The impact of the new eIDAS proposal on the SSI community
July 21, 2021

In June 2021, the European Commission announced the launch of a European Digital Identity in an improved proposal to the current eIDAS regulation.
eIDAS stands for "electronic IDentification, Authentication and trust Services" and refers to a European regulatory framework introduced in 2014 that establishes rules and standards to ensure secure and seamless electronic transactions between businesses, citizens, and public authorities in the internal market.
In the new proposal, not only will all Member States be obliged to provide certified digital wallets to citizens, but businesses will also have to accept them as forms of identification, opening up the applications of government-issued digital identities to the private sector.
In this article, Gataca dives deeper into the key points relevant to the Self-Sovereign Identity (SSI) community, whose principles are all over the new eIDAS proposal, and explores the opportunities and challenges present in the Parliament draft from March 2023.
Please note the new eIDAS regulation proposal is currently under revision by the Member States and is subject to change. To understand the implications of eIDAS 2.0 for organizations, please visit our Steps to ensure eIDAS 2.0 compliance article.
Key point #1: All EU Member States must provide a digital wallet to their citizens
Where: Article 6a
"Each Member State shall issue at least one European Digital Identity Wallet by 18 months after the date of entry into force of this amending Regulation. European Digital Identity Wallets shall be issued and managed in any of the following ways:
(a) directly by a Member State;
(b) under a mandate from a Member State;
(c) independently from a Member State but recognised by that Member State."
Member States have the flexibility to choose whether to develop their own Wallet in-house, mandate a specific Wallet provider, or create an open market for private Wallet providers while certifying selected solutions.
The third option, creating an open market, is the preferred path for the Decentralized Identity community, as this approach empowers citizens to select their preferred ID Wallet from an open market and fosters competition among providers, spanning from specialized technology firms to industry-leading giants, to offer the best user experience, privacy protection, and security features.
This dynamic landscape also paves the way for additional market opportunities, particularly for identity credential providers incentivized to innovate and introduce new services linked to the European Digital Identity Wallet.
The first option, namely a Member State developing only its proprietary wallet, may present formidable challenges. Market dynamics would underperform should governments focus their efforts and invest heavily in promoting their own wallet, leaving little room for citizen choice and for the market to flourish.
The second option, mandating the wallet's development to a specific provider, whether public or private, represents a middle-ground approach. However, it may favor only large, resource-rich companies with established connections, which enjoy advantages over smaller innovators in securing public contracts.
Currently, each Member State is pursuing its own strategy, but the prevailing trend leans towards establishing an open market for certified wallets in addition to a government-provided wallet.
Key point #2: The use of VCs and the registry of electronic data in a DLT are considered Trust Services
Where: (11) | Article 3 (16)
"(11) EDIWs should ensure the highest level of security for the personal data used for identification and authentication irrespective of whether such data is stored locally, in decentralised ledgers or on cloud-based solutions, and taking into account the different levels of risk.
(16) trust service means an electronic service normally provided against payment which consists of:
(a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services, electronic attestation of attributes and certificates related to those services; […]
*(f) the recording of electronic data into an electronic ledger."
*Re-introduced in June 2023
On the one hand, the text recognizes the possible use of decentralized ledgers for identity verification, reflecting the sentiment of many countries in favor of using decentralized technologies to implement digital identities.
On the other hand, by categorizing both the issuance of electronic attestations of attributes (the eIDAS name for Verifiable Credentials) and the recording of data in electronic ledgers as Trust Services, Europe gives legal recognition to, and hence instills market trust in, the use of VCs and blockchain networks.
As a result, Verifiable Credentials and blockchain networks can no longer be denied legal validity.
It is worth noting the decoupling of the EUDI provisioning, the issuance of electronic attestations, and the recording of data on electronic ledgers as three independent concepts.
Key point #3: The wallet will be mandatory for private relying parties requiring strong user authentication
Where: Article 12b
“Where private relying parties providing services are required, by Union or national law, to use strong user authentication for online identification, […] shall also offer and accept the use of European Digital Identity Wallets and notified electronic identification means with assurance level ‘high’ issued in accordance with this Regulation for identification and authentication.
Where very large online platforms as defined in Article 25(1) Regulation (EU) 2022/2065 require users to authenticate to access online services, they shall also accept, though not exclusively, and facilitate the use of European Digital Identity Wallets issued in accordance with Article 6a strictly upon voluntary request of the user and in respect of the right to pseudonyms provided for in this Regulation.”
Self-sovereign identity and the EUDI Wallet represent a transformative force in the management and control of digital identities for individuals and organizations. However, to fully harness their potential, widespread adoption beyond the public sector is critical.
Ensuring that the EUDI Wallets are not only mandated for Member States to provide but also required for important private sector industries to embrace is undoubtedly a catalyst for adoption. In fact, one of the key success factors for Estonia’s eID system was the involvement of the private sector early on, particularly the banking industry.
This provision holds substantial promise for decentralized identity providers, as it guarantees a viable market.
Diverse organizations and industries will accept the use of digital wallets for authentication and may also seize an opportunity to offer the issuance of Verifiable Credentials as a new revenue stream.
For those purposes, they’ll demand technology and/or services currently provided by decentralized identity technology companies. This increased demand is poised to grow these companies, potentially leading to mergers and acquisitions and offering investors a clearer and more promising exit strategy. It's a win-win scenario that fuels innovation and growth while enhancing security and privacy for all.
Key point #4: European countries can accept Credentials from abroad without needing peer agreements
Where: Article 12c, 14
“Where electronic identification using an electronic identification means and authentication is required under national law or by administrative practice to access an online service provided by a public sector body in a Member State, the electronic identification means, issued in another Member State shall be recognised in the first Member State for the purposes of cross-border authentication for that online service, and ensuring mutual recognition provided that the following conditions are met […]”
“[…] trust services provided by providers established in the third country concerned shall be considered equivalent to qualified trust services provided by qualified trust service providers established in the Union.”
Member States no longer need to establish a lengthy bilateral process to enable mutual recognition between two or more countries, a hurdle that impeded the widespread adoption of the current eIDAS regulation in cross-border scenarios.
Under the new provisions, a certified wallet and qualified Trust Services for electronic attestations will be enough for a Member State to accept identity attributes from abroad, including non-EU countries, provided the required assurance levels for electronic identification are met.
Moreover, the harmonization of remote identification methods eliminates the national barriers that had previously complicated cross-border interoperability.
What does this mean for the decentralized identity community? It translates to smoother interoperability and a more expansive market. SSI technology providers no longer need to build complex, country-specific solutions but can focus on compliance with the regulation, opening their solutions for all Member States at once.
Key point #5: All wallets must technically enable selective disclosure of attributes to relying parties
Where: (29)
“The European Digital Identity Wallet should technically enable the selective disclosure of attributes to relying parties in a secure and user-friendly manner as one of its key features and advantages. It should also ensure that no attributes are disclosed to parties that are not registered to receive such attributes. This feature should become a basic design feature thereby reinforcing convenience and personal data protection including minimisation of processing of personal data in particular privacy by design and by default.[...]”
Selective disclosure is the ability of an individual or entity to decide what personal information or attributes they share with others when verifying their identity or providing proof of claims while keeping the rest of their personal data confidential.
This development is excellent news for the community, as selective disclosure is a fundamental design principle in Self-Sovereign Identity, and this provision strengthens the case for selecting ESSIF as the technical framework for eIDAS 2.0.
The latest EUDI Wallet Architecture and Reference Framework specifies Selective Disclosure for JSON Web Tokens (SD-JWTs) as the selected method for selective disclosure.
SD-JWT is a mechanism that allows a user to selectively disclose the contents of a JSON Web Token (JWT) to a service provider/verifier without revealing all of the information within the JWT.
It's worth noting that while SD-JWTs offer advantages and promote interoperability, they also present challenges related to user complexity and have experienced limited adoption within the ecosystem compared to other standards. We have a detailed article on SD-JWT and other methods for implementing selective disclosure on Verifiable Credentials to dive deep into this topic.
Key point #6: Wallets must enable the storage of credentials and allow Qualified Electronic Signature
Where: Article 6a (3)
"European Digital Identity Wallets shall, in a user-friendly manner, enable the user to:
(a) securely request and obtain, store, select, combine and share, in a manner that is transparent to, traceable by and under the sole control of the user, the necessary identification data to identify and authenticate the user online and offline in order to use online public and private services; [..]
(b) sign by means of qualified electronic signatures; […]"
The Self-Sovereign Identity industry, up until this point, had primarily focused on creating standards and technology for generating, verifying, and storing Verifiable Credentials.
The mandatory inclusion of qualified electronic signatures has rapidly expanded the scope of value-added services and the practicality of digital wallets in daily tasks, such as signing documents.
This development simplifies the lives of citizens who lack reliable electronic signature options for various legal procedures within their jurisdictions and transforms the ID Wallet concept into more than a mere vault for personal data. It aspires to create a powerful tool, a personal key for navigating the Internet.
As a result, the logical next step in evolution would involve enhancing wallet functionality to include managing and storing digital assets and payments. This opens up exciting diversification opportunities for wallet providers.
However, introducing a product with more features than is strictly necessary can add complexity to an already intricate solution. The challenge, therefore, is to avoid overwhelming users and ensure the user experience (UX) remains as simple as possible to encourage adoption.
Finally, because a certified EU Wallet must offer qualified electronic signatures, another notable consequence in the market is the emergence of more partnerships between e-signature technology providers and ID wallet providers.
A Promising Future: Optimism in the Self-Sovereign Identity Market
The eIDAS 2.0 proposal has breathed fresh life into the Decentralized Identity community, banishing the veil of uncertainty that once hung over the market.
Projections suggest that the revamped eIDAS regulation will generate numerous benefits for citizens, governments, and entities in both the public and private sectors, generating a profoundly positive impact on both the European and global economies.
We're already witnessing remarkable growth in the market, with increasing demand for digital credentials that prove attributes. In fact, the Europe Decentralized Identity Market is projected to experience substantial growth, with a forecasted CAGR of 77.8% during the period from 2022 to 2028.
At the beginning of December 2023, the negotiated text will be presented to the Committee of Permanent Representatives (Coreper) for endorsement, and its official entry into force is expected in the first quarter of 2024.
Member States will have to provide EU Digital Identity Wallets to their citizens 24 months after adoption of Implementing Acts setting out the technical specifications for the EU Digital Identity Wallet and the technical specifications for certification.
Exciting times are undoubtedly on the horizon for the SSI community and Gataca is ready to assist in achieving trusted digital identities that comply with eIDAS with our solutions, Gataca Wallet and Gataca Studio.
