EUDI Wallet - Trust framework

Commission Implementing Regulation (EU) 2024/2980, adopted on 28 November 2024, establishes detailed rules for the application of Regulation (EU) No 910/2014 concerning notifications to the Commission within the European Digital Identity Wallet ecosystem. This regulation specifies the procedures and requirements for Member States to notify the Commission about trusted entities, including wallet providers, providers of person identification data, and wallet-relying parties. By defining these notification protocols, the regulation aims to enhance transparency and trust within the European Digital Identity Framework, ensuring that authenticated entities operate securely and reliably across the Union.

An electronic edition of the regulation is available here.

Article 1: Subject matter and scope

This Regulation establishes obligations in relation to notifications that enable the validation of:

  1. the electronic registers used by a Member State to publish information on wallet-relying parties registered in that Member State in accordance with Article 5b(5) of Regulation (EU) No 910/2014 (‘registers of wallet-relying parties’), the location of the registers of wallet-relying parties, and the identification of the registrars of wallet-relying parties;

  2. the identity of the registered wallet-relying parties;

  3. the authenticity and validity of wallet units;

  4. the identification of the wallet providers;

  5. the authenticity of person identification data;

  6. the identification of the providers of person identification data;

to be updated on a regular basis to keep in line with technology and standards developments and with the work carried out on the basis of Recommendation (EU) 2021/946, and in particular the architecture and reference framework.

Article 2: Definitions

For the purpose of this Regulation, the following definitions apply:

  1. ‘wallet provider’ means a natural or legal person who provides wallet solutions;

  2. ‘provider of person identification data’ means a natural or legal person responsible for issuing and revoking the person identification data and ensuring that the person identification data of a user is cryptographically bound to a wallet unit;

  3. ‘wallet-relying party’ means a relying party that intends to rely upon wallet units for the provision of public or private services by means of digital interaction;

  4. ‘register of wallet-relying parties’ means an electronic register used by a Member State to make information on wallet-relying parties registered in that Member State publicly available as set out in Article 5b(5) of Regulation (EU) No 910/2014;

  5. ‘registrar of wallet-relying parties’ means the body responsible for establishing and maintaining the list of registered wallet-relying parties established in their territory who has been designated by a Member State;

  6. ‘wallet unit’ means a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user;

  7. ‘wallet solution’ means a combination of software, hardware, services, settings, and configurations, including wallet instances, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices;

  8. ‘wallet instance’ means the application installed and configured on a wallet user’s device or environment, which is part of a wallet unit, and that the wallet user uses to interact with the wallet unit;

  9. ‘wallet secure cryptographic application’ means an application that manages critical assets by being linked to and using the cryptographic and non-cryptographic functions provided by the wallet secure cryptographic device;

  10. ‘wallet secure cryptographic device’ means a tamper-resistant device that provides an environment that is linked to and used by the wallet secure cryptographic application to protect critical assets and provide cryptographic functions for the secure execution of critical operations;

  11. ‘critical assets’ means assets within or in relation to a wallet unit of such extraordinary importance that where their availability, confidentiality or integrity are compromised, this would have a very serious, debilitating effect on the ability to rely on the wallet unit;

  12. ‘wallet user’ means a user who is in control of the wallet unit;

  13. ‘provider of wallet-relying party access certificates’ means a natural or legal person mandated by a Member State to issue relying party access certificates to wallet-relying parties registered in that Member State;

  14. ‘wallet-relying party access certificate’ means a certificate for electronic seals or signatures authenticating and validating the wallet-relying party issued by a provider of wallet-relying party access certificates.

Article 3: Notification system

  1. The Commission shall make available to Member States a secure electronic notification system, no later than twelve months after the publication of this Regulation in the Official Journal of the European Union, enabling Member States to notify the information on the bodies and mechanisms referred to in Article 5a(18) of Regulation (EU) No 910/2014.

  2. The secure electronic notification system shall comply with the technical requirements laid down in Annex I.

Article 4: Notifications by Member States

  1. Member States shall submit, through the secure electronic notification system referred to in Article 3(1), at least the information specified in Annex II.

  2. Member States shall make the notifications at least in English. Member States shall not be obliged to translate any document supporting the notifications where this would create an unreasonable administrative or financial burden.

  3. The Commission may request additional information or clarifications from the Member States for the purpose of verifying the completeness and consistency of the notified information.

Article 5: Publications by the Commission

  1. The Commission shall establish, maintain and publish a list compiling the information notified by Member States on registrars of wallet-relying parties and registers of wallet-relying parties as referred to in Annex II section 1.

  2. The Commission shall establish, maintain and publish a list compiling the information notified by Member States on wallet providers, providers of person identification data and providers of wallet-relying party access certificates, as referred to in Annex II sections 2, 3 and 4.

  3. The Commission shall ensure the lists referred to in paragraphs 1 and 2 of this Article can be accessed:

    (a) in both electronically signed or sealed form suitable for automated processing and through a human-readable website available in at least English;

    (b) without the need to register or to be authenticated to obtain or read the lists;

    (c) securely by using state-of-the-art transport layer encryption.

  4. In addition to the publications of the lists referred to in paragraphs 1 and 2, the Commission shall publish:

    (a) the technical specifications the Commission uses for the structure of the lists;

    (b) the details of the URL where the lists are published;

    (c) the certificates to be used to verify the signature or seal on the lists;

    (d) the details on mechanisms used to validate changes to the location referred to in point (b) or to the certificates referred to in point (c).

Article 6: Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 28 November 2024.