This Implementing Regulation establishes detailed rules for certifying European Digital Identity Wallets (wallets) to ensure high levels of security and trust. It sets out requirements for national certification schemes, certification bodies, and wallet providers so that wallets can be verified to meet cybersecurity, data protection and functional requirements. The Regulation creates a harmonized framework for wallet certification across EU Member States through:
- Establishing national certification schemes that must cover functional, cybersecurity and data protection requirements
- Defining roles and responsibilities of scheme owners, certification bodies, and wallet providers
- Setting requirements for incident/vulnerability management and maintenance of certification schemes
- Specifying evaluation activities and lifecycle management for wallet certification
Key provisions include:
- Certification must verify wallets meet ‘high’ assurance level requirements for security
- Detailed requirements for evaluating wallet secure cryptographic applications and devices
- Mandatory surveillance evaluations and vulnerability assessments every 2 years
- Maximum 5-year validity period for certificates of conformity
- Public disclosure requirements for wallet security information
- Comprehensive risk register identifying security threats that must be addressed
The Regulation contains 9 detailed annexes covering aspects such as risk assessment methodology, evaluation procedures, certification documentation requirements, and surveillance schedules. It aims to create a robust and harmonized certification framework while allowing Member States flexibility in how they implement it.