This draft regulation outlines a structured and verifiable process for registering relying parties. It ensures that all entities wanting to connect to the European Digital Identity Wallet (e.g., universities, banks, public authorities, service providers) are formally registered, transparent, and trustworthy across the EU.

Most Important Points

  1. Creation of National Registers: Each Member State must establish a national register of wallet-relying parties and make the information publicly accessible, both in human-readable and machine-readable form.

  2. Registration Policies: Member States must publish transparent rules for the registration process, including authentication procedures, required documents, and official data sources.

  3. Online and Automated Registration: Registration processes should be simple, digital, and (where possible) automated, with quick verification of applications.

  4. Certificates for Access and Registration: Wallet-relying parties must obtain access certificates, and possibly registration certificates, to be recognized by wallets throughout the EU.

  5. Suspension or Revocation of Registration: Registrations can be suspended or cancelled if the party provides false information, violates policies, or breaches EU/national law.

  6. Record-Keeping: Member States must store registration data and updates for a legally defined period (e.g., up to 10 years).

  7. Alignment with Existing Standards: The mechanism is designed to be compatible with standards like OpenID Connect, OAuth 2.0, and SCIM.

  8. Unique Identification: Each relying party is assigned a globally unique identifier to prevent impersonation or duplication.

  9. Authentication Mechanisms: Secure protocols (e.g., mutual TLS, signed tokens) are used to verify the identity of relying parties during interactions.

  10. Credential Management: Relying parties must securely manage their credentials (e.g., client secrets, certificates) and rotate them periodically.

  11. Policy Enforcement: Identity providers enforce access control policies and validate the trustworthiness of relying parties before granting access.

  12. Audit & Logging: All interactions are logged to enable traceability and detect suspicious behavior.

...

This regulation does not directly list technical standards but rather establishes the governance and legal framework for registers and certificates.


Feedback from DC4EU

The DC4EU consortium's feedback on this draft regulation stresses that registration processes must be harmonised across Member States to avoid fragmentation, and calls for national registers to provide transparent, machine-readable information. The consortium raises technical concerns about the regulation's reliance on specific standards, notably the mandatory use of X.509 PKI certificates and specifications such as RFC 5755 and RFC 9162, which it believes may create unnecessary complexity and poor interoperability. Instead, it recommends considering modern alternatives, including distributed ledger technologies (DLT) or JSON-based approaches, rather than older ASN.1 structures.

The feedback also emphasises the importance of efficient, automated registration processes that work quickly and consistently, regardless of national differences in access to official data. The consortium calls for clearer rules on the issuance, suspension, and revocation of access and registration certificates, as well as timely notification to affected entities. It expresses concern about provisions that allow suspension or deregistration without prior notice, which it argues undermines legal certainty, and proposes introducing formal redress mechanisms. Overall, DC4EU urges that the regulation be more technically adaptable, legally transparent, and uniformly implemented across the EU to build trust and avoid unnecessary burdens.