Previously, we extensively examined the intricacies of the eIDAS 2.0 regulation, with a special focus on the novel aspect of EUDI-Wallets. In the following sections, we further explore the prospective horizons of Digital ID-Wallets and their pivotal influence on the evolving digital identity landscape within the European Union. Let’s begin by unravelling the journey of the EU and its Member States towards achieving their strategic goal of enabling citizens to access key public services online.
The Evolution of EUDI-Wallets
In 2016, the first eIDAS regulation came into force. Laying out the preliminary ground for electronic identification and trust services for electronic transactions in the internal market, it underlined one main goal — to establish a uniform proof of identity across the EU. In 2021, the draft of a revised version of the regulation was submitted and adopted by the European Commission. Addressing the weakness of its predecessor, eIDAS 2.0 has been extended to include additional types of electronic trust services and contain uniform requirements for them in the EU. Followed up by the vote in ITRE committee and the vote in the plenary, consequently at the beginning of 2024. Furthermore, mandated support for member states, big platform providers, and sector-specific parties will come into the picture no earlier than in 2026.
While there are various improvements to look out for, the key component of the proposed regulation is the Digital Identity (EUDI) Wallet, which we will take an in-depth look at in the following sections.
As previously highlighted, the eIDAS regulation specifies the rules for electronic identification and trust services for electronic transactions in the internal market. As part of its proposed update, the EUDI-Wallet will play a crucial role in enabling the identification of a user within those transactions. With advanced security measures and seamless cross-border adaptability, this tool will be presented in the form of a software-based application, enabling the users to securely store and use their national identities provided by governments, as well as identity credentials throughout Europe, with advanced control over their data. The obvious benefit here is that the EUDI-Wallet will provide access to services from any Member State’s public institutions without the need for additional physical documentation. Additionally, the Wallet is expected to allow users to access private and public services online to facilitate the signing process of documents with qualified electronic signatures (QES) for citizens and qualified electronic seals for organisations.
With selective disclosure, the owner of the EUDI-Wallet would be enabled to digitally identify themselves while potentially limiting the attributes, which are shared. In practice, it implies the possibility to gather and exchange attestations of attributes in a format that is widely understood throughout Europe. For instance, this service may be used to validate the possession of a driver’s licence or a certain academic degree.
In summary, the following functional requirements for the EUDI-Wallet are specified in the European Digital Identity Architecture and Reference Framework Outline:
- requesting and obtaining attestations from providers, QEAAs and EAAs;
- providing or accessing cryptographic functions;
- ensuring mutual authentication between the EUDI-Wallet and external entities;
- selecting, combining and sharing Personal Identification Data (PID), QEAAs and EAAs with relying parties;
- having a user interface supporting user awareness and an explicit authorisation mechanism;
- enabling the signing data by means of qualified electronic signatures/seals (QES);
- providing interfaces with external parties.
As shown in the figure above, internal interfaces enable communication with the components of the Wallet, while external interfaces enable interaction with EUDI-Wallet stakeholders. Those include users, wallet issuers, issuers of the PID, trust service providers, and other relying parties. The PID can be viewed as a citizen’s distinct digital identity because no two PIDs can have the same information. When a citizen is issued a PID, it indicates that they have successfully completed certain restricted and regulated processes to verify their identity. Issue of a PID will be limited to specific regulated bodies.
How the EUDI-Wallet Ecosystem Can Be Trusted
An EUDI-Wallet can exist in many states since its holder may utilise it for a variety of use cases, some of which do not always require a high level of assurance (LoA). As showcased below, there are two stages that the EUDI-Wallet goes through during its instance lifecycle. According to the EUDI Architecture and Reference Framework, the Wallet Instance starts its life based on a valid EUDI-Wallet Solution.
An attestation that contains identity data can be requested by the user. The EUDI-Wallet Instance can also be used for non-EUDI specific purposes, such as keeping track of loyalty cards or any other kind of credential that doesn’t specifically require a link to a valid PID. This is considered an operational state of the EUDI-Wallet Instance.
The EUDI-Wallet-Instance is granted the valid status once it is recognized by a PID Provider and obtains a valid PID. What is implied by a PID provider is essentially a government authority which is allowed to issue identity cards. In Germany, for instance, that is known as the Bundesdruckerei. At this point, it becomes possible for the user to add Qualified Electronic Attestation of Attributes (QEAA) or other credentials, which require a link to the PID. Additionally, in case EEA originates from non-qualified sources, EUDI-Wallet holders can still be confident that the EEA issuer is legitimate. In this context, the term “qualified” implies that a regulated trust service provider is part of the transaction and thus ensures regulatory compliance and liability securities for the process.
Let us consider an example of a rail membership program, where individuals can sign up to access special privileges and services offered by the rail company. In this case, the rail company does not need to be a qualified provider (hence doesn’t require a QEAA) because the security requirements are not crucial, therefore an involvement of a trust service provider is not mandated.
It is worth mentioning that even if the PID expires or is revoked, the EUDI-Wallet is not automatically unusable, its state is merely downgraded back to operational. This may affect the validity of a (Q)EAA or a certificate for electronic signatures and seals (QES). Although, the latter is only relevant and applicable to organizations. The end users of the wallet are defined as natural or legal persons. However, these are totally different applications for totally different needs. Each legal person will be provided with an Organizational Identity Wallet (ODI-Wallet). In addition to representing a legal entity, the ODI-Wallet functions as a secure conduit for business partners, such as suppliers and customers. Verifiable credentials must be exchanged between participants across these connections in order for the business partners to validate the data and import it into their own IT systems. For this article, however, we are solely focusing on the Wallet for citizens.
While the term “digital identity” is used to describe a multitude of different concepts, here we focus on its definition within the context of user accounts, credentialing and relationships as well as governance of identity frameworks. These frameworks aim to provide a foundation for digital trust, and the root trust of digital identity within the EUDI-Wallet ecosystem is the PID.
A PID is defined as a set of mandatory attributes that is unique to each person, according to the eIDAS Regulation. The mandatory data set is by nature limited to what all Member States (MS) can provide for all natural and legal persons. The legal-PID for organizations in Germany, for instance, will be issued by the commercial registers. The optional data can vary, and each MS can select the attributes suitable for them. In this case, the minimum data set is defined by mandatory PID attributes, and goes as following:
While the published ARF does not define how the PID should be issued, it is suggested that MS will rely on their existing national solutions. The important aspect about this state of the credential configuration is that it can only be issued by the trusted issuers. This implies that identity documents may be used by the PID provider as a reliable source for PID attributes. In Germany, the PID will be derived via the online function of the Personalausweis.
After outlining the two primary states of EUDI-Wallet and the ability for both of its instances to function independently, we need to consider how the ecosystem surrounding the EUDI-Wallet will be conveyed into practical application for individuals and organisations.
Empowering Individuals and Businesses
The technical specifications laid down in the EUDI Architecture and Reference Framework (ARF) are already being tested through different use cases within four Large Scale Pilots (LSPs) since April 2023. These LSPs cover different sectors, such as healthcare, financial services, education, and transportation. Under the scope of these programs, over 250 private companies and public authorities across 25 Member States are being engaged in the pilot implementation of the EUDI wallets . They cover eleven particular use cases and paint a more holistic picture of EUDI-Wallet’s development, which will be explored in more depth in the following sections.
Every pilot will utilize elements of the reference implementation formed by the European Commission, contributing towards the improvement of the Wallet’s interoperability, security, and user-friendliness even further. The European Commission is putting €46 million into improving and testing the EUDI wallet as part of the Digital Europe Program .
- POTENTIAL – Pilots for European Digital Identity Wallet Consortium
Following the conclusion of a series of meetings in June 2023, POTENTIAL Consortium —which was chosen by the European Commission to conduct one of the four extensive pilots —announced that it was ready for deployment. With participation from 17 Member States as well as Ukraine, this project is being coordinated by Germany and France. More than 50 public administrations and over 80 private entities are involved, including companies such as Idemia , Intesa, and Namirial. They kicked off the cross-border pilots in May after formally launching the deployment phase in April and signing a grant agreement with the European Union. The project covers six specific use cases, namely government service accessibility, opening a bank account, SIM card registration, mobile driving license, eSignatures and ePrescriptions.
2. EWC – EU Digital Identity Wallet Consortium
When it comes to traveling or moving to a new country within the EU, the EUDI wallet can also be of great help to the European citizens. The tool offers digital travel passes, payment approvals and proof of identity for organizations.
The EU Digital Identity Wallet Consortium (EUWC) focuses on the application of the Wallet for the storage and presentation of Digital Travel Credentials, facilitating unrestricted cross-border travel throughout Europe. The creation of business digital identity wallets, which enable citizens to successfully identify themselves as authorized representatives of an organization wherever in Europe, will also be a key priority. Finally, it will use the EU Digital Identity wallet to authorize card-based, perhaps token-based, and account-to-account transactions in addition to storing payment credentials.
3. NOBID – Nordic-Baltic eID Wallet Consortium
This collaboration , comprising many banks and originating from a group of Nordic and Baltic nations, Italy, and Germany, will test the use of the EU Digital Identity Wallet for a single use case. More specifically, the wallet user authorizing payments for goods and services. It attempts to cover wallet issuance, financial institutions’ provision of payment methods, as well as payment acceptance and processing in a retail setting.
4. DC4EU – Digital Credentials for Europe Consortium
Two main areas of use cases will be put to the test by the Digital Credential for Europe (DC4EU) Consortium . Namely, the fields of education (professional qualifications and credentials) and social security (PDA1 and EHIC). The European Learning Model and ESSPASS will be in line with the experiment. More interestingly, the utilization of the European Blockchain Services Infrastructure within the framework of the EU Digital Identity Wallet distinguishes this LSP from the rest.
The entire ecosystem will be tested, starting with the issuance of the user’s wallet to incorporate personal identity information, continuing through the addition of more documents, and the presentation of this information to service providers. Eleven major use cases will be addressed by the pilot projects in an effort to increase public access to highly trusted and secure electronic services. Below is provided a complete list of the anticipated applications currently developed in the large-scale pilots:
5. Accessing government services
Secure access to digital public services, such as applying for a passport or driver’s license, filing taxes, or accessing social security information.
6. Accessing government services
Verification of a user’s identity when opening an online bank account, eliminating the need for the user to repeatedly provide their personal information.
7. SMS registration
Proof of identity for the purpose of SIM card’s registration and activation, with the benefit of reducing fraud and costs for mobile network operators.
8. Mobile Driving License
The storage and presentation of the mobile driving license in both online and physical interactions.
9. Mobile Driving License
Creating secure digital signatures for signing contracts online, eliminating the need for paper documents and physical signatures.
10. Mobile Driving License
Providing prescription details to pharmacies and initiating the dispensation of medical products.
11. Traveling
Presenting information from travel documents (EG passport or visa), allowing for quick and easy access when going through airport security and customs.
12. Organizational Digital Identities
Proving you are a legitimate representative of an organization, as well as that you exist as a legal entity and present credentials you hold (eg ISO 27001).
13. Payments
Verification of a user’s identity when initiating an online payment and approving it from within the Wallet.
14. Education certification
Proof of possession of educational credentials, such as diplomas, degrees, and certificates, making it easier to apply for jobs or further education.
15. Education certification
An EU Digital Identity Wallet can be used to securely access a user’s social security information and benefits, such as retirement or disability benefits. It can also be used to facilitate freedom of movement by storing documents such as the European Health Insurance Card.
Additional use cases include physical access management, such as when ensuring a secure entry to buildings; online authentication (log-in process), as well as management of employee credentials.
The above-mentioned sample cases demonstrate how the EUDI objective aims to guarantee wallet applications’ broad applicability to a wide range of public and private sector activities. Furthermore, the goal is to facilitate the use of wallet applications for information verification in both online and offline contexts. The legislative proposal from the EU states that wallet applications must be recognized by public sector services as a legitimate means for individual electronic identification. Furthermore, wallet applications would have to be recognized as an acceptable form of electronic identification in some private sector domains of operation. While the pilot implementation suggests the coverage of various sectors, such as healthcare, financial services, education, and transport , further obligations are expected to apply to the eight major sectors. Although the current scope is still relatively unclear, it is projected that the obligation to accept the EUDI-Wallet will apply to Education, Telecommunication, Banking, and Insurance, among others. Additionally, under the scope of the Digital Service Act, the very large online platforms, measured in terms of reaching 45 million monthly active users in the EU , are also expected to support the EUDI-Wallet for authentication.
The Commission and the four pilot projects will collaborate closely with one another. Their findings will be incorporated into the eIDAS expert group’s continuing development of technical requirements for the EUDI wallet. Additionally, the European Commission is developing an open-source EUDI-Wallet prototype in order to facilitate the pilot implementation and continuously improve the technical specifications. Both the large-scale pilots and the Member States will be able to employ these insightful and practical solutions, either fully or in part. Besides these developments, providers from the private market offer ID-Wallet solutions, which are increasingly compliant with the eIDAS 2.0 requirements, such as the Lissi ID-Wallet.
Future Trends and Innovations
Overall, the framework of digital ID-Wallets presents great potential to benefit people, businesses, and governments. To gain the most of its exceptional functionalities, however, some risks and limitations have to be acknowledged. For instance, the digital identity wallet relies on a device. While this is a convenient feature for the most part, it can also present difficulties if the device malfunctions, runs out of battery, or encounters network issues. More sensitive risks associated with the tool deal with data privacy. When data and documents related to personal identification are stored in a digital ID-Wallet provided as a cloud service, service providers and the wallet issuer itself may have access to this information. Fortunately, given the intensive certification schema, which requires Wallet issuers to ensure the highest level of assurance, any arising security-related concerns can be put to rest. While utilising elements of the reference implementation created by the European Commission, each of the deployed LSPs is also focused on helping to improve the security of the system.
With its diverse use cases and electronic attribute attestations (EAAs), the EUDI-Wallet will have a major impact on the way businesses handle digital credentials and access management. But how organisations interact with EUDI-Wallets? They can use specialised ID-Wallet Connectors, which enable them to connect their internal IT-infrastructure to the EUDI-Wallets of their customers. The different components are connected via APIs. Lissi provides such software applications for organisations to receive, organise and issue electronic attribute attestation to and from an EUDI-Wallet.
The software has already made significant strides with 35 successful pilots. In the near future, Lissi will offer productive software that aligns with the current eIDAS Architecture Reference Framework (ARF). With proven pilots and a commitment to compliance with the evolving eIDAS framework, companies can rely on Lissi as a trusted solution to drive efficiency, security, and innovation for businesses in the digital age. Reach out to Lissi to reserve your spot before the wave of mandated providers request access. You can also find more information about eiDAS 2.0 and EUDI wallets there.