Adoption of eIDAS 2: paradigm shift for digital identity in Europe
- Posted 18.07.2024
What happened?
On 30 April 2024, the eIDAS 2 Regulation introducing a European Digital Identity Framework[1] (also known as “EUDI”) was published in the Official Journal of the European Union. This regulation amends the eIDAS Regulation[2], in particular by establishing a mandatory European Digital Identity Wallet that can be linked to the national digital identities of users and by expanding the list of trust services with new qualified trust services.
With the eIDAS 2 Regulation, the European Commission wanted to harmonize and secure digital identification across the European Union, with the aim of increasing security on the Internet and protecting users’ data, and to meet certain interoperability requirements in order to address the shortcomings of the eIDAS Regulation.
Key takeaways
The ID Wallet
The most significant change of the eIDAS 2 Regulation is the introduction of a fully mobile, secure and user-friendly European Digital Identity Wallet (the “ID Wallet”). This ID Wallet is defined as “an electronic identification means which allows the user to securely store, manage and validate person identification data and electronic attestations of attributes for the purpose of providing them to relying parties and other users of European Digital Identity Wallets, and to sign by means of qualified electronic signatures or to seal by means of qualified electronic seals.”
This is hence a means of electronic identification, for public or private services, characterised by citizens’ full control over their own data and interoperability between EU Member States. The ID Wallet has the structure of a digital ‘wallet’ in which verifiable data and official documents – so-called ‘attributes’ – can be collected (including, for example, driving licenses, diplomas and bank accounts).
General requirements for the ID Wallet are laid down to ensure that qualified electronic attestations of attributes by public authorities have the equivalent legal effect of lawfully issued attestations in paper form. The conformity of the ID Wallet with those requirements would be certified by accredited conformity assessment bodies or certified private entities designated by EU Member States. Hence, public authorities or accredited private entities will be able to issue wallets.
New trust services
Another novelty introduced by the eIDAS 2 Regulation is the designation of new trust services such as the electronic attestation of attributes, the management of remote electronic signature and seal creation devices, electronic archiving (i.e. a service that enables the receipt, storage, retrieval and deletion of electronic data and documents in order to ensure their durability and readability as well as to preserve their integrity, confidentiality and proof of origin throughout the storage period), or the recording of electronic data in an electronic ledger (i.e. a sequence of electronic data records that guarantees the integrity of these records and the accuracy of their chronological order).
Various requirements for qualified or non-qualified trust service providers
Qualified trust service providers will be, inter alia, subject, at their own expense and at least every 24 months, to an audit by a conformity assessment body in order to verify that they comply with the requirements of eIDAS 2 and Article 21 of the NIS2 Directive, i.e. cybersecurity risk-management measures.[3]
Non-qualified trust service providers will have to comply with notification obligations[4] and other additional requirements for managing legal, business, operational and other direct or indirect risks to the provision of the said non-qualified trust service.
Compliance with the GDPR[5]
The eIDAS 2 Regulation provides that any processing of personal data carried out by the Member States or on their behalf by bodies or parties responsible for the provision of European Digital Identity Wallets as electronic identification means shall be carried out in accordance with appropriate and effective data protection measures. Compliance of such processing with the GDPR shall be demonstrated.
What’s next?
eIDAS 2 entered into force on the 20th day following its publication in the Official Journal of the EU. Implementing acts from the Commission with the technical specifications for the ID Wallet will follow within 6 to 12 months thereafter. By way of illustration, by 21 November 2024 the Commission will have to establish a list of reference standards for the certification of the ID Wallet. Within 24 months from the date of entry into force of the implementing acts, EU Member States will have to make available at least one ID Wallet to all citizens and residents. The Commission will also eventually publish and maintain in a machine-readable form a list of certified ID Wallets.
[1] Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework.
[2] Regulation (EU) 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
[3] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive).
[4] Notably in case of any security breaches or disruptions in the provision of the service that have a significant impact on the trust service provided or on the personal data maintained therein.
[5] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.