Trust Framework: Digital Identity Trust Framework

Last updated: 2/9/2026. Reading time: 5 min

Full Name: Digital Identity Trust Framework

Definition

A Trust Framework is a complete governance structure that defines the rules, policies, technical standards, legal obligations, and operational procedures governing how digital identity credentials are issued, managed, verified, and trusted across organizations, sectors, and national borders. In the context of the EUDI Wallet, the trust framework established by eIDAS 2.0 is the foundational governance layer that enables the entire European digital identity ecosystem. It specifies the roles and responsibilities of all participants (wallet providers, credential issuers, verifiers, and trust service providers), the certification and supervision requirements they must meet, the technical standards they must implement, and the legal framework within which they operate. The EU Trusted Lists serve as the machine-readable expression of the trust framework, providing an authoritative registry of all authorized entities that wallets and verifiers can query in real-time to establish trust. Without this trust framework, the interoperability promise of the EUDI Wallet -- where a credential issued in any member state is recognized and trusted across all 27 EU countries -- would be impossible to achieve.

Components of the EUDI Wallet Trust Framework

The EUDI Wallet trust framework comprises several interlocking components that together create a complete governance system. The legal foundation is provided by the eIDAS 2.0 Regulation and its implementing acts, which define the legal status of digital identity credentials, the obligations of ecosystem participants, and the rights of citizens. These legal instruments establish that qualified electronic attestations of attributes (QEAAs) issued under the trust framework have the same legal effect as their paper equivalents across all EU member states, creating the legal certainty necessary for widespread adoption.

The technical standards component defines the protocols, data formats, and security requirements that all participants must implement. This includes the credential formats (SD-JWT and ISO 18013-5 mDoc), the issuance protocol (OpenID4VCI), the presentation protocol (OpenID4VP), the trust registry query mechanisms, and the minimum security requirements for wallet implementations (including TEE-based key storage and biometric authentication). By mandating common technical standards, the trust framework ensures that any compliant wallet can interact with any compliant issuer or verifier, regardless of vendor or national implementation differences.

The certification and supervision component establishes the process by which participants demonstrate compliance with trust framework requirements before they are allowed to participate in the ecosystem. Wallet providers must undergo security certification (evaluated against Common Criteria protection profiles), credential issuers must demonstrate their authorization and technical compliance, and QTSPs must meet the stringent requirements for qualified trust services. National supervisory bodies monitor ongoing compliance, and the EU Trusted Lists are updated to reflect the current certification status of all participants.

Trust Framework Governance and the EU Trusted Lists

The EU Trusted Lists are the operational core of the trust framework, serving as the authoritative source of truth about which entities are authorized to participate in the EUDI Wallet ecosystem. Each member state maintains its own Trusted List, which is a digitally signed, machine-readable document listing all qualified trust service providers, certified wallet providers, and authorized credential issuers operating under that member state's supervision. These national lists are aggregated into an EU-wide Trusted List that any participant can query.

When a verifier receives a credential presentation, the trust chain validation process begins by checking the credential issuer's certificate against the EU Trusted Lists. If the issuer appears on the list with an active certification status, the verifier can trust that the issuer has been properly vetted, meets the required security standards, and is authorized to issue that type of credential. This automated trust chain eliminates the need for bilateral trust agreements between every pair of participants, scaling the system from point-to-point trust to ecosystem-wide trust through a common reference point.

The governance of the Trusted Lists follows a federated model where national supervisory bodies are responsible for maintaining the accuracy of their national lists, while the European Commission provides coordination and the common technical framework for list publication and discovery. Updates to the lists (adding new participants, revoking certifications, changing status) propagate through a defined timeline to ensure that all ecosystem participants have access to current trust information. The lists are protected by digital signatures from the publishing authority, preventing tampering.
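The verifier-side check described above, as an added example that is not code from the original page or from any EUDI reference implementation: it authenticates a list snapshot, rejects a stale one, then requires the issuer to be listed, active, and authorized for the credential type. The JSON layout, the field names, the 24-hour freshness window, and the HMAC standing in for the publishing authority's asymmetric signature are all assumptions made so the block runs with the standard library alone.

```python
import hashlib
import hmac
import json

MAX_LIST_AGE = 24 * 3600  # assumed freshness window; the page states no figure

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint used as the lookup key for an issuer certificate."""
    return hashlib.sha256(cert_der).hexdigest()

def sign_list(list_bytes: bytes, key: bytes) -> str:
    # Stand-in only: HMAC replaces the publishing authority's asymmetric signature.
    return hmac.new(key, list_bytes, hashlib.sha256).hexdigest()

def check_issuer(list_bytes, signature, key, issuer_cert, credential_type, now):
    """Return (trusted, reason). Every failure path denies (fail closed)."""
    # 1. Authenticate the list before parsing anything in it.
    if not hmac.compare_digest(sign_list(list_bytes, key), signature):
        return False, "list signature invalid"
    try:
        tl = json.loads(list_bytes)
        # 2. Reject a stale snapshot: it may predate a revocation.
        if now - tl["issued_at"] > MAX_LIST_AGE:
            return False, "list stale"
        # 3. The issuer must be listed, active, and authorized for this type.
        entry = tl["entries"].get(fingerprint(issuer_cert))
        if entry is None:
            return False, "issuer not listed"
        if entry["status"] != "active":
            return False, "issuer status " + str(entry["status"])
        if credential_type not in entry["credential_types"]:
            return False, "issuer not authorized for credential type"
    except (ValueError, KeyError, AttributeError, TypeError):
        return False, "list malformed"
    return True, "ok"

# Constructed sample data (not real certificates or list entries).
KEY, NOW = b"constructed-demo-key", 1_800_000_000
CERT_A, CERT_B = b"constructed issuer cert A", b"constructed issuer cert B"

def build_sample_list(issued_at=NOW - 3600):
    doc = {"issued_at": issued_at, "entries": {
        fingerprint(CERT_A): {"status": "active", "credential_types": ["driving_licence"]},
        fingerprint(CERT_B): {"status": "revoked", "credential_types": ["diploma"]},
    }}
    raw = json.dumps(doc, sort_keys=True).encode()
    return raw, sign_list(raw, KEY)

if __name__ == "__main__":
    raw, sig = build_sample_list()
    for cert, ctype in [(CERT_A, "driving_licence"), (CERT_B, "diploma"), (b"unlisted", "diploma")]:
        print(check_issuer(raw, sig, KEY, cert, ctype, NOW))
```

Checking the signature before parsing means a tampered status field is rejected as an invalid list rather than evaluated as data.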

Cross-Border Trust and Interoperability

The primary achievement of the EUDI Wallet trust framework is enabling cross-border trust at scale. Under the trust framework, a driving licence credential issued by the German government is automatically recognized when presented to a car rental service in Spain, because both the German issuer and the Spanish verifier operate within the same trust framework and can validate each other's authorization through the EU Trusted Lists. This cross-border recognition was the central challenge that eIDAS 2.0 was designed to solve, as previous eIDAS infrastructure (the eIDAS node network) had limited adoption and could only handle authentication, not attribute sharing.

Interoperability within the trust framework extends beyond government credentials to the private sector. The eIDAS 2.0 trust framework allows private-sector entities to become credential issuers (issuing electronic attestations of attributes such as diplomas, professional qualifications, or membership certificates) and requires very large online platforms (VLOPs) and public services to accept EUDI Wallet presentations. This creates a common identity infrastructure that spans both the public and private sectors across all 27 member states, something that no previous identity framework has achieved.

The trust framework also addresses the governance challenge of mutual recognition by defining common assurance levels. Credentials issued under the trust framework carry defined levels of assurance (based on the identity proofing process, credential security, and issuer certification level) that allow verifiers to make informed trust decisions. A verifier requiring high assurance (such as a financial institution for anti-money-laundering compliance) can verify that a credential meets the appropriate assurance level, while a verifier requiring lower assurance (such as an age verification for online content) can accept credentials with a broader range of assurance levels.

Trust Framework Evolution and Future Development

The EUDI Wallet trust framework is designed to evolve as the ecosystem matures and new requirements emerge. The eIDAS 2.0 Regulation provides for implementing acts and delegated acts that can update technical standards, add new credential types, and refine governance procedures without requiring a full legislative revision. This flexibility is essential for a technology-dependent framework that must adapt to evolving security threats, new cryptographic standards, and changing societal needs.

International interoperability is a key area of future development. While the current trust framework focuses on the EU and EEA, discussions are underway to establish mutual recognition agreements with non-EU countries and regions developing similar digital identity frameworks (such as the UK, Canada, Australia, and various ASEAN nations). These agreements would extend the trust framework beyond EU borders, allowing EUDI Wallet holders to use their credentials internationally and non-EU credential holders to participate in the EU ecosystem under defined conditions.

The trust framework will also need to address emerging challenges such as post-quantum cryptography migration (ensuring the trust infrastructure remains secure as quantum computing advances), AI-generated identity fraud (strengthening identity proofing requirements to counter deepfake and synthetic identity attacks), and the governance of new credential types (such as health credentials, professional certifications, and corporate identity attributes) as the ecosystem expands beyond the initial set of government-issued credentials.

⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.
