The Council adopted its common position (‘general approach’) on the proposed legislation regarding the framework for a European digital identity (eID). The revised regulation aims to ensure universal access for people and businesses to secure and trustworthy electronic identification and authentication by means of a personal digital wallet on a mobile phone.
“Digital technologies can make our life so easy. I am convinced that a European digital identity wallet is indispensable for our citizens and businesses. We are looking at a massive advancement in how people use their identity and credentials in everyday contact with both public and private entities, and in how they use digital services. All while firmly keeping control over their data.”
Ivan Bartos, Czech Deputy Prime Minister for digitalisation and Minister of Regional Development
In June 2021, the Commission proposed a framework for a European digital identity that would be available to all EU citizens, residents and businesses, via a European digital identity wallet.
The proposed new framework amends the 2014 regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS regulation), which laid the foundations for safely accessing public services and carrying out transactions online and across borders in the EU.
The proposal requires member states to issue a digital wallet under a notified eID scheme, built on common technical standards, following compulsory certification. To set up the necessary technical architecture, speed up the implementation of the revised regulation, provide guidelines to member states and avoid fragmentation, the proposal was accompanied by a recommendation for the development of a Union toolbox defining the technical specifications of the wallet.
The European digital identity wallet
One of the main policy objectives of the proposal is to provide citizens and other residents, as defined by national law, with a harmonised European digital identity means based on the concept of a European digital identity wallet.
As an electronic identification means (‘eID means’) issued under national schemes at assurance level ‘high’, the wallet would be an eID means in its own right, based on the issuance by member states of both the personal identification data and the wallet itself. The text of the Council’s general approach therefore further develops the concept of the wallet and its interplay with national electronic identification means.
Assurance levels should characterise the degree of confidence in the electronic identification means, thus providing assurance that the person claiming a particular identity is in fact the person to which that identity is assigned. In this respect, the wallet must be issued within an electronic identification system meeting the assurance level ‘high’.
Furthermore, a specific provision on the on-boarding of users has been added to address the concerns of member states where a significant number of national eID means at assurance level ‘substantial’ has already been issued.
The provision enables a user to use their national eID means in conjunction with additional remote on-boarding procedures to make identity proofing at assurance level ‘high’ possible and, ultimately, to obtain a wallet.
Since the draft eID regulation relies on cybersecurity certification schemes that should bring a harmonised level of trust in the security of wallets, the secure storage of cryptographic material is expected to become subject to cybersecurity certification too.
The text therefore contains a new recital addressing these technical preconditions for achieving assurance level ‘high’ and enabling a follow-up process within the implementation of European digital identity wallets.
Notification of relying parties
The part of the proposal on the notification of relying parties has been rephrased. As a rule, the notification process by means of which a relying party communicates its intent to rely on the wallet should be cost-effective and proportionate to risk, and should ensure that the relying party provides at least the information necessary to authenticate to the wallet.
By default, only minimum information is required, and the notification should allow for the use of automated or simple self-reporting procedures.
A specific regime may, however, be necessary due to sectoral requirements, such as those applicable to the processing of special categories of personal data. A provision has therefore been introduced aiming to cover cases where a more stringent registration or authorisation procedure is required.
Conversely, where Union or national law does not lay down specific requirements to access information provided by means of the wallet, member states may exempt such relying parties from the obligation to notify their intent to rely on wallets.
The regulation should leverage, rely on, and mandate the use of relevant and existing Cybersecurity Act certification schemes, or parts thereof, to certify the compliance of wallets, or parts thereof, with the applicable cybersecurity requirements.
Consequently, the Cybersecurity Act framework applies fully, including the peer review mechanism between national cybersecurity certification authorities provided within the Cybersecurity Act.
To align the eID regulation and the Cybersecurity Act to the extent possible, member states will designate public and private bodies accredited to certify the wallet as provided in the Cybersecurity Act.
Implementing period for the provision of the wallet and fees
Based on guidance by member states, the Council’s text proposes that the implementing period of 24 months be counted from the adoption of the implementing acts.
The text also clarifies that the issuance, use for authentication and revocation of wallets should be free of charge to natural persons.
However, when wallets are used for authentication, services relying on the use of the wallet may incur costs, e.g., the issuance of the electronic attestations of attributes to the wallet.
Access to hardware and software features
The text provides for explicit articulation with existing legislation, which ensures access to hardware and software features as part of core platform services provided by gatekeepers.
A newly added provision clarifies that providers of wallets and issuers of notified electronic identification means acting in a commercial or professional capacity are business users of gatekeepers within the meaning of the definition in the Digital Markets Act (DMA).
Wording has also been added to outline the implications of the interlink with the DMA, namely that gatekeepers should be required to ensure, free of charge, effective interoperability with, and access for the purposes of interoperability to, the same operating system, hardware or software features that are available or used in the provision of their own complementary and supporting services.
Alternate possibilities to issue electronic attestation of attributes by public bodies
The issuance of qualified electronic attestation of attributes by qualified providers has been retained, including the obligation for member states to ensure that attributes can be verified against an authentic source within the public sector.
In addition, a possibility has been introduced for electronic attestations of attributes with the same legal effects as qualified electronic attestations of attributes to be issued to the wallet directly by the public sector body responsible for the authentic source, or by a designated public sector body acting on behalf of the public sector body responsible for an authentic source, provided that the necessary requirements are met.
Regarding record matching, the concept of a unique and persistent identifier has been retained for wallets. The relevant definition clarifies that the identifier may consist of a combination of several national and sectoral identifiers if it serves its purpose.
It is explicitly stated that record matching may be facilitated by qualified electronic attestation of attributes. Furthermore, a safeguarding provision has been added, under which member states must ensure the protection of personal data and prevent the profiling of users. Lastly, member states, in their capacity as relying parties, must ensure record matching.
The adoption of the general approach will allow the Council to enter negotiations with the European Parliament (‘trilogues’) once the latter adopts its own position with a view to reaching an agreement on the proposed regulation.
The final text of the ‘general approach’ will be available at a later stage.