EUDI Wallet - Trust framework
COMMISSION IMPLEMENTING REGULATION (EU) 2024/XXX
The European Commission has published a draft Implementing Act under REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market. This draft lays down specific rules concerning notifications to the Commission regarding the European Digital Identity Wallet ecosystem. These rules are crucial for ensuring the trustworthiness and transparency of entities within the ecosystem, including wallet providers and relying parties.
The document outlines the process for notifying the Commission, the criteria for validation of identity providers and wallet units, and the publication of the necessary information, forming the core of the trust framework for the European Digital Identity system.
Article 1: Subject matter and scope
This Regulation establishes the trust framework for the validation of:
- the electronic registers used by a Member State to publish information on wallet relying parties registered in that Member State in accordance with Article 5b(5) of Regulation (EU) No 910/2014 (‘registers’), the location of the registers, and the identification of the registrars;
- the identity of the registered wallet relying parties;
- the authenticity and validity of wallet units;
- the identification of the wallet providers;
- the authenticity of person identification data;
- the identification of the providers of person identification data.
Article 2: Definitions
For the purpose of this Regulation, the following definitions apply:
‘wallet provider’ means a natural or legal person who provides wallet solutions;
‘wallet solution’ means a combination of software, hardware, services, settings, and configurations, including wallet instances, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices, and which is managed and operated by a wallet provider;
‘wallet instance’ means the application installed and configured on a wallet user’s device or environment, which is part of a wallet unit, and that the wallet user uses to interact with the wallet unit;
‘wallet secure cryptographic application’ means an application that manages critical assets by using the cryptographic functions provided by the wallet secure cryptographic device;
‘wallet secure cryptographic device’ means an environment that hosts the wallet secure cryptographic application and provides cryptographic functions;
‘critical assets’ means information that would put a wallet unit in a critical state in case the assets get compromised and therefore needs protection against duplication and tampering;
‘wallet cryptographic operation’ means a cryptographic mechanism necessary in the context of authentication of the wallet user and the issuance or presentation of person identification data or electronic attestations of attributes;
‘provider of person identification data’ means a natural or legal person responsible for ensuring that the person identification data of a user is cryptographically bound to a wallet unit;
‘wallet relying party’ means a relying party that intends to rely upon wallet units for the provision of public or private services by means of digital interaction;
‘wallet unit’ means a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user;
‘wallet user’ means a natural or legal person who is the subject of the person identification data associated with the wallet unit that they are in control of;
‘register’ means an electronic register used by a Member State to make information on wallet relying parties registered in that Member State publicly available as set out in Article 5b(5) of Regulation (EU) No 910/2014;
‘registrar’ means a natural or legal person mandated by a Member State to establish a register;
‘provider of wallet relying party access certificates’ means a natural or legal person mandated by a Member State to issue relying party access certificates to wallet relying parties registered in that Member State;
‘wallet relying party access certificate’ means a certificate for electronic seals or signatures authenticating and validating the wallet relying party issued by a provider of wallet relying party access certificates.
Article 3: Notifications system
1. The Commission shall make available to Member States a secure electronic notification system, enabling Member States to notify the information on the bodies and mechanisms referred to in Article 5a(18) of Regulation (EU) No 910/2014.
2. The secure electronic notification system shall comply with the technical requirements laid down in Annex I.
Article 4: Notifications by Member States
1. Member States shall submit, through the secure electronic notification system referred to in Article 3(1), at least the information specified in Annex II.
2. Member States shall make the notifications at least in English. Member States shall not be obliged to translate any document supporting the notifications where this would create an unreasonable administrative or financial burden.
3. The Commission may request additional information or clarifications from the Member States for the purpose of verifying the completeness and consistency of the notified information.
Article 5: Publications by the Commission
1. The Commission shall establish, maintain and publish a list compiling the necessary information notified by Member States on registrars and registers as referred to in Annex II section 1.
2. The Commission shall establish, maintain and publish a list compiling the necessary information notified by Member States on wallet providers, providers of person identification data and providers of wallet relying party access certificates, as referred to in Annex II sections 2, 3 and 4.
3. The Commission shall ensure the lists referred to in paragraphs 1 and 2 of this Article can be accessed:
- a) in both electronically signed or sealed form suitable for automated processing and through a human-readable website available in at least English;
- b) without the need to register or to be authenticated to obtain or read the lists;
- c) securely by using state-of-the-art transport layer encryption.
4. In addition to the publications of the lists referred to in paragraphs 1 and 2, the Commission shall publish:
- a) the technical specifications the Commission uses for the structure of the lists;
- b) the details of the URL where the lists are published;
- c) the certificates to be used to verify the signature or seal on the lists;
- d) the details on mechanisms used to validate future changes to the location referred to in point (b) or to the certificates referred to in point (c).