EUDI Wallet - Certification

Commission Implementing Regulation (EU) 2024/2981, adopted on 28 November 2024, establishes certification requirements for European Digital Identity Wallets under Regulation (EU) No 910/2014. This regulation defines the functional, cybersecurity, and data protection standards that wallets must meet to ensure secure and interoperable digital identity solutions across EU Member States. By setting these certification criteria, the regulation fosters trust and reliability within the European Digital Identity ecosystem, enabling seamless cross-border digital interactions for citizens and businesses.

An electronic edition of the regulation is available here.

CHAPTER I - GENERAL PROVISIONS

Article 1 - Subject matter and scope

This Regulation sets out reference standards and establishes specifications and procedures to build a robust framework for the certification of wallets to be updated on a regular basis to keep in line with technology and standards developments and with the work carried out on the basis of Recommendation (EU) 2021/946 on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework, and in particular the Architecture and Reference Framework.

Article 2 - Definitions

For the purpose of this Regulation, the following definitions apply:

  1. ‘wallet solution’ means a combination of software, hardware, services, settings, and configurations, including wallet instances, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices;
  2. ‘scheme owner’ means an organisation which is responsible for developing and maintaining a certification scheme;
  3. ‘object of certification’ means products, processes and services or a combination thereof to which specified requirements apply;
  4. ‘wallet secure cryptographic application’ means an application that manages critical assets by being linked to and using the cryptographic and non-cryptographic functions provided by the wallet secure cryptographic device;
  5. ‘wallet instance’ means the application installed and configured on a wallet user’s device or environment, which is part of a wallet unit, and that the wallet user uses to interact with the wallet unit;
  6. ‘wallet secure cryptographic device’ means a tamper-resistant device that provides an environment that is linked to and used by the wallet secure cryptographic application to protect critical assets and provide cryptographic functions for the secure execution of critical operations;
  7. ‘risk register’ means a record of information relevant to the certification process about identified risks;
  8. ‘wallet provider’ means a natural or legal person who provides wallet solutions;
  9. ‘certification body’ means a third-party conformity assessment body operating certification schemes;
  10. ‘wallet unit’ means a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user;
  11. ‘critical assets’ means assets within or in relation to a wallet unit of such extraordinary importance that where their availability, confidentiality or integrity are compromised, this would have a very serious, debilitating effect on the ability to rely on the wallet unit;
  12. ‘wallet user’ means a user who is in control of the wallet unit;
  13. ‘incident’ means an incident as defined in point (6) of Article 6 of Directive (EU) 2022/2555 of the European Parliament and of the Council;
  14. ‘embedded disclosure policy’ means a set of rules, embedded in an electronic attestation of attributes by its provider, that indicates the conditions that a wallet-relying party has to meet to access the electronic attestation of attributes.

CHAPTER II - NATIONAL CERTIFICATION SCHEMES

Article 3 - Establishment of national certification schemes

  1. Member States shall assign a scheme owner for each national certification scheme.

  2. The object of certification defined in national certification schemes shall be the provision and operation of wallet solutions and of the electronic identification schemes under which they are provided.

  3. In accordance with Implementing Regulation (EU) 2015/1502, the object of certification in national certification schemes shall include the following elements:
    (a) the software components, including settings and configurations of a wallet solution and of the electronic identification scheme under which the wallet solutions are provided;
    (b) the hardware components and platforms on which the software components referred to in point (a) run or rely upon for critical operations, in cases where they are provided directly or indirectly by the wallet solution and electronic identification scheme under which they are provided and when they are required to meet the desired level of assurance for those software components. When the hardware components and platforms are not provided by the wallet provider, national certification schemes shall formulate assumptions for evaluation of the hardware components and platforms, under which resistance against attackers with high attack potential in line with Implementing Regulation (EU) 2015/1502 can be provided, and specify the evaluation activities to confirm these assumptions as referred to in Annex IV;
    (c) the processes that support the provision and operation of a wallet solution, including the user onboarding process as referred to in Article 5a of Regulation (EU) No 910/2014, covering at least enrolment, electronic means management and organisation pursuant to section 2.1, 2.2, and 2.4 of Annex I to Implementing Regulation (EU) 2015/1502.

  4. National certification schemes shall include a description of the specific architecture of the wallet solutions and of the electronic identification scheme under which they are provided. When national certification schemes cover more than one specific architecture, they shall include a profile for each specific architecture.

  5. For each profile, national certification schemes shall set out at least the following:
    (a) the specific architecture of a wallet solution and of the electronic identification scheme under which they are provided;
    (b) the security controls associated with the assurance levels set out in Article 8 of Regulation (EU) No 910/2014;
    (c) an evaluation plan drawn up in accordance with section 7.4.1 of EN ISO/IEC 17065:2012;
    (d) the security requirements necessary to address the cybersecurity risks and threats listed in the risk register set out in Annex I of this Regulation, up to the required assurance level, and to meet, where applicable, the objectives defined in Article 51 of Regulation (EU) 2019/881;
    (e) a mapping of the controls referred to in point (b) of this paragraph to the components of the architecture;
    (f) a description of how the security controls, the mapping, the security requirements and the evaluation plan referred to in points (b) to (c) allow providers of wallet solutions and the electronic identification scheme under which they are provided to adequately address the cybersecurity risks and threats identified in the risk register referred to in point (d), up to the required assurance level based on a risk assessment to refine and complement the risks and threats listed in the risk register with risks and threats specific to the architecture.

  6. The evaluation plan referred to in paragraph 5, point (c) shall list evaluation activities to be included in the evaluation of wallet solutions and of the electronic identification scheme under which they are provided.

  7. The evaluation activity referred to in paragraph 6 shall require providers of wallet solutions and the electronic identification scheme under which they are provided to provide information meeting the requirements listed in Annex II.

Article 4 - General requirements

  1. National certification schemes shall cover functional, cybersecurity and data protection requirements by using, when available and applicable, the following certification schemes:
    (a) European cybersecurity certification schemes established pursuant to Regulation (EU) 2019/881, including the EUCC;
    (b) national cybersecurity certification schemes covered by the EUCC, in accordance with Article 49 of Implementing Regulation (EU) 2024/482.

  2. National certification schemes may, in addition, when available and applicable, refer to:
    (a) other relevant national certification schemes;
    (b) international, European, and national standards;
    (c) technical specifications that meet the requirements set out in Annex II to Regulation (EU) No 1025/2012 of the European Parliament and of the Council.

  3. National certification schemes shall:
    (a) specify the elements listed in section 6.5 of EN ISO/IEC 17067:2013;
    (b) be implemented as a type 6 scheme, in accordance with section 5.3.8 of EN ISO/IEC 17067:2013.

  4. National certification schemes shall comply with the following requirements:
    (a) only providers referred to in Article 5a(2) of Regulation (EU) No 910/2014 are eligible to be issued certificates under the national certification schemes;
    (b) only the Trust Mark is used as mark of conformity;
    (c) providers of wallet solutions and the electronic identification scheme under which they are provided include references to Regulation (EU) No 910/2014 and this Regulation when referring to the scheme;
    (d) providers of wallet solutions and the electronic identification scheme under which they are provided, complement the scheme’s risk assessment as referred to in Article 3, paragraph 5 point (f), to identify risks and threats specific to their implementation and propose appropriate treatment measures for all relevant risks and threats;
    (e) responsibilities and the legal action are established and include references to the applicable national legislation, which defines the responsibilities and possible legal action, where certification under the scheme is being used fraudulently.

  5. The assessment referred to in paragraph 4, point (d) shall be shared with the certification body for evaluation.

Article 5 - Incident and vulnerability management

  1. National certification schemes shall contain incident and vulnerability management requirements in accordance with paragraphs 2 to 9.
  2. The holder of a certificate of conformity of a wallet solution and of the electronic identification scheme under which it is provided shall notify their certification body without undue delay of any breach or compromise of the wallet solution, or of the electronic identification scheme under which it is provided, that is likely to impact its conformity with the national certification schemes’ requirements.
  3. The holder of a certificate of conformity shall establish, maintain and operate a vulnerability management policy and procedures, taking into account the procedures set out in existing European and international standards, including EN ISO/IEC 30111:2019.
  4. The holder of the certificate of conformity shall notify the issuing certification body of the vulnerabilities and changes affecting the wallet solution, based on defined criteria on the impact of these vulnerabilities and changes.
  5. The holder of the certificate of conformity shall prepare a vulnerability impact analysis report for any vulnerability that affects the software components of the wallet solution. The report shall include the following information:
    (a) the impact of the vulnerability on the certified wallet solution;
    (b) possible risks associated with the proximity or likelihood of an attack;
    (c) whether the vulnerability can be remedied using available means;
    (d) where the vulnerability can be remedied using available means, possible ways to remedy the vulnerability.
  6. Where notification is required in paragraph 4, the holder of the certificate of conformity shall transmit, without undue delay, the vulnerability impact analysis report referred to in paragraph 5 to the certification body.
  7. The holder of a certificate of conformity shall establish, maintain and operate a vulnerability management policy meeting the requirements set out in Annex I to the Cyber Resilience Act.
  8. National certification schemes shall establish vulnerability disclosure requirements applicable to certification bodies.
  9. The holder of a certificate of conformity shall disclose and register any publicly known and remediated vulnerability in the wallet solution or in one of the online repositories referred to in Annex V.

Article 6 - Maintenance of national certification schemes

  1. National certification schemes shall contain a process for reviewing their operation on a periodic basis. That process shall aim at confirming their adequacy and at identifying aspects requiring improvement, taking into account feedback from stakeholders.
  2. National certification schemes shall include provisions concerning their maintenance. This process shall include at least the following requirements:
    (a) rules for the governance of the national certification schemes’ definition and requirements;
    (b) the establishment of timelines for the issuance of certificates following the adoption of updated versions of the national certification schemes, both for new certificates of conformity and for previously issued ones;
    (c) a periodic review of the national certification schemes, to ensure that the national certification schemes’ requirements are being applied in a consistent manner, taking into account at least the following aspects:
    — requests for clarification addressed to the scheme owner related to the national certification scheme requirements;
    — feedback from stakeholders and other interested parties;
    — responsiveness of the national certification scheme owner to requests of information.
    (d) rules for monitoring reference documents and procedures for the evolution of national certification schemes’ reference versions, including at least transition periods;
    (e) a process to ensure the latest cybersecurity risks and threats as listed in the risk register set out in Annex I of this Regulation are covered;
    (f) a process for managing other changes in national certification schemes.
  3. National certification schemes shall contain requirements for performing evaluations on currently certified products within a certain period after the revision of the scheme, or after the release of new specifications or standards, or new versions thereof, with which the wallet solutions and the electronic identification scheme under which they are provided shall comply.

CHAPTER III - REQUIREMENTS RELATING TO SCHEME OWNERS

Article 7 - General requirements

  1. Scheme owners shall develop and maintain national certification schemes and govern their operations.
  2. Scheme owners may subcontract all or part of their tasks to a third party. When subcontracting to a private party, scheme owners shall set out the duties and responsibilities of all parties by contract. Scheme owners shall remain responsible for all subcontracted activities performed by their subcontractors.
  3. Scheme owners shall perform their monitoring activities, if applicable, at least on the basis of the following information:
    (a) information coming from certification bodies, national accreditation bodies, and relevant market surveillance authorities;
    (b) information resulting from its own or another authority’s audits and investigations;
    (c) complaints and appeals received pursuant to Article 15.
  4. Scheme owners shall inform the Cooperation Group of revisions to the national certification schemes. That notification shall provide adequate information for the Cooperation Group to issue recommendations to scheme owners and opinions about the updated national certification schemes.

CHAPTER IV - REQUIREMENTS RELATING TO PROVIDERS OF WALLET SOLUTIONS AND THE ELECTRONIC IDENTIFICATION SCHEME UNDER WHICH THEY ARE PROVIDED

Article 8 - General requirements

  1. National certification schemes shall contain cybersecurity requirements based on a risk assessment of each specific supported architecture. Those cybersecurity requirements shall aim to treat the identified cybersecurity risks and threats, as established in the risk register set out in Annex I.
  2. In line with Article 5a(23) of Regulation (EU) No 910/2014, national certification schemes shall require wallet solutions, and the electronic identification schemes under which they are provided, to be resistant against attackers with high attack potential for assurance level high, as referred to in Implementing Regulation (EU) 2015/1502.

CHAPTER IX - FINAL PROVISIONS

Article 21 - Transition to a European cybersecurity certification scheme

This Regulation shall be subject to review, on the adoption of the first European cybersecurity certification scheme for wallet solutions and the electronic identification schemes under which they are provided, with the objective of taking into account the contribution of such a European cybersecurity certification scheme to the overall certification of wallet solutions and the electronic identification schemes under which they are provided.

Article 22 - Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 28 November 2024.