What types of organizations can be credential issuers for EUDI Wallets?

The eIDAS 2.0 framework distinguishes between Person Identification Data (PID) issuers and qualified/non-qualified electronic attestation issuers. PID issuers are exclusively government agencies that issue core identity credentials (name, date of birth, nationality). Qualified Electronic Attestation of Attributes (QEAA) issuers are organizations certified to issue high-assurance credentials like diplomas, professional licenses, or health certificates. Non-qualified attestation issuers can provide lower-assurance credentials like loyalty cards or membership attestations. All issuers must be registered and comply with the applicable trust framework requirements.

How does the credential issuance process work technically?

Credential issuance follows the OpenID for Verifiable Credential Issuance (OpenID4VCI) protocol. The user authenticates with the issuer (e.g., via eID card or existing identity verification), the issuer verifies the user identity and prepares the credential data, the EUDI Wallet generates a key pair and sends the public key to the issuer, the issuer creates the credential (in SD-JWT or mdoc format), signs it with the issuer private key, and delivers it to the wallet. The credential is then bound to the wallet device through the embedded public key, preventing unauthorized transfer.

How are credential issuers trusted across EU borders?

Cross-border trust is established through the EU Trusted Lists. Each member state maintains a list of authorized issuers and their certificates. These national lists are aggregated at the EU level. When a verifier in one country receives a credential issued in another country, it checks the issuer certificate against the EU Trusted Lists. If the issuer is listed, the credential is accepted. This mechanism ensures that a French driving license issued to an EUDI Wallet is recognized at a German car rental agency.

Credential Issuer (Attester) - EUDI Wallet Glossary

Credential Issuer

core

Full Name: Credential Issuer (Attester)

Definition

A credential issuer, also known as an attester in the eIDAS 2.0 terminology, is an authorized organization that creates, cryptographically signs, and delivers verifiable credentials to EUDI Wallets. The issuer attests to the truthfulness of the claims within the credential -- for example, that a person was born on a certain date, holds a specific degree, or is licensed to practice a profession. Credential issuers are one of the three core roles in the EUDI trust triangle, alongside wallet holders and relying parties (verifiers).

Types of Credential Issuers

The eIDAS 2.0 framework defines a hierarchy of issuer types based on the assurance level of the credentials they produce:

•PID Providers: Government agencies authorized to issue Person Identification Data -- the core identity credential containing name, date of birth, nationality, and a unique identifier. Each member state designates one or more PID providers. Examples include the Bundesdruckerei in Germany, ANTS in France, and the RvIG in the Netherlands.
•QEAA Issuers: Organizations certified to issue Qualified Electronic Attestations of Attributes. These carry the highest trust level for non-PID credentials and have legal equivalence to their physical counterparts. Examples include driving license authorities, universities issuing diplomas under the European Learning Model, and healthcare authorities issuing European Health Insurance Cards.
•EAA Issuers: Providers of non-qualified Electronic Attestations of Attributes. These have lower regulatory requirements but still participate in the trust framework. Examples include employers issuing employee badges, membership organizations, and commercial service providers.

The Issuance Protocol (OpenID4VCI)

The EUDI Wallet uses the OpenID for Verifiable Credential Issuance (OpenID4VCI) protocol for all credential issuance. The protocol supports two flows:

Authorization Code Flow: The most common flow, where the user initiates issuance through the wallet. The wallet directs the user to the issuer's authentication page, where they verify their identity (using eID card, biometrics, or existing credentials). After authentication, the issuer provides an authorization code that the wallet exchanges for the credential. This flow ensures the user actively consents to receiving the credential.

Pre-authorized Code Flow: Used when the issuer initiates the issuance -- for example, when a university wants to push a diploma to a graduate's wallet. The issuer generates a pre-authorized code (often as a QR code or deep link) that the user scans with their wallet. The wallet then retrieves the credential using this code without a separate authentication step.

In both flows, the wallet generates a cryptographic key pair and includes the public key in the credential request. The issuer embeds this public key in the credential, binding it to the wallet's device. The credential is signed with the issuer's private key, creating a verifiable chain from the credential content through the issuer to the EU Trusted List.

Examples of Credential Issuers

•Ministry of Interior (ID cards): Issues the Person Identification Data credential containing the citizen's legal identity
•Universities (diplomas): Issue academic credential attestations under the European Learning Model standard
•Healthcare authorities (vaccination records): Issue health credentials following EU Digital COVID Certificate-style standards
•Driving license authorities: Issue mobile driving licenses (mDL) in ISO 18013-5 mdoc format

What is a credential issuer in the EUDI Wallet ecosystem?

Credential Issuer: Who Issues EUDI Wallet Credentials

Credential Issuer

Definition

Types of Credential Issuers

The Issuance Protocol (OpenID4VCI)

Examples of Credential Issuers

Related Terms

Verifiable Credentials

Attestation

Frequently Asked Questions

Verwandte Leitfäden

→ Glossary Index

→ Verifiable Credentials

→ Attestation

Quellen

⚠️ Independent Information