EUDI Wallet: what are the mechanisms and guarantees of the trust model?

26 February 2025

The European Digital Wallet is set to revolutionize digital identity management in Europe, offering all citizens a secure and recognized way to use their identity across Member States. Millions of people will be able to store and present electronic attestations of identity attributes, while public and private institutions can reliably utilize this information.

To ensure the adoption and security of this digital wallet, all stakeholders—citizens, public organizations, businesses, and more—must have confidence that the system is built on strong principles of trust and security.

With this in mind, standardization efforts are underway, and iDAKTO is actively contributing to their development. Below is an overview of how the future EUDI Wallet will function and the trust mechanisms that underpin it.

The different entities and their role in the trust ecosystem

PID Providers

These entities are responsible for verifying and validating an individual’s identity, playing a key role in establishing trust between physical and digital identities. They must adhere to a high level of assurance (LoA High) and comply with European regulations and their implementing acts. Additionally, they publish lists of compatible wallets.

Wallet Providers

Whether Member States or authorized actors, wallet providers must ensure that at least one PID provider can issue identifiers compatible with their solution. They may also publish lists of compatible identity and attestation providers, allowing users to verify that their data will be recognized by a given wallet.

Electronic Attestation Providers

These entities issue electronic attestations that certify specific user attributes, such as rights, qualifications, or personal characteristics. For example, they can validate a driver’s license, eligibility for public services, or any other verifiable proof needed in the digital ecosystem.

Relying Parties (Service Providers)

Service providers leverage the wallet to offer secure access to their platforms. Acceptance of the wallet may be voluntary or mandated by regulation. Entities required to support it include:

  • Member States for their online services
  • Banks and businesses requiring strong authentication
  • Large online platforms (VLOPs) that need verified identification for access

Entities participating in this ecosystem and interacting with the European Digital Wallet must meet several prerequisites:
✅ Be registered in Trust Lists
✅ Be identified/authenticated using electronic certificates

Figure 1: Trust Model Schema – Source: ARF

Trust Lists: The pillars of the European Digital Wallet’s trust model

Introduced by the eIDAS Regulation in 2014, the concept of Trust Lists requires Member States to establish, maintain, and publish “trusted lists of qualified trust service providers and the services they provide.”

At the heart of the EUDI Wallet ecosystem, this trust list model has been expanded to include all actors in the system, ensuring reliability and interoperability. Any entity operating within this environment must be registered, enhancing transparency and security at the European level.

Trust lists include:

  • Entities and the services they provide
  • Associated information, such as electronic certificates, allowing authentication of these entities

The registration process and entity obligations are governed by eIDAS and its implementing regulations, requiring strict management and audit practices, particularly for qualified providers.

Registration and Requirements for Trust List Entities

For Wallet Providers

Every wallet provider must register on a dedicated trust list, managed at the national level. This includes:

  • The provider itself
  • Its certified wallet solution, listed in its home Member State’s trust list

Once validated, the Member State notifies the European Commission. If the registration and notification processes are successful, the provider’s Trust Anchor (root certificate) is added to a dedicated wallet trust list.

When issuing a PID or attestation, the PID provider or attestation provider can rely on these trust anchors to verify the authenticity of a Wallet Unit Attestation (WUA) signed by the wallet provider.

Once registered, the wallet provider can activate wallet units for end-users.

🔹 Prerequisites & Requirements:

  • Certification ensuring secure design
  • Functional certification ensuring interoperability with entities
  • Continuous monitoring & incident management
  • Technical support for users

For Qualified & Public Sector Attestation Providers (Pub/Q-EAA Providers)

These entities must register on a specific trust list, managed nationally, and obtain an access certificate issued by a Certificate Authority (CA).

This access certificate authenticates attestation providers to wallets, ensuring their legitimacy.

To enable third parties to validate electronic attestations, the provider’s Trust Anchor (root certificate) is also registered on a dedicated attestation trust list.

Certificate Authorities responsible for issuing access certificates must also be registered in a specific trust list, ensuring transparency and security.

🔹 Requirements:

  • Publish terms of service and policies
  • Conduct risk assessments
  • Comply with security & management standards

Public sector attestation providers must undergo audits—likely based on existing standards—to match the reliability level of qualified providers in identity and attribute verification.

PID Providers follow a similar process to Electronic Attribute Attestation Providers.

For Relying Parties (Service Providers)

Any service provider that wants to interact with digital wallets must also register on a specific trust list at the national level and obtain an access certificate.

As with other entities, an access certificate is issued by a Certificate Authority, allowing authentication with wallets.

A dedicated Relying Party Instance Access CA trust list ensures the reliability of this process.

Additionally, a specific registration certificate is issued to service providers, specifying which user data they are authorized to request.

🔹 Prerequisites & Requirements:

  • Registration via the European Commission’s procedures
  • Submission of company details & intended wallet use
  • Full transparency on the types of data requested from users
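
The two verification paths described above (a PID or attestation provider checking a WUA against the wallet trust list, and a wallet checking a relying party's access certificate and registration certificate), sketched as an added Node.js example that is not iDAKTO's or the ARF's own code. Ed25519-signed JSON objects stand in for X.509 certificates and WUAs, and every name used (`acceptWua`, `checkRequest`, `WalletProvider-A`, `AccessCA-1`, `shop.example`, the attribute identifiers) is an assumption made for illustration; the registration certificate is treated as already validated.

```javascript
// Added example. Keys, names and JSON shapes are constructed for illustration;
// real WUAs and certificates use the formats defined by the applicable standards.
const crypto = require('crypto');

const newKey = () => crypto.generateKeyPairSync('ed25519');
const pem = (k) => k.publicKey.export({ type: 'spki', format: 'pem' });
// A signed statement stands in for a certificate, attestation or request.
const sign = (key, issuer, body) => ({
  issuer, body,
  sig: crypto.sign(null, Buffer.from(JSON.stringify(body)), key.privateKey).toString('base64'),
});
const verify = (pubPem, st) =>
  crypto.verify(null, Buffer.from(JSON.stringify(st.body)), pubPem, Buffer.from(st.sig, 'base64'));

// Only an anchor published in the trust list can vouch for a statement.
function verifiedByTrustList(trustList, st) {
  const anchor = trustList.get(st.issuer);
  return anchor !== undefined && verify(anchor, st);
}

// PID/attestation provider side: accept a WUA only from a listed wallet provider.
const acceptWua = (walletTrustList, wua) => verifiedByTrustList(walletTrustList, wua);

// Wallet side. `registration` is assumed to be an already validated registration certificate.
function checkRequest(accessCaTrustList, accessCert, registration, request) {
  if (!verifiedByTrustList(accessCaTrustList, accessCert)) return { ok: false, reason: 'untrusted access CA' };
  if (!verify(accessCert.body.publicKey, request)) return { ok: false, reason: 'bad request signature' };
  if (registration.subject !== accessCert.body.subject) return { ok: false, reason: 'subject mismatch' };
  const excess = request.body.attributes.filter((a) => !registration.authorized.includes(a));
  return excess.length ? { ok: false, reason: 'over-asking', excess } : { ok: true };
}

// Constructed demo data.
const walletProvider = newKey(), rogue = newKey(), accessCa = newKey(), rp = newKey();
const walletTrustList = new Map([['WalletProvider-A', pem(walletProvider)]]);
const accessCaTrustList = new Map([['AccessCA-1', pem(accessCa)]]);
const goodWua = sign(walletProvider, 'WalletProvider-A', { walletUnit: 'unit-123' });
const forgedWua = sign(rogue, 'WalletProvider-A', { walletUnit: 'unit-123' }); // claims a listed issuer
const accessCert = sign(accessCa, 'AccessCA-1', { subject: 'shop.example', publicKey: pem(rp) });
const registration = { subject: 'shop.example', authorized: ['age_over_18'] };
const okReq = sign(rp, 'shop.example', { attributes: ['age_over_18'] });
const greedyReq = sign(rp, 'shop.example', { attributes: ['age_over_18', 'family_name'] });

console.log(acceptWua(walletTrustList, goodWua), acceptWua(walletTrustList, forgedWua));
console.log(checkRequest(accessCaTrustList, accessCert, registration, greedyReq));
```

Naming a listed issuer is not enough: the forged WUA is rejected because its signature does not verify under the anchor published for that issuer, and the second request is refused because it asks for an attribute outside the registration certificate.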

Two key questions remain about Trust Lists

Who will manage current and future trust lists?
Member States must designate a national authority responsible for creating, updating, and publishing these lists. New trust lists will also be required for the EUDI Wallet ecosystem.

What will be the formats of the new trusted lists?
Current ETSI TS 119 612 standards do not account for wallet providers, PID providers, or certificate authorities. Work is underway to adapt and define new standards for these entities.

In summary

The success and adoption of the European Digital Wallet largely depend on the trust users have in managing their digital identity independently. Trust List mechanisms ensure reliability, transparency, and interoperability. However, updates are needed to accommodate the wallet ecosystem’s unique requirements, particularly regarding trust list management and format.

As we move towards the EUDI Wallet’s implementation, collaboration and standardization efforts will be critical in establishing a robust trust framework. Through active participation in standardization bodies such as ETSI, iDAKTO remains committed to enhancing trust and security in this ecosystem.