On Tuesday 6 December, the EU Council adopted its position with a view to starting inter-institutional negotiations with the European Parliament on the future European Digital Identity Wallet (eID), which should provide EU citizens and businesses with a secure and reliable means of identification (see EUROPE 13053/7).
“We are facing a major breakthrough in the way people use their identity and credentials in their daily contact with public and private entities and in the way they use digital services. They do all of this while keeping a firm grip on their data”, commented the Czech Deputy Prime Minister for Digitisation, Ivan Bartoš.
In concrete terms, the text adopted by the Council of the EU primarily provides that ‘eID’ wallets should have a ‘high’ level of assurance, to ensure that the person claiming an identity is actually the holder.
Prompted by some Member States that have already implemented a wallet with a ‘substantial’ national means of assurance, a further provision has been introduced to allow users to use their national means of digital identification in conjunction with additional procedures to ensure the high level of assurance set by the future Regulation.
Part of the text also focusses on cyber security. On this point, the EU Council considers that the Regulation should build on existing certification schemes under the cyber security legislation (see EUROPE 12283/7), to certify the compliance of developed wallets.
Therefore, certain provisions of this legislation, such as the peer review mechanism between national cybersecurity certification authorities, should apply to the digital wallet. For their part, Member States should designate accredited public and private bodies to certify the wallet.
In addition, the part of the text dedicated to the notification of user parties has also been revised. Here, the text provides that only the minimum required information is needed to authenticate to the wallet. However, the text also contains specific provisions due to sectoral requirements, such as those applicable to the processing of special categories of personal data.
A number of provisions have been added to ensure that the text is properly linked to other existing regulations, such as the Digital Markets Act (DMA) (see EUROPE 13054/14). In this respect, gatekeepers would be required, inter alia, to ensure, free of charge, effective interoperability with “the same operating system, hardware or software features” for the wallet as those available or used for the provision of their own complementary services.
The text also states that “the issuance, use for authentication and revocation of wallets should be free of charge for natural persons”, but that where wallets are used for authentication, services that rely on the use of the wallet may incur costs, in particular for the issuance of electronic proof of wallet attributes.
Finally, Member States also agreed that the 24-month implementation period of the text should be calculated from the adoption of future implementing acts. (Original version in French by Thomas Mangin)