EUDI Wallet - Person identification data and electronic attestations of attributes

COMMISSION IMPLEMENTING REGULATION (EU) 2024/XXX

The European Commission has published a draft Implementing Act under REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market. This draft lays down specific rules regarding person identification data and electronic attestations of attributes issued to European Digital Identity Wallets. These rules are crucial for ensuring secure and interoperable identity verification and trust services across Member States, facilitating digital transactions in both public and private sectors.

The document outlines all the requirements and technical standards for the handling, issuance, and management of person identification data and electronic attestations of attributes, detailing the responsibilities of wallet providers and relevant authorities.

Article 1: Subject matter and scope

This Regulation lays down rules for the issuance of person identification data and electronic attestations of attributes to wallet units.

Article 2: Definitions

For the purpose of this Regulation, the following definitions apply:

  1. 'wallet user' means a natural or legal person who is the subject of the person identification data associated with the wallet unit that they are in control of;

  2. 'wallet unit' means a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user;

  3. 'wallet solution' means a combination of software, hardware, services, settings, and configurations, including wallet instances, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices, and which is managed and operated by a wallet provider;

  4. 'wallet instance' means the application installed and configured on a wallet user's device or environment, which is part of a wallet unit, and that the wallet user uses to interact with the wallet unit;

  5. 'wallet secure cryptographic application' means an application that manages critical assets by using the cryptographic functions provided by the wallet secure cryptographic device;

  6. 'wallet secure cryptographic device' means an environment that hosts the wallet secure cryptographic application and provides cryptographic functions;

  7. 'wallet provider' means a natural or legal person who provides wallet solutions;

  8. 'critical assets' means information that would put a wallet unit in a critical state in case the assets get compromised and therefore needs protection against duplication and tampering;

  9. 'wallet cryptographic operation' means a cryptographic mechanism necessary in the context of authentication of the wallet user and the issuance or presentation of person identification data or electronic attestations of attributes;

  10. 'embedded disclosure policy' means a set of rules, embedded in an electronic attestation of attributes by its provider, that indicates the conditions that a wallet relying party has to meet to access the electronic attestation of attributes;

  11. 'wallet relying party' means a relying party that intends to rely upon wallet units for the provision of public or private services by means of digital interaction;

  12. 'provider of person identification data' means a natural or legal person responsible for ensuring that the person identification data of a user is cryptographically bound to a wallet unit;

  13. 'wallet unit attestation' means a data object that describes the components of the wallet unit, allows authentication and validation of those components and is cryptographically bound to wallet secure cryptographic devices;

  14. 'wallet relying party access certificate' means a certificate for electronic seals or signatures authenticating and validating the wallet relying party issued by a provider of wallet relying party access certificates;

  15. 'provider of wallet relying party access certificates' means a natural or legal person mandated by a Member State to issue relying party access certificates to wallet relying parties registered in that Member State;

  16. 'cryptographic binding' means the method to link person identification data or electronic attestations of attributes to wallet units through cryptographic means.

Article 3: Issuance of person identification data to wallet units

  1. Providers of person identification data shall issue the person identification data to wallet users in accordance with the electronic identification schemes under which their wallet solutions are provided.

  2. Providers of person identification data shall ensure that person identification data issued to wallet units contains the information required for authentication and validation of the person identification data.

  3. Providers of person identification data shall ensure that person identification data issued to wallet units complies with the technical specifications set out in the Annex.

  4. Member States shall ensure that the set of person identification data attributes issued to a given wallet user is unique.

  5. Providers of person identification data shall ensure that person identification data that they issue applies cryptographic binding to the wallet unit to which it is issued.

  6. Member States shall make publicly available a list of wallet solutions that they support for issuing person identification data.

  7. Member States shall enrol wallet users in accordance with the requirements relating to enrolment, as set out in Commission Implementing Regulation (EU) 2015/1502.

  8. Providers of person identification data shall identify themselves to wallet units using their wallet relying party access certificate when issuing person identification data to wallet units.

  9. Before issuing person identification data to wallet units, providers of person identification data shall authenticate and validate the wallet unit attestations of those wallet units using the wallet provider trusted list established in accordance with Implementing Regulation (EU) 2024/XXX as regards notifications to the Commission concerning European Digital Identity Wallets, and verify that the wallet unit belongs to a wallet solution that the provider of person identification data accepts.

Article 4: Issuance of electronic attestations of attributes to wallet units

  1. Electronic attestations of attributes issued to wallet units shall comply with the list of standards set out in Annex I of Implementing Regulation (EU) 2024/XXX as regards integrity and core functionalities.

  2. Providers of electronic attestations of attributes shall identify themselves to wallet units using their wallet relying party access certificate.

  3. Providers of electronic attestations of attributes shall ensure that electronic attestations of attributes issued to wallet units contain the information required for authentication and validation of those electronic attestations of attributes.

Article 5: Revocation of person identification data and electronic attestations of attributes

  1. Providers of person identification data or electronic attestation of attributes issued to a wallet unit shall have written and publicly accessible policies for validity status management, including, where applicable, the conditions under which such person identification data or electronic attestation of attributes can be revoked.

  2. Providers of person identification data or electronic attestation of attributes shall be the only entities able to revoke the person identification data or electronic attestations of attributes that they issued.

  3. Where providers of person identification data or electronic attestations of attributes have revoked person identification data or electronic attestations of attributes, they shall inform wallet users subject of those person identification data or electronic attestations of attributes without delay of the revocation and of the reasons for the revocation. This shall be done in a manner that is concise, easily accessible and using clear and plain language.

  4. Providers of person identification data or electronic attestation of attributes issued to a wallet unit shall revoke that data or attestation in each of the following circumstances:

    (a) upon the explicit request of the wallet user on whose wallet unit the person identification data or electronic attestation of attributes are stored;

    (b) where it is known to the providers that the security or trustworthiness of the person identification data or electronic attestation of attributes has been compromised;

    (c) upon becoming aware of the death or dissolution of the wallet user;

    (d) upon becoming aware that the value of one or more attributes in the person identification data or the electronic attestation of attributes has changed;

    (e) where the wallet unit to which the person identification data or electronic attestation of attributes was issued has been revoked;

    (f) in other situations determined by the providers of person identification data or electronic attestations of attributes in their policies referred to in paragraph 1.

  5. Providers of person identification data or of electronic attestation of attributes issued to a wallet unit shall ensure that revocations cannot be reverted.

  6. Where providers of person identification data or electronic attestations of attributes revoke person identification data and electronic attestations of attributes issued to wallet units, they shall make publicly available the validity status of person identification data or electronic attestations of attributes they issue and indicate the location of that information in the person identification data or electronic attestations of attributes.

Article 6: Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.