-
1.1. Scope
1.2. Background
1.3. Goal of the EUCC attestation
1.4. Key words
1.5. Terminology -
5.1. Trust requirements on the EUCC attestation from the perspective of company registration offices as authentic sources for the EUCC
5.2. Trust a signature or seal over a EUCC
5.3. EUCC Provider Trusted List
5.4. SD-JWT-compliant
Disclaimer: This document is a draft and needs to be commented on and completed to be published as EWC WP3 T3.2.3 deliverable. The definitions (part 1.5) have been generated by AI and are only a base for Business Registries to discuss with their legal departments which terminology is the most suitable in our context.
This document is the EU Company Certificate Data (referred to as EUCC) Rulebook. It contains requirements specific to the EUCC and its issuance process. This EUCC Rulebook covers the following topics: background of EUCC, a reference to EUCC attributes, a reference to the generic EUCC issuance and verification process, and Trust Infrastructure details.
Topic 10/23 in the ARF 1.4 specifies that attestation must be issued in the [SD-JWT VC] format, among others. This rulebook supports the [SD-JWT VC] requirements.
The need for an EUCC is explained in the EU Company Law (EU) 2023/0089: "companies should be able to prove that their company is legally incorporated in a Member State through simple and reliable means, which are recognized cross-border by other Member States. Therefore, a harmonised EU Company Certificate should be established."
In this Directive proposal, the mandatory and optional data elements are listed. Thanks to the work of Business Registers participating in EWC, we were able to adapt this attributes list to the data availability in the registries and the reality of national usages and requirements.
The EUCC attestation will be used by companies in the EWC pilots, and some modifications to this rulebook might be made.
The goal of the EUCC attestation is to have a common standard for European legal entities to exchange instead of their actual national extract when doing business or in public administrative processes. Today, national extracts are shared by legal entities and translated by certified service providers. This attestation allows companies to share, with a high level of security, information about their companies. This is also a way for relying parties to ensure that they only verify one standard attestation, which allows machine automation and simplifies human comprehension.
This document uses the capitalized key words 'SHALL', 'SHOULD', and 'MAY' as specified in [RFC 2119], i.e., to indicate requirements, recommendations, and options specified in this document.
In addition, 'must' (non-capitalized) is used to indicate an external constraint, i.e., a requirement that is not mandated by this document, but, for instance, by an external document. The word 'can' indicates a capability, whereas other words, such as 'will', and 'is' or 'are' are intended as statements of fact.
This document uses terminology specified in Regulation (EU) 2024/1183.
In addition to the attributes definition necessary to understand the data schema, it’s important to understand:
- Natural person: an individual human being who has legal rights and obligations. Unlike a legal person (which refers to an organization or entity), a natural person is a human with the capacity to engage in legal relationships, enter into contracts, own property, and be subject to legal actions. Natural persons are distinct from artificial entities (like corporations or governments). In legal terms, a natural person is someone who exists as a human being, as opposed to a corporate or fictional entity.
- Legal person: an entity that has legal rights and obligations, similar to a natural person (an individual). It is an organization or group recognized by law as having the capacity to enter into contracts, sue, and be sued, and own property. Legal persons are distinct from the individuals who may own, manage, or be part of them. Examples of legal persons include Corporations, Government agencies, public entities (that are granted legal recognition to act on behalf of the state), Nonprofit organizations A legal person exists as a separate legal entity, meaning it can perform legal actions in its own name, distinct from the actions of its members.
- Legal entity: an organization or structure that is recognized by law as having legal rights and responsibilities distinct from those of its members or owners. A legal entity can enter into contracts, own property, incur debts, and be held liable for legal actions in its own name. Legal entities include various forms of organizations such as Corporations, Limited liability companies (LLCs), Nonprofit organizations, Partnerships The key characteristic of a legal entity is that it has its own legal existence, allowing it to perform actions independently of the individuals who are involved with it.
- Legal representative: Natural or legal person authorized to act on behalf of another person or organization in legal matters. This person has the legal authority to represent the interests of the entity, such as a company, in dealings with other parties, including signing contracts, making decisions, and appearing in legal proceedings. For businesses, a legal representative can be a director, officer, or another person designated by the company’s governing body (like the board of directors) to represent the company in legal matters. In the case of individuals, a legal representative might include a guardian, power of attorney holder, or someone with similar legal authority to act on behalf of the person.
- Signatory rights: the authority or power granted to an individual or entity to legally bind an organization or company by signing contracts, agreements, or other formal documents. This authority can be granted to a specific person, such as an executive, director, or authorized representative, and can be either individual (where one person alone can sign) or joint (where multiple individuals are required to sign together). Signatory rights are important because they ensure that any commitments made by the organization are legally valid and enforceable. The terms and scope of signatory rights are usually outlined in the organization's internal governance documents, such as its bylaws, and can vary based on the level of responsibility and the nature of the agreements being signed.
The Regulation specifies who is able to issue the EUCC to companies: “Companies could apply for such an EU Company Certificate, with national business registers or through the system of interconnection of registers […] Such an EU Company Certificate should be issued and certified by the national business registers.”
To comply with the Regulation, only Business Registries are allowed to be the authentic source of the EUCC attestation, and they can decide to use a Pub-EAAs provider to issue it on their behalf.
In the EWC context, a generic attestation issuance process has been described by wallet providers in the pilots. Those controls and generic steps are described in RFC-001.
While different business registries have national processes, there is an agreement that the EUCC attestation can only be requested by companies having a valid LPID in their wallet. Therefore, this attestation can only be issued to an EUDI valid organizational wallet.
In the EWC context, a generic attestation verification process has been described by wallet providers in the pilots. Those controls and generic steps are described in RFC-002.
EWC participating Business Registries don’t impose any data or attributes specific verification at this stage of the pilot; it is up to the Relying Party needs and requirements in the business or administrative process to decide.
EUCC attributes have been decided together by business registries in the EWC pilot in accordance with the EU Company Law proposal.
This table contains the name of the attribute, its description, and whether the attribute is required or not.
| Property Name | Description | Required |
|---|---|---|
| legal_person | Information regarding the legal entity, including name, ID, legal form, etc. | Yes |
| legal_person_name | Official current legal entity name as registered in the business register. | Yes |
| legal_person_id | Unique ID for the legal entity in the EUID structure. | Yes |
| legal_form_type | Legal form of the company. | Yes |
| registration_member_state | The member state where the company is registered (Alpha-2 country code according to ISO 3166-1). | Yes |
| registered_address | The official address of the company. | Yes |
| care_of | Used when the address is at the address of another person or legal entity. | No |
| full_address | Complete address of the company, written as a string, separated by semicolons. | Yes |
| thorough_fare | The name of a passage or way through from one location to another. | No |
| locator_designator | A number or sequence of characters that uniquely identifies the locator within the relevant scope. | No |
| post_code | The code created and maintained for postal purposes to identify a subdivision of addresses and postal delivery points. | No |
| post_name | A name created and maintained for postal purposes to identify a subdivision of addresses and postal delivery points. | No |
| post_office_box | A location designator for a postal delivery point at a post office, usually a number. | No |
| locator_name | Proper noun(s) applied to the real-world entity identified by the locator. | No |
| admin_unit_level_1 | The uppermost administrative unit for the address, almost always a country. | No |
| admin_unit_level_2 | The name of a secondary level/region of the address, typically a county, state, or other area that encompasses localities. | No |
| registration_date | Date of company registration. | Yes |
| share_capital | Amount of the subscribed capital with currency. | No |
| legal_entity_status | Status of the company as defined in national law and recorded in the national register. | Yes |
| legal_entity_activity | Main activity or activities of the company, expressed using the NACE (Statistical Classification of Economic Activities). | Yes |
| legal_entity_duration | Duration of the company, if limited. | No |
| contact_point | Correspondence address of the company, such as email or postal address (full or partial). | No |
| contact_email | Details of the company email address. | No |
| contact_telephone | Details of the company phone number. | No |
| contact_page | Details of the company website. | No |
| legal_representative | Information about the person(s) authorized to represent the company, either individually or jointly. | Yes |
| legal_representative.natural_person | Details about the natural person representing the company. | No |
| full_name | Full name of the natural person representing the company. | Yes |
| date_of_birth | Date of birth of the natural person representing the company. | Yes |
| nationality | Nationality of the natural person representing the company. | No |
| signatory_rule | Information on whether the representative can engage the company alone or jointly. | Yes |
| legal_representative.legal_person | Details about the legal person representing the company. | No |
| legal_person_name | Official current legal person name as registered in the business register. | Yes |
| legal_person_id | Unique ID for the legal entity in the EUID structure. | Yes |
| legal_form_type | Legal form of the legal person representing the company. | Yes |
The EUCC schema is available in the EWC schemas and rulebooks repository: EUCC data schema.
Note: The EUCC attestation metadata are aligned with the LPID. The necessary information about those can be found in the LPID Rulebook.
This document defines the following attributes related to the registered address of the EUCC holder:
- full_address
- care_of
- thorough_fare
- locator_designator
- post_code
- post_name
- post_office_box
- locator_name
- admin_unit_level_1
- admin_unit_level_2
The detailed attributes allow the EUCC attestation to represent the granularity of the elements describing a registered address as defined in the EU Core Business Vocabulary..
This document defines the following attributes related to the legal representation of a company. This list of attributes allows EUCC issuers to use either or both list in order to describe a legal representative who is a natural person or a legal person.
Attributes to define a natural person holding a legal representative right:
- full_name
- date_of_birth
- nationality
- signatory_rule
Attributes to define a legal person holding a legal representative right:
- legal_person_name
- legal_person_id
- legal_form_type
- signatory_rule
It is the responsibility of Business Registries to include as many legal_representative objects as present in their registry.
There is no minimum number of optional attributes for the EUCC. Each Business Registry will have the responsibility to fill in the attributes when registered in their national registry.
In this chapter, trust requirements and general considerations regarding the EUCC attestation itself are described.
5.1 Trust requirements on the EUCC attestation from the perspective of company registration offices as authentic sources for the EUCC
In the ARF 1.4, the following information for Pub-EAAs and QEAAs Providers is given.
Pub-EAAs and QEAAs Providers are trusted entities responsible to:
- Verify the identity of the EUDI Wallet User in compliance with LoA high requirements.
- Issue attestations to the EUDI Wallet in a harmonized common format.
- Make available information for Relying Parties to verify the validity of the attestation.
The EUCC SHALL contain the qualified electronic signature or qualified electronic seal of the issuing body and adhere to the legal requirements defined in Annex VII of the Regulation (EU) 2024/1183.
The EUCC SHALL follow the SD-JWT format.
It SHALL not be possible to log into company registers solely with the EUCC, since procedures legally require an individual person to act.
EUCC Issuers SHALL follow the EUCC requirements and trust mechanisms defined by Authentic Sources on a national level. Authentic Sources that are company registration offices need to accept each other's PUB-EAA attestations according to the regulation. Therefore, common legal trust mechanisms need to be established ifor the trust ecosystem to be trustworthy:
- The EUCC unique identifier SHALL be unique and agreed upon on EU and EES level.
- There SHALL be one common schema for the EUCC which is accepted by all company registries offices.
- Only mandatory metadata and attributes SHALL be present in the EUCC attestations.
- The EUCC SHALL be in a machine-readable format defined in the ARF during its whole lifecycle.
- The EUCC SHALL be in a format that can scale to additional/new legal forms.
- The EUCC SHALL apply for all legal persons.
- The issuer of the EUCC SHALL be responsible for its revocation.
To trust a signature or seal over an EUCC, the Relying Party needs a mechanism to validate that the public key it uses to verify that signature or seal is trusted. OpenID4VP provides such mechanisms. However, additional details need to be analyzed to fully specify these mechanisms for EUCCs within the EUDI Wallet ecosystem and the trust anchor for it. It is assumed that this will be part of a detailed specification from a standardization authority.
For authenticating EUCCs, trust anchors will be used that are present in an EUCC issuer Provider Trusted List.
EUCC is fully compliant with [OpenID4VP] and [SD-JWT VC].
- RFC-001: Issue Verifiable Credential
- RFC-002: Present Verifiable Credentials
- SD-JWT VC: SD-JWT VC Specification
- OpenID4VP: OpenID4VP Specification