Commission Implementing Regulation (EU) 2025/1569 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards qualified electronic attestations of attributes and electronic attestations of attributes provided by or on behalf of a public sector body responsible for an authentic source

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Articles 45d(5), 45e(2), 45f(6) and 45f(7) thereof,

Whereas:

(1) Regulation (EU) No 910/2014 creates a legal framework for the issuance and validation of electronic attestations of attrib.utes, including an obligation for providers of electronic attestations of attributes to provide European Digital Identity Wallet (‘wallet’) users with the possibility to request, obtain, store and manage the electronic attestation of attributes irrespective of the Member State where the wallets are provided. Electronic attestations of attributes are crucial components for the establishment of a secure and interoperable European Digital Identity Wallet ecosystem (‘wallet ecosystem’). They enable users to share information with relying parties in a trusted manner in a variety of use cases.

(2) The interfaces with European Digital Identity Wallets to be provided by providers of qualified electronic attestations of attributes as set out in Article 45g of Regulation (EU) No 910/2014 underline the importance of the electronic attestations of attributes for the wallet ecosystem and facilitate their swift take up.

(3) The Commission regularly assesses new technologies, practices, standards and technical specifications. To ensure the highest level of harmonisation among Member States for the development and certification of the wallets, the technical specifications set out in this Regulation rely on the work carried out under Commission Recommendation (EU) 2021/946 of 3 June 2021 on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework (2) and in particular the Architecture and Reference Framework which is part of it. In accordance with Recital 75 of Regulation 2024/1183 of the European Parliament and of the Council (3), the Commission should review and, if necessary, update this Regulation, to keep it in line with global developments, the Architecture and Reference Framework and to follow the best practices on the internal market in particular regarding the issuance of electronic attestations of attributes and verification of attributes against authentic sources or designated intermediaries.

(4) Where providers of qualified electronic attestations of attributes and electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source issue attestations that claim to comply with the requirements of schemes for the attestation of attributes registered in the catalogue, policies and procedures for compliance with the requirements of those schemes should be part of the conformity assessment established in Regulation (EU) No 910/2014.

(5) Protecting against untrustworthy information is of high significance for the digitalisation of attestations. Therefore, qualified electronic attestations of attributes and electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source should be able to be revoked, or alternative measures should be implemented to compensate for the risks related to non-revocability. Certain circumstances, such as the explicit request of the person to whom the electronic attestation of attributes was issued, or where it is known to the provider that there has been a compromise of the security or trustworthiness of the qualified electronic attestations of attributes, or where required by Union or national law, should lead to revocation by the provider of an electronic attestation of attributes. To safeguard the fundamental rights to privacy and data protection of the user, notably by appropriately minimising risks of link ability and traceability, providers of qualified electronic attestations of attributes and electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source, should set up revocation management policies that are privacy preserving.

(6) In order to facilitate cooperation among Member States and the establishment of a secure and interoperable digital identity ecosystem, including the cross-border recognition and interoperability of qualified electronic attestations of attributes and electronic attestations of attributes provided by or on behalf of a public sector body responsible for an authentic source, simplified administrative communication procedures need to be established among the relevant stakeholders, including the publication of information to swiftly identify the relevant public sector bodies. Member States should notify the relevant attributes to the Commission. Therefore, to ensure the timely, efficient, and interoperable verification of these attributes, the relevant notifications to the Commission should be at least in English as this facilitates its wide accessibility, assessment, and comprehension and at the same time enhances cooperation among the relevant stakeholders. However, translation of already existing documentation should not cause unreasonable administrative or financial burdens.

(7) To enable users and service providers to verify that electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source were indeed issued by or on behalf of that public sector body, Member States should notify those public sector bodies to the Commission. When notifying public sector bodies that issue electronic attestations of attributes in accordance with Article 45f and Annex VII of Regulation (EU) No 910/2014, Member States are to provide a conformity assessment report confirming a level of reliability and trustworthiness equivalent to qualified trust service providers. However, unlike qualified trust service providers issuing qualified electronic attestations of attributes, for these public sector bodies, it is up to Member States how they ensure that the providers meet the requirements over time. To maintain a high level of trust in public sector attestations across the Union, Member States are therefore encouraged to share their best practices on how they ensure the continued reliability and trustworthiness through the European Digital Identity Cooperation Group established pursuant to Article 46e(1) of Regulation (EU) No 910/2014 (‘Cooperation Group’). The Commission should establish, maintain, and publish a list of providers and ensure that this list is easily accessible by the public.

(8) The Commission should establish a catalogue of attributes with the assistance of the Cooperation Group to facilitate the verification of attributes against authentic sources by qualified trust service providers issuing qualified electronic attestations of attributes. Registration in the catalogue of attributes should be mandatory for attributes listed in Annex VI to Regulation (EU) No 910/2014. For other attributes, registration would be optional.

(9) The Commission should establish a catalogue of schemes for the attestation of attributes with the assistance of the Cooperation Group to facilitate the issuance of attestations by qualified trust service providers issuing qualified electronic attestations of attributes and providers of electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source and to facilitate harmonisation and cross border interoperability of these attestations. The registration of schemes in the catalogue of schemes should be optional. Requests of registration. or changes in the catalogue should be made by the owner of the scheme for the attestation of attributes and may include attributes not listed in the catalogue of attributes. The Commission should assess those requests taking into account interoperability and harmonisation needs.

(10) To ensure that the catalogue of attributes provides meaningful information and reaches a high level of interoperability within the electronic attestation of attributes ecosystem, it should provide at least a minimum set of information, such as a semantic description of the attribute, the namespace of its identifier, and the data type of the attribute. For the same purpose, the catalogue of schemes for the attestation of attributes should contain descriptions for common types of electronic attestations of attributes and a description of the trust model and the governance mechanisms applied under the attestation scheme. The information contained in the catalogues should include versioning of attributes and schemes so that attestations issued according to specific versions are not affected by changes in those attributes and schemes.

(11) To ensure the effectiveness of the verification of attributes against authentic sources by qualified trust service providers issuing qualified electronic attestations of attributes, including via designated intermediaries that provide indirect verification mechanisms to service providers, Member States should set up, within the time limit set out in Article 45e(1) of Regulation (EU) No 910/2014, mechanisms that enable qualified trust service providers issuing qualified electronic attestations of attributes to request the verification of attributes. The mechanisms should allow qualified trust service providers issuing qualified electronic attestations of attributes to determine which attributes can be verified and how to verify them. These mechanisms should include details on access points and service protocols for checking attribute validity and accuracy and consider the possibility of offering a single verification point at national level.

(12) More specifically, Member States should make available to qualified trust service providers issuing qualified electronic attestations of attributes the mechanisms for accessing and using verification points for each one of the attributes listed in Annex VI of that Regulation (EU) No 910/2014, at national level. These mechanisms should allow qualified trust service providers issuing qualified electronic attestations of attributes to present, at the request of the user, specific attributes to a verification point for the issuance of the attestation and during its lifetime. The verification mechanisms should use electronic means suitable for automatic processing, and for obtaining responses as soon as possible from the verification point. This response should confirm if the attributes presented by the qualified trust service providers issuing qualified electronic attestations of attributes correspond to the attributes stored in relation to that user in the relevant authentic source and should specify the authentic source against which the verification was conducted. To avoid misconduct, such as unlawful or manifestly excessive verification requests, Member States may impose control mechanisms on the use of the verification points, where they deem this appropriate taking into account relevant factors, including whether the authentic sources contain information that should be considered as personal data or that is otherwise confidential or sensitive in nature under Union or national law.

(13) In accordance with the principles established by the Interoperable Europe Act (4), in order to facilitate the establishment of catalogue of attributes and catalogue of schemes for the attestation of attributes and reuse, as far as possible, existing catalogues, schemes and information, the Commission should, where appropriate, exploit synergies with the common services of the technical system pursuant to Regulation (EU) 2018/1724 of the Parliament and of the Council establishing a single digital gateway and amending Regulation (EU) No 1024/2012 (5).

(14) In order to enhance interoperability for electronic attestations of attributes issued by non-qualified trust service providers, the principles and requirements established in this Regulation may be followed by issuers of attestations with regard to non-qualified electronic attestation of attributes.

(15) Regulation (EU) 2016/679 of the European Parliament and of the Council (6) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (7) apply to the personal data processing activities under this Regulation.

(16) With the objective to provide the Commission and Member States with sufficient time to set up the list of providers of electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source, the requirements in this Regulation concerning the catalogue of attributes, the catalogue of schemes for the attestations of attributes, and the verification points for attributes, should become applicable 12 months after the date of entry into force of this Regulation.

(17) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (8) and delivered its opinion on 31 January 2025.

(18) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

Subject matter and scope

This Regulation lays down the reference standards, specifications, and procedures, to be updated on a regular basis to keep in line with technology and standards developments and with the work carried out on the basis of Recommendation (EU) 2021/946, and in particular the Architecture and Reference Framework, relating to:

(1) qualified electronic attestations of attributes;

(2) electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source;

(3) the list of providers of electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source;

(4) catalogue of attributes and catalogue of schemes for the attestations of attributes referred to in points (1) and (2);

(5) the verification of attributes with reference to authentic sources or designated intermediaries.

Article 2

Definitions

For the purpose of this Regulation, the following definitions apply:

(1) ‘wallet unit’ means a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user;

(2) ‘wallet user’ means a user who is in control of the wallet unit;

(3) ‘catalogue of attributes’ means a digital repository of attributes that is maintained and published online by the Commission;

(4) ‘scheme for the attestation of attributes’ means a set of rules applicable to one or more types of electronic attestation of attributes;

(5) ‘type of electronic attestation of attributes’ means a specifically named and semantically described group of electronic attestation of attributes;

(6) ‘catalogue of schemes for the attestation of attributes’ means a digital repository listing schemes for the attestation of attributes registered in accordance with this Regulation and that is maintained [and published online] by the Commission;

(7) ‘wallet solution’ means a combination of software, hardware, services, settings, and configurations, including wallet instances, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices;

(8) ‘wallet instance’ means the application installed and configured on a wallet user’s device or environment, which is part of a wallet unit, and which the wallet user uses to interact with the wallet unit;

(9) ‘wallet secure cryptographic application’ means an application that manages critical assets by being linked to and using the cryptographic and non-cryptographic functions provided by the wallet secure cryptographic device;

(10) ‘wallet secure cryptographic device’ means a tamper-resistant device that provides an environment that is linked to and used by the wallet secure cryptographic application to protect critical assets and provide cryptographic functions for the secure execution of critical operations;

(11) ‘wallet provider’ means a natural or legal person who provides wallet solutions;

(12) ‘critical assets’ means assets within or in relation to a wallet unit of such extraordinary importance that where their availability, confidentiality or integrity are compromised, this would have a very serious, debilitating effect on the ability to rely on the wallet unit;

(13) ‘owner of a scheme for the attestation of attributes’ means an entity responsible for establishing and maintaining a scheme for the attestation of attributes.

Article 3

Issuance of qualified electronic attestations of attributes and electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source

Article 4

Revocation of qualified electronic attestations of attributes and electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source