Preparing for the Regulations on European Digital Identity Wallets.

Emanuele Gambula – Lexify 21.08.2024

Connect with the Author

Email: [email protected] LinkedIn: LinkedIn Profile

Introduction

The European Digital Identity Framework established by Regulation (EU) No 910/2014 is a crucial component for enabling easier digital on-boarding of financial services establishment and an interoperable digital identity ecosystem across the European Union. In this regard, article 5a(23) of Regulation (EU) No. 910/2014 (“eIDAS Regulation”), as recently amended by Regulation (EU) No. 1183/2024 (“eIDAS 2 Regulation”) which entered into force in May of this year, mandates the European Commission, where necessary, to establish relevant specifications and procedures. This is achieved by means of four new EU Regulations on dealing with protocols and interfaces integrity and core functionalities of European Digital Identity Wallets (“EUDI wallets”), the person identification data, electronic attestation of attributes as well as the trust framework (collectively and individually defined as the “Implementing Regulations”). Please note that to date the Implementing Regulations are only drafts and the formal adoption by the European Commission is planned within the fourth quarter 2024[1].

The scope of these new Implementing Regulations is to establish various requirements for digital identities, expanding the functionalities and usability European digital identity and EUDI wallets. In this regard, EUDI wallet providers, as well as technology providers within this sector, are the most affected. An EUDI wallet concerns a digital identity, which is a digital representation of a natural or legal person that includes detailed information such as the legal name, date of birth, professional qualifications, bank balance, or medical history.

Implementing Regulation dealing with protocols and interfaces integrity and core functionalities of the wallets

Wallet secure cryptographic applications[2] are necessary not only for the protection of critical assets, such as cryptographic private keys, but also for the provision of crucial functionalities, such as the presentation of electronic attestations of attributes[3].The Implementing Regulation defines cryptographic application as “an application that manages critical assets by using the cryptographic functions provided by the wallet secure cryptographic device”. To ensure data protection by design and by default, the wallets should be provided with several privacy enhancing features, specifically:

  • the wallets are to be used without the wallet user being trackable across different wallet relying parties;
  • embedded disclosure policies should warn the wallet users against inappropriate disclosure of identity information;
  • implementation of privacy by default do not affect interoperability between wallets; and
  • The generation of pseudonyms should enable wallet users to authenticate themselves without providing wallet relying parties with unnecessary information.

In order to ensure that all wallets are technically capable of receiving and presenting person identification data and electronic attestations of attributes in cross-border scenarios without impairing interoperability, wallets should support predetermined types of data formats in accordance with the Implementing Regulation. In addition, wallets may support other formats and functionalities to facilitate specific use cases.

The Implementing Regulation defines wallet unit as “a unique configuration of a wallet solution that includes wallet instances, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a wallet provider to an individual wallet user” [4]. It is stated that at least one wallet unit attestation compliant with the requirements laid down in the Implementing Regulation, specifically: wallet providers shall ensure that each wallet unit contains wallet unit attestations that:

  1. describe the components of the wallet unit;
  2. allow authentication and validation of those components;
  3. are cryptographically bound to wallet secure cryptographic devices; and
  4. contain a public key, and that the corresponding private key is protected by the wallet secure cryptographic application.

One of the main obligations of the wallet providers is the request of users’ revocation of the wallet unit meaning that the wallet provider shall be capable of revoking wallet unit attestations for wallet units that they have provided. For this purpose, the wallet provider shall establish a publicly available policy specifying the conditions and the timeframe for the revocation of data objects relating to wallet units that they have provided.

Furthermore, specific standards are provided for wallet solutions that support the usage of person identification data and electronic attestations of attributes (e.g. ISO/IEC.18013-5:2021)[5]. Certain information shall be registered and kept stored especially when it comes to reports sent by the wallet user to the data protection authorities via their wallet unit. This data is (a) the time and date of the transaction; (b) the name of the corresponding wallet relying party; (c) the personal data presented in the transaction; (d) in the case of non-completed transactions, the reason for such non-completion (see Art. 9 of the Implementing Regulation).

Similarly to the article 20 of the EU Regulation 2016/679 (so-called “GDPR”), wallet providers must ensure backup and recovery of the data, included data listed above, of the wallet user to allow the wallet user to migrate free of charge to another wallet unit of the same wallet solution provided under the same electronic identification scheme[6].

The Implementing Regulation outlines obligations for wallet providers to ensure that their users can receive and use qualified electronic signatures or seals linked to qualified creation devices, whether these devices are local, external, or remote. Wallet providers must ensure that their solutions can interface with these devices to use the qualified certificates provided. Additionally, they must offer natural persons free access to signature creation applications for non-professional purposes, allowing them to create qualified electronic signatures at no cost.

Finally, wallet instances must be capable of verifying the qualified status of trust service providers that facilitate remote signing or sealing through the wallet. In this regard, the signature creation applications used by wallet units may be provided either by wallet providers, by providers of qualified trust services or by wallet relying parties in compliance with the requirements provided by the Implementing Regulation, including but not limited to the correct format of the supporting signatures or seals (e.g. PAdES, XAdES, JAdES etc.)[7].

Regulation dealing with the certification of the wallets

According to the Implementing Regulation on the certification of the wallets Member States shall establish national certification schemes for the purposes of the certification of a wallet solution and the electronic identification scheme under which that wallet solution is provided. Below it is outlined some topics that should be considered by those that provide or are involved in wallet solutions:

  • establish and maintain all necessary vulnerability management procedures, taking into account the procedures set out in existing European and international standards, including EN ISO/IEC 30111;
  • produce a vulnerability impact analysis report for any vulnerability that originates from the software components of the wallet solution, including the following information: (a) the impact of the vulnerability on the certified wallet solution; (b) possible risks associated with the proximity or availability of an attack; (c) whether the vulnerability can be remedied using available means; (d) where the vulnerability can be remedied using available means, possible ways to remedy the vulnerability. In addition, this analysis shall be transmitted, without undue delay, to the certification body;
  • maintain and operate a vulnerability management policy in accordance with the Annex I of the Cyber Resilience Act (to be issued). For the sake of completeness, Annex I of the Cyber Resilience Act will include several aspects such as: “(…) (b) ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems; (c) protect the confidentiality of stored, transmitted or otherwise processed data, personal or other, such as by encrypting relevant data at rest or in transit by state of the art mechanisms; (d) protect the integrity of stored, transmitted or otherwise processed data, personal or other, commands, programs and configuration against any manipulation or modification not authorised by the user, as well as report on corruptions (…)”[8];
  • be aware that national certification schemes shall contain a process for reviewing their operation on a periodic basis.

Furthermore, according to article 7 of the Implementing Regulation, the provider of the wallet solution and the electronic identification scheme under which the wallet solution is provided shall comply with the security criteria established by national certification schemes, which shall include inter alia the following requirements:

  • the essential requirements as set out in Annex I to the Cyber Resilience Act where applicable, or requirements meeting the security objectives set out in Article 51 of the Regulation (EU) 2019/881[9];
  • the establishment and implementation of policies and procedures concerning the management of risks associated with the operation of a wallet solution, including the identification and assessment of risks and the treatment of the identified risks;
  • requirements on the wallet solution’s operating environment, including in the form of assumptions on the security of the devices and platforms on which the software components of the wallet solution run, and where applicable and relevant, conformity assessment requirements to confirm that those assumptions are met on the relevant devices and platforms;

In addition, national certification schemes shall contain requirements[10] for the applicant for certification to provide or otherwise make available to the certification body the details on the wallet solution and its source code including but not limited to:

  • architecture information: for every component of the wallet solution (including product, process and service components), a description of its essential security properties, including its external dependencies;
  • functions and assurance levels: for every security function of the wallet solution, a description of the function and the required assurance level and a description of how the functions of the wallet are implemented using the different components of the wallet solution, based on a rationale explaining why a given assurance level is required, and how the function is implemented with all required security aspects at the appropriate level.

EUDI Wallets and MiCA Regulation: intersections

Considering that EUDI Wallets typically pertain to activities related to digital identity, and therefore represent a use case distinct from that associated with crypto-assets, we believe that the requirements established for EUDI Wallets should apply to entities falling within the scope of the eIDAS Regulation. Specifically, if a Crypto Asset Service Provider (“CASP”) or an issuer is also a trust service provider and it provides EUDI Wallets, then it will be subject to the requirements set forth by the eIDAS Regulation and its Implementing Regulations. Please note that the eIDAS Regulation defines trust service provider as a natural or a legal person who provides one or more trust services which consist of:

  • the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or
  • the creation, verification and validation of certificates for website authentication; or
  • the preservation of electronic signatures, seals or certificates related to those services[11].

For example, if a CASP is offering the service of custody and administration of crypto-assets on behalf of clients under the Regulation (EU) 2023/1114 (“MiCA Regulation”)[12] through an EUDI Wallet (e.g. through the creation of electronic signatures), such entity would be subject to the requirements set forth by the eIDAS Regulation and its Implementing Regulations, as described in the paragraphs above. In this regard, some operators are already aligning their technical and compliance requirements with the eIDAS Regulation and the relevant European regulatory framework[13].

With the introduction of EUDI Wallets, developers will have the opportunity to create solutions that integrate digital identity with digital attestations of personal attributes, effectively transforming customers’ phones into a comprehensive digital wallet. Specifically, EUDI Wallets could contain not only identification documents but also attestations of attributes associated with an individual’s or an enterprise’s digital identity. These digital attributes, such as those relating to residency, professional qualifications, driver’s licenses, and much more, can be utilized in various contexts, including in relation to the use of crypto-assets, such as Central Bank Digital Currencies (“CBDCs”).

Conclusion

In summary, the proposed Implementing Regulations establish a comprehensive framework for ensuring that digital wallet providers comply with stringent cybersecurity and data management standards including the necessity for cryptographic protections, privacy-enhancing features, and ensuring interoperability across different wallet solutions. Furthermore, wallet providers must adhere to certification requirements that involve vulnerability management, compliance with national and European standards, as well as rigorous security criteria provided by the relevant Regulation and the Cyber Resilience Act. By meeting these obligations, wallet providers will enhance the security, trustworthiness, and user-centric nature of digital wallets, which is crucial for fostering confidence in the digital identity ecosystem within the European Union.

At Lexify we assist our clients in navigating these complex regulatory requirements. Our expertise in cybersecurity, data protection, and compliance can help ensure that your EUDI Wallets solutions meet all necessary legal and technical standards providing comprehensive support to help you achieve compliance and build trust in the digital economy.


[1] See the following address: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14338-European-Digital-Identity-Wallets-trust-framework_en.

[2] See Article 2(5) of the Regulation.

[3] See Recital 4 of the Regulation.

[4] See Article 2(2) of the Regulation.

[5] See Annex I of the Regulation.

[6] See Article 13 of the Regulation.

[7] See Annex III of the Regulation.

[8] Available at the following address: https://eur-lex.europa.eu/resource.html?uri=cellar:864f472b-34e9-11ed-9c68-01aa75ed71a1.0001.02/DOC_2&format=PDF.

[9] See article 51 Regulation (EU)2019/881: “A European cybersecurity certification scheme shall be designed to achieve, as applicable, at least the following security objectives: (a) to protect stored, transmitted or otherwise processed data against accidental or unauthorised storage, processing, access or disclosure during the entire life cycle of the ICT product, ICT service or ICT process; (b) to protect stored, transmitted or otherwise processed data against accidental or unauthorised destruction, loss or alteration or lack of availability during the entire life cycle of the ICT product, ICT service or ICT process; (c) that authorised persons, programs or machines are able only to access the data, services or functions to which their access rights refer; (d) to identify and document known dependencies and vulnerabilities; (e) to record which data, services or functions have been accessed, used or otherwise processed, at what times and by whom; (f) to make it possible to check which data, services or functions have been accessed, used or otherwise processed, at what times and by whom; (g) to verify that ICT products, ICT services and ICT processes do not contain known vulnerabilities; (h) to restore the availability and access to data, services and functions in a timely manner in the event of a physical or technical incident; (i) that ICT products, ICT services and ICT processes are secure by default and by design; (j) that ICT products, ICT services and ICT processes are provided with up-to-date software and hardware that do not contain publicly known vulnerabilities, and are provided with mechanisms for secure updates.”

[10] See Article 7 of the Regulation.

[11] See article 3(16) of eIDAS Regulation.

[12] See article 3(1)(17).

[13] See, IOTA Identity Integrates Zero Knowledge Credentials, available at the following address: https://blog.iota.org/iota-identity-zero-knowledge/,


Connect with Us

Thank you for taking the time to read our article. We hope you found it informative and engaging. If you have any questions, feedback, or would like to explore our services further, we’re here to assist you.

Contact Information

For inquiries about our legal assistance, please contact us:

  • Phone: +41 774613847

Follow Us

Stay updated and connected with us on social media for the latest news, insights, and updates:

Retour en haut