Appendix 4: Regulations

eIDAS 2.0 2024/1183, Including EU Digital Identity Wallet

Regarding i) Digital Identity Wallet

A central element of the eIDAS 2.0 regulation is the European Digital Identity Wallet (EUDIW). The EUDIW will be rolled out in the form of apps and will allow citizens, residents and businesses to digitally identify themselves. By 21 November 2026, each Member State must provide at least one EUDIW to its citizens, cf. art. 5a, section 1.
The EUDIW adds enhanced measures regarding security and privacy, where users will be able to securely request, obtain, select, store, delete, share and present personal identification data and, when applicable, in combination with electronic attestations of attributes, authenticate relying parties both online and offline, to access public and private services, cf. art. 5a, section 4 (a). These data may, among other personal identification data, include PoAs.
In addition, this will also allow for the selective disclosure of data. The EUDIW will enforce the right to pseudonymity, where users can store pseudonyms, adding a layer of privacy.

Regarding ii) Electronic attestation of attributes

Another important element is the electronic attestation of attributes, especially when using PoAs. These are attestations in electronic form allowing the authentication of features, characteristics or qualities for natural and legal persons. According to the regulation, Member States shall ensure that these electronic attestations have the same legal effect as lawfully issued attestations in paper form, cf. art. 45b.
The following minimum list of attributes is included in eIDAS 2.0, cf. annex VI:
  • Address
  • Age
  • Gender
  • Civil status
  • Family composition
  • Nationality or citizenship
  • Educational qualifications, titles, and licenses
  • Professional qualifications, titles, and licenses
  • Powers and mandates to represent natural or legal persons
  • Public permits and licenses
  • For legal persons, financial and company data

Regarding iii) Unequivocal identity matching

The regulation aims to improve cross-border electronic identification between Member States, which ensures interoperability and trust in digital interactions within the EU, e.g. in connection with cross border PoA use. Thus, when acting as a relying party for cross-border services, Member States shall ensure unequivocal identity matching for natural persons using notified electronic identification means or EUDIW, cf. art. 11a.

Single Digital Gateway Regulation 2017/1724, including Once Only Technical System

Regarding i) Your Europe Portal

According to the regulation, the Commission and Member States are to establish the SDG. The SDG must consist of a common user interface managed by the Commission and be integrated into the “Your Europe” portal. The Your Europe portal shall give access to relevant Union and national webpages, cf. art. 2.

Regarding ii) Access to information

Member States are responsible for ensuring that users have easy, online access on their national webpages to specific information from a national level, while the Commission is responsible for ensuring that the Your Europe portal provides users with easy online access to specific information from a Union level, cf. art. 4.
The information includes e.g. rights, obligations and rules laid down in Union and national law that are applicable to users exercising or intending to exercise their rights derived from Union law in the field of the internal market in the areas listed in Annex I (e.g. travel, work and retirement within the Union or taking a vehicle to another Member State). It is reasonable to assume that Member States will include information on EU citizens’ abilities to exercise their rights by the use of PoAs, including for cross-border actions.
For the Member State and the Commission to comply with Article 4, they must follow the quality requirements related to information, cf. art. 9–11.

Regarding iii) Once-Only Technical System

Operating within the SDG Regulation framework, the OOTS enables the cross-border sharing of information between public administrations in EU countries. The OOTS implements the “once-only” principle and is core infrastructure in the implementation of the SDG.
When natural and legal persons complete an online procedure in one Member State, the system will be able to make a request to automatically and securely retrieve official documents or structured data from a public authority’s eGovernment portal in another Member State, cf. art. 14. As shown below, OOTS may be utilized as a platform for cross-border PoA use.
Considering the complex nature of the OOTS system, an initial manual process might be necessary to verify the accuracy of data retrieved via OOTS. Over time, these verifications could be automated, enhancing the efficiency of cross-border administrative tasks.
While exploring these possibilities, it's vital to approach the potential applications of the OOTS with a view toward understanding its capabilities, rather than prescribing specific recommendations. Continuing research and analysis will be essential to fully grasp how this technology can be best utilized for streamlined cross-border activities, particularly with respect to PoAs and assignments. The observations here aim to open discussions around the evolution of these systems and their role in facilitating easier, more effective cross-border transactions and administrative processes.

Proposals: European Health Data Space (EHDS) and Upgrading Digital Company Law (UDCL)

EHDS
Regarding i) Primary use of data

Natural persons will have a variety of rights regarding the primary use of their personal electronic health data. These rights include e.g. access to their personal electronic health data processed in the context of primary use of electronic health data, or the right to receive an electronic copy, cf. (EU) COM/2022/197 art. 3. All these rights may be possible to invoke by the use of PoAs.
When health professionals are processing data in an electronic format, they shall e.g. have access to the electronic health data of natural persons under their treatment (regardless of the Member State of affiliation/treatment) and ensure that the data of the person they treat are fully updated, cf. art. 4. The Commission shall, by implementing acts, set the technical specifications for the European electronic health record exchange format, cf. art. 6.

Regarding ii) Secondary use of data

The proposal lists a variety of minimum categories for the secondary use of electronic data, e.g. reusing health data for research, innovation or policy making and regulatory activities. Data holders shall make electronic data available, such as EHRs (electronic health records), data impacting on health, relevant pathogen genomic data, person generated electronic health data or electronic health data from clinical trials, cf. art. 33.
Additionally, the proposal lists a variety of purposes for which electronic health data can be processed. These include producing national, multi-national and Union level official statistics related to the health/care sectors, education or teaching activities in the health/care sector, and scientific research related to the health/care sectors, cf. art. 34.
Prohibited secondary uses of electronic health data include advertising or marketing activities towards health professionals, organizations in health or natural persons, and giving access to health data to third parties not mentioned in the data permit, cf. art. 35.

UDCL
Regarding i) Information about companies

Member States must ensure compulsory disclosure by companies listed in Annex IIB (list of partnerships in the Member States) of at least documents and information such as the name of the partnership, the legal form of the partnership and the registration number of the partnership, cf. (EU) COM (2003)177 art. 14a. These rules may aid with ensuring sufficient identification when using PoAs in corporate relations, e.g. agreements involving at least one company.
The directive introduces an obligation for Member States to ensure that the ultimate parent company governed by the law of a Member State discloses where it is registered and at least information such as the name and legal form of each subsidiary, cf. art. 14b.
Information about companies that are listed in Annex II and IIB is to be stored in registers referred to in article 16 and kept up to date, cf. art. 15.

Regarding ii) Digital EU PoA

Member States must ensure that, when carrying out procedures in another Member State, companies listed in Annex II and IIB may use a standard model of the digital EU PoA to authorize a person to represent the company, cf. art. 16c.
The digital EU PoA shall be drawn up and revoked in accordance with national legislation and other formal requirements. The requirements must at least include the verification of identity, legal capacity and authority to represent the company of the assignor.
Additionally, the digital EU PoA must be compatible with EUDIW.