Skip to main content

EUDI Wallet - Identity and qualified certificates

Commission Implementing Regulation (EU) 2025/1566 establishes detailed rules under Regulation (EU) No 910/2014. This regulation aims to ensure consistent standards across EU Member States, enhancing trust and interoperability within the European Digital Identity ecosystem.

An electronic edition of the same is available here.

Article 1

The reference standards and specifications referred to in Article 24(1c) of Regulation (EU) No 910/2014 are set out in the Annex to this Regulation.

Article 2

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall apply from 19 August 2027.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 29 July 2025.

For the Commission

The President

Ursula VON DER LEYEN

ANNEX - Reference standard for the verification of the identity and attributes of persons to whom a qualified certificate or qualified electronic attestation of attributes is to be issued

The standard ETSI TS 119 461 V2.1.1 (2025-02) for conformance with Annex C clause C.3 applies, with the following adaptations:

  1. 2.1 Normative references; [1] ETSI EN 319 401 V3.1.1 (2024-06): 'Electronic Signatures and Trust Infrastructures (ESI); General Policy Requirements for Trust Service Providers'.

  2. C.3 Use cases for issuance of qualified certificate or qualified electronic attestations of attributes in accordance with Article 24(1), (1a) and (1b) of Regulation (EU) No 910/2014; [CONDITIONAL] QTS-C3-01: If identity verification for qualified certificate or a qualified electronic attestation is done in conjunction with identity verification to issue authoritative evidence, that identity verification process shall:

    • have been peer reviewed or certified by an accredited conformity assessment body to comply with assurance level high in accordance with Regulation (EU) No 910/2014, or
    • comply with the requirements set out in clauses C3.1 to C3.6.

  3. C.3.4 Use case for identity proofing by other identification means; QTS-C.3.4-06A: The independent conformity assessment body referred to in [CONDITIONAL] QTS-C.3.4-06, point c) shall be accredited as per Article 3 (18) of Regulation (EU) No 910/2014, and, if all applicable requirements are fulfilled, the assessment should result in a certificate of compliance based on a certification audit. This formal certification process shall be based on a security evaluation process that refers to the levels of assurance defined for notified electronic identification means or certified European Digital Identity Wallets under Regulation (EU) No 910/2014 and shall include rigorous testing to evaluate resistance against potential security threats. These evaluations shall employ pertinent technical standards to demonstrate robustness against such attacks.

  4. 9.2.3.4 Use case for automated operation; USE-9.2.3.4-04: The IPSP shall establish target values for the FAR and FRR, based on a risk analysis and its threats intelligence procedure, by following the methodology established in the ENISA report 'Methodology for sectoral cybersecurity assessments' [i.28] or an equivalent methodology, in fully automated identity proofing processes. These target values shall be equal to or lower than those set for hybrid use cases, when they exist. The IPSP shall maintain these target values for FAR and FRR consistently, supported by a risk analysis and its threats intelligence procedure.

  5. 8.3.3 Validation of physical identity document; VAL-8.3.3-21: The effectiveness of the measures for complying with the requirements VAL-8.3.3-05X, VAL-8.3.3-05A, VAL-8.3.3-05B, VAL-8.3.3-05C, VAL-8.3.3-07A and VAL-8.3.3-07X, shall be tested by an accredited laboratory or a national competent authority, whenever they are designated, at the latest by 19 August 2027 and then be repeated every second year.

  6. 7.12. Termination and termination plans; OVR-7.12-02: The termination plan shall comply with the requirements set out in the implementing acts adopted pursuant to Article 24(5) of Regulation (EU) No 910/2014 [i.1]