European digital identity framework – Towards the interinstitutional discussions

Eurosmart’s recommendations on Council’s general approach

The Council of the European Union announced, on 6 December 2022, the adoption of its general approach on the Proposal for a Regulation amending Regulation (EU) No 910/2014 as regards Establishing a Framework for a European Digital Identity.

Ahead of the interinstitutional discussions (Trilogues), Eurosmart shares its policy and technical position to initiate an active debate between the co-legislators.

The European Digital Security industry is pleased that the legislative process is progressing. The Council’s current position constitutes a real improvement; however, it falls short of addressing some of the concerns shared between different stakeholders represented by Eurosmart.

Executive summary

Eurosmart calls upon the co-legislators to carefully review some essential provisions with regard to:

1. EU digital wallet’s level of assurance

Eurosmart supports the interaction of the wallet with national electronic identification schemes and means. This approach allows the wallet to rely on electronic identification means (e.g. electronic identity document) to carry out an electronic authentication with the strength matching the level of assurance “high”. Moreover, Eurosmart welcomes the generic principle whereby the on-boarding of a wallet with a level of assurance “high” could be achieved using an electronic identification means of level of assurance “high” or “substantial”.

2. Security Certification

Eurosmart recommends requesting new security certification schemes from ENISA as soon as possible under the Cybersecurity Act (Regulation 2019/881), covering security certification of software, biometric technologies, services, and processes.

3. Access to hardware and software features including the Secure Element

To ensure consistency, Eurosmart considers that the exemption decided by the Member States for relying parties to authenticate to the wallet should be subject to an implementing act. The rules for exemption should also match the requirements for data protection (decided by the Member State where the wallet is issued).

4. Notification of relying parties

Eurosmart recommends adding providers of electronic identification means as business users of gatekeepers within the meaning of the respective definition in the Digital Markets Act. Moreover, additional provisions should be included to prevent gatekeepers from claiming unjustified potential security risks to refuse access to virtual assistants, software components, hardware components and operating systems.

5. The alternate possibilities to issue electronic attestation of attributes by public bodies

Eurosmart welcomes the possibility that electronic attestation of attributes, with the same legal effects as a qualified electronic attestation of attributes, may be issued to the Wallet directly by the public sector body responsible for the authentic source or by a designated public sector body on behalf of a public sector body responsible for an authentic source.

6. Record Matching

The proposed definition of record matching in article 3(55) remains unclear and introduces substantial ambiguities. Eurosmart recommends using the following definition: “Record matching means a process where person identification data or unique and persistent identifier are matched with or linked to an existing account belonging to the same person.”