EUROPEAN COMMISSION

Brussels, 19.11.2025

COM(2025) 838 final

2025/0358(COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the establishment of European Business Wallets

{SWD(2025) 837 final}

EXPLANATORY MEMORANDUM

1.CONTEXT OF THE PROPOSAL

•Reasons for and objectives of the proposal

–Reduce administrative burdens, streamline compliance processes, and improve service delivery

–Ensure economic operators and public sector bodies have access to secure and trusted digital identification across borders, meeting user needs and demand

•Consistency with existing policy provisions in the policy area

The European Business Wallets proposal builds on and extends the ecosystem established under the European Digital Identity Framework (EUDI) - Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market, as amended by Regulation (EU) 2024/1183. The European Business Wallets aim to complement the EUDI Framework by offering functionalities tailored to the needs of public sector bodies and economic operators, including the digital management of representation rights and mandates, and a secure channel for exchanging official documents and attestations supported by a common directory. Full interoperability with the European Digital Identity Wallets will be guaranteed.

The proposal is complementary to the EU company law acquis and uses the existing European Unique Identifier which all limited liability companies and commercial partnerships (as well as the future 28th regime companies) have in accordance with EU company law. In addition, the proposal is compatible with the Business Registers Interconnection System (BRIS), developed in accordance with the codified Company Law Directive (EU) 2017/1132. Finally, the proposal is also in line with Beneficial Ownership Registers Interconnection System (BORIS), developed in accordance with the Anti-Money Laundering Directive (EU) 2015/849. These interconnections use the European Unique Identifier (EUID) to uniquely identify companies and other legal entities, and legal arrangements in the EU, but do not cover all economic operators or public sector bodies, such as sole traders, self-employed or public institutions. The European Business Wallets extend this ecosystem by offering a trusted and interoperable mean for all these entities.

•Consistency with other Union policies

–The Single Digital Gateway (SDG) and its Once-Only Technical System (OOTS) implement the “once-only” principle, requiring authorities to reuse data already held in another Member State without repeated submissions by businesses. The European Business Wallets proposal will complement the SDG and OOTS by providing trusted identification and authentication of economic operators and public administrations and a secure exchange layer that enables businesses and public sector bodies to share and reuse verified data and official attestations seamlessly across borders.

–The Digital Product Passport (DPP), central to the EU’s circular economy agenda, depends on trusted access to conformity and sustainability data. The Business Wallets proposal can prove legal identity and any granted access rights, allow conformity declarations to be signed and sealed, and ensure product data is exchanged securely and verifiably across borders.

–The Interoperable Europe Act (IEA) establishes the framework for cross-border interoperability of public services. The Business Wallets proposal will complement this by serving as a trusted infrastructure that administrations can integrate into digital-by-default service delivery, reinforcing the removal of technical and organisational barriers.

–The upcoming proposal on the 28th Regime corporate legal framework will provide simple, flexible and fast procedures for companies to set up and operate and attract investment in the EU through digital solutions. It will ensure that digital tools such as the EU Company certificate and the EU digital Power of Attorney can be used in the European Business Wallets. 

–The VAT in the Digital Age (ViDA) package modernises VAT reporting, introduces mandatory e-invoicing across borders and strengthens fraud prevention. The Business Wallets proposal will enable secure storage and verifiable exchange of VAT attestations and transaction data, thereby supporting real-time reporting and trusted invoicing.

2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

•Legal basis

•Subsidiarity (for non-exclusive competence)

•Proportionality

•Choice of the instrument

3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

•Stakeholder consultations

•Collection and use of expertise

•Regulatory fitness and simplification

•Fundamental rights

4.BUDGETARY IMPLICATIONS

5.OTHER ELEMENTS

•Implementation plans and monitoring, evaluation and reporting arrangements

•Detailed explanation of the specific provisions of the proposal

Chapter II establishes the key components for the European Business Wallets framework. It sets out the principle of legal equivalence, serving as a provision which equates actions performed through a European Business Wallet to those carried out in person, on paper, or via any other means or processes: an essential element to remove administrative frictions in concerned exchanges. The principle of equivalence also applies to the use of the qualified electronic registered delivery service by self-employed persons and sole traders. In the same chapter, a minimum, interoperable set of core functionalities, together with qualified electronic registered delivery service as a standalone service to users of European Digital Identity Wallets, is defined alongside with technical requirements, further expanded in the Annex and envisioned to be complemented by implementing acts. Provisions of this chapter also address who can provide European Business Wallets, the relevant requirements that must be met by such legal persons and the process that an eligible entity must undergo at national level in order to be included in the trusted list of providers. To guarantee consistent cross-border recognition, the proposal relies on European Business Wallets’ owners' identification data issued as electronic attestations of attributes by qualified trust service providers, national public sector bodies, or by the Commission for Union entities. Using these attestations ensures that every Business Wallet owner can be reliably identified on the basis of official and verifiable information. In addition, a unique identifier is attributed to each Business Wallet owner. Where a European Unique Identifier is assigned under Company Law Directive (EU) 2017/1132 or the Anti-Money Laundering Directive, the Business Wallets will use the European Unique Identifier as the unique identifier. In other cases, Member States designate existing national registers and corresponding registration numbers as the authentic source for generating an equivalent identifier. The structure and technical specifications of this identifier, ensuring Union-wide uniqueness and interoperability, will be defined by implementing acts.

To enable a straightforward communication through the Business Wallets, the proposal also establishes a European Digital Directory, which will be created and maintained by the Commission, will enable economic operators and public sector bodies to be easily contacted, while implementing adequate measures for the protection personal data. In this regard, the Commission will establish standards, technical specifications and the categories of information to be communicated to the Commission for the Directory through implementing acts.

Chapter II also establishes the governance and supervision mechanism. To minimise fragmentation and leverage existing expertise, the proposal names the existing eIDAS supervisory bodies to act as the supervisory authorities in each Member State for Business Wallets’ providers established in the respective territories. These authorities also assist providers of Business Wallets in accessing the information needed for the issuance of owner identification data by issuers of owner identification data based on information available from authentic sources, cooperate closely with the competent authorities for qualified trust service providers, and notify the Commission of the national registries holding data on economic operators and public sector bodies. In this regard, the Regulation provides for the role and tasks of such authorities. Given the Treaties’ institutional balance, EU institutions, bodies and agencies (Union entity) are not subject to Member State supervision. The proposal rather provides a Union-level supervisory arrangement under the Commission.

In Chapter III the obligations placed on public sector bodies are set out. These provisions ensure that public sector bodies enable economic operators to use the European Business Wallets for the purposes of identifying, authenticating, signing or sealing, submitting documents, and sending or receiving notifications in administrative or reporting procedures. For the exchange of documents and notifications, public sector bodies must themselves hold a European Business Wallet and use the secure communication channel. The obligations have to be met by set time frames. Public sector bodies may also recognise the use of European Business Wallets and the communication channel (for sole traders and self-employed) as the sole means for submitting electronic documents and attestations when required under Union law. The Commission will review these obligations and their scope over time.

Chapter IV sets out the international dimension of the European Business Wallet framework, establishing the possibility for the recognition of systems developed in third countries that offer functionalities equivalent to the proposal where relevant conditions guarantee a comparable level of trust, security, and interoperability. This approach allows the EU to facilitate trusted global exchanges with non-EU partners while maintaining the Union’s high standards for digital identity, authentication, and data integrity.

Chapter V contains the horizontal and closing provisions. It provides for the evaluation and review of the proposed regulation to assess the effectiveness of its implementation and the functioning of the supervisory framework.

2025/0358 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the establishment of European Business Wallets

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee( 1 ) ,

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1)In its Communication of 29 January 2025 ‘A Competitiveness Compass for the EU’( 2 ) the Commission announced that European Business Wallets, building on the European Digital Identity Framework, will constitute the cornerstone for conducting business in a simple and digital manner within the Union, providing companies with a seamless environment in which to interact with public administrations.

(2)Regulation (EU) No 910/2014 of the European Parliament and of the Council( 3 ) establishes the European Digital Identity Framework and introduces the European Digital Identity Wallets, enabling users to securely store and manage their digital identity and electronic attestations of attributes, and to access a wide range of online services. The European Digital Identity Framework features new trust services, including the issuance of electronic attestations of attributes, thereby enhancing the security and reliability of online transactions and interactions.

(3)In order to foster a competitive and digital European economy, and to facilitate cross-border business, it is necessary to establish a seamless and secure environment for digital interaction between economic operators and public sector bodies in different configurations.

(4)In order to ensure the interoperability and security of European Business Wallets, the technical specifications established in Regulation (EU) No 910/2014 and subsequent implementing regulations established pursuant to that Regulation as well as the technology and standards developments and the work carried out on the basis of Recommendation (EU) 2021/946, and in particular the Architecture and Reference Framework, should apply, with the specifications laid down in this Regulation taking precedence in the event of any inconsistency.

(5)In order to enhance the functioning of the digital single market, ensure interoperability and reduce administrative burdens, it is essential to ensure compatibility between and European Business Wallets and existing systems and solutions at both Union and national level. As prescribed by the Interoperable Europe Act and to enhance secure and efficient data exchanges across the Union, the implementation of the European Business Wallets should, to the extent possible, where appropriate and following technical analysis, make use of existing EU digital infrastructures and building blocks, including those developed under the Once Only Technical System, the Business Registers Interconnection System and the European Digital Identity Wallet, thereby ensuring complementarity, interoperability, and efficient use of public resources.

(6)The European Business Wallets are a digital tool for economic operators to interact with public sector bodies in the context of meeting reporting obligations and fulfilling administrative procedures. The use of the core functionalities of the European Business Wallets to identify and authenticate, sign or seal, submit documents and send or receive notifications should be without prejudice to procedural requirements that might be part of an administrative procedure and that cannot be fulfilled by the core functionalities of the European Business Wallets. These procedural requirements may include any additional safeguards or verifications, such as checks to ensure the awareness or understanding of the contents of a document or the implications of the signature of a contract, or specific actions that are required as part of an administrative procedure and are not supported by the core functionalities of the European Business Wallets. Public sector bodies should therefore ensure that all relevant procedural requirements are met, including any specific actions or processes which need to be fulfilled as part of an administrative procedure and which cannot be performed through the European Business Wallets.

(7)Public sector bodies have the flexibility to decide how to ensure that they can accept European Business Wallets considering the diversity of their IT infrastructure and their needs for interoperability. This approach allows public sector bodies to maintain their existing operational frameworks, while benefiting from the advantages of the European Business Wallets.

(8)This Regulation is without prejudice to the procedural autonomy, the constitutional requirements and the judicial independence that govern the organisation and functioning of national justice systems of the Member States, as well as to the framework, integrity and procedural safeguards of judicial proceedings.

(9)This Regulation is without prejudice to the Member States’ responsibility for safeguarding national security and their power to safeguard other essential State functions, including ensuring the territorial integrity of the State and maintaining law and order.

(10)This Regulation should be without prejudice to the right of legal persons to submit only once information to public sector bodies as well as to the right of Member States to continue using other systems for the submission of documents and data between competent authorities as established under Union law, such as in Regulation 2018/1724( 4 ) and Directive (EU) 2017/1132 establishing the Business Registers Interconnection System

(11)In order to reduce administrative burden and improve competitiveness, all entities conducting economic activities, including companies, organisations, self-employed persons, sole traders and any other type of business, regardless of size, sector or legal form, should be able to use European Business Wallets. To ensure that legally valid notifications, and documents can be exchanged, and reporting obligations fulfilled by means of European Business Wallets, it is necessary to establish a reliable and secure communication channel that can be used by European Business Wallet owners across the Union. A qualified electronic registered delivery service (‘QERDS’) should therefore be integrated as a secure communication channel in the European Business Wallets, and should enable the secure and legally valid exchange of information between parties, as provided for in Article 43 of Regulation (EU) No 910/2014.

(12)In order to provide a tailored solution for self-employed persons and sole traders, it is essential to ensure the seamless integration of European Digital Identity Wallets with European Business Wallets. That integration should enable those persons to authenticate using their European Digital Identity Wallet and access trust services offered for the European Business Wallets, including the QERDS established as a secure communication channel in this Regulation, using those Wallets, without the need to create a separate business identity. Providers of European Business Wallets should therefore be allowed to offer the secure communication channel as a standalone service to self-employed persons and sole traders that use European Digital Identity Wallets in a business capacity, with ensured interoperability to facilitate app switching, as well as trust services such as electronic signatures and qualified and non-qualified time stamping services. Such access to the secure communication channel for self-employed persons and sole traders, should be promoted by ensuring an offer, at reasonable and affordable prices, that reflects the usage needs and is accompanied by terms of use that do not impose an undue burden on those persons.

(13)The European Business Wallets, in combination with Regulation (EU) 2018/1724, should support the forthcoming 28th Regime( 5 ) by providing the digital infrastructure for fully digital procedures, enabling start-ups and scale-ups to conduct EU-wide operations in a rapid and efficient manner. The Business Wallets should provide the digital infrastructure for the 28th Regime's digital-first strategy, streamlining cross-border interactions and reducing administrative burden, such as facilitating the secure storing and signature of contracts and certificates or submitting, receiving and sharing electronic applications and documents. By providing this infrastructure, the Business Wallets should help make the "digital by default" principle a reality, facilitating the growth and development of EU companies and enhancing their competitiveness.

(14)Given the objective of creating a unified digital ecosystem for electronic identification, authentication, and the exchange of electronic documents, notifications, and attestations of attributes, the inclusion of Union entities among public sector bodies covered this Regulation, is necessary. Such an inclusion should create a coherent framework for owners of European Business Wallets to engage with all levels of public administration thereby reducing administrative complexities and driving uptake of the European Business Wallets.

(15)In order to ensure the proper issuance and integration of European Business Wallets throughout the operations and systems of Union entities, this Regulation should have due regard to the specific nature and structure of such institutions, bodies, offices and agencies. To ensure the respect of administrative autonomy and security of Union entities. They should be allowed to acquire European Business Wallets from already established providers of European Business Wallets, or develop their own European Business Wallets or act themselves as provider for Union entities. Where Union entities act as providers of European Business Wallets, they should also be subject to a supervisory framework. In such cases, the Commission should be tasked to the supervise the provision of European Business Wallets by Union entities.

(16)Regulation (EU) No 910/2014 established a framework for electronic identification and trust services in the internal market. Building on the ecosystem established by Regulation (EU) No 910/2014, the European Business Wallets should offer economic operators and public sector bodies a secure and reliable solution for digital identification and authentication, data sharing, and the delivery of legally valid notifications. The trust framework for European Business Wallets, including the use of trusted lists, should build upon the structures established under Regulation (EU) No 910/2014.

(17)The European Business Wallets should allow individuals granted the power to act on behalf of an entity in legal, financial, and administrative matters to exercise their functions by signing any attestations, declarations, or documents executed through a legally valid electronic signature within the meaning of Regulation (EU) 910/2014, which establishes that electronic signatures shall have the equivalent legal effect of a handwritten signature.

(18)To support the delegation of powers and mandates within a professional context, the European Business Wallets should incorporate a mandate and role-based authorisation system that governs access to services and transactions within the European Business Wallet in such a way as to preserve the integrity of the identity of the owner of that Wallet. That system should enable economic operators and public sector bodies to assign rights to authorised representatives through clearly defined technical mandates allowing the owner of a specific European Business Wallet to grant full rights to generally use the solution and act on its behalf, and an administrative mandate, allowing the owner of a Business Wallet to assign roles and responsibilities to various users of the solution within their organisation. This authorisation system should ensure compatibility with the EU digital power of attorney, as established by Directive (EU) 2025/25 of the European Parliament and of the Council 6 . This authorisation system should be robust and scalable, to ensure that economic operators and public sector bodies, as the owners of European Business Wallets, can delegate authority to multiple users, including employees or other authorised natural or legal persons, thereby facilitating the efficient and secure management of internal activities and ensuring that access to European Business Wallets and their functions is controlled and auditable. This system should govern access to services and transactions within the European Business Wallet, preserving the integrity of the owners' identities.

(19)In order to facilitate the conduct of cross-border business transactions, reduce administrative burdens, and promote economic growth, it is necessary to establish a clear and predictable legal framework that recognises the legal equivalence between the use of the European Business Wallets, or their core functionalities and the secure communication channel where the latter is used by self-employed persons and sole traders, and other accepted methods for economic operators to identify, authenticate, submit documents and receive notifications when interacting with public sector bodies in the Union. To that end, the use of the core functionalities of a European Business Wallet, or the secure communication channel where the latter is used by self-employed persons and sole traders, should have the same legal effect as if lawfully carried out in person, in paper form, or via any other means or process that would otherwise be deemed compliant with applicable legal, administrative, or procedural requirements.

(20)To ensure a consistent user experience and to guarantee the utility, reliability, and interoperability of European Business Wallets across the Union, providers of European Business Wallets should implement a core set of functionalities. They should retain the freedom to offer additional features as part of their commercial offering, fostering innovation and responding to market needs. In order to ensure uniform conditions for the development and use of the core functionalities, implementing powers should be conferred on the Commission to set out requirements and technical specifications necessary to ensure interoperability and seamless functioning across the Union. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and the Council( 7 ) and should include the powers to define the necessary standards and protocols for the secure communication channel, taking into account the latest technological developments.

(21)European Business Wallets should simplify the complex interactions between economic operators and public sector bodies, and could also facilitate interactions among economic operators themselves, reducing administrative burden on economic operators in a broad range of economic sectors. In order to foster innovation and competitiveness, the European Business Wallets should enable sector-specific use cases and enhance operational efficiencies, while ensuring flexibility and adaptability to support the unique requirements of different sectors, including, but not limited to, agriculture, energy, environment, social security coordination. 

(22)The use of the European Business Wallets in such contexts can aid in the reduction of costs and promote a wide range of applications and use cases across the Union, such as the submission of declarations, applications for public funding, access to public services and facilitating secure data sharing and access within data spaces, such as the submission of A1 certificates concerning posted workers provided for under Regulation (EU) 883/2004.

(23)The establishment of the European Business Wallets alongside the Once Only Technical System is expected to create powerful synergies that maximise efficiency and operational ease. In particular, economic operators should be able to use the European Business Wallet to hold and transmit evidence retrieved from competent public authorities through the Once-Only Technical System. Where appropriate, economic operators should also be able to combine evidence held in the European Business Wallet with evidence retrieved via the Once Only Technical System in the context of public procedures. Consequently, by providing a secure digital platform for storing and exchanging business documents, the European Business Wallets should facilitate the exchange of such documents between public sector bodies through the mechanisms established under Once-Only Technical System.

(24)In order to ensure coordination between the Union’s ongoing digitalisation of judicial cooperation, the modernisation of secure cross-border information exchange, and the need to provide economic operators with efficient digital tools to interact with authorities, it is necessary to establish a coherent framework that enables smooth interaction between such relevant systems. Enhancing such coordination will reduce administrative burden, improve legal certainty, and strengthen the effectiveness of cross-border cooperation, by ensuring that communication channels used by economic operators function seamlessly within the European digital market. In that context, European Business Wallets should complement the systems set out in Regulation (EU) 2023/2844 and Regulation (EU) 2023/969, where a seamless interaction between these systems and the Business Wallets should be maintained through the Business Wallets gateway, enabling relevant authorities to maintain these systems whilst promoting simplification for European companies.

(25)To facilitate a flexible and efficient exchange of information and services when using European Business Wallets, and to ensure seamless integration of European Business Wallets with existing digital identity solutions, it should be possible to use European Digital Identity Wallets and electronic attestations of attributes for onboarding to and access management of the European Business Wallets. This should enable users to leverage existing digital identities and electronic attestations of attributes to access European Business Wallets, thereby streamlining the onboarding process and enhancing the overall user experience. The use of electronic attestations of attributes in the context of the European Business Wallets should cater to the diverse needs of European Business Wallet owners and may be used to issue and enable the secure and trustworthy verification of key attributes, such as an owner's current address, VAT registration number, tax reference number, Legal Entity Identifier (LEI), Economic Operator Registration and Identification (EORI) number and excise number. European Business Wallets should support a wide range of use cases, from simple authentication and identification to more complex transactions and interactions.

(26)In order to ensure the secure and trustworthy operation of European Business Wallets, providers of European Business Wallets should ensure that each European Business Wallet they provide is pre-configured to interact with certain trust services, which are required to enable the core functionalities of European Business Wallets, including the creation of qualified electronic signatures, the creation of qualified electronic seals, and the issuance and validation of qualified and non-qualified electronic attestations of attributes. To support these functionalities, European Business Wallets should allow for the sharing and storage of specific information and documents relating to the owner, such as messages and documents for the secure communication channel, signed and sealed documents, and sets of attributes for attestation-related services.

(27)To allow for the legal recognition of electronic attestations of attributes presented via European Business Wallets, it is necessary to allow for the creation and validation of linked attestations, whereby one attestation is cryptographically linked to another in a manner that allows the verification of the authenticity and integrity of each individual attestation, and of all linked attestations collectively. To that end, the European Business Wallet infrastructure should, through the use of the chain of attestations, enable the submission of a single instance of an attestation and facilitate its subsequent reuse across relevant procedures. Such functionality should allow European Business Wallet owners to transmit a reference to a document where appropriate with a cryptographic element, such as a hash key to a sealed attestation issued by a European Business Wallet, thereby attesting to the integrity and authenticity of the original submission.

(28)In order to ensure that the standards and technical specifications for European Business Wallets ensure harmonisation across various solutions, it is necessary to define the standards and protocols for the core functionalities and technical requirements for European Business Wallets in an Annex to this Regulation. The Annex should set out the requirements for the implementation of European Business Wallets. To ensure the long-term viability and effectiveness of the European Business Wallets, implementing powers should be conferred on the Commission to establish and update the procedures and technical specifications on the implementation of core functionalities, thereby allowing for the integration of additional features and new technologies that would enable new use cases, such as agentic AI or the provision of a digital identity to an owner’s asset, and enabling the European Business Wallets to continue to support the evolving needs of economic operators in a secure and trustworthy manner. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and the Council. To the extent possible, the standards and technical specifications of the European Business Wallet should take into account relevant technical solutions and standards used by existing ICT systems by economic operators, facilitating the alignment of these systems to be aligned to and made interoperable with the European Business Wallet.

(29)To support the timely development of the market for European Business Wallets, the adoption of the implementing acts on core functionalities and the accompanying technical specifications should be prioritised. Where appropriate, these should build on the existing standards including those out in the Architecture and Reference Framework provided for in the context of Regulation (EU) No 910/2014, to support the re-use of familiar technical standards and uptake of the European Business Wallets.

(30)To ensure the high level of trust, functionality, and security of European Business Wallets necessary to the cross-border provision of their services, and in particular to mitigate the risk of fraud, providers of European Business Wallets should be subject to clear and proportionate requirements and obligations without being subject to additional national requirements.

(31)To ensure proper supervision in line with this Regulation, entities that would like to become providers of European Business Wallets should be required to notify their intention to provide such European Business Wallets to the supervisory bodies prior to offering their services. In order to safeguard the integrity and accountability of European Business Wallet providers and to ensure the security of data stored or exchanged in the European Business Wallets ecosystem, providers should be established within the Union. This should ensure that such providers fall under the jurisdiction and supervision of a competent body in a Member State, allowing for effective enforcement of this Regulation and the protection of users' rights and data. Furthermore, providers of European Business Wallets should not present a risk to the security of the Union, namely by not being subject to control by a third country or by a third-country entity, to ensure that the Union's critical digital infrastructure remains secure and resilient. In line with the requirements set out in this Regulation, the Commission may adopt implementing acts to ensure cooperation and interoperability with solutions established or endorsed by like-minded partners of the Union.

(32)The Union must protect its security interest against providers which could represent a persistent security risk due to the potential interference from third countries. To that end, it is necessary to reduce the risk of persisting dependency on high-risk suppliers in the internal market, including in the ICT supply chain, as they could have potentially serious negative impacts on the security of economic operators and public sector bodies across the Union and the Union’s critical infrastructure, especially with regards to the integrity, confidentiality and availability of data and services. Any restrictions should be based on a proportionate risk assessment and corresponding mitigation measures as defined in Union policies and laws. Such limitations may apply, for example, to high-risk suppliers, as identified under Union law.

(33)In order to establish the identity of economic operators in a secure and reliable manner, this Regulation should allow for the use of qualified electronic attestations of attributes to issue European Business Wallet owner identification data. Qualified electronic attestations of attributes can be easily updated or revoked. The use of qualified electronic attestations of attributes for establishing the identity of economic operators provides an efficient, and secure solution that is suited to the needs of the digital economy. Qualified trust service providers issuing these attestations are regulated under Regulation (EU) No 910/2014 and are subject to strict requirements and scrutiny, ensuring a high level of security and trust in the issuance process. The authentic sources used to verify the data contained in the qualified electronic attestations of attributes are business registers and other registers, and the use of the Business Registers Interconnection System (‘BRIS’) and the Beneficial Ownership Registers Interconnection System (‘BORIS’) should be promoted to facilitate the verification of this data, thereby ensuring the accuracy and reliability of the identification data.

(34)This Regulation should not affect the functioning or the role of business registers as authentic sources and should not alter the way they operate or the data filed therein but rather build upon and complement the existing infrastructure. In this regard, where electronic attestations of attributes are issued by or on behalf of an authentic source, such as a business register, the register could directly issue the relevant data, further enhancing the security and reliability of the identification process.

(35)Regulation (EU) No 910/2014 requires Member States to ensure that measures are taken to allow qualified trust service providers to verify by electronic means, at the request of the user, the authenticity of the attributes listed in Annex VI of Regulation (EU) No 910/2014, such as educational and professional qualifications, titles and licenses, powers and mandates to represent natural or legal persons, public permits and licenses and financial and company data. The European Business Wallets framework should build on this existing requirement that should cover all official data that is relevant for economic operators in the context of the European Business Wallets and enable the electronic verification of attributes to facilitate the issuance of European Business Wallet owner identification data and other electronic attestations of attributes.

(36)As all economic operators and entities conducting economic activities should be able to use European Business Wallets, including self-employed persons and sole traders, European Business Wallet owner identification data should be provided in a manner that is specifically designed to verify their identity and attested attributes within a business context. To ensure consistency with existing Union frameworks and facilitate cross-border interoperability, the European Business Wallet framework should use the European Unique Identifier (EUID) provided by the codified Company Law Directive (EU) 2017/1132( 8 ) and Commission Implementing Regulation (EU)2021/369( 9 ) as well as Regulation (EU) 2024/1624( 10 ) and Commission Implementing Regulation (EU) 2021/369( 11 ). Companies and other legal entities as well as arrangements such as trusts are assigned a European Unique Identifier to enable their unequivocal identification in cross-border situations. The European Unique Identifier is currently made publicly accessible through BRIS and used by BORIS. Accordingly, the European Business Wallet framework should rely on the issuance and recording process of European Unique Identifiers as the means of verifying the identity of economic operators to which European Unique Identifiers are provided in accordance with Directive (EU) 2017/1132. The European Business Wallet framework should rely on the issuance and recording process of European Unique Identifiers for other economic operators falling under Directive (EU) 2015/849.

(37)To ensure that all European Business Wallet owners can be reliably identified and their electronic attestation of attributes are associated with a unique entity, it is also necessary to assign a unique identifier to other economic operators and public sector bodies. To ensure uniform conditions for the implementation of unique identifiers, in particular their effectiveness and consistency, implementing powers should be conferred on the Commission to specify the detailed requirements for the unique identifiers. Those powers should be exercised in accordance with Regulation (EU) No 182/2011. Given the diverse approaches among Member States regarding the registration of some economic operators and public sector bodies, it is important to ensure transparency and accessibility for providers of European Business Wallet owner identification data. To this end, Member States should notify to the Commission the authentic sources that are relevant for the issuance of European Business Wallet owner identification data.

(38)In order to ensure the efficient, secure, and transparent functioning of the European Business Wallet framework, it is necessary to establish a European Digital Directory, that includes personal data of economic operators. The Commission should be empowered to set up and maintain this Directory, as a trusted source of information on economic operators and public sector bodies using European Business Wallets. The Directory should enable European Business Wallet owners to be easily contacted to promote legal certainty in relation to dealings between businesses and in relation to interactions with public sector bodies, particularly in the view of promoting trade between Member States. European Business Wallet Providers, liaising with the Commission, should submit the necessary information to support the functioning of the European Digital Directory and collaborate with the relevant qqualified trust service providers to ensure that the data submitted remains accurate. Such actions shall not indirectly create a requirement for economic operators to update such information. In this regard the Digital Directory will rely on the information made available by business registers also through BRIS while ensuring that such information will not be duplicated.

(39)Regulation (EU) 2016/679 of the European Parliament and of the Council applies to all personal data processing activities under this Regulation. Where the European Digital Directory includes the processing of personal data this will be carried out in accordance with the relevant data protection principles, such as the data minimisation and purpose limitation principle, obligations, such as data protection by design and by default, and include, where appropriate, features of pseudonymisation.

(40)To avoid excessive regulatory burdens, ex post supervision of providers of European Business Wallets and monitoring of their activities should be provided for, rather than requiring prior compliance verification for every aspect of their operations. This approach should allow for a more flexible and efficient regulatory environment, while maintaining the necessary safeguards to protect users and ensure compliance with the requirements of the European Business Wallets framework. The notification process for providers of European Business Wallets should be streamlined and efficient, with clear requirements and timelines for applicants. Qualified trust service providers, which are already subject to a robust regulatory framework under Regulation (EU) No 910/2014, should benefit from a particularly light process to be able to provide European Business Wallets.

(41)In order to ensure transparency and accountability in the European Business Wallet ecosystem, a publicly available list of notified providers of European Business Wallets should be established and maintained by the Commission. That list should include information transmitted by the national supervisory bodies concerning providers, including qualified trust service providers, that have completed the notification process. Making that information publicly available should enable users to verify the authenticity and trustworthiness of providers, thereby promoting a high level of security and trust in the European Business Wallet ecosystem.

(42)Effective oversight by supervisory bodies, vested with sufficient powers and provided with adequate resources, is essential to ensure that European Business Wallets made available in the Union comply with the requirements laid down in this Regulation. To best ensure such oversight and relevant expertise, Member States should designate the same supervisory body or bodies as designated pursuant to Article 46a(1) and Article 46b(1) of Regulation (EU) No 910/2014.

(43)Due consideration should be given to ensuring effective cooperation between supervisory bodies designated under this Regulation, Article 46b of Regulation (EU) No 910/2014 and the competent authorities designated or established pursuant to Article 8(1) of Directive (EU) 2022/2555 of the European Parliament and of the Council( 12 )Since the competent authorities are distinct entities, they should cooperate closely and in a timely manner, including by exchanging relevant information to ensure effective supervision and compliance of European Business Wallet providers with the applicable obligations under Regulation (EU) No 910/2014 and Directive (EU) 2022/2555.

(44)To harmonise the enforcement of this Regulation, national supervisory bodies should be empowered to impose administrative fines. It is necessary to specify the upper limit of administrative fines and the criteria for their determination in order to promote equal treatment of providers of European Business Wallets across the Union regardless of their Member State of establishment. The competent supervisory authority should assess each case individually, taking into account all relevant circumstances, including the nature, gravity and duration of the infringement, its consequences and any measures taken to ensure compliance and mitigate harm. In this regard, Member States should notify the Commission of the rules laid down in national law allowing the supervisory body to impose penalties by [Publications Office, insert the date 12 months after the entry into force of this Regulation] and should notify the Commission without delay of any subsequent amendments to those rules.

(45)In order to ensure the proper functioning of the internal market and to protect the rights of economic operators, it is necessary to establish a mechanism for the Commission to intervene in cases where a provider of European Business Wallets is found to be non-compliant with the requirements of this Regulation and no effective measures have been taken by the competent supervisory authority to remedy the situation. This mechanism should allow for the Commission to carry out an evaluation of compliance, consult with the Member States concerned and the provider, and adopt implementing acts to provide for corrective or restrictive measures. This should enable the Commission to take swift and effective action to address any non-compliance and to ensure that the European Business Wallets are used in a secure and trustworthy manner.

(46)The Cooperation Group established pursuant to Regulation (EU) No 910/2014 should be given the additional responsibility for the coordination of national practices and policies related to this Regulation and facilitate discussions between competent authorities regarding the Regulation's application and enforcement, thereby delivering on the objectives of the Cooperations Group’s establishment and retaining expertise for the benefit of implementing the European Business Wallet framework.

(47)In order to support effective take-up and interoperability, all public sector bodies should be required to enable the use of the European Business Wallet in all relevant administrative procedures for the purposes of identification and authentication, signing or sealing documents, submitting documents and sending or receiving notifications. In this regard, public sector bodies should by [Publications Office, please insert the date 24 months after the entry into force of this Regulation] ensure that the use of European Business Wallets by economic operators is possible and that, where the receipt or communication of documents or notifications is concerned, they are able to access the Business Wallets’ secure communication channel. To ensure seamless and interoperable application of this Regulation in this regard, public sector bodies should own a European Business Wallet for the purposes of receiving or sending documents and notifications. The obligation for public sector bodies to accept European Business Wallets by economic operators should not affect systems used for the exchange or submission of documents or data between competent authorities.

(48)In order to avoid disrupting existing interactions between economic operators and public sector bodies, it is necessary to enable a transition period until [Publications Office, please insert the date 36 months after the entry into force of this Regulation]. During such period public sector bodies may choose not to offer the European Business Wallets' secure communication channel and instead support alternative solutions already in place which enable economic operators to communicate with public sector bodies prior to offering the European Business Wallets’ secure communication channel. In order to ensure an adequate level of security and interoperability, any alternative solution used during this transition period should comply with the requirements for Qualified Electronic Registered Delivery Services set out in Regulation (EU) No 910/2014 and offer a gateway to European Business Wallets. The gateway should enable users of European Business Wallets to access the alternative solutions used during the transition period. After this period, public sector bodies should support the secure communication channel of the European Business Wallets to ensure a harmonised and efficient means of communication across the Union, to the benefits of European businesses. 

(49)European Business Wallets contribute to the provision of a cross-border digital public service within the meaning of the Interoperable Europe Act (EU) 2024/903. The assessment required under that Regulation has been carried out, and the resulting report will be published on the Interoperable Europe Portal.

(50)To ensure that the European Business Wallets ecosystem continues to meet the needs of economic operators and public sector bodies, it is necessary to assess its implementation and impact in light of the purpose of this Regulation. The evaluation should, in particular, take into account the risk of legal fragmentation within the internal market regarding the electronic submission of documents and attestations of attributes as well as the technological developments and progression of the market for European Business Wallets and associated trust services.

(51)To avoid duplication and reduce administrative burden, public sector bodies should not require the same information or documents to be submitted again through physical or alternative digital means, or in the inverse, once these have been validly transmitted via the European Business Wallet in accordance with this Regulation. Accordingly, Member States should not adopt or maintain additional national requirements regarding matters falling within the scope of this Regulation, unless explicitly provided for herein, since this would affect its direct and uniform application.

(52)In order to enable effective access to Union procedures and markets and facilitate the participation of economic operators established outside the Union in the European Business Wallet framework, it is necessary to enable providers of European Business Wallets to issue European Business Wallets to such operators, provided that their identity can be verified with a high level of certainty. To prevent duplicate registrations and safeguard the integrity of the internal market, such operators should not be allowed to obtain more than one set of European Business Wallet owner identification data and one unique identifier. Member States’ should cooperate to mitigate the risk of duplicate registrations and ensure the uniqueness of registrations of economic operators established outside of the Union.

(53)The implementing act concerning the requirements and procedures for the unique identifier should encompass the conditions for their issuance to third country economic operators. In particular, it should set the conditions that promote coordination between providers of European Business Wallet owner identification data, ensuring that each third country economic operator is attributed only one unique identifier for the purpose of the European Business Wallet owner identification data. Prior to the provision of a European Business Wallet to an economic operator established outside the Union the relevant provider should confirm that the conditions for verifying the identity of the economic operator have been met. That should allow economic operators from third countries to use European Business Wallets, while preserving the security and trustworthiness of the ecosystem.

(54)In order to ensure uniform conditions for the implementation of the recognition and interoperability of business wallets or similar systems and framework from third countries to support and promote partnerships and cooperation, implementing powers should be conferred on the Commission to set the conditions under which such similar systems or framework benefit from the provisions of this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council.

(55)Regulation (EU) No 910/2014 offers a secure and convenient means for natural persons, such as citizens and residents, to identify themselves and access online services. It requires Member States to ensure that European Digital Identity Wallets are provided to legal persons, despite a lack of clarity on the specific technical implementation of European Digital Identity Wallets for legal persons. This uncertainty about the purpose and functioning of the European Digital Identity Wallets for legal persons increases legal and technical complexity for Member States. It is therefore necessary to amendment Article 5a of Regulation (EU) No 910/2014 to ensure that the mandatory issuance of European Digital Identity Wallets relates only to natural persons.

(56)The framework established by this Regulation should provide a secure, Union-wide digital infrastructure and should therefore constitute the principal instrument for such purposes. To fully realise the benefits of the European Business Wallet framework for both economic operators and public sector bodies, it is necessary to promote its use as the default tool for secure digital identification, authentication, and the exchange of electronic documents and attestations of attributes.

(57)To ensure a coherent and horizontal application across sectors of Union legislation, reduce administrative cost on economic operators and to improve budgetary efficiency, Union law concerning electronic identification, authentication, or the exchange of electronic documents, notifications, or attestations of attributes, particularly where specific technical requirements, systems, or protocols are established, should be applied in a manner consistent with this Regulation. Accordingly, any future legislative or non-legislative initiatives in these fields should adhere to the Business-Wallet-by-Default principle and should be designed and developed to build upon and enable the use of European Business Wallets. Where such alignment is not possible, the Commission should provide a written justification through an Impact Assessment, accompanying the relevant initiative, setting out the reasons for not enabling the use of European Business Wallets. The Commission should evaluate and review this Regulation by [Publications Office, please insert the date 3 years post adoption] and every four years thereafter and report to the European Parliament and the Council. This review is essential for assessing the continued relevance of the prescribed core functions and technical specifications, especially those associated with the QERDS as a secure communication channel, in the context of the latest technological advancements. Furthermore, the Commission should evaluate the notification procedures for providers of European Business Wallet, as well as the implementation and effectiveness of the rules on penalties established by Member States, to evaluate market developments and compliance levels.

(58)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council( 13 ), and delivered an opinion on [insert date].

HAVE ADOPTED THIS REGULATION:

Chapter I - Subject matter, scope and definitions

Article 1

Subject matter

This Regulation enables secure digital identification and authentication, data sharing and legally valid notifications, reduces administrative burdens and compliance costs, and supports cross-border business and competitiveness. In particular, it:

(1)establishes a framework for the provision of European Business Wallets;

(2)establishes the principle of equivalence, giving equivalent legal effect to actions and transactions carried out through a European Business Wallet as to actions and transactions lawfully carried out in person, in paper form, or via any other means or processes that would be deemed compliant with applicable legal, administrative, or procedural requirements;

(3)establishes rules for the issuance of European Business Wallet owner identification data for the identification of economic operators and public sector bodies;

(4)establishes the European Digital Directory;

(5)designates the European unique identifier (EUID), as established and governed by Directive (EU) 2017/1132, as the unique identifier for European Business Wallet owners, and establishes a similar unique identifier for European Business Wallets owners to whom the European Unique Identifier is not available;

(6)lays down the notification mechanism under which providers of European Business Wallets shall be established;

(7)lays down obligations for public sector bodies concerning European Business Wallets;

(8)provides a framework for the supervision of Union entities, where such public sector bodies provide European Business Wallets;

(9)provides a framework for the recognition of third-country systems similar to the European Business Wallets and the issuance of European Business Wallets to third country economic operators.

Article 2

Scope

1.This Regulation applies to the provision and acceptance of European Business Wallets and the issuance and acceptance of European Business Wallet owner identification data, and to the use of European Business Wallets by economic operators and public sector bodies.

2.This Regulation is without prejudice to the existing systems and procedures mandated by Union law governing the exchange of documents and data between competent authorities.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)‘European Business Wallet’ means a digital solution that allows European Business Wallet owners to securely store, manage, and present European Business Wallet owner identification data and electronic attestations of attributes to Business Wallet-relying parties and other entities using European Business Wallets and European Digital Identity Wallets for the following purposes:

(a)to authenticate and provide the verified proofs required by a relying party;

(b)to access and use electronic attestations of attributes, electronic signatures, electronic seals, electronic registered delivery services, and electronic time stamps;

(c)to enable the creation, management and delegation of mandates to authorised representatives;

and that may support additional functionalities in accordance with this Regulation;

(2)‘European Business Wallet owner identification data’ means a set of data that enables the establishment of the identity of a European Business Wallet owner and that is issued by a provider of European Business Wallet owner identification data;

(3)‘provider of European Business Wallet owner identification data’ means a qualified trust service provider or public sector body or the Commission issuing European Business Wallet owner identification data;

(4)‘economic operator’ means any natural or legal person, or a group of such persons, including temporary associations of undertakings, acting in a commercial or professional capacity for purposes related to their trade, business, craft or profession;

(5)‘public sector body’ means a Union entity, a national, state, regional or local authority, a body governed by public law or an association formed by one or several such entities or bodies , or a private entity mandated by at least one such entities, authorities, bodies or associations to provide public services, when acting under such a mandate;

(6)‘Union entity’ means a Union institution, body, office and agency set up by or pursuant to the Treaty on European Union, the Treaty on the Functioning of European Union or the Treaty establishing the European Atomic Energy Community;

(7)‘European Business Wallet owner’ means an economic operator or public sector body that owns or has a right of use of a European Business Wallet;

(8)‘trust service’ means trust service as defined in Article 3, point (16) of Regulation (EU) 910/2014;

(9)‘attribute’ means attribute as defined in Article 3, point (43) of Regulation (EU) 910/2014;

(10)‘electronic attestations of attributes’ means electronic attestations of attributes as defined in Article 3, point (44) of Regulation (EU) No 910/2014;

(11)‘qualified attestation of attributes’ means qualified attestation of attributes as defined in Article 3, point (45) of Regulation (EU) No 910/2014;

(12)‘European Digital Identity Wallet’ means European Digital Identity Wallet as defined in Article 3, point (42) of Regulation (EU) No 910/2014; 

(13)‘electronic signature’ means an electronic signature as defined in Article 3, point (10) of Regulation (EU) No 910/2014;

(14)‘qualified electronic signature’ means a qualified electronic signature as defined in Article 3, point (12) of Regulation (EU) No 910/2014;

(15)‘electronic seal’ means an electronic seal as defined in Article 3, point (25) of Regulation (EU) No 910/2014;

(16)‘qualified electronic seal’ means qualified electronic seal as defined in Article 3, point (27) of Regulation (EU) No 910/2014;

(17)‘qualified electronic stamp’ means a qualified electronic stamp as defined in Article 3, point (34) of Regulation (EU) No 910/2014;

(18)‘authorised representative’ means a natural or legal person acting on behalf of the European Business Wallet owner in executing and operating functions of a designated European Business Wallet on the basis of an authorisation granted by a European Business Wallet owner;

(19)‘mandate’ means the authorisation granted by a European Business Wallet owner to an authorised representative, enabling that representative to act on behalf of the owner in executing and operating functions of a designated European Business Wallet;

(20)‘electronic document’ means an electronic document as defined in Article 3, point (35) of Regulation (EU) No 910/2014;

(21)‘qualified electronic registered delivery service’ means a qualified electronic registered delivery service as defined in Article 3, point (37) of Regulation (EU) No 910/2014;

(22)‘user’ means a natural or legal person, or a natural person representing another natural person or a legal person, that uses European Business Wallets or European Business Wallet electronic identification means provided in accordance with this Regulation;

(23)‘European Business Wallet-relying party’ means a natural person, an economic operator or public sector body that relies upon European Business Wallets;

(24)‘wallet unit attestation’ means a data object that describes the components of the European Business Wallet unit or allows authentication and validation of those components;

(25)‘European Business Wallet unit’ means a unique configuration of a European Business Wallet solution that includes European Business Wallet front-end and European Business Wallet back-end, wallet secure cryptographic applications and wallet secure cryptographic devices provided by a provider to a European Business Wallet to a specific European Business Wallet owner;

(26)‘European Business Wallet solution’ means a combination of software, hardware, services, settings, and configurations, including European Business Wallet front-end and back-end, one or more wallet secure cryptographic applications and one or more wallet secure cryptographic devices;

(27)‘critical assets’ means assets within or in relation to a European Business Wallet unit of such extraordinary importance that where their availability, confidentiality or integrity are compromised, that would have a very serious, debilitating effect on the ability to rely on the European Business Wallet unit;

(28)‘wallet secure cryptographic application’ means an application that manages critical assets by being linked to and using the cryptographic and non-cryptographic functions provided by the wallet secure cryptographic device;

(29)‘wallet secure cryptographic device’ means a tamper-resistant device that provides an environment that is linked to and used by the wallet secure cryptographic application to protect critical assets and provide cryptographic functions for the secure execution of critical operations;

(30)‘trust service provider’ means a trust service provider as defined in Article 3, point (19) of Regulation (EU) No 910/2014;

(31)‘qualified trust service provider’ means qualified trust service provider as defined in Article 3, point (20) of Regulation (EU) No 910/2014;

(32)‘electronic attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source’; means a electronic attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source as defined in Article 3, point (46) of Regulation (EU) No 910/2014;

(33)‘authentic source’ means authentic source as defined in Article 3, point (47) of Regulation (EU) No 910/2014;

(34)‘attestation scheme’ means a set of rules applicable to one or more types of electronic attestation of attributes;

(35)‘catalogue of schemes means a digital repository listing schemes for the attestation of attributes registered in accordance with this Regulation and that is maintained and published online by the Commission; 

(36)‘European unique identifier’ means the European Unique Identifier referred to in Directive (EU) 2017/1132;

(37)‘national register’ means an official database or system established and maintained by or on behalf of a national government or its designated authority, which records, stores, and manages information pertaining to legal entities, including but not limited to companies, partnerships, foundations, associations as well as businesses as natural persons such as sole-traders and self-employed persons or other registrable persons or organisations;

(38)‘API’ or ‘Application Programming Interface’ means a set of definitions and protocols for building and integrating application software to share data;

(39)‘submission’ or ‘submit 'means any transmission of structured or unstructured data, files, forms, or records by between a public sector body and an economic operator or between economic operators or between public sector bodies, where such transmission is required, requested, or permitted under Union or national law, and is intended to support a legal, administrative, or procedural purpose;

(40)‘notification’ means any transmission of information, decisions, requests, or acknowledgements between a public sector body and an economic operator or between economic operators or between public sector bodies, which is required, requested, or permitted under Union or national law, and which is intended to produce legal effects or inform the recipient of rights, obligations, or procedural developments;

(41)‘administrative procedure’ means a sequence of actions, defined by Union or national law, that must be taken by economic operators or public sector bodies to comply with obligations, provide information, or obtain a decision, authorisation, or benefit from a public sector body in the exercise of administrative functions;

(42)'European Business Wallet front-end' means the user interface component, regardless of platform or form factor, that interacts with users acting on behalf of the owner, and is part of the European Business Wallet unit;

(43)'European Business Wallet back-end' means the server-side components, including software, services, and infrastructure, that provide the necessary functionality and support for the European Business Wallet Frontend, and form part of the European Business Wallet unit.

Chapter II – European Business Wallets

Article 4

Principle of equivalence

Where a European Business Wallet owner makes use of any of the core functionalities of a European Business Wallet referred to in Article 5(1), the resulting action shall have the same legal effect as if the action had been lawfully carried out in person, in paper form, or via any other means or processes that would be deemed compliant with applicable legal, administrative, or procedural requirements.

Where a self-employed person or a sole trader makes use of the qualified electronic registered delivery service in the circumstances set out in Article 5(3), the resulting action shall have the same legal effect as if the action had been lawfully carried out in person, in paper form, or via any other means or processes that would be deemed compliant with applicable legal, administrative, or procedural requirements.

Article 5

Core functionalities of European Business Wallets

1.Providers of European Business Wallets shall ensure that the European Business Wallets they provide enable European Business Wallet owners to make use of the following core functionalities:

(a)securely issue, request, obtain, select, combine, store, delete, share and present electronic attestations of attributes;

(b)selectively disclose European Business Wallet owner identification data and attributes contained in electronic attestations of attributes, in the context of the functionalities listed in point a;

(c)request and share European Business Wallet owner identification data and electronic attestations of attributes in a secured way between European Business Wallets and European Digital Identity Wallets and with European Business Wallet-relying parties;

(d)sign by means of qualified electronic signatures and seal by means of qualified electronic seals, as applicable;

(e)bind data in electronic form to a particular time by means of qualified electronic time stamps;

(f)issue electronic attestations of attributes to European Business Wallets and European Digital Identity Wallets; 

(g)issue electronic attestations of attributes through the European Business Wallet of the owner, allowing the issued attestation to be linked to other relevant attestations forming part of a chain;

(h)enable the use of qualified and non-qualified electronic attestations of attributes to allow European Business Wallet owners and their authorised representatives to authenticate themselves; 

(i)transmit and receive electronic documents and data by means of a qualified electronic registered delivery service capable of supporting confidentiality and integrity;

(j)authorise multiple users to access and operate the European Business Wallet of the owner, and for the European Business Wallet owner to manage and revoke such authorisations;

(k)authorise European Business Wallet-relying parties to request electronic attestations of attributes issued to the European Business Wallet owner, and for the European Business Wallet owner to manage and revoke such authorisations;

(l)export their data, including issued European Business Wallet owner identification data, electronic attestations of attributes, communication logs, and interaction records, in a structured, commonly used and machine-readable format, at the request of the owner or in the event of termination of service or revocation of the notification of the provider of the European Business Wallet;

(m)access a log of all transactions;

(n)access a common dashboard for accessing, storing and verifying communications exchanged through the qualified electronic registered delivery service referred to in point (i).

2.Providers of European Business Wallets may offer additional functionalities beyond those listed in paragraph 1 provided that such functionalities do not interfere with or compromise the confidentiality, availability, or integrity of the minimum core functionalities, and the reliability and interoperability of the European Business Wallets they provide.

3.Providers of European Business Wallets shall enable the provision of the qualified electronic registered delivery service referred to in paragraph 1, point (i) as a standalone service to users of European Digital Identity Wallets.

4.Providers of European Business Wallets shall implement the functionalities referred to in paragraph 1 in accordance with requirements set out in the Annex.

5.The Commission shall, by means of implementing acts, establish a list of reference standards and where necessary, establish specifications and procedures for the core functionalities of European Business Wallets referred to in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19.

Article 6

Technical features for European Business Wallets

1.Providers of European Business Wallets shall ensure that the European Business Wallets they provide support common protocols and interfaces:

(a)for the issuance of European Business Wallet owner identification data, qualified and non-qualified electronic attestations of attributes and qualified and non-qualified certificates to European Business Wallets;

(b)for European Business Wallet-relying parties to request and validate European Business Wallet owner identification data and electronic attestations of attributes;

(c)for the sharing and presenting to European Business Wallet-relying parties of European Business Wallet owner identification data, electronic attestation of attributes and of selectively disclosed data;

(d)to allow interaction with the European Business Wallets automatically without manual intervention or through direct user action;

(e)to securely onboard the European Business Wallet owner remotely via an authorised representative with an electronic identification means of that authorised representative which meets the requirements of Regulation (EU) No 910/2014 with regard to the assurance levels ‘substantial’ or ‘high’;

(f)for interaction between European Business Wallets, and between European Business Wallets and European Digital Identity Wallets for the purpose of receiving, validating and sharing European Business Wallet owner identification data and electronic attestations of attributes in a secure manner;

(g)for authenticating European Business Wallet-relying parties by implementing authentication mechanisms, where authentication is required;

(h)for European Business Wallet-relying parties to verify the authenticity and validity of European Business Wallets, where the verification of the authenticity and validity is required;

(i)for the provision of the qualified electronic registered delivery service referred to in Article 5(1), point (i), including an interface to the European Digital Directory established pursuant to Article 10;

(j)for the assigning to each European Business Wallet owner, for the purposes of the qualified electronic registered delivery service referred to in Article 5(1), point (i) and the European Digital Directory referred to in Article 10, at least one unique digital address;

(k)for the provision of wallet unit attestations to all European Business Wallet units, containing public keys and corresponding private keys protected by a wallet secure cryptographic device;

(l)for the management of critical assets, for the use of at least one wallet secure cryptographic application and wallet secure cryptographic device and, where critical assets relate to performing electronic identification at assurance level substantial, for ensuring that such cryptographic operators or other operations processing critical assets are performed in accordance with the requirements for the characteristics and design of electronic identification means at assurance level substantial as set out in Commission Implementing Regulation (EU) 2015/1502.

2.Providers of European Business Wallets shall also:

(a)ensure that the European Business Wallet owner identification data is digitally associated with the European Business Wallet of the owner;

(b)ensure that, for the purposes of the functionality referred to in Article 5(1), point (j):

–mappings between roles and attributes are verifiable, auditable, revocable and traceable to their legitimate issuers;

–conflicts of roles, over-delegation, or expired authorisations are automatically detected and prevented in real time;

–all authorisation logic is interoperable across Member States.

(c)ensure security-by-design;

(d)provide validation mechanisms, in order to ensure that the authenticity and validity of European Business Wallets can be verified;

(e)provide a mechanism enabling European Business Wallet owners to easily request technical support and report technical problems or any other incidents having a negative impact on the use of European Business Wallets;

(f)ensure that the validity of the European Business Wallets can be revoked in the following circumstances:

–upon the explicit request of the European Business Wallet owner;

–where the security of the European Business Wallet has been compromised;

–upon the permanent or temporary cessation of activity of the European Business Wallet owner;

–where the provider of the European Business Wallet is not included in the list referred to in Article 12(5).

(g)without undue delay, notify to the Commission:

–the mechanism allowing for the validation of the European Business Wallet owner identification data;

–the mechanism by which to validate the authenticity and validity of European Business Wallets.

3.The Commission shall make available the information notified pursuant to paragraph 2, point (g) of this Article to the public through a secure channel, in electronically signed or sealed form suitable for automated processing.

4.Providers of European Business Wallets shall implement the technical features provided for in paragraphs 1 and 2 in accordance with the requirements set out in the Annex.

5.The Commission shall, by means of implementing acts, establish a list of reference standards and where necessary, establish specifications and procedures for the technical features of European Business Wallets provided for in paragraphs 1, 2 and 3 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19.

Article 7

Requirements and obligations for providers of European Business Wallets

1.European Business Wallets shall be provided by providers of European Business Wallets that are included in the list established pursuant to Article 12(5). 

2.Given the role of European Business Wallets in the Unions digital infrastructure, providers of European Business Wallets shall be established in the Union, have their principal place of business and main operations in the Union and not present a risk to the security of the Union. In particular they shall not be subject to control by a third country or by a third-country entity.

3.Providers of European Business Wallets shall comply with the requirements set out in Article 19a of Regulation (EU) 910/2014. That obligation shall not apply to providers of European Business Wallets that are qualified trust service providers.

4.Providers of European Business Wallets shall comply with the requirements set out in Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union.

5.Providers of European Business Wallets shall comply with applicable cybersecurity requirements laid down in Union and national law, including those relating to the identification of high-risk suppliers. Providers shall also ensure that their suppliers of software and security solutions comply with these requirements and conform to the relevant security standards and requirements.

6.Providers of European Business Wallets shall:

(a)implement appropriate technical and organisational measures to ensure the confidentiality, integrity, authenticity, interoperability, and availability of the European Business Wallets they provide with other European Business Wallets and European Digital Identity Wallets;

(b)ensure that European Business Wallet owners are clearly informed, in a user-friendly, concise and accessible manner, about the terms and conditions of use of the European Business Wallet, including the scope and limitations of core and additional functionalities, cybersecurity standards, and the European Business Wallet owner’s rights with regard to data portability, redress, and termination of service;

(c)ensure that authorised representatives of European Business Wallet owners are clearly informed, in a user-friendly, concise and accessible manner, about their rights and obligations in relation to their European Business Wallet unit, in particular, the right to request revocation of their wallet unit attestation, using the authentication mechanism provided in point 1 of the Annex;

(d)cooperate with the competent supervisory bodies referred to in Article 13(1), or with the Commission in the cases referred to in Article 13(10) and 14(1) and respond without undue delay to any request for information or documentation necessary to verify compliance with this Regulation;

(e)notify the relevant national supervisory bodies, or the Commission in the cases referred to in Article 14(1), of any substantive changes to their services or overall structure which may impact the compliance of the provider with this Regulation;

(f)notify European Business Wallet owners in the event of suspension, revocation or voluntary termination of the providers of European Business Wallet`s services and of the removal of the provider of European Business Wallet from the list established pursuant to Article 12(5) and ensure the transfer or deletion of the European Business Wallet owner data in accordance with the European Business Wallet owners instructions, including European Business Wallet owner identification data;

(g)ensure that the information on European Business Wallet owners, pursuant to Article 10(2), is notified to the Commission and that the information initially submitted to the Commission is kept up to date and corroborated using the providers of the European Business Wallet owner identification data issuing the unique identifiers referred to in Article 8(5), point (b).

Article 8

European Business Wallet owner identification data

1.Providers of European Business Wallet owner identification data shall issue European Business Wallet owner identification data to European Business Wallets of European Business Wallet owners. Where European Business Wallet owners are Union entities, the Commission shall issue European Business Wallet owner identification data to the European Business Wallets of those Union entities.

2.Member States shall notify to the Commission the relevant authentic sources for the verification of the required attributes for the issuance of the European Business Wallet owner identification data. On the basis of the information received pursuant to this paragraph, the Commission shall make available on the Commission’s website, in a machine-readable format, a list of the notified relevant authentic sources.

3.European Business Wallet owner identification data shall be issued in a format compliant with one of the standards listed in Annex II of Commission Implementing Regulation (EU) 2024/2979 and as:

(a)qualified electronic attestations of attributes, when provided by qualified trust service providers;

(b)electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source, when provided by a public sector body so responsible;

(c)electronic attestations of attributes, when provided by the Commission.

4.European Business Wallet owner identification data issued by the Commission shall have the same legal effect as qualified electronic attestations of attributes and attestations of attributes issued by, or on behalf of, a public sector body responsible for an authentic source.

5.European Business Wallet owner identification data shall contain at least the following attributes:

(a)the official name of the economic operator or public sector body, as recorded in the relevant register or official record;

(b)the relevant unique identifier attributed in accordance with Article 9. 

6.The Commission shall establish and maintain an attestation scheme for European Business Wallet owner identification data. That scheme shall be listed in the catalogue of schemes for the attestation of attributes referred to in Article 8 of Implementing Regulation (EU) 2025/1569.

7.The Commission may, by means of implementing acts, set out requirements for European Business Wallet owner identification data issued pursuant to this Article, including procedures for Member States to notify to the Commission the relevant authentic sources. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19.

Article 9

Unique identifiers

1.Where an economic operator has been attributed a European Unique Identifier, that identifier shall be used as the unique identifier referred to in Article 8(4), point (b) of this Regulation.

2.Where an economic operator or public sector body has not been attributed a European Unique Identifier, a unique identifier shall be created in accordance with the implementing act referred to in paragraph 4.

3.Where a public sector body is a Union entity, the Commission shall create and attribute a unique identifier to that Union entity in accordance with paragraph 4 of this Article.

4.The Commission shall, by means of implementing acts, establish specifications, requirements and procedures relating to the unique identifier referred to in paragraph 2 of this Article, including measures to ensure that European Business Wallet owners are not attributed more than one unique identifier. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19.

Article 10

European Digital Directory

1.The Commission shall establish, operate and maintain a European Digital Directory which shall act as the trusted source of information for European Business Wallet owners and shall take the form of a web application comprising of two interfaces:

(a)a machine-readable interface exposed through an API for automated system-to-system communication;

(b)a secure, web-based platform that provides access to authenticated and authorised users and system online portal for European Business Wallet users.

2.For the purpose of maintaining the European Digital Directory, providers of European Business Wallets shall, upon the provision of a European Business Wallet, provide to the Commission the categories of information set out in the implementing act referred to in paragraph 6

3.The Commission shall ensure that the relevant information shall be included in the European Digital Directory.

4.The Commission shall make the European Digital Directory only accessible to European Business Wallet owners and their authorised representatives and providers of European Business Wallets.

5.Any modification or revocation concerning the information referred to in paragraph 2 shall, without undue delay and in any event within one working day, be communicated by the providers of European Business Wallet directly to the Commission for the purpose of maintaining the European Digital Directory.

6.The Commission shall, by means of implementing acts, establish standards and technical specifications for the unique digital addresses and the categories of information to be communicated to the Commission for the purpose of the European Digital Directory. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19.

Article 11

Notification of providers of European Business Wallets

1.Entities that intend to provide European Business Wallets shall notify that intention together with the information listed in paragraph 2 to the competent supervisory body.

2.The notification referred to in paragraph 1 shall include the following information:

(a)the entity’s legal name, any commercial names used, website URL, contact email, telephone number, and physical address;

(b)the entity’s register number issued by a national register, where available

(c)a description of how the core functionalities, set out in Article 5(1) shall be offered by the European Business Wallets the entity intends to provide;

(d)a description of any additional functionalities supported by the European Business Wallets the entity intends to provide;

(e)a declaration of conformity with the requirements of this Regulation.

3.Qualified trust service providers shall not be subject to the review and verification procedure set out in paragraphs 4 to 6. Upon submitting the information listed in paragraph 2, the competent supervisory body shall inform the Commission within two working days with a view to the addition of that provider to the list referred to in Article 12(5) and it may immediately offer European Business Wallets.

4.Upon receipt of a notification, the supervisory body shall have 30 days to review the information submitted. 

When that review leads the supervisory body to conclude that the information is complete and the description referred to in paragraph 2 point (c) appears to correspond to the requirements laid down in Article 5(1), it shall inform the Commission within two working days with a view to the addition of that provider to the list referred to in Article 12(5).

5.When that review leads the supervisory body to conclude that the information is not complete or the description referred to in paragraph 2 point (c) appears not to correspond to the requirements laid down in Article 5(1), it shall request additional information or explanations from the notifying entity and set a reasonable deadline, not exceeding 15 calendar days, for response. If that information or those explanations allow the supervisory body to conclude that the information is complete and the description referred to in paragraph 2 point (c) appears to correspond to the requirements laid down in Article 5(1), it shall inform the Commission within two working days with a view to the addition of that provider to the list referred to in Article 12(5). If not, or no response is received, the supervisory body shall inform the notifying entity that it will not be added to the list referred to in Article 12(5).

6.Where the supervisory body has not provided the notifying entity with a substantive response on the outcome of the review referred to in paragraph 4 within 30 calendar days of receiving the notification, the information shall be considered as complete and the description referred to in paragraph 2 point (c) shall be considered as appearing to correspond to the requirements laid down in Article 5(1), and the supervisory body shall inform the Commission within two working days with a view to the addition of that provider to the list referred to in Article 12(5)

7.Member States shall ensure that notifying entities have the right to an effective judicial remedy against a decision of the supervisory authority, without prejudice to any other administrative or non-judicial remedy, in cases where the supervisory authority refuses to list them as a provider of European Business Wallets or takes no decision within a reasonable timeframe. 

Article 12

List of notified providers of European Business Wallets

1.Supervisory bodies shall inform the Commission of any changes to the information provided pursuant to Article 11, within 24 hours of having become aware of any changes.

2.The information provided by the supervisory bodies referred to in Article 11 and Article 12(1) shall include the following:

(a)the purpose of the submission, which may be one of the following:

–the registration of a notified provider of European Business Wallets not previously present on the list referred to in paragraph 5;

–a change to previously submitted information regarding providers of European Business Wallets currently present on the list referred to in paragraph 5;

–a request to remove a provider of European Business Wallets from the list referred to in paragraph 5;

(b)name and, where applicable, the commercial name of the provider of European Business Wallets;

(c)the Member State in which the provider of European Business Wallets has its principal place of establishment;

(d)the name of the competent supervisory body;

(e)an indication whether the provider of European Business Wallets is a qualified trust service provider.

3.On the basis of the information received pursuant to this Article, the Commission shall establish and maintain on the Commission’s website, in a machine-readable format, a list of providers of European Business Wallets.

Article 13

Governance and supervision

1.In each Member State, the supervisory bodies designated pursuant to Article 46a of Regulation (EU) No 910/2014 shall also be the supervisory bodies for the purposes of this Regulation.

2.Those supervisory bodies shall be responsible for supervisory tasks as regards providers of European Business Wallets having their principal place of establishment in that Member State.

3.Member States shall ensure that the supervisory bodies referred to in paragraph 1 have the necessary powers and adequate resources for the exercise of their tasks in an effective, efficient and independent manner.

4.The role of national supervisory bodies referred to in paragraph 1 shall be to:

(a)monitor compliance with the requirements laid down in this Regulation and take action, if necessary, in relation to providers of European Business Wallets, by means of ex post supervisory activities;

(b)act as the main liaison office for providers of European Business Wallet owner identification data, facilitating access to information from relevant national authorities and registries, where necessary, for the issuance of European Business Wallet owner identification data and unique identifiers.

5.The tasks of the supervisory bodies referred to in paragraph 1 shall include the following:

(a)review and assess the notifications submitted in accordance with Article 11;

(b)investigate substantiated claims, particularly those made by European Business Wallets owners, that a provider of European Business Wallets fails to comply with any of its obligations under this Regulation and to take action if necessary;

(c)verify the existence and correct application of termination plans where a provider of European Business Wallets ceases its activities, including how information is kept accessible;

(d)ensure that providers of European Business Wallets remedy any failure to fulfil the requirements laid down in this Regulation;

(e)impose penalties in accordance with paragraphs 6 to 9;

(f)inform the relevant competent authorities designated or established pursuant to Article 8(1) of Directive (EU) 2022/2555 of the Member States concerned of any significant security breach or loss of integrity of which it becomes aware in the performance of its tasks and, in the case of a significant security breach or loss of integrity which concerns other Member States, to inform the single point of contact designated or established pursuant to Article 8(3) Directive (EU) 2022/2555 of the Member State concerned and the single points of contact designated pursuant to Article 46c(1) of Regulation (EU) No 910/2014 in the other Member States concerned, and to inform the public or require the provider of European Business Wallets to do so where the supervisory body determines that disclosure of the breach of security or loss of integrity would be in the public interest;

(g)cooperate with supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679, in particular, by informing them, without undue delay, where personal data protection rules appear to have been breached and about security breaches which appear to constitute personal data breaches;

(h)cooperate, as appropriate, with other national supervisory bodies;

(i)set up and ensure clear publicity of a complaint mechanism whereby complaints can be filed by providers of European Business Wallets in accordance with Article 11(7);

(j)report to the Commission on its main activities;

(k)revoke the inclusion in the list established pursuant to Article 12(5) of a provider of European Business Wallets if the supervisory body determines that the provider no longer meets the requirements laid down in this Regulation or that the provider has failed to comply with the obligations imposed by this Regulation;

(l)cooperate with the supervisory authorities designated pursuant to Article 46b of Regulation (EU) No 910/2014 by the Member States, in particular, to ensure that economic operators established outside the Union are issued only one set of European Business Wallet owner identification data and European business Wallet unique identifier.

6.Member States shall lay down the rules allowing the supervisory body referred to in paragraph 1 of this Article to impose penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. Those penalties shall be effective, proportionate and dissuasive. Those rules shall not affect Article 31 of Directive (EU) 2022/2555 and Article 83 of Regulation (EU) 2016/679.

7.By [Publications Office, insert the date 12 months after the entry into force of this Regulation] Member States shall notify the Commission of the rules laid down by Member States in accordance with paragraph 6 and shall notify the Commission without delay of any subsequent amendments to the rules. The Commission shall regularly update and maintain an easily accessible public register of those rules.

8.Member States shall take into account the following non-exhaustive and indicative criteria for the imposition of penalties in accordance with paragraph 6: 

(a)the nature, gravity, scale and duration of the infringement;

(b)any action taken by the infringing party to mitigate or remedy the damage caused by the infringement;

(c)any previous infringements by the infringing party;

(d)the financial benefits gained or losses avoided by the infringing party due to the infringement, insofar as such benefits or losses can be reliably established;

(e)any other aggravating or mitigating factor applicable to the circumstances of the case;

(f)the infringing party’s total annual turnover in the preceding financial year in the Union.

Member States shall ensure that infringements of this Regulation committed by providers of European Business Wallets be subject to administrative fines of a maximum of 2% of the total worldwide annual turnover in the preceding financial year.

9.Where the legal system of a Member State does not provide for administrative fines being imposed by administrative authorities, fines initiated by the supervisory body and imposed by competent national courts, which have an equivalent effect to the administrative fines imposed by supervisory bodies, shall be considered to comply with the requirements laid down in paragraph 6. In any event, the fines imposed shall be effective, proportionate and dissuasive. That Member State shall notify to the Commission the provisions of the laws which it adopts pursuant to this paragraph by [Publications Office, insert the date 12 months after the entry into force of this Regulation] and, without delay, any subsequent amendment law or amendment affecting them.

10.In circumstances which justify an immediate intervention to preserve the proper functioning of the internal market and where the Commission has sufficient reason to consider that the European Business Wallets provided by a provider are non-compliant with the requirements laid down in this Regulation and no effective measures have been taken by the competent supervisory authority, the Commission shall carry out an evaluation of compliance. The Commission shall inform the relevant authorities accordingly and the provider shall cooperate as necessary.

11.Based on the evaluation, the Commission may decide that a corrective or restrictive measure is necessary, and after consulting the Member States concerned and the provider, the Commission may determine the appropriate course of action. The Commission shall take into account the nature and severity of the non-compliance, as well as the potential impact on the internal market and the rights of economic operators.

12.On the basis of the consultation, the Commission may adopt implementing acts to provide for corrective or restrictive measures, including temporarily suspending the provider from the list of notified providers or requiring the provider to take specific actions to bring the European Business Wallets into compliance with the Regulation. Those implementing acts shall be adopted in accordance with the examination procedure.

13.The Commission shall immediately communicate the implementing acts to the provider and Member States shall implement those implementing acts without delay and inform the Commission accordingly. These measures shall be applicable for the duration of the exceptional situation that justified the Commission’s intervention, provided that the European Business Wallets concerned are not brought into compliance with this Regulation.

Article 14

European Digital Identity Cooperation Group

The European Digital Identity Cooperation Group established pursuant to Article 46e of Regulation (EU) No 910/2014 shall be responsible for facilitating cooperation and information sharing among Member States and the Commission on matters related to the European Business Wallets. This shall include sharing best practices, discussing technical and operational issues, and coordinating efforts to ensure the proper implementation and functioning of the European Business Wallets.

Article 15

Governance and supervision of Union entities that are providers of European Business Wallets

1.Where a Union entity is a provider of European Business Wallets the Commission shall be its supervisory body.

2.The role of the Commission acting as a supervisory body in accordance with paragraph 1 shall be to monitor compliance with the requirements laid down in this Regulation and take action, if necessary, in relation to providers of European Business Wallets, by means of ex post supervisory activities.

3.When acting as a supervisory body in accordance with paragraph 1, the Commission shall perform the tasks referred to in Article 13(5) points a, b, c, d, h and k.

The Commission shall prepare a report on its main activities in this respect.

Chapter III – Acceptance of the European Business Wallets

Article 16

Obligations on public sector bodies

4.By [Publications Office, please insert the date 24 months after the entry into force of this Regulation] public sector bodies shall enable economic operators to take the following actions by using the core functionalities of European Business Wallets as set out in Article 5(1):

(a)identify and authenticate;

(b)sign or seal;

(c)submit documents;

(d)send or receive notifications.

The actions listed in points (a) to (d) of the first subparagraph shall take place for the purpose of meeting a reporting obligation or fulfilling an administrative procedure.

5.For the purposes of paragraph 1, points (c) and (d), public sector bodies shall have European Business Wallets, including the qualified electronic registered delivery service referred to in Article 5(1), point (i).

6.By way of derogation from paragraph 2 and until [Publications Office, insert the date 36 months after entry into force of this Regulation], public sector bodies may choose not to offer the qualified electronic registered delivery service referred to in Article 5(1), point (i), and support instead other existing alternative solutions which enable economic operators to take the actions listed in paragraph 1, points (c) and (d), provided those solutions:

(a)comply with the requirements applicable to qualified electronic registered delivery services set out in Regulation (EU) No 910/2014;

(b)offer a gateway that enables European Business Wallet owners to submit documents and send and receive notifications using the qualified electronic registered delivery service referred to in Article 5(1), point (i).

After the expiry of the derogation period laid down in this paragraph, public sector bodies may continue to support the alternative solutions referred to in that subparagraph but shall, in accordance with paragraph 2, have European Business Wallets, including the qualified electronic registered delivery service referred to in paragraph 1 of Article 5(1), point (i).

Chapter IV - International aspects

Article 17

Business wallets and other similar instruments and frameworks offered in third countries

1.The Commission may adopt implementing acts establishing that business wallets or systems offering similar functions that are issued by providers established in third countries are to be considered as offering assurances that are equivalent to European Business Wallets issued in accordance with this Regulation, provided that such business wallets or systems are interoperable with the trust framework laid down in Regulation (EU) 910/2014 and allow for the support of at least an identification and authentication functionality and the exchange of electronic attestations of attributes. Such implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19.

2.The Commission may adopt implementing acts establishing that third country frameworks for systems offering similar functions as the European Business Wallets are to be considered as offering assurances that are equivalent to European Business Wallets issued in accordance with this Regulation, provided that the systems provided under that framework are interoperable with the trust framework laid down in Regulation (EU) 910/2014 and allow for the support of at least an identification and authentication functionality and the exchange of electronic attestations of attributes. Such implementing acts shall be adopted in accordance with the examination procedure referred to in Article 19.

3.Prior to the adoption of the implementing acts referred to in paragraphs 1 and 2, the Commission shall assess whether the assurances can be considered as equivalent to the requirements under this Regulation.

4.The Commission shall, where available information reveals that those assurances can no longer be considered as equivalent to the requirements under this Regulation, to the extent necessary, repeal, amend or suspend the act referred to in paragraphs 1 and 2 by means of an implementing act.

5.The Commission shall publish on its website a list of frameworks, business wallets or systems offering similar functions that are issued by providers established in third countries in relation to which the Commission has adopted an implementing act pursuant to this Article.

Article 18

Issuing of European Business Wallets to economic operators established outside the Union

1.Providers of European Business Wallets may provide European Business Wallets to economic operators established in a third country under the condition that such economic operators have been issued European Business Wallet owner identification data and a unique identifier in accordance with this Article.

2.For the purposes of this Article, economic operators shall request only one set of European Business Wallet owner identification data from one provider of European Business Wallet owner identification data.

3.Where an economic operator established outside the Union requests a European Business Wallet, the provider of European Business Wallets shall notify this request to the supervisory body of the Member State in which the provider is notified.

4.Providers of European Business Wallets shall request European Business Wallet owner identification data from a provider of European Business Wallet owner identification data on behalf of the economic operator established in a third country.

5.Providers of European Business Wallet owner identification data may issue European Business Wallet owner identification data and unique identifiers pursuant to Articles 8 and 9 to economic operators established outside the Union, provided that:

(a)the identity proofing and verification of those economic operators fulfils one or, when needed, a combination, of the methods for verification of identity set out in Article 24 (1a) of Regulation (EU) No 910/2014;

(b)the economic operator has not been issued another set of European Business Wallet owner identification data.

6.Member States shall cooperate to ensure that providers of European Business Wallet owner identification data can verify that an economic operator established outside the Union has not yet been issued European Business Wallet owner identification data.

Chapter V – Final provisions

Article 19

Committee procedure

The Commission shall be assisted by the committee established by Article 48 of Regulation (EU) No 910/2014. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

Article 20

Amendment to Regulation (EU) No 910/2014

In Regulation (EU) No 910/2014, Article 5a is amended as follows:

(1) paragraph 1 is replaced by the following:

‘1. For the purpose of ensuring that all natural persons in the Union have secure, trusted and seamless cross-border access to public and private services, while having full control over their data, each Member State shall provide at least one European Digital Identity Wallet within 24 months of the date of entry into force of the implementing acts referred to in paragraph 23 of this Article and in Article 5c(6).’

(2) in paragraph 5 point (f) is replaced by the following:

‘(f) ensure that the person identification data, which is available from the electronic identification scheme under which the European Digital Identity Wallet is provided, uniquely represents the natural person or the natural person representing the natural or legal person, and is associated with that European Digital Identity Wallet;’;

(3) in paragraph 9 point c) is replaced by the following:

‘(c) upon the death of the user.’;

(4) Paragraph 15 is replaced by the following:

’15. The use of European Digital Identity Wallets shall be voluntary. Access to public and private services, access to the labour market and freedom to conduct business shall not in any way be restricted or made disadvantageous to natural persons that do not use European Digital Identity Wallets. It shall remain possible to access public and private services by other existing identification and authentication means.’. 

Article 21

Evaluation and review

7.The Commission shall review the application of this Regulation and shall, by [Publications Office, insert the date – 3 years after entry into force], submit a report to the European Parliament and to the Council. The report shall evaluate the effectiveness of the provisions of this Regulation with regard to facilitating the submission of electronic documents and electronic attestations to public sector bodies, by the usage of the European Business Wallets, as well as technological, market, and legal developments. The report shall also assess whether it is necessary to modify the scope of this Regulation or its specific provisions to set out an obligation for the use of the European Business Wallets to address the risks of legal fragmentation.

8.The report referred to in paragraph 1 shall include the following aspects:

(a)the minimum core functionalities of European Business Wallets;

(b)the level of compliance of providers of European Business Wallets and the notification procedure and criteria established in Article 11;

(c)the application and functioning of the rules on penalties laid down by the Member States pursuant to Article 13;

(d)the detailed requirements and technical specifications for the qualified electronic registered delivery service referred to in Article 5(1) point I;

No later than one year before the report referred to in paragraph 1 is due, Member States shall provide the Commission with the information necessary for the preparation of the reports.

Article 22

Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from [Publications Office, insert the date – 1 year after entry into force].

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels,

LEGISLATIVE FINANCIAL AND DIGITAL STATEMENT

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE3

1.1.Title of the proposal/initiative3

1.2.Policy area(s) concerned3

1.3.Objective(s)3

1.3.1.General objective(s)3

1.3.2.Specific objective(s)3

1.3.3.Expected result(s) and impact3

1.3.4.Indicators of performance3

1.4.The proposal/initiative relates to:4

1.5.Grounds for the proposal/initiative4

1.5.1.Requirement(s) to be met in the short or long term including a detailed timeline for roll-out of the implementation of the initiative4

1.5.2.Added value of EU involvement (it may result from different factors, e.g. coordination gains, legal certainty, greater effectiveness or complementarities). For the purposes of this section 'added value of EU involvement' is the value resulting from EU action, that is additional to the value that would have been otherwise created by Member States alone.4

1.5.3.Lessons learned from similar experiences in the past4

1.5.4.Compatibility with the multiannual financial framework and possible synergies with other appropriate instruments5

1.5.5.Assessment of the different available financing options, including scope for redeployment5

1.6.Duration of the proposal/initiative and of its financial impact6

1.7.Method(s) of budget implementation planned6

2.MANAGEMENT MEASURES8

2.1.Monitoring and reporting rules8

2.2.Management and control system(s)8

2.2.1.Justification of the budget implementation method(s), the funding implementation mechanism(s), the payment modalities and the control strategy proposed8

2.2.2.Information concerning the risks identified and the internal control system(s) set up to mitigate them8

2.2.3.Estimation and justification of the cost-effectiveness of the controls (ratio between the control costs and the value of the related funds managed), and assessment of the expected levels of risk of error (at payment & at closure)8

2.3.Measures to prevent fraud and irregularities9

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE10

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected10

3.2.Estimated financial impact of the proposal on appropriations12

3.2.1.Summary of estimated impact on operational appropriations12

3.2.1.1.Appropriations from voted budget12

3.2.1.2.Appropriations from external assigned revenues17

3.2.2.Estimated output funded from operational appropriations22

3.2.3.Summary of estimated impact on administrative appropriations24

3.2.3.1. Appropriations from voted budget24

3.2.3.2.Appropriations from external assigned revenues24

3.2.3.3.Total appropriations24

3.2.4.Estimated requirements of human resources25

3.2.4.1.Financed from voted budget25

3.2.4.2.Financed from external assigned revenues26

3.2.4.3.Total requirements of human resources26

3.2.5.Overview of estimated impact on digital technology-related investments28

3.2.6.Compatibility with the current multiannual financial framework28

3.2.7.Third-party contributions28

3.3.Estimated impact on revenue29

4.Digital dimensions29

4.1.Requirements of digital relevance30

4.2.Data30

4.3.Digital solutions31

4.4.Interoperability assessment31

4.5.Measures to support digital implementation32

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE 

1.1.Title of the proposal/initiative

1.2.Policy area(s) concerned 

1.3.Objective(s)

1.3.1.General objective(s)

1.3.2.Specific objective(s)

1.3.3.Expected result(s) and impact

Specify the effects which the proposal/initiative should have on the beneficiaries/groups targeted.

1.3.4.Indicators of performance

Specify the indicators for monitoring progress and achievements.

To ensure consistency and proportionality, the monitoring framework draws on the three-pillar structure referenced in the impact assessment for the revision of the eIDAS Regulation, implementation, application, and contextual indicators, and adapts it to the specific scope of the European Business Wallets. This ensures alignment while avoiding duplication of monitoring obligations and respecting Better Regulation principles, including proportionality and re-use of existing data streams. Additionally, a set of additinal indicators, specifically linked to the Specific Objectives will be leveraged to assess the outcomes of the initiative via proxy-indicators. These broader macro-economic and administrative-burden trends remain contextual and will be interpreted alongside eIDAS data to support statistical inference rather than implying direct causality.

The new set of indicators linked to the Specific Objectives is reported underneath:

Monitoring and evaluation aspect and relevant objectives	Indicator(s)	Responsibility for collection	Source(s)
SO1: Reduce administrative burdens, streamline compliance processes, and improve service delivery.
To reduce the administrative burden of regulatory compliance and reporting requirements on businesses through demonstrable economic benefits	Quantifiable reduction in the burden of government regulation indicator	European Commission	Single Market and Competitiveness Scoreboard 14
To improve public service delivery	Measured improvements in Digital Public Services for Business indicators under the eGov benchmark, particularly in respect of online service delivery and interoperability signifiers (specific indicators: (cross-border) online availability; (cross-border) eID; pre-filled forms; OOTS)	European Commission	eGovernment benchmark study feeding the Digital Decade Policy Programme
To enhance European competitiveness	Measurable improvements in the exports of goods to other EU countries by SMEs in the industrial sector (% of SMEs)	European Commission	Single Market and Competitiveness Scoreboard
SO2: To ensure economic operators and public sector bodies have access to secure and trusted digital identification across borders, meeting user needs and market demand.
To develop a market for secure digital identification and trust services between economic operators and public sector bodies	Number of compliant and notified European Business Wallet providers, including Qualified Trust Service Providers	Supervisory bodies	Data reported to European Commission European Digital Directory
To ensure that available solutions are trusted and secure and comply with all requirements to provide European Business Wallets	Number of withdrawn authorisations of notified European Business Wallet providers, excluding any providers who have voluntarily ceased their commercial provision of business wallets and related services Number and level of penalties imposed on European Business Wallet providers	Supervisory bodies	Data reported to European Commission
To stimulate adoption of the European Business Wallet across all sectors of the economy	Number of European Business Wallets issued to economic operators and public sector bodies and registered in the European Digital Directory 15	European Commission	European Digital Directory

1.4.The proposal/initiative relates to: 

 a new action 

 a new action following a pilot project / preparatory action 16  

 the extension of an existing action 

 a merger or redirection of one or more actions towards another/a new action

1.5.Grounds for the proposal/initiative 

1.5.1.Requirement(s) to be met in the short or long term including a detailed timeline for roll-out of the implementation of the initiative

1.5.2.Added value of EU involvement (it may result from different factors, e.g. coordination gains, legal certainty, greater effectiveness or complementarities). For the purposes of this section 'added value of EU involvement' is the value resulting from EU action, that is additional to the value that would have been otherwise created by Member States alone.

1.5.3.Lessons learned from similar experiences in the past

1.5.4.Compatibility with the multiannual financial framework and possible synergies with other appropriate instruments

1.5.5.Assessment of the different available financing options, including scope for redeployment

1.6.Duration of the proposal/initiative and of its financial impact

 limited duration

–    in effect from [DD/MM]YYYY to [DD/MM]YYYY

–    financial impact from YYYY to YYYY for commitment appropriations and from YYYY to YYYY for payment appropriations.

unlimited duration

–Implementation with a start-up period from 2028 to 2029,

–followed by full-scale operation.

1.7.Method(s) of budget implementation planned 

 Direct management by the Commission

–by its departments, including by its staff in the Union delegations;

–by the executive agencies

 Shared management with the Member States

 Indirect management by entrusting budget implementation tasks to:

– third countries or the bodies they have designated

– international organisations and their agencies (to be specified)

– the European Investment Bank and the European Investment Fund

– bodies referred to in Articles 70 and 71 of the Financial Regulation

– public law bodies

– bodies governed by private law with a public service mission to the extent that they are provided with adequate financial guarantees

– bodies governed by the private law of a Member State that are entrusted with the implementation of a public-private partnership and that are provided with adequate financial guarantees

– bodies or persons entrusted with the implementation of specific actions in the common foreign and security policy pursuant to Title V of the Treaty on European Union, and identified in the relevant basic act

–bodies established in a Member State, governed by the private law of a Member State or Union law and eligible to be entrusted, in accordance with sector-specific rules, with the implementation of Union funds or budgetary guarantees, to the extent that such bodies are controlled by public law bodies or by bodies governed by private law with a public service mission, and are provided with adequate financial guarantees in the form of joint and several liability by the controlling bodies or equivalent financial guarantees and which may be, for each action, limited to the maximum amount of the Union support.

2.MANAGEMENT MEASURES 

2.1.Monitoring and reporting rules 

2.2.Management and control system(s) 

2.2.1.Justification of the budget implementation method(s), the funding implementation mechanism(s), the payment modalities and the control strategy proposed

2.2.2.Information concerning the risks identified and the internal control system(s) set up to mitigate them

2.2.3.Estimation and justification of the cost-effectiveness of the controls (ratio between the control costs and the value of the related funds managed), and assessment of the expected levels of risk of error (at payment & at closure) 

2.3.Measures to prevent fraud and irregularities 

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE 

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected 

·Existing budget lines

In order of multiannual financial framework headings and budget lines.

Heading of multiannual financial framework	Budget line	Type of expenditure	Contribution
	Number	Diff./Non-diff. 17	from EFTA countries 18	from candidate countries and potential candidates 19	From other third countries	other assigned revenue
	MFF headings and budget lines to be determined  20	Diff./Non-diff.	YES/NO	YES/NO	YES/NO	YES/NO
	[XX.YY.YY.YY]	Diff./Non-diff.	YES/NO	YES/NO	YES/NO	YES/NO
	[XX.YY.YY.YY]	Diff./Non-diff.	YES/NO	YES/NO	YES/NO	YES/NO

·New budget lines requested

In order of multiannual financial framework headings and budget lines.

Heading of multiannual financial framework	Budget line	Type of expenditure	Contribution
	Number	Diff./Non-diff.	from EFTA countries	from candidate countries and potential candidates	from other third countries	other assigned revenue
	[XX.YY.YY.YY]	Diff./Non-diff.	YES/NO	YES/NO	YES/NO	YES/NO
	[XX.YY.YY.YY]	Diff./Non-diff.	YES/NO	YES/NO	YES/NO	YES/NO
	[XX.YY.YY.YY]	Diff./Non-diff.	YES/NO	YES/NO	YES/NO	YES/NO

3.2.Estimated financial impact of the proposal on appropriations 

3.2.1.Summary of estimated impact on operational appropriations 

–    The proposal/initiative does not require the use of operational appropriations

–    The proposal/initiative requires the use of operational appropriations, as explained below

–The amounts indicated are strictly indicative, pending the final outcome of the MFF negotiations 2028-2034.

–This initiative will be financed by redeployment within the operational programmes of the next MFF, and partially by administrative expenditure. At this stage, it is not possible to indicate accurately the contribution from each MFF heading and programme, while it is expected that a significant contribution will come from programmes under heading 2 of the 2028-2034 MFF (e.g. the European Competitiveness Fund).

–

3.2.1.1.Appropriations from voted budget

EUR million (to three decimal places)

		First Year	Second Year	Following Years (yearly amount)
TOTAL appropriations under HEADINGS 1 to 4	Commitments	45,442	16,867	8,929
of the multiannual financial framework	Payments	45,442	16,867	8,929

The figures as shown in the table above arestrictly indicative pending the outcome of the MFF negotiations.

The figures as shown in the table above are strictly indicative pending the outcome of the MFF negotiations.

3.2.2.Estimated output funded from operational appropriations (not to be completed for decentralised agencies)

Commitment appropriations in EUR million (to three decimal places)

Indicate objectives and outputs 

Year 2028

Year 2029

Year 2030

Year 2031

Enter as many years as necessary to show the duration of the impact (see Section1.6)

TOTAL

OUTPUTS

Type 21

Average cost

No

Cost

No

Cost

No

Cost

No

Cost

No

Cost

No

Cost

No

Cost

Total No

Total cost

SPECIFIC OBJECTIVE No 1 22 …

- Output

- Output

- Output

Subtotal for specific objective No 1

SPECIFIC OBJECTIVE No 2 ...

- Output

Subtotal for specific objective No 2

TOTALS

3.2.3.Summary of estimated impact on administrative appropriations 

–    The proposal/initiative does not require the use of appropriations of an administrative nature

–    The proposal/initiative requires the use of appropriations of an administrative nature, as explained below

3.2.3.1. Appropriations from voted budget

EUR million (to three decimal places)

The figures in the table above are all strictly indicative pending the outcome of the MFF negotiations.

The appropriations required for human resources and other expenditure of an administrative nature will be met by appropriations from the DG that are already assigned to management of the action and/or have been redeployed within the DG, together, if necessary, with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.

3.2.4.Estimated requirements of human resources 

–    The proposal/initiative does not require the use of human resources

–The proposal/initiative requires the use of human resources, as explained below

3.2.4.1.Financed from voted budget

Estimate to be expressed in full-time equivalent units (FTEs)

Considering the overall strained situation in Heading 4, in terms of both staffing and the level of appropriations, the human resources required will be met by staff from the DG who are already assigned to the management of the action and/or have been redeployed within the DG or other Commission services.

The staff required to implement the proposal (in FTEs):

Description of tasks to be carried out by:

3.2.5.Overview of estimated impact on digital technology-related investments

Compulsory: the best estimate of the digital technology-related investments entailed by the proposal/initiative should be included in the table below.

This expenditure refers to the operational budget to be used to re-use/ buy/ develop IT platforms/ tools directly linked to the implementation of the initiative and their associated investments (e.g. licences, studies, data storage etc). The information provided in this table should be consistent with details presented under Section 4 “Digital dimensions”.

3.2.6.Compatibility with the current multiannual financial framework 

The proposal/initiative:

–    can be fully financed through redeployment within the relevant heading of the proposed multiannual financial framework (MFF) 2028-2034

–    requires use of the unallocated margin under the relevant heading of the MFF and/or use of the special instruments as defined in the MFF Regulation

–    requires a revision of the MFF

3.2.7.Third-party contributions 

The proposal/initiative:

–    does not provide for co-financing by third parties

–    provides for the co-financing by third parties estimated below:

Appropriations in EUR million (to three decimal places)

3.3.    Estimated impact on revenue 

–The proposal/initiative has no financial impact on revenue.

–    The proposal/initiative has the following financial impact:

–    on own resources

–    on other revenue

–    please indicate, if the revenue is assigned to expenditure lines

EUR million (to three decimal places)

For assigned revenue, specify the budget expenditure line(s) affected.

Other remarks (e.g. method/formula used for calculating the impact on revenue or any other information).

9.4. DIGITAL DIMENSIONS

4.1. Requirements of digital relevance

If the policy initiative is assessed as having no requirement of digital relevance:

Justification of why digital means cannot be used to enhance policy implementation and why the ‘digital by default’ principle is not applicable

Otherwise:

High-level description of the requirements of digital relevance and related categories (data, process digitalisation & automation, digital solutions and/or digital public services)

4.2. Data

High-level description of the data in scope

Alignment with the European Data Strategy

Explanation of how the requirement(s) are aligned with the European Data Strategy

Alignment with the once-only principle

Explanation of how the once-only principle has been considered and how the possibility to reuse existing data has been explored

Explanation of how newly created data is findable, accessible, interoperable and reusable, and meets high-quality standards

Data flows

High-level description of the data flows

4.3. Digital solutions

High-level description of digital solutions

For each digital solution, explanation of how the digital solution complies with applicable digital policies and legislative enactments

European Business Wallet

European Digital Directory

Signature creation application

4.4. Interoperability assessment

High-level description of the digital public service(s) affected by the requirements

Impact of the requirement(s) as per digital public service on cross-border interoperability

Digital public service #1: European Business Wallet

Digital public service #2: Digital public services in Member States that are mandated to receive evidence through European Business Wallets

4.5. Measures to support digital implementation

High-level description of measures supporting digital implementation

(1)

   OJ C 365, 23.9.2022, p. 18.

(2)    Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions ‘A Competitiveness Compass for the EU’, COM(2025) 30 final.

(3)

   Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj).

(4)    Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services and amending Regulation (EU) No 1024/2012 (OJ L 295, 21.11.2018, pp. 1, ELI: https://eur-lex.europa.eu/eli/reg/2018/1724/oj/eng)

(5)    European Commission, Call for Evidence: 28th regime – a single harmonized set of rules for innovative companies throughout the EU, 8th of July, available at https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14674-28th-regime-a-single-harmonized-set-of-rules-for-innovative-companies-throughout-the-EU_en

(6)     Directive (EU) 2025/25 of the European Parliament and of the Council of 19 December 2024 amending Directives 2009/102/EC and (EU) 2017/1132 as regards further expanding and upgrading the use of digital tools and processes in company law (OJ L, 2025/25, 10.1.2025, ELI:  http://data.europa.eu/eli/dir/2025/25/oj ).

(7)    Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by the Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13, ELI: http://data.europa.eu/eli/reg/2011/182/oj ).

(8) Directive (EU) 2017/1132 of the European Parliament and of the Council of 14 June 2017 relating to certain aspects of company law (codification) (OJ L 169, 30.6.2017, pp. 46–127, ELI: http://data.europa.eu/eli/dir/2017/1132/oj

(9)

Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (OJ L, 2024/1624, 19.6.2024, ELI: http://data.europa.eu/eli/reg/2024/1624/oj)

(10) Regulation (EU) 2024/1624 of the European Parliament and of the Council of 31 May 2024 on the prevention of the use of the financial system for the purposes of money-laundering or terrorist financing, and amending Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 (OJ L …, 19.6.2024, ELI: http://data.europa.eu/eli/reg/2024/1624/oj

(11) Commission Implementing Regulation (EU) 2021/369 of 1 March 2021 establishing the technical specifications and procedures required for the system of interconnection of central registers referred to in Directive (EU) 2015/849 of the European Parliament and of the Council (OJ L 71, 2.3.2021, pp. 11–17, ELI: http://data.europa.eu/eli/reg_impl/2021/369/oj

(12) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (OJ L 333, 27.12.2022, pp. 80–152, ELI: http://data.europa.eu/eli/dir/2022/2555/oj)

(13)     Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data. europa.eu/eli/reg/2018/1725/oj).

(14)    Plus any potential KPI on administrative burden reduction following the review of the Digital Decade Policy Programme

(15)    The number of wallets is not necessarily equivalent to number of owners because one owner attributed with one unique identifier may have multiple wallets registered to them, but it will be a good approximation to determine the levels of usage

(16)    As referred to in Article 58(2), point (a) or (b) of the Financial Regulation.

(17)    Diff. = Differentiated appropriations / Non-diff. = Non-differentiated appropriations.

(18)    EFTA: European Free Trade Association.

(19)    Candidate countries and, where applicable, potential candidates from the Western Balkans.

(20)    Budget lines for the new MFF are not yet known.

(21)    Outputs are products and services to be supplied (e.g. number of student exchanges financed, number of km of roads built, etc.).

(22)    As described in Section 1.3.2. ‘Specific objective(s)’

(23)    As regards traditional own resources (customs duties, sugar levies), the amounts indicated must be net amounts, i.e. gross amounts after deduction of 20% for collection costs.

EUROPEAN COMMISSION

Brussels, 19.11.2025

COM(2025) 838 final

ANNEX

to the

Proposal for a Regulation of the European Parliament and of the Council

on the establishment of European Business Wallets

{SWD(2025) 837 final}

ANNEX

Requirements for minimum functionalities and technical requirements of European Business Wallets

1.European Business Wallets Unit Authentication

Access to the European Business Wallets Unit shall be granted only after the European Business Wallets user has been successfully authenticated by means of either:

(1)a notified electronic identification (eID) means in accordance with Article 6 of Regulation (EU) No 910/2014, fulfilling at least the requirements for a substantial level of assurance as defined in Article 8 of that Regulation and further specified in Commission Implementing Regulation (EU) 2015/1502; or

(2)an alternative authentication mechanism recognised as equivalent and fulfilling at least the requirements for a substantial level of assurance as defined in Article 8 of Regulation (EU) No 910/2014 and further specified in Commission Implementing Regulation (EU) 2015/1502.

Until such authentication has been completed, no functionality of the European Business Wallets Unit or of any other functionalities shall be made accessible to the Wallets user.

2.European Business Wallets Unit integrity

Providers of European Business Wallets shall, for each European Business Wallet unit, generate and sign a European Business Wallet unit attestation in accordance with the requirements laid down in point 5. The certificate used to sign or seal the Business Wallet unit attestation shall be issued under a certificate listed in the trusted list referred to in Commission Implementing Regulation (EU) 2024/2980.

3.European Business Wallets secure communication and critical asset management

(1)European Business Wallet back-end shall use at least one Wallet secure cryptographic application and Wallets secure cryptographic device to manage critical assets.

(2)Providers of the European Business Wallets shall ensure integrity, authenticity and confidentiality of the communication between the Business Wallet’s back-end, front-end and secure cryptographic applications and device.

(3)Where critical assets relate to performing electronic identification at assurance level substantial, the European Business Wallets cryptographic operations or other operations processing critical assets shall be performed in accordance with the requirements for the characteristics and design of electronic identification means at assurance level substantial, as set out in Commission Implementing Regulation (EU) 2015/1502. 

4.Wallets secure cryptographic applications

(1)Providers of European Business Wallets shall ensure that European Business Wallets secure cryptographic applications and devices:

(a)perform the wallet’s cryptographic operations involving critical assets other than those needed for the Wallets unit to authenticate the Wallets owner only in cases where those applications have successfully authenticated Wallets users;

(b)where they authenticate the European Business Wallet owner in the context of performing electronic identification at assurance level substantial as set out in Implementing Regulation (EU) 2015/1502;

(c)are able to securely generate new cryptographic keys;

(d)are able to perform secure erasure of critical assets;

(e)are able to generate a proof of possession of private keys; 

(f)protect the private keys generated by these Wallets secure cryptographic applications and devices during the existence of the keys;

(g)comply with the requirements for the characteristics and design of electronic identification means at assurance level substantial, as set out in Implementing Regulation (EU) 2015/1502.

5.Wallets unit authenticity and validity

(1)Providers of European Business Wallets shall ensure that the European Business Wallets unit attestations referred to in point 1 contain public keys and that the corresponding private keys are protected by a Wallets secure cryptographic device.

(2)Providers of European Business Wallets shall provide mechanisms, independent of Wallets units, for the secure identification and authentication of Wallets users.

6.Revocation of Wallets unit attestations

(1)Providers of European Business Wallets shall establish a publicly available policy specifying the conditions and the timeframe for the revocation of Wallets unit attestations.

(2)In line with Article 6, where the providers of European Business Wallets revoke European Business Wallets unit attestations, they shall inform the affected European Business Wallets users without undue delay and no later than 24 hours from the revocation of their European Business Wallets units, including the reason for the revocation and the consequences for the European Business Wallets user. This information shall be provided in a manner that is concise, easily accessible and using clear and plain language.

(3)Where European Business Wallets providers have revoked a European Business Wallet’s unit attestation, they shall make publicly available the validity status of the European Business Wallet unit attestation and describe the location of that information in the Business Wallet’s unit attestation. 

7.Transaction logs

(1)The providers of European Business Wallets shall provide an appropriate logging policy that shall include, at a minimum, electronic signing, electronic sealing, and notifications of all transactions with Business-Wallet-relying parties, other European Business Wallets units, and European Digital Identity Wallets units, irrespective of whether the transaction is successfully completed.

(2)The logged information shall at least contain:

(a)the time and date of the transaction;

(b)the name, contact details, and unique identifier of the corresponding Business-Wallet-relying party and the Member State in which that Business-Wallet-relying party is established, or in case of other Wallets units, relevant information from the Wallets unit attestation; 

(c)the type or types of data requested and presented in the transaction; 

(d)in the case of non-completed transactions, the reason for such non-completion. 

(3)Providers of European Business Wallets shall ensure integrity, authenticity and confidentiality of the logged information. 

(4)European Business Wallets back-end shall log reports sent by the Wallets user to the competent authorities via the Wallets unit, including interactions related to notifications, regulatory compliance, data sharing, or audit requests.

(5)The logs referred to in subpoints 1 and 2 shall be accessible to the European Business Wallets provider, where it is necessary for the provision of Wallets services.

(6)The logs referred to in subpoints 1 and 2 shall remain accessible for as long as required to be accessible  by Union law or national law.

8.Qualified electronic signatures and seals

(1)In line with Article 6, providers of European Business Wallets shall ensure that Wallets users are able to receive qualified certificates for qualified electronic signatures or seals which are linked to qualified signature or seal creation devices that are either local, external, or remote in relation to the Wallet’s unit.