(1)

The Treaty on European Union (TEU) resolved to facilitate the free movement of persons while ensuring the safety and security of the peoples of Europe, by establishing an area of freedom, security and justice, in accordance with the provisions of the TEU and of the Treaty on the Functioning of the European Union (TFEU).

(2)

Citizenship of the Union confers on every citizen of the Union the right of free movement, subject to certain limitations and conditions. Directive 2004/38/EC of the European Parliament and of the Council (2) gives effect to that right. Article 45 of the Charter of Fundamental Rights of the European Union (the ‘Charter’) also provides for freedom of movement and residence. Freedom of movement entails the right to exit and enter Member States with a valid identity card or passport.

(3)

Pursuant to Directive 2004/38/EC, Member States are to issue and renew identity cards or passports to their nationals in accordance with national laws. Furthermore, that Directive provides that Member States may require Union citizens and their family members to register with the relevant authorities. Member States are required to issue registration certificates to Union citizens under the conditions set out therein. Pursuant to that Directive, Member States are also required to issue residence cards to family members who are not nationals of a Member State and, on application, to issue documents certifying permanent residence and to issue permanent residence cards.

(4)

Directive 2004/38/EC provides that Member States may adopt the necessary measures to refuse, terminate or withdraw any right conferred by that Directive in the case of abuse of rights or fraud. Document forgery or false presentation of a material fact concerning the conditions attached to the right of residence have been identified as typical cases of fraud under that Directive.

(5)

Prior to the adoption of rules at Union level, considerable differences existed between the security levels of national identity cards and residence documents for Union citizens and their family members residing in another Member State. Such differences increase the risk of falsification and document fraud and also give rise to practical difficulties for citizens when they wish to exercise their right of free movement.

(6)

Secure travel and identity documents are crucial whenever it is necessary to establish without doubt a person’s identity. A high level of document security is important to prevent abuses and threats to internal security, in particular related to terrorism and cross-border crime. Insufficiently secure national identity cards have in the past been among the most frequently detected false documents used for travel within the Union.

(7)

In order to deter identity fraud, Member States should ensure that the falsification and counterfeiting of identification documents and the use of such falsified or counterfeit documents are adequately penalised by their national law.

(8)

Issuing authentic and secure identity cards requires a reliable identity registration process and secure ‘breeder’ documents to support the application process. The Commission, the Member States and the relevant Union agencies should continue to work together to make breeder documents less vulnerable to fraud, given the increased use of false breeder documents.

(9)

This Regulation does not require Member States to introduce identity cards or residence documents where they are not provided for under national law, nor does it affect the competence of the Member States to issue, under national law, other residence documents which fall outside the scope of Union law, for example residence cards issued to all residents on the territory regardless of their nationality. Furthermore, this Regulation does not affect the principle, arising from the case-law of the Court of Justice, that the entitlement to the right of free movement and residence can be attested by any means of proof.

(10)

This Regulation does not prevent Member States from accepting, in a non-discriminatory manner, documents other than travel documents for identification purposes, such as driving licences.

(11)

Identification documents issued to citizens whose right of free movement has been restricted in accordance with Union or national law, and which expressly indicate that they cannot be used as travel documents, should not be considered as falling within the scope of this Regulation.

(12)

Travel documents compliant with part 5 of International Civil Aviation Organization (ICAO) Document 9303 on Machine Readable Travel Documents (seventh edition, 2015) (‘ICAO Document 9303’), that do not serve identification purposes in the issuing Member States, such as the passport card issued by Ireland, should not be considered as falling within the scope of this Regulation.

(13)

The reference in this Regulation to ICAO Document 9303 should not be understood as preventing Member States from applying the specifications of subsequent editions.

(14)

This Regulation does not affect the use of identity cards and residence documents with eID function by Member States for other purposes, nor does it affect the rules laid down in Regulation (EU) No 910/2014 of the European Parliament and of the Council (3), which provides for Union-wide mutual recognition of electronic identifications in access to public services and which helps citizens who are moving to another Member State by requiring mutual recognition of electronic identification means subject to certain conditions. Improved identity cards should ensure easier identification and contribute to better access to services.

(15)

Proper verification of identity cards and residence documents requires that Member States use the correct title for each type of document covered by this Regulation. In order to facilitate the checking of documents covered by this Regulation in other Member States, the document title should also appear in at least one additional official language of the Union. Where Member States already use, for identity cards, well-established designations other than the title ‘Identity card’, they should be able to continue to do so in their official language or languages. However, no new designations should be introduced in the future.

(16)

Security features are necessary to verify if a document is authentic and to establish the identity of a person. The establishment of minimum security standards and the integration of biometric data in identity cards and in residence cards of family members who are not nationals of a Member State are important steps in rendering their use in the Union more secure. The inclusion of such biometric identifiers should allow Union citizens to fully benefit from their right of free movement.

(17)

The storage of biometric data as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council (4), namely the facial image and two fingerprints of the holder, on identity and residence cards, as already provided for in respect of biometric passports for Union citizens and residence permits for third-country nationals, represents an appropriate combination of reliable identification and authentication with a reduced risk of fraud, for the purpose of strengthening the security of identity and residence cards. As the Court of Justice confirmed, the mandatory inclusion of fingerprints on the storage medium is compatible with the fundamental rights to respect for private life and to the protection of personal data as guaranteed in Articles 7 and 8 of the Charter.

(18)

As a general practice, Member States should, for the verification of the authenticity of the document and the identity of the holder, primarily verify the facial image and, where necessary to confirm without doubt the authenticity of the document and the identity of the holder, Member States should also verify the fingerprints.

(19)

Members States should ensure that, in cases where a verification of biometric data does not confirm the authenticity of the document or the identity of its holder, a compulsory manual check is carried out by qualified staff.

(20)

This Regulation does not provide a legal basis for setting up or maintaining databases at national level for the storage of biometric data in Member States, which is a matter of national law that needs to comply with Union data protection law, including its necessity and proportionality requirements. Moreover, this Regulation does not provide a legal basis for setting up or maintaining a centralised database at Union level.

(21)

The facial image stored on the storage medium of identity cards and residence documents should only be accessed by duly authorised staff of competent national authorities, Union agencies and private entities for the purposes of verifying the authenticity of the document or verifying the identity of the holder where the document is required to be produced by law. Such access should comply with Union data protection law. In addition, private entities should be required to obtain the consent of the holder to access the facial image, unless Union or national law provides that no such agreement is required in the specific case. Consent of the data subject should thus be understood as an additional safeguard and not provide in itself a legal ground for processing by private entities. This Regulation does not provide for rules on the retention of facial images, once accessed, outside the storage medium of identity cards and residence documents. Such retention would need to be provided for by other Union law or national law, which must comply with Union data protection law, and should be limited to the purposes of verifying the authenticity of the document or the identity of the holder. In addition, the facial images should not be retained for longer than is necessary for those purposes, should be deleted as soon as the verification has been completed and should not be transferred to third countries or international organisations unless permitted by Union data protection law. Those safeguards are intended to ensure appropriate protection of the facial image while not prohibiting its use to the benefit of the document’s holder, particularly in the context of cross-border travel.

(22)

The verification of the fingerprints stored on the storage medium should only be carried out by duly authorised staff of competent national authorities and Union agencies and only where the document is required to be produced by Union or national law. The fingerprints accessed for that purpose should not be retained.

(23)

Biometric data stored for the purpose of the personalisation of identity cards or residence documents should be kept in a highly secure manner and no longer than 90 days from the date of issue printed on the document during personalisation. After that period, those biometric data should be immediately erased or destroyed. This Regulation should not be understood as prohibiting the processing of those data where required by Union or national law, in compliance with Union data protection law.

(24)

The specifications of ICAO Document 9303, which ensure global interoperability including in relation to machine readability and use of visual inspection, should be taken into account for the purpose of this Regulation.

(25)

Member States should be able to decide whether to include a person’s gender on a document covered by this Regulation. Where a Member State includes a person’s gender on such a document, the specifications of ICAO Document 9303 ‘F’, ‘M’ or ‘X’ or the corresponding single initial used in the language or languages of that Member State should be used, as appropriate.

(26)

Implementing powers should be conferred on the Commission in order to ensure that future security standards and technical specifications adopted pursuant to Council Regulation (EC) No 1030/2002 (5) are duly taken into account, where appropriate, for identity cards and residence cards. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (6). To that end, the Commission should be assisted by the Committee established by Article 6 of Council Regulation (EC) No 1683/95 (7). Where necessary, it should be possible for the implementing acts adopted to remain secret in order to prevent the risk of counterfeiting and falsifications.

(27)

Member States should ensure that appropriate and effective procedures for the collection of biometric identifiers are in place and that such procedures comply with the rights and principles set out in the Charter, the Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe and the United Nations Convention on the Rights of the Child. Member States should ensure that the best interest of the child is a primary consideration throughout the collection procedure. To that end, qualified staff should receive appropriate training on child-friendly practices for the collection of biometric identifiers.

(28)

Where difficulties are encountered in the collection of biometric identifiers, Member States should ensure that appropriate procedures are in place to respect the dignity of the person concerned. Therefore, specific considerations relating to gender and to the specific needs of children and of vulnerable persons should be taken into account. Qualified staff should receive training on best practices for the collection of biometric identifiers from children and vulnerable persons.

(29)

The introduction of minimum security and format standards for identity cards should allow Member States to rely on the authenticity of those documents when Union citizens exercise their right of free movement. The introduction of reinforced security standards should provide sufficient guarantees to public authorities and private entities to enable them to rely on the authenticity of identity cards when used by Union citizens for identification purposes.

(30)

A distinguishing sign in the form of the two-letter country code of the Member State issuing the document, printed in negative in a blue rectangle and encircled by 12 yellow stars, facilitates the visual inspection of the document, in particular when the holder is exercising the right of free movement.

(31)

While the option to provide for additional national features is maintained, Member States should ensure that those features do not diminish the efficiency of the common security features or negatively affect the cross-border compatibility of the identity cards, such as the capability that the identity cards can be read by machines used by Member States other than those which issue the identity cards.

(32)

The introduction of security standards in identity cards and in residence cards of family members who are not nationals of a Member State should not result in a disproportionate increase in fees for Union citizens or third-country nationals. Member States should take that principle into consideration when issuing calls for tender.

(33)

Member States should take all necessary steps to ensure that biometric data correctly identify the person to whom an identity card is issued. To that end, Member States could consider collecting biometric identifiers, particularly the facial image, by means of live enrolment by the national authorities issuing identity cards.

(34)

Member States should exchange with each other such information as is necessary to access, authenticate and verify the information contained on the secure storage medium. The formats used for the secure storage medium should be interoperable, including in respect of automated border crossing points.

(35)

Directive 2004/38/EC addresses the situation where Union citizens, or family members of Union citizens who are not nationals of a Member State, who do not have the necessary travel documents are to be given every reasonable opportunity to prove by other means that they are covered by the right of free movement. Such means can include identification documents used on a provisional basis and residence cards issued to such family members.

(36)

This Regulation respects the obligations set out in the Charter and in the United Nations Convention on the Rights of Persons with Disabilities. Therefore, Member States are encouraged to work with the Commission to integrate additional features that render identity cards more accessible and user-friendly to people with disabilities, such as visually impaired persons. Member States are to explore the use of solutions, such as mobile registration devices, for the issuance of identity cards to persons incapable of visiting the authorities responsible for issuing identity cards.

(37)

Residence documents issued to citizens of the Union should include specific information to ensure that they are identified as such in all Member States. This should facilitate the recognition of the Union citizen’s use of the right of free movement and of the rights inherent to that use, but harmonisation should not go beyond what is appropriate to address the weaknesses of current documents. Member States are free to select the format in which those documents are issued and could issue them in a format complying with the specifications of ICAO Document 9303.

(38)

As regards residence documents issued to family members who are not nationals of a Member State, it is appropriate to make use of the same format and security features as those provided for in Regulation (EC) No 1030/2002 as amended by Regulation (EU) 2017/1954 of the European Parliament and of the Council (8). In addition to proving the right of residence, those documents also exempt their holders who are otherwise subject to a visa obligation from the requirement to obtain a visa when accompanying or joining the Union citizen within the Union territory.

(39)

Directive 2004/38/EC provides that documents issued to family members who are not nationals of a Member State are to be called ‘Residence card of a family member of a Union citizen’. In order to facilitate their identification, residence cards of a family member of a Union citizen should bear a standardised title and code.

(40)

Taking into account both the security risk and the costs incurred by Member States, identity cards as well as residence cards of family members of Union citizens that do not meet the requirements of this Regulation should be phased out. For documents that are missing important security features, or are not machine readable, a shorter phasing-out period is necessary on security grounds.

(41)

Regulation (EU) 2016/679 applies with regard to the personal data to be processed in the context of the application of this Regulation, including, for example, the obligation on controllers and processors to take appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing those personal data It is necessary to further specify safeguards applicable to the processed personal data and in particular to sensitive data such as biometric data. Data subjects should be made aware of the existence in their documents of the storage medium containing their biometric data including its accessibility in contactless form as well as of all instances where the data contained in their identity cards and residence documents are used. In any case, data subjects should have access to personal data processed in their identity cards and residence documents and should have the right to have them rectified by way of issuance of a new document where such data are erroneous or incomplete. The storage medium should be highly secure and effectively protect personal data stored on it from unauthorised access.

(42)

Member States should be responsible for the proper processing of biometric data, from collection to integration of the data on the highly secure storage medium, in accordance with Regulation (EU) 2016/679.

(43)

Member States should exercise particular caution when cooperating with an external service provider. Such cooperation should not exclude any liability of the Member States arising under Union or national law for breaches of obligations with regard to personal data.

(44)

It is necessary to specify in this Regulation the basis for the collection and storage of data on the storage medium of identity cards and residence documents. In accordance with Union or national law and respecting the principles of necessity and proportionality, Member States should be able to store other data on a storage medium for electronic services or for other purposes relating to the identity card or residence document. The processing of such other data including their collection and the purposes for which they can be used should be authorised by Union or national law. All national data should be physically or logically separated from biometric data referred to in this Regulation and should be processed in accordance with Regulation (EU) 2016/679.

(45)

In accordance with the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (9), the Commission should, within six years after the date of application of this Regulation, carry out an evaluation of this Regulation, including on the basis of information gathered through specific monitoring arrangements, in order to assess the actual effects of this Regulation and the need for any further action. For the purpose of monitoring, Member States should collect statistics on the number of identity cards and residence documents which they issued.

(46)

Since the objectives of this Regulation, namely to enhance security and to facilitate the exercise of the right of free movement by Union citizens and their family members, cannot be sufficiently achieved by the Member States but can rather, by reason of the scale and effects of the action, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(47)

In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(48)

In accordance with Article 3 of the Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and the TFEU, Ireland has notified, by letter of 18 October 2024, its wish to take part in the adoption and application of this Regulation.

(49)

This Regulation respects the fundamental rights and observes the principles recognised in particular by the Charter including human dignity, the right to the integrity of the person, the prohibition of inhuman or degrading treatment, the right to equality before the law and non-discrimination, the rights of children, the rights of the elderly, respect for private and family life, the right to the protection of personal data, the right of free movement and the right to an effective remedy. Member States should comply with the Charter when implementing this Regulation.

(50)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (10) and delivered an opinion on 13 September 2024,