With a view to ensuring a trusted and secure digital identity for all Europeans, the EU Council presidency and European Parliament representatives reached on 8 November a provisional agreement on a new framework for a European digital identity (eID).
What is the European Digital Identity Wallet?
EU Digital Identity Wallets are personal digital wallets, in the form of apps allowing citizens to digitally identify themselves, store and manage identity data and official documents in digital form. These may include a driving licence, medical prescriptions or educational qualifications. Many citizens are already using digital wallets on their mobile phones to store their boarding passes when they travel or to keep their virtual bank cards for convenient payment. These wallets, often offered by online platforms, allow their users to log in to various services online, from shopping to reading news, but these logins do not necessarily give users full control over what data they share to identify themselves with online services. Moreover, there are no harmonised eID wallets provided by Member States. Under the new rules, EU Digital Identity Wallets issued by Member States will be available to everyone. With the EU Digital Identity Wallets, citizens will be able to prove, across the EU, their identity where necessary to access services online, to share digital documents, or simply to prove a specific personal attribute, such as age, without revealing their full identity or other personal details. Citizens will at all times have full control of the data they share and with whom.
What will change for Europeans?
The main novelty offered by the new rules is that all EU citizens, residents and businesses will have the right to have an EU Digital Identity Wallet which would be accepted in all Member States. Holding a wallet will be an entirely voluntary choice for citizens. Users will be able to control what personal data they want to share with online services. While public services and certain private services (large platforms and those required by law to use strong user authentication) will be obliged to recognise the EU Digital Identity Wallets, their highest security features and the legal certainty they bring will make it attractive for all private service providers to recognise them for their services, thus creating new business opportunities across the internal market.
Will the EU Digital Identity Wallet be used also for access to private services?
Yes. EU citizens should be able to use their EU Digital Identity Wallet for accessing digital services all across the Internet, including certain private services. As such, it improves the effectiveness and extends the benefits of secure and convenient digital identity to the private sector.
For some private services, acceptance of the wallet will be obligatory, notably where strong assurance of the identity of their customers is needed. This is the case, for example, for making payments, for opening bank accounts and for certain use cases in the areas of transport, energy, social security, health, drinking water, postal services, digital infrastructure, education or telecommunications. A requirement to recognise the wallet for authentication also applies to Very Large Online Platforms designated under the DSA, such as those provided by Meta, Amazon, Apple, Booking.com, TikTok or Zalando.
What can users do with the new EU Digital Identity Wallet?
Users will be able to use it to authenticate digitally when logging into both public and private online services across the EU, or authorise online transactions, in particular where strong user authentication is required. Examples of these could be accessing a bank account, initiating a payment or applying for a loan, submitting tax declarations, enrolling for a university, etc.
For what purpose can I use my EU Digital Identity Wallet?
Here are a few examples of how the European Digital Identity Wallet could be used once in place:
Use the EU Digital Identity Wallet: Peter has installed an EU Digital Identity Wallet on his mobile phone. It has been provided by his home country, ensuring that the wallet has been issued to him personally, relying on the highest security and data protection standards. Peter’s digital wallet allows him to download, store and use his basic personal data, a driving licence, a diploma, and a bank card he used to carry around in his physical wallet. The wallet will also allow Peter to sign electronically any digital transaction, such as an employment or rental contract.
Renting a car at an airport: Sarah used to queue at the rent-a-car counter of the airport. She would have to wait for the car rental company to scan a copy of the passport or identity card, the driving licence, the credit card and sign all documents. With the EU Digital Identity Wallet this could be done conveniently beforehand. Sarah will be able to head to the car park, pick up the car, and drive to her hotel. The car rental company may either give her the key in the parking lot or else enable the car to be started via the mobile phone.
Identify to an online service to prove who you are: Kurt has moved to a new country for work. He needs to register as a resident in the new country and he can use his EU Digital Identity Wallet for this purpose. Kurt can also use his wallet to prove his identity remotely for various online services in his new country of residence, such as to open a bank account, buy a SIM card for his mobile phone or subscribe to a public transport pass.
Booking hotel accommodation online: Myra would like to book a hotel room online. The minimum age to book a hotel room varies between 18 and 21 years old, depending on the hotel’s policies and the country’s laws. For this purpose, she has to prove that she has reached the required minimum legal age. If Myra chooses to use her EU Digital Identity Wallet to book her room online, she will be able to prove her age and other required personal information to complete the booking.
Will users be able to use the EU Digital Identity Wallet for banking?
Yes, citizens will be able to use the EU Digital Identity Wallet for identification and authentication for payments, opening an account and other services in full security and protection of personal data. In all these cases, the wallet will not replace, but complement solutions offered by banks.
Will users have to pay for the EU Digital Identity Wallet?
The use of the wallet, including electronic signatures for non-professional use, will be free for natural persons. Businesses may be subject to fees to use the wallet services, depending on Member States’ choice for the business model of the wallet. In practice, this may mean, for instance, that service providers such as telecom operators or credit card companies may be asked to pay for the identification services the wallet will offer when onboarding customers to new mobile phone contracts or credit cards. Using the wallet for sharing credentials and attributes may also incur costs to the providers of these attributes or credentials. The Commission will provide practical and non-binding guidelines to facilitate Member States’ implementation regarding the business model of the Wallet.
What is the added value of the EU Digital Identity Wallet compared to the current system?
Digital identification systems offered by governments in the EU today have several important shortcomings: they are not available to the whole population, they are often limited to online public services and they do not allow for seamless cross-border access.
The EU Digital Identity Wallets take a step change from the current system, offering personal digital wallets that are safe, free, convenient to use, protect personal data and can be used all over the EU to identify online and to share electronic documents. By offering a harmonised system all over the EU, the new rules move far beyond the existing cross-border legal framework for trusted digital identities, the European electronic identification and trust services initiative (eIDAS Regulation).
Adopted in 2014, the currently applicable eIDAS provides the basis for cross-border electronic identification, authentication and website certification within the EU. However, it does not contain any obligation for Member States to provide their citizens and businesses with a digital identification system enabling secure access to public services or to ensure their use across EU borders. Nor does it contain provisions regarding use of such identification for private services, or with mobile devices. This leads to discrepancies between countries.
Some countries offer identification systems to their citizens while others do not and, when they do, not all these systems can be used cross-border. At the time of adoption of the Commission proposal, 19 notified eID schemes were used by 14 Member States; take-up is low, their use is often cumbersome and business cases are very limited. This applies in particular to cross-border situations: at the time of adoption of the Commission proposal, only a small part of the online services in another country could in reality be accessed, while cross-border access to private services was not possible at all.
The EU set ambitious targets for the digital transformation; according to the Digital Decade Policy Programme, by 2030 all Europeans should have access to a voluntary digital ID and key public services online.
What happens to existing eIDs?
The EU Digital Identity Wallets will build on existing national systems. Today, not every person living in the EU has access to a means of digital identification. The EU Digital Identity Wallets will not replace but complement existing national solutions allowing for seamless identification and authentication in the public and private sector all over the EU and for sharing personal electronic attributes and credentials.
How can users obtain an EU Digital Identity Wallet?
Member States will offer the wallet to their citizens and residents at the national level. Everyone will be able to download, install and use the EU Digital Identity Wallet on their personal mobile phone or device. Member States can make use of national digital eID schemes to facilitate registering citizens for the wallet (with the help of additional security measures where necessary).
How is a high standard of security for European Digital Identity Wallets ensured in all Member States?
The EU eID Wallet takes a step change to the system of interconnecting national eID which exists today. It provides a fully harmonised framework which is implemented to common technical specifications in the same way in all Member States. All key features and requirements of the wallet will be implemented following common technical standards. This is one of the main innovations of the Regulation for a European Digital Identity Framework. It means that the wallet can be used in the same way in all Member States and offer users the same basic services and functionalities irrespective of which Member State issues it.
This will also ensure compliance with data protection rules all over Europe and include features such as a dashboard to allow the user to see the log of all interactions of the wallet, a possibility to download and transfer data and a possibility to directly lodge a complaint in case of data breaches. All technical specifications for the wallet are developed together with a group of experts of Member States. In addition, the progress of this work is put to public scrutiny and feedback. First sets have already been published on GitHub. Once the technical specifications are finalised, they will be made mandatory through implementing acts following the usual process of public consultation.
To ensure that these requirements are observed by all Member States, all wallets must be independently certified to the highest security standards. The certification system will also follow harmonised standards and the EU Cybersecurity Act. Until this system is fully operational, wallets will be certified at national level. However, in this transition period too, standards will be the same and the certification by national bodies will follow common standards established by implementing acts. In addition, all certification schemes will be submitted for opinion and recommendations to a joint board (European Digital Identity Cooperation Board) as an additional safeguard to ensure a harmonised approach and the highest degree of security.
Will the Commission provide for a unique European Digital Identity to replace national digital identities?
No, replacing national digital identities is not the aim of the Regulation. Digital identities will continue to be provided by Member States; however, the European Digital Identity Wallet will provide a harmonised platform to allow the use of national digital ID seamlessly in all EU Member States. The European Digital Identity framework extends the functionalities and usability of national eIDs by means of a personal digital wallet.
How will Member States participate in the new European Digital Identity Governance Framework?
The Regulation sets out a new comprehensive governance framework for both electronic identification and trust services to support the implementation and supervision of the European Digital Identity Framework.
The new governance framework notably includes a new cooperation and coordination body (European Digital Identity Cooperation Group) to advise the Commission in the preparation of implementing legislation, organise peer reviews, discuss requests for mutual assistance and exchange views, best practices and other information between all parties. The new set-up will improve the consistency and effectiveness of the current governance system and replace the current fragmented structure.
How will the systems be interoperable and work across different Member States?
The Regulation imposes common functionalities to all eID wallets issued by Member States.
Moreover, the Commission is working closely with Member States to develop common standards, technical specifications and protocols needed to ensure that all wallets operate in the same way across the EU and offer the same functionalities, security and data protection features.
The technical specifications will be made mandatory by means of implementing legislation ensuring that wallets in all Member States are fully interoperable and observe the same standards.
What is the Commission doing to help Member States prepare for deployment of the EU Digital Identity Wallet?
The Commission is in the process of developing a wallet prototype based on the technical specifications. The software will be available for voluntary use by Member States.
In addition, the Commission is co-funding four large-scale pilots under the Digital Europe Programme testing the wallet in a diverse range of everyday use cases, including providing identification to online and offline public and private services, displaying one’s mobile driving licence, authorising payments, exchanging diplomas, signing documents electronically, and presenting medical prescriptions.
The results of the pilots will enhance both the technical specifications and the wallet prototype.
When will the EU Digital Identity Wallet be operational?
Member States should issue the new EU Digital Identity Wallets 24 months after adoption of the implementing legislation setting out the full technical specifications for the wallet. The Implementing Act should be available 6 months after adoption of this new Regulation.
Why will the European Digital Identity Wallets be developed under an open-source licence?
Transparency on the technical set-up of the European Digital Identity Wallets is a key element to winning public trust and building a fully secure system. The legislator has decided that the European Digital Identity Wallet will be open-source licensed. The publication of the source code will contribute to public trust and improve the functionality and security of the wallet as everybody can scrutinize the technological set-up proposed and provide feedback on the choices made. Security weaknesses, bugs or malfunctions can be better identified and corrected in this way. Member States may limit the disclosure of parts of the source code for reasons of public security.
What is a Qualified Website Authentication Certificate (QWAC)?
A QWAC is a certificate that makes it possible to authenticate a website and that confirms that the person or company behind a website is genuine and legitimate. It gives assurance with a high level of confidence in the identity of the entity standing behind the website, irrespective of the platform used to display it.
As such, QWACs prevent identity fraud, protect the fundamental rights of European consumers in the digital world and are an important part of the European digital trust framework.
QWACs are issued by Qualified Trust Service Providers under close supervision by Member States’ authorities, similarly to all other qualified trust services.
National trusted lists may be used to confirm the qualified status of QWACs and of their trust service providers, including their full compliance with the requirements of this Regulation with regard to the issuance of qualified certificates for website authentication.
Will all (European) websites be required to use QWACs?
No. The provision and the use of website authentication services, including QWACs, is entirely voluntary.
Why should QWACs be recognised by web-browsers?
QWACs are electronic certificates that provide independent assurance of the authenticity of a website by certifying its ownership. They thereby improve the security and transparency of the Internet.
As QWACs attest the authenticity of websites, they require the technical support of web-browsers to function correctly. As web browsers have not voluntarily recognised QWACs since their creation by the eIDAS regulation in 2014, the Commission has proposed to make this recognition compulsory.
Recognition means that web browsers are required to ensure support and interoperability for the QWAC for the sole purpose of displaying identity data in a user-friendly manner. Recognition of QWACs implies that browsers shouldn’t question the origin, integrity or data in the certificate.
However, the requirement to recognise QWACs does not affect browser security policies and leaves web browsers free to preserve their own procedures and criteria for encryption and authentication of other certificates.
Source: European Commission