32025R1568

This document is an excerpt from the EUR-Lex website

EUROPA
EUR-Lex home
Implementing regulation - EU - 2025/1568 - EN - EUR-Lex

Help

Search tips

Need more search options? Use the Advanced search

Document 32025R1568

Help

Commission Implementing Regulation (EU) 2025/1568 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards procedural arrangements for peer reviews of electronic identification schemes and for cooperation on the organisation of such reviews within the Cooperation Group and repealing Commission Implementing Decision (EU) 2015/296

C/2025/5043

OJ L, 2025/1568, 30.7.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1568/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force

ELI: http://data.europa.eu/eli/reg_impl/2025/1568/oj

HTML

PDF - authentic OJ

e-signature

How to verify the authenticity of the Official Journal

Official Journal
of the European Union

L series

2025/1568

30.7.2025

COMMISSION IMPLEMENTING REGULATION (EU) 2025/1568

of 29 July 2025

laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards procedural arrangements for peer reviews of electronic identification schemes and for cooperation on the organisation of such reviews within the Cooperation Group and repealing Commission Implementing Decision (EU) 2015/296

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 12(6) and Article 46e(7) thereof,

Whereas:

(1)

Regulation (EU) No 910/2014 provides for a peer review mechanism with respect to electronic identification schemes that are to be notified, in which Member States can participate on a voluntary basis. Peer reviews should enable Member States to understand the electronic identification schemes to be notified in accordance with Article 9(1), point (a), of Regulation (EU) No 910/2014 and effectively cooperate with a view to ensuring interoperability of those schemes and building trust across the Union. Peer reviews should be organised in such a way as to ensure equitable distribution of efforts and broad representation of all Member States and should not be understood as audits.

(2)

Commission Implementing Decision (EU) 2015/296 (2) established the procedural arrangements for cooperation on electronic identification schemes within the context of the former eIDAS Cooperation Network, including for peer reviews conducted by members of that network. Since the peer review tasks are now to be organised by the European Digital Identity Cooperation Group established pursuant to Commission Decision C(2024)6132 of 5.9.2024 establishing the European Digital Identity Cooperation Group and amending Implementing Decision (EU) 2015/296, following Article 46e(1) of Regulation (EU) No 910/2014 (‘Cooperation Group’), Implementing Decision (EU) 2015/296 should be repealed.

(3)

To make peer reviews easily accessible, any Member State should be able to request the initiation of a peer review. The request should indicate the reasons for requesting the peer review and contain sufficient information to corroborate that the peer review may contribute to the interoperability or security of electronic identification schemes to be notified. To this end, creating uniform rules for the minimum required information is necessary to ensure that the peer review can be completed in an efficient and timely manner. The Commission may organise meetings of the Cooperation Group to facilitate the timely initiation and conclusion of a peer review.

(4)

Where a Member State provides information to the other Member States on an electronic identification scheme in accordance with Article 7, point (g) of Regulation (EU) No 910/2014 (‘pre-notification’), that action should formally be considered as a request by the notifying Member State to perform a peer review of its electronic identification scheme.

(5)

To ensure effective preparation and execution of the peer review, standardised roles and responsibilities in the peer review should be identified. Member States should have the possibility to appoint representatives to fulfil those roles and responsibilities. As it is critical to ensure that all peer reviews run smoothly and are conducted in a streamlined and expeditious manner, the practicalities of each peer review, indicatively its exact scope and timing, should be agreed among the Member States involved in that peer review.

(6)

To ensure that all Member States contribute to the implementation of the peer review mechanism, as well as to enable them to benefit from peer learning, representatives of each Member State should contribute to an equitable distribution of efforts among Member States across all peer reviews to be conducted.

(7)

To foster a high level of trust in peer reviewed electronic identification schemes, Member States should provide the minimum required information, while ensuring the confidentiality of potentially sensitive information. Such information should be evaluated by three working groups in the peer reviews, each with a mandate corresponding to the central topics for evaluating an electronic identification scheme as set out in Commission Implementing Regulation (EU) 2015/1501 (3) and Commission Implementing Regulation (EU) 2015/1502 (4).

(8)

As Implementing Decision (EU) 2015/296 already established English as the language of cooperation, unless otherwise agreed, it is existing practice of Member States to undertake the peer review process in English. Therefore, Member States should provide relevant information for the peer review at least in English. However, translation should not cause unreasonable administrative or financial burdens. In this respect, Member States are free to use automated translation tools, including the ones provided by the Commission.

(9)

Taking into account the importance of peer reviews as a tool to ensure the trustworthiness of notified electronic identification schemes, a streamlined process should be established for the adoption of a clear and comprehensive final peer review report. During that process, the Cooperation Group and the Member States participating in the peer review should have the possibility to put additional questions to the Member State whose electronic identification scheme is being peer reviewed, while that Member State should have the opportunity to provide additional observations. To ensure transparency, the process should be completed with the publication of the Cooperation Group’s opinion on the conclusion of the peer review.

(10)

Since electronic identification schemes may undergo changes after conclusion of their peer review, it is also necessary to set up a process for initiating an update of prior peer reviews if such changes can impact the interoperability, security or trustworthiness of the notified electronic identification scheme. This would enable the peer reviews to remain relevant over time as electronic identification schemes evolve.

(11)

Regulation (EU) 2016/679 of the European Parliament and of the Council (5), and, where relevant, Regulation (EU) 2018/1725 of the European Parliament and of the Council (6), Directive 2002/58/EC of the European Parliament and of the Council (7) apply to the personal data processing activities under this Regulation.

(12)	The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered its opinion on 28 May 2025.

(13)	The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

General principles for the peer review

1. Where a Member State makes a pre-notification of an electronic identification scheme to the Commission and to the other Member States, the peer review shall be initiated in accordance with Article 2.

2. The Member State that makes a pre-notification of an electronic identification scheme may, at any point, withdraw its pre-notification. Where the Member State withdraws their pre-notification of the electronic identification scheme, the peer review shall be considered as terminated.

3. Any Member State may decide to participate in the peer review of the electronic identification scheme of another Member State.

4. Each Member State involved in a peer review shall bear the costs it incurs in the process.

5. Representatives of the Member States that conduct the peer review shall use the information obtained through the peer review solely for the purposes of that review and shall not disclose any sensitive or confidential information obtained during the peer review to third parties.

6. A Member State that decides to participate in the peer review of an electronic identification scheme of another Member State shall disclose any conflict of interest in relation to representatives appointed by that Member State. Where there is a conflict of interest, the Member State whose electronic identification scheme is being peer-reviewed may refuse the participation of the relevant representative in the assessment of its electronic identification scheme.

7. Any disputes arising during the peer review in relation to the peer review activities as laid down in Article 4(4) of this Regulation shall be settled in accordance with the Cooperation Group’s rules of procedure.

8. An electronic identification scheme shall not be subject to further peer review within two years from the conclusion of a peer review, except where significant changes set out in Article 6(1) were made to the peer-reviewed electronic identification scheme.

Article 2

Initiation of the peer review

1. The pre-notification shall include at least:

(a)	a comparison between the pre-notified electronic identification scheme and requirements laid down in Implementing Regulation (EU) 2015/1502, under the form of a level of assurance mapping document for the peer review in accordance with Annex I to this Regulation;

(b)	a high-level description of the electronic identification scheme, of its ecosystem and of electronic identification in the Member State having made the pre-notification, under the form of a whitepaper in accordance with Annex II to this Regulation;

(c)	information regarding interoperability of the electronic identification scheme and the requirements laid down in Implementing Regulation (EU) 2015/1501, under the form of an interoperability framework mapping document in accordance with the template set out in Annex III to this Regulation.

2. The Commission shall disseminate the pre-notification information to the Cooperation Group.

3. The information required under paragraph 1, point (c), shall be provided at least in English. Member States shall not be obliged to translate any document where this would create an unreasonable administrative or financial burden.

Article 3

Preparation of the peer review

1. Upon confirmation of receipt of a complete pre-notification, the Commission shall inform the Cooperation Group of the initiation of the peer review and schedule a meeting where the pre-notified electronic identification scheme is put on the meeting agenda for presentation to the Cooperation Group by the Member State having made the pre-notification.

2. The chair of the Cooperation Group shall ensure that the scheduled meeting referred to in paragraph 1 takes place no later than two months after the Cooperation Group is informed of the initiation of the peer review.

3. The date of the presentation shall be considered the official start date of the peer review.

4. After the Member State having made the pre-notification has given the presentation referred to in paragraph 3, the other Member States may appoint representatives to participate in the peer review on their behalf. If they do so, they shall provide the names and contact details of their representatives. Those appointed representatives shall form the peer review group.

The members of the peer review group shall agree on assigning the following roles:

(a)	one coordinator who shall be responsible for organising the peer review and managing communication with Member States, the Cooperation Group and the Commission;

(b)	up to three rapporteurs depending on the scope of the peer review and each one of them to lead a working group as referred to in Article 4(2);

(c)	at least one active member per working group, who shall assist in generating questions and providing feedback to the rapporteurs and contribute to drafting the final peer review report.

5. The coordinator referred to in paragraph 4, point (a), shall oversee proper execution of the peer review and monitor compliance with the procedural requirements set out in this Regulation. To that end, the coordinator shall carry out the following tasks in a timely manner:

(a)	organisation of the questions and answers;

(b)	finalisation of the peer review report;

(c)	drafting of the opinion on the peer reviewed electronic identification scheme.

6. The rapporteurs referred to in paragraph 4, point (b), shall identify questions for the Member State having made the pre-notification and draft the elements of the peer review report that relate to the area of responsibility of their respective working group.

7. Taking into account the guidance provided by the Cooperation Group, the Member State having made the pre-notification and the Member States involved in the peer review shall agree on any organisational arrangements relating to the peer review not specifically provided for in this Regulation, including rules and guidelines regarding confidentiality and conflicts of interest.

8. The duration of the peer review shall not exceed three months from the official start date of the peer review referred to in paragraph 3 and may be extended by a maximum of two months where all Member States involved in the peer review agree to do so.

Article 4

Organisation of the peer review

1. The peer review group shall conduct the peer review based on the information provided in accordance with Article 2(1) by the Member State having made the pre-notification.

2. The peer review shall be organised in three working groups, or using any other process agreed in the Cooperation Group in accordance with its Rules of Procedure. Where working groups are used, each working group shall be composed of one rapporteur and at least one active member.

3. The working groups referred to in paragraph 2 shall be the following:

(a)	an enrolment working group, peer-reviewing the alignment of the pre-notified electronic identification scheme with the requirements in relation to enrolment as set out in section 2.1 of the Annex to Implementing Regulation (EU) 2015/1502;

(b)

an electronic identification means management and authentication working group, peer-reviewing the alignment of the pre-notified electronic identification scheme with the requirements in relation to electronic identification means management and authentication as set out in sections 2.2 and 2.3 of the Annex to Implementing Regulation (EU) 2015/1502;

(c)	a management and organisation working group peer-reviewing the alignment of the pre-notified electronic identification scheme with the requirements in relation to management and organisation as set out in section 2.4 of Implementing Regulation (EU) 2015/1502.

4. The peer review shall include, but is not limited to, one or more of the following activities:

(a)	assessment of relevant documentation provided by the Member State having made the pre-notification;

(b)	examination of processes described as part of that documentation;

(c)	technical seminars;

(d)	consideration of independent third-party assessments, where relevant assessments of this kind are available;

(e)	drafting of the peer review report that summarises the peer review’s findings and results.

5. The working groups may make duly justified requests for additional information, supported by additional documentation, from the Member State having made the pre-notification where the information provided in accordance with Article 2(1) is not sufficient, for the termination of the peer review.

6. The Member State having made the pre-notification shall comply with such requests except where one of the following applies:

(a)	it does not possess the information or documentation and obtaining it would generate an unreasonable administrative burden;

(b)	the information or documentation requested concerns matters of public security or national security;

(c)	the information concerns business matters, professional or company secrets;

(d)	the sensitivity of the information makes it impossible to establish a secure channel to communicate the information to the members of the peer review group.

7. In such cases, the Member State having made the pre-notification shall inform the coordinator of the reasons for refusing to provide the requested information or documentation and shall provide a high-level summary of the information or a redacted version of the documentation.

Article 5

Outcome of the peer review

1. Without prejudice to Article 3(9), the peer review group shall:

(a)

provide a draft peer review report to the Member State having made the pre-notification no later than three months after the start date of the peer review referred to in Article 3(3) unless the peer review is subject to an extension in accordance with Article 3(8) where the report is due according to the agreed extension;

(b)

provide the draft final peer review report to the Commission and the Cooperation Group after taking into consideration any observations from the Member State having made the pre-notification on the content of the draft peer review report, and no later than three months and two weeks after the official start date of the peer review pursuant to Article 3(3) unless the peer review is subject to an extension in accordance with Article 3(8) where the report is due according to the agreed extension;

(c)

provide the Member State having made the pre-notification with a draft opinion on the pre-notified electronic identification scheme no later than three months and two weeks after the official start date of the peer review referred to in Article 3(3) unless the peer review is subject to an extension in accordance with Article 3(8) where the opinion is due according to the agreed extension and shall prepare the draft opinion using the template set out in Annex IV;

(d)

provide the Commission and the Cooperation Group with a draft final opinion on the pre-notified electronic identification scheme no later than three months and three weeks after the start date of the peer review referred to in Article 3 (3) unless the peer review is subject to an extension in accordance with Article 3(8) where the opinion is due according to the agreed extension.

2. Before the Cooperation Group adopts and publishes, on a dedicated website of the Commission, its final opinion on the conclusion of the peer review in accordance with paragraph 9, it may require additional information or clarification from the Member State having made the pre-notification or from the peer review group.

3. The Member State having made the pre-notification shall provide the required additional information referred to in paragraph 2, except where one of the following applies:

(a)	the Member State does not possess the information and obtaining it would cause an unreasonable administrative burden;

(b)	the information concerns matters of public or national security;

(c)	the information concerns matters of business, professional or company secrets;

(d)	the sensitivity of the information makes it impossible to establish a secure channel to communicate the information to the Cooperation Group.

4. The final peer review report shall list the information that was requested by the peer review group or by the Cooperation Group but could not be provided on one or more grounds set out in paragraph 3, without specifying the reasons provided by the Member State having made the pre-notification. The impact of any unavailability of information may be examined by the peer review group in the final peer review report.

5. The peer review group shall present the final peer review report and its draft final opinion to the Cooperation Group no later than four months, or in the case of prolongation in accordance with Article 3(8) no later than six months after the official start date of the peer review pursuant to Article 3(3).

6. The final opinion of the peer review group on the electronic identification scheme of the Member State having made the pre-notification shall list any commitments made by that Member State.

7. After the presentation of the final peer review report and the final opinion of the peer review group, the Cooperation Group shall adopt and publish its own opinion on the conclusion of the peer review, indicating if and how the peer-reviewed electronic identification scheme meets the requirements set out in Implementing Regulation (EU) 2015/1502 that apply to the assurance levels indicated by the Member State having made the pre-notification, in accordance with Annex I of this Regulation. The adoption process shall follow the rules of procedure of the Cooperation Group.

8. The opinion of the Cooperation Group shall identify the Member State having made the pre-notification as well as the pre-notified electronic identification scheme and its assurance level. The opinion shall also state whether the peer review was completed successfully.

9. Information provided in accordance with Article 2(1) shall be published by the Cooperation Group, except where the Member State that provided the information has indicated in writing that such information should not be made public.

Article 6

Significant changes in peer-reviewed electronic identification schemes

1. Where a notified electronic identification scheme changes in a manner that is likely to impact its interoperability, security or trustworthiness, the Member State having made the notification shall without undue delay notify the Cooperation Group of those changes and update the information previously provided.

2. Following the receipt of a notification referred to in paragraph 1, and provided the notified electronic identification scheme has been peer-reviewed, any Member State of the Cooperation Group may request an update to the peer review.

3. In case of a request for an update, the procedures set out in Articles 3 to 5 shall apply accordingly and the peer review group shall limit the peer review to the elements that have been changed pursuant to the original notification and to the impacts of those changes.

Article 7

Repeal

Implementing Decision (EU) 2015/296 is hereby repealed.

Article 8

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 29 July 2025.

For the Commission

The President

Ursula VON DER LEYEN

(1) OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj http://data.europa.eu/eli/reg/2014/910/2024-10-18.

(2) Commission Implementing Decision (EU) 2015/296 of 24 February 2015 establishing procedural arrangements for cooperation between Member States on electronic identification pursuant to Article 12(7) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (OJ L 53, 25.2.2015, p. 14, ELI: http://data.europa.eu/eli/dec_impl/2015/296/oj).

(3) Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (OJ L 235, 9.9.2015, p. 1, ELI: http://data.europa.eu/eli/reg_impl/2015/1501/oj).

(4) Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (OJ L 235, 9.9.2015, p. 7, ELI: http://data.europa.eu/eli/reg_impl/2015/1502/oj).

(5) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(6) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

(7) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37, ELI: http://data.europa.eu/eli/dir/2002/58/oj).

ANNEX I

List of minimum information to be provided in the levels of assurance mapping document for the peer review referred to in Article 2(1), point (a)

The level of assurance mapping document for the peer review referred to in Article 2, paragraph 1, point (a) shall include at least the following information:

(1)

general information, including:

(a)	the name of the notifying Member State;

(b)	the title of the electronic identification scheme (if any);

(c)	the level or levels of assurance of the electronic identification scheme, indicated as low, substantial or high.

(2)

the authority or authorities responsible for the electronic identification scheme, including:

(a)	the name or names of the authority or authorities responsible for the electronic identification scheme;

(b)	the email address of the authority or authorities responsible for the electronic identification scheme.

(3)

information on relevant parties, entities and bodies involved in the electronic identification scheme, including:

(a)	the name of the entity or entities managing the registration process of the unique person identification data;

(b)	the name of the party or parties issuing the electronic identification means, and where applicable, an indication whether the party or parties are referred to in Article 7(a), point (i), (ii) or (iii) of Regulation (EU) No 910/2014;

(c)	the name of the party or parties operating the authentication procedure (the ‘eIDAS node’);

(d)	the name or names of the governance organisation or organisations participating in the supervisory regime related to the electronic identification scheme.

(4)

a description of the electronic identification scheme, including:

(a)

where applicable, the document or documents that shall be enclosed for each of the following topics:

—	a brief description of the electronic identification scheme, including the context in which it operates, its scope, and availability to private relying parties;

—	a list of the additional attributes which may be provided in relation to natural persons under the electronic identification scheme if requested by a relying party;

—	a list of the additional attributes which may be provided in relation to legal persons under the electronic identification scheme if requested by a relying party.

(b)

the applicable supervisory, liability and management regime, including:

—

a description of the supervisory regime of the electronic identification scheme including the evaluation process with respect to the following:

—	the supervisory regime applicable to the party or parties issuing the electronic identification means;

—	the supervisory regime applicable to the party or parties operating the eIDAS node.

Where applicable, these descriptions shall include the roles, responsibilities and powers of the governance organisations that participate in the supervisory regime referred to in point 3(d), and the entity to which they report. If the organisations do not report to the authority responsible for the scheme, full details of the entity to which they report shall be provided.

—

a description of the applicable national liability regime, including:

—	a description of the liability of the Member State under Article 11(1) of Regulation (EU) No 910/2014;

—	a description of the liability of the party or parties issuing the electronic identification means under Article 11(2) of Regulation (EU) No 910/2014;

—	a description of the liability of the party or parties operating the eIDAS node under Article 11(3) of Regulation (EU) No 910/2014.

—	arrangements for managing, suspending or revoking either the entire identification scheme, or specific electronic identification means, or the eIDAS node, or its compromised parts.

(c)

a description of the electronic identification scheme components, including:

—	a description of how the requirements in relation to minimum technical specifications and procedures for assurance levels for electronic identification means, as set out in Implementing Regulation (EU) 2015/1502, have been met, to substantiate the indicated assurance level for the enrolment;

—

a description of how the following processes are addressed under the electronic identification scheme, including documentation for the combination of options that were chosen by the Member State, for:

—	application and registration;

—	identity proofing and verification of a natural person:

—	identity proofing and verification of a legal person;

—	binding between the electronic identification means for natural and legal persons.

—

with regards to the electronic identification means management, a description of how the following processes are addressed under the electronic identification means:

—	characteristics and design of the electronic identification means, including, where appropriate, information on security certification;

—	issuance, delivery and activation;

—	suspension, revocation and reactivation;

—	renewal and replacement.

—	with regards to authentication, a description of the authentication mechanism, including terms of access to authentication by relying parties other than public sector bodies;

—

with regards to the management and organisation, a description of the management and organisation of the following aspects:

—	general provisions on management and organisation;

—	published notices and user information;

—	information security management;

—	record keeping.

—	facilities and staff;

—	technical controls.

—	compliance and audit.

(d)	a description of how interoperability and minimum technical and operational security requirements are met;

(e)

a list of all the supporting documentation submitted and a statement to which of the elements above they relate, including references to any domestic legislation which relates to the electronic identification provision relevant to the notification and relevant audit reports, certification practice statements, and test reports.

(f)	the relevant documents and information as regards the certification of the electronic identification scheme pursuant to Article 12a(1) and, where applicable, to Article 12a(5), of Regulation (EU) No 910/2014.

ANNEX II

List of minimum information to be provided in the white paper referred to in Article 2(1), point (b)

The white paper shall describe the overall ecosystem of the electronic identification scheme being pre-notified, as well as the history of the electronic identification scheme and of electronic identification in the Member State.

The white paper shall also provide a description of the electronic identification scheme and the electronic identification means provided under this scheme, including a brief description of the elements that are also covered by the levels of assurance mapping document referred to in Article 2(1), point (a) of this Regulation, the interoperability framework mapping document referred to in Article 2(1), point (c) of this Regulation, and other documents.

The white paper shall also describe the role of the electronic identification scheme in the overall ecosystem and its relation to relying parties and other services provided within the ecosystem.

ANNEX III

Template for the interoperability framework mapping document

Interoperability Requirements

Article of Implementing Regulation (EU) 2015/1501

Requirement

Description

Mapping of national assurance levels

The mapping of national assurance levels of the notified electronic identification schemes shall follow the requirements laid down in Implementing Regulation (EU) 2015/1502. The results of the mapping shall be notified to the Commission using the notification template laid down in Implementing Decision (EU) 2015/1984.

Nodes

1.	A node in one Member State shall be able to connect with nodes of other Member States.

2.	The nodes shall be able to distinguish between public sector bodies and other relying parties through technical means.

3.	A Member State implementation of the technical requirements set out in this Regulation shall not impose disproportionate technical requirements and costs on other Member States in order for them to interoperate with the implementation adopted by the first Member State.

Data Privacy and confidentiality

1.	Protection of privacy and confidentiality of the data exchanged and the maintenance of data integrity between the nodes shall be ensured by using best available technical solutions and protection practices.

2.	The nodes shall not store any personal data, except for the purpose set out in Article 9(3) of Implementing Regulation (EU) 2015/1501.

Data integrity and authenticity for the communication

Communication between the nodes shall ensure data integrity and authenticity to make certain that all requests and responses are authentic and have not been tampered with. For this purpose, nodes shall use solutions which have been successfully employed in cross-border operational use.

Message format for the communication

The nodes shall use for syntax common message formats based on standards that have already been deployed more than once between Member States and proven to work in an operational environment.

The syntax shall allow:

(a)	proper processing of the minimum set of person identification data uniquely representing a natural or legal person;

(b)	proper processing of the assurance level of the electronic identification means;

(c)	distinction between public sector bodies and other relying parties;

(d)	flexibility to meet the needs of additional attributes relating to identification.

Management of security information and metadata

1.	The node operator shall communicate the metadata of the node management in a standardised machine processable manner and in a secure and trustworthy way.

2.	At least the parameters relevant to security shall be retrieved automatically.

The node operator shall store data which, in the event of an incident, enable reconstruction of the sequence of the message exchange for establishing the place and the nature of the incident. The data shall be stored for a period of time in accordance with national requirements and, as a minimum, shall consist of the following elements:

(a)	node’s identification;

(b)	message identification;

(c)	message date and time.

Information assurance and security standards

Node operators of nodes providing authentication shall prove that, in respect of the nodes participating in the interoperability framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by equivalent methods of assessment, or by complying with national legislation.

2.	Node operators shall deploy security critical updates without undue delay.

Person identification data

1.	A minimum data set of person identification data uniquely representing a natural or a legal person shall meet the requirements set out in the Annex to Implementing Regulation (EU) 2015/1501 when used in a cross-border context.

2.	A minimum data set for a natural person representing a legal person shall contain the combination of the attributes listed in the Annex to Implementing Regulation (EU) 2015/1501 for natural persons and legal persons when used in a cross-border context.

3.	Data shall be transmitted based on original characters and, where appropriate, also transliterated into Latin characters.

ANNEX IV

Template for the opinion on the electronic identification scheme of a Member State

Opinion No. XX/202X of the Cooperation Group on the <insert Member State> eID scheme <insert scheme name>

Having regard to Article 12(5) of Regulation (EU) 910/2014 (‘the European Digital Identity Regulation’),

Having regard to Implementing Regulation (EU) 2025/1568.

Having regard to the Rules of Procedure of the Cooperation Group,

Whereas:

Article 12(5) of the European Digital Identity Regulation obliges Member States to carry out peer reviews of electronic identification schemes to be notified under Article 9(1), point (a) of the European Digital Identity Regulation.

Article 5(10) of Commission Implementing Regulation (EU) 2025/1568 on cooperation mandates the Cooperation Group to adopt opinions on how an electronic identification scheme to be notified meets the requirements of the European Digital Identity Regulation.

<insert Member State>, with a view to notifying its eID scheme <insert scheme name> in accordance with Article 9(1) of the European Digital Identity Regulation, provided the following information to the Member States on <insert date> (hereinafter referred to as: ‘pre-notification’) in line with Article 7(g) of the European Digital Identity Regulation:

—	Notification form;

—	Supporting Documentation.

On <insert date of CG meeting>, the Cooperation Group:

—	agreed to organise the peer review of the <insert Member State> eID scheme <insert scheme name> according to Article 46e(5)(d) of the European Digital Identity Regulation and Implementing Regulation (EU) 2025/1568;

—	formed a ‘Peer Review Group’; and

—	agreed which topics the peer review process would cover and how it would be organised according to the provisions of Implementing Regulation (EU) 2025/1568.

The Peer Review Group submitted its report according to Article 5 of Implementing Regulation (EU) 2025/1568 to the Cooperation Group on <insert date>. The Cooperation Group has examined and discussed the Peer Review Report.

Taking into account the outcomes of the peer review, the peer review report and the additional information provided by <insert Member State> regarding:

–

and that <insert Member State> commits to:

–

The Cooperation Group adopted the following opinion:

Opinion

Based on the examination of the pre-notification documents provided by <insert Member State> and the findings of the Peer Review Report, the Cooperation Group is of the opinion that the pre-notification documents and additional information provided by <insert Member State> demonstrate sufficiently how the <insert Member State>eID scheme <insert scheme name> to be notified meets the requirements

—	for assurance level ‘High’;

—	for assurance level ‘Substantial’;

—	for assurance level ‘Low’;

in line with the requirements of Articles 7, 8(1)-(2), 12(1), 12a(1) and 12a(5) of the European Digital Identity Regulation and with the requirements of Implementing Regulation (EU) 2015/1502.

According to Article <insert number> of the Rules of Procedure, the Cooperation Group agrees to publish this opinion.

ELI: http://data.europa.eu/eli/reg_impl/2025/1568/oj

ISSN 1977-0677 (electronic edition)

Top

Choose the experimental features you want to try