A different security model for digital identity and trust

The Remote Secure Element is software running inside a certified Hardware Security Module (HSM), where both the software and hardware are evaluated and certified together. Depending on the use case, this setup aligns with different eIDAS 2.0 components:

  • For EUDI wallets, it functions as a Wallet Secure Cryptographic Application (WSCA) running on a Wallet Secure Cryptographic Device (WSCD), compliant with CIR 2024/2981.
  • For qualified trust services such as QES and eSeals, it operates as a Signature Activation Module (SAM) within a Qualified Signature Creation Device (QSCD), listed under Article 30.

The key shift is this: policy enforcement is executed inside the HSM, not in external application layers. The HSM does not just store keys; it enforces when and how they can be used.

  • In a wallet context (WSCA), the HSM verifies that the correct user, wallet instance, and device are involved before allowing credential presentation or signing.
  • In a QES or eSeal context (QSCD), the HSM verifies that the signer has properly authorised the use of the signing key.
  • In an issuer backend, the HSM enforces that the correct issuer, approval flow, and issuance profile are used before a credential is signed.

This model reduces the attack surface and enables compliant operation in public cloud environments, with the HSM hosted in a controlled or sovereign setup. Instead of protecting keys with a PIN, the Remote Secure Element protects keys with policy enforced at the point of execution.

The problem with existing trust service architectures

Many digital wallet and trust solutions are built on heavy, layered technology stacks that have grown over time to meet security and regulatory demands. The result is infrastructure that is expensive to run, difficult to oversee, and dependent on multiple systems and vendors. That complexity increases operational burden and expands the potential attack surface, making the overall setup harder to control and, in practice, more exposed to risk.

Most wallets and trust services today rely on architectures that are difficult to operate, scale, and certify. While cryptographic keys are typically stored in secure hardware, the decisions about when and how those keys may be used are handled outside of that environment, across application logic, orchestration layers, or custom-built systems. This separation makes compliance with eIDAS 2.0 frameworks such as WSCA and QSCD more complex, as the security boundary is fragmented and harder to assess and certify. It also increases operational overhead, since organisations must build and maintain additional layers for policy enforcement, approval flows, and integration. As usage grows, these architectures do not scale efficiently, because expanding capacity requires scaling the entire surrounding infrastructure rather than just the secure core. The result is either rigid, closed platforms that limit flexibility, or highly customised environments that are costly to run and difficult to maintain, even when they technically meet compliance requirements.

What the Remote Secure Element is

The Remote Secure Element is the secure core that wallets and trust services use to create qualified signatures and protect digital identities in wallets. It is built around a Hardware Security Module, widely regarded as one of the most secure ways to protect sensitive cryptographic material. By concentrating the most critical security functions in this one protected, certified environment, it reduces architectural complexity, lowers operational costs, and limits the components that need to be secured and audited.

The Remote Secure Element is a policy enforcement runtime implemented as code inside certified Hardware Security Modules (HSMs). It combines cryptographic key custody with policy evaluation, so that decisions about key usage are enforced within the same secure boundary as the keys themselves. External systems handle orchestration and lifecycle management, while the RSE ensures that signing, sealing, and authentication operations only occur when all policy conditions are met.
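
The enforcement model described above, sketched as an added example (not Remote Secure Element code or its API): a toy in-process boundary whose only signing entry point evaluates the key's policy first. All names are hypothetical, and HMAC stands in for both the signature algorithm and the user's authorisation protocol.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    """Who is asking: the user, wallet instance and device a key is bound to."""
    user: str
    wallet_instance: str
    device: str

def authorise(activation_secret: bytes, payload: bytes) -> bytes:
    """User side: consent bound to one exact payload (HMAC is a stand-in protocol)."""
    return hmac.new(activation_secret, hashlib.sha256(payload).digest(), hashlib.sha256).digest()

class SecureBoundary:
    """Toy model of code inside the HSM. Keys stay in _keys; there is no raw-sign call."""
    def __init__(self) -> None:
        self._keys: dict[str, tuple[bytes, bytes, Context]] = {}

    def create_key(self, bound_to: Context) -> tuple[str, bytes]:
        key_id, activation = secrets.token_hex(8), secrets.token_bytes(32)
        self._keys[key_id] = (secrets.token_bytes(32), activation, bound_to)
        return key_id, activation  # activation secret is handed to the user side only

    def sign(self, key_id: str, ctx: Context, payload: bytes, authorisation: bytes) -> bytes:
        signing_key, activation, bound_to = self._keys[key_id]
        if ctx != bound_to:  # check 1: correct user, wallet instance and device
            raise PermissionError("context does not match the key's policy")
        if not hmac.compare_digest(authorise(activation, payload), authorisation):
            raise PermissionError("no valid authorisation for this payload")  # check 2
        # Reached only when every condition held; HMAC stands in for the signature.
        return hmac.new(signing_key, payload, hashlib.sha256).digest()

def demo() -> dict[str, bool]:
    """Constructed scenario: one good request and two that must be refused."""
    hsm, alice = SecureBoundary(), Context("alice", "wallet-1", "phone-A")
    key_id, secret = hsm.create_key(alice)
    doc = b"present credential #1"
    def refused(ctx: Context, payload: bytes, auth: bytes) -> bool:
        try:
            hsm.sign(key_id, ctx, payload, auth)
            return False
        except PermissionError:
            return True
    return {
        "valid_request_signed": len(hsm.sign(key_id, alice, doc, authorise(secret, doc))) == 32,
        "other_device_refused": refused(Context("alice", "wallet-1", "phone-B"), doc, authorise(secret, doc)),
        "reused_authorisation_refused": refused(alice, b"present credential #2", authorise(secret, doc)),
    }
```

Calling `demo()` returns all three flags as `True`: the orchestration layer can forward requests, but it has no path to the key that skips the checks.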

A foundation for multiple identity ecosystems

The Remote Secure Element is used as core infrastructure across digital identity and trust ecosystems. We work with organisations that need high-assurance security at scale, while retaining architectural control and flexibility.

Government organisations

We provide the secure backbone for national and sectoral EUDI wallets, enabling high-assurance identity without device dependency or platform lock-in.

Authentic source

We enable authentic sources to issue and manage verifiable attributes and credentials using a secure, scalable trust foundation.

Trust Service Providers

We deliver the cryptographic core and policy enforcement layer required to operate trust services without adopting a full end-to-end platform.

FinTechs & Banks

We support fintechs in offering secure signing, authentication, and other trust services as part of their own products, without building heavy trust infrastructure themselves.

A secure core for digital identity

The Remote Secure Element acts as the shared secure core in a modular digital identity setup. Instead of relying on one large, closed platform, organisations combine separate components for verification, lifecycle management and auditing around this protected foundation. By enforcing security consistently in one place, it allows wallets and trust services to evolve independently while relying on the same high-assurance base.

Operationalising the Remote Secure Element

The Remote Secure Element acts as a security foundation that can be applied where high-assurance identity, access, or trust services are required.

We provide the backend technology needed to build and run an EUDI wallet. It handles secure identity usage, authentication, and credential operations in line with the EUDI architecture, without depending on specific devices or phone capabilities.

The organisational identity wallet enables secure access to applications, systems, and physical environments using a single digital identity. It supports authentication and authorisation based on roles and verified attributes, while keeping the user experience simple and consistent.

Our trust-service components enable organisations to issue and operate services such as signatures, seals, timestamps, and attestations. They are designed to integrate into existing architectures without forcing adoption of a full platform. Trust enforcement and scalability are handled by a common security backbone.

We enable organisations to build or evolve towards qualified trust services at their own pace. Instead of adopting a monolithic QTSP platform, organisations can assemble the required components and retain control over their architecture. Certified security components provide the foundation when qualification is required.
