EUDI Wallet - Person identification data and electronic attestations of attributes
Commission Implementing Regulation (EU) 2024/2977, adopted on 28 November 2024, establishes detailed rules under Regulation (EU) No 910/2014 concerning issuing person identification data and electronic attestations of attributes to European Digital Identity Wallets. This regulation ensures that wallet solutions meet consistent standards across EU Member States, enabling secure and reliable electronic identification and authentication credentials storage. Defining technical and procedural requirements for data issuance and revocation enhances trust and interoperability within the European Digital Identity ecosystem, facilitating seamless and secure digital interactions across borders.
An electronic edition of the same is available here.
Article 1: Subject matter and scope
This Regulation lays down rules for the issuance of person identification data and electronic attestations of attributes to wallet units, to be updated on a regular basis to keep in line with technology and standards developments and with the work carried out on the basis of Recommendation (EU) 2021/946, and in particular the architecture and reference framework.
Article 2: Definitions
For the purpose of this Regulation, the following definitions apply:
‘wallet user’ means a user who is in control of the wallet unit;
‘wallet unit’ means a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user;
‘wallet solution’ means a combination of software, hardware, services, settings, and configurations, including wallet instances, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices;
‘provider of person identification data’ means a natural or legal person responsible for issuing and revoking the person identification data and ensuring that the person identification data of a user is cryptographically bound to a wallet unit;
‘wallet unit attestation’ means a data object that describes the components of the wallet unit or allows authentication and validation of those components;
‘wallet instance’ means the application installed and configured on a wallet user’s device or environment, which is part of a wallet unit, and that the wallet user uses to interact with the wallet unit;
‘wallet secure cryptographic application’ means an application that manages critical assets by being linked to and using the cryptographic and non-cryptographic functions provided by the wallet secure cryptographic device;
‘wallet secure cryptographic device’ means a tamper-resistant device that provides an environment that is linked to and used by the wallet secure cryptographic application to protect critical assets and provide cryptographic functions for the secure execution of critical operations;
‘wallet provider’ means a natural or legal person who provides wallet solutions;
‘critical assets’ means assets within or in relation to a wallet unit of such extraordinary importance that where their availability, confidentiality or integrity are compromised, this would have a very serious, debilitating effect on the ability to rely on the wallet unit;
‘wallet-relying party’ means a relying party that intends to rely upon wallet units for the provision of public or private services by means of digital interaction;
‘wallet-relying party access certificate’ means a certificate for electronic seals or signatures authenticating and validating the wallet-relying party issued by a provider of wallet-relying party access certificates;
‘provider of wallet-relying party access certificates’ means a natural or legal person mandated by a Member State to issue relying party access certificates to wallet-relying parties registered in that Member State.
Article 3: Issuance of person identification data to wallet units
Providers of person identification data shall issue person identification data to wallet units in accordance with the electronic identification schemes under which wallet solutions are provided.
Providers of person identification data shall ensure that person identification data issued to wallet units contains the information necessary for authentication and validation of the person identification data.
Providers of person identification data shall ensure that person identification data issued to wallet units comply with the technical specifications set out in the Annex.
Member States shall ensure that the person identification data issued to a given wallet user is unique for the Member State.
Providers of person identification data shall ensure that person identification data that they issue is cryptographically bound to the wallet unit to which it is issued.
Member States shall make publicly available a list of wallet solutions that are supported by providers of person identification data that is part of electronic identification schemes of that Member State.
Member States shall enroll wallet users in accordance with the requirements relating to enrolment at assurance level high, as set out in Commission Implementing Regulation (EU) 2015/1502 (11). In the context of the enrolment process, providers of person identification data shall perform identity verification of the wallet user in accordance with the requirements related to identity proofing and verification before issuing the person identification data to the wallet unit of the corresponding wallet user.
When issuing person identification data to wallet units, providers of person identification data shall identify themselves to wallet units using their wallet-relying party access certificate or by using another authentication mechanism in accordance with an electronic identity scheme notified at assurance level high.
Before issuing person identification data to a wallet unit, providers of person identification data shall authenticate and validate the wallet unit attestation of the wallet unit and verify that the wallet unit belongs to a wallet solution the provider of person identification data accepts or use another authentication mechanism in accordance with an electronic identity scheme notified at assurance level high.
Article 4: Issuance of electronic attestations of attributes to wallet units
Electronic attestations of attributes issued to wallet units shall comply with at least one of the standards in the list set out in Annex I of Implementing Regulation (EU) 2024/2979.
Providers of electronic attestations of attributes shall identify themselves to wallet units using their wallet-relying party access certificate.
Providers of electronic attestations of attributes shall ensure that electronic attestations of attributes issued to wallet units contain the information necessary for authentication and validation of those electronic attestations of attributes.
Article 5: Revocation of person identification data
Providers of person identification data issued to a wallet unit shall have written and publicly accessible policies relating to validity status management, including, where applicable, the conditions under which such person identification data can be revoked without delay.
Only providers of person identification data or electronic attestation of attributes can revoke the person identification data or electronic attestations of attributes issued by them.
Where providers of person identification data have revoked person identification data, they shall, through dedicated and secure channels, inform wallet users subject of those person identification data within 24 hours of the revocation and of the reasons for the revocation. This shall be done in a manner that is concise, easily accessible and using clear and plain language.
Where providers of person identification data revoke person identification data issued to wallet units, they shall do so in each of the following circumstances:
- (a) upon the explicit request of the wallet user to whose wallet unit the person identification data or electronic attestation of attributes were issued to;
- (b) where the wallet unit attestation to which the person identification data was issued to has been revoked;
- (c) in other situations determined by the providers of person identification data or electronic attestations of attributes in their policies referred to in paragraph 1.
Providers of person identification data issued to a wallet unit shall ensure that revocations cannot be reverted.
The revoked person identification data shall remain accessible for as long as required by Union law or national law.
Where providers of person identification data revoke person identification data issued to wallet units, they shall make publicly available the validity status of person identification data they issue, in a privacy preserving manner, and indicate the location of that information in the person identification data.
Providers of person identification data shall enable privacy preserving techniques which ensure unlinkability where the electronic attestations of attributes do not require the identification of the user.
Article 6: Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 28 November 2024.
ANNEX - TECHNICAL SPECIFICATIONS FOR PERSON IDENTIFICATION DATA REFERRED TO IN ARTICLE 3(3)
1. Set of natural person identification data
Table 1: Mandatory person identification data for the natural person
Data Identifier | Definition | Presence |
---|---|---|
family_name | Current last name(s) or surname(s) of the user to whom the person identification data relates. | Mandatory |
given_name | Current first name(s), including middle name(s) where applicable, of the user to whom the person identification data relates. | Mandatory |
birth_date | Day, month, and year on which the user to whom the person identification data relates was born. | Mandatory |
birth_place | The country as an alpha-2 country code as specified in ISO 3166-1, or the state, province, district, or local area or the municipality, city, town, or village where the user to whom the person identification data relates was born. | Mandatory |
nationality | One or more alpha-2 country codes as specified in ISO 3166-1, representing the nationality of the user to whom the person identification data relates. | Mandatory |
Where an attribute value is not known for the person or cannot otherwise be issued as part of the person identification dataset, Member States shall use an attribute value appropriate to the situation instead.
Table 2: Optional person identification data for the natural person
Table 2: Optional person identification data for the natural person
Data Identifier | Definition | Presence |
---|---|---|
resident_address | The full address of the place where the user to whom the person identification data relates currently resides or can be contacted (street name, house number, city, etc.). | Optional |
resident_country | The country where the user to whom the person identification data relates currently resides, as an alpha-2 country code as specified in ISO 3166-1. | Optional |
resident_state | The state, province, district, or local area where the user to whom the person identification data relates currently resides. | Optional |
resident_city | The municipality, city, town, or village where the user to whom the person identification data relates currently resides. | Optional |
resident_postal_code | The postal code of the place where the user to whom the person identification data relates currently resides. | Optional |
resident_street | The name of the street where the user to whom the person identification data relates currently resides. | Optional |
resident_house_number | The house number where the user to whom the person identification data relates currently resides, including any affix or suffix. | Optional |
personal_administrative_number | A value assigned to the natural person that is unique among all personal administrative numbers issued by the provider of person identification data. Where Member States opt to include this attribute, they shall describe in their electronic identification schemes under which the person identification data is issued the policy that they apply to the values of this attribute, including, where applicable, specific conditions for the processing of this value. | Optional |
portrait | Facial image of the wallet user compliant with ISO 19794-5 or ISO 39794 specifications. | Optional |
family_name_birth | Last name(s) or surname(s) of the person identification data user at the time of birth. | Optional |
given_name_birth | First name(s), including middle name(s), of the person identification data user at the time of birth. | Optional |
sex | Values shall be one of the following: 0 = not known; 1 = male; 2 = female; 3 = other; 4 = inter; 5 = diverse; 6 = open; 9 = not applicable. For values 0, 1, 2, and 9, ISO/IEC 5218 applies. | Optional |
email_address | Electronic mail address of the user to whom the person identification data relates [in conformance with RFC 5322]. | Optional |
mobile_phone_number | Mobile telephone number of the user to whom the person identification data relates, starting with the '+' symbol as the international code prefix and the country code, followed by numbers only. | Optional |
2. Set of legal person identification data
Table 3: Mandatory person identification data for the legal person
Data Element | Presence |
---|---|
Current legal name | Mandatory |
A unique identifier constructed by the sending Member State in accordance with the technical specifications for the purposes of cross-border identification and which is as persistent as possible in time. | Mandatory |
Where a data element is not known for the person or cannot otherwise be issued as part of the person identification dataset, Member States shall use an attribute value appropriate to the situation instead.
Table 4: Optional person identification data for the legal person
Data Element | Presence |
---|---|
Current address | Optional |
VAT registration number | Optional |
Tax reference number | Optional |
European unique identifier referred to in Directive (EU) 2017/1132 of the European Parliament and of the Council | Optional |
Legal Entity Identifier (LEI) referred to in Commission Implementing Regulation (EU) 2022/1860 | Optional |
Economic Operator Registration and Identification (EORI) referred to in Commission Implementing Regulation (EU) No 1352/2013 | Optional |
Excise number provided in Article 2(12) of Council Regulation (EU) No 389/2012 | Optional |
3. Set of metadata about person identification data
Table 5: Metadata about the person identification data
Data Identifier | Definition | Presence |
---|---|---|
expiry_date | Date (and if possible, time) when the person identification data will expire. | Mandatory |
issuing_authority | Name of the administrative authority that issued the person identification data, or the ISO 3166 alpha-2 country code of the respective Member State if there is no separate authority entitled to issue person identification data. | Mandatory |
issuing_country | Alpha-2 country code, as specified in ISO 3166-1, of the country or territory of the provider of the person identification data. | Mandatory |
document_number | A number for the person identification data, assigned by the provider of person identification data. | Optional |
issuing_jurisdiction | Country subdivision code of the jurisdiction that issued the person identification data, as specified in ISO 3166-2:2020, Clause 8. The first part of the code shall be the same as the value for the issuing country. | Optional |
location_status | The location of validity status information on the person identification data where the providers of person identification data revoke person identification data. | Optional |
4. Encoding of person identification data attributes
Person identification data shall be issued in two formats:
- The format specified in ISO/IEC 18013-5:2021.
- Verifiable Credentials Data Model 1.1, W3C Recommendation, 3 March 2022.
5. Trust infrastructure details
The list of providers of person identification data made available by the Commission in accordance with Implementing Regulation (EU) 2024/2980 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards notifications to the Commission concerning the European Digital Identity Wallet ecosystem shall enable authentication of person identification data.