.svg)
The European Council has adopted its position on the proposed legislation for a European digital identity (eID) framework, making a fair amount of amendments in the process.
First touted in 2021, the revised regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS) regulation, which makes way for a pan-EU form of digital identity, aims to ensure universal access for people and businesses to trustworthy electronic identification and authentication by means of a personal digital wallet on a mobile phone.
The proposal requires member states to issue a digital wallet under a notified eID scheme, built on common technical standards and following a compulsory certification scheme.
Now that a position has been reached by the 27 national governments, the Council, which is made up of EU member state ministers, will be able to enter negotiations, with a view to reaching an agreement on the proposed regulation with the European Parliament — otherwise known as the trilogues — once the latter adopts its own position.
“Digital technologies can make our life so easy. I am convinced that a European digital identity wallet is indispensable for our citizens and businesses,” said Ivan Bartoš, deputy prime minister of the Czech Republic.
“We are looking at a massive advancement in how people use their identity and credentials in everyday contact with both public and private entities, and in how they use digital services,” he said. “All while firmly keeping control over their data.”
Plenty of changes
To set up the necessary technical architecture, speed up the implementation of the revised regulation, provide guidelines to member states and avoid fragmentation, the proposal was accompanied by a recommendation for the development of a EU-based toolbox defining the technical specifications of the wallet.
Among the amendments made, the Council’s text proposes that the implementing period of 24 months be counted from the adoption of the implementing acts.
The text also clarifies that the issuance, use for authentication and revocation of wallets should be free of charge to natural persons.
However, when wallets are used for authentication, services relying on the use of the wallet may incur costs, such as the issuance of the electronic evidence of attributes to the wallet.
The Council’s text tries to align with existing legislation, which ensures access to hardware and software features as part of core platform services provided by gatekeepers.
A newly-added provision clarifies that providers of wallets and issuers of notified electronic identification acting in a commercial or professional capacity are business users of gatekeepers within the meaning of the definition in the Digital Markets Act (DMA), which targets large technology companies and came into force last month.
Wording has also been added to outline the implication of the interlink with the DMA, namely that gatekeepers should be required to ensure hardware or software features that are available or used in the provision of their own complementary and supporting services.
According to the text, this needs to be free of charge and interoperable.
What is the digital wallet?
One of the main policy objectives of the proposal is to provide citizens and other residents, as defined by national law, with a harmonised European digital identity that is based on the concept of a European digital identity wallet.
The digital wallet would be an eID in its own right, based on the issuing of personal identification data and the wallet by member states.
Here, the Council’s amendments develop the concept of the wallet and its interplay with national electronic identification means.
One of the key issues that the Council appears to have tackled in its position is assurance levels, so that those who interact with eID can be confident that it belongs to the person in question.
This means that the assurance level, as set out by the eIDAS regulation already, must be “high”.
Here, ministers have suggested a specific provision on the onboarding of users to address the concerns of member states where a significant number of national eID means that the assurance level of “substantial” has already been issued.
The provision enables a user to use their national eID in conjunction with additional remote onboarding procedures. This aims to make identity proofing at assurance level “high” possible and, ultimately, mean that users can obtain a digital wallet.
As the draft eID regulation relies on cybersecurity certification schemes that should bring a harmonised level of trust in the security of wallets, the secure storage of cryptographic material is expected to become subject to cybersecurity certification too.
The Council’s recommended text contains a new recital addressing the technical preconditions of achieving a high assurance level and enabling a follow-up process within the implementation of European digital identity wallets.
“The regulation should leverage, rely on, and mandate the use of relevant and existing Cybersecurity Act certification schemes, or parts thereof, to certify the compliance of wallets, or parts thereof, with the applicable cybersecurity requirements,” the Council said.
Consequently, the Cybersecurity Act framework applies fully, including the peer review mechanism between national cybersecurity certification authorities provided within the Cybersecurity Act.
To align the eID regulation and the Cybersecurity Act to the largest extent possible, member states will designate public and private bodies accredited to certify the wallet as provided in the Cybersecurity Act.
Relying parties
In addition, the part of the digital identity proposal that focuses on the notification of relying parties has been rephrased.
As a rule here, the notification process through which the relying party communicates its intent to rely on the wallet should be cost-effective, proportionate to risk and ensure that the relying party provides at least the information necessary to authenticate to the wallet.
By default, only minimum information is required and the notification should allow for the use of automated or simple self-reporting procedures.
A specific regime may, however, be necessary due to sectoral requirements, such as those applicable to the processing of special categories of personal data. Here, a provision has been introduced by the Council aiming to cover cases where a more stringent registration or authorisation procedure is required.
Conversely, where EU or national law does not lay down specific requirements to access information provided by means of the wallet, member states may exempt such relying parties from the obligation to notify their intent to rely on wallets.
