Is the UK falling behind Europe on digital identity security?

By Eleanor Burns, Director at IDnow

As the UK accelerates its shift towards digital identity, a crucial question is coming to the fore: is enough being done to secure these new systems against rising cyber threats?

Across Europe, many countries have already embedded powerful cybersecurity and regulatory measures into their national digital identity platforms. 

By championing innovation and ensuring that robust security standards and legal frameworks are in place to protect their citizens, these countries are creating effective digital identity ecosystems. 

The UK is currently navigating a more fragmented and uncertain route to digital identity. 

Though progress is being made, there are concerns that without urgent, coordinated action, the nation risks playing catch-up with its European counterparts – potentially with consequences for data security and public trust.

The UK and digital identity to date

Launched in 2016, GOV.UK Verify provided a single sign-on for government services, but it struggled to gain traction among the public. With low uptake and a lack of support from key governmental departments, it was shut down in 2023.

Its replacement is now being rolled out: GOV.UK One Login has been redesigned to address what went wrong with its predecessor, and to streamline access to public services through a more secure and user-friendly platform. 

However, the full integration of GOV.UK One Login is still underway, and questions remain about how quickly it can be adopted and how comprehensively it will address cybersecurity concerns.

The UK’s regulatory framework also lacks the legal weight that underpins the European Union’s eIDAS 2.0 regulation, which mandates high standards for electronic identification and trust services across the continent. 

Presently, the UK’s Digital Identity and Attributes Trust Framework (DIATF) is largely voluntary, with limited enforcement, which could be limiting consistency across sectors and delaying wider adoption of a much-needed regulatory framework.

Lessons from the EU

Many EU countries typify how a well-regulated, secure approach to digital identity services can facilitate broad adoption while maintaining elevated levels of user trust. Let’s look at two prominent examples, Germany and France. 

Germany’s national ID system is weighty: it is built on a foundation of enforceable federal legislation and uses chip-based technology with end-to-end encryption, giving citizens control over the data they choose to share and with whom.

Digital identity systems in France are supported by strong encryption, stringent state controls, and secure smartcard infrastructure – all backed by government guarantees.

The France Identité Numérique initiative – a secure mobile app that is tied directly to citizens’ national ID cards – is rapidly maturing. The app integrates biometric verification and government-issued credentials, all supported by the eIDAS 2.0 framework. 

Crucially, both countries’ digital identity efforts are coordinated at both a national and European level, which aligns technical standards and security protocols. 

By embracing innovation while embedding vital protections into the foundation of their systems, they embolden their citizens to use these technologies without compromising their trust. 

Dematerialised IDs: a double-edged sword?

The UK can learn a lot from the EU when it comes to digital identity processes, but what are the risks? 

Of course, dematerialised identity documents – wholly digital credentials stored on smartphones or accessed via the cloud – offer convenient and flexible ways for people to verify who they say they are for official purposes. 

However, they also create new avenues for fraud, data breaches, and misuse if not effectively secured.

Cybercriminals are always looking for ways to exploit weaknesses in onboarding processes or in the way attributes are verified and stored. Without physical elements to verify, the risk of synthetic identity fraud increases when we dematerialise documents. 

As the UK looks to catch up with digital identity progress in the EU, the need for multi-factor authentication, biometric verification, and tamper-proof digital credentials will be more critical than ever before.

If the UK does not implement these robust safeguards at the heart of all its digital identity pursuits, the entire shift could present significant challenges rather than being of benefit to all.

Find the digital identity experts

Given that dematerialised identities raise their own security questions, protecting the UK’s first steps into a wider digital identity infrastructure cannot fall solely to the government. 

Fintechs, identity verification providers, and cybersecurity experts will always play a critical role in developing and maintaining robust, user-friendly solutions that can integrate seamlessly with official processes.

In particular, the financial services sector can provide vital insights on managing large-scale digital onboarding and fraud prevention, offering lessons and technologies that could be used in state-wide digital ID verification.

Greater collaboration between the UK government and industry could help catalyse innovation while ensuring that security protocols are never an afterthought. 

Cybersecurity expertise through the UK’s National Cyber Security Centre (NCSC) can also continue to provide invaluable advice and best-practice guidelines as we look to protect our citizens’ identities. 

Whatever we do, the ultimate goal must be to weave all industry expertise into enforceable standards that both public and private sector actors adhere to going forward. 

The cost of inaction

Cybercriminals are already targeting digital identity systems with increasingly sophisticated techniques, especially with the advent of AI and LLMs. 

As the shift to dematerialised identity gathers pace, the UK must address its digital identity security gaps now, or risk more than reputational damage. 

The inordinate financial costs of identity fraud – already rising year-on-year – could increase dramatically. More importantly, if the UK gets off on the wrong foot, all-important public trust in these new systems could be eroded before they are even fully in place, resulting in the sluggish or inconsistent adoption we’ve seen before.

Without strong security measures and a powerful regulatory framework, the significant investment in systems could become the weak link in the UK’s growing digital economy.

A way forward

To avoid falling further behind our European counterparts, the UK must take decisive steps in the pursuit of dematerialised identity adoption.

Here are some calls to action we’d like the UK government to recognise:

• Introduce legally binding standards for digital identity providers, which are aligned with best practices from the EU’s eIDAS 2.0 regulation.
• Invest in an innovative security infrastructure that supports biometric verification, cryptographic processes, and user consent management.
• Generate greater public awareness about the benefits and safeguards of digital identity, to build trust and drive adoption.
  

Ultimately, the UK has an opportunity to learn from the EU – and leap forward. This will only happen if we treat cybersecurity not as an add-on, but as the mainstay of our digital identity future.

Now is the time for bold, coordinated, and concerted action. Anything less and the UK may become a digital identity follower, rather than a leader.

About the author

Ellie Burns joined IDnow in 2023 following more than a decade working in the global fraud and identity space including positions at ThreatMetrix, LexisNexis Risk Solutions and, most recently, Onfido,

Article Topics

digital ID  |  digital identity  |  Europe  |  identity security  |  IDnow  |  UK