How does the Digital Omnibus affect digital identity and trust services?
The Digital Omnibus is a proposal from the Commission designed to simplify and align Europe’s digital rules. Rather than creating an entirely new legal regime, it acts as a horizontal amendment that updates existing frameworks — including GDPR, NIS2 and others.[1]
Although the eIDAS Regulation is not explicitly listed within the scope of the Digital Omnibus, the proposal still affects the digital identity framework and introduces several targeted changes to the eIDAS Regulation. This article highlights these updates.
A clearer legal basis for using biometric verification
One of the changes in the Digital Omnibus is an amendment to Article 9 of GDPR. It introduces a new exception allowing the processing of biometric data for identity verification, provided that the biometric data or the means for verification remain under the sole control of the data subject. This exception applies only to one-to-one verification (authentication); biometric identification (one-to-many search in a database) remains restricted. In practice, this reflects a broader shift in EU digital law towards distinguishing biometric verification from biometric identification. A similar distinction can be observed in the AI Act.
This approach is also consistent with the design principles of the European Digital Identity Wallets (EUDIW). Recital 5 of the amended eIDAS Regulation emphasises that the EUDIW should ensure a high level of user control over identity data. Where biometric verification is performed locally on the user’s device, or in a way that preserves the user’s exclusive control over biometric templates or cryptographic keys, such setups may meet the “sole control of the data subject” condition.
For context, the European Data Protection Supervisor has repeatedly warned about the risks associated with biometric processing, especially when it comes to biometric identification.[2] Even in areas closer to one-to-one verification, supervisory authorities have been cautious. For example, in Czechia, the data protection authority sanctioned the use of biometric electronic signatures because the processing did not meet GDPR principles.[3]
These examples show that, although the Digital Omnibus introduces a clearer legal basis for biometric verification, it should not be understood as a broad relaxation of the rules on biometrics. The exception is narrow, applies only under strict conditions, and biometric processing will continue to be subject to high regulatory oversight.
Why this matters:
Clearer rules for biometric verification.
Strict limits on biometric processing remain in place.
Incident reporting for eIDAS entities
The Digital Omnibus amends Articles 19a, 24 and 45a of the eIDAS Regulation to require that all incident notifications from TSPs, QTSPs and EUDI Wallet providers be submitted through the NIS2 single-entry point to be developed by ENISA. These changes are introduced in Article 7 of the proposal.
By extending the NIS2 notification mechanism to eIDAS, the proposal aims to establish a more consistent and coordinated reporting structure across the EU (applicable also for GDPR or DORA). For TSPs, QTSPs and EUDI Wallet providers, this should result in more predictable and streamlined incident handling — nationally and across borders — while also increasing expectations regarding standardisation, reporting quality and timeliness.
Why this matters:
One unified channel can simplify notification obligations.
Amendment to Article 5a of eIDAS
As part of the broader legislative package presented alongside the Digital Omnibus, the Commission also introduced a proposal for the European Business Wallet Regulation.[4] The European Business Wallet is intended to serve as the primary digital identity for legal persons (economic operators) when accessing public and private services. In this connection, the regulation amends Article 5a of the eIDAS Regulation. The changes are introduced in Article 20. The proposed new wording of Article 5a(1) of the eIDAS Regulation is the following:
.
Why this matters:
The proposal introduces the European Business Wallet for economic operators.
Conclusion
Although eIDAS is not formally within the scope of the Digital Omnibus, the legislative package still proposes several changes that directly affect digital identity and trust services. It is important to keep in mind that these are Commission proposals at an early stage. The legislative process will now continue, and further adjustments may arise during negotiations.
[1] Digital Omnibus proposal, available at: https://digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal.
[2] EDPB, Opinion 11/2024 on the use of facial recognition to streamline airport pre-boarding checks adopted 17 April 2024. Available at: https://www.edpb.europa.eu/our-work-tools/our-documents/opinion-board-art-64/opinion-112024-use-facial-recognition-streamline_en
[3] Czech DPA (ÚOOÚ), Decision on the use of biometric electronic signatures, issued as Decision No. UOOU-09654/18-10. Available at: https://uoou.gov.cz/media/poskytnute-informace/1932021/24-uoou-0965418-10.pdf
[4] Business Wallet proposal, available at: https://digital-strategy.ec.europa.eu/en/library/proposal-regulation-establishment-european-business-wallets