Regulation (EU) No 910/2014 - implementing acts

Subject: Regulation (EU) No 910/2014 - implementing acts

The success of the eIDAS wallet provided for in Regulation (EU) No 910/2014 depends on the trust users place in this new digital identity system. The recent implementing act proposals from the Commission risk undermining that trust and violating the agreement with the European Parliament. The eIDAS system has to deliver the highest level of privacy and security, which means ensuring that users have control over their data and the transparency of the entire ecosystem.

In the implementing act on identity matching, the current Commission proposal contradicts the eIDAS Regulation and the agreement with Parliament.

1. Why is the Commission pushing for an extension of user identification to the provision of private services without an appropriate reference thereto in the basic act? Or could the Commission indicate what part of the basic act it is basing its position on?

2. How does the Commission justify the extension of the obligation for relying party registration to private services, despite the fact that private sector access to centralised systems for identity matching via unique identifiers is explicitly not mentioned in Article 11a Regulation (EU) No 910/2014 as a possible use case.

You may reply with additional information in an annex.

Submitted: 26.2.2025

Answer given by Executive Vice-President Virkkunen on behalf of the European Commission (26 March 2025)

The intention of Regulation (EU) No 910/2014 (1) as amended by Regulation (EU) 2024/1183 (2) is to enable all EU citizens and residents to identify in a secure way and under full protection of personal data for online public and private services. Providing digital identification guaranteed by governments to the private sector is therefore a basic objective of the regulation.

In addition, user identification by private services is mandated in paragraph 2 of Article 5f on the cross-border reliance on European Digital Identity Wallets in the basic act.

It specifically states that where ‘... strong user authentication for online identification or where strong user authentication for online identification is required by contractual obligation, including in the areas of transport, energy, banking, financial services, social security, health, drinking water, postal services, digital infrastructure, education or telecommunications, those private relying parties shall, ... also accept European Digital Identity Wallets that are provided in accordance with this regulation.’

Relying parties, whether private or public must register in the Member State where they are established in order to rely upon European Digital Identity Wallets.

As noted above, there is already a broad obligation for the private sector to rely upon the European Digital Identity Wallet for user authentication and identification.

As Regulation (EU) No 910/2014 is not regulating how to provide for identity matching for private relying parties, it is up to Member States how to tackle this.

1 ∙ ⸱ https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng

2 ∙ ⸱ https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202401183