Preamble 21 to 30
(21) It is beneficial to facilitate the uptake and use of European Digital Identity Wallets by seamlessly integrating them with the ecosystem of public and private digital services already implemented at national, local or regional level.
To achieve that goal, it should be possible for Member States to provide for legal and organisational measures in order to increase flexibility for providers of European Digital Identity Wallets and to allow for additional functionalities of European Digital Identity Wallets to those provided for in this Regulation, including by enhanced interoperability with existing national electronic identification means.
Such additional functionalities should by no means be to the detriment of providing core functions of European Digital Identity Wallets provided for in this Regulation or promote existing national solutions over European Digital Identity Wallets. Since they go beyond this Regulation, such additional functionalities do not benefit from the provisions on cross-border reliance on European Digital Identity Wallets set out in this Regulation.
(22) European Digital Identity Wallets should include a functionality to generate user-chosen and managed pseudonyms, to authenticate when accessing online services.
(23) In order to achieve a high level of security and trustworthiness, this Regulation establishes the requirements for European Digital Identity Wallets. The conformity of European Digital Identity Wallets with those requirements should be certified by accredited conformity assessment bodies designated by Member States.
(24) In order to avoid divergent approaches and harmonise the implementation of the requirements laid down by this Regulation, the Commission should, for the purpose of certifying European Digital Identity Wallets, adopt implementing acts to establish a list of reference standards and, where necessary, to establish specifications and procedures for the purpose of expressing detailed technical specifications of those requirements.
To the extent that the certification of the conformity of European Digital Identity Wallets with relevant cybersecurity requirements is not covered by existing cybersecurity certification schemes that are referred to in this Regulation, and as regards non-cybersecurity requirements relevant to European Digital Identity Wallets, Member States should establish national certification schemes pursuant to the harmonised requirements set out in and adopted pursuant to this Regulation.
Member States should transmit their draft national certification schemes to the European Digital Identity Cooperation Group, which should be able to issue opinions and recommendations.
(25) Certification of conformity with the cybersecurity requirements established in this Regulation should, where available, rely on the relevant European cybersecurity certifications schemes established pursuant to Regulation (EU) 2019/881 of the European Parliament and of the Council, which establishes a voluntary European cybersecurity certification framework for ICT products, processes and services.
(26) In order to continuously assess and mitigate risks linked to security, certified European Digital Identity Wallets should be subject to regular vulnerability assessments aiming to detect any vulnerability in the certified product-related components, certified process-related components and certified service-related components of the European Digital Identity Wallet.
(27) By protecting users and companies from cybersecurity risks, the essential cybersecurity requirements laid down in this Regulation also contribute to enhancing the protection of personal data and privacy of individuals. Synergies on both standardisation and certification on cybersecurity aspects should be considered through the cooperation between the Commission, the European Standardisation Organizations, the European Union Agency for Cybersecurity (ENISA), the European Data Protection Board established by Regulation (EU) 2016/679 and the national data protection supervisory authorities.
(28) The onboarding of Union citizens and residents in the Union to the European Digital Identity Wallet should be facilitated by relying on electronic identification means issued at assurance level high.
Electronic identification means issued at assurance level substantial should be relied upon only where harmonised technical specifications and procedures using electronic identification means issued at assurance level substantial in combination with supplementary means of identity verification will allow the fulfilment of the requirements set out in this Regulation as regards assurance level high.
Such supplementary means should be reliable and easy to use and could be built on the possibility to use remote onboarding procedures, qualified certificates supported by qualified electronic signatures, qualified electronic attestation of attributes or a combination thereof.
To ensure sufficient uptake of European Digital Identity Wallets, harmonised technical specifications and procedures for the onboarding of users by using electronic identification means, including those issued at assurance level substantial, should be set out in implementing acts.
(29) The objective of this Regulation is to provide the user with a fully mobile, secure and user-friendly European Digital Identity Wallet. As a transitional measure until the availability of certified tamper-proof solutions, such as secure elements within the users’ devices, European Digital Identity Wallets should be able to rely upon certified external secure elements for the protection of the cryptographic material and other sensitive data or upon notified electronic identification means at assurance level high in order to demonstrate compliance with the relevant requirements of this Regulation as regards the assurance level of the European Digital Identity Wallet. This Regulation should be without prejudice to national conditions with regard to the issuance and use of a certified external secure element where the transitional measure is dependent on it.
(30) European Digital Identity Wallets should ensure the highest level of data protection and security for the purposes of electronic identification and authentication to facilitate access to public and private services, irrespective of whether such data is stored locally or on cloud-based solutions, taking due account of the different levels of risk.
Note: This is the final text of Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024, establishing the European Digital Identity Framework.