The European Commission has now published its first version of a common EU Toolbox in order to implement the European Digital Identity Wallet (EUDI Wallet). This Toolbox includes the core technical Architecture and Reference Framework - a set of common standards and technical specifications as well as guidelines and best practices
This outcome leads to a planned and determined drive for secure digital identification for all European people, which may perhaps set the benchmark for the rest of the world.
The Framework can be found here: European Digital Identity Architecture and Reference Framework – Outline.
You can read an introduction to eIDAS 2.0 in our previous article.
Roles in the EUDI Wallet Ecosystem
The underlying illustration sets out the architecture of the EUDI Wallet ecosystem and details the various roles and process flows:
The potential roles are:
1. End Users of EUDI Wallets
End users are defined as natural or legal persons that will be using the wallets to send, receive, store and share attestations and personal attributes about themselves which would be used to prove identity. End users will be able to produce qualified electronic signatures and seals (QES) using an EUDI Wallet.
Who can be a User of an EUDI Wallet by citizens depends on national law and will not be mandatory.
2. EUDI Wallet Providers
They are Member States or organizations mandated or recognized by Member States that make the EUDI Wallet available to End Users. The terms and conditions of the mandate or recognition would be determined by each Member State.
EUDI Wallet Providers are responsible for ensuring compliance with the requirements.
3. Person Identification Data Providers (PID)
PID providers are trusted entities and are responsible for verifying the identity of the EUDI Wallet user, maintaining an interface to securely provide PID to the EUDI Wallet, and making information available for Relying Parties to verify the validity of the PID, without receiving any information about the PID's use.
PID Providers are trusted entities responsible for:
- Verifying the identity of the EUDI Wallet User in compliance with LoA high requirements,
- Issuing PID to the EUDI Wallet in a harmonized common format,
- Making available information for Relying Parties to verify the validity of the PID.
4. Trusted List Providers
The specific status of a role in the EUDI Wallet ecosystem needs to be verified. Such roles are:
- EUDI Wallet Providers
- Person Identification Data Providers
- Qualified Electronic Attestation of Attributes (QEAA) providers
- Qualified certificate for electronic signature/seal (QC) providers
- Relying Parties
- Non-qualified Electronic Attestation of Attributes (EAA) providers
- Non-qualified certificate for electronic signature/seal providers
- Providers of other Trust Services
- Catalogue of attributes and schemes for the attestations of attribute providers
5. Qualified Electronic Attestation of Attributes (QEAA) Providers
Qualified EAA are provided by QTSPs. QEAA providers maintain an interface for requesting and providing QEAAs, including a mutual authentication interface with EUDI Wallets and potentially an interface towards Authentic Sources to verify attributes.
QEAA Providers provide information or the location of the services that can be used to enquire about the validity status of the QEAAs, without having an ability to receive any information about the use of the attestations.
6. Non-Qualified Electronic Attestation of Attributes (EAA) Providers
Non-qualified EAA can be provided by any Trust Service Provider. While they are supervised under eIDAS, it can be assumed that other legal or contractual frameworks than eIDAS mostly govern the rules for provision, use and recognition of EAA.
7. Qualified and Non-Qualified Certificate for Electronic Signature/Seal Providers
The EUDI Wallet enables the user to create qualified electronic signatures or seals. This can be achieved in two ways:
- The EUDI Wallet is certified as a qualified signature/seal creation device (QSCD),
- It implements secure authentication as a part of a local or remote QSCD managed by a QTSP.
8. Providers of other Trust Services
Providers of other qualified or non-qualified Trust Services such as timestamps may be further expanded in future versions of the ARF.
9. Authentic Sources
Authentic Sources are the public or private repositories or systems recognized or required by law containing attributes about a natural or legal persons. Authentic sources are sources for attributes on address, age, gender, civil status, family composition, nationality, education and training qualifications titles and licenses, professional qualifications titles and licenses, public permits and licenses, financial and company data.
Authentic Sources are required to provide interfaces to QEAA Providers to verify the authenticity of the above attributes, either directly or via designated intermediaries recognized at a national level.
10. Relying Parties
Relying Parties are natural or legal persons that rely upon an electronic identification or a Trust Service. Relying Parties need to maintain an interface with the EUDI Wallet to request the necessary attributes within the PID dataset with mutual authentication. Relying parties are responsible for carrying out the procedure for authenticating PID and (Q)EAA.
11. Conformity Assessment Bodies (CAB)
The EUDI Wallets must be certified by accredited public or private bodies designated by Member States. QTSPs need to be audited regularly by Conformity Assessment Bodies (CABs).
12. Supervisory Bodies
The supervisory bodies are notified to the Commission by the Member States, which supervise QTSPs and take action, if necessary, in relation to non-qualified Trust Service Providers.
13. Device Manufacturers and Related Entities
EUDI Wallets will have a number of interfaces with the devices they are based on, which may be for purposes such as local storage, online Internet access, sensors such as smartphone cameras, IR sensors, microphones, etc, offline communication channels such as Bluetooth Low Energy (BLE), WIFI Aware, Near Field Communication (NFC) as well as emitters such as screens, flashlights, speakers etc, and smart cards and secure elements.
14. Qualified and Non-Qualified Electronic Attestation of Attributes Schema Providers
(Q)EAA Schema Providers publish schemas and vocabularies describing (Q)EAA structure and semantics. It may enable other entities such as Relying Parties to discover and validate (Q)EAA. Common schemas, including by sector-specific organizations are critical for widespread adoption of (Q)EAAs.
15. National Accreditation Bodies
National Accreditation Bodies (NAB) under Regulation (EC) No 765/2008 are the bodies in Member States that perform accreditation with authority derived from the Member State. NABs accredit CABs as competent, independent, and supervised professional certification bodies in charge of certifying products/services/processes against normative document(s) establishing the requirements (e.g., legislations, specifications, protection profiles). NABs monitor the CABs to which they have issued an accreditation certificate.
IMPORTANT: Please note that the above-mentioned information provides only a brief summary of the possible roles within the EUDI Wallet ecosystem. For more detailed information, it is strongly advised that you refer to the European Digital Identity Wallet Architecture and Reference Framework.
The eIDAS 2.0 Roadmap & Toolbox
The initial planning of the European Commission is detailed in the following Roadmap:
Now that the Toolbox European Digital Identity Framework and Toolbox has been published by the EU Commission, EU States now need to prepare their versions of EUDI wallets to be built to common standards in preparation for launch in 2024.
The Toolbox explains everything the Member States need to construct the proper technological infrastructure to support the EDIW and implement it. It will include a collection of common standards, technical references, practices, and recommendations. It shall also describe everything the Member States need to construct the appropriate technical infrastructure to support the EUDI Wallet and to implement it. The collection of common standards, technical references, practices, and guidelines has now been provided.
The following illustration details the eIDAS toolbox mapped into SSI architecture:
The illustration details how the Wallet should have 4 functions:
- Identification and authentication,
- Verifiability of the validity of the evidence by third parties throughout Europe,
- Secure storage and presentation of verified identities and their data and
- Generation of qualified electronic signatures and seals.
Building the Toolbox - How can you prepare for eIDAS 2.0?
In preparation for development and final rollout of the European Digital Identity (EUDI) Wallet, speak to Utimaco about the range of solutions that your organization requires as a part of your toolbox. An example of some of the services and solutions that Utimaco provides for the purpose of fulfilling EU Toolbox compliance requirements are:
• Qualified Trust Services for secure digital identity wallets
- Qualified certificates for electronic signatures & seals
- Remote Qualified Signature/ Seal Creation Devices (QSCD)
- Enhancing log-on security with strong authentication, alongside regulations such as PSD2 SCA
- Mutual authentication between the EUDI Wallet and external entities
- Payment authentication with a high degree of security
• Data Encryption
- Data may need to be stored or moved between different storage components, local or remote. Therefore, sensitive personal data requires secure storage and encryption
• EUDI Wallet Secure Cryptographic Device
- The EUDI wallet should support cryptographic algorithms and processes and provide a secure environment for those. This can be a Hardware Security Module.
Please speak to us for further information in order to discuss your requirements.