EUDI Wallet - Protocols and interfaces to be supported
COMMISSION IMPLEMENTING REGULATION (EU) 2024/XXX (DRAFT)
The European Commission has published a draft Implementing Act under REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market. This draft lays down specific rules for the European Digital Identity Wallets concerning the protocols and interfaces that must be supported to ensure interoperability and security across Member States.
The document contains all articles outlining the technical and operational requirements for the implementation of the European Digital Identity Wallets, including mechanisms for data protection, communication protocols, and the responsibilities of wallet providers and users.
Article 1: Subject matter and scope
This Regulation lays down rules on the interfaces and protocols of the wallet solutions.
Article 2: Definitions
For the purpose of this Regulation, the following definitions apply:
‘wallet user’ means a natural or legal person who is the subject of the person identification data associated with the wallet unit that they are in control of;
‘wallet unit’ means a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user;
‘wallet solution’ means a combination of software, hardware, services, settings, and configurations, including wallet instances, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices, and which is managed and operated by a wallet provider;
‘wallet provider’ means a natural or legal person who provides wallet solutions;
‘wallet instance’ means the application installed and configured on a wallet user’s device or environment, which is part of a wallet unit, and that the wallet user uses to interact with the wallet unit;
‘wallet secure cryptographic application’ means an application that manages critical assets by using the cryptographic functions provided by the wallet secure cryptographic device;
‘wallet secure cryptographic device’ means an environment that hosts the wallet secure cryptographic application and provides cryptographic functions;
‘critical assets’ means information that would put a wallet unit in a critical state in case the assets get compromised and therefore needs protection against duplication and tampering;
‘wallet cryptographic operation’ means a cryptographic mechanism necessary in the context of authentication of the wallet user and the issuance or presentation of person identification data or electronic attestations of attributes;
‘wallet relying party’ means a relying party that intends to rely upon wallet units for the provision of public or private services by means of digital interaction;
‘provider of person identification data’ means a natural or legal person responsible for ensuring that the person identification data of a user is cryptographically bound to a wallet unit;
‘wallet relying party access certificate’ means a certificate for electronic seals or signatures authenticating and validating the wallet relying party issued by a provider of wallet relying party access certificates;
‘provider of wallet relying party access certificates’ means a natural or legal person mandated by a Member State to issue relying party access certificates to wallet relying parties registered in that Member State;
‘wallet unit attestation’ means a data object that describes the components of the wallet unit, allowing authentication and validation of those components and is cryptographically bound to wallet secure cryptographic devices;
‘embedded disclosure policy’ means a set of rules, embedded in an electronic attestation of attributes by its provider, that indicates the conditions that a wallet relying party has to meet to access the electronic attestation of attributes;
‘cryptographic binding’ means the method to link person identification data or electronic attestations of attributes to wallet units through cryptographic means.
Article 3: General provisions
Wallet providers shall ensure that wallet units support protocols and interfaces that enable the following: a) Issuance of person identification data and electronic attestations of attributes to wallet units in accordance with Article 4; b) Presentation of attributes of person identification data or electronic attestations of attributes to wallet relying parties and other wallet units in accordance with Article 5; c) Communication of data erasure requests to wallet relying parties in accordance with Article 6; d) Reporting of wallet relying parties to supervisory authorities established under Article 51 of Regulation (EU) 2016/679 in accordance with Article 7.
Regarding the protocols and interfaces referred to in paragraph 1, points (a) and (b), wallet providers shall ensure that wallet units: a) When interacting with wallet relying parties, authenticate and validate the wallet relying party access certificates; b) When interacting with other wallet units, authenticate and validate the wallet unit attestations of other wallet units; c) Where applicable, authenticate and validate requests made using wallet relying party access certificates or wallet unit attestations from other wallet units; d) Display to wallet users information contained in the wallet relying party access certificates or, in the case of other wallet units, the wallet unit attestations, including, where applicable, the attributes that wallet users are being requested to present; e) Present wallet unit attestations of the wallet unit to wallet relying parties or wallet units that request it; f) Do not present any requested attributes to wallet relying parties or wallet units until the following requirements are met: i) The wallet secure cryptographic application has authenticated the identity of the wallet user; ii) Embedded disclosure policies have been processed within the wallet unit in accordance with Article 11 of Implementing Regulation 2024/XXX concerning integrity and core functionalities, where applicable; iii) Wallet users have approved the presentation.
Article 4: Issuance of person identification data and electronic attestations of attributes to wallet units
Wallet providers shall ensure that wallet solutions support protocols and interfaces for the issuance of person identification data and electronic attestations of attributes to wallet units.
Wallet providers shall ensure that wallet solutions request person identification data and electronic attestations of attributes only from parties having an authentic and valid wallet relying party access certificate issued to a provider of person identification data or provider of electronic attestations of attributes.
Wallet providers shall ensure that wallet units authenticate and validate wallet relying party access certificates using only the trusted list of providers of wallet relying party access certificates referred to in Article 18 of Implementing Regulation (EU) 2024/XXX concerning notifications to the Commission, before requesting the issuance of person identification data and verifying that the wallet relying party access certificate is issued to a provider of person identification data.
Article 5: Presentation of attributes to wallet relying parties
Wallet providers shall ensure that wallet solutions support protocols and interfaces for the presentation of attributes to wallet relying parties, remotely and in proximity, in accordance with the standard set out in the Annex.
Wallet providers shall ensure that wallet units respond to successfully authenticated and validated requests from wallet relying parties, as set out in Article 3, in accordance with the standard set out in the Annex.
Wallet providers shall ensure that wallet solutions support proving the possession of private keys corresponding to public keys used in cryptographic bindings.
Wallet providers shall ensure that wallet solutions support the selective disclosure of attributes of personal identification data and electronic attestations of attributes.
Article 6: Communication of data erasure requests
Wallet providers shall ensure that wallet solutions support protocols and interfaces allowing wallet users to request from wallet relying parties with whom they have interacted through those wallet units the erasure of their personal data provided through those wallet units, in accordance with Article 17 of Regulation (EU) 2016/679.
The protocols and interfaces referred to in paragraph 1 shall allow wallet users to select the wallet relying parties to which data erasure requests are to be submitted.
Wallet units shall display to the wallet user previously submitted data erasure requests made through those wallet units.
Article 7: Reporting of wallet relying parties to supervisory authorities established under Article 51 of Regulation (EU) 2016/679
Wallet providers shall ensure that wallet units allow wallet users to easily report wallet relying parties to supervisory authorities established under Article 51 of Regulation (EU) 2016/679 of the Member State that issued the electronic identification scheme under which the relevant wallet is provided.
Wallet providers shall implement the protocols and interfaces for reporting wallet relying parties in compliance with national procedural laws of the Member State that issued the electronic identification scheme under which the relevant wallet is provided.
Wallet providers shall ensure that wallet units allow wallet users to substantiate the reports, including by attaching relevant information to identify the wallet relying parties and the wallet users’ claims in machine-readable format.