Understanding eIDAS 2.0: The European digital identity wallet’s architecture in a nutshell

May 6, 2024

Beyond Products


Imagine a world in which your phone doesn’t just pay for your coffee, but also confirms who you are with absolute certainty. Within just a few taps on your screen, you will be able to access your digital wallet, which holds everything – from your credit cards to your driver’s license.

With the new eIDAS 2.0 framework, this will soon be a reality. eIDAS 2.0 is a set of standards that aim to promote the use of electronic identification and trust services within the European Union. Within this framework, many different roles, entities and definitions exist that might need explanation to understand what we are talking about.

In this article, we will talk about:

  1. users
  2. authentic sources
  3. wallets
  4. wallet providers
  5. attributes & data
  6. relying parties
  7. trust
  8. TSPs
  9. QTSPs
  10. QEAAs
  11. selective disclosure

Finally we will discuss the role of the Netherlands. To get an overview of how these different roles interact with each other, see the image below.

Users

A user is any natural or legal person who uses a digital wallet or similar service. Although the use of a wallet will not be made mandatory, in the next few years, the EU expects 80 percent of citizens to use digital identity wallets for public services.

You will sometimes see users be called end users, as we are the persons that are intended to ultimately use the product.

Authentic sources

An authentic source is the organization that owns ‘the truth’ about someone or something, such as a government database like the Chamber of Commerce. Authentic sources can be public or private organizations or systems: they can basically be any organization that holds information (attributes) about you. These can be attributes such as your address or your age, but also things such as diplomas, licenses, or mortgage documents.

Wallets

When we speak about the European Digital Identity (EUDI) wallet solution, we talk about the whole package of services offered by an EUDI wallet provider. When we talk about an EUDI wallet instance, we mean the version of a digital wallet that belongs to and is controlled by an EU citizen. Basically, this is a wallet similar to the Apple wallet that you might have on your phone already – just more elaborate. It will not only contain your bank cards, but also contain attributes that can prove your identity.

The software in the wallet is called Wallet Secure Cryptographic Application (WSCA) and ensures that your sensitive information remains secure. The Wallet Secure Cryptographic Device (WSCD) can also be used: this is a secure hardware device in which you store your personal information. It is similar to a random reader of a bank, or the chip in your bank card.

Wallet providers

The EUDI wallet provider is the organization that runs a digital wallet service that meets certain standards. We know that the Dutch government, the ministry of internal affairs specifically, will provide EUDI wallets to their citizens. However, the possibility is open for companies to jump in and offer their own wallet. This way, you might be able to have more than one wallet, or pick which one you would like to use.

Attributes

Attributes are things that describe a person or thing, like their name or age, but in electronic form.

Person Identification Data (PID)

Person Identification Data (PID) is information that proves who someone is, such as a name or ID number. With PID, you can prove your identity. With other attributes, you can prove that you are allowed to drive, or have a diploma from a specific university.

Person Identification Data (PID) provider

The organization that ‘owns’ the data about residents in a country is called the Person Identification Data (PID) provider. Often the ministry of internal affairs, they give out information to prove digitally that you are who you say you are.

The PID provider is responsible for verifying the identity of the EUDI wallet user, issuing the PID to the EUDI wallet, and making information available for relying parties.

Relying parties

A relying party is an organization that can interact with EUDI wallets and can provide non-qualified digital services to users. This could be an online retailer, but it can also be a bank, a municipality, or a police unit.

Trust

In eIDAS 2.0, you will see the word trust mentioned a lot, but what does it mean in the context of a digital identity wallet?

Trust is when you rely on someone or something to do what it’s supposed to do. A trust framework is a set of rules and agreements that everyone agrees to follow when using a system together. A trust model is a set of rules that make sure everything in a digital system is legitimate and safe to use.

Trust service providers (TSP)

A trust service is a digital service that helps keep things secure: think about electronic signatures or seals. These are made possible by Trust Service Providers (TSP), groups or companies that offer digital services to make sure things are secure and trustworthy.

Qualified Trust Service Providers (QTSP)

QTSP’s are organizations that have been audited and are on the official list of the EU to provide services related to digital security. For example, they can issue digital driving licenses or sign documents.

Trusted lists

Lastly, we also talk about trusted lists: lists of groups or organizations that are considered reliable or trustworthy in a certain context.

QEAA

Qualified Electronic Attestations of Attributes (QEAA) are digital documents that confirm certain details about a person or thing. An Authentic source is a QEAA provider that can issue these digital documents.

Non-Qualified Electronic Attestations of Attributes (EAA) providers also exist: non-qualified EAAs can be issued by any trust service provider. However, they will be supervised under eIDAS and the national legal or contractual frameworks.

Selective Disclosure

The digital identity wallet relies on selective disclosure. This means that you only share some of your information, not everything. For example, when you want to buy alcohol, you can share with your retailer that you’re above the legal drinking age. You do not need to share your entire date of birth in order to provide that you’re 18+.

eIDAS 2.0 and the role of the Netherlands

Although the Netherlands has made significant steps with the introduction of DigiD, the digital identity wallet will completely change the way we think about digital identity.

All government agencies are going to have to play a role in eIDAS 2.0. Not only should all governmental services be available to accept the wallet, the government must also issue a wallet, provide an identity to the wallet, and guarantee the authenticity of the issued data.

To read more about the timeline, preparations, and Ubiqu’s role, read our introductory article on eIDAS 2.0 here.

Related Blog

What’s in your wallet? Everything you need to know about eIDAS 2.0

Read More

Webinar: The impact of eIDAS 2.0 on government organizations

Read More