

TO THE MINISTRY OF ELECTRONIC GOVERNANCE
For the attention of: Mr Georgi Sharkov, Minister of Electronic Governance
OPINION ON THE DRAFT LAW ON THE EUROPEAN DIGITAL IDENTITY WALLET
FROM
The "BULGARIAN ENTREPRENEURIAL ASSOCIATION" (BESCO)
DEAR MR SHARKOV, DEAR SIRS AND MADAMS,
I hereby submit the opinion of the "Bulgarian Entrepreneurial Association" (BESCO) on the Draft Law on the European Digital Identity Wallet, Consultation No. 12172-K.
The Bulgarian Entrepreneurial Association brings together more than 1,000 companies from dozens of industries. The organisation's core mission is to improve the business environment in Bulgaria through effective policies, the promotion of innovation, and the introduction of modern mechanisms for economic development.
First and foremost, we express our support in principle for the logic of the proposed provisions. It is particularly significant that provision is made for multiple wallet providers, including private ones and not only a State provider. This approach should be preserved and further developed, since it is precisely the ability to choose between different solutions that is a prerequisite for innovation and better quality of services.
In this context, the requirement that the State wallet ensure integration with all qualified trust service providers under equal, transparent, and non-discriminatory conditions is also assessed positively.
Likewise, the use of RegiX as a centralised environment for accessing public-sector data is a sound solution that should be supported, as it creates an effective infrastructure and minimises the administrative burden of numerous bilateral integrations with the various institutions.
Another important element is the establishment of a predictable and swift registration procedure for wallet providers, which is key to the entry of new participants and to avoiding administrative barriers to the market.
The envisaged model for the free use of a qualified electronic signature for non-professional purposes is also consistent with European policy on the accessibility of digital services. This model should, however, be applied in a manner that does not create hidden advantages for particular participants.
It is especially important to emphasise the significance of recognising certificates and conformity assessments issued by bodies in other Member States. Limiting this to purely national certification would create a real barrier to the entry of providers and would jeopardise the practical functioning of the system.
In summary, the draft lays the right foundation, but its success will depend on whether the principles of competition, technological neutrality, and equal access are genuinely guaranteed and not merely formally declared.
Alongside the positive aspects noted above, it should be pointed out that, in its current wording, the draft law also contains a number of issues that require further refinement. Some of the envisaged solutions create a risk of practical inapplicability, technological limitations, or an uneven impact on the participants in the ecosystem. In certain cases, there are also grounds for difficulties in the cross-border use of the wallet or for departure from the principles of technological neutrality and equal treatment. In view of this, the main problematic aspects identified are set out below, together with proposals for addressing them, with a view to achieving a more sustainable, effective framework that is compatible with the European framework.
1. Lack of a compensation mechanism for electronic identification and risk of distorting the competitive environment
The draft law correctly allows for the possibility of having not only a State digital identity wallet but also private ones, i.e. wallets created and maintained by private providers, thereby creating the conditions for consumer choice, which is consistent with the principles of the European digital identity framework. Nevertheless, a risk of imbalance between the various providers is created. In the draft law, a compensation mechanism is provided solely in respect of the activation of free signing with a QES for non-professional purposes, whereas there is no analogous approach for compensating the costs of electronic identification and authentication services provided through private eID schemes (PID providers) and/or private wallets when used for the public sector and/or for the provision of services that by law depend on strong authentication.
This is a significant omission, since it is precisely identification that constitutes the basic functionality on which all other services within the wallet are built. In the absence of a mechanism for compensating the costs of identification/authentication, private providers of eID schemes and wallets will be placed in a less favourable economic position than the State as a wallet provider. This may lead to a situation in which choice formally exists but, in practice, the market consolidates around the State solution owing to its better economic backing. It should also be taken into account that the requirements imposed on identity data providers — including the provision of data in real time and the maintenance of high standards of security and compliance — entail ongoing costs. Without a mechanism to cover them, there is a risk that the participation of private entities will be restricted.
In view of the above, consideration should be given to introducing a balanced, proportionate, and transparent compensation mechanism for electronic identification services as well, at least in cases where they are used for public services or where a high level of authentication is required by law.
In connection with the foregoing, we propose the creation of a new paragraph 10 in Article 5:
(5) The State shall pay private providers of person identification data compensation for each identification carried out for the purposes of the wallet, in accordance with the methodology under Article 4(8).
2. On the compensation model for remote signing with a QES for non-professional purposes
Pursuant to Article 4(6) of the draft law:
"In order to enable the creation of a qualified electronic signature for non-professional purposes through the wallet under Article 4(1), the user shall be issued a single qualified certificate for a qualified electronic signature valid for one year, which allows an unlimited number of signings within its period of validity."
Pursuant to Article 4(7) of the draft law:
"The State shall pay qualified trust service providers integrated into the wallet under Article 4(1) fixed compensation for each qualified certificate issued under paragraph 6, regardless of the number of signings performed with it."
The draft law provides for a mechanism whereby, through the State wallet, the user is issued a single qualified certificate valid for one year, allowing an unlimited number of signings, with the compensation from the State being tied to the issuance of the certificate rather than to its actual use, i.e. the number of signings.
This model, however, does not reflect the current technological solutions used in remote signing. There is currently a shift towards dynamic processes in which, for each specific signing operation, one-time cryptographic keys are generated and short-lived certificates are issued in real time. Such approaches are applied precisely because of the higher requirements for security and personal data protection. Moreover, in Europe there is no technological certification of a smart device whose crypto module is certified as a qualified device for creating qualified electronic signatures such that long-lived qualified certificates for a qualified electronic signature could be issued with the private key stored on such a qualified device.
In this sense, regulating one specific model - based on a long-lived certificate with one-year validity - creates a risk of restricting the possible technological solutions and of non-compliance with the prevailing practices, namely short-lived/one-time certificates and keys adopted for reasons of security and/or confidentiality. Such an approach may prove inapplicable or may require the artificial adaptation of solutions to the regulatory framework.
It should be borne in mind that the European regulatory framework does not impose a specific model for authentication or compensation but leaves it to the Member States to determine an approach that is technologically neutral and economically justified. In this connection, it is appropriate for the national framework to allow for different models of remote signing, including those based on short-lived certificates and a transactional principle.
In connection with the above, we propose:
(7) The State shall pay qualified trust service providers integrated into the wallet under Article 4(1) fixed compensation for each remote-signing activation carried out with the relevant integrated qualified trust service provider.
3. Change of the supervisory authority
The draft law assigns two roles simultaneously to the Minister of Electronic Governance — on the one hand, to create and maintain the State wallet, and on the other, to exercise control over all wallet providers. This creates a risk of a conflict of interest, since one and the same authority supervises its own service, while private providers are also admitted to the market. In such a situation, full equal treatment between participants cannot be guaranteed. We propose that the powers of supervisory authority be assigned to the Communications Regulation Commission, which already supervises trust service providers. Such a change would ensure continuity in the regulatory framework and consistency with the regulatory practice already established in Bulgaria.
4. Amendment of the legal definition of "non-professional purpose"
The Regulation gives Member States the option of determining the scope of the non-professional purposes for which free signing is provided. It is justified for this scope to be limited to cases relating to access to electronic administrative services. Extending it to private-law relationships, including those involving a material interest, would lead to the unjustified subsidisation of private activities at the expense of public resources, which is inconsistent with the objectives of the Regulation.
We propose amending § 1, point 2 of the Additional Provisions as follows:
"non-professional purpose" means the activation of the functionality for remote signing of the EDIW with a qualified electronic signature for the use of electronic administrative services provided by the administrative authorities.
5. Defining identity data providers
The draft lacks a clear definition of which persons may perform the role of identity data providers. It is logical that these should be the providers of notified electronic identification schemes with a "high" level of assurance, which have undergone the verification procedure at European level and are entered in the Official Journal of the European Union. In addition to these, providers under schemes that are not notified but have been verified as part of the cybersecurity certification of a specific wallet should also be admitted. In such cases, a conformity assessment body must have attested that the scheme in question meets the requirement of a "high" level of assurance.
This ensures both compliance with the European framework and the possibility of flexibility and the development of additional solutions within the wallet ecosystem.
It is proposed to create a new point 11 in the Additional Provisions:
6. Other proposals:
With a view to refining the provisions of the draft law, we propose:
6.1. That Article 3(4) be amended as follows:
(4) Providers of European Digital Identity Wallets shall provide natural persons with a free-of-charge option to activate remote signing with a qualified electronic signature when acting for a non-professional purpose.
The provision should be directed at wallet providers, since it is they who build and maintain the wallets and bear the corresponding obligations under the law. The wallet is not in itself a legal entity and cannot be the addressee of obligations. Wallet providers do not issue qualified certificates for electronic signatures and cannot guarantee the signing itself. They merely provide the technical capability to activate remote signing through integration with qualified trust service providers.
6.2. That Article 10(4) be amended as follows:
(4) At the request of wallet users, providers of person identification data shall be obliged to provide wallet providers, in real time and in a machine-readable format, with all of the users' personal data that are necessary for the wallet in accordance with the reference standards.
Under the current wording, the provision is formulated too broadly, creating the impression of an obligation to provide all of the persons' personal data. The provision of data should take place solely upon the express request of the user, expressed through a wallet functionality that attests to their consent. This ensures that only the necessary data are exchanged and that the personal data protection requirements are observed.
6.3. That new points 5 and 6 be created in Article 13(1), as follows:
"5. a list of access certificate providers; 6. a list of registration certificate providers."
It follows from the provisions of the Regulation and from point 3.5 of the EU Architecture Reference Framework that these two types of lists are an essential element of the wallets' infrastructure.
6.4. That Article 11(7) be repealed:
The regime for entering qualified providers of electronic attestations of attributes is regulated at the level of European law and in the Law on Electronic Document and Electronic Trust Services. Although it does not create a conflict, such duplication is unnecessary and creates a risk of future inconsistencies when amendments are made to the applicable legal framework. The provision may therefore be dropped for the sake of better legislative drafting.
7. On the proposed amendments to the Law on Electronic Governance introduced by the Transitional and Final Provisions (TFP) of the draft law
7.1. Repeal of § 3, point 2 of the TFP of the draft law
Identification in the use of electronic administrative services has a function different from the signing of declarations of intent, in respect of which their integrity, authenticity, and legal binding force must be guaranteed. These characteristics are ensured precisely through the electronic signature. Therefore, a rule under which identification is equated with signing should not be introduced by law.
7.2. Repeal of § 3, point 3 of the TFP of the draft law
§ 3, point 3 of the TFP of the draft law proposes an amendment to the Law on Electronic Governance introducing a requirement that electronic signature certificates expressly contain the holder's name and a unique identifier in order to be usable for electronic administrative services. This gives rise to several significant practical and legal questions.
First, the concept of a "unique identifier" in Bulgaria is usually associated with the Unified Civil Number (EGN) or the Personal Number of a Foreigner (LNCh). Under such an interpretation, a real obstacle would be created for citizens of other Member States, who do not have such an identifier, to use their qualified electronic signature to access services in Bulgaria.
Second, the electronic signature certificate itself does not, as a rule, contain all the data necessary for reliable identification in a cross-border context. The European framework for electronic identification requires a minimum set of data, comprising not only a name but also a date of birth and a persistent identifier assigned by the country of origin. For this reason, the electronic signature cannot be regarded as a full substitute for electronic identification, and conflating these two functions may lead to identification errors or to the refusal of services.
In addition, the electronic signature certificate is a static element with a fixed period of validity, whereas modern models of electronic identification, including within the wallet, rely on access to up-to-date data in real time. This is of essential importance, since some identification data may change.
In this context, it should also be taken into account that the European framework places emphasis on the use of the wallet as the primary means of electronic identification, with access to services through it taking place on the user's initiative and the public sector being obliged to accept it. Therefore, the introduction of additional national requirements for electronic signature certificates creates a risk of new barriers to the cross-border use of services and of departure from the objectives of European legislation.
Consequently, we propose the repeal of § 3, point 3 of the Transitional and Final Provisions of the draft law.
We hope that the proposals made will be taken into account.
Yours sincerely:
Alexander Nutsov
Executive Director
Leadership & Advocacy Academy doesn’t only develop individual participants. For BESCO, it is a long-term investment in a stronger ecosystem - building capacity where it matters most: within the organizations, institutions, and communities that shape the public environment.
.png%3F2026-05-02T12%3A49%3A40.449Z&w=2560&q=75)
POSITION of the Association for Innovation, Business Services and Technologies (AIBEST) Regarding Draft Concept for Building a School STEM Environment
4 min read
Read article
In this opinion, BESCO objects to the proposed requirement that insurance contracts be signed mandatorily with a qualified electronic signature (QES), as this raises costs and hinders access to insurance services and duplicates the framework already in place in the LEDETS (Law on Electronic Document and Electronic Trust Services).
4 min read
Read article
The proposal constitutes a substantial departure from the current legal framework. At present, the maximum pecuniary sanction under Article 210b of the Consumer Protection Act is BGN 70,000.
4 min read
Read article