REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL AMENDING REGULATION (EU) NO 910/2014 AS REGARDS ESTABLISHING A FRAMEWORK FOR A EUROPEAN DIGITAL IDENTITY

[Digital Identity Regulation, EDI Regulation, EDIR]

Summary

The Regulation aims at disseminating digital identity solutions across public and private services. The Regulation will create the European Digital Identity Wallet (EDIW) – an end-to-end solution for user authentication, delivery of user data to other entities, and qualified signatures and seals. Some vendors will be obliged to accept EDIW. The Regulation will also introduce regulations aimed at harmonizing digital identity solutions within the EU. In addition, the Regulation will define new qualified trust services and modify the existing obligations of their providers.

Impact

The Regulation will regulate the responsibilities of EDIW acceptors (trusting parties). Accepting EDIW will be mandatory for:

• providers who use strong user authentication for identification purposes in online services due to a legal or contractual obligation (applies in particular to financial market players),
• very large online platforms as defined by the Digital Services Act,
• Member States when they require electronic identification using an electronic identification means and authentication to access an online service provided by a public sector body.

The Regulation will also regulate the obligations of EDIW issuers (including, but not limited to, providing full user control over their e-wallet, or certification). EDIW issued in another Member State will be accepted. A mechanism for mutual recognition of other means of electronic identification will also be introduced.

The Regulation will introduce changes affecting existing trust service providers (including audit changes). New qualified trust services will also be created – electronic archiving, electronic records service, and management of remote electronic signature (seal) device.

Web browser vendors will be required to display qualified certificates for website authentication in a user-friendly manner.

Each Member State will be required to notify at least one electronic identification scheme (so far – under the current e-IDAS Regulation – not all Member States have done so).

Selected issues

European Digital Identity Wallets (EDIW) should be made available by member states within 24 months from the date the Commission adopts the so-called reference standards. Payment service providers are obliged to enable the use of EDIW as strong authentication (SCA) within 36 months of the above date. On 21/11/2024, the deadline for the Commission to adopt these standards passed. If they are adopted in 2024, then by the end of 2026 users should have EDIW on their phones, and by the end of 2027 they should be able to use their EDIW for strong authentication instead of a bank, SKOK, KIP or MIP application.

In 2027, the scope of mandatory SCA will be determined by the PSR, not the Polish Payment Services Act (ustawa o usługach płatniczych). The scope of SCA in the PSR is broadly similar to PSD2 (however, there are constant changes in the work of successive Presidencies). In addition to the PSR, the use of “strong authentication methods” (in Polish “robust” authentication) is also mentioned in RTS 1774 to DORA, but eIDAS requirements do not address this dimension.

The user will be able to perform SCA using any EDIW primarily in the account login scenario and in the remote transaction initiation scenario. In the case of transactions initiated by or through a payee in apps, it may mean the need for widespread implementation of app-to-app communication. In terms of so-called proximity transactions (POS, ATM, vending machines), the requirement to honor EDIW as SCA does not apply, even though the use of SCA is mandatory in them.

An EDIW provider that is not an enterprise as defined by DORA will not be an ICT TPSP. Nor will it be a regulated outsourcing. In this regard, it would be worthwhile to explicitly prejudge in the PSR that an EDIW provider is not a so-called TSP (technical service provider) participating in the SCA. The goal is to avoid the uncertainty relartive to their liability under Article 58 of the PSR or the obligation to enter into an outsourcing agreement under Article 87 of the PSR (numbering the provisions according to the first draft of the PSR).