FantasticSearch

1. For the purpose of ensuring that all natural and legal persons in the Union have secure, trusted and seamless cross-border access to public and private services, while having full control over their data, each Member State shall provide at least one European Digital Identity Wallet within 24 months of the date of entry into force of the implementing acts referred to in paragraph 23 of this Article and in Article 5c(6).

2. European Digital Identity Wallets shall be provided in one or more of the following ways:

(a) directly by a Member State;

(b) under a mandate from a Member State;

(c) independently of a Member State but recognised by that Member State.

3. The source code of the application software components of European Digital Identity Wallets shall be open-source licensed. Member States may provide that, for duly justified reasons, the source code of specific components other than those installed on user devices shall not be disclosed.

4. European Digital Identity Wallets shall enable the user, in a manner that is user-friendly, transparent, and traceable by the user, to:

(a) securely request, obtain, select, combine, store, delete, share and present, under the sole control of the user, person identification data and, where applicable, in combination with electronic attestations of attributes, to authenticate to relying parties online and, where appropriate, in offline mode, in order to access public and private services, while ensuring that selective disclosure of data is possible;

(b) generate pseudonyms and store them encrypted and locally within the European Digital Identity Wallet;

(c) securely authenticate another person’s European Digital Identity Wallet, and receive and share person identification data and electronic attestations of attributes in a secured way between the two European Digital Identity Wallets;

(d) access a log of all transactions carried out through the European Digital Identity Wallet via a common dashboard enabling the user to:

(i) view an up-to-date list of relying parties with which the user has established a connection and, where applicable, all data exchanged;

(ii) easily request the erasure by a relying party of personal data pursuant to Article 17 of the Regulation (EU) 2016/679;

(iii) easily report a relying party to the competent national data protection authority, where an allegedly unlawful or suspicious request for data is received;

(e) sign by means of qualified electronic signatures or seal by means of qualified electronic seals;

(f) download, to the extent technically feasible, the user’s data, electronic attestation of attributes and configurations;

(g) exercise the user’s rights to data portability.

5. European Digital Identity Wallets shall, in particular:

(a) support common protocols and interfaces:

(i) for issuance of person identification data, qualified and non-qualified electronic attestations of attributes or qualified and non-qualified certificates to the European Digital Identity Wallet;

(ii) for relying parties to request and validate person identification data and electronic attestations of attributes;

(iii) for the sharing and presentation to relying parties of person identification data, electronic attestation of attributes or of selectively disclosed related data online and, where appropriate, in offline mode;

(iv) for the user to allow interaction with the European Digital Identity Wallet and display an EU Digital Identity Wallet Trust Mark;

(v) to securely onboard the user by using an electronic identification means in accordance with Article 5a(24);

(vi) for interaction between two persons’ European Digital Identity Wallets for the purpose of receiving, validating and sharing person identification data and electronic attestations of attributes in a secure manner;

(vii) for authenticating and identifying relying parties by implementing authentication mechanisms in accordance with Article 5b; (viii) for relying parties to verify the authenticity and validity of European Digital Identity Wallets;

(ix) for requesting a relying party the erasure of personal data pursuant to Article 17 of Regulation (EU) 2016/679;

(x) for reporting a relying party to the competent national data protection authority where an allegedly unlawful or suspicious request for data is received;

(xi) for the creation of qualified electronic signatures or electronic seals by means of qualified electronic signature or electronic seal creation devices;

(b) not provide any information to trust service providers of electronic attestations of attributes about the use of those electronic attestations;

(c) ensure that the relying parties can be authenticated and identified by implementing authentication mechanisms in accordance with Article 5b;

(d) meet the requirements set out in Article 8 with regard to assurance level high, in particular as applied to the requirements for identity proofing and verification, and electronic identification means management and authentication;

(e) in the case of the electronic attestation of attributes with embedded disclosure policies, implement the appropriate mechanism to inform the user that the relying party or the user of the European Digital Identity Wallet requesting that electronic attestation of attributes has the permission to access such attestation;

(f) ensure that the person identification data, which is available from the electronic identification scheme under which the European Digital Identity Wallet is provided, uniquely represents the natural person, legal person or the natural person representing the natural or legal person, and is associated with that European Digital Identity Wallet;

(g) offer all natural persons the ability to sign by means of qualified electronic signatures by default and free of charge.

Notwithstanding point (g) of the first subparagraph, Member States may provide for proportionate measures to ensure that the use of qualified electronic signatures free-of-charge by natural persons is limited to non-professional purposes.

6. Member State shall inform users, without delay, of any security breach that could have entirely or partially compromised their European Digital Identity Wallet or its contents, in particular if their European Digital Identity Wallet has been suspended or revoked pursuant to Article 5e.

7. Without prejudice to Article 5f, Member States may provide, in accordance with national law, for additional functionalities of European Digital Identity Wallets, including interoperability with existing national electronic identification means. Those additional functionalities shall comply with this Article.

8. Member States shall provide validation mechanisms free-of-charge, in order to:

(a) ensure that the authenticity and validity of European Digital Identity Wallets can be verified;

(b) allow users to verify the authenticity and validity of the identity of relying parties registered in accordance with Article 5b.

9. Member States shall ensure that the validity of the European Digital Identity Wallet can be revoked in the following circumstances:

(a) upon the explicit request of the user;

(b) where the security of the European Digital Identity Wallet has been compromised;

(c) upon the death of the user or cease of activity of the legal person.

10. Providers of European Digital Identity Wallets shall ensure that users can easily request technical support and report technical problems or any other incidents having a negative impact on the use of European Digital Identity Wallets.

11. European Digital Identity Wallets shall be provided under an electronic identification scheme with assurance level high.

12. European Digital Identity Wallets shall ensure security-by-design.

13. The issuance, use and revocation of the European Digital Identity Wallets shall be free of charge to all natural persons.

14. Users shall have full control of the use of and of the data in their European Digital Identity Wallet. The provider of the European Digital Identity Wallet shall neither collect information about the use of the European Digital Identity Wallet which is not necessary for the provision of European Digital Identity Wallet services, nor combine person identification data or any other personal data stored or relating to the use of the European Digital Identity Wallet with personal data from any other services offered by that provider or from third-party services which are not necessary for the provision of European Digital Identity Wallet services, unless the user has expressly requested otherwise. Personal data relating to the provision of the European Digital Identity Wallet shall be kept logically separate from any other data held by the provider of the European Digital Identity Wallet. If the European Digital Identity Wallet is provided by private parties in accordance with paragraph 2, points (b) and (c), of this Article, the provisions of Article 45h(3) shall apply mutatis mutandis.

15. The use of European Digital Identity Wallets shall be voluntary. Access to public and private services, access to the labour market and freedom to conduct business shall not in any way be restricted or made disadvantageous to natural or legal persons that do not use European Digital Identity Wallets. It shall remain possible to access public and private services by other existing identification and authentication means.

16. The technical framework of the European Digital Identity Wallet shall:

(a) not allow providers of electronic attestations of attributes or any other party, after the issuance of the attestation of attributes, to obtain data that allows transactions or user behaviour to be tracked, linked or correlated, or knowledge of transactions or user behaviour to be otherwise obtained, unless explicitly authorised by the user;

(b) enable privacy preserving techniques which ensure unlinkability, where the attestation of attributes does not require the identification of the user.

17. Any processing of personal data carried out by the Member States or on their behalf by bodies or parties responsible for the provision of European Digital Identity Wallets as electronic identification means shall be carried out in accordance with appropriate and effective data protection measures. Compliance of such processing with Regulation (EU) 2016/679 shall be demonstrated. Member States may introduce national provisions to further specify the application of such measures.

18. Member States shall, without undue delay, notify the Commission of information about:

(a) the body responsible for establishing and maintaining the list of registered relying parties that rely on European Digital Identity Wallets in accordance with Article 5b(5) and the location of that list;

(b) the bodies responsible for the provision of European Digital Identity Wallets in accordance with Article 5a(1);

(c) the bodies responsible for ensuring that the person identification data is associated with the European Digital Identity Wallet in accordance with Article 5a(5), point (f);

(d) the mechanism allowing for the validation of the person identification data referred to in Article 5a(5), point (f), and of the identity of the relying parties;

(e) the mechanism by which to validate the authenticity and validity of European Digital Identity Wallets. The Commission shall make available the information notified pursuant to the first subparagraph to the public through a secure channel, in electronically signed or sealed form suitable for automated processing.

19. Without prejudice to paragraph 22 of this Article, Article 11 shall apply mutatis mutandis to the European Digital Identity Wallet.

20. Article 24(2), points (b), and (d) to (h), shall apply mutatis mutandis to providers of European Digital Identity Wallets.

21. European Digital Identity Wallets shall be made accessible for use, by persons with disabilities, on an equal basis with other users, in accordance with Directive (EU) 2019/882 of the European Parliament and of the Council ().

22. For the purposes of the provision of European Digital Identity Wallets, European Digital Identity Wallets and the electronic identification schemes under which they are provided shall not be subject to the requirements laid down in Articles 7, 9, 10, 12 and 12a.

23. By 21 November 2024, the Commission shall, by means of implementing acts, establish a list of reference standards and, where necessary, establish specifications and procedures for the requirements referred to in paragraphs 4, 5, 8 and 18 of this Article on the implementation of the European Digital Identity Wallet. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).