EUDI Wallet struggling with standardization and regulatory changes

Europe is just 15 months away from the December 2026 deadline for offering a digital ID wallet to all EU citizens. Organizations such as the EU Agency for Cybersecurity (ENISA) are now rushing to establish the standards and protocols for the upcoming European Digital Identity (EUDI) Wallet – and many challenges remain, according to Eric Vetillard, ENISA’s lead certification expert.

ENISA has been focusing on areas that can be used by all national digital ID schemes. With standards, the agency already has “a good idea” about where they stand.

“We’re now looking into much more of the details and really mapping, one by one, the lines and the requirements of the [Architecture and reference framework] ARF to see the precise gaps that we have,” Vetillard said at the 11th Trust Services and eID Forum.

The Forum, organized by ENISA in collaboration with the European Commission, was held in Split, Croatia, on September 24th and 25th, inviting trust services providers, conformity assessment bodies, policy makers and other stakeholders.

“We know that member states are, at the same time, developing national schemes that they need to put in place. We’re trying to do a few things that will help them,” says Vetillard.

One of ENISA’s main tasks is cybersecurity certifications, including certifying key components within the EUDI Wallet scheme. This area is yet to be clarified, with questions arising on whether “sub-certificates” should exist for each component.

“I’m afraid it’s not going to be that smooth,” says Vetillard.

Another issue that needs to be dealt with is assurance levels. A “high-level” assurance in the EU Cybersecurity Act and the eIDAS, the regulation governing digital IDs, are completely different things.

“That’s going to be kind of the ghost that keeps on coming on our back all the time,” says Vetillard.

The Trust Services and eID Forum discussed many other topics, including the interplay between eIDAS 2.0 and other legislative frameworks, including the Cyber Resilience Act (CRA), EU Chips Act and NIS2 Directive (NISD2). The regulatory landscape affecting trust services and eID has been changing, inviting new challenges for the EU Digital Identity Framework.

Boryana Uri of TÜV Austria presented changes brought by the eIDAS Amendment and the challenges facing Conformity Assessment Bodies (CABs) which audit and certify services to Qualified Trust Service Providers (QTSPs).

As a CAB, TÜV is now dealing with missing implementing regulations and a lack of clarity on details and timelines, says Uri. But amendments of eIDAS have also brought positive impacts.

One of them updated the requirements for a qualified trust service provider (QTSP) under Article 24.

“The big change is actually for the alternative identification methods, like video identification methods, like video identification or identification based on AI and so on, where, until now, we had the need or the requirement that such methods has to be recognized on a national level,” says Uri. “This requirement is no longer there.”

This is good news for QTSPs and identification service providers to work together if they are from different countries. The different national requirements meant that pages of documentation would have to be submitted before collaboration could commence.

The changes are bringing new opportunities for businesses as they can immediately issue qualified certificates to a person identified through video identification and AI-based identification, allowing them to access different services from banking to insurance.

“I think that’s a really big opportunity for identification service providers and also for QTSPs to work all around the Member States,” says Uri.

Article Topics

digital ID  |  digital wallets  |  ENISA  |  EU  |  EU Digital Identity Wallet  |  Identity Service Providers (IDSP)  |  Qualified Trust Service Provider (QTSP)  |  standards