[To Eurosmart members only]

eIDAS 2: Publication of the JURI draft opinion

The Committee for Legal Affairs (JURI) of the European Parliament is in charge of drafting an opinion on the revision of eIDAS. This week, the JURI rapporteur, MEP Pascal Arimont (EPP, Belgium), published his draft opinion on eIDAS.

MEP Pascal Arimont modified the legislation to state that the Wallet should allow the user to consult the history of the transactions, transfer the Wallet's data, restore the access on a different device and block access to the Wallet in case of a security breach.

Interestingly, MEP Pascal Arimont deleted most of the references to the Digital Markets Act (Recital 21). The Commission's proposal stated that gatekeepers should give access to hardware and software features to providers of identification services. MEP Pascal Arimont deleted this part of the text.

The JURI Committee has exclusive competence on the legal effects of trust services, meaning that ITRE (leading Committee on the file) must integrate JURI amendments on this topic. For other issues, the JURI opinion is only advisory.

Transparency and privacy

MEP Pascal Arimont modified Article 6a on the Wallets to specify that "European Digital Identity Wallets shall enable the user in a manner that is transparent to and traceable by the user: to [+ list of functionalities]". In his view, this also means that the user should be able to access and request a copy of the list of actions, transactions or uses of electronic attestations of attributes or person identification data that the user has authorised.  

The draft opinion also insists on the possibility of using services anonymously or under a pseudonym unless specific rules say otherwise.

Security of the Wallet and Qualified Trust Services

Wallets

MEP Pascal Arimont also added in Recital 9 that "Wallets should be developed in a manner that ensures a high level of security, including the encryption of content". MEP Pascal Arimont also introduced a reference to the use of open-source technology or technologies reflecting the ability to function on major operating systems for the purpose of interoperability.

Echoing Eurosmart's proposal, MEP Pascal Arimont modified Article 6a to allow users to transfer and restore their Wallet's data and block access to the Wallet in case of a security breach.

Qualified trust services

Regarding qualified trust services, MEP Pascal Arimont specified that the supervisory body could withdraw their qualified status if they fail to comply with NIS 2 requirements.

In addition, he stated explicitly in Article 45c that "where a qualified electronic attestation of attributes has been suspended after initial issuance, it shall lose its validity for the duration of the suspension".

Technical and functionality requirements

MEP Pascal Arimont modified the definition of "electronic identification means" to state that they are used for authentication, online and offline, for public and private services. In addition, MEP Pascal Arimont made clear that Member States shall notify a European Digital Identity Wallet and not just any eID scheme within 12 months after entry into force.

MEP Pascal Arimont added a few Wallet functionality requirements in Article 6a. The Wallets shall not only enable the user to sign by means of qualified electronic signatures but also to use qualified electronic seals. The user should also be able to contact the support services of the Wallet issuer.

Regarding technical specifications and standards for the Wallet, MEP Pascal Arimont added in Recital 36 that the toolbox should include "recognised existing standards". MEP Pascal Arimont modified Article 6a to state that the Commission shall adopt delegated acts to supplement the Regulation to establish technical and operational specifications for the Wallet. The Commission should do so within six months of the Regulation's entry into force. For reference standards, the Commission should adopt implementing acts -as foreseen in the initial proposal.

MEP Pascal Arimont added an entire paragraph to Article 45d on the verification of attributes against authentic sources. The Commission shall adopt delegated acts to lay down technical specifications with reference to the catalogue of attributes and schemes for the attestation of attributes and verification procedures for qualified electronic attestations of attributes.

Reference to the Digital Markets Act

MEP Pascal Arimont's draft opinion contains very few words on the Digital Markets Act (DMA). The MEP decided to delete most of Recital 21 on the DMA. For instance, he deleted the part of the Recital that said that the DMA requires gatekeepers to allow business users and providers of ancillary service (e.g. identification) access to and interoperability with the same OS, hardware and software features that are available or used in the provision by the gatekeeper of any ancillary services. MEP Pascal Arimont's short version reads as follows:

21) This Regulation should rely on Regulation XXX/XXXX [Digital Markets Act], which, among others, requires gatekeepers to allow its business users to freely choose the identification service they want to use or interoperate with. This should cover European Digital Identity Wallets, or Member States' notified electronic identification means.

Recitals are not legally binding, but they are used to interpret the legislation (for instance, if a case is brought to Court). This amendment is a clear step backwards for the development of multiple identification solutions in the EU.

Next steps

Other MEPs from the JURI Committee will amend the draft opinion.

If you have any questions on this topic, please contact Camille Dornier - Policy Manager: camille.dornier@eurosmart.com