EUDI Wallet - Integrity and core functionalities
Commission Implementing Regulation (EU) 2024/2979, adopted on 28 November 2024, establishes detailed rules under Regulation (EU) No 910/2014 concerning the integrity and core functionalities of European Digital Identity Wallets. This regulation aims to ensure that these digital wallets, which allow citizens and businesses to securely store and manage their electronic identification and authentication credentials, meet consistent standards across EU Member States. By defining specific technical and operational requirements, it seeks to enhance trust and interoperability within the European Digital Identity ecosystem, facilitating seamless cross-border digital interactions.
An electronic edition of the same is available here.
CHAPTER I - GENERAL PROVISIONS
Article 1: Subject matter and scope
This Regulation lays down rules for the integrity and core functionalities of the wallets, to be updated on a regular basis to keep in line with technology and standards developments and with the work carried out on the basis of Recommendation (EU) 2021/946, and in particular the Architecture and Reference Framework.
Article 2: Definitions
For the purpose of this Regulation, the following definitions apply:
‘wallet secure cryptographic application’ means an application that manages critical assets by being linked to and using the cryptographic and non-cryptographic functions provided by the wallet secure cryptographic device;
‘wallet unit’ means a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user;
‘critical assets’ means assets within or in relation to a wallet unit of such extraordinary importance that where their availability, confidentiality or integrity are compromised, this would have a very serious, debilitating effect on the ability to rely on the wallet unit;
‘provider of person identification data’ means a natural or legal person responsible for issuing and revoking the person identification data and ensuring that the person identification data of a user is cryptographically bound to a wallet unit;
‘wallet user’ means a user who is in control of the wallet unit;
‘wallet-relying party’ means a relying party that intends to rely upon wallet units for the provision of public or private services by means of digital interaction;
‘wallet provider’ means a natural or legal person who provides wallet solutions;
‘wallet unit attestation’ means a data object that describes the components of the wallet unit or allows authentication and validation of those components;
‘embedded disclosure policy’ means a set of rules, embedded in an electronic attestation of attributes by its provider, that indicates the conditions that a wallet-relying party has to meet to access the electronic attestation of attributes;
‘wallet instance’ means the application installed and configured on a wallet user’s device or environment, which is part of a wallet unit, and that the wallet user uses to interact with the wallet unit;
‘wallet solution’ means a combination of software, hardware, services, settings, and configurations, including wallet instances, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices;
‘wallet secure cryptographic device’ means a tamper-resistant device that provides an environment that is linked to and used by the wallet secure cryptographic application to protect critical assets and provide cryptographic functions for the secure execution of critical operations;
‘wallet cryptographic operation’ means a cryptographic mechanism necessary in the context of authentication of the wallet user and the issuance or presentation of person identification data or electronic attestations of attributes;
‘wallet-relying party access certificate’ means a certificate for electronic seals or signatures authenticating and validating the wallet-relying party issued by a provider of wallet-relying party access certificates;
‘provider of wallet-relying party access certificates’ means a natural or legal person mandated by a Member State to issue relying party access certificates to wallet-relying parties registered in that Member State.
CHAPTER II - INTEGRITY OF EUROPEAN DIGITAL IDENTITY WALLETS
Article 3: Wallet unit integrity
Wallet units shall not perform any functionality listed in Article 5a(4) of Regulation (EU) No 910/2014, except wallet user authentication to access the wallet unit, until the wallet unit has successfully authenticated the wallet user.
Wallet providers shall, for each wallet unit, sign or seal, at least one wallet unit attestation compliant with the requirements laid down in Article 6. The certificate used to sign or seal the wallet unit attestation shall be issued under a certificate listed in the trusted list referred to in Implementing Regulation (EU) 2024/2980.
Article 4: Wallet instances
Wallet instances shall use at least one wallet secure cryptographic device to manage critical assets.
Wallet providers shall ensure integrity, authenticity and confidentiality of the communication between wallet instances and wallet secure cryptographic applications.
Where critical assets relate to performing electronic identification at assurance level high, the wallet cryptographic operations or other operations processing critical assets shall be performed in accordance with the requirements for the characteristics and design of electronic identification means at assurance level high, as set out in Commission Implementing Regulation (EU) 2015/1502 (11).
Article 5: Wallet secure cryptographic applications
Wallet providers shall ensure that wallet secure cryptographic applications:
(a) perform wallet cryptographic operations involving critical assets other than those needed for the wallet unit to authenticate the wallet user only in cases where those applications have successfully authenticated wallet users;
(b) where they authenticate wallet users in the context of performing electronic identification at assurance level high; perform authentication of wallet users, in accordance with, the requirements for the characteristics and design of electronic identification means at assurance level high, as set out in Implementing Regulation (EU) 2015/1502;
(c) are able to securely generate new cryptographic keys;
(d) are able to perform secure erasure of critical assets;
(e) are able to generate a proof of possession of private keys;
(f) protect the private keys generated by those wallet secure cryptographic applications during the existence of the keys;
(g) comply with the requirements for the characteristics and design of electronic identification means at assurance level high, as set out in Implementing Regulation (EU) 2015/1502;
(h) are the only components able to execute wallet cryptographic operations and any other operation with critical assets in the context of performing electronic identification at assurance level high.
Where wallet providers decide to provide a wallet secure cryptographic application to an embedded secure element these wallet providers shall base their technical solution on the technical specifications listed in Annex I or on other equivalent technical specifications.
Article 6: Wallet unit authenticity and validity
Wallet providers shall ensure that each wallet unit contains wallet unit attestations.
Wallet providers shall ensure that the wallet unit attestations referred to in paragraph 1 contain public keys and that the corresponding private keys are protected by a wallet secure cryptographic device.
Wallet providers shall:
(a) inform wallet users of their rights and obligations in relation to their wallet unit;
(b) provide mechanisms, independent of wallet units, for the secure identification and authentication of wallet users;
(c) ensure wallet users have the right to request revocation of their wallet unit attestations, using the authentication mechanisms referred to in point (b).
Article 7: Revocation of wallet unit attestations
Wallet providers shall be the only entities capable of revoking wallet unit attestations for wallet units that they have provided.
Wallet providers shall establish a publicly available policy specifying the conditions and the timeframe for the revocation of wallet unit attestations.
Where wallet providers have revoked wallet unit attestations, they shall inform affected wallet users within 24 hours of the revocation of their wallet units, including the reason for the revocation and the consequences for the wallet user. This information shall be provided in a manner that is concise, easily accessible and using clear and plain language.
Where wallet providers have revoked wallet unit attestations, they shall make publicly available the validity status of the wallet unit attestation in a privacy preserving manner and describe the location of that information in the wallet unit attestation.
CHAPTER III - CORE FUNCTIONALITIES AND FEATURES OF EUROPEAN DIGITAL IDENTITY WALLETS
Article 8: Formats for person identification data and electronic attestations of attributes
Wallet providers shall ensure that wallet solutions support the usage of person identification data and electronic attestations of attributes issued in compliance with the list of standards set out in Annex II.
Article 9: Transaction logs
Irrespective of whether or not a transaction is successfully completed, wallet instances shall log all transactions with wallet-relying parties and other wallet units, including electronic signing and sealing.
The logged information shall at least contain:
(a) the time and date of the transaction;
(b) the name, contact details, and the unique identifier of the corresponding wallet-relying party and the Member State in which that wallet-relying party is established, or in case of other wallet units, relevant information from the wallet unit attestation;
(c) the type or types of data requested and presented in the transaction;
(d) in the case of non-completed transactions, the reason for such non-completion.
Wallet providers shall ensure integrity, authenticity and confidentiality of the logged information.
Wallet instances shall log reports sent by the wallet user to the data protection authorities via their wallet unit.
The logs referred to in paragraphs 1 and 2 shall be accessible to the wallet provider, where it is necessary for the provision of wallet services, on the basis of explicit prior consent by the wallet user.
The logs referred to in paragraphs 1 and 2 shall remain accessible for as long as they are required by Union law or national law.
Wallet providers shall enable wallet users to export the logged information referred to in paragraph 2.
Article 10: Embedded disclosure
Wallet providers shall ensure that electronic attestations of attributes with common embedded disclosure policies set out in Annex III can be processed by the wallet units that they provide.
Wallet instances shall be able to process and present such embedded disclosure policies referred to in paragraph 1 in conjunction with data received from the requesting wallet-relying party.
Wallet instances shall verify whether the wallet-relying party complies with the requirements of the embedded disclosure policy and inform the wallet user of the result.
Article 11: Qualified electronic signatures and seals
Wallet providers shall ensure that wallet users are able to receive, qualified certificates for qualified electronic signatures or seals which are linked to qualified signature or seal creation devices that are either local, external, or remote in relation to the wallet instances.
Wallet providers shall ensure that wallet solutions are able to securely interface with one of the following types of qualified signature or seal creation devices: local, external, or remotely managed qualified signature or seal creation devices for the purposes of using the qualified certificates referred to in paragraph 1.
Wallet providers shall ensure that wallet users who are natural persons have, at least for non-professional purposes, free-of-charge access to signature creation applications which allow the creation of free-of-charge qualified electronic signatures using the certificates referred to in paragraph 1.
Article 12: Signature creation applications
The signature creation applications used by wallet units may be provided either by wallet providers, by providers of trust services or by wallet-relying parties.
Signature creation applications shall have the following functions:
(a) signing or sealing wallet user-provided data;
(b) signing or sealing relying party-provided data;
(c) creating signatures or seals in accordance with at least the mandatory formats referred to in Annex IV;
(d) informing wallet users about the result of the signature or seal creation process.The signature creation applications may either be integrated into or be external to wallet instances. Where signature creation applications rely on remote qualified signature creation devices and where they are integrated into wallet instances, they shall support the application programming interface referred to in Annex IV.
Article 13: Data export and portability
Wallet units shall, where technically feasible and excepting cases of critical assets, support secure export and portability of personal data of the wallet user, to allow the wallet user to migrate to a wallet unit of a different wallet solution in a way that ensures level of assurance high as set out in Implementing Regulation (EU) 2015/1502.
Article 14: Pseudonyms
Wallet units shall support the generation of pseudonyms for wallet users in compliance with the technical specifications set out in Annex V.
Wallet units shall support the generation, upon the request of a wallet-relying party, of a pseudonym which is specific and unique to that wallet-relying party and provide this pseudonym to the wallet-relying party, either standalone or in combination with any person identification data or electronic attribute attestation requested by that wallet-relying party.
CHAPTER IV - FINAL PROVISIONS
Article 15: Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 28 November 2024.
ANNEX I - LIST OF STANDARDS REFERRED TO IN ARTICLE 5
- SAM.01 Secured Applications for Mobile – Requirements for supporting 3rd party Applets on eSIM and eSE via SAM. v1.1 2023, GSMA;
- GPC_GUI_217 GlobalPlatform SAM Configuration Technical specification for implementation of SAM v1.0 2024-04;
- GPC_SPE_034 GlobalPlatform Card Specification Technical specification for smart cards v2.3.1 2018-03;
- GPC_SPE_007 GlobalPlatform Amendment A Confidential Card Content Management v1.2 2019-07;
- GPC_SPE_013 GlobalPlatform Amendment D Secure Channel Protocol 03 v1.2 2020-04;
- GPC_SPE_093 GlobalPlatform Amendment F Secure Channel Protocol 11 v1.4 2024-03;
- GPD_SPE_075 Open Mobile API Specification OMAPI API for mobile apps to access secure elements on user devices. v3.3 2018-08, GlobalPlatform.
ANNEX II - LIST OF STANDARDS REFERRED TO IN ARTICLE 8
- ISO/IEC 18013-5:2021;
- Verifiable Credentials Data Model 1.1, W3C Recommendation, 3 March 2022.
ANNEX III - LIST OF COMMON EMBEDDED DISCLOSURE POLICIES REFERRED TO IN ARTICLE 10
- No policy: Indicates that no policy applies to the electronic attestations of attributes.
- Authorised relying parties only policy: Indicates that wallet users may only disclose electronic attestations of attributes to authenticated relying parties which are explicitly listed in the disclosure policies.
- Specific root of trust: Indicates that wallet users should only disclose the specific electronic attestation of attributes to authenticated wallet-relying parties with wallet-relying party access certificates derived from a specific root (or list of specific roots) or intermediate certificate(s).
ANNEX IV - SIGNATURE AND SEAL FORMATS REFERRED TO IN ARTICLE 12
- Mandatory signature or seal format:
- PAdES (PDF Advanced Electronic Signature): As specified in ETSI EN 319 142-1 V1.1.1 (2016-04); Electronic Signatures and Infrastructures (ESI); PAdES digital signatures; Part 1: Building blocks and PAdES baseline signatures.
List of optional signature or seal formats:
(a) XAdES: As specified in ‘ETSI EN 319 132-1 V1.2.1 (2022-02) Electronic Signatures and Infrastructures (ESI); XAdES digital signatures; Part 1: Building blocks and XAdES baseline signatures (XAdES)’ for signing of XML format;
(b) JAdES: As specified in ‘ETSI TS 119 182-1 V1.2.1 (2024-07) Electronic Signatures and Infrastructures (ESI); JAdES digital signatures; Part 1: Building blocks and JAdES baseline signatures’ for signing of JSON format;
(c) CAdES (CMS Advanced Electronic Signature): As specified in ‘ETSI EN 3191 22-1 V1.3.1 (2023-06) Electronic Signatures and Infrastructures (ESI); CAdES digital signatures; Part 1: Building blocks and CAdES baseline signatures’ for the signing of CMS format;
(d) ASiC (Associated Signature Container):
As specified in ‘ETSI EN 319 162-1 V1.1.1 (2016-04) Electronic Signatures and Infrastructures (ESI); Associated Signature Containers (ASiC); Part 1: Building blocks and ASiC baseline containers’ and
ETSI EN 319 162-2 V1.1.1 (2016-04) Electronic Signatures and Infrastructures (ESI); Associated Signature Containers (ASiC); Part 2: Additional ASiC containers’ for the signing of containers.
Application programming interface:
- Cloud Signature Consortium (CSC) specification v2.0 (20 April 2023).
ANNEX V - TECHNICAL SPECIFICATIONS FOR PSEUDONYM GENERATION REFERRED TO IN ARTICLE 14
Technical specifications:
- WebAuthn – W3C Recommendation, 8 April 2021, Level 2, https://www.w3.org/TR/2021/REC-webauthn-2-20210408/.