
12 Requirements on the New EU Digital Identity Wallet


The European Union is moving forward with its work on a European digital identity, making it possible to use your mobile phone for identity verification and authentication. Recently, the European Commission announced an update of the electronic identification and trust services regulation (eIDAS 2). It stipulates the creation of a toolbox for member states, including, among other things, a technical Architecture and Reference Framework (ARF) for the future EU digital identity wallet ecosystem. An update to the technical specifications in the ARF was published on February 22. In this article, we highlight key aspects of this update and its impact on the development of the EU digital ID wallet.

 

The European Digital Identity Wallet - Still in its Infancy

 

In a conference hosted by the Swedish Agency for Digital Government (DIGG) in early February, several presentations were held outlining the current status and hypotheses on what the future European digital identity wallet will become. Different stakeholders have different goals and objectives that are currently being negotiated, and many questions are still unanswered.

It is for example likely that the EU digital ID wallet will be based on new technology that is not yet developed. There is therefore uncertainty as to how prescriptive the regulation will be in terms of technology vs functionality. 

 


European Digital Identity Wallets and Member States' Obligations

 

All EU member states will be tasked by the European Commission with ensuring that EU citizens have access to a digital ID wallet and that the digital ID wallet is interoperable with other member states' digital wallets. Each member state can choose to develop the digital identity wallet as a state project, run a procurement process to pick a vendor that builds it or let several private companies develop competing EU digital identity wallets.

One example of how an EU country might act is Sweden. This member state made it clear that it wants to see several private companies building digital identity wallets, whereas the Swedish authorities will retain the responsibility of ensuring a digital identity document (eID) with High Identity Assurance Level (currently Sweden has no eID with this assurance level). 

 

Requirements on the European Digital Identity Wallet

 

There are several functional requirements that the digital identity wallet must comply with, although not all of them have been decided. Here, we list likely requirements, based on the information received from Swedish authorities:

  1. Users (European citizens) retain full control of their digital identity.
  2. A party receiving personal information should not be able to combine data from different data delivery sessions and digital services unless the user consents to this.
  3. A European Digital Identity Wallet (EUDIW) issuer is not allowed to collect data on user behavior unless the user consents to this.
  4. The EUDIW should support adding Personal Identification Data (PID) and other verifiable credentials (e.g. bank account) that EU citizens want to add to their wallet for digital identification purposes.
  5. All EUDIWs should be interoperable within a common architectural and infrastructural framework.
  6. The EUDIWs should allow for High Identity Assurance Level and interfaces should be unified.
  7. The EUDIWs should be certified according to a shared framework.
  8. EUDIW issuers and PID issuers should not have an active role in single transactions.
  9. Electronic identification using the EUDIW should be free of charge for private individuals, but it should be possible to charge for other attributes.
  10. Private services should gain access to the EUDIW framework, and requirements on private sector usage could be in scope for both public and private services.
  11. Users should be able to sign with remote Qualified Electronic Signature (QES) using the EUDIW.
  12. The EUDIW should support both online and offline use cases.

 

The EU Digital ID Wallet is Not only About Identity Verification

 

The requirements in the Architecture Reference Framework have a very clear focus on user integrity, anonymity and privacy. However, other EU initiatives in Anti-Money Laundering (AML) and crime prevention point towards the need for more, not less, access to data on sensitive transactions, e.g. money transfers to and from the bank account of the user.

How to balance the stringent privacy requirements with these data transparency and monitoring requirements is still an open question. It is not unlikely that services engaging with EUDIW holders will be required to store and share sensitive data with authorities, even though the purpose of the EUDIW is to make this monitoring impossible. 

 

The Technology for the Digital Wallet is Yet to be Developed

 

Based on the presentation and following discussion by DIGG, it is likely that blockchain technology will become an important part of the EUDIW framework, and that ideas within Decentralized Identity and Self-sovereign Identity will have a significant impact on the EUDIW. However, since there are still many aspects of these technologies that are yet to be developed, it is clear that uncertainty will remain for technology providers as to how viable the requirements are in practice.


Next Step - Pilot Testing of the EU Digital Identity Framework

 

The update of the European digital identity framework will now be followed by four Large Scale Pilots running over two years, estimated to begin in spring 2023. These will test key aspects of the planned technology and infrastructure for the European digital wallet in different use cases and EU member states, including cross-border testing. Given that they are public-private partnerships with stakeholders in several countries, it is not unlikely that there will be coordination challenges.

 

Still Many Uncertainties

 

DIGG expects the final eIDAS2 regulation and framework to come into law some time after the completion of the Large Scale Pilots, which would point towards a date in 2025 at the earliest. There is very high interest at EU level, both from member states and the EU Commission, in developing the EUDIW.

However, the challenges of coordination and stakeholder management are considerable, and it is probably more likely than not that there will be further delays. Also, the technical risk remains high, given that technology that is yet to be developed will be part of the requirements.

 

Build Compliant European Digital Identity Wallets

 

The EUDIW project is very ambitious and has the potential to create clear value, both in terms of integrity and efficiency. For Truid, the overall objective is exactly the right one. The main risks are likely political and technical, but the timeline makes it possible for private companies to learn and stay ahead of the official regulatory developments, so that they can deliver a product compatible with the EUDIW certification if and when it comes.