Skip to main content

EUDI Wallet - Peer review of electronic identification schemes

Commission Implementing Regulation (EU) 2025/1568 establishes detailed rules under Regulation (EU) No 910/2014. This regulation aims to ensure consistent standards across EU Member States, enhancing trust and interoperability within the European Digital Identity ecosystem.

An electronic edition of the same is available here.

Article 1: General principles for the peer review

  1. Where a Member State makes a pre-notification of an electronic identification scheme to the Commission and to the other Member States, the peer review shall be initiated in accordance with Article 2.

  2. The Member State that makes a pre-notification of an electronic identification scheme may, at any point, withdraw its pre-notification. Where the Member State withdraws their pre-notification of the electronic identification scheme, the peer review shall be considered as terminated.

  3. Any Member State may decide to participate in the peer review of the electronic identification scheme of another Member State.

  4. Each Member State involved in a peer review shall bear the costs it incurs in the process.

  5. Representatives of the Member States that conduct the peer review shall use the information obtained through the peer review solely for the purposes of that review and shall not disclose any sensitive or confidential information obtained during the peer review to third parties.

  6. A Member State that decides to participate in the peer review of an electronic identification scheme of another Member State shall disclose any conflict of interest in relation to representatives appointed by that Member State. Where there is a conflict of interest, the Member State whose electronic identification scheme is being peer-reviewed may refuse the participation of the relevant representative in the assessment of its electronic identification scheme.

  7. Any disputes arising during the peer review in relation to the peer review activities as laid down in Article 4(4) of this Regulation shall be settled in accordance with the Cooperation Group's rules of procedure.

  8. An electronic identification scheme shall not be subject to further peer review within two years from the conclusion of a peer review, except where significant changes set out in Article 6(1) were made to the peer-reviewed electronic identification scheme.

Article 2: Initiation of the peer review

  1. The pre-notification shall include at least:

    (a) a comparison between the pre-notified electronic identification scheme and requirements laid down in Implementing Regulation (EU) 2015/1502, under the form of a level of assurance mapping document for the peer review in accordance with Annex I to this Regulation;

    (b) a high-level description of the electronic identification scheme, of its ecosystem and of electronic identification in the Member State having made the pre-notification, under the form of a whitepaper in accordance with Annex II to this Regulation;

    (c) information regarding interoperability of the electronic identification scheme and the requirements laid down in Implementing Regulation (EU) 2015/1501, under the form of an interoperability framework mapping document in accordance with the template set out in Annex III to this Regulation.

  2. The Commission shall disseminate the pre-notification information to the Cooperation Group.

  3. The information required under paragraph 1, point (c), shall be provided at least in English. Member States shall not be obliged to translate any document where this would create an unreasonable administrative or financial burden.

Article 3: Preparation of the peer review

  1. Upon confirmation of receipt of a complete pre-notification, the Commission shall inform the Cooperation Group of the initiation of the peer review and schedule a meeting where the pre-notified electronic identification scheme is put on the meeting agenda for presentation to the Cooperation Group by the Member State having made the pre-notification.

  2. The chair of the Cooperation Group shall ensure that the scheduled meeting referred to in paragraph 1 takes place no later than two months after the Cooperation Group is informed of the initiation of the peer review.

  3. The date of the presentation shall be considered the official start date of the peer review.

  4. After the Member State having made the pre-notification has given the presentation referred to in paragraph 3, the other Member States may appoint representatives to participate in the peer review on their behalf. If they do so, they shall provide the names and contact details of their representatives. Those appointed representatives shall form the peer review group. The members of the peer review group shall agree on assigning the following roles:

    (a) one coordinator who shall be responsible for organising the peer review and managing communication with Member States, the Cooperation Group and the Commission;

    (b) up to three rapporteurs depending on the scope of the peer review and each one of them to lead a working group as referred to in Article 4(2);

    (c) at least one active member per working group, who shall assist in generating questions and providing feedback to the rapporteurs and contribute to drafting the final peer review report.

  5. The coordinator referred to in paragraph 4, point (a), shall oversee proper execution of the peer review and monitor compliance with the procedural requirements set out in this Regulation. To that end, the coordinator shall carry out the following tasks in a timely manner:

    (a) organisation of the questions and answers;

    (b) finalisation of the peer review report;

    (c) drafting of the opinion on the peer reviewed electronic identification scheme.

  6. The rapporteurs referred to in paragraph 4, point (b), shall identify questions for the Member State having made the pre-notification and draft the elements of the peer review report that relate to the area of responsibility of their respective working group.

  7. Taking into account the guidance provided by the Cooperation Group, the Member State having made the pre-notification and the Member States involved in the peer review shall agree on any organisational arrangements relating to the peer review not specifically provided for in this Regulation, including rules and guidelines regarding confidentiality and conflicts of interest.

  8. The duration of the peer review shall not exceed three months from the official start date of the peer review referred to in paragraph 3 and may be extended by a maximum of two months where all Member States involved in the peer review agree to do so.

Article 4: Organisation of the peer review

  1. The peer review group shall conduct the peer review based on the information provided in accordance with Article 2(1) by the Member State having made the pre-notification.

  2. The peer review shall be organised in three working groups, or using any other process agreed in the Cooperation Group in accordance with its Rules of Procedure. Where working groups are used, each working group shall be composed of one rapporteur and at least one active member.

  3. The working groups referred to in paragraph 2 shall be the following:

    (a) an enrolment working group, peer-reviewing the alignment of the pre-notified electronic identification scheme with the requirements in relation to enrolment as set out in section 2.1 of the Annex to Implementing Regulation (EU) 2015/1502;

    (b) an electronic identification means management and authentication working group, peer-reviewing the alignment of the pre-notified electronic identification scheme with the requirements in relation to electronic identification means management and authentication as set out in sections 2.2 and 2.3 of the Annex to Implementing Regulation (EU) 2015/1502;

    (c) a management and organisation working group peer-reviewing the alignment of the pre-notified electronic identification scheme with the requirements in relation to management and organisation as set out in section 2.4 of Implementing Regulation (EU) 2015/1502.

  4. The peer review shall include, but is not limited to, one or more of the following activities:

    (a) assessment of relevant documentation provided by the Member State having made the pre-notification;

    (b) examination of processes described as part of that documentation;

    (c) technical seminars;

    (d) consideration of independent third-party assessments, where relevant assessments of this kind are available;

    (e) drafting of the peer review report that summarises the peer review's findings and results.

  5. The working groups may make duly justified requests for additional information, supported by additional documentation, from the Member State having made the pre-notification where the information provided in accordance with Article 2(1) is not sufficient, for the termination of the peer review.

  6. The Member State having made the pre-notification shall comply with such requests except where one of the following applies:

    (a) it does not possess the information or documentation and obtaining it would generate an unreasonable administrative burden;

    (b) the information or documentation requested concerns matters of public security or national security;

    (c) the information concerns business matters, professional or company secrets;

    (d) the sensitivity of the information makes it impossible to establish a secure channel to communicate the information to the members of the peer review group.

  7. In such cases, the Member State having made the pre-notification shall inform the coordinator of the reasons for refusing to provide the requested information or documentation and shall provide a high-level summary of the information or a redacted version of the documentation.

Article 5: Outcome of the peer review

  1. Without prejudice to Article 3(9), the peer review group shall:

    (a) provide a draft peer review report to the Member State having made the pre-notification no later than three months after the start date of the peer review referred to in Article 3(3) unless the peer review is subject to an extension in accordance with Article 3(8) where the report is due according to the agreed extension;

    (b) provide the draft final peer review report to the Commission and the Cooperation Group after taking into consideration any observations from the Member State having made the pre-notification on the content of the draft peer review report, and no later than three months and two weeks after the official start date of the peer review pursuant to Article 3(3) unless the peer review is subject to an extension in accordance with Article 3(8) where the report is due according to the agreed extension;

    (c) provide the Member State having made the pre-notification with a draft opinion on the pre-notified electronic identification scheme no later than three months and two weeks after the official start date of the peer review referred to in Article 3(3) unless the peer review is subject to an extension in accordance with Article 3(8) where the opinion is due according to the agreed extension and shall prepare the draft opinion using the template set out in Annex IV;

    (d) provide the Commission and the Cooperation Group with a draft final opinion on the pre-notified electronic identification scheme no later than three months and three weeks after the start date of the peer review referred to in Article 3 (3) unless the peer review is subject to an extension in accordance with Article 3(8) where the opinion is due according to the agreed extension.

  2. Before the Cooperation Group adopts and publishes, on a dedicated website of the Commission, its final opinion on the conclusion of the peer review in accordance with paragraph 9, it may require additional information or clarification from the Member State having made the pre-notification or from the peer review group.

  3. The Member State having made the pre-notification shall provide the required additional information referred to in paragraph 2, except where one of the following applies:

    (a) the Member State does not possess the information and obtaining it would cause an unreasonable administrative burden;

    (b) the information concerns matters of public or national security;

    (c) the information concerns matters of business, professional or company secrets;

    (d) the sensitivity of the information makes it impossible to establish a secure channel to communicate the information to the Cooperation Group.

  4. The final peer review report shall list the information that was requested by the peer review group or by the Cooperation Group but could not be provided on one or more grounds set out in paragraph 3, without specifying the reasons provided by the Member State having made the pre-notification. The impact of any unavailability of information may be examined by the peer review group in the final peer review report.

  5. The peer review group shall present the final peer review report and its draft final opinion to the Cooperation Group no later than four months, or in the case of prolongation in accordance with Article 3(8) no later than six months after the official start date of the peer review pursuant to Article 3(3).

  6. The final opinion of the peer review group on the electronic identification scheme of the Member State having made the pre-notification shall list any commitments made by that Member State.

  7. After the presentation of the final peer review report and the final opinion of the peer review group, the Cooperation Group shall adopt and publish its own opinion on the conclusion of the peer review, indicating if and how the peer-reviewed electronic identification scheme meets the requirements set out in Implementing Regulation (EU) 2015/1502 that apply to the assurance levels indicated by the Member State having made the pre-notification, in accordance with Annex I of this Regulation. The adoption process shall follow the rules of procedure of the Cooperation Group.

  8. The opinion of the Cooperation Group shall identify the Member State having made the pre-notification as well as the pre-notified electronic identification scheme and its assurance level. The opinion shall also state whether the peer review was completed successfully.

  9. Information provided in accordance with Article 2(1) shall be published by the Cooperation Group, except where the Member State that provided the information has indicated in writing that such information should not be made public.

Article 6: Significant changes in peer-reviewed electronic identification schemes

  1. Where a notified electronic identification scheme changes in a manner that is likely to impact its interoperability, security or trustworthiness, the Member State having made the notification shall without undue delay notify the Cooperation Group of those changes and update the information previously provided.

  2. Following the receipt of a notification referred to in paragraph 1, and provided the notified electronic identification scheme has been peer-reviewed, any Member State of the Cooperation Group may request an update to the peer review.

  3. In case of a request for an update, the procedures set out in Articles 3 to 5 shall apply accordingly and the peer review group shall limit the peer review to the elements that have been changed pursuant to the original notification and to the impacts of those changes.

Article 7: Repeal

Implementing Decision (EU) 2015/296 is hereby repealed.

Article 8: Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 29 July 2025.

For the Commission

The President

Ursula VON DER LEYEN

ANNEX I - List of minimum information to be provided in the levels of assurance mapping document for the peer review referred to in Article 2(1), point (a)

The level of assurance mapping document for the peer review referred to in Article 2, paragraph 1, point (a) shall include at least the following information:

  1. general information, including:

    • (a) the name of the notifying Member State
    • (b) the title of the electronic identification scheme (if any)
    • (c) the level or levels of assurance of the electronic identification scheme, indicated as low, substantial or high.

  2. the authority or authorities responsible for the electronic identification scheme, including:

    • (a) the name or names of the authority or authorities responsible for the electronic identification scheme
    • (b) the email address of the authority or authorities responsible for the electronic identification scheme.

  3. information on relevant parties, entities and bodies involved in the electronic identification scheme, including:

    • (a) the name of the entity or entities managing the registration process of the unique person identification data
    • (b) the name of the party or parties issuing the electronic identification means, and where applicable, an indication whether the party or parties are referred to in Article 7(a), point (i), (ii) or (iii) of Regulation (EU) No 910/2014
    • (c) the name of the party or parties operating the authentication procedure (the 'eIDAS node')
    • (d) the name or names of the governance organisation or organisations participating in the supervisory regime related to the electronic identification scheme.

  4. a description of the electronic identification scheme, including:

    • (a) where applicable, the document or documents that shall be enclosed for each of the following topics:
    • a brief description of the electronic identification scheme, including the context in which it operates, its scope, and availability to private relying parties
    • a list of the additional attributes which may be provided in relation to natural persons under the electronic identification scheme if requested by a relying party
    • a list of the additional attributes which may be provided in relation to legal persons under the electronic identification scheme if requested by a relying party.
    • (b) the applicable supervisory, liability and management regime, including:
    • a description of the supervisory regime of the electronic identification scheme including the evaluation process with respect to the following:
    • the supervisory regime applicable to the party or parties issuing the electronic identification means
    • the supervisory regime applicable to the party or parties operating the eIDAS node.
    • Where applicable, these descriptions shall include the roles, responsibilities and powers of the governance organisations that participate in the supervisory regime referred to in point 3(d), and the entity to which they report. If the organisations do not report to the authority responsible for the scheme, full details of the entity to which they report shall be provided.
    • a description of the applicable national liability regime, including:
    • a description of the liability of the Member State under Article 11(1) of Regulation (EU) No 910/2014
    • a description of the liability of the party or parties issuing the electronic identification means under Article 11(2) of Regulation (EU) No 910/2014
    • a description of the liability of the party or parties operating the eIDAS node under Article 11(3) of Regulation (EU) No 910/2014.
    • arrangements for managing, suspending or revoking either the entire identification scheme, or specific electronic identification means, or the eIDAS node, or its compromised parts.
    • (c) a description of the electronic identification scheme components, including:
    • a description of how the requirements in relation to minimum technical specifications and procedures for assurance levels for electronic identification means, as set out in Implementing Regulation (EU) 2015/1502, have been met, to substantiate the indicated assurance level for the enrolment
    • a description of how the following processes are addressed under the electronic identification scheme, including documentation for the combination of options that were chosen by the Member State, for:
    • application and registration
    • identity proofing and verification of a natural person:
    • identity proofing and verification of a legal person
    • binding between the electronic identification means for natural and legal persons.
    • with regards to the electronic identification means management, a description of how the following processes are addressed under the electronic identification means:
    • characteristics and design of the electronic identification means, including, where appropriate, information on security certification
    • issuance, delivery and activation
    • suspension, revocation and reactivation
    • renewal and replacement.
    • with regards to authentication, a description of the authentication mechanism, including terms of access to authentication by relying parties other than public sector bodies
    • with regards to the management and organisation, a description of the management and organisation of the following aspects:
    • general provisions on management and organisation
    • published notices and user information
    • information security management
    • record keeping.
    • facilities and staff
    • technical controls.
    • compliance and audit.
    • (d) a description of how interoperability and minimum technical and operational security requirements are met
    • (e) a list of all the supporting documentation submitted and a statement to which of the elements above they relate, including references to any domestic legislation which relates to the electronic identification provision relevant to the notification and relevant audit reports, certification practice statements, and test reports.
    • (f) the relevant documents and information as regards the certification of the electronic identification scheme pursuant to Article 12a(1) and, where applicable, to Article 12a(5), of Regulation (EU) No 910/2014.

ANNEX II - List of minimum information to be provided in the white paper referred to in Article 2(1), point (b)

  1. The white paper shall describe the overall ecosystem of the electronic identification scheme being pre-notified, as well as the history of the electronic identification scheme and of electronic identification in the Member State.

  2. The white paper shall also provide a description of the electronic identification scheme and the electronic identification means provided under this scheme, including a brief description of the elements that are also covered by the levels of assurance mapping document referred to in Article 2(1), point (a) of this Regulation, the interoperability framework mapping document referred to in Article 2(1), point (c) of this Regulation, and other documents.

  3. The white paper shall also describe the role of the electronic identification scheme in the overall ecosystem and its relation to relying parties and other services provided within the ecosystem.

ANNEX III - Template for the interoperability framework mapping document

Interoperability Requirements

Article of Implementing Regulation (EU) 2015/1501RequirementDescription
4Mapping of national assurance levels
The mapping of national assurance levels of the notified electronic identification schemes shall follow the requirements laid down in Implementing Regulation (EU) 2015/1502.
The results of the mapping shall be notified to the Commission using the notification template laid down in Implementing Decision (EU) 2015/1984.		<To be filled out by the Member State>
5Nodes
1. A node in one Member State shall be able to connect with nodes of other Member States.
2. The nodes shall be able to distinguish between public sector bodies and other relying parties through technical means.
3. A Member State implementation of the technical requirements set out in this Regulation shall not impose disproportionate technical requirements and costs on other Member States in order for them to interoperate with the implementation adopted by the first Member State.		<To be filled out by the Member State>
6Data Privacy and confidentiality
1. Protection of privacy and confidentiality of the data exchanged and the maintenance of data integrity between the nodes shall be ensured by using best available technical solutions and protection practices.
2. The nodes shall not store any personal data, except for the purpose set out in Article 9(3) of Implementing Regulation (EU) 2015/1501.		<To be filled out by the Member State>
7Data integrity and authenticity for the communication
Communication between the nodes shall ensure data integrity and authenticity to make certain that all requests and responses are authentic and have not been tampered with. For this purpose, nodes shall use solutions which have been successfully employed in cross-border operational use.		<To be filled out by the Member State>
8Message format for the communication
The nodes shall use for syntax common message formats based on standards that have already been deployed more than once between Member States and proven to work in an operational environment.
The syntax shall allow:
(a) proper processing of the minimum set of person identification data uniquely representing a natural or legal person;
(b) proper processing of the assurance level of the electronic identification means;
(c) distinction between public sector bodies and other relying parties;
(d) flexibility to meet the needs of additional attributes relating to identification.		<To be filled out by the Member State>
9Management of security information and metadata
1. The node operator shall communicate the metadata of the node management in a standardised machine processable manner and in a secure and trustworthy way.
2. At least the parameters relevant to security shall be retrieved automatically.
3. The node operator shall store data which, in the event of an incident, enable reconstruction of the sequence of the message exchange for establishing the place and the nature of the incident. The data shall be stored for a period of time in accordance with national requirements and, as a minimum, shall consist of the following elements:
(a) node's identification;
(b) message identification;
(c) message date and time.		<To be filled out by the Member State>
10Information assurance and security standards
1. Node operators of nodes providing authentication shall prove that, in respect of the nodes participating in the interoperability framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by equivalent methods of assessment, or by complying with national legislation.
2. Node operators shall deploy security critical updates without undue delay.		<To be filled out by the Member State>
11Person identification data
1. A minimum data set of person identification data uniquely representing a natural or a legal person shall meet the requirements set out in the Annex to Implementing Regulation (EU) 2015/1501 when used in a cross-border context.
2. A minimum data set for a natural person representing a legal person shall contain the combination of the attributes listed in the Annex to Implementing Regulation (EU) 2015/1501 for natural persons and legal persons when used in a cross-border context.
3. Data shall be transmitted based on original characters and, where appropriate, also transliterated into Latin characters.		<To be filled out by the Member State>

ANNEX IV - Template for the opinion on the electronic identification scheme of a Member State

Opinion No. XX/202X of the Cooperation Group on the <insert Member State> eID scheme <insert scheme name>

Having regard to Article 12(5) of Regulation (EU) 910/2014 ('the European Digital Identity Regulation'),

Having regard to Implementing Regulation (EU) 2025/1568.

Having regard to the Rules of Procedure of the Cooperation Group,

Whereas:

Article 12(5) of the European Digital Identity Regulation obliges Member States to carry out peer reviews of electronic identification schemes to be notified under Article 9(1), point (a) of the European Digital Identity Regulation.

Article 5(10) of Commission Implementing Regulation (EU) 2025/1568 on cooperation mandates the Cooperation Group to adopt opinions on how an electronic identification scheme to be notified meets the requirements of the European Digital Identity Regulation.

<insert Member State>, with a view to notifying its eID scheme <insert scheme name> in accordance with Article 9(1) of the European Digital Identity Regulation, provided the following information to the Member States on <insert date> (hereinafter referred to as: 'pre-notification') in line with Article 7(g) of the European Digital Identity Regulation:

  • Notification form;

  • Supporting Documentation.

On <insert date of CG meeting>, the Cooperation Group:

  • agreed to organise the peer review of the <insert Member State> eID scheme <insert scheme name> according to Article 46e(5)(d) of the European Digital Identity Regulation and Implementing Regulation (EU) 2025/1568;

  • formed a 'Peer Review Group'; and

  • agreed which topics the peer review process would cover and how it would be organised according to the provisions of Implementing Regulation (EU) 2025/1568.

The Peer Review Group submitted its report according to Article 5 of Implementing Regulation (EU) 2025/1568 to the Cooperation Group on <insert date>. The Cooperation Group has examined and discussed the Peer Review Report.

Taking into account the outcomes of the peer review, the peer review report and the additional information provided by <insert Member State> regarding:

and that <insert Member State> commits to:

The Cooperation Group adopted the following opinion:

Opinion

Based on the examination of the pre-notification documents provided by <insert Member State> and the findings of the Peer Review Report, the Cooperation Group is of the opinion that the pre-notification documents and additional information provided by <insert Member State> demonstrate sufficiently how the <insert Member State>eID scheme <insert scheme name> to be notified meets the requirements

  • for assurance level 'High';

  • for assurance level 'Substantial';

  • for assurance level 'Low';

in line with the requirements of Articles 7, 8(1)-(2), 12(1), 12a(1) and 12a(5) of the European Digital Identity Regulation and with the requirements of Implementing Regulation (EU) 2015/1502.

According to Article <insert number> of the Rules of Procedure, the Cooperation Group agrees to publish this opinion.

<insert Member State>, <insert date>