The European Digital Identity (EUDI) Wallet aims to offer digital wallets to all EU citizens and businesses for identification purposes and document storage. eIDAS experts have presented an outline for the architecture of an "eIDAS Toolbox" referencing the architecture in recent months. Here we provide an outline of the key players in the EUDI Wallet Ecosystem, from the national bodies to the end users.
End Users of the European Digital Identity Wallet
End Users, whether natural or legal persons, will be the ones actively engaging with and using the EUDI Wallet. For instance, end users would be able to store confidential electronic documents such as passport copies, utility bills and identity cards within their wallet. Additionally, these end users would have access to a secure platform in order to prove their identity and produce qualified electronic signatures (QES) and seals to sign legal documents when needed.
The eligibility criteria regarding who can use an EUDI Wallet is left up the individual countries’ national laws and is not compulsory. This allows for flexibility so that all those interested in utilizing the system are able to do so regardless of where they are from. This could potentially benefit millions of people around the world seeking simpler and safer ways to prove their identity electronically.
EUDI Wallet Providers
The EUDI Wallet Provider is a pivotal part of the EU Digital Identity (EUDI) system, providing end users with access to the wallet and its services. The providers are responsible for ensuring that all EUDI wallet components follow the relevant legal and regulatory requirements in each member state. This includes making sure customer information and personal data is protected, as well as upholding customer privacy rights. Additionally, they are expected to stay up-to-date on technical developments related to the wallet and keep their systems maintained and secure.
EUDI Wallet Providers are expected to provide access to their services in accordance with national laws and regulations. Detailed terms of engagement between each provider and End User must be defined clearly before any service is rendered – this agreement will reflect how funds exchange happens, fees for using wallets or other value-added services, dispute resolution mechanisms, liability provisions etc.
Device Manufacturers and Related Entities
Device Manufacturers are now developing products that offer integrated wallet solutions for convenience and ease-of-use for their customers. EUDI wallets provide users with a secure interface to interact with their devices, allowing them to store money or other data. These wallets can also be used as a payment platform by supporting online access from different merchants and transferring funds from one device to another. Additionally, the wallets could feature sensors such as smartphone cameras, IR cameras, microphones, Bluetooth Low Energy (BLE) connections and Near Field Communication (NFC)-enabled technologies that allow for offline communication between two devices.
Person Identification Data Providers (PID)
PID providers are trusted entities charged with verifying the identity of EUDI wallet users and providing secure PIDs to the EUDI wallet. This typically entails collecting data from sources available in the country, such as a national ID card or driver’s license, to validate the user’s identity. Additionally, a PID provider is responsible for ensuring that information remains confidential and cannot be used for other purposes besides identity verification. Furthermore, the provider must make available relevant information regarding the validity of each PID so that the Relying Parties can verify it accurately.
PID Providers are trusted entities responsible for:
- The identity of the EUDI Wallet User is being verified to meet the high requirements of LoA compliance.
- A PID is being issued to the EUDI Wallet in a standardized and coordinated format.
- Providing information for parties to verify the validity of the PID.
Qualified Electronic Attestation of Attributes (QEAA) Providers
Qualified Electronic Attestation of Attributes (QEAA) is a secure method for issuing and verifying digital identities, ensuring that individuals can maintain their privacy and identity over the internet. QEAAs are provided to individuals through Qualified Trust Service Providers (QTSPs).
QTSPs are responsible for maintaining an interface that offers the requesting and the delivery of secure QEAAs to users with their EUDI Wallets – digital wallets which store multiple elements verifying that person’s identity. The interface also enables other trusted third parties to verify the attributes supplied with each QEAA.
QEAA providers themselves provide information or locations directing users to services that can be used to enquire about the validity status of any given attestations without allowing them to access any information regarding how these attestations were utilized. This ensures that users’ information remain secure but still allows organizations to know the details of those accessing its services from behind a computer screen.
Non-Qualified Electronic Attestation of Attributes (EAA) Providers
Any trust service provider (TSP) may offer non-qualified EAA. It's likely that the rules for provision, use and recognition of EAA are mainly regulated by legal or contractual frameworks different from eIDAS, although the TSPs will be monitored by eIDAS.
Qualified and Non-Qualified Certificate for Electronic Signature/Seal Providers
The EUDI Wallet enables users to easily create qualified electronic signatures or seals, in several configurations, of which the most important option is to have the EUDI Wallet is to implement secure authentication as part of a remote QSCD managed by a Qualified Trust Service Provider (QTSP). This approach ensures that digital documents are firmly linked to the identity of the creator by using digital certificates. As a result, users can confidently use their qualified electronic signatures or seals for secure online transactions and signing or sealing personal documents with legal value.
Providers of other Trust Services
Future versions of the European Digital Identity Architecture and Reference Framework – Outline may include providers offering additional qualified or non-qualified Trust Services, such as timestamps.
In addition to providing timestamps, several other types of trust services could be included in the ARF. These services include encryption measures, identity verification systems, document certification systems, data security protocols, digital certificate policies and more. All these measures can help ensure the authenticity and validity of applications or documents being exchanged via the web or over digital networks in general. As technology advances and newer trust services become available it is likely that providers offering such services will be eligible for inclusion in future versions of the ARF.
Authentic Sources refer to repositories or systems, recognized or mandated by law, that contain information regarding natural or legal persons' attributes. These sources include information on address, age, gender, civil status, family composition, nationality, education and training qualifications, titles and licenses, professional qualifications, titles and licenses, public permits and licenses, financial and company data.
They are also required to provide interfaces to Qualified Electronic Authentication Assurance Providers (QEAA) which enable them to verify the accuracy of these attributes. For existing data sources to qualify as an “authentic source” they must be recognized by law or deemed reliable by the appropriate legal entities.
The purpose of requiring authentication by QEAA Providers is to protect both businesses and customers from fraud or misrepresentation that online services can make vulnerable too. By having access to reliable authority sources of information linked with a compliant digital verification process businesses can ensure that their customers really are who they claim they are while providing increased confidence in digital transactions across a broad range of industries.
Relying Parties are the natural or legal entities that utilize digital identification for the verification of a person's identity. In the European Union, this process is facilitated by the EUDI Wallet, an electronic digital wallet designed to receive, store and access personal data provided voluntarily by users through an online service. The relying party makes use of the stored attributes within the Person ID (PID) dataset to authenticate a user or establish trust.
The Relying Party's role is primarily to facilitate the verification process by establishing a secure interface with and performing mutual authentication against the EUDI Wallet. They must take responsibility for accurately carrying out procedures for authenticating PIDs and Qualified Electronic Audiences (QEAAs). It is important for Relying Parties to implement effective measures to protect their users’ data from security threats and verify that all received information is indeed genuine before allowing access. Furthermore, proper governance must be maintained to ensure that data privacy rights are respected at each point of communication in order to help guarantee a smooth and secure process throughout.
Conformity Assessment Bodies (CAB)
All wallets must be audited through the comprehensive process of certification by accredited public or private bodies designated by the respective Member State. Conformity Assessment Bodies (CABs) are entities that are authorized by different regulatory bodies to assess and certify a product or service's compliance with specific standards or regulations. In particular, CABs are necessary for the EUDI Wallets to become certified for distribution within the European Union.
Additionally, Qualified Trust Service Providers (QTSPs) must undergo regular audits conducted by CABs in order to remain compliant with regulations and ensure ongoing safety and validity of services provided. CABs assume responsibility for enforcing security policy controls and monitoring user access while also ensuring effective privacy and data protection measures.
The Supervisory Bodies are notified to the European Commission by the Member States to supervise QTSPs and take action, if necessary, in relation to non-qualified Trust Service Providers.
Various terms must be followed by European Commission if it wants to approve a Supervisory Body from any Member State. Firstly, it must certify that the proposed Supervisory Body has been established by its home state, as well as has enough expertise and experience in trust services management. Furthermore, this body must also have enough resources to conduct periodic inspections of trust service providers, along with being unbiased towards the industry being overseen. Upon successfully meeting these criteria, authorization will be given by the Commission to supervise QTSPs.
Qualified and Non-Qualified Electronic Attestation of Attributes Schema Providers
Qualified and Non-Qualified Electronic Attestation of Attributes (Q/EAA) Schema Providers are entities responsible for publishing standardized schemas and vocabularies which assist in establishing the structure, meaning, and validity of Q/EAAs. By providing an established format for users to create or evaluate these documents, Q/EAA Schema Providers are essential in promoting the widespread adoption of (Q)EAAs.
National Accreditation Bodies
National Accreditation Bodies (NAB) constituted under Regulation (EC) No 765/2008 are assigned to perform accreditation of Conformity Assessment Bodies (CABs) with authority derived from the respective Member States. In this context, they also act as monitors for CABs that have been issued an accreditation certificate. The role NABs play is to ensure that all regulatory requirements for product certification are fulfilled and any deviations from the chosen standards shall be duly reported.
The CABs themselves serve as competent and independent professionals who certify products through establishing the requirement legislations, specifications and protection profiles. Thus, these documentation files provide necessary guidance to NABs regarding their accreditation process of the CABs. It is therefore imperative that precise records of all prescribed steps within a particular Certification Body must be available and maintained by the respective National Accreditation Body responsible for auditing them at regular intervals.
Get more information
To gain a more thorough understanding of the roles within the EUDI Wallet ecosystem, contact Cryptomathic to discuss your requirements with one of our experts, or consult the European Digital Identity Wallet Architecture and Reference Framework.