The legal and technical road to EU Digital Identity Wallets

The European Digital Identity Framework (Regulation (EU) 910/2014 following amending Regulation (EU) 2024/1183) entered into force on 20 May 2024.

With the Regulation adopted, EU Digital Identity Wallets, which will transform how citizens verify their identity and securely and privately exchange information, will soon become a reality across the EU.

Here is a broad overview of the journey to adoption:

2014

Adoption

eIDAS Regulation (Regulation (EU) 910/2014) adopted.

2020

Evaluation

The European Commission evaluates the eIDAS regulation and carries out public consultations on the review of the eIDAS Regulation.

2021

Revision

The Commission proposes a revision of eIDAS regulation.

2024

Final vote and adoption

Trilogue negotiations between the European Parliament, the Council, and the Commission occurred, refining the proposed legislation, ending in a final vote and adoption on 30 April 2024.

Read on to learn more about the details of this legislative and technical journey that will culminate with widely adopted and technically developed EU Digital Identity Wallets.

In the beginning there was eIDAS

The adoption of the eIDAS regulation in 2014 (Regulation (EU) No 910/2014) sought to create a digital single market via electronic identification and trust services.

The eIDAS Regulation's goal was to create a common foundation for secure and seamless electronic interaction among citizens and public authorities.

eIDAS stands for "electronic IDentification, Authentication and trust Services". Each element of the name is represented in the three pillars that form the core of the Regulation:

  • eID: establishing a framework for mutual recognition of eID means across the EU;
  • Trust services: defining and regulating trust services such as electronic signatures, electronic seals and electronic time stamping;
  • Interoperability: creating rules to ensure that eIDs and trust services can be used cross-border.

Assessing eIDAS

Article 49 of the eIDAS Regulation mandated a review of the Regulation by 1 July 2020, and an assessment as to whether updates to the Regulation would be necessary, taking into account technological advancements made in the years following the entry into force, among other factors.

The European Commission launched an impact assessment of eIDAS Regulation in 2020, with a public consultation, targeted surveys, and in-depth interviews carried out with a broad range of public and private stakeholders.

It was found that an update was needed as implementation was uneven, with only 14 Member States notifying at least one eID scheme. While it created a strong foundation, it failed to achieve its overarching goal of promoting cross-border identification and authentication to public services.

The road to a new proposal to amend eIDAS

Following the impact assessment, the Commission drafted a proposal for amending the eIDAS Regulation, addressing the identified failings and gaps of the original Regulation that led to the limited uptake. These included, among other issues, the absence of any obligation for Member States to notify an eID scheme and a lack of private sector focus, which created no incentives for private sector eID usage.

The amending Regulation proposed many changes to address the dynamically changing technical and legal landscape. These include the increasing digitalisation of society, with a corresponding desire for seamless digital experiences, and the emergence of privacy issues. Numerous actors, including social media companies, have become de facto digital identity keepers, free to profit from citizens' personal data.

The amending Regulation addresses these failings, most notably by the new requirement for Member States to offer European Digital Identity Wallets that are privacy enhancing, giving citizens back control over their data when identifying themselves online and offline.

It would also help to achieve the Digital Decade target of 100% of EU citizens being able to use digital identity to access public services by 2030.

The legislation advances

The ordinary legislative procedure for EU legislation is both complex and lengthy, with the three main European institutions playing clearly defined roles:

The European Commission: It continues to participate throughout the process by providing opinions on amendments, facilitating negotiations between the Parliament and Council, and potentially withdrawing or modifying its proposal if necessary.

The European Parliament: Represents EU citizens and enters into negotiations with the European Council.

The European Council: Represents individual Member States and enters into negotiations with the European Parliament.

After the Commission launches a legislative proposal, the European Parliament and European Council must approve the Commission's proposal, with each institution able to amend, accept, or reject it through up to three readings until they reach agreement; otherwise the proposal fails.

Trilogue negotiations and the final vote

Once their negotiating positions are finalised, the three institutions meet in informal Trilogue meetings with the aim of reaching a political agreement and drafting a legislative text that can be adopted.

Once the legislative text is finalised, it is submitted for a final vote in the Parliament and Council. The Parliament adopted the EU Digital Identity Regulation on 29 February 2024 and the Council on 26 March 2024. It was published on 30 April 2024 in the Official Journal of the European Union and entered into force on 20 May 2024.

Implementing Acts to come

When uniform implementation of an EU Regulation across every Member State is required, implementing acts are adopted, detailing the technical or legal requirements for implementation. You can find a full overview of every implementing act, including its current status and timeline as well as links to each act, on our EU Digital Identity Regulation page.

Implementing acts are adopted through a process called Comitology. We'll explain how this works in more detail in our next article.

What does the adoption of the legislation mean?

The European Digital Identity Regulation amends the original eIDAS Regulation: it updates Articles of the latter or introduces new ones. Concretely, this means that both texts form the legal basis - to get the whole picture, you need to read them side-by-side. To facilitate this, a consolidated version is available.

The 2024 text is referred to colloquially as the "European Digital Identity Regulation" because it introduces some important changes as to the management of digital identities, namely using wallets, stating that everyone in the EU has the "right to a digital identity that is under their sole control and that enables them to exercise their rights in the digital environment and to participate in the digital economy."

The European Digital Identity Framework is the tool to create a digital identity that is under citizen control. It seeks to create a harmonised means of safe, privacy-enhancing digital identification that is available to every citizen, resident, and business to access online public and private services across Europe and to enhance the right of citizens to participate in the digital society safely. It does so via three main pillars:

European Digital Identity Wallets: Each Member State will have to provide at least one European Digital Identity Wallet to its citizens. They will be able to use the wallet to authenticate to digital services on top of safely storing, sharing, and signing digital documents.

Trust services: Trust services are regulated digital services designed to ensure the security, authenticity, and integrity of electronic transactions. The new European Digital Identity Framework introduces, amongst others, the ability of citizens to sign by means of qualified electronic signatures (QES) through the Wallet, free of charge for personal use.

eID Schemes: They form the foundation for secure and trustworthy digital identities across the Union. The Regulation aims to enhance the way individuals and businesses access online services while promoting interoperability and ensuring security.

New legal obligations

  • Member States must offer at least one European Digital Identity Wallet to every citizen within 24 months as of the adoption of implementing acts setting out the core functionalities and certification of the wallets. This means wallets will become available by the end of 2026. Member States can offer a wallet directly themselves, mandate an external party to create a wallet, or recognise a wallet created by the private sector.
  • Various actors in the EU Digital Identity Wallet ecosystem, including wallet providers and trust service providers will each have to follow specific rules.
  • It will be mandatory for public authorities to accept EU Digital Identity Wallets when they are issued by Member States at the end of 2026.

Stay tuned for a deep dive into the technical work behind EU Digital Identity Wallets, and how it pioneered a more agile way to create EU legislation.

What are the Large Scale Pilots?

Large Scale Pilot projects are currently test driving the many use cases of the EU Digital Identity Wallet in the real world.
