The main goal of EU Implementing Regulation 2024/2981 is to establish the detailed rules for how European Digital Identity Wallets (introduced under the revised eIDAS Regulation, “eIDAS 2.0”) are certified. The regulation ensures that wallets (applications that allow citizens to securely store and use digital credentials such as ID cards, diplomas, or licenses) achieve the highest level of trust and security (“assurance level high”). This certification framework provides a uniform approach across the EU, so that wallets can be recognized and trusted in every member state.
A key element of the regulation is the scope of certification. It requires that not only the wallet application itself but also its critical cryptographic components, the Wallet Secure Cryptographic Application (WSCA) and Wallet Secure Cryptographic Device (WSCD), are included in the evaluation. Certification covers software, hardware, risk management, data protection, vulnerability handling, and lifecycle management (updates, patching, recertification). Wallet providers must maintain a risk register that addresses threats like identity theft, data loss, fake credentials, or service disruption, and demonstrate how their design mitigates them.
If you would like to review the original text of the regulation with the key sections highlighted, please see this file.
Key Provisions of the Regulation
- Harmonised Certification Framework
It mandates a unified approach across EU Member States for certifying digital identity wallets—covering functional requirements, cybersecurity, and data protection—to ensure secure, trustworthy, and interoperable wallet solutions [2].
- High Assurance Level
Wallets must meet the "high" assurance level as defined in eIDAS and Implementing Regulation (EU) 2015/1502, focusing on the total solution’s security—even if individual components have lower assurance, provided justifications are documented [2].
- Certification of Components
The regulation clarifies which elements—like the Wallet Secure Cryptographic Application (WSCA), Wallet Secure Cryptographic Device (WSCD), wallet software, and environment—must be included in certification. It emphasizes compliance with certified standards such as EUCC and Common Criteria (EAL4, AVA_VAN.5).
- Support for Secure Hardware
Solutions like embedded secure elements or SIM platforms must be standardised and certified to support secure and user-friendly mobile wallets [2].
- Risk-Based and Lifecycle Approach
The framework requires risk registers, incident and vulnerability management, evaluation of updates, and overall lifecycle maintenance. Surveillance evaluations, public disclosures, and certification validity limits (e.g., 5 years) are also included [2].
- National Scheme Ownership and Coordination
National certification schemes must appoint a scheme owner and ensure cooperation with ENISA, the Commission, and Member States for harmonisation and mutual recognition [2].
- Upcoming European Scheme (2026)
ENISA, in collaboration with the European Commission, is preparing a European-level certification scheme, slated for publication by the end of 2026, to fully harmonise wallet certification across the Union. [3]
Implications for the Education and Research Wallet in Europe
Assuming the "education and research wallet" refers to digital identity wallets used for purposes like accessing academic services, sharing credentials, or research authentication—here’s how Regulation 2024/2981 could impact them:
- Stronger Security and Trust
Wallets holding academic degrees, research access credentials, or institutional identifiers would be certified under a high-assurance standard—boosting trust among education institutions and researchers.
- Cross-Border Interoperability
Certification harmonisation across EU countries allows students, researchers, and academic staff to use their credentials seamlessly across different Member States' institutions and services.
- Data Protection and Privacy Safeguards
These wallets must adhere to data protection rules (e.g., GDPR), offering users better control over sharing personal data like student IDs or research affiliations.
- Secure Cryptographic Infrastructure
Research-sensitive credentials—like access to labs or e-signatories—will be protected by certified cryptographic technologies, including WSCDs, promoting both security and compliance.
- Risk Management and Lifecycle Oversight
Certification schemes will require robust incident handling and updates for educational wallets—important for vulnerability-prone tools used in academia and research.
- Future European Standards Alignment
In time, education and research wallets will benefit from the upcoming EU-wide certification scheme and peer collaboration with ENISA, supporting scalability and mutual recognition across sectors.
Related Standards
- EN ISO/IEC 15408-3:2022 (AVA_VAN.5)
Mentioned in Annex IV for vulnerability assessment of the Wallet Secure Cryptographic Device (WSCD), requiring evaluation at this specific level. [1]
- EN ISO/IEC 30111:2019
Referred to in the context of vulnerability management processes that certificate holders must establish.
- Regulation (EU) 2015/1502
Cited as the implementing regulation defining the "high" assurance level requirements applicable to wallet solutions. [1]
- Regulation (EU) 2019/881 (EUCC – European Common Criteria Certification Scheme)
Mentioned as the voluntary cybersecurity certification scheme to be referred to when available and relevant. [1]
References
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R2981
[3] european-accreditation.org