On Nov. 8, EU CNCL confirmed provisional agreement reached on eID.
European digital identity update: Council and Parliament reach an agreement on eID.
Concerns proposal for regulation amending eIDAS Regulation (EIDAS Reg 910/2014).
Follows EU CNCL Jun. 2023 confirmed provisional agreement on eID, see #177663.
Digital Identity Wallet
The revised regulation constitutes a clear paradigm shift for digital identity, aiming to ensure universal access for people and businesses to secure, trustworthy electronic ID.
Under the new law, member states will offer citizens and businesses digital wallets that will be able to link national digital identities with proof of other personal attributes.
E.g. driving license, diplomas, bank account etc.; citizens will be able to prove identity and share electronic documents from their digital wallets on their mobile phone.
New European digital identity wallets will enable Europeans to access online services with national digital identification, which will be recognized throughout Europe, without having to use private identification methods or unnecessarily sharing personal data.
User control ensures that only information that needs to be shared will be shared.
Provisional Agreement
Since the initial provisional agreement on some of the main elements of the legislative proposal at end of June 2023 (see #177663), a thorough series of technical meetings followed in order to complete a text that allowed the finalization of the file in full.
Some relevant aspects agreed by the co-legislators today are set out below.
E-Signatures
Wallet will be free to use for natural persons by default, but states may provide for measures to ensure that the free-of-charge use is limited to non-professional purposes.
Wallet Business Model
The issuance, use and revocation will be free of charge for natural persons; validation of electronic attestation of attributes: states shall provide free-of-charge validation mechanisms only to verify authenticity and validity of wallet and of the relying parties.
Wallet Code
Application software components will be open source, but states are granted necessary leeway so that, for justified reasons, specific components other than those installed on user devices may not be disclosed; consistency between the wallet as an eID means and the underpinning scheme under which it is issued has been ensured.
QWACs
Finally, the revised law clarifies the scope of the qualified web authentication certificates (QWACs), which ensures that users can verify who is behind a website, while preserving the current well-established industry security rules and standards.
Next Steps
Technical work will continue to complete legal text in accordance with the agreement.
When finalized, text will be submitted to member states’ representatives (COREPER) for endorsement; subject to a legal/linguistic review, the revised regulation will then need to be formally adopted by Parliament and Council before it can be issued in OJ.
EP Statement
On same day, Parliament issued their own statement on the provisional agreement.
According to agreed text, the new Digital Identity Wallet will allow citizens to identify and authenticate themselves online without having to resort to commercial providers.
The EU wallet will be used on a voluntary basis; during negotiations, MEPs secured provisions to safeguard citizens’ rights and foster an inclusive digital system by avoiding discrimination against those opting not to use the digital wallet.
Agreement provides for free qualified electronic signatures for EU wallet users, which are the most trusted, and have the same legal standing as a handwritten signature, as well as wallet-to-wallet interactions, to improve the fluidity of digital exchanges.
MEPs have also mandated the wallet's open-source nature to encourage transparency, innovation and to enhance security; they set stringent rules for the registration and oversight of companies involved to ensure accountability and traceability.
Data Protection and Privacy
Via the so-called privacy dashboard, users will be able to have full control of their data and request that their data be deleted, as provided for under the GDPR Reg 2016/679.
Additionally, the right to use a pseudonym is enshrined in the legislation.
The legislation clarifies the scope of qualified website authentication certificates, which ensures that users can verify who is standing behind a website, while preserving the current well established industry security rules and standards.
Legislation will now have to be endorsed by both EP and Council before it becomes law; Industry, Research and Energy Committee will hold a vote on the file on Nov. 28.
EC Statement
On the same day, European Commission also issued statement welcoming the deal.
In addition to securely storing their digital identity, the wallet will allow users to open bank accounts, make payments and hold digital documents, such as a mobile driving license, a medical prescription, a professional certificate or a travel ticket.
The wallet will offer a user-friendly and practical alternative to online identification.
Will fully respect the user's choice whether or not to share personal data, it will offer the highest degree of security certified independently to the same standards, and relevant parts of code will be issued open source to exclude any possibility of misuse.
It will contain a dashboard of all transactions accessible to its holder, offer possibility to report alleged violations of data protection, and allow interaction between wallets.
Moreover, citizens will be able to onboard the wallet with existing national eID schemes and benefit from free eSignatures for non-professional use.
Feb. 27, 2024 EIDAS Regulation Corrigenda
On Feb. 27, 2024, EU CNCL issued notice of corrigenda to EIDAS Reg 910/2014.
Procedure 2(b) (obvious errors in a number of language versions).
New Digital Identity Wallet will allow citizens to identify and authenticate themselves online without having to resort to commercial providers, raising trust and security.
The EU wallet will be used on a voluntary basis; during negotiations, MEPs secured provisions to safeguard citizens’ rights and foster an inclusive digital system by avoiding discrimination against people opting not to use the digital wallet.
The law provides for free qualified electronic signatures for EU wallet users, which are the most trusted, and have the same legal standing as a handwritten signature, as well as wallet-to-wallet interactions, to improve the fluidity of digital exchanges.
MEPs have also mandated an open-source wallet to encourage transparency, innovation and to enhance security; they also set stringent rules for the registration and oversight of companies involved to ensure accountability and traceability.
Parliament gave green light to regulation with 335 votes to 190, with 31 abstentions.
It will now have to be formally endorsed by the EU Council of Ministers to become law.
Mar. 4, 2024 EU CNCL Note
On Mar. 4, 2024, EU CNCL issued information note on outcome of EP first reading.
When it voted on Feb. 29, 2024, the plenary adopted the compromise amendment (amendment number 6), as well as amendment 7 to the legislative resolution.
No other amendments were adopted; EC's proposal as thus amended constitutes the Parliament's first-reading position which is contained in its legislative resolution.
Parliament's position reflects what had been previously agreed between institutions.
The Council should therefore be in a position to approve the Parliament's position.
Act would then be adopted in the wording which corresponds to Parliament's position.
Mar. 18, 2024 Final Text of Act
On Mar. 18, 2024, EU CNCL issued final text (PE-CONS 68/23) of the act for adoption, with clerical correction concerning page 46, Article 1, point (3)(a), new point (2).
On the same day, it issued note concerning the proposed adoption of legislative act.
Coreper asked to confirm its agreement and to suggest that the Council approve the European Parliament's position, as set out in PE-CONS 68/23 + COR 1, as an "A" item at a forthcoming meeting; if the Council approves EP's position, act will be adopted.
Mar. 26, 2024 EU CNCL Adoption
On Mar. 26, 2024, EU CNCL adopted new framework for European digital identity (eID).
Document dated Mar. 26, 2024, was received on Mar. 27, 2024, due to a fixed feed.
Revised regulation will be published in Official Journal in coming weeks and will enter into force 20 days after its publication; regulation will be fully implemented by 2026.
Apr. 2024 Official Journal
On Apr. 30, 2024, EU CNCL issued final Reg 2024/1183 on the new eID framework.
Secure signature creation devices of which the conformity has been determined in accordance with Article 3(4) of Dir 1999/93/EC shall continue to be considered to be qualified electronic signature creation devices until May 21, 2027.
Qualified certificates issued to natural persons under Dir 1999/93/EC shall continue to be considered as qualified certificates for electronic signatures until May 21, 2026.
The management of remote qualified electronic signature and seal creation devices by qualified trust service providers other than qualified trust service providers providing qualified trust services for the management of remote qualified electronic signature and seal creation devices in accordance with Articles 29a and 39a may be carried out without the need to obtain the qualified status until May 21, 2026.
Qualified trust service providers granted qualified status before May 20, 2024, shall submit a conformity assessment report to supervisory body proving compliance with Article 24(1), (1a) and (1b) as soon as possible and in any event by May 21, 2026.
Regulation enters into force on the 20th day following OJ publication, May 20, 2024.