Preamble 41 to 50

(41) Public service providers use the person identification data available from electronic identification means pursuant to Regulation (EU) No 910/2014 to match the electronic identity of the users from other Member States with the person identification data provided to those users in the Member State performing the cross-border identity matching process.

However, in many cases, despite the use of the minimum data set provided under the notified electronic identification schemes, ensuring accurate identity matching when Member States act as relying parties requires additional information about the user and specific complementary unique identification procedures to be performed at national level.

To further support the usability of electronic identification means, provide better online public services and increase legal certainty in relation to the electronic identity of the users, Regulation (EU) No 910/2014 should require Member States to take specific online measures to ensure unequivocal identity matching when users intend to access online cross-border public services.


(42) When developing European Digital Identity Wallets, it is essential to take into consideration the needs of users. Meaningful use cases and online services relying on European Digital Identity Wallets should be available.

For the convenience of users and in order to ensure cross-border availability of such services, it is important to undertake actions in order to facilitate a similar approach to design, development and implementation of online services in all Member States.

Non-binding guidelines on how to design, develop and implement online services relying on European Digital Identity Wallets have the potential of becoming a useful tool to achieve that goal. Such guidelines should be prepared taking into account the interoperability framework of the Union. Member States should have a leading role when it comes to adopting those guidelines.


(43) In accordance with Directive (EU) 2019/882 of the European Parliament and of the Council (12), persons with disabilities should be able to use European Digital Identity Wallets, trust services and end-user products used in the provision of those services on an equal basis with other users.


(44) In order to ensure effective enforcement of this Regulation, a minimum for the maximum of administrative fines for both qualified and non-qualified trust service providers should be established. Member States should provide for effective, proportionate and dissuasive penalties. When determining the penalties, the size of the affected entities, their business models and the severity of the infringements should be duly taken into consideration.


(45) Member States should lay down rules on penalties for infringements such as direct or indirect practices leading to confusion between non-qualified and qualified trust services or to the abusive use of the EU trust mark by non-qualified trust service providers. The EU trust mark should not be used under conditions which, directly or indirectly, lead to the perception that any non-qualified trust services offered by those providers are qualified.


(46) This Regulation should not cover aspects related to the conclusion and validity of contracts or other legal obligations where there are requirements as regards form laid down by Union or national law. In addition, it should not affect national form requirements pertaining to public registers, in particular commercial and land registers.


(47) The provision and use of trust services and the benefits brought in terms of convenience and legal certainty in the context of cross-border transactions, in particular when qualified trust services are used, are becoming increasingly important for international trade and cooperation.

International partners of the Union are establishing trust frameworks inspired by Regulation (EU) No 910/2014. In order to facilitate the recognition of qualified trust services and of their providers, the Commission may adopt implementing acts to set the conditions under which trust frameworks of third countries could be considered equivalent to the trust framework for qualified trust services and providers thereof in this Regulation.

Such an approach should complement the possibility for the mutual recognition of trust services and providers thereof established in the Union and in third countries in accordance with Article 218 of the Treaty on the Functioning of the European Union (TFEU).

When setting out the conditions under which the trust frameworks of third countries could be considered to be equivalent to the trust framework for qualified trust services and providers thereof under Regulation (EU) No 910/2014, compliance with the relevant provisions in the Directive (EU) 2022/2555 of the European Parliament and of the Council (13) and Regulation (EU) 2016/679 should be ensured, as well as the use of trusted lists as essential elements to build trust.


(48) This Regulation should foster choice and the possibility of switching between European Digital Identity Wallets where a Member State has endorsed more than one European Digital Identity Wallet solution on its territory.

In order to avoid lock-in effects in such situations, where technically feasible, the providers of European Digital Identity Wallets should ensure the effective portability of data at the request of European Digital Identity Wallet users, and should not be allowed to use contractual, economic or technical barriers to prevent or to discourage effective switching between different European Digital Identity Wallets.


(49) To ensure the proper functioning of European Digital Identity Wallets, European Digital Identity Wallet providers need effective interoperability and fair, reasonable and non-discriminatory conditions for the European Digital Identity Wallets to access specific hardware and software features of mobile devices.

Those components could include, in particular, near field communication antennas and secure elements, including universal integrated circuit cards, embedded secure elements, microSD cards and Bluetooth Low Energy.

Access to those components could be under the control of mobile network operators and equipment manufacturers. Therefore, where needed to provide the services of European Digital Identity Wallets, original equipment manufacturers of mobile devices or providers of electronic communication services should not refuse access to such components.

In addition, the undertakings that are designated as gatekeepers for core platform services as listed by the Commission pursuant to Regulation (EU) 2022/1925 of the European Parliament and of the Council (14) should remain subject to the specific provisions of that Regulation, building on Article 6(7) thereof.


(50) In order to streamline the cybersecurity obligations imposed on trust service providers, as well as to enable those providers and their respective competent authorities to benefit from the legal framework established by Directive (EU) 2022/2555, trust services are required to take appropriate technical and organisational measures pursuant to that Directive, such as measures addressing system failures, human error, malicious actions or natural phenomena in order to manage the risks posed to the security of network and information systems which those providers use in the provision of their services as well as to notify significant incidents and cyber threats in accordance with that Directive.

With regard to the reporting of incidents, trust service providers should notify any incidents having a significant impact on the provision of their services, including such caused by theft or loss of devices, network cable damage or incidents that occur in the context of the identification of persons.

The cybersecurity risk management requirements and reporting obligations under Directive (EU) 2022/2555 should be considered to be complementary to the requirements imposed on trust service providers under this Regulation.

Where appropriate, established national practices or guidance in relation to the implementation of security and reporting requirements and supervision of compliance with such requirements under Regulation (EU) No 910/2014 should continue to be applied by the competent authorities designated under Directive (EU) 2022/2555. This Regulation does not affect the obligation to notify personal data breaches pursuant to Regulation (EU) 2016/679.


Note: This is the final text of Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024, establishing the European Digital Identity Framework.