What is the European Digital Identity Regulation?
The Regulation amends Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (‘the eIDAS Regulation’). This amendment is required, as digitalisation of all functions of society has increased dramatically. The provision of both public and private services is increasingly becoming digital after the COVID-19 pandemic.
The European Digital Identity will be available to EU citizens, residents, and businesses who want to identify themselves or provide confirmation of certain personal information. It can be used for both online and offline public and private services across the EU. Every EU citizen and resident in the Union will be able to use a personal digital wallet.
What is a digital identity?
A digital identity is a digital representation of a natural or legal person. It can be used during interactions and transactions.
Attributes contain information about a subject. This can include details such as the legal name or date of birth, as well as details from other organisations, such as professional qualifications, bank balance or medical history.
The information contained in a digital identity allows for the authentication of a user or the presentation of his/her digital attributes, giving him/her access to public or private services online or offline. The overall objective is to enable citizens and businesses to prove who they are or to prove their attributes/characteristics, without needing physical documents.
What is emerging in the market today is a new environment where the focus has shifted from the provision and use of digital identities to the provision and reliance on specific attributes related to those identities. For example, access to services may rely on the verification of qualifications or age (for example to buy alcohol online or enter a nightclub), or whether a person has been vetted.
While the issuance and acceptance of such attributes require that the person has been identified, it is the attribute and the fulfilment of its requirements that provides access to specific services and therefore takes centre stage over the provision of digital identity. A digital identity system that does not allow a seamless link with attributes and credentials is therefore no longer addressing current societal demands.
Latest news about the European Digital Identity Regulation
8 November 2023 - The European Commission welcomes the final agreement on EU Digital Identity Wallet
The Commission welcomes the final agreement reached by the European Parliament and the Council of the EU at the final trilogue on the Regulation introducing European Digital Identity Wallets.
This concludes the co-legislators' work implementing the results of the provisional political agreement reached on 29 June 2023 on a legal framework for an EU Digital Identity, the first trusted and secure digital identity framework for all Europeans.
This marks an important step towards the Digital Decade 2030 targets on the digitalisation of public services.
All EU citizens will be offered the possibility to have an EU Digital Identity Wallet to access public and private online services in full security and protection of personal data all over Europe.
In addition to public services, Very Large Online Platforms designated under the Digital Services Act (including services such as Amazon, Booking.com or Facebook) and private services that are legally required to authenticate their users will have to accept the EU Digital Identity Wallet for logging into their online services.
In addition, the wallets' features and common specifications will make it attractive for all private service providers to accept them for their services, thus creating new business opportunities.
The Wallet will also facilitate service providers' compliance with various regulatory requirements.
In addition to securely storing their digital identity, the Wallet will allow users to open bank accounts, make payments and hold digital documents, such as a mobile Driving Licence, a medical prescription, a professional certificate or a travel ticket.
The Wallet will offer a user-friendly and practical alternative to online identification guaranteed by EU law.
The Wallet will fully respect the user's choice whether or not to share personal data. It will offer the highest degree of security certified independently to the same standards, and relevant parts of its code will be published open source to exclude any possibility of misuse, illegal tracking, tracing or government interception.
The legislative discussions have strengthened the ambition of the regulation in a number of areas important for citizens.
The Wallet will contain a dashboard of all transactions accessible to its holder, offer the possibility to report alleged violations of data protection, and allow interaction between wallets.
Moreover, citizens will be able to onboard the wallet with existing national eID schemes and benefit from free eSignatures for non-professional use.
Where is the final text? What is the next step?
The agreement reached by the co-legislators is now subject to formal approval by the European Parliament and the Council.
Once formally adopted, the European Digital Identity framework will enter into force on the 20th day following its publication in the Official Journal.
Member States will have to provide EU Digital Identity Wallets to their citizens 24 months after adoption of Implementing Acts setting out the technical specifications for the EU Digital Identity Wallet and the technical specifications for certification.
29 June 2023 - Council and Parliament strike a deal on a European digital identity (eID).
With a view to ensuring secure, trusted, and seamless access to cross-border public and private services in the EU, the Council presidency and European Parliament representatives reached a provisional political agreement on the core elements of a new framework for a European digital identity (eID).
The revised regulation constitutes a clear paradigm shift for digital identity in Europe aiming to ensure universal access for people and businesses to secure and trustworthy electronic identification and authentication by means of a personal digital wallet on a mobile phone.
One of the main policy objectives of the revised regulation is to provide citizens and other residents, as defined by national law, with a harmonised European digital identity means based on the concept of a European digital identity wallet.
As an electronic identification means (‘eID means’) issued under national schemes, the wallet would be an eID means in its own right. The text of the provisional agreement further develops the concept of the wallet and its interplay with national electronic identification means.
Assurance levels should characterise the degree of confidence in the electronic identification means, thus providing assurance that the person claiming a particular identity is in fact the person to which that identity is assigned. In this respect, the wallet must be issued within an electronic identification system meeting the assurance level ‘high’. The provisional agreement also clarifies that the issuance, use for authentication and revocation of wallets should be free of charge to natural persons. The wallet will also provide the possibility of e-signatures to natural persons free of charge.
The revised regulation also offers a harmonised approach to security, for citizens relying on a European digital identity representing them online, and for online service providers who will be able to fully rely on and accept digital identity solutions independently of where they have been issued.
The new rules imply a shift for issuers of European digital identity solutions, providing a common technical architecture and reference framework and common standards to be developed with member states. Users would therefore be able to rely on an improved ecosystem for electronic identity and trust services recognised and accepted everywhere in the EU.
What is the next step? Technical work will continue to complete the legal text in accordance with the political agreement. When finalised, the text will be submitted to the member states’ representatives (Coreper) for endorsement. Subject to a legal/linguistic review, the revised regulation will then need to be formally adopted by the Parliament and the Council before it can be published in the EU’s Official Journal and enter into force.
6 December 2022 - The Council of the EU adopted its position (‘general approach’) on the proposed legislation regarding the framework for a European digital identity (eID). The revised regulation aims to ensure universal access for people and businesses to secure and trustworthy electronic identification and authentication by means of a personal digital wallet on a mobile phone.
June 2021 - The European Commission proposed a framework for a European digital identity that would be available to all EU citizens, residents and businesses, via a European digital identity wallet.
The proposed framework amends the 2014 regulation on electronic identification and trust services for electronic transactions in the internal market (eIDAS regulation), which laid the foundations for safely accessing public services and carrying out transactions online and across borders in the EU.
The proposal required member states to issue a digital wallet under a notified eID scheme, built on common technical standards, following compulsory certification. To set up the necessary technical architecture, speed up the implementation of the revised regulation, provide guidelines to member states and avoid fragmentation, the proposal was accompanied by a recommendation for the development of a Union toolbox defining the technical specifications of the wallet.
The European Digital Identity is available to any EU citizen, resident, or business in the EU who wants to use it. It is widely usable as a means of identification, or to confirm certain personal attributes for the purpose of access to public and private digital services across the EU. It gives users full control to choose which aspects of their identity, data and certificates they share with third parties, and to keep track of such sharing.
June 2021, European Commission, Proposal for a regulation establishing a framework for a European Digital Identity.
It aims to provide, for cross-border use:
- access to highly secure and trustworthy electronic identity solutions,
- that public and private services can rely on trusted and secure digital identity solutions,
- that natural and legal persons are empowered to use digital identity solutions,
- that these solutions are linked to a variety of attributes and allow for the targeted sharing of identity data limited to the needs of the specific service requested,
- acceptance of qualified trust services in the EU and equal conditions for their provision.
9 March 2021 - The Commission Communication entitled “2030 Digital Compass: the European way for the Digital Decade” sets the objective of a Union framework which, by 2030, leads to wide deployment of a trusted, user-controlled identity, allowing each user to control their own online interactions and presence.
1-2 October 2020 - The European Council called on the Commission to propose the development of a Union-wide framework for secure public electronic identification, including interoperable digital signatures, to provide people with control over their online identity and data as well as to enable access to public, private and cross-border digital services.
19 February 2020 - The Commission Communication entitled “Shaping Europe’s Digital Future” announced a revision of Regulation (EU) No 910/2014 of the European Parliament and of the Council with the aim of improving its effectiveness, extending its benefits to the private sector and promoting trusted digital identities for all Europeans.
Understanding the European Digital Identity Regulation
Ursula von der Leyen, President of the European Commission, in her State of the Union address (16 September 2020), said: "Every time an App or website asks us to create a new digital identity or to easily log on via a big platform, we have no idea what happens to our data in reality. That is why the Commission will propose a secure European e-identity. One that we trust and that any citizen can use anywhere in Europe to do anything from paying your taxes to renting a bicycle. A technology where we can control ourselves what data is used and how."
The European Digital Identity can be used, for example:
- in public services requesting birth certificates, medical certificates, reporting a change of address,
- in banking, opening a bank account,
- in filing tax returns,
- in applying for a university, at home or in another Member State,
- in storing a medical prescription that can be used anywhere in Europe,
- in proving information like age,
- in renting a car using a digital driving license,
- in checking in to a hotel.
Using the European Digital Identity: applying for a bank loan.
Applying for a bank loan is a process that typically includes numerous steps, from setting up appointments and having physical meetings, to collecting and signing all the paper documents - and repeating the operation if documents are missing.
By using the European Digital Identity, the user only has to select the necessary documents that are stored locally in his digital wallet to reply to the bank’s request. Then, verifiable digital documents are created and sent securely for verification to the bank, which can then continue with the application process.
The European Digital Identity Regulation sets out the harmonised conditions for the establishment of a framework for European Digital Identity Wallets to be issued by Member States, which should empower all Union citizens and other residents as defined by national law to share securely data related to their identity in a user friendly and convenient way under the sole control of the user.
All European Digital Identity Wallets will allow users to electronically identify and authenticate online and offline across borders for accessing a wide range of public and private services.
The European Digital Identity Wallets should also allow users to create and use qualified electronic signatures and seals which are accepted across the EU.
In order to streamline the cybersecurity obligations imposed on trust service providers, as well as to enable these providers and their respective competent authorities to benefit from the legal framework established by the NIS 2 Directive, trust services are required to take appropriate technical and organisational measures pursuant to the NIS 2 Directive, such as measures addressing system failures, human error, malicious actions or natural phenomena in order to manage the risks posed to the security of network and information systems which those providers use in the provision of their services as well as to notify significant incidents and cyber threats in accordance with the NIS 2 Directive.
With regard to the reporting of incidents, trust service providers should notify any incidents having a significant impact on the provision of their services, including those caused by theft or loss of devices, network cable damage or incidents that occurred in the context of identification of persons. The cybersecurity risk management requirements and reporting obligations under the NIS 2 Directive will be considered complementary to the requirements imposed on trust service providers under this Regulation.
Before the European Digital Identity Regulation
Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market (‘the eIDAS Regulation’) does not harmonise national European digital identities (eIDs), but enables their mutual recognition through a notification process.
There is currently no obligation for Member States to provide their citizens and businesses with eID enabling secure access to public services.
The eIDAS Regulation establishes three levels of assurance (low, substantial and high), and each level has certain minimum criteria and functional requirements. For the mutual recognition to work in practice, national eID schemes need to be interoperable.
While eIDAS plays an undisputed role in the internal market, a lot has changed since its adoption. eIDAS, adopted in 2014, is based on national eID systems following diverse standards and focuses on a relatively small segment of the electronic identification needs of citizens and businesses: secure cross-border access to public services.
Three examples, from the European Commission.
Example 1 – authenticating to an online service proving who you are: Kurt has moved to a country where a large number of public services can be accessed online. To access the online service required for the submission of the annual tax return, Kurt needs to identify and prove that he is who he claims to be using a digital identity solution. Using the eID issued by his home country, he is able to access the service thanks to eIDAS. Due to the Single Digital Gateway Regulation, from December 2023 on, Kurt will also be able to request from his home country the tax returns required to prove his income status from previous years, using the same eID.
Example 2 – use of an attribute offline: Sarah is in the queue for a nightclub and the door security guard asks for her ID. Instead of showing her physical ID card, which contains lots of personal information, she uses her digital identity. She signs in on her phone using secure biometric authentication and shows the QR code to the security guard. The security guard can then scan this code, see it is a valid identity, and receive confirmation that Sarah is over 18 years old, without seeing any more details such as her date of birth or address.
Example 3 – use of an attribute online: Carmen needs to travel to another country for work. She must provide a medical certificate before taking the job. Carmen will get the medical certificate that confirms she complies with the rules set by the employer. Whoever gave Carmen the certificate can add the information from this certificate as attributes to Carmen’s personal data store app (sometimes known as a ‘digital wallet’). This attribute (the medical certificate in this case) can be shared online with the employer before Carmen arrives in the country.
Cyber Risk GmbH