Annexes to COM(2023)538 - Report pursuant to Regulation 2019/1157 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2023)538 - Report pursuant to Regulation 2019/1157 on strengthening the security of identity cards of Union citizens and of residence ...
document COM(2023)538
date September 20, 2023
Annex to Regulation (EC) No 1030/200216 as amended by Regulation (EU) 2017/195417, with certain limitations due to Frontex technical capabilities18. Frontex examined the latest models of identity cards issued by Member States.

Except for the Greek identity card (see Section 2.4.2), all identity cards analysed were found to be compliant with the Regulation for those parts that Frontex was able to check. Nevertheless, Frontex identified the following issues regarding some other identity cards19:

- some of the examined identity cards did not meet minimum portrait size requirements;

- some of the examined identity cards did not contain all security features to protect against photo substitution;

- some of the examined identity cards contain deviations from the general layout specifications established by ICAO (e.g. information is indicated in a different zone).

The Commission is in contact with the Member States whose identity cards are concerned by Frontex’ findings.

Based on its analyses, Frontex made the following operational remarks:

- “Rainbow printing, being a special printing method, increases robustness of offset printing and facilitates checks at the front line. The gradual merge of the colours should be identifiable and distinguishable.

- “[The] requirement for the size for the portrait is relevant for facilitating identity checks and detecting document frauds such as impostor fraud and portrait overprinting, two types of fraud have that have been among the most common types of document/identity fraud in recent years. Therefore, a larger size of the holder portrait is crucial to identity and document authenticity checks. In cases where the portrait is the only biographical identifiers available to support an identity check, the portrait size becomes even more significant.

- “The introduction of an additional portrait of a holder is a measure to increase ID cards’ robustness against photo substitution and make it more resistant to portrait manipulations. The additional portrait shall be of sufficient quality to ensure comparison with the main portrait and shall be easily verifiable at the front line.



2. Other aspects linked to the technical implementation regarding identity cards

As allowed by Article 3(3) of the Regulation, two Member States use, instead of ‘identity card’, another well-established national designation in the official language20. Five Member States include braille text on the card21.

13 Member States currently make use of the possibility provided by Article 3(9) of the Regulation to incorporate a dual interface or a separate storage medium. In accordance with Article 3(10) of the Regulation, 14 Member States store data for electronic services such as e-government and e-business in their identity cards, in a way that is physically or logically separated from the biometric data stored in the chip of the card.



3. Collection of biometric identifiers

Pursuant to the first subparagraph of Article 3(7) of the Regulation, Member States may decide to exempt children between the age of 6 to 12 years from the requirement to give fingerprints when issuing their identity cards22. Currently, 19 Member States make use of this possibility. Member States have also put in place various measures for the collection of biometric identifiers in relation to the specific needs of children and of vulnerable persons, such as dedicated handbooks or opening hours23.

In their answers to the Commission’s questionnaire, only few Member States reported difficulties with the collection of biometric identifiers, mainly linked to the quality of the facial image or the fingerprints captured. 22 Member States use or are exploring the use of mobile registration devices for the issuance of identity cards to persons incapable of visiting the authorities responsible for issuing such cards24. 12 Member States collect the facial image by means of live enrolment, although some of those also accept that the applicant provides a photograph instead.



4. Document fraud

Most Member States report that they continue being confronted with cases of fraudulent identity cards and residence documents issued in accordance with the Regulation. However, it is not possible to provide a detailed overview of the situation relevant to the Regulation, as Member States do not specifically monitor the number of reported imposters (both lookalike25 fraud and fraudsters in general26) using identity cards or residence documents issued in accordance with the requirements of the Regulation, or the number of people who self-report being victims of identity theft. In the five Member States that provided the number of reported imposters since the entry into application of the Regulation, numbers varied between 22 and 57 reported fraudulent documents.



5. Reporting obligation under the Regulation

The sections below summarise different reporting obligations provided for by the Regulation. The Commission continue its contacts with the Member States that have not yet provided information pursuant to the different provisions.




1. Reporting pursuant to Article 9

Pursuant to Article 9 of the Regulation, Member States are to designate at least one central authority as a contact point for the implementation of the Regulation and to communicate the name of that authority to the Commission and other Member States.

By June 2023, 19 Member States communicated that name to the Commission.




2. Reporting pursuant to Article 11(7)

Pursuant to Article 11(7) of the Regulation, Member States are to maintain a list of the competent authorities with access to the biometric data stored on the storage medium in identity cards and to communicate such lists to the Commission once a year. The Commission is to publish online a compilation of such national lists.

By June 2023, 22 Member States communicated the list of their competent authorities to the Commission, which the Commission has made publicly available27.




3. Reporting pursuant to Article 14(3)

Pursuant to Article 14(3) of the Regulation, Member States are to designate responsible bodies for printing identity cards and residence cards of family members of EU citizens and to communicate the names of such bodies to the Commission and other Member States.

By June 2023, 22 Member States communicated the responsible bodies for printing the documents under the Regulation to the Commission.



6. Number of documents issued in a format compliant with the Regulation

By April 2023, Member States reported having issued more than 53 million identity cards, almost 900 000 residence documents for EU citizens and more than 950 000 residence cards for third-country nationals who are family members of EU citizens in a format compliant with the Regulation.


2. Phasing-out periods for identity cards and residence cards for family members who are not nationals of a Member State

1. Identity cards

Article 5 of the Regulation provides that identity cards that do not meet the requirements set out in the Regulation cease to be valid at their expiry or by 3 August 2031, whichever is earlier. Identity cards that do not meet certain minimum security standards or which do not include a functional machine-readable zone cease to be valid at their expiry or by 3 August 2026.

In the replies to the questionnaire, ten Member States indicated that the 10-year phasing-out period applies to their previously issued identity cards, five Member States indicated that the 5-year phasing-out period applies to their previously issued identity cards and seven Member States indicated the applicability of both periods due to different formats currently in circulation.



2. Residence cards for family members who are not nationals of a Member State

Article 8 of the Regulation provides that residence cards that do not meet the requirements set out in the Regulation will cease to be valid at their expiry or by 3 August 2026 (5-year phasing-out period), whichever is earlier. Residence cards that do not meet certain minimum security standards or which do not include a functional machine-readable zone will cease to be valid at their expiry or by 3 August 2023 (2-year phasing-out period), whichever is earlier.

In their replies to the questionnaire, 11 Member States indicated that the 5-year phasing-out period applies to their previously issued residence cards, six Member States indicated that the 2-year phasing-out period applies to their previously issued residence cards and six Member States indicated the applicability of both periods due to different formats currently in circulation.


3. Protection of fundamental rights and personal data

1. Freedom of movement and of residence

The Regulation positively affects the fundamental right of freedom of movement and of residence under Article 45 of the Charter of Fundamental Rights of the European Union (the ‘Charter’) by addressing difficulties of security and recognition of both identity cards and residence documents. Through the inclusion of biometric data (facial image and two fingerprints), documents issued in accordance with the Regulation allow for a more reliable verification of the document and a better identification of individuals.

Since the start of the issuance of identity cards in a format that complies with the requirements of the Regulation, Member States have not reported on any issues that their nationals would experience with the acceptance of such documents in other Member States.

In most Member States, the fees for the issuance of the documents covered by the Regulation did not increase following its entry into application. Where the fees did increase, the increase was reported to be minor and in line with the costs of the improved security features of the documents.



2. Respect for private life and protection of personal data

Limitations to the right to privacy and personal data (Articles 7 and 8 of the Charter) must be provided for by law, respect the essence of those rights and be proportionate to the attainment of a legitimate objective28. In this context, the Regulation provides for processing of personal data of the holder of the document, including biometric data. The storage of a facial image and two fingerprints on identity and residence cards, as already provided for in respect of biometric passports29 and residence permits for third-country nationals30, represents an appropriate combination of reliable identification and authentication with a reduced risk of fraud, for the purpose of strengthening the security of identity and residence cards31.

Amendments to the Commission proposal introduced by the European Parliament and the Council during the legislative process added the possibility to store such biometric data on residence documents issued to EU citizens32. According to the information provided by Member States in the questionnaire, 13 Member States currently include a secure storage medium with the biometric identifiers of the holder (facial image and possibly two fingerprints) in residence documents issued to EU citizens.

As far as the justification of the processing of the biometric data is concerned, it must be noted that it is provided for by law, namely Article 3(5) of the Regulation. That limitation to the right to privacy and personal data satisfies an objective of general interest, namely the prevention of falsification and document fraud, which is increased by a lack of homogeneity regarding the formats and security features of national identity cards prior to the entry into application of the Regulation. Preventing falsification and fraud promotes the acceptance of identity cards in Member States other than the one issuing them, facilitating the right of free movement of EU citizens33. The risk of fraud must be taken seriously, in particular by means of falsified identity cards or abuse of rights34.

Article 3(5) is the subject of two ongoing preliminary reference procedures (see Section 2.4.3). As regards the suitability of the storage of biometric data in identity cards, the Court has already recognised that the storage of fingerprints on a highly secure storage medium could reduce the risk of counterfeiting of passports and facilitate the work of the authorities responsible for verifying the authenticity of such documents35. According to Advocate General Medina, this also applies to the use of identity cards in connection with the exercise of free movement36.

The Court has already examined the proportionality of the acceptance and storage of fingerprints. It found that this process is neither intimate in nature, since the two fingerprints are characteristics that can be seen by others, nor does it cause particular physical or mental inconvenience to the person concerned37. In addition, the Court found no indication that the recording of fingerprints and the taking of the facial image would result in a more serious interference with those rights because they were carried out at the same time38. It further concluded that there does not exist an equally suitable but less intrusive method, as compared to the taking and storage of fingerprints, for achieving, in a similarly effective manner, the aim of the Regulation39.

Finally, the Regulation provides for enhanced guarantees for the collection and storage of fingerprints40. Regulation (EU) 2016/679 of the European Parliament and of the Council41 applies with regard to processing of personal data, including biometric data, in the context of the application of the Regulation. As a rule, Member States must check the facial image, and fingerprints may only be checked in case of doubt. Fingerprints may only be taken by qualified and duly authorised personnel and checked by duly authorised staff and only where required by law. In addition, biometric data stored for the purpose of personalising identity cards or residence documents must be kept in a highly secure manner and only until the document is collected. Moreover, Recital 21 states explicitly that the Regulation cannot constitute a legal basis for the establishment or maintenance of databases of biometric data at national or European level.

Since the date of application of the Regulation, the Commission has not been made aware of any successful attacks or breaches of the secured storage medium included in the documents covered.

In Landeshauptstadt Wiesbaden, Advocate General Medina concluded that the Regulation and in particular Article 3(5) thereof does not constitute an unjustified limitation of Articles 7 and 8 of the Charter42.


4. Other information on the implementation of the Regulation

1. Impact of the COVID-19 pandemic

The date of application of the Regulation, 2 August 2021, took place during the COVID-19 pandemic. In view of that fact, the Commission had sought feedback from the Member States as to the impact of the pandemic on the relevant preparations of the Member States in March 2021. In their replies, seven Member States proposed to consider postponing the date of application of the Regulation.

Based on the feedback received, the Commission informed the Member States in July 202143 that it had decided not to propose to postpone the entry into application of the Regulation in order not to jeopardise the planned rollout of Member States that were ready to issue documents compliant with the requirements of the Regulation by 2 August 2021.

The Commission suggested that those Member States that had indicated potential delays take mitigating measures to make sure that the validity period indicated on the document duly corresponds to the phasing-out periods established by Articles 5 and 8 of the Regulation (see Section 2.2).

This would mean, for example, that non-compliant identity cards issued after 2 August 2021 and covered by the longer phasing-out period should indicate 3 August 2031 at the latest as their validity end date, even if a Member State normally issues such identity cards with a validity period of 10 years. Otherwise, the identity cards concerned would cease to be valid by operation of Article 5 of the Regulation while still appearing to be valid due to a later date indicated on the document. Similarly, non-compliant identity cards issued after 2 August 2021 and covered by the shorter phasing-out period should indicate 3 August 2026 at the latest, as their validity end date.

At the same time, the Commission strongly encouraged all Member States to ensure that they issued documents compliant with the Regulation as of its entry into application.

In terms of mitigating measures, the Member States concerned indicated that they had limited the validity of the documents concerned and/or notified the holders accordingly.



2. Infringement procedures opened by the Commission

On 14 July 2023, the Commission opened infringement procedures against Bulgaria, Greece and Portugal for failing to implement the Regulation44. The infringement procedures concern failures by those Member States to issue documents covered by the scope of the Regulation in a format that complies with its requirements.

In the case of Bulgaria, this concerns the failure to issue compliant identity cards, residence documents of EU citizens and residence cards for family members of EU citizens who are not nationals of a Member State.

In the case of Greece, this concerns the failure to issue compliant identity cards.

In the case of Portugal, this concerns the failure to issue compliant identity cards and residence documents of EU citizens.



3. Court cases with relevance for the Regulation

Since its entry into application, there have been two requests for preliminary rulings concerning the Regulation, and in particular the legality of the inclusion of fingerprints in the identity cards. Both cases are currently pending.

The first pending request for a preliminary ruling, Landeshauptstadt Wiesbaden45, concerns the validity of Article 3(5) of the Regulation, which provides that identity cards issued by Member States are to be equipped with a highly secure storage medium with the holder’s facial image and two fingerprints in interoperable formats.

The referring national court asked whether Article 21(2) TFEU is the correct legal basis for the Regulation, whether the obligation to take fingerprints complies with the fundamental rights to respect private life and data protection, and whether the alleged lack of a data protection impact assessment can have an impact on the validity of Article 3(5) of the Regulation.

In her Opinion of 29 June 202346, Advocate General Medina concluded that the Regulation had been correctly adopted on the basis of Article 21(2) TFEU with a view to facilitating the exercise of the right of EU citizens to move and reside freely within the Member States. In that regard, the Advocate General pointed out that that right allows EU citizens to immerse themselves in the daily life of the other residents of the host Member State. National identity cards thus display the same functions as they do for those residents, which entails that only a reliable and authentic proof of identity facilitates full enjoyment of free movement.

Advocate General Medina also considered that Article 3(5) does not constitute an unjustified limitation of Articles 7 and 8 of the Charter (see also Section 2.3.2). Finally, the Advocate General took the view that the European Parliament and the Council had not been obliged to conduct an impact assessment during the legislative process leading to adoption of the Regulation.

The second pending request for a preliminary ruling, Kinderrechtencoalitie Vlaanderen and Liga voor Mensenrechten47, concerns Article 3(5) and (6) and Article 14 of the Regulation, and their compatibility with, among others, the right to privacy and personal data and the right to free movement. No Opinion has been published in this case yet.



4. Information received from citizens

Since the entry into application of the Regulation, the Commission has received a number of complaints and letters from citizens concerning the documents covered by the Regulation. Most of that correspondence concerned issues unrelated to the implementation the Regulation, notably national administrative procedures linked to the issuance of identity cards and residence documents in the Member States and delays in these procedures. The letters and complaints concerning the implementation of the Regulation mainly concerned the mandatory inclusion of fingerprints (in this context, see Section 2.3.2).



5. Other relevant developments

1. Digitalisation of travel documents and travel facilitation

On 2 June 2021, the Commission adopted a Communication on a strategy towards a fully functioning and resilient Schengen area48. The strategy noted that once global travel recovers from the COVID-19 pandemic, strong increases in passenger flows can be expected. This will give a new impetus to the digitalisation process that already started before the pandemic and will require innovative ways to facilitate and accelerate border controls at international ports of entry. Digital documentation is both more efficient and secure. The Commission announced that, following an in-depth assessment and the necessary consultations, it intends to present a proposal for a Regulation on digitalisation of travel documents and facilitation of travel.

By introducing digital travel documents for EU citizens, the Commission aims to facilitate travel across external borders, to relieve pressure and bottlenecks at border-crossing points and to shorten waiting times as well as increase the security and efficiency of border checks. It also aims to facilitate the exercise of free movement for EU citizens and their family members.

A standard for digital travel documents (so-called Digital Travel Credentials) has been established by ICAO, as done historically for the physical ePassport document and the electronic data contained in its chip49. Digital Travel Credentials can be derived from an existing passport or identity card. Travellers would have a copy of the data stored on the storage medium of the physical travel document replicated into an application hosted on a device, such as a mobile phone (fingerprints not included). Travellers would be able to send travel information up-front, giving authorities the time to filter the information and speed up any applicable border checks.

The Commission is currently carrying out the evidence-gathering and assessments necessary for the preparation of such a proposal.



2. European Digital Identity

On 3 June 2021, the Commission proposed a framework for a European Digital Identity50, which will be available to EU citizens, residents, and businesses to identify themselves online and offline for public and private services. The proposed Regulation seeks to establish a secure framework where citizens can link their national digital identities with digital attributes and credentials that will enable them to replace a variety of physical cards and passes thus simplifying their everyday lives.

The proposal for a European Digital Identity, currently under negotiations, is aligned with the objectives of the Regulation. Identity cards issued in accordance with the requirements of the Regulation contain secure information in a storage medium that can be used by Member States to securely identify a person, allowing it to be used to create a European Digital Identity. Member States can also make use of the secure storage medium of the identity cards issued under the Regulation to equip the cards with eID functionality.

On 29 June 2023, the European Parliament and the Council reached a provisional political agreement on the key elements of the proposal51.

3. Conclusion

The right to free movement is an EU citizenship right particularly cherished by EU citizens, and secure and reliable identity cards and residence documents play a crucial role in avoiding obstacles to the exercise of this right. The possibility for EU citizens to travel within the EU without a passport and using only an identity card is one of the concrete benefits of the right of free movement. In addition, the visa-exempting nature of residence cards issued to family members who are not nationals of a Member State facilitates family life with the EU citizen they accompany. To ensure that these benefits are not abused by malign actors, a high level of security for such documents remains necessary.

The Commission will continue monitoring the implementation of the Regulation in line with its role as guardian of the treaties.


1 OJ L 188, 12.7.2019, p. 67.

2 On 17 March 2023, the Joint Committee of the European Economic Area adopted Decision No 50/2023 incorporating the Regulation into the Agreement on the European Economic Area. The decision will be binding on Iceland, Liechtenstein and Norway after the fulfilment of constitutional requirements.

3Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of Member States (OJ L 158, 30.4.2004, p. 77).

4Article 4(3) of the Free Movement Directive.

5 Article 4(1) of the Free Movement Directive.

6 Article 5(1) of the Free Movement Directive.

7 Article 8(3) of the Free Movement Directive.

8 Denmark and Ireland do not issue identity cards.

9Article 8(1) and (2) of the Free Movement Directive.

10Article 10(1) of the Free Movement Directive.

11Article 19(1) of the Free Movement Directive.

12Article 20(1) of the Free Movement Directive.

13Article 5(2) of the Free Movement Directive.

14Pursuant to Article 7(1) of the Regulation, Member States are to use, for residence cards, the same format as established by Regulation (EC) No 1030/2002 as amended by Regulation (EU) 2017/1954. Given the use of an established format, the Commission did not request Frontex to carry out a similar assessment as for identity cards. In addition, no technical assessment was requested regarding residence documents issued to EU citizens, given that Article 6 of the Regulation does not provide for specific security features regarding such documents.

15 ICAO Doc 9303, Machine Readable Travel Documents, Eighth Edition, 2021.

16 Council Regulation (EC) No 1030/2002 of 13 June 2002 laying down a uniform format for residence permits for third-country nationals (OJ L 157, 15.6.2002, p. 1).

17 Regulation (EU) 2017/1954 of the European Parliament and of the Council of 25 October 2017 amending Council Regulation (EC) No 1030/2002 (OJ L 286, 1.11.2017, p. 9).

18 In particular, compliance of the storage medium was out of the scope of the check carried out by Frontex.

19 For reasons of security, the Commission does not disclose which identity cards are affected.

20Czechia (občanský průkaz) and Portugal (Cartão de Cidadão).

21See Recital 35 of the Regulation.

22 Children under the age of 6 years are exempt from the requirement to give fingerprints.

23 See Recital 27 of the Regulation.

24 See Recital 35 of the Regulation.

25 Using someone else’s valid document.

26 Someone who uses a counterfeit or forged cards.

27 https://commission.europa.eu/strategy-and-policy/policies/justice-and-fundamental-rights/eu-citizenship/movement-and-residence_en

28For example, judgment of 20 March 2018, Menci, C-524/15, EU:C:2018:197, paragraph 41.

29Article 1(2) of Council Regulation (EC) No 2252/2004.

30Article 4a of Council Regulation (EC) No 1030/2002 of 13 June 2002 laying down a uniform format for residence permits for third-country nationals (OJ L 157, 15.6.2002, p. 1).

31Recital 18 of the Regulation.

32Second subparagraph of Article 6 of the Regulation.

33 Opinion of 29 June 2023, Landeshauptstadt Wiesbaden, C‑61/22, EU:C:2023:520, paragraph 75.

34Article 35 of Free Movement Directive allows for restrictions to the law to freedom of movement in cases of fraud and abuse of rights.

35Judgment of 17 October 2013, Schwarz, C-291/12, EU:C:2013:670, paragraph 41.

36 Opinion of 29 June 2023, Landeshauptstadt Wiesbaden, C‑61/22, EU:C:2023:520, paragraph 82.

37Judgment of 17 October 2013, Schwarz, C-291/12, EU:C:2013:670, paragraph 48; see also the judgment of 3 October 2019, Staatssecretaris van Justitie en Veiligheid v A and Others, C-70/18, EU:C:2019:823, paragraph 58 and opinion of 29 June 2023, Landeshauptstadt Wiesbaden, C‑61/22, EU:C:2023:520, paragraph 79.

38Judgment of 17 October 2013, Schwarz, C-291/12, EU:C:2013:670, paragraph 50. See also Opinion of 29 June 2023, Landeshauptstadt Wiesbaden, C‑61/22, EU:C:2023:520, paragraph 89.

39 Judgment of 17 October 2013, Schwarz, C-291/12, EU:C:2013:670, paragraph 51. See also Opinion of 29 June 2023, Landeshauptstadt Wiesbaden, C‑61/22, EU:C:2023:520, paragraph 95.

40See Articles 10 and 11 of the Regulation and Recitals 19 to 22 and 40 and Opinion of 29 June 2023, Landeshauptstadt Wiesbaden, C‑61/22, EU:C:2023:520, paragraphs 98-103.

41 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

42 Opinion of 29 June 2023, Landeshauptstadt Wiesbaden, C‑61/22, EU:C:2023:520, paragraph 108.

43 Ares(2021)4724281.

44 https://ec.europa.eu/commission/presscorner/detail/en/inf_23_3445

45 Case C-61/22.

46 Opinion of 29 June 2023, Landeshauptstadt Wiesbaden, C‑61/22, EU:C:2023:520.

47 Case C-280/22.

48 COM(2021) 277 final.

49 Guiding Core Principles for the Development of Digital Travel Credential (DTC), available at: https://www.icao.int/Security/FAL/TRIP/PublishingImages/Pages/Publications/Guiding%20core%20principles%20for%20the%20development%20of%20a%20Digital%20Travel%20Credential%20%20%28DTC%29.PDF

50 Proposal for a Regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity (COM (2021) 281 final).

51 https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3556

EN EN