EUDI Wallet - Certification
COMMISSION IMPLEMENTING REGULATION (EU) 2024/XXX
The European Commission has published a draft Implementing Act under Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market. The draft lays down specific rules for the certification of European Digital Identity Wallets. Those certification requirements aim to ensure the security and trustworthiness of wallet solutions across Member States, promoting harmonisation and preventing market fragmentation.
The document outlines the certification process for wallet providers, detailing the functional and cybersecurity requirements, incident management, and the lifecycle of certification for European Digital Identity Wallets. It also specifies the role of national certification schemes and the responsibilities of certification bodies in maintaining the integrity of wallet solutions.
CHAPTER I - GENERAL PROVISIONS
Article 1 Definitions
For the purpose of this Regulation, the following definitions apply:
‘wallet solution’ means a combination of software, hardware, services, settings, and configurations, including wallet instances, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices, and which is managed and operated by a wallet provider;
‘wallet instance’ means the application installed and configured on a wallet user’s device or environment, which is part of a wallet unit, and that the wallet user uses to interact with the wallet unit;
‘wallet secure cryptographic application’ (WSCA) means an application that manages critical assets by using the cryptographic functions provided by the wallet secure cryptographic device;
‘wallet provider’ means a natural or legal person who provides wallet solutions;
‘wallet unit’ means a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user;
‘wallet user’ means a natural or legal person who is the subject of the person identification data associated with the wallet unit that they are in control of;
‘wallet secure cryptographic device’ (WSCD) means an environment that hosts the wallet secure cryptographic application and provides cryptographic functions;
‘wallet cryptographic operation’ means a cryptographic mechanism necessary in the context of authentication of the wallet user and the issuance or presentation of person identification data or electronic attestations of attributes;
‘critical assets’ means information whose compromise would put a wallet unit in a critical state, and which therefore needs protection against duplication and tampering;
‘provider of person identification data’ means a natural or legal person responsible for ensuring that the person identification data of a user is cryptographically bound to a wallet unit;
‘risk register’ means a record of information relevant to the certification process about identified risks;
‘scheme owner’ means an organisation which is responsible for maintaining a certification scheme;
‘object of certification’ means products, processes and services or a combination thereof to which specified requirements apply;
‘incident’ means an incident as defined in point (6) of Article 6 of Directive (EU) 2022/2555.
CHAPTER II - NATIONAL CERTIFICATION SCHEMES
Article 2 Establishment and scope
1. Member States shall establish national certification schemes for the purposes of the certification of a wallet solution and the electronic identification scheme under which that wallet solution is provided, in accordance with Article 5c(3) of Regulation (EU) No 910/2014.
2. Member States shall identify scheme owners for all national certification schemes.
3. The object of certification defined in national certification schemes shall be the provision and operation of wallet solutions, and of the electronic identification schemes under which those wallet solutions are provided.
4. In accordance with the Annex to Implementing Regulation (EU) 2015/1502, the object of certification in national certification schemes shall include the following elements:
(a) the software components of a wallet solution and of the electronic identification scheme under which it is provided;
(b) the processes that support the provision and operation of a wallet solution, including the user onboarding process as referred to in Article 5a of Regulation (EU) No 910/2014, covering at least enrolment and management.
5. National certification schemes shall cover the specific architecture of a wallet solution and of the electronic identification scheme under which that wallet solution is provided. When national certification schemes cover more than one specific architecture, they shall include different sub-schemes, each covering a specific architecture.
6. For each specific architecture, national certification schemes shall set out at least the following aspects:
(a) the specific architecture of a wallet solution and of the electronic identification scheme under which it is provided;
(b) the security functions associated with the assurance levels set out in Article 8 of Regulation (EU) No 910/2014;
(c) the security requirements necessary to cover the cybersecurity risks identified in the risk register set out in Annex I of this Regulation, up to the required assurance level, and to meet, where applicable, the following objectives:
– to protect stored, transmitted or otherwise processed data against accidental or unauthorised storage, processing, access or disclosure during the entire life cycle of the objects of certification,
– to protect stored, transmitted or otherwise processed data against accidental or unauthorised destruction, loss or alteration, or lack of availability, during the entire life cycle of the objects of certification,
– that authorised persons, programs or machines are able to access only the data, services or functions to which their access rights refer,
– to identify and document known dependencies and vulnerabilities,
– to verify that the objects of certification do not contain known vulnerabilities,
– to restore the availability of, and access to, data, services and functions in a timely manner in the event of a physical or technical incident,
– that the objects of certification are secure by default and by design,
– that the objects of certification are provided with up-to-date software and hardware that do not contain publicly known vulnerabilities, and are provided with mechanisms for secure updates;
(d) a mapping of the functions referred to in point (b) of this paragraph to the components of the architecture;
(e) an evaluation plan in accordance with section 7.4.1 of EN ISO/IEC 17065:2012, Conformity assessment – Requirements for bodies certifying products, processes and services;
(f) a description of how the security functions, the mapping, the security requirements and the evaluation plan referred to in points (b) to (e) allow wallet providers to adequately address the cybersecurity risks identified in the risk register referred to in point (c), up to the required assurance level.
7. The evaluation plan referred to in paragraph 6, point (e), shall be tailored to a wallet solution architecture and shall describe the evaluation activities to be included in the evaluation of a wallet solution, and of the electronic identification scheme under which it is provided, when that wallet solution is based on that architecture.
8. National certification schemes shall contain an evaluation activity to determine whether the implementation of a wallet solution and of the electronic identification scheme under which it is provided matches the architecture set out in paragraph 6, point (a), as well as an evaluation activity to determine whether the evaluation plan proposed together with the implementation matches the evaluation plan referred to in paragraph 6, point (e).
9. The evaluation activity referred to in paragraph 8 shall require wallet providers to provide information meeting the requirements listed in Annex II.
Article 3 General requirements
1. National certification schemes shall cover functional and cybersecurity requirements which shall reference, when available and relevant, the following certification schemes:
(a) European cybersecurity certification schemes established pursuant to Regulation (EU) 2019/881, including the EUCC;
(b) national cybersecurity certification schemes covered by the EUCC, in accordance with Article 49 of Implementing Regulation (EU) 2024/482.
2. National certification schemes may, in addition to the requirements referred to in paragraph 1, refer to:
(a) other relevant national certification schemes;
(b) international, European and national standards;
(c) technical specifications that meet the requirements set out in Annex II to Regulation (EU) No 1025/2012.
3. National certification schemes shall:
(a) specify the elements listed in section 6.5 of EN ISO/IEC 17067;
(b) be implemented as a type 6 scheme, in accordance with section 5.3.8 of EN ISO/IEC 17067.
4. National certification schemes shall comply with the following requirements:
(a) only wallet providers referred to in Article 5a(2) of Regulation (EU) No 910/2014 shall be eligible to be certified under the national certification schemes;
(b) only the EU Digital Identity Wallet Trust Mark, as referred to in Article 5a(5) of Regulation (EU) No 910/2014, shall be used as the mark of conformity;
(c) wallet providers shall include at least references to Regulation (EU) No 910/2014 and to this Regulation when making reference to the scheme;
(d) the responsibilities and the legal action to be taken where certification under the scheme is used fraudulently shall be established.
Article 4 Incident and vulnerability management
1. National certification schemes shall contain incident and vulnerability management requirements in accordance with paragraphs 2 to 9.
2. National certification schemes shall contain requirements for the holder of a certificate of conformity of a wallet solution, and of the electronic identification scheme under which that wallet solution is provided, to notify their certification body, without undue delay, of any breach or compromise of the wallet solution, or of the electronic identification scheme under which it is provided, that is likely to impact its conformity with the requirements of the national certification scheme.
3. National certification schemes shall contain requirements for the holder of a certificate of conformity to establish and maintain all necessary vulnerability management procedures, taking into account the procedures set out in existing European and international standards, including EN ISO/IEC 30111.
4. National certification schemes shall contain requirements for the holder of the certificate of conformity to notify the certification body that issued that certificate of conformity of vulnerabilities and changes affecting the wallet solution, based on defined criteria on the impact of those vulnerabilities and changes.
5. National certification schemes shall contain requirements for the holder of the certificate of conformity to produce a vulnerability impact analysis report for any vulnerability that originates from the software components of the wallet solution, including the following information:
(a) the impact of the vulnerability on the certified wallet solution;
(b) the possible risks associated with the proximity or availability of an attack, that is, how close a practical attack is to being possible, or whether one is already available;
(c) whether the vulnerability can be remedied using available means;
(d) where the vulnerability can be remedied using available means, possible ways to remedy the vulnerability.
6. The holder of the certificate of conformity shall transmit, without undue delay, the vulnerability impact analysis report referred to in paragraph 5 to the certification body.
7. National certification schemes shall contain requirements for the holder of the certificate of conformity to establish, maintain and operate a vulnerability management policy meeting the requirements set out in Annex I to the Cyber Resilience Act.
8. National certification schemes shall establish vulnerability disclosure requirements applicable to supervisory bodies.
9. National certification schemes shall contain requirements for the holder of the certificate of conformity to disclose and register any publicly known and remediated vulnerability in the wallet solution in the European vulnerability database, established in accordance with Article 12(2) of Directive (EU) 2022/2555, or in other online repositories referred to in Article 55(1), point (d), of Regulation (EU) 2019/881.
CHAPTER III - REQUIREMENTS ON SCHEME OWNERS
Article 6 General requirements
1. Scheme owners shall maintain national certification schemes and govern their operation.
2. Scheme owners may subcontract all or part of the operation of national certification schemes to a third party. When subcontracting to a private party, scheme owners shall set out the duties and responsibilities of all parties by contract. Scheme owners shall remain responsible for all subcontracted activities performed by their subcontractors.
3. Scheme owners shall perform their monitoring activities in particular on the basis of the following information:
(a) information coming from certification bodies, national accreditation bodies and relevant market surveillance authorities;
(b) information resulting from their own or another authority’s audits and investigations;
(c) complaints received pursuant to Article 14.
4. Scheme owners shall notify the Cooperation Group of their revisions of the national certification schemes. That notification shall provide adequate information for the Cooperation Group to issue recommendations and opinions about the updated national certification schemes. Those recommendations and opinions should be considered by scheme owners.
CHAPTER IV - REQUIREMENTS ON WALLET PROVIDERS
Article 7 Certification requirements
1. National certification schemes shall contain cybersecurity requirements based on an analysis of each specific supported architecture. Those cybersecurity requirements shall aim to mitigate the identified high-level cybersecurity risks, as established in the risk register set out in Annex I.
2. In line with Article 5a(23) of Regulation (EU) No 910/2014, national certification schemes shall require wallet solutions and the electronic identification schemes under which they are provided to be resistant against attackers with high attack potential for assurance level high, as referred to in section 2.2.1 of the Annex to Implementing Regulation (EU) 2015/1502.
3. The provider of the wallet solution and the electronic identification scheme under which the wallet solution is provided shall comply with the security criteria established by national certification schemes, which shall include the following requirements:
(a) the essential requirements set out in Annex I to the Cyber Resilience Act, where applicable, or requirements meeting the security objectives set out in Article 51 of Regulation (EU) 2019/881;
(b) the establishment and implementation of policies and procedures concerning the management of risks associated with the operation of a wallet solution, including the identification and assessment of risks and the treatment of the identified risks;
(c) the establishment and implementation of policies and procedures related to the management of changes and to the management of vulnerabilities in accordance with Article 4 of this Regulation;
(d) the establishment and implementation of human resource management policies and procedures, including requirements on the expertise, reliability, experience, security training and qualifications of personnel involved in the development or operation of the wallet solution;
(e) requirements on the wallet solution's operating environment, including in the form of assumptions on the security of the devices and platforms on which the software components of the wallet solution run, and, where applicable and relevant, conformity assessment requirements to confirm that those assumptions are met on the relevant devices and platforms;
(f) for each assumption that is not backed by a certificate of conformity or other acceptable assurance information, a description of the mechanism that the wallet provider uses to enforce the assumption, as well as a justification that the mechanism is sufficient to ensure that the assumption is met;
(g) the establishment and implementation of measures to ensure the consistency between the various components of the wallet solution;
(h) the establishment and implementation of measures to ensure the use of a currently certified version of the wallet solution.
4. For the purposes of paragraph 3, point (g), consistency refers to whether the components of the wallet solution, such as a variant of the wallet instance and a specific WSCA, are intended to function together and are provided in versions that function together as intended.
5. National certification schemes shall contain functional requirements with which the provider of the wallet solution and the electronic identification scheme under which the wallet solution is provided shall comply. The requirements shall include the following aspects:
(a) functional requirements on update mechanisms for every software component of a wallet solution and of the electronic identification scheme under which it is provided;
(b) functional requirements for the operations listed in Annex III.
6. National certification schemes shall contain requirements for the applicant for certification to provide, or otherwise make available to the certification body, the following information:
(a) evidence related to the information referred to in Annex IV, point 1, including where necessary details on the wallet solution and its source code, including:
– architecture information: for every component of the wallet solution (including product, process and service components), a description of its essential security properties, including its external dependencies,
– functions and assurance levels: for every security function of the wallet solution, a description of the function and the required assurance level, based on the Annex to Implementing Regulation (EU) 2015/1502, which sets out a number of technical specifications and procedures that apply to the various functions implemented by electronic identification means,
– mapping of the functions to architecture components: a description of how the functions of the wallet are implemented using the different components of the wallet solution, based on a rationale explaining why a given assurance level is required and how the function is implemented with all required security aspects at the appropriate level,
– evaluation plan for each component of the solution, and for the integration of those components: the proposed plan of the activities to be performed by the certification body to confirm that the implementation of the wallet solution and of the electronic identification scheme under which it is provided meets the requirements of national certification schemes,
– rationale and justification of risk coverage: a justification of the mapping of functions to components, of the suitability of the proposed evaluation plan to appropriately cover all functions, and of the coverage of the cybersecurity risks identified in the risk register by the functions and the evaluation plan at the appropriate assurance level;
(b) the information listed in Annex V, which shall also be made publicly available;
(c) a complete list of the certificates of conformity and other assurance information used as evidence during the evaluation activities;
(d) any other information relevant for the evaluation activities.
CHAPTER V - REQUIREMENTS ON CERTIFICATION BODIES
Article 8 General requirements
1. Certification bodies shall be accredited in accordance with EN ISO/IEC 17065:2012, Conformity assessment – Requirements for bodies certifying products, processes and services, provided that they comply with the requirements set out in national certification schemes in accordance with paragraph 2.
2. For the purposes of accreditation, certification bodies shall comply with all of the following competence requirements:
(a) detailed and technical knowledge of the relevant architectures of a wallet solution and of the electronic identification scheme under which that wallet solution is provided, as well as of the threats and risks impacting those architectures;
(b) knowledge of available security solutions and of their properties pursuant to the Annex to Implementing Regulation (EU) 2015/1502;
(c) knowledge of the activities performed by virtue of certificates of conformity applying to components of the wallet solution and of the electronic identification scheme under which the wallet solution is provided, as the object of certification.
3. Certification bodies shall perform their monitoring activities in particular on the basis of the following information:
(a) information coming from certification bodies, national accreditation bodies and relevant market surveillance authorities;
(b) information resulting from their own or another authority’s audits and investigations;
(c) complaints received pursuant to Article 14.
CHAPTER VI - CONFORMITY ASSESSMENT ACTIVITIES
Article 12 Evaluation activities
1. National certification schemes shall contain methods and procedures to be used by the conformity assessment bodies when conducting their evaluation activities in accordance with EN ISO/IEC 17065:2012, Conformity assessment – Requirements for bodies certifying products, processes and services, which shall include at least the following aspects:
(a) the methods and procedures to conduct evaluation activities, including those related to the WSCD, as set out in Annex IV;
(b) the audit of the implementation and evaluation plan of the wallet solution and of the electronic identification scheme under which it is provided, based on the latest risk register as set out in Annex I, complemented where necessary by implementation-specific risks;
(c) functional testing activities, based, when available, on test suites that are defined according to technical specifications or standards and are appropriate for the conduct of such functional testing activities;
(d) an assessment of the existence and suitability of maintenance processes, including at least version management, update management and vulnerability management;
(e) an assessment of the operating effectiveness of the maintenance processes, including at least version management, update management and vulnerability management;
(f) a dependency analysis activity, including a methodology to assess the acceptability of assurance information provided by the wallet provider, which shall include the elements set out in Annex VI;
(g) a vulnerability assessment, at the appropriate level, including at least the following aspects:
– a review of the design of the wallet solution and, where relevant, of its source code;
– testing of the resistance of the wallet solution against attackers with high attack potential for assurance level high, pursuant to section 2.2.1 of the Annex to Implementing Regulation (EU) 2015/1502;
(h) for regular vulnerability assessments, a process to assess the evolution of the threat environment and its impact on the coverage of the risks by the wallet solution, in order to determine which evaluation activities are required on the various components of the wallet solution.
2. National certification schemes shall set out sampling rules, in order to avoid the repetition of identical evaluation activities and to focus on activities that are specific to a given variant. Those sampling rules shall allow functional and security tests to be performed on only a sample of the variants of a target component of a wallet solution and of the electronic identification scheme under which it is provided, and on only a sample of target devices. National certification schemes shall require all certification bodies to justify their use of sampling.
3. National certification schemes shall require the evaluation, by the certification body, of the WSCA based on the methods and procedures set out in Annex IV.
CHAPTER VII - CERTIFICATION LIFECYCLE
Article 17 Certification lifecycle
1. The validity of certificates of conformity issued under national certification schemes shall be subject to regular evaluation activities by the certification body, carried out in accordance with the requirements set out in Annex IX. The evaluation activities shall include at least the following activities:
(a) a yearly surveillance evaluation consisting of the verification of the operating effectiveness of the maintenance processes, including at least version management, change management and vulnerability management;
(b) a vulnerability assessment every two years, including a review of the coverage of the risks in the risk register, taking into account updated risks;
(c) additional activities, such as penetration testing, in case of an increased risk level or the emergence of new threats.
2. National certification schemes shall contain a process for the recertification of a wallet solution and of the electronic identification scheme under which it is provided, upon request of the holder of the certificate of conformity before the expiry of the initial certificate of conformity. That process for recertification shall include a full evaluation of the wallet solution and of the electronic identification scheme under which it is provided, including a vulnerability assessment, following the principles set out in Annex IX.
3. National certification schemes shall contain a process for managing changes in a certified wallet solution and the electronic identification scheme under which it is provided. That process for managing changes shall include a subprocess to determine whether a change is to be covered by a special evaluation as referred to in paragraph 4 or by the verification of the operating effectiveness of the maintenance processes as referred to in paragraph 1, point (a).
4. National certification schemes shall contain a process for special evaluations in accordance with EN ISO/IEC 17065:2012, Conformity assessment – Requirements for bodies certifying products, processes and services. That process for special evaluations shall include a selection of activities to be performed to address the specific issue that triggered the special evaluation.
5. National certification schemes shall set out rules related to the cancellation of a certificate of conformity.
CHAPTER VIII - RECORDKEEPING AND PROTECTION OF INFORMATION
Article 18 Retention of records
1. National certification schemes shall contain requirements for certification bodies concerning a record system for all relevant information produced in connection with the conformity assessment activities that they perform, including data issued to and received from wallet providers and the electronic identification schemes under which the wallets are provided. The records of such information shall be stored in a secure manner. The records may be kept electronically and shall remain accessible for as long as required by Union law or national law, and for at least five years after the cancellation or expiry of the relevant certificate of conformity.
2. National certification schemes shall set out requirements for the holder of the certificate of conformity to store the following information securely for the purposes of this Regulation, and for at least five years after the cancellation or expiry of the relevant certificate of conformity:
(a) records of the information provided to the certification body or any of its subcontractors during the certification process;
(b) specimens of the certified wallet solution.
3. National certification schemes shall require the holder of the certificate of conformity to make the information referred to in paragraph 1 available to the certification body or to the supervisory body referred to in Article 46a(1) of Regulation (EU) No 910/2014 upon request.
CHAPTER IX - FINAL PROVISIONS
Article 20 Transition to a European cybersecurity certification scheme
This Regulation shall be subject to periodic review, the first upon the adoption of the first European cybersecurity certification scheme for wallet solutions and the electronic identification schemes under which they are provided, with the objective of taking into account the contribution of such a European cybersecurity certification scheme to the overall certification of wallet solutions and of the electronic identification schemes under which they are provided.
Article 21 Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.