ARF: Architecture Reference Framework

Last updated: 2/9/2026 | Reading time: 4 min

ARF

technical

Full Name: Architecture Reference Framework

Current Version: 2.7.3

Definition

Technical specification (currently version 2.7.3) defining interoperability standards, security requirements, and common technical approaches for EUDI Wallet implementations across all EU member states.

Version History and Evolution

The Architecture Reference Framework has evolved significantly since its inception. Understanding its version history reveals how the technical vision for the EUDI Wallet has matured through iterative refinement.

Version 1.0 (January 2023): The initial release established the foundational concepts of the wallet architecture, including the roles of issuers, holders, and verifiers. It defined the core wallet components (WSCD, WSCA, Wallet Instance) and outlined the basic credential lifecycle. This version drew heavily on existing standards like ISO/IEC 18013-5 for mobile driving licences and the W3C Verifiable Credentials Data Model.

Version 1.2-1.4 (2023): Subsequent releases refined the security architecture, introduced the concept of Wallet Trust Evidence, and clarified the PID issuance flows. These versions incorporated early feedback from the Large Scale Pilots (LSPs) that were running in parallel.

Version 2.0 (2024): A major revision that aligned the ARF with the final text of the eIDAS 2.0 regulation as adopted. It introduced detailed specifications for credential formats (SD-JWT VC and ISO mdoc), proximity and remote presentation protocols, and the trust infrastructure components.

Version 2.7.3 (current): The latest version incorporates lessons learned from all four Large Scale Pilots, addresses interoperability challenges discovered during testing, and provides more detailed implementation guidance. It includes refined specifications for batch issuance (for unlinkability), the wallet attestation mechanism, and the relying party registration framework.

Who Maintains the ARF

The ARF is developed and maintained through a collaborative governance structure involving multiple stakeholders across the European Union.

European Commission (DG CNECT): The Directorate-General for Communications Networks, Content and Technology leads the overall coordination of the ARF. The Commission sets the strategic direction, manages the publication process, and ensures alignment with the legal framework.

eIDAS Expert Group: A formal group composed of member state representatives and technical experts that reviews and provides input on each ARF version. Each of the 27 member states has appointed experts who participate in the group, ensuring that national perspectives and technical constraints are considered.

Large Scale Pilots (LSPs): Four EU-funded pilot projects, namely the EU Digital Identity Wallet Consortium (EWC), POTENTIAL, NOBID, and DC4EU, test the ARF specifications in real-world scenarios and feed back their findings. These pilots cover use cases ranging from travel and payments to education and health.

Public consultation: Each major ARF version is published on GitHub and undergoes public review. Standardization bodies, industry stakeholders, privacy advocates, and the general public can submit comments and proposals. This open process has resulted in significant improvements to privacy protections, security requirements, and technical specifications.

What the ARF Defines

The ARF is a comprehensive document covering all technical aspects of the EUDI Wallet ecosystem. Its scope includes the following key areas.

Wallet architecture: The internal structure of the wallet application, including the Wallet Instance (the user-facing app), the Wallet Secure Cryptographic Application (WSCA), and the Wallet Secure Cryptographic Device (WSCD). The ARF specifies how these components interact, what security properties they must provide, and how keys are managed.

Credential formats: The ARF specifies two credential formats. SD-JWT VC (Selective Disclosure JSON Web Token Verifiable Credential), based on IETF standards, is the primary format for most attestations. ISO mdoc (ISO/IEC 18013-5), originally designed for mobile driving licences, is used for proximity presentation scenarios. Both formats support selective disclosure.
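The selective disclosure mentioned above works, in the IETF SD-JWT format, by signing salted hashes of claims rather than the claims themselves. The following Python code is an added example, not taken from the ARF or from this page: it shows the issuer hiding claims behind digests and a verifier accepting only disclosures bound to the signed payload. Issuer signature checking and holder key binding are assumed to happen elsewhere; the function names and the sample attestation are constructed for illustration.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(name, value) -> str:
    # Issuer side: a disclosure is base64url(JSON [salt, claim name, claim value]).
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def disclosure_digest(disclosure: str) -> str:
    # The digest covers the encoded disclosure string, not the decoded JSON.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(claims: dict, always_visible: set):
    # Returns the payload the issuer would sign, plus one disclosure per hidden claim.
    payload = {k: v for k, v in claims.items() if k in always_visible}
    disclosures = {k: make_disclosure(k, v)
                   for k, v in claims.items() if k not in always_visible}
    payload["_sd"] = sorted(disclosure_digest(d) for d in disclosures.values())
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures

def verify_presentation(payload: dict, presented: list) -> dict:
    # Assumption: the issuer signature over `payload` was already verified.
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    signed_digests = set(payload.get("_sd", []))
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    used = set()
    for d in presented:
        dg = disclosure_digest(d)
        if dg not in signed_digests or dg in used:
            raise ValueError("disclosure is not bound to the signed payload")
        used.add(dg)
        salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        if name in claims or name in ("_sd", "_sd_alg"):
            raise ValueError("disclosed claim collides with an existing claim")
        claims[name] = value
    return claims

# Constructed sample attestation (not real PID data).
SAMPLE = {"iss": "https://issuer.example", "given_name": "Erika",
          "birthdate": "1990-01-01", "age_over_18": True}

def demo() -> dict:
    # Holder reveals only age_over_18; name and birthdate stay hidden.
    payload, disclosures = issue(SAMPLE, always_visible={"iss"})
    return verify_presentation(payload, [disclosures["age_over_18"]])
```

The verifier in `demo()` learns the issuer and the `age_over_18` flag only; the undisclosed claims appear to it as opaque digests in `_sd`.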

Protocols: The ARF defines the protocols for credential issuance (based on OpenID4VCI), credential presentation both online (OpenID4VP) and in-person (ISO 18013-5 device engagement), wallet attestation (how a relying party verifies that it is communicating with a genuine certified wallet), and PID issuance flows.

Trust infrastructure: The ARF specifies how trust is established and verified across the ecosystem. This includes trusted lists of issuers, relying party registration and authentication, revocation mechanisms for credentials, and the role of qualified trust service providers.

Security requirements: Detailed security requirements for each component, including cryptographic algorithm specifications, key management practices, secure element requirements, and threat mitigation strategies. The ARF also defines the security evaluation criteria that wallets must meet during certification.

Role in Standardization: ETSI and ISO Mapping

The ARF does not exist in isolation. It deliberately builds upon and references established international standards, creating a coherent standards ecosystem for the EUDI Wallet.

ETSI (European Telecommunications Standards Institute): ETSI's Technical Committee on Electronic Signatures and Infrastructures (TC ESI) develops standards that directly support the ARF. Key ETSI standards include EN 319 411 for trust service provider requirements, EN 319 421 for timestamp policies, TS 119 461 for identity proofing, and the emerging TS 119 476 specifically for EUDI Wallet profiles.

ISO/IEC standards: The ARF references several ISO standards, most notably ISO/IEC 18013-5 for mobile driving licence presentation protocols (particularly for in-person verification), ISO/IEC 23220 for the broader mobile eID framework, and ISO/IEC 15408 (Common Criteria) for security certification of the WSCD.

IETF (Internet Engineering Task Force): For online protocols, the ARF builds on IETF standards including OAuth 2.0, OpenID Connect, SD-JWT (draft standard for selective disclosure), and DPoP (Demonstrating Proof of Possession) for token binding.

W3C (World Wide Web Consortium): The Verifiable Credentials Data Model from W3C provides the conceptual foundation for the credential ecosystem, although the ARF uses SD-JWT VC as the specific format rather than W3C's JSON-LD Verifiable Credentials.

The ARF and Large Scale Pilots

The European Commission launched four Large Scale Pilots (LSPs) to test the ARF specifications in practice before the full rollout. These pilots are essential for validating that the architecture works in real-world conditions.

EU Digital Identity Wallet Consortium (EWC): Focuses on travel and organizational identity use cases. Tests scenarios like digital travel credentials, hotel check-in, and airline boarding using EUDI Wallet credentials.

POTENTIAL: The largest pilot with over 60 partners across 19 countries. Tests use cases including eGovernment services, account opening at banks, SIM registration for mobile operators, and digital payments.

NOBID: A Nordic-Baltic pilot focusing on payment and credential use cases. Tests wallet-based payment authorization and strong customer authentication for PSD2 compliance.

DC4EU: Focuses on education and social security credentials. Tests scenarios like cross-border diploma verification, professional qualification recognition, and social security entitlement portability.

Feedback from all four pilots continuously informs ARF updates, ensuring the specification is practically implementable.


Sources

Information verified against official sources (2/16/2026)

