A cover note from the Council of the European Union, dated 10 July 2026, transmits a Commission Delegated Regulation that sets the technical specifications for QR codes on the physical versions of the European Disability Card (EDC) and the European Parking Card for persons with disabilities (EPC). The regulation supplements Directive (EU) 2024/2841 and establishes common security and interoperability standards for the two cards.
The delegated regulation mandates that both cards use QR Code Model 2 (ISO/IEC 18004:2024) with Error Correction Level M (15% redundancy) and a maximum Version 20 (97x97 modules). The EDC QR code measures 26.25mm x 26.25mm, placed on the reverse side bottom-right, with a minimum module size of 0.25mm and a prefix "ED1:MDOC:". The EPC QR code is larger at 37mm x 37mm, on the front side slightly off-centre right towards the bottom, with a minimum module size of 0.35mm and prefix "EP1:MDOC:". Payloads are encoded as CBOR/COSE objects, compressed with zlib/deflate, and signed with a qualified electronic seal (QSeal) using ES256 (ECDSA P-256) and SHA-256.
the EDC includes the holder's name, surname, card serial number, expiry date, and a revocation identifier (RID); the EPC includes card serial number, expiry date, and RID. No optional data is allowed. The RID is a 16-byte (128-bit) value, unique per issuer, not printed on the card, not human-readable, and cryptographically bound to the payload. Revocation lists reference only the RID, never the card serial number. Certificate chains are not embedded in the QR code; verifiers use the x5t thumbprint to locate the QSeal certificate in a locally cached trust store built from Trusted Lists, validated under the eIDAS framework. Cryptographic mechanisms must comply with the Agreed Cryptographic Mechanisms endorsed by the European Cybersecurity Certification Group and published by ENISA.
The regulation impacts several stakeholders. For EU citizens with disabilities, the standardised QR codes enable offline verification of card authenticity across member states, reducing fraud and simplifying cross-border recognition. National authorities issuing the cards must adapt their production systems to meet the precise QR code dimensions, data fields, and cryptographic requirements, incurring implementation costs. Verifiers such as transport operators and service providers benefit from a uniform, secure verification process without needing online access. Cardholders' privacy is enhanced through data minimisation and the use of non-human-readable RIDs for revocation, though the inclusion of name and surname on the EDC may raise minor data protection considerations.
The delegated regulation will enter into force following its adoption by the Commission and publication in the Official Journal of the European Union. Member states will need to transpose the technical specifications into national law and ensure their issuing authorities comply within the timelines set by Directive (EU) 2024/2841.