PURPOSE: to strengthen the security standards applicable to identity cards and to residence documents issued by Member States to Union citizens and their family members respectively.

LEGISLATIVE ACT: Regulation (EU) 2019/1157 of the European Parliament and of the Council on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement.

CONTENT: the Regulation strengthens the security standards applicable to identity cards issued by Member States to their nationals and to residence documents issued by Member States to Union citizens and their family members when exercising their right to free movement.

This Regulation does not require Member States to introduce identity cards or residence documents where they are not provided for under national law, nor does it affect the competence of the Member States to issue, under national law, other residence documents which fall outside the scope of Union law, for example residence cards issued to all residents on the territory regardless of their nationality.

This Regulation does not prevent Member States from accepting, in a non-discriminatory manner, documents other than travel documents, for identification purposes, such as driving licences.

Security standards/format/specifications

Under the proposed new rules, identity cards shall be produced in a uniform credit card format (ID-1), have a machine-readable zone (MRZ) and comply with the minimum security standards set by ICAO (International Civil Aviation Organisation). The designation of a person's gender shall be optional.

The identity card shall contain, on the front side, the two-letter country code of the Member State issuing the card, printed in negative in a blue rectangle and encircled by 12 yellow stars. It shall include a highly secure storage medium which shall contain a facial image of the holder of the card and two fingerprints in interoperable digital formats.

Children under the age of 12 years may be exempt from the requirement to give fingerprints whereas children under the age of 6 years shall be exempt from this.

When necessary and proportionate to the aim to be achieved, Member States may enter such details and observations for national use as may be required in accordance with national law.

Period of validity

Identity cards shall have a minimum period of validity of five years and a maximum period of validity of ten years. Member States may provide for a period of validity of less than five years, for identity cards issued to minors; in exceptional cases, less than five years, for identity cards issued to persons in special and limited circumstances and where their period of validity is limited in compliance with Union and national law; more than 10 years, for identity cards issued to persons aged 70 and above.

Member States shall issue an identity card having a validity of 12 months or less where it is temporarily physically impossible to take fingerprints of any of the fingers of the applicant.

Phasing out of old cards

Identity cards which do not meet the requirements shall cease to be valid at their expiry or by ten years after the date of application of this Regulation, whichever is earlier.

Identity cards which do not meet the minimum security standards or which do not include a functional MRZ shall cease to be valid at their expiry or by five years after the date of application of this Regulation, whichever is earlier.

Identity cards of persons aged 70 and above, which meet the minimum security standards and which have a functional MRZ shall cease to be valid at their expiry.

Residence cards

The rules also specify the minimum information to be indicated on the residence documents issued to Union citizens and harmonise the format and other characteristics of residence cards issued to family members of Union citizens who are not nationals of a Member State.

Collection of biometric identifiers

The biometric identifiers shall be collected solely by qualified and duly authorised staff designated by the authorities responsible for issuing identity cards or residence cards, for the purpose of being integrated into the highly secure storage medium.

With a view to ensuring the consistency of biometric identifiers with the identity of the applicant, the applicant shall appear in person at least once during the issuance process for each application.

Data protection guarantees

The new rules include data protection safeguards. In particular, national authorities shall ensure the security of the contactless chip and the data stored on it, so that it cannot be hacked or accessed without permission.

Without prejudice to the General Data Protection Regulation (EU Regulation 2016/679), Member States shall ensure the security, integrity, authenticity and confidentiality of data collected and stored for the purposes of the Regulation.

ENTRY INTO FORCE: 1.8.2019.

APPLICATION: from 2.8.2021.

The European Parliament adopted by 335 votes to 269, with 21 abstentions, a legislative resolution on the proposal for a Regulation of the European Parliament and of the Council on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement.

The European Parliament’s position adopted at first reading under the ordinary legislative procedure amended the Commission proposal as follows:

Security standards/format/specifications

Under the proposed new rules, identity cards shall be produced in a uniform credit card format (ID-1), have a machine-readable zone (MRZ) and comply with the minimum security standards set by ICAO (International Civil Aviation Organisation). The designation of a person's gender shall be optional.

The identity card shall contain, on the front side, the two-letter country code of the Member State issuing the card, printed in negative in a blue rectangle and encircled by 12 yellow stars. It shall include a highly secure storage medium which shall contain a facial image of the holder of the card and two fingerprints in interoperable digital formats. For the capture of biometric identifiers, Member States shall apply the technical specifications as established by Commission Decision C(2018) 7767 .

Children under the age of 12 years may be exempt from the requirement to give fingerprints whereas children under the age of 6 years shall be exempt from this.

When necessary and proportionate to the aim to be achieved, Member States may enter such details and observations for national use as may be required in accordance with national law.

Period of validity

Identity cards shall have a minimum period of validity of five years and a maximum period of validity of ten years. Member States may provide for a period of validity of less than five years, for identity cards issued to minors and more than 10 years, for identity cards issued to persons aged 70 and above.

Member States shall issue an identity card having a validity of 12 months or less where it is temporarily physically impossible to take fingerprints of any of the fingers of the applicant.

Phasing out of old cards

Identity cards which do not meet the requirements shall cease to be valid at their expiry or by ten years after the date of application of this Regulation], whichever is earlier.

Identity cards which do not meet the minimum security standards or which do not include a functional MRZ shall cease to be valid at their expiry or by five years after the date of application of this Regulation, whichever is earlier.

Identity cards of persons aged 70 and above, which meet the minimum security standards and which have a functional MRZ shall cease to be valid at their expiry.

Collection of biometric identifiers

The biometric identifiers shall be collected solely by qualified and duly authorised staff designated by the authorities responsible for issuing identity cards or residence cards, for the purpose of being integrated into the highly secure storage medium.

With a view to ensuring the consistency of biometric identifiers with the identity of the applicant, the applicant shall appear in person at least once during the issuance process for each application.

Member States shall ensure that appropriate and effective procedures for the collection of biometric identifiers are in place and that those procedures comply with the rights and principles set out in the Charter, the Convention for the Protection of Human Rights and Fundamental Freedoms and the United Nations Convention on the Rights of the Child.

Without prejudice to Regulation (EU) 2016/679, Member States shall ensure the security, integrity, authenticity and confidentiality of the data collected and stored for the purpose of this Regulation.

The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Gérard DEPREZ (ALDE, BE) on the proposal for a Regulation of the European Parliament and of the Council on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement.

The committee recommended that the European Parliament's position adopted at first reading under the ordinary legislative procedure should amend the Commission's proposal.

Subject matter : the proposed Regulation seeks to strengthen the security standards applicable to identity cards issued by Member States to their nationals and to residence documents issued by Member States to Union citizens and their family members in order to facilitate the exercise of their right to freedom of movement within the European Union.

Security standards/format/specifications : national identity cards issued by Member States to citizens of the Union shall be recognised as such by all Member States. Such cards shall function as both identity and travel documents and be recognised as such by all Member States.

Where Member States issue identity cards having a validity period of more than 3 months, these shall be produced in ID-1 format, contain a functional machine-readable zone (MRZ) and shall comply with the minimum standards laid down in the template set out in Annex I to this Regulation. Additional technical specifications shall be established in accordance with international standards, including in particular the recommendations of the International Civil Aviation Organization (ICAO).

The cards shall be made entirely of polycarbonate or an equivalent synthetic polymer with a background colour of blue and contain the EU flag .

Cards shall include a highly secure storage medium which shall contain a facial image of the holder of the card taken live by the relevant authority in the Member State and, in the event a Member State so decides, may also contain a subset of the characteristics, namely minutiae or patterns, extracted from two fingerprints taken flat in interoperable formats.

Period of validity : identity cards should shall have a period of validity of ten years . Identity cards issued to minors may have a period of validity of five years . Where it is temporarily impossible to take fingerprints or a facial image, identity cards shall have a maximum period of validity of 3 months.

Member States may provide for a period of validity of more than 10 years for identity cards issued to persons over 75 years of age.

In the event a Member State decides to take fingerprints, children under the age of 12 years may be exempt from the requirement to give fingerprints. Children under the age of 6 years shall be exempt from the requirement to give fingerprints.

Phasing out : the amended text stated that phasing out previous formats of ID cards shall be done within eight years; cards that are not machine-readable and thus less secure shall be phased out within five years.

Collection of biometric identifiers : the biometric identifiers shall be collected solely by qualified and duly authorised staff designated by the national authorities responsible for issuing identity cards or residence permit, for the sole purpose of being integrated into the highly secure storage medium.

Opinion of the European Data Protection Supervisor on the proposal for a Regulation strengthening the security of identity cards of Union citizens and other documents.

The EDPS supports the objective of the European Commission to enhance the security standards applicable to identity cards and residence documents, thus contributing to security of the Union as a whole. At the same time, the EDPS considers that the proposal does not sufficiently justify the need to process two types of biometric data (facial image and fingerprints) in this context, while the stated purposes could be achieved by a less intrusive approach.

The fact that the proposal shall potentially subject 85 % of EU population to mandatory fingerprinting requirement, combined with the very sensitive data processed (facial images in combination with fingerprints) calls for close scrutiny according to a strict necessity test. In addition, the introduction of security features that may be considered appropriate for passports to identity cards cannot be done automatically, but requires a reflection and a thorough analysis.

The EDPS considers that the impact assessment accompanying the proposal cannot be considered as sufficient for the purposes of compliance with Article 35(10) of the General Data Protection Regulation (GDPR). Therefore, the EDPS recommends reassessing the necessity and the proportionality of the processing of biometric data (facial image in combination with fingerprints) in this context.

In addition, the EDPS recommends:

- adding to the proposal a provision explicitly stating that biometric data processed in its context must be deleted immediately after their inclusion on the chip and may not be further processed for purposes other than those explicitly set out in the proposal;

- restricting the biometric data used to only one (e. g. facial image) as the proposal does not justify the need to store two types of biometric data for the purposes considered;

- limiting the fingerprint data stored on the documents chip to minutiae or patterns, a subset of the characteristics extracted from the fingerprint image;

- setting the age limit for collecting children's fingerprints under the proposal at 14 years, in line with other instruments of EU law.

PURPOSE: to strengthen the security standards applicable to identity cards and to residence documents issued by Member States to Union citizens and their family members respectively.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: the European Parliament decides in accordance with the ordinary legislative procedure on an equal footing with the Council.

BACKGROUND: of twenty-six EU Member States that issue identity cards to their nationals, identity card ownership is compulsory in 15 Member States. Such cards can be used by EU citizens as travel documents, both when travelling within the EU and also to enter the EU from non-EU countries. Moreover, Member States have agreements with a number of third countries allowing EU citizens to travel using their national identity cards.

In line with Directive 2004/38/EC, mobile citizens and their family members, who are not nationals of a Member State, also receive documents proving their residence in their host Member State. While these residence documents are not travel documents, residence cards for those family members of mobile EU citizens, who themselves are not nationals of a Member State, used together with a passport grant the holder the right to enter the EU without a visa when they accompany or join an EU citizen.

Forgery of documents or false representation of material facts concerning the conditions attached to the right of residence have been identified as the most relevant case of fraud in the context of the Directive.

Against this background, it is crucial that the EU and especially the Member States intensify efforts to improve the security of documents issued to EU citizens and their third-country national family members. This is a key element in the fight against terrorism and organised crime and building genuine Security Union.

This proposal for a Regulation is part of the action plan of December 2016 to strengthen the European response to travel document fraud, in the context of recent terrorist attacks in Europe. Council conclusions subsequently endorsed the objectives of that action plan.

IMPACT ASSESSMENT: the impact assessment considered a number of options for identity cards and residence documents compared with the status quo. The preferred option involves setting minimum security standards for identity cards and minimum common requirements for residence documents issued to EU citizens, and to ensure the use of the common uniform format for residence permits for third-country nationals who are family members of EU citizens.

CONTENT: the proposal for a regulation aims at strengthening the security of: (a) identification cards of EU citizens, (b) registration certificates issued to Union citizens residing for more than three months in a host Member State and (c) residence cards issued to family members of Union citizens who are not nationals of a Member State. The main points are as follows:

General requirements : these include minimum security features that national identity cards must meet. They draw on the specifications in ICAO document 9303. These ICAO specifications are common to machine-readable travel documents and ensure global interoperability when these documents are verified using visual inspection and machine-readable means.

Making biometric data mandatory for those countries with ID cards : EU citizens' ID cards (for those older than 12 years) and non-EU family members' residence cards will now include biometric data, namely fingerprints and facial images, stored on a chip in the cards. This will be accompanied with stronger safeguards on who can access the biometrics.

Phasing out period : the proposal provides for a five-year phasing out period of previous formats, except for cards that are not machine-readable, which will have to be phased out within two years from the date of application of the Regulation. These phasing out periods allow the EU and its Member States to fill the existing security gap for identity cards as quickly as possible, while also taking into account interoperability requirements if identity cards do not meet the standards set in ICAO document 9303 part 3 on machine readability.

Common provisions are set out for the three types of documents. In addition, Member States must designate contact points for the implementation of the Regulation. The Commission, for its part, will establish a detailed programme for monitoring the outputs, results and impacts of the regulation.

Lastly, the proposal sets out the data protection framework and specifies data protection safeguards.