
Seminar on the European Digital Identity Framework – report
On 2 June, the Personal Data Protection Office organised an online seminar entitled "The European Digital Identity Framework (eIDAS2) in practice – new possibilities for identification and authentication in the service of data protection. Benefits and development potential for business and the public sector". The meeting provided an opportunity to highlight the directions set by the European Union regulation in terms of increasing security in the field of electronic identification.
The seminar was opened by Mirosław Wróblewski, President of the Personal Data Protection Office, who pointed out that the full implementation of eIDAS2 is a great opportunity for all areas of everyday activity, whether in the public or private sector. He added: ‘Today, the digital sphere is the most important in terms of providing all kinds of services.’
The President of the Personal Data Protection Office also drew attention to the issue of age verification in eIDAS2, which is important from the Office's point of view, as it concerns the protection of minors' personal data, which is crucial for the current activities of the Personal Data Protection Office.
President Mirosław Wróblewski also thanked the representative of the Ministry of Digital Affairs present at the seminar for her interest in the topics discussed.
The first panel of the meeting focused on the issue of personal data protection in the context of eIDAS2 and on the significance of this legal act itself.
What lies ahead?
Michał Tabor, a member of the management board of the consulting company Obserwatorium.biz, noted in his speech that eIDAS2 is a collection of solutions that we already know, but also includes many new regulations (the legal basis for eIDAS2 is the eIDAS Regulation of 2014), which came into force in May 2024 and are gradually being introduced in Poland. According to the expert, however, the most important moment in the full implementation of eIDAS2 will be the implementation of the European Digital Identity Wallet (December 2026), which can be considered the flagship element of the regulation. An important aspect in the context of eIDAS2 will also be the clarification of the issue of electronic signatures, as some of them are frequently used, but there are also types of signatures that are not readily used, especially in Poland.
As Michał Tabor pointed out, the functional solutions of the European Digital Identity Wallet will probably be based in Poland on solutions already known today from the mObywatel application (by the end of 2027, the European Digital Identity Wallet is also to be introduced for companies).
Tomasz Izydorczyk, member of the Social Team of Experts to the President of the Personal Data Protection Office, presented the issue of identification, authentication and attributes in eIDAS2. He pointed out that the provisions of the European Digital Identity Wallet are consistent with the principle of data minimisation and directly result from Article 20 of the GDPR, which refers to the transfer of data at the request of its owner. This applies in particular to one of the main elements of the European Digital Identity Wallet, namely attributes, i.e. sets of data to which their owner assigns a unique rank (this may be information concerning many areas of life), and it is the owner who decides how to select them when they want to pass them on.
As all participants in the discussion emphasised, it is extremely important that all components of the European Digital Identity Wallet will have to be certified, and everyone who uses such a wallet within the EU will be recognised in the same way.
During the second panel, experts discussed the issue of trust in electronic services.
Digital identity and verification
Barbara Sawina from the Polish Chamber of Information Technology and Telecommunications said in this context that the EU's goal is to provide citizens with a fully trusted digital identity by 2030, which will also lead to digital harmonisation, i.e. reducing the risks and costs associated with the existence of many separate digital solutions similar to the European Digital Identity Wallet.
Krzysztof Król, Deputy Director of the International Cooperation Department at the Personal Data Protection Office, discussed the issue of age verification for the youngest internet users. He explained that, for the benefit of all, more and more regulations are being adopted to restrict access to content for selected age groups. What is more, these restrictions should now be understood – also in relation to eIDAS2 – in a slightly different way: it is important to ensure that the users of websites intended for children are only children (i.e. that only persons of a given age group visit websites for minors). Therefore, it is more appropriate to talk about the concept of age assurance (e.g. checking the number of years of age in various ways for websites with a specific age range, rather than asking for a date of birth selected from a calendar template). In addition, the verification system must be simple for both parties. As pointed out by the Personal Data Protection Office expert, the European Data Protection Board has also adopted a statement on age verification. An additional tool for this procedure may be parental consent (the legal guardian confirms the age of the minor).
In this context, another panellist, Maciej Groń from Dyżurnet – a contact point within the Research and Academic Computer Network (NASK) – elaborated on the topic of online threats to minors and reminded us that today we no longer talk about child pornography, but about content that exploits children.
During the third panel, the participants discussed the elements that make up the trust ecosystem in eIDAS2.
Grzegorz Wójcik from the Autenti platform mentioned such useful features as a time stamp (every document stored in our electronic wallet has its own validity period, and some documents can be updated if necessary and within the framework of regulations) or a data validator (which hides certain data from both parties to an online transaction, based on the principle that more data are generally collected than are shown). It is also important that all trust services in eIDAS2 are to be based on common technical standards, which is particularly important for cross-border data processing operations.
Robert Podpłoński from the National Clearing House once again referred to the issue of data minimisation in relation to electronic certificates provided for in eIDAS2.
During the discussion, Rafał Prabucki from the Social Team of Experts to the President of the Personal Data Protection Office also discussed issues related to consistent electronic organisational solutions and reminded participants that, in addition to eIDAS2 itself, the implementing regulations for this act should also be considered.
Services compliant with GDPR and under control
In the fourth panel, Monika Krasińska, Director of the Law and New Technologies Department at the Personal Data Protection Office, focused on the obligations of controllers and trust service providers in the context of personal data protection. She emphasised that for the implementation of eIDAS2 to be effective, it must include an appropriate framework of national regulations, as the EU has been explaining in its documents for several years that it is very important to ensure full access to digital products for EU citizens, but also to accept that this access is secure and takes risks into account. Therefore, EU citizens should have the right to a digital identity that is a project based on human decision and subject to human control.
In this sense, Director Krasińska noted, it must be explained that eIDAS2 is intended to create economic value while reducing operating costs, and thanks to the new regulations, data controllers also gain a larger area for their activities and gain trust, as do data subjects.
Summing up her speech, the Personal Data Protection Office’s expert emphasised that the European Digital Identity Framework also streamlines the reporting of incidents to supervisory authorities, and thanks to this, among other things, we can say that eIDAS2 maintains personal data protection standards and even raises the bar higher in this regard.
Improving cybersecurity
In his closing speech, Prof. Dariusz Szostek from the University of Silesia recalled the reasons and objectives behind the creation of eIDAS2 and referred to the challenges and opportunities facing EU citizens. He stated that the main objective was to give network users control over their data and, above all, to expand the area of cybersecurity (in Poland, the mObywatel system is a pilot project for this strategy). However, he pointed out the problems that need to be solved. One of them is that only 43% of Poles have basic digital skills.
‘There is also a noticeable problem of poor digital awareness among management staff,’ he added.
Therefore, according to Prof. Szostek, the ultimate challenge will be the final launch of the European Digital Identity Wallet in our country by 24 December 2026, especially since the lack of legislation for digital solutions for public administration seems to pose a serious risk (the process of adapting to new regulations is going better in the business sector, which is naturally faster).
‘In the situation we find ourselves in today, cybersecurity is crucial because we are in the midst of a digital war,’ emphasised Prof. Szostek, concluding: ‘EIDAS2 forces us to think about data component analysis, just as GDPR forced us to think about personal data.’
Video recordings of the seminar are available below (in Polish).