The European Union is moving forward with its work on a European digital identity, making it possible to use your mobile phone for identity verification and authentication. Recently, the European Commission announced an update of the electronic identification and trust services regulation (eIDAS 2). It stipulates the creation of a toolbox for member states, including among other things a technical Architecture and Reference Framework (ARF) for the future EU digital identity wallet ecosystem. An update to the technical specifications in the ARF was published on February 22. In this article, we highlight key aspects of this update and its impact on the development of the EU digital ID wallet.
At a conference hosted by the Swedish Agency for Digital Government (DIGG) in early February, several presentations were given outlining the current status and hypotheses on what the future European digital identity wallet will become. Different stakeholders have different goals and objectives that are currently being negotiated, and many questions are still unanswered.
It is for example likely that the EU digital ID wallet will be based on new technology that is not yet developed. There is therefore uncertainty as to how prescriptive the regulation will be in terms of technology vs functionality.
All EU member states will be tasked by the European Commission with ensuring that EU citizens have access to a digital ID wallet and that the digital ID wallet is interoperable with other member states' digital wallets. Each member state can choose to develop the digital identity wallet as a state project, run a procurement process to pick a vendor that builds it or let several private companies develop competing EU digital identity wallets.
One example of how an EU country might act is Sweden. This member state made it clear that it wants to see several private companies building digital identity wallets, whereas the Swedish authorities will retain the responsibility of ensuring a digital identity document (eID) with High Identity Assurance Level (currently Sweden has no eID with this assurance level).
There are several functional requirements that the digital identity wallet must comply with, although not all of them have been decided. Here, we list likely requirements, based on the information received from Swedish authorities:
The requirements in the Architecture and Reference Framework have a very clear focus on user integrity, anonymity and privacy. However, other EU initiatives in Anti-Money Laundering (AML) and crime prevention point towards the need for more, not less, access to data on sensitive transactions, e.g. money transfers to and from the bank account of the user.
How to balance the stringent privacy requirements with these data transparency and monitoring requirements is still an open question. It is not unlikely that services engaging with EU digital identity wallet (EUDIW) holders will be required to store and share sensitive data with authorities, even though the purpose of the EUDIW is to make this monitoring impossible.
Based on DIGG's presentation and the discussion that followed, it is likely that blockchain technology will become an important part of the EUDIW framework, and that ideas within Decentralized Identity and Self-sovereign Identity will have a significant impact on the EUDIW. However, since many aspects of these technologies are yet to be developed, it is clear that uncertainty will remain for technology providers as to how viable the requirements are in practice.
The update of the European digital identity framework will now be followed by four Large Scale Pilots running over two years, estimated to begin in spring 2023. These will test key aspects of the planned technology and infrastructure for the European digital wallet in different use cases and EU member states, including cross-border testing. Given that they are public-private partnerships with stakeholders in several countries, it is not unlikely that there will be coordination challenges.
DIGG expects the final eIDAS2 regulation and framework to come into law some time after the completion of the Large Scale Pilots, which would point towards a date in 2025 at the earliest. There is very high interest at EU level, both from member states and the EU Commission, in developing the EUDIW.
However, the challenges of coordination and stakeholder management are considerable, and it is probably more likely than not that there will be further delays. Also, the technical risk remains high, given that technology that is yet to be developed will be part of the requirements.
The EUDIW project is very ambitious and has the potential to create clear value, both in terms of integrity and efficiency. For Truid, the overall objective is exactly the right one. The main risks are likely political and technical, but the timeline makes it possible for private companies to learn and stay ahead of the official regulatory developments to make sure that it is possible to deliver a product compatible with the EUDIW certification if and when it comes.