IDEMIA France
Le Groupe IDEMIA permet de payer, de se connecter, de sécuriser les accès, de s’identifier, de voyager et de protéger les espaces publics de manière plus simple et plus sûre.
ID: 444020250248-87
Lobbying Activity
Response to Digital package – digital omnibus
10 Oct 2025
As a premium provider of trusted AI solutions globally, IDEMIA supports the European Commissions initiative to seek simplification in the implementation of the AI Act. With full implementation of the Act scheduled for in less than a year, industry needs consistent application of the rules throughout the EU and legal clarity, in particular when it comes to high-risk AI systems. IDEMIA understands that with the Digital Omnibus, the Commission seeks in part to ensure the optimal application of the AI Act, and provide legal predictability aligned with the availability of all the necessary support and enforcement structures. In addition, IDEMIA understands that the Digital Omnibus seeks to facilitate the much needed smooth interplay between the AI Act and other legislation. In order to meet these objectives, the European Commission should take into account the following elements: 1) The possible impact of the late adoption of harmonized standards on the overall implementation of the AI Act 2) The need to determine an adequate criteria to categorize entities which could benefit from alternative measures as part of the implementation process 3) The consistent implementation of the AI Act across Member States 4) The EUs ability to evaluate and benchmark AI solutions developed in Europe 5) The interplay between the AI Act and the GDPR See attachment for our analysis and propositions on those five elements.
Read full responseMeeting with Alexandra Cupsan-Catalin (Cabinet of Executive Vice-President Henna Virkkunen)
26 Sept 2025 · Implementation of the AI act in relation to law enforcement
Response to Qualified electronic attestation of attributes under the EDIF
2 Jan 2025
Dear all, Please find in the attached document the comments from IDEMIA on this implementing regulation. Regards
Read full responseResponse to Security breaches of European Digital Identity Wallets
2 Jan 2025
Dear all, Please find in the attached document the comments from IDEMIA on this implementing regulation. Regards
Read full responseResponse to Registration of relying parties of European Digital Identity Wallets
2 Jan 2025
Dear all, Please find in the attached document the comments from IDEMIA on this implementing regulation. Regards
Read full responseResponse to List of certified European Digital Identity Wallets
2 Jan 2025
Dear all, Please find in the attached document the comments from IDEMIA on this implementing regulation. Regards
Read full responseResponse to Cross-border identity matching under the European Digital Identity Framework
2 Jan 2025
Dear all, Please find in the attached document the comments from IDEMIA on this implementing regulation. Regards
Read full responseResponse to Functionalities and integrity of European Digital Identity Wallets
9 Sept 2024
IDEMIA very much welcomes these five draft Implementing Regulations of the eIDAS regulation. They will be instrumental for the large deployment and successful uptake of the digital identity wallet throughout Europe. IDEMIA would like however to share some comments on these five draft Implementing Regulations. The present document, accompanied by the detailed list of comments (classified per Implementing Regulations and articles), is the IDEMIAs feedback on the five draft Implementing Regulations. Legal definitions Some legal definitions seem incomplete or may create confusion, as they miss key aspects. Some others raise questions which should be clarified. For examples (but not limitative): the proposed definition of Wallet User if retained - will have very important impacts on the wallet ecosystem, by forbidding representation of person (legal person and natural person). We therefore suggest to remove it the proposed definition of wallet unit attestation seems to not include one technical structure which is instrumental for the operation of a wallet unit. This definition should therefore be updated, and the related provisions should be modified accordingly The criteria of the Level of Assurance (LoA) The criteria of the Level of Assurance (LoA) which should be considered for enrolling user shall not be limited to enrolment, but shall also include the Electronic identification means management and Management and organization which are also relevant when enrolling (on-boarding) a user. This should be duly considered in the Implementing Regulations. In addition, it shall be indicated that these criteria shall be the one applicable for the Level of Assurance (LoA) High. Currently, the Implementing Regulations do not indicate that the Level of Assurance (LoA) which shall be targeted. Trust model When referring to the security properties which should be met, the draft Implementing Regulations seem to either miss some key security properties (e.g. authentication of relying party), or not define clearly which security properties are expected (e.g. secure channel). The draft Implementing regulations should be reviewed accordingly to bring clarity on these aspects. In addition, the Implementing Regulations only require the wallet to authenticate and validate the wallet relying party access certificates of wallet relying parties, including providers of person identification data or providers of electronic attestations of attributes. According to us, this is not sufficient to ensure a high level of security of trust. We therefore suggest to also require the wallet to authenticate at least providers of person identification data or providers of electronic attestations of attributes. Certification The draft Implementing Regulation dealing with the certification raises several questions which should be clarified: Scope of national certification scheme: o does it apply to products, to processes or both? o does it apply to (1) wallet solution only, or (2) the wallet solution and the electronic identification scheme under which the wallet solution is provided? A clear interplay with the Cyber Resilience Act (CRA) is missing, creating confusion and possibly leading to supplemental burden for conformity National security certification scheme should require WSCD to be security certified in accordance with the EUCC scheme or the SOG-IS recognition agreement at least at level EAL4+AVA_VAN.5 for all the cryptographic and security functions which are used by the wallet unit. Alternative approach for certification if needed should be limited to well identified cases (type of WSCD...), with well identified methodology, and the same level of security should be demonstrated It is unclear whether the WSCA should be evaluated under the national certification scheme We suggest that WSCA be security certified in accordance with the EUCC scheme or the SOG-IS recognition agreement at least at level EAL4+AVA_VAN.5
Read full response9 Sept 2024
IDEMIA very much welcomes these five draft Implementing Regulations of the eIDAS regulation. They will be instrumental for the large deployment and successful uptake of the digital identity wallet throughout Europe. IDEMIA would like however to share some comments on these five draft Implementing Regulations. The present document, accompanied by the detailed list of comments (classified per Implementing Regulations and articles), is the IDEMIAs feedback on the five draft Implementing Regulations. Legal definitions Some legal definitions seem incomplete or may create confusion, as they miss key aspects. Some others raise questions which should be clarified. For examples (but not limitative): the proposed definition of Wallet User if retained - will have very important impacts on the wallet ecosystem, by forbidding representation of person (legal person and natural person). We therefore suggest to remove it the proposed definition of wallet unit attestation seems to not include one technical structure which is instrumental for the operation of a wallet unit. This definition should therefore be updated, and the related provisions should be modified accordingly The criteria of the Level of Assurance (LoA) The criteria of the Level of Assurance (LoA) which should be considered for enrolling user shall not be limited to enrolment, but shall also include the Electronic identification means management and Management and organization which are also relevant when enrolling (on-boarding) a user. This should be duly considered in the Implementing Regulations. In addition, it shall be indicated that these criteria shall be the one applicable for the Level of Assurance (LoA) High. Currently, the Implementing Regulations do not indicate that the Level of Assurance (LoA) which shall be targeted. Trust model When referring to the security properties which should be met, the draft Implementing Regulations seem to either miss some key security properties (e.g. authentication of relying party), or not define clearly which security properties are expected (e.g. secure channel). The draft Implementing regulations should be reviewed accordingly to bring clarity on these aspects. In addition, the Implementing Regulations only require the wallet to authenticate and validate the wallet relying party access certificates of wallet relying parties, including providers of person identification data or providers of electronic attestations of attributes. According to us, this is not sufficient to ensure a high level of security of trust. We therefore suggest to also require the wallet to authenticate at least providers of person identification data or providers of electronic attestations of attributes. Certification The draft Implementing Regulation dealing with the certification raises several questions which should be clarified: Scope of national certification scheme: o does it apply to products, to processes or both? o does it apply to (1) wallet solution only, or (2) the wallet solution and the electronic identification scheme under which the wallet solution is provided? A clear interplay with the Cyber Resilience Act (CRA) is missing, creating confusion and possibly leading to supplemental burden for conformity National security certification scheme should require WSCD to be security certified in accordance with the EUCC scheme or the SOG-IS recognition agreement at least at level EAL4+AVA_VAN.5 for all the cryptographic and security functions which are used by the wallet unit. Alternative approach for certification if needed should be limited to well identified cases (type of WSCD...), with well identified methodology, and the same level of security should be demonstrated It is unclear whether the WSCA should be evaluated under the national certification scheme We suggest that WSCA be security certified in accordance with the EUCC scheme or the SOG-IS recognition agreement at least at level EAL4+AVA_VAN.5
Read full responseResponse to Protocols and interfaces to be supported by the European Digital Identity Wallets
9 Sept 2024
IDEMIA very much welcomes these five draft Implementing Regulations of the eIDAS regulation. They will be instrumental for the large deployment and successful uptake of the digital identity wallet throughout Europe. IDEMIA would like however to share some comments on these five draft Implementing Regulations. The present document, accompanied by the detailed list of comments (classified per Implementing Regulations and articles), is the IDEMIAs feedback on the five draft Implementing Regulations. Legal definitions Some legal definitions seem incomplete or may create confusion, as they miss key aspects. Some others raise questions which should be clarified. For examples (but not limitative): the proposed definition of Wallet User if retained - will have very important impacts on the wallet ecosystem, by forbidding representation of person (legal person and natural person). We therefore suggest to remove it the proposed definition of wallet unit attestation seems to not include one technical structure which is instrumental for the operation of a wallet unit. This definition should therefore be updated, and the related provisions should be modified accordingly The criteria of the Level of Assurance (LoA) The criteria of the Level of Assurance (LoA) which should be considered for enrolling user shall not be limited to enrolment, but shall also include the Electronic identification means management and Management and organization which are also relevant when enrolling (on-boarding) a user. This should be duly considered in the Implementing Regulations. In addition, it shall be indicated that these criteria shall be the one applicable for the Level of Assurance (LoA) High. Currently, the Implementing Regulations do not indicate that the Level of Assurance (LoA) which shall be targeted. Trust model When referring to the security properties which should be met, the draft Implementing Regulations seem to either miss some key security properties (e.g. authentication of relying party), or not define clearly which security properties are expected (e.g. secure channel). The draft Implementing regulations should be reviewed accordingly to bring clarity on these aspects. In addition, the Implementing Regulations only require the wallet to authenticate and validate the wallet relying party access certificates of wallet relying parties, including providers of person identification data or providers of electronic attestations of attributes. According to us, this is not sufficient to ensure a high level of security of trust. We therefore suggest to also require the wallet to authenticate at least providers of person identification data or providers of electronic attestations of attributes. Certification The draft Implementing Regulation dealing with the certification raises several questions which should be clarified: Scope of national certification scheme: o does it apply to products, to processes or both? o does it apply to (1) wallet solution only, or (2) the wallet solution and the electronic identification scheme under which the wallet solution is provided? A clear interplay with the Cyber Resilience Act (CRA) is missing, creating confusion and possibly leading to supplemental burden for conformity National security certification scheme should require WSCD to be security certified in accordance with the EUCC scheme or the SOG-IS recognition agreement at least at level EAL4+AVA_VAN.5 for all the cryptographic and security functions which are used by the wallet unit. Alternative approach for certification if needed should be limited to well identified cases (type of WSCD...), with well identified methodology, and the same level of security should be demonstrated It is unclear whether the WSCA should be evaluated under the national certification scheme We suggest that WSCA be security certified in accordance with the EUCC scheme or the SOG-IS recognition agreement at least at level EAL4+AVA_VAN.5
Read full responseResponse to Trust framework
9 Sept 2024
IDEMIA very much welcomes these five draft Implementing Regulations of the eIDAS regulation. They will be instrumental for the large deployment and successful uptake of the digital identity wallet throughout Europe. IDEMIA would like however to share some comments on these five draft Implementing Regulations. The present document, accompanied by the detailed list of comments (classified per Implementing Regulations and articles), is the IDEMIAs feedback on the five draft Implementing Regulations. Legal definitions Some legal definitions seem incomplete or may create confusion, as they miss key aspects. Some others raise questions which should be clarified. For examples (but not limitative): the proposed definition of Wallet User if retained - will have very important impacts on the wallet ecosystem, by forbidding representation of person (legal person and natural person). We therefore suggest to remove it the proposed definition of wallet unit attestation seems to not include one technical structure which is instrumental for the operation of a wallet unit. This definition should therefore be updated, and the related provisions should be modified accordingly The criteria of the Level of Assurance (LoA) The criteria of the Level of Assurance (LoA) which should be considered for enrolling user shall not be limited to enrolment, but shall also include the Electronic identification means management and Management and organization which are also relevant when enrolling (on-boarding) a user. This should be duly considered in the Implementing Regulations. In addition, it shall be indicated that these criteria shall be the one applicable for the Level of Assurance (LoA) High. Currently, the Implementing Regulations do not indicate that the Level of Assurance (LoA) which shall be targeted. Trust model When referring to the security properties which should be met, the draft Implementing Regulations seem to either miss some key security properties (e.g. authentication of relying party), or not define clearly which security properties are expected (e.g. secure channel). The draft Implementing regulations should be reviewed accordingly to bring clarity on these aspects. In addition, the Implementing Regulations only require the wallet to authenticate and validate the wallet relying party access certificates of wallet relying parties, including providers of person identification data or providers of electronic attestations of attributes. According to us, this is not sufficient to ensure a high level of security of trust. We therefore suggest to also require the wallet to authenticate at least providers of person identification data or providers of electronic attestations of attributes. Certification The draft Implementing Regulation dealing with the certification raises several questions which should be clarified: Scope of national certification scheme: o does it apply to products, to processes or both? o does it apply to (1) wallet solution only, or (2) the wallet solution and the electronic identification scheme under which the wallet solution is provided? A clear interplay with the Cyber Resilience Act (CRA) is missing, creating confusion and possibly leading to supplemental burden for conformity National security certification scheme should require WSCD to be security certified in accordance with the EUCC scheme or the SOG-IS recognition agreement at least at level EAL4+AVA_VAN.5 for all the cryptographic and security functions which are used by the wallet unit. Alternative approach for certification if needed should be limited to well identified cases (type of WSCD...), with well identified methodology, and the same level of security should be demonstrated It is unclear whether the WSCA should be evaluated under the national certification scheme We suggest that WSCA be security certified in accordance with the EUCC scheme or the SOG-IS recognition agreement at least at level EAL4+AVA_VAN.5
Read full responseResponse to Standard Essential Patents
8 Aug 2023
IDEMIA very much welcomes this proposal of regulation which will harmonize conditions upon which standard essential patents (SEP) may be exploited within EU (and EEA) and provide enhanced transparency and legal security for all stakeholders using standards for business. Therefore, it will foster the single market. This text brings very positive aspects such as: -Mechanism to clarify whether a patent is essential to a standard, and to which extent; -Organize transparency regarding standard essential patents by providing strong incentive to make public all necessary information; -Mechanism to determine FRAND terms and conditions, before initiating any court proceeding; In addition, IDEMIA would like to raise the following concerns (included in the attaches document)
Read full responseResponse to Compulsory licensing of patents
31 Jul 2023
IDEMIA very much welcomes this proposal of regulation, which provides for harmonized rules for the compulsory licensing of patents in case of crisis. IDEMIA believes it will ensure a better resilience of the EU and the single market in case of crisis by ensuring swift and efficient mitigation measures are put in place. However, IDEMIA has some concerns about this proposal it would like to share. Concerns about Additional measures Recital 32, as well as article 14(2) indicate that the Commission should be entitled to take additional measures complementing the Union compulsory licence to ensure it achieves its objective as well as to facilitate and ensure the good collaboration between the rights-holder and the licensee. Unfortunately, the scope of additional measures is undefined, and thus may appear as a carte blanche which could be used to require absolutely anything from the rights-holder. This risk is even strengthened by the purposes for such additional measures which are very broad, especially to facilitate and ensure the good collaboration between the rights-holder and the licensee, which could be interpreted in a very large manner. In order to protect the rights and assets of the rights-holder, it is absolutely necessary to provide a clear definition of additional measures, as well as a clear description of the scope of additional measures. Moreover, this scope should abide by the two following principles: (1) proportionality and (2) restriction to the minimum necessary to tackle the crisis. In addition, the provisions of article 14(2) regarding the additional measures could imply in some cases to transfer to the licensee some critical assets, such as (1) industrial inputs, (2) industrial machines, (3) technology or (4) know-how. Yet, Member States laws about technology transfer, sensitive technologies or protection of national technological estate may limit the transfer of such assets. Therefore, the proposal of regulation should clearly highlight this fact, and reaffirm that the provisions of article 14(2) may only be exercised in the limit of Member States laws about technology transfer, sensitive technologies or protection of national technological estate. Therefore, IDEMIA would like to make the following recommendations: provide a clear definition of additional measures in article 3, as well as a description of the scope of the additional measures; provide a description of the scope of the additional measures, which should abide by the two following key principles (1) proportionality and (2) restriction to the minimum necessary to tackle the crisis; Complete recital 32 with the following : additional measures shall comply with Member States laws about technology transfer, sensitive technologies or protection of national technological estate; Complete article 2 as follows : This Regulation is without prejudice to the Member States laws about technology transfer, sensitive technologies or protection of national technological estate;
Read full response