UPDATE ......Confluence has now been updated to version 9.2.6. Please see following page for details and feedback about changes:
Updates
The main goal of EU Implementing Regulation 2024/2981 is to establish the detailed rules for how European Digital Identity Wallets (introduced under the revised eIDAS Regulation, “eIDAS 2.0”) are certified. The regulation ensures that wallets (applications that allow citizens to securely store and use digital credentials such as ID cards, diplomas, or licenses) achieve the highest level of trust and security (“assurance level high”). This certification framework provides a uniform approach across the EU, so that wallets can be recognized and trusted in every member state.
A key element of the regulation is thescope of certification. It requires that not only the wallet application itself but also its critical cryptographic components, the Wallet Secure Cryptographic Application (WSCA) and Wallet Secure Cryptographic Device (WSCD),are included in the evaluation. Certification covers software, hardware, risk management, data protection, vulnerability handling, and lifecycle management (updates, patching, recertification). Wallet providers must maintain a risk register that addresses threats like identity theft, data loss, fake credentials, or service disruption, and demonstrate how their design mitigates them.
If you would like to review the original text of the regulation with the key sections highlighted, please see this file.
Key Provisions of the Regulation
...
- High Assurance Level
Wallets must meet the "high" assurance level as defined in eIDAS and Implementing Regulation (EU) 2015/1502, focusing on the total solution’s security—even if individual components have lower assurance, provided justifications are documented [2].
...
ENISA, in collaboration with the European Commission, is preparing a European-level certification scheme, slated for publication by the end of 2026, to fully harmonise wallet certification across the Union. [3]
...
- Stronger Security and Trust
Wallets holding academic degrees, research access credentials, or institutional identifiers would be certified under a high-assurance standard—boosting trust among education institutions and researchers. - Cross-Border Interoperability
Certification harmonisation across EU countries allows students, researchers, and academic staff to use their credentials seamlessly across different Member States' institutions and services. - Data Protection and Privacy Safeguards
These wallets must adhere to data protection rules (e.g., GDPR), offering users better control over sharing personal data like student IDs or research affiliations. - Secure Cryptographic Infrastructure
Research-sensitive credentials—like access to labs or e-signatories—will be protected by certified cryptographic technologies, including WSCDs, promoting both security and compliance. - Risk Management and Lifecycle Oversight
Certification schemes will require robust incident handling and updates for educational wallets—important for vulnerability-prone tools used in academia and research. - Future European Standards Alignment
In time, education and research wallets will benefit from the upcoming EU-wide certification scheme and peer collaboration with ENISA, supporting scalability and mutual recognition across sectors.
Related Standards
- EN ISO/IEC 15408-3:2022 (AVA_VAN.5)
Mentioned in Annex IV for vulnerability assessment of the Wallet Secure Cryptographic Device (WSCD), requiring evaluation at this specific level. [1] - EN ISO/IEC 30111:2019
Referred to in the context of vulnerability management processes that certificate holders must establish. - Regulation (EU) 2015/1502
Cited as the implementing regulation defining the "high" assurance level requirements applicable to wallet solutions. [1] - Regulation (EU) 2019/881 (EUCC – European Common Criteria Certification Scheme)
Mentioned as the voluntary cybersecurity certification scheme to be referred to when available and relevant. [1]
...