A new draft amendment to EU Regulation No 910/2014 establishes a framework for a European Digital Identity.
Link to the regulations:
The new draft regulation gives all EU citizens the ‘inalienable right’ to a digital identity, the main points being that it is under their sole control and lets them exercise their rights as citizens in the digital environment and participate in the digital economy.
This right is achieved by using new technologies, including:
- cryptographically verifiable identifiers,
- unique user-generated digital pseudonyms,
- self-sovereign identities and domain-specific identifiers.
This means that, for the first time, Self-Sovereign Identity may be formally written into law.
Self-Sovereign Identity (SSI) is an approach to digital identity that gives individuals control of their digital identities.
SSI addresses the difficulty of establishing trust in an interaction. To be trusted, one party in an interaction will present credentials to the other parties, and those relying parties can verify that the credentials came from an issuer they trust. This way, the verifier’s trust in the issuer is transferred to the credential holder.
To support such technical standards, a ‘European Digital Identity Wallet’ will ‘allow the user to store and manage identity data credentials and attributes linked to her/his identity, to provide them to relying parties on request’.
Interestingly, Member States are obliged to provide at least one wallet that serves this purpose.
The EU Commission shall keep a public register of all issuers of European Digital Identity Wallets, including their main specifications.
Another important part is that the Regulation supports the ‘once only’ principle: citizens of the EU should not have to provide the same data for KYC / KYB processes more than once.
Issuers, verifiers, and identity wallet providers must also be technically unable to obtain any information about the use of the Wallet or the identity attributes beyond what the user has explicitly consented to, maintaining privacy by design and supporting GDPR by default.
Relying parties must state to the user a clear and lawful purpose for each request to access credentials; each request must be necessary and proportionate for the relying party’s intended use case and follow the principle of data minimization.
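As an added illustration, not code from the draft regulation or from any EU reference implementation, the Go sketch below models the trust triangle from the SSI paragraph above together with the data-minimization requirement just described: an issuer signs a list of salted attribute digests, the holder’s wallet presents only the requested attributes with their salts, and the relying party checks the issuer against a trust registry before accepting anything. The issuer identifier, the hash-based selective-disclosure scheme and the registry map are assumptions of this example, not something the draft specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
	"strings"
)

// Credential: issuer-signed list of salted attribute digests; the holder can reveal any subset under one signature.
type Credential struct {
	Issuer  string
	Digests []string // sorted hex(sha256(salt|name=value)), one per attribute
	Sig     []byte   // ed25519 signature over issuer name and digest list
}
type Disclosure struct{ Name, Value, Salt string } // one attribute the holder chooses to reveal, with its salt
func (c Credential) signingInput() []byte { return []byte(c.Issuer + "|" + strings.Join(c.Digests, ",")) }
func digest(d Disclosure) string { return fmt.Sprintf("%x", sha256.Sum256([]byte(d.Salt+"|"+d.Name+"="+d.Value))) }

// Issue (issuer side) salts and hashes every attribute, signs the digest list and returns the wallet contents.
func Issue(issuer string, key ed25519.PrivateKey, attrs map[string]string) (Credential, []Disclosure) {
	c, wallet := Credential{Issuer: issuer}, []Disclosure{}
	for name, value := range attrs {
		salt := make([]byte, 16)
		rand.Read(salt) // a fresh salt per attribute keeps unrevealed digests unguessable
		d := Disclosure{name, value, fmt.Sprintf("%x", salt)}
		wallet, c.Digests = append(wallet, d), append(c.Digests, digest(d))
	}
	sort.Strings(c.Digests) // canonical order, independent of map iteration
	c.Sig = ed25519.Sign(key, c.signingInput())
	return c, wallet
}

// Verify (relying-party side) requires a registered issuer, a valid signature and a signed digest for every shown attribute.
func Verify(registry map[string]ed25519.PublicKey, c Credential, shown []Disclosure) (map[string]string, error) {
	pub := registry[c.Issuer] // nil when the issuer is not in the trust registry
	if pub == nil || !ed25519.Verify(pub, c.signingInput(), c.Sig) {
		return nil, fmt.Errorf("issuer %q is untrusted or its signature is invalid", c.Issuer)
	}
	out := map[string]string{} // only what the holder chose to present reaches the relying party
	for _, d := range shown {
		if i := sort.SearchStrings(c.Digests, digest(d)); i == len(c.Digests) || c.Digests[i] != digest(d) {
			return nil, fmt.Errorf("attribute %q is not covered by the issuer's signature", d.Name)
		}
		out[d.Name] = d.Value
	}
	return out, nil
}
```

Because the issuer’s signature is presented unchanged, two relying parties could recognise the same credential across presentations; making presentations unlinkable needs stronger cryptography than this sketch shows.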
The European Digital Identity Board (EDIB) is established to audit compliance with the Regulations. Each Member State must create a Governance framework that will guarantee proper implementation, coordination, and enforcement of the Regulation.
There is a huge market opportunity here, and it is a huge step forward in how personal data should be managed and protected by law. Crucially, it reinforces everything the #SSI community has been advocating: keeping personal data with the user.