Skip to main content

EUDI Wallet - Cross-border identity matching

Commission Implementing Regulation (EU) 2025/846 establishes detailed rules under Regulation (EU) No 910/2014. This regulation aims to ensure consistent standards across EU Member States, enhancing trust and interoperability within the European Digital Identity ecosystem.

An electronic edition of the same is available here.

Article 1: Subject matter

This Regulation lays down rules for cross-border identity matching of natural persons by public sector bodies or by bodies acting on behalf of a public sector body, to be updated on a regular basis to keep in line with technology and standards developments and with the work carried out on the basis of Recommendation (EU) 2021/946, and in particular the Architecture and Reference Framework.

Article 2: General requirements

  1. Where a public sector body acts as a relying party in the context of an online cross-border service offered by or on behalf of that public sector body, Member States shall ensure that the process set out in paragraph 2 is used to ensure unequivocal identity matching of natural persons.

  2. Unequivocal identity matching shall be done by, or on behalf of, the relying party, or a register relied upon by relying parties, or a centralised system, by requesting, as applicable, receiving, and validating the authenticity of the information listed in paragraphs 3 or 4.

  3. When reliance is on a wallet, the information to be used for unequivocal identity matching shall be the mandatory person identification data set out in Section 1 of the Annex to Implementing Regulation (EU) 2024/2977, together with any optional data that is needed to ensure that the presented dataset is unique including, where appropriate, additional information or complementary procedures.

  4. When reliance is on a notified electronic identification scheme, the information to be used for unequivocal identity matching shall be the mandatory attributes of the minimum data set for a natural person set out in Section 1 of the Annex to Implementing Regulation (EU) 2015/1501 including, where appropriate, any additional information or complementary procedures.

  5. When determining whether there is an unequivocal identity match, the relying party, or the party acting on its behalf, shall match the information provided by the user to those the relying party or a party acting on its behalf or a register relied upon by relying parties that has already registered.

  6. The outcome of the process described in paragraph 5 shall, to the extent possible, not be affected by differences in transliteration, blank spaces, hyphenation, concatenation, and similar orthographic variations that are required under Union law or national law of the Member State.

  7. Where the match is exact for the information referred to in paragraph 2 and relates to only one natural person or the outcome of the process leads to a new registration of the user that is equivalent in its function to a successful identity matching process, the identity matching process shall be deemed successful resulting in an unequivocal identity match. Where the match is not exact or relates to more than one natural person, or the party performing the identity matching cannot guarantee that the match is unequivocal, the identity matching process shall be deemed unsuccessful.

  8. Member States may rely on centralised identity matching systems, operated by a public sector body established in that Member State, to ensure that notified electronic identification means or wallets from another Member State can be matched with existing registrations and records using online procedures.

  9. Where Member States enable wallet-relying parties which are not public sector bodies to perform identity matching the mechanisms and procedures laid down in this Regulation shall apply, where applicable.

Article 3: Obligations of relying parties where the identity matching process is successful

  1. The first time a user performs the identity matching process and it is deemed successful pursuant to Article 2(7), the relying party or the party acting on its behalf, or a register relied upon by relying parties or the centralised system shall ensure that the user is informed of the fact that the user has been granted access to the service to which that they requested access to.

  2. Where applicable, the user shall also be informed if he or she:

    (a) has been registered as a new user;

    (b) has been successfully matched to a single existing user of the relying party or;

    (c) has been successfully matched to a single existing user in a register relied upon by the relying party or the party acting on its behalf;

    (d) can reuse completed identity matching processes in the future by choosing one of the following options including the retention time:

    • storage of an association in a register operated by the relying party or in a register relied upon by the relying party that can be reused in future access requests;

    • issuance of a dedicated electronic attestation of attributes containing an association that can be reused in future access requests;

    • alternative options provided by the relying party or the party acting on behalf of the relying party or the centralised system that can be reused in future access requests.

Article 4: Obligations of relying parties where the identity matching process is not successful

  1. Where an identity matching process is deemed unsuccessful pursuant to Article 2(7), the relying party or the party acting on its behalf or the centralised system shall ensure that the user of a notified electronic identification means or of a wallet is informed if:

    (a) the data made available was not successfully and unequivocally matched to any existing user of the relying party or in a register relied upon by the relying party or the party acting on its behalf;

    (b) other options for identity matching available to the user or other methods for gaining access to the service are available.

  2. The options or other methods referred to in paragraph 1, point (b) may include:

    (a) a different notified electronic identification means or a different wallet;

    (b) an update of information already registered with the relying party, the party acting on its behalf or a register relied upon by the relying party or the centralised identity matching system;

    (c) additional information provided by the relying party or a party acting on their behalf for identity matching or the centralised system.

  3. Where the complementary methods result in a successful and unequivocal match or registration, the outcome shall follow the obligations set out in Article 3.

  4. Where the relying party or the centralised system determines either initially or after unsuccessfully performing the complementary identity matching processes that the user has not previously been registered, the relying party or the centralised system may consider this user as a new user and where applicable, register the user in accordance with national law or administrative practices.

  5. Where the complementary methods do not result in a successful and unequivocal match, the party performing the identity matching may assess if the user has no prior interaction or interactions with the relying party or a register relied upon by the relying party and therefore shall be considered as a new user.

  6. Where there is a new user relying parties shall apply the process set out in Article 3. Relying parties may register new users in accordance with national law or administrative practices.

Article 5: Obligations of relying parties following the completion of the identity matching process

  1. Where an identity matching process as set out in Article 2 is completed, whether successfully or unsuccessfully, the relying party or the party acting on its behalf or the register relied upon by the relying party shall keep the logs relating to the identity matching process and its outcome, including where available, the following:

    (a) the values provided by the user and the relying party that is used to perform the identity matching process;

    (b) the date and time of the identity matching process;

    (c) any relevant documentation provided as part of the complementary methods referred to in Article 4(1) and (2) necessary for dispute handling;

    (d) where applicable, any identifiers or account numbers used by the relying party, or a register relied upon by relying parties, or the party acting on its behalf, or the centralised identity matching system that relates to the natural person.

  2. Relying parties or the parties acting on their behalf, shall consider security and privacy by design principles related to the logging of the information included in paragraph 1.

  3. Relying parties or the parties acting on their behalf, shall retain the logs for a minimum of 6 months and a maximum of 12 months for security purposes. For other purposes, including enabling the registration and processing of user complaints, the retention time may be extended if required by Union or national law.

Article 6: Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 24 December 2026.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 6 May 2025.

For the Commission

The President

Ursula VON DER LEYEN