EUDI Wallet is kicking off its pilots
The European Digital Identity (EUDI) Wallet, an application that will allow European citizens to access public and private digital services and create a European digital identity accepted by all member states, is shifting gears towards large-scale pilots. Here is a roundup of the latest news from the field.
Potential Consortium says it’s ready for European digital wallet pilots
Potential Consortium, which has been selected by the European Commission to run large-scale pilots for the upcoming EUDI Wallet, announced it is ready to start deployment after a series of meetings concluded this June.
The consortium, which includes companies such as Idemia, Intesa and Namirial, entered the deployment phase in April while in May it officially kicked off the cross-border pilots after signing a grant agreement with the European Union. The Commission earmarked €46 million (roughly US$49 million) for the pilot programs, involving more than 250 private and public organizations across Europe.
The large-scale pilots, known in the digital wallet space lingo as LSPs, are designed to prepare the EU for the rollout of the EUDI Wallet. Potential Consortium is in charge of pilots covering six areas, including Electronic Government services, Account opening, SIM registration, Mobile Driving Licence, Remote Qualified Electronic Signature, and Electronic Prescription. It is one of four consortiums that the Commission has chosen to conduct the large-scale pilots.
In June, European Commission revealed that the EUDI technical specifications will be released in the coming weeks. At the end of this month, the Council and Parliament of the European Union reached a tentative agreement on updating the eIDAS regulation, which governs EU public service access and transactions, and the EUDI Wallet.
NXP experts pitches SESIP for certification standards
While some are building pilots, others are working on making the EUDI Wallet interoperable across EU countries and, more importantly, safe.
NXP security certification expert, Fabien Deboyser, argues in an article for Identity Week that one way to ensure its safety is the Security Evaluation Standard for IoT Platforms (SESIP) methodology, an internationally standardized for security.
EUDI Wallet is facing a raft of challenges: Thanks to its wealth of data it is a new attractive target for cyberattacks. It has to ensure user privacy and consent according to GDPR rules while setting up security certification standards and guidelines that cover the entire lifecycle of the EUDI wallet, from manufacturing to updates and all the way to product retirement.
The wallet needs to maintain its resistance even in the future when attacks using quantum computing are expected. At the same time, it will be based on a smartphone, meaning it will have to take into account things like software updates, drained batteries and poor connection.
Deboyser says SESIP is a good fit for the EUDI Wallet ecosystem because it is accessible and usable. SESIP Protection Profiles are easy to create.
It is also reusable: The SESIP evaluation methodology enables the reuse of certifications for individual parts, to allow certification by composition approach, says Debosyer. This will simplify the certification process and bypass the need for individual testing and evaluation of previously certified parts.
Do not make the same mistakes as Covid certificates, says Innopay
As work heats up on the pan-European digital wallet some are warning against repeating the mistakes of the Digital COVID Certificate, which became a part of the UN World Health Organization’s Global Digital Health Certification Network on July 1st.
Vincent Jansen, partner at Innopay, and Eefje van der Harst, former Innopay employee and current member of the Dutch Association of Healthcare Providers for Healthcare Communication (VZVZ), say they have a solution – involving more private companies.
Because of time pressures, hasty decisions were made in the COVID Certificate system saddling it with privacy, security and usability weaknesses. With the EUDI Wallet, the main concern is that the development would take a “very public-led and centralized approach, and will not take into account the needs and also the capabilities of the private sector,” they write.
One area in which Jansen and van der Hast see room for improvement is digital identity verification. The eIDAS Regulation already enables public sector services to digitally verify citizens’ identities in many countries. Digital identity verification across borders should be extended to the private sector, they argue.
According to the EU’s plans, only data that is necessary for a specific service or transaction will be obtained by the EUDI Wallet. But the duo sees room to introduce an accreditation process for specific types of verifiers.
“If we don’t learn the lessons from the shortcomings of the EU’s Digital COVID Certificate, the proposed European Digital Identity Wallet will fail to achieve its full potential,” the duo writes. “We must involve the private sector to help to deliver a better-balanced design – with regards to privacy, security, interoperability and usability – that works for all ecosystem players.”