Europe needs decentralized digital identity infrastructure, policy paper argues

Over the past years, European nations have made significant progress in digital identity: The EU has established eIDAS 2.0, Switzerland made its eID Act, while the UK has created its own digital identity framework. Europe, however, still lacks a governance framework to protect the identity layer from both commercial and state capture, according to a new policy brief from the European Decentralization Institute.

The non-profit think tank argues that the answer is in decentralization and digital subsidiarity – a system in which identity credentials are issued by governments but belong to citizens, while verification is provided by IDV service providers. Only the minimum necessary governance sits at the supranational level, according to the paper titled Digital Identity as the Foundation of European Sovereignty.

The analysis compares 19 national and subnational digital ID systems worldwide based on their governance models, revealing two opposing approaches. The first are countries that depend heavily on commercial services, such as the UK and the U.S., whose Login.gov service relies on LexisNexus, a commercial data broker that aggregates personal records from internet sources for identity proofing.

The opposite approach is a centralized state-issued digital ID. This reflex to solve commercialization, however, creates a different concentration of control, this time in the hands of government actors, as shown in the case of India’s Aadhaar system, the paper argues.

An alternative exists in distributed, citizen-controlled, standards-based architecture and Europe, as well as countries such as Switzerland, Bhutan, Canada, Japan, and Australia, have already taken steps towards that model. What is preventing them from achieving this goal is not the lack of technology but the lack of an infrastructure governance model.

“The EUDI Wallet, Swiyu, and the UK trust framework all move in this direction,” the document notes. “The next step is ensuring that the wallet and credential infrastructure itself is not concentrated in a small number of operators, whether public authorities or private organizations, whose governance falls short of adequate democratic accountability.”

The policy paper sets out four priorities for the next 36 months to achieve the goal of decentralized digital ID, including enshrining control over digital ID as a fundamental right and mandating distributed issuance and revocation through local governments.

EU lawmakers would also have to build regulatory protections against identity overreach by mandating unlinkability-by-default, sector-specific credential-scope regulations, and a Digital Identity Ombudsman within national data protection authorities. Finally, countries should adopt a pan-European Identity Trust Framework grounded in open standards, the paper says.

“Decisions taken now about who controls the credential infrastructure, how issuance is administered, what verification may request, and how the governance rules of the system can be changed will be difficult and expensive to undo once infrastructure has hardened and vendor relationships have locked in,” it notes.

The policy paper also explains the reasons for moving to a model that includes decentralization and digital subsidiarity. Identity is the primary interface between citizens and their rights. In other words, if a citizen cannot control how they prove who they are, every other digital right depends on the goodwill of whoever owns the underlying infrastructure.

A decentralized identity infrastructure also offers greater cybersecurity and interoperability through open protocols rather than proprietary systems. Finally, a decentralized architecture ensures that digital identity infrastructures are democratically accountable, according to the authors.

The paper is co-authored by Roman Beck, the institute’s founder and professor at Bentley University, alongside Wessel Reijers, Morshed Mannan, Victoria Citterio-Soelle and Alessandro Malventano.

Article Topics

decentralized ID  |  digital identity  |  Europe  |  open standards  |  tech sovereignty  |  trust framework