Articles, European Digital Identity Regulation



Preamble 31 to 40

(31) European Digital Identity Wallets should be secure-by-design and should implement advanced security features to protect against identity and other data theft, denial of service and any other cyber threat. Such security should include state-of-the-art encryption and storage methods that are accessible only to, and decryptable only by, the user and that rely on end-to-end encrypted communication with other European Digital Identity Wallets and relying parties. Additionally, European Digital Identity Wallets should require secure, explicit and active user confirmation for the operations performed via European Digital Identity Wallets.


(32) The use, free of charge, of European Digital Identity Wallets should not result in the processing of data beyond data that is necessary for the provision of European Digital Identity Wallet services.

This Regulation should not allow the processing of personal data stored in or resulting from the use of the European Digital Identity Wallet by the provider of the European Digital Identity Wallet for purposes other than the provision of European Digital Identity Wallet services. To ensure privacy, European Digital Identity Wallet providers should ensure unobservability by not collecting data and not having insight into the transactions of the users of the European Digital Identity Wallet. Such unobservability means that the providers are not able to see the details of the transactions made by the user.

However, in specific cases, on the basis of explicit prior consent by the user in each of those specific cases, and fully in accordance with Regulation (EU) 2016/679, providers of European Digital Identity Wallets could be granted access to the information necessary for the provision of a particular service related to European Digital Identity Wallets.


(33) The transparency of European Digital Identity Wallets and the accountability of their providers are key elements to creating social trust and trigger acceptance of the framework. The functioning of European Digital Identity Wallets should therefore be transparent and, in particular, allow for verifiable processing of personal data.

To achieve this, Member States should disclose the source code of the user application software components of European Digital Identity Wallets, including those that are related to processing of personal data and data of legal persons. The publication of this source code under an open-source licence should enable society, including users and developers, to understand its operation, audit and review the code. This would increase users’ trust in the ecosystem and contribute to the security of European Digital Identity Wallets by enabling anyone to report vulnerabilities and errors in the code.

Overall, this should provide suppliers with an incentive to deliver and maintain a highly secure product. However, in certain cases, the disclosure of the source code for the libraries used, communication channel or other elements that are not hosted on the user device, could be limited by Member States, for duly justified reasons, especially for the purpose of public security.


(34) The use of European Digital Identity Wallets as well as the discontinuation of their use should be the exclusive right and choice of users. Member States should develop simple and secure procedures for the users to request immediate revocation of validity of European Digital Identity Wallets, including in the case of loss or theft.

Upon the death of the user or the cessation of activity by a legal person, a mechanism should be established to enable the authority responsible for settling the succession of the natural person or assets of the legal person to request the immediate revocation of European Digital Identity Wallets.


(35) In order to promote the uptake of European Digital Identity Wallets and the wider use of digital identities, Member States should not only promote the benefits of the relevant services, but should also, in cooperation with the private sector, researchers and academia, develop training programmes aiming to strengthen the digital skills of their citizens and residents, in particular for vulnerable groups such as persons with disabilities and older persons. Member States should also raise awareness of the benefits and risks of European Digital Identity Wallets by means of communication campaigns.


(36) To ensure that the European Digital Identity Framework is open to innovation, technological development and future-proof, Member States are encouraged, jointly, to set up sandboxes to test innovative solutions in a controlled and secure environment in particular to improve the functionality, protection of personal data, security and interoperability of the solutions and to inform future updates of technical references and legal requirements.

That environment should foster the inclusion of SMEs, start-ups and individual innovators and researchers, as well as relevant industry stakeholders. Such initiatives should contribute to and strengthen the regulatory compliance and technical robustness of European Digital Identity Wallets to be provided to Union citizens and residents in the Union, thus preventing the development of solutions that do not comply with Union law on data protection or that are open to security vulnerabilities.


(37) Regulation (EU) 2019/1157 of the European Parliament and of the Council (11) strengthens the security of identity cards with enhanced security features by August 2021. Member States should consider the feasibility of notifying them under electronic identification schemes to extend the cross-border availability of electronic identification means.


(38) The process of notification of electronic identification schemes should be simplified and accelerated to promote access to convenient, trusted, secure and innovative authentication and identification solutions and, where relevant, to encourage private identity providers to offer electronic identification schemes to Member State’s authorities for notification as national electronic identification schemes under Regulation (EU) No 910/2014.


(39) Streamlining of the current notification and peer-review procedures will prevent heterogeneous approaches to the assessment of various notified electronic identification schemes and facilitate trust-building between Member States. New, simplified, mechanisms are intended to foster Member States’ cooperation on the security and interoperability of their notified electronic identification schemes.


(40) Member States should benefit from new, flexible tools to ensure compliance with the requirements of this Regulation and of the relevant implementing acts adopted pursuant thereto. This Regulation should allow Member States to use reports and assessments, performed by accredited conformity assessment bodies, as provided for in the context of certification schemes to be established at Union level under Regulation (EU) 2019/881, to support their claims on the alignment of the schemes or of parts thereof with Regulation (EU) No 910/2014.


Note: This is the final text of Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024, establishing the European Digital Identity Framework.