eID Card: Electronic Identity Cards as the Foundation for EUDI Wallets

An eID card is a physical identity document with an embedded chip containing digital certificates for electronic identification and authentication. eID cards serve as the foundation for EUDI Wallet activation in many EU Member States, enabling citizens to prove their identity and receive digital credentials.

The chip embedded in eID cards is a sophisticated secure element that implements multiple security layers to protect the stored identity data:

• •PACE (Password Authenticated Connection Establishment): Before any data exchange, the reader (smartphone) and chip establish an encrypted channel using a shared secret derived from the card's CAN (Card Access Number) or MRZ (Machine Readable Zone). This prevents unauthorized reading of the chip by requiring physical access to the card.
• •Active Authentication: The chip proves it is genuine (not a clone) by performing a cryptographic operation with its private key, which cannot be extracted from the hardware. This prevents chip cloning attacks.
• •Passive Authentication: All data on the chip is digitally signed by the issuing country using a Document Signer Certificate. This allows any reader to verify that the data has not been tampered with since issuance.
• •Extended Access Control (EAC): Sensitive data like fingerprints and iris scans is protected by additional access control requiring the reader to present a certificate authorized by the issuing country. Only authorized terminals (border control, law enforcement) can access biometric data.

The process of converting a physical eID card into a digital EUDI Wallet credential represents a critical trust bridge between the physical and digital identity worlds. The activation flow typically follows these steps:

The citizen downloads the EUDI Wallet app and initiates activation. The app instructs them to hold their eID card against the phone's NFC reader. The PACE protocol establishes a secure channel. The app reads the identity data from the chip and verifies the document signer signature (passive authentication). The chip performs active authentication to prove it is not cloned. The verified identity data is sent to the national PID provider over a secure TLS connection.

The PID provider validates the identity data, cross-references it with the national population register, and issues a PID credential via OpenID4VCI bound to the wallet's device keys. The citizen now has a digital credential in their wallet that is as trustworthy as the physical eID card it was derived from, but far more versatile -- it supports selective disclosure, cross-border recognition, and remote presentation.

• •German Personalausweis (nPA): Issued since 2010 with eID function. The AusweisApp2 enables smartphone-based reading. Supports online identification for government and private-sector services. Over 60 million cards issued with eID capability.
• •Belgian eID: One of Europe's earliest national eID systems (2003). Contains two certificates: one for authentication and one for digital signatures. Integrated with Belgian government services and banking.
• •Estonian ID-kaart: The foundation of Estonia's digital society. Used for online voting, healthcare access, tax filing, and business registration. Contains two 2048-bit RSA certificates (migrating to ECC). Over 99% of banking transactions in Estonia use eID.
• •Italian CIE (Carta d'Identità Elettronica): Polycarbonate card with contactless chip issued since 2016. Supports CIE authentication protocol for Italian government services and EUDI Wallet activation.