Preamble 11 to 20
(11) European Digital Identity Wallets should facilitate the application of the ‘once only’ principle, thus reducing the administrative burden on and supporting cross-border mobility of Union citizens and residents in the Union and businesses across the Union and fostering the development of interoperable e-government services across the Union.
(12) Regulation (EU) 2016/679, Regulation (EU) 2018/1725 of the European Parliament and of the Council and Directive 2002/58/EC apply to the processing of personal data in the implementation of this Regulation.
Therefore, this Regulation should lay down specific safeguards to prevent providers of electronic identification means and electronic attestation of attributes from combining personal data obtained when providing other services with the personal data processed to provide the services falling within the scope of this Regulation. Personal data related to the provision of European Digital Identity Wallets should be kept logically separate from any other data held by the provider of the European Digital Identity Wallet.
This Regulation should not prevent providers of European Digital Identity Wallets from applying additional technical measures that contribute to the protection of personal data, such as physical separation of personal data related to the provision of European Digital Identity Wallets from any other data held by the provider. Without prejudice to Regulation (EU) 2016/679, this Regulation further specifies the application of principles of purpose limitation, data minimisation, and data protection by design and by default.
(13) European Digital Identity Wallets should have the function of a common dashboard embedded into the design, in order to ensure a higher degree of transparency, privacy and control of the users over their personal data. That function should provide an easy, user-friendly interface with an overview of all relying parties with whom the user shares data, including attributes, and the type of data shared with each relying party.
It should allow users to track all transactions executed through the European Digital Identity Wallet with at least the following data: the time and date of the transaction, the counterpart identification, the personal data requested and the data shared. That information should be stored even if the transaction was not concluded. It should not be possible to repudiate the authenticity of the information contained in the transaction history. Such a function should be active by default.
It should allow users easily to request the immediate erasure by a relying party of personal data pursuant to Article 17 of Regulation (EU) 2016/679 and easily to report the relying party to the competent national data protection authority where an allegedly unlawful or suspicious request for personal data is received, directly via the European Digital Identity Wallet.
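One way to realise the transaction history that recital (13) calls for, as an added example that is not part of the regulation or of any Member State's wallet implementation: each entry carries the four mandated fields plus whether the transaction was concluded, entries are hash-chained and authenticated with a wallet-held key (the key and all names here are constructed for the demo), and overview() produces the per-relying-party dashboard view.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption): a real wallet would keep this key, or a
# signing key, in tamper-resistant hardware so past entries cannot be forged.
WALLET_LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS_HASH = "0" * 64


def _canonical(body: dict) -> bytes:
    # Deterministic encoding so the same entry always hashes the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class TransactionHistory:
    """Append-only, hash-chained record of every wallet transaction."""

    def __init__(self, key: bytes = WALLET_LOG_KEY):
        self._key = key
        self._entries = []

    def record(self, timestamp, relying_party, requested, shared, concluded):
        """Store one transaction; unconcluded ones are recorded as well."""
        prev = self._entries[-1]["hash"] if self._entries else GENESIS_HASH
        body = {"timestamp": timestamp, "relying_party": relying_party,
                "requested": sorted(requested), "shared": sorted(shared),
                "concluded": concluded, "prev_hash": prev}
        digest = hashlib.sha256(_canonical(body)).hexdigest()
        mac = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
        self._entries.append({**body, "hash": digest, "mac": mac})
        return digest

    def verify(self) -> bool:
        """Recompute the chain; an edited, removed or reordered entry fails."""
        prev = GENESIS_HASH
        for entry in self._entries:
            body = {k: v for k, v in entry.items() if k not in ("hash", "mac")}
            digest = hashlib.sha256(_canonical(body)).hexdigest()
            mac = hmac.new(self._key, digest.encode(), hashlib.sha256).hexdigest()
            if (body["prev_hash"] != prev or digest != entry["hash"]
                    or not hmac.compare_digest(mac, entry["mac"])):
                return False
            prev = digest
        return True

    def overview(self) -> dict:
        """Dashboard view: every relying party and the data ever shared with it."""
        seen = {}
        for entry in self._entries:
            seen.setdefault(entry["relying_party"], set()).update(entry["shared"])
        return {rp: sorted(attrs) for rp, attrs in seen.items()}
```

An HMAC only gives the wallet holder tamper evidence; for the non-repudiation the recital requires, each entry's hash would instead be signed with a key held in the wallet's secure element so a third party can check it without sharing the secret.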
(14) Member States should integrate different privacy-preserving technologies, such as zero knowledge proof, into the European Digital Identity Wallet. Those cryptographic methods should allow a relying party to validate whether a given statement based on the person’s identification data and attestation of attributes is true, without revealing any data on which that statement is based, thereby preserving the privacy of the user.
(15) This Regulation sets out the harmonised conditions for the establishment of a framework for European Digital Identity Wallets to be provided by Member States. All Union citizens, and residents in the Union as defined by national law, should be empowered to securely request, select, combine, store, delete, share and present data related to their identity and request the erasure of their personal data in a user-friendly and convenient way, under the sole control of the user, while enabling selective disclosure of personal data. This Regulation reflects shared European values and respects fundamental rights, legal safeguards and liability, thus protecting democratic societies, Union citizens and residents in the Union.
Technologies used to achieve those objectives should be developed aiming towards the highest level of security, privacy, user convenience, accessibility, wide usability and seamless interoperability. Member States should ensure equal access to electronic identification to all their citizens and residents. Member States should not, directly or indirectly, limit access to public or private services to natural or legal persons not opting to use European Digital Identity Wallets and should make available appropriate alternative solutions.
(16) Member States should rely on the possibilities offered by this Regulation to provide, under their responsibility, European Digital Identity Wallets for use by the natural and legal persons residing on their territory. To offer Member States flexibility and leverage the state-of-the-art technology, this Regulation should enable provision of European Digital Identity Wallets directly by a Member State, under a mandate from a Member State, or independently of a Member State, but recognised by that Member State.
(17) For the purposes of registration, relying parties should provide the information necessary to allow for their electronic identification and authentication towards European Digital Identity Wallets.
When declaring their intended use of the European Digital Identity Wallet, relying parties should provide information regarding the data that they will request, if any, in order to provide their services and the reason for the request. Relying party registration facilitates the verification by Member States with regard to the lawfulness of the activities of the relying parties in accordance with Union law.
The obligation to register provided for in this Regulation should be without prejudice to obligations laid down in other Union or national law, such as the information to be provided to the data subjects pursuant to Regulation (EU) 2016/679. Relying parties should comply with the safeguards offered by Articles 35 and 36 of that Regulation, in particular by performing data protection impact assessments and by consulting the competent data protection authorities prior to data processing where data protection impact assessments indicate that the processing would result in a high risk.
Such safeguards should support the lawful processing of personal data by relying parties, in particular with regard to special categories of data, such as health data. The registration of relying parties is intended to enhance transparency and trust in the use of European Digital Identity Wallets. Registration should be cost-effective and proportionate to the related risks in order to ensure uptake by service providers. In that context, registration should provide for the use of automated procedures, including the reliance on and the use of existing registers by Member States, and should not entail a pre-authorisation process.
The registration process should enable a variety of use-cases that can differ in terms of mode of operation, whether online or in offline mode, or in terms of the requirement to authenticate devices for the purposes of interfacing with the European Digital Identity Wallet. Registration should apply exclusively to relying parties providing services by means of digital interaction.
(18) Safeguarding Union citizens and residents in the Union against the unauthorised or fraudulent use of European Digital Identity Wallets is of high importance for ensuring trust in and for the wide uptake of European Digital Identity Wallets. Users should be provided with effective protection against such misuse.
In particular, when facts that form the basis for fraudulent or otherwise illegal use of a European Digital Identity Wallet are established by a national judicial authority in the context of another procedure, supervisory bodies that are responsible for European Digital Identity Wallet issuers should, upon notification, take the necessary measures to ensure that the registration of the relying party and the inclusion of relying parties in the authentication mechanism are withdrawn or suspended until the notifying authority confirms that the irregularities identified have been remedied.
(19) All European Digital Identity Wallets should enable users to electronically identify themselves and authenticate online and in offline mode across borders to access a wide range of public and private services. Without prejudice to Member States’ prerogatives as regards the identification of their citizens and residents, European Digital Identity Wallets can also serve the institutional needs of public administrations, international organisations and the Union’s institutions, bodies, offices and agencies.
Authentication in offline mode would be important in many sectors, including in the health sector where services are often provided through face-to-face interaction and ePrescriptions should be able to rely on QR-codes or similar technologies to verify authenticity.
Relying on the assurance level high with regard to electronic identification schemes, European Digital Identity Wallets should benefit from the potential offered by tamper-proof solutions such as secure elements, to comply with the security requirements under this Regulation. European Digital Identity Wallets should also allow users to create and use qualified electronic signatures and seals which are accepted across the Union. Once on-boarded to a European Digital Identity Wallet, natural persons should be able to use it to sign with qualified electronic signatures, by default and free of charge, without having to go through any additional administrative procedures.
Users should be able to sign or seal self-claimed assertions or attributes. To achieve simplification and cost-reduction benefits for persons and businesses across the Union, including by enabling powers of representation and e-mandates, Member States should provide European Digital Identity Wallets that rely on common standards and technical specifications to ensure seamless interoperability and to adequately increase IT security, strengthen robustness against cyber-attacks and thus significantly reduce the potential risks of ongoing digitalisation for Union citizens, residents in the Union and undertakings.
Only Member States’ competent authorities can provide a high level of confidence in establishing the identity of a person and therefore provide assurance that the person claiming or asserting a particular identity is in fact the person he or she claims to be. It is therefore necessary for the provision of European Digital Identity Wallets to rely on the legal identity of Union citizens, residents in the Union or legal persons.
Reliance on the legal identity should not hinder European Digital Identity Wallet users from accessing services under a pseudonym, where there is no legal requirement for legal identity for authentication. Trust in European Digital Identity Wallets would be enhanced if issuing and managing parties are required to implement appropriate technical and organisational measures to ensure the highest level of security that is commensurate to the risks raised for the rights and freedoms of the natural persons, in accordance with Regulation (EU) 2016/679.
(20) The use of a qualified electronic signature should be free of charge to all natural persons for non-professional purposes. It should be possible for Member States to provide for measures to prevent the use of qualified electronic signatures for professional purposes by natural persons free-of-charge, while ensuring that any such measures are proportionate to identified risks and are justified.
Note: This is the final text of Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024, establishing the European Digital Identity Framework.