and publish the registration policies applicable to the national registers established in their territory.
(5) The purpose of registering wallet-relying parties is to build trust in the use of the wallets through greater transparency. Therefore, Member States should make the relevant information available to the public in a manner that is both human and machine-readable. To this end, wallet-relying parties should provide the necessary information, including their entitlement or entitlements, to the national registers.
(6) Further, for the purpose of transparency, wallet-relying parties should declare whether they intend to rely upon electronic identification of natural persons.
(7) To ensure that the registration process is cost-effective and proportionate to risk, registrars should set up online and, where applicable, automated registration processes for wallet-relying parties that are easy to use. Registrars should verify applications for registration without undue delay.
(8) Member States are to ensure that the wallets are able to authenticate wallet-relying parties, irrespective of where they are established in the Union. For this purpose, wallet-relying parties should use wallet-relying party access certificates when they identify themselves to wallet units. To guarantee interoperability of those certificates across all wallets provided within the Union, wallet-relying party access certificates should adhere to common requirements set out in the Annex. The Commission should develop harmonized certificate policies and certificate practice statements that should be implemented by the Member States. The Commission, in collaboration with Member States, should closely monitor the development of new or alternative standards on which relying-party access certificates could be implemented. In particular, trust models that have proven their efficacy and security in Member States should be assessed.
(9) As set out in Regulation (EU) No 910/2014, wallet-relying parties are not to request users to provide any data other than those indicated for the intended use of wallets during the registration process. Wallet users should be able to verify the registration data of wallet-relying parties. To enable wallet users to verify that the attributes being requested by the wallet-relying party are within the scope of their registered attributes, Member States may require the issuance of wallet-relying party registration certificates to registered wallet-relying parties. To ensure the interoperability of the wallet-relying party registration certificates, Member States should ensure that those certificates meet the requirements and standards set out in the Annex. In particular, wallet-relying parties should declare whether they intend to rely upon electronic identification of natural persons to meet one of the requirements set out in paragraph 1 of Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council (4) for the purpose of transparency. Further, relying parties are not to refuse the use of pseudonyms, where the identification of the user is not required by Union or national law.
(10) To protect users against oversharing information with wallet-relying parties and warn them in such cases, Member States should include common access policies in their certificate policies that would enable a wallet solution to inform the wallet user whenever a wallet-relying party is asking for more information than what they have registered or been authorised to access.
(11) To protect wallet users, registrars should be able to suspend or cancel the registration of any wallet-relying party without prior notice where the registrars have reason to believe that the registration contains information which is inaccurate, out of date or misleading; that the wallet-relying party is not complying with the registration policy; or that the wallet-relying party is otherwise acting in breach of Union or national law or of the European Declaration on Digital Rights and Principles for the Digital Decade (5) in a way that relates to their role as a wallet-relying party, for example if the wallet-relying party has not rightfully minimised the set of attributes it requests access to. To safeguard the stability of the European Digital Identity Wallet ecosystem (‘wallet ecosystem’), the decision to suspend or cancel a registration should be proportionate to the service disruption caused by the suspension or cancellation and the associated cost and inconvenience for the service provider and the user. Pursuant to Article 46a(4), point (f) of Regulation (EU) No 910/2014, supervisory bodies are also to be empowered to suspend and cancel the registration if required.
(12) For the purpose of ex post monitoring, investigations by law enforcement and dispute handling, registrars should keep records of all the information provided by wallet-relying parties established in their national register for 10 years.
(13) Regulation (EU) 2016/679 and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (6) apply to the personal data processing activities under this Regulation.
(14) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (7), and delivered its opinion on 31 January 2025.
(15) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,
HAS ADOPTED THIS REGULATION:
Article 1
Subject matter and scope
This Regulation lays down rules for the registration of wallet-relying parties.
Article 2
Definitions
For the purposes of this Regulation, the following definitions apply:
(1) ‘wallet-relying party’ means a relying party that intends to rely upon wallet units for the provision of public or private services by means of digital interaction;
(2) ‘wallet unit’ means a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user;
(3) ‘wallet solution’ means a combination of software, hardware, services, settings, and configurations, including wallet instances, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices;
(4) ‘wallet instance’ means the application installed and configured on a wallet user’s device or environment, which is part of a wallet unit, and that the wallet user uses to interact with the wallet unit;
(5) ‘wallet secure cryptographic application’ means an application that manages critical assets by being linked to and using the cryptographic and non-cryptographic functions provided by the wallet secure cryptographic device;
(6) ‘wallet secure cryptographic device’ means a tamper-resistant device that provides an environment that is linked to and used by the wallet secure cryptographic application to protect critical assets and provide cryptographic functions for the secure execution of critical operations;
(7) ‘critical assets’ means assets within or in relation to a wallet unit of such extraordinary importance that where their availability, confidentiality or integrity are compromised, this would have a very serious, debilitating effect on the ability to rely on the wallet unit;
(8) ‘wallet provider’ means a natural or legal person who provides wallet solutions;
(9) ‘wallet user’ means a user who is in control of the wallet unit;
(10) ‘national register of wallet-relying parties’ means a national electronic register used by a Member State to make information on wallet-relying parties registered in that Member State publicly available as set out in Article 5b(5) of Regulation (EU) No 910/2014;
(11) ‘provider of wallet-relying party access certificates’ means a natural or legal person mandated by a Member State to issue wallet-relying party access certificates to wallet-relying parties registered in that Member State;
(12) ‘wallet-relying party access certificate’ means a certificate for electronic seals or signatures authenticating and validating the wallet-relying party issued by a provider of wallet-relying party access certificates;
(13) ‘provider of person identification data’ means a natural or legal person responsible for issuing and revoking the person identification data and ensuring that the person identification data of a user is cryptographically bound to a wallet unit;
(14) ‘registrar of wallet-relying parties’ means the body responsible for establishing and maintaining the list of registered wallet-relying parties established in their territory and who has been designated by a Member State;
(15) ‘wallet-relying party registration certificate’ means a data object that describes the intended use of the relying party and indicates the attributes the relying party has registered to intend to request from users;
(16) ‘provider of wallet-relying party registration certificates’ means a natural or legal person mandated by a Member State to issue wallet-relying party registration certificates to wallet-relying parties registered in that Member State.
Article 3
National registers
1. Member States shall establish and maintain at least one national register of wallet-relying parties with information regarding registered wallet-relying parties established in that Member State.
2. The register shall include at least the information set out in Annex I.
3. Member States shall designate at least one registrar to manage and operate at least one national register of wallet-relying parties.
4. Member States shall make the information set out in Annex I on registered wallet-relying parties publicly available online, both in human-readable form and in a form suitable for automated processing.
5. The information referred to in paragraph 2 shall be available through a single common application programming interface (‘API’) and through a national website. It shall be electronically signed or sealed by or on behalf of the registrar, in accordance with the common requirements for a single API set out in Section 1 of Annex II.
6. Member States shall ensure that the API referred to in paragraph 5 complies with the common requirements set out in Section 2 of Annex II.
7. Member States shall ensure that the registers comply with the relevant common registration policies set out in Article 4.
Article 4
Registration policies
1. Member States shall lay down and publish one or more national registration policies applicable to the national registers established in their territory.
2. Member States may include or reuse existing sectoral or national registration policies.
3. The national registration policy shall include at least information on:
(a) the identification and authentication procedures applicable to wallet-relying parties during the registration process;
(b) the required supporting documentation, regarding the identity, business registration, applicable entitlement or entitlements, and other relevant information on the wallet-relying party;
(c) the authentic sources or other official electronic records and where those sources or records can be relied upon to provide accurate data;
(d) any other information or other evidence required as part of the registration process;
(e) where applicable, the automated means of enabling wallet-relying parties to register or to update an existing registration;
(f) the redress mechanism available to wallet-relying parties under the laws and procedures of the Member State where the national register is established;
(g) the rules and procedures for the verification of the identity of the registered wallet-relying parties and of any other relevant information provided by that party.
4. The procedures and documentation referred to in paragraph 3, points (a) and (b), shall enable the wallet-relying parties to indicate which specific entitlement or entitlements it is acting under, as set out in Annex I.
5. Where appropriate, the requirements set out in the national registration policy shall not impede an automated registration process.
Article 5
Information to be provided to the national registers
Wallet-relying parties shall at least provide the information set out in Annex I to national registers.
Wallet-relying parties shall ensure that the information provided is accurate at the time of registration.
Wallet-relying parties shall update any information previously registered in the national register of wallet-relying parties without undue delay.
Article 6
Registration processes
1. Registrars shall establish easy to use electronic, and where possible, automated registration processes for wallet-relying parties.
2. Registrars shall process applications for registration without undue delay and provide a response to the application for registration to the applicant within the timeframe defined in the applicable registration policy, using appropriate means and in accordance with the laws and procedures of the Member State where the national register is established.
3. Where possible, registrars shall verify in an automated manner:
(a) the accuracy, validity, authenticity and integrity of the information required under Article 5;
(b) where applicable, the power of attorney of representatives of the wallet-relying parties drawn up and submitted in accordance with the laws and procedures of the Member State where the national register is established;
(c) the type of entitlement or entitlements of the wallet-relying parties as set out in Annex I;
(d) the absence of an existing registration in another national register.
4. Registrars shall verify the information set out in paragraph 3 against the supporting documentation provided by the wallet-relying parties or against appropriate authentic sources or other official electronic records in the Member State where the national register is established and to which the registrars have access in accordance with the applicable national laws and procedures.
5. The verification of entitlements of wallet-relying parties referred to in paragraph 3, point (c) shall be carried out in accordance with Annex III.
6. Where the registrar cannot verify the information in accordance with paragraphs 3 to 5, the registrar shall reject the registration.
7. When a wallet-relying party no longer intends to rely upon wallet units for the provision of public or private services under a specific registration, it shall notify the relevant registrar without undue delay and request the cancellation of that registration.
Article 7
Wallet-relying party access certificates
Member States shall authorise at least one certificate authority to issue wallet-relying party access certificates.