Reality Check: Opportunities and Uncertainties for Trust Services and Electronic Identification in EU – Status September 2024

Joerg Lenz Avatar
Head of Marketing & Communication at Namirial

Four months after the entry into force of EU Regulation 2024/1183 amending EU Regulation 910/2014 on electronic identification and trust services (eIDAS) , which introduces a framework for the European Digital Identity (EUDI) and corresponding digital identity wallets, as well as new qualified trust services, two events in Heraklion (Greece) provided a holistic overview of the legal, technical, operational and communication challenges.

The Trust Services and eID Forum on 25 September, followed by CA-Day the next day, provided valuable insights into the rapidly evolving landscape of digital identity and trust services in Europe. The Forum was the tenth edition of an annual series of events organised by the European Union Agency for Cyber Security (ENISA) with the support of the European Commission, while CA-Day, was held for the sixteenth time. Heraklion was chosen as the host city as ENISA was established there in 2004.

About 250 participants gathered on site and many hundreds more online. The audience consisted of a wide range of experts, industry leaders, policy makers and representatives from data protection organisations, consumer protection associations, supervisory authorities and conformity assessment bodies. Namirial contributed with its expertise in having compliance, technology and business development experts on site to engage in many conversations and provide insights on how artificial intelligence can be used responsibly in combination with digital trust services for various purposes to create reliable intelligent trust services.

Namirial contributed its expertise by having compliance, technology and business development experts on site to engage in many conversations and provide insights on how artificial intelligence can be used responsibly in combination with digital trust services for various purposes to create reliable intelligent trust services. We shared insights on use cases for artificial intelligence in fraud prevention, providing evidence, improving user experience while reducing operational costs. The presentation slides are available here.

Convenient market overview: eIDAS dashboard

The eIDAS Dashboard proposes a centralized platform that enables interested parties and Digital Single Market players to easily and transparently access information and tools for trust services and electronic identification. The dashboard is listing 247 active Qualified Trust Service Providers in 29 countries as of October 7, 2024 It is continuously improved with new services being added.

In the next months the EU/EEA Trusted List Browser is expected for example to display listings of trust services providers for Qualified Electronic Attribute Attestations (QEEA).

EU as a global model for Trust services

Some speakers and attendees at the two events flew in from the Americas, Asia, Africa and the Middle East, as these events demonstrated how Europe is setting the standard for trust services on the global stage. As other regions increasingly look to the EU model for digital identity and trust frameworks, European providers are finding opportunities to expand beyond the continent. Markets in Africa, Asia and the Americas are beginning to adopt similar frameworks, creating fertile ground for European qualified trust service providers to enter and establish themselves.

European Digital Identity Wallet: A Game Changer with Conditions

The European Digital Identity Wallet (EUDI-Wallet) is set to transform how citizens and businesses engage with digital services, providing secure, cross-border access. Despite its enormous potential, the current landscape is marked by uncertainty, with ongoing debates about the pace of implementation and the long-term impact.

A significant development is the creation of the European Digital Identity Cooperation Group (EIDIC), which will replace the existing eIDAS expert group, playing a pivotal role in managing the transition to the EUDI-Wallet. However, for the Wallet to truly thrive, it must be embraced not only by private companies but also by individual users. The key to widespread adoption will be whether the Wallet delivers clear benefits and proves to be both useful and user-friendly. Without addressing these real-world needs, its adoption may lag, limiting the full realization of its transformative potential across Europe.

Business is Global, Trust is Local

A major theme emerging from presentations and panel discussions was the delicate balance between global business opportunities and the local nature of trust. While Europe is positioning itself as a global leader in digital identity standards, trust remains deeply tied to national frameworks. This dichotomy continues to shape the future of eIDAS and the EUDI-Wallet as member states adapt to new requirements.

Implementation Acts: Standards Lag Behind

The implementation of EU Regulation 2024/1183 (sometimes referred to as “eIDAS2”), in particular the first set of implementing acts for 21 November 2024, continues to face challenges, as evidenced by the many comments received during the consultation period that ended on 9 September. One of the key issues is the lack of available standards, which means that these acts will not yet lead to a fully standardised framework. As a result, participants at the forum and CA-Day recommended maximising the use of tools already created under EU Regulation 910/2014, such as qualified electronic seals, to bridge the gap while standards are developed. Namirial contributed comments to Drafts on Implementing Acts on Certification, Protocols and Interfaces, Person Identification Data (PID) and electronic Attestation of Attributes (EAA), Integrity and Core Functionalities  Namirial recently participated in the ETSI / CEN Workshop on EU Digital Identity Framework Standards in Sophia Antipolis in mid-September 2024.

EUDI-Wallet Certification: National Differences Expected
 

ENISA’s announcement to prepare the certification scheme for the EUDI-Wallet was seen as a positive step towards ensuring trust and security. This scheme is expected to harmonise certification standards for the EUDI wallet, allowing EU Member States to adopt a standardised framework for their national digital identity systems. A call for experts to contribute to this working group is expected to be published soon, opening the door for collaboration on this important initiative. However, the national application of these certifications may vary, resulting in different rules and approaches across Member States. This could be a significant barrier to cross-border interoperability and user acceptance.

Electronic Attribute Attestation could be new revenue driver

Attribute attestation, also known as verifiable credentials, could become a major revenue driver in the coming years, further reshaping the digital identity business landscape. Several market surveys of qualified trust service providers have shown that this is one of the segments many are betting on. However, there are some unknown unknowns in creating sustainable business cases, such as access to authentic sources, which will be regulated on a national basis, allowing for some protectionist approaches in some countries. Other hurdles in this segment could be a lack of digitisation of such sources and granulated responsibilities in some EU countries with a strong focus on federalism.

Wallet Security: Is Phishing the Real Issue?

Security concerns around the EUDI-Wallet were widely discussed, but an important takeaway emerged from the experiences of current eID apps like itsme in Belgium and MitID in Denmark. The representative of the national electronic identification schemes claimed that their apps have proven to be secure, with the biggest risk stemming from phishing attacks targeting end users, rather than flaws in hardware or app security. This raises questions about whether excessive focus on hardware security might hinder market adoption without addressing the real threats, which lie in user behavior. Stronger user education, guidance, and protection are considered as vital in addressing these risks. In Germany the Smart-eID project which had a strong focus on a secure element in smartphones was stopped end of 2023. Learnings from that project are being transferred into the Large Scale Pilot Potential.

Large Scale Pilots deliver Proofs of Readiness

Namirial is in the Large Scale Pilot Potential. One week prior to the events in Heraklion Namirial digital signature experts engaged in a hackathon in The Hague to work on the use case about qualified electronic signatures where participants successfully demonstrated that the existing market for Qualified Electronic Signatures and Qualified Signature Creation Devices is ready to support eIDAS 2.0 for both non-professional and professional usage.

Data Centralisation vs. Decentralisation: A Risk for End-Users?

Another crucial debate centred around where sensitive data should be stored. With the highest risk of identity theft tied to the end-user’s behavior, some experts questioned whether it makes sense to let users store their sensitive ID data on their own devices. Decentralised storage could increase risks, especially if users are tricked into handing over their credentials. This issue remains unresolved, but it highlights the delicate balance between user convenience and security.

Harnessing Synergy: Government and Private Sector Collaboration for a Stronger Digital Ecosystem

A key topic raised was the potential for governmental institutions to collaborate with, rather than compete against, private sector services. For instance, Germany’s recent decision to open the market to private digital wallet providers showcases how governments can empower innovation while ensuring security and compliance. As more nations develop their own public key infrastructure (PKI) environments, there’s an exciting opportunity to complement private offerings, creating a more robust and secure eSignature ecosystem. With eSignatures in the EUDI-Wallet potentially provided by national institutions, the goal should be to leverage state-led initiatives to drive private sector innovation, ensuring competition and innovation thrive under a shared vision.

Clarifying Future Directions for Greater Opportunity

The discussion also highlighted the need for clearer definitions, particularly regarding “eSignatures for non-commercial use.” By addressing these ambiguities, stakeholders can ensure that businesses, governments, and individuals alike benefit from the advancements set forth in EU Regulation 2024/1183. This presents an excellent opportunity for shaping a cohesive and inclusive future for the eSignature business across Europe.

Cross-Border Interoperability: Challenges Ahead

A recurring theme was the challenge of cross-border interoperability, which remains critical to the success of eIDAS2 and the EUDI-Wallet. While making eID and QES available across Europe is an essential first step, member states are expected to apply different rules on their usage, particularly in sectors like human resources. This could limit the potential of the EUDI-Wallet to serve as a truly pan-European solution.

Future Outlook: Dual Citizenship, Foreign ID Integration, and Onboarding

Several complex issues were raised regarding the practicalities of using the EUDI-Wallet. For instance, how will wallets handle dual citizenships? Will foreign nationals be allowed to use their own national wallets while residing in other EU member states, or will they be forced to onboard their foreign IDs into local wallets? Additionally, the process of remote onboarding remains a critical question, with some member states likely to require in-person administration, while others may opt for more flexible solutions.

Regional differences remain: Both a challenge and an opportunity

EU and EEA Member States will continue to operate in different regulatory environments with different service offerings. This heterogeneity creates a complex landscape where a ‘one-size-fits-all’ solution may not be feasible. However, these differences also create opportunities for innovation and bespoke solutions – as was the case with EU Regulation 910/2014, where a sound understanding of the complex regulatory landscape in different countries enabled many organisations to benefit from being able to choose from qualified trust service providers across the EU and EEA, and to benefit from solutions that enable compliance to be achieved simply and deliver significant competitive advantages.

In Conclusion: Opportunities and Uncertainties

eIDAS2 undoubtedly presents a wealth of new opportunities, but key details still need to be clarified to ensure its wider adoption. Concerns over hardware security certification, unclear access to authentic governmental sources, and varying national rules all threaten to slow down its implementation. These challenges must be addressed if Europe is to successfully transition to the EUDI-Wallet and unlock the full potential of trust services across the continent. As the forum demonstrated, collaboration between public and private sectors will be essential in navigating this complex landscape. Namirial is fully committed to engage in such collaboration and we are working on it.

Joerg Lenz Avatar
Head of Marketing & Communication at Namirial