Disaster Recovery: Ensuring EUDI Wallet Service Continuity

Last updated: 2/9/2026
Reading time: 4 min

Full Name: Disaster Recovery Planning

Definition

Disaster recovery (DR) is a complete framework of strategies, policies, tools, and procedures designed to enable the recovery or continuation of vital technology infrastructure and systems after a natural or human-induced disaster. For EUDI Wallet services, disaster recovery is a critical requirement because the digital identity infrastructure is foundational for hundreds of millions of EU citizens. A prolonged outage of credential verification or issuance services could disrupt government services, healthcare access, financial transactions, and cross-border travel across the entire European Union.

DR Architecture for EUDI Wallet Backend Services

EUDI Wallet backend services implement disaster recovery at multiple architectural levels:

Multi-region deployment: Critical services are deployed across at least two geographically separated EU data center regions (e.g., Frankfurt and Amsterdam, or Paris and Dublin). Active-active configurations serve traffic from both regions simultaneously, while active-passive configurations maintain a warm standby that can be promoted within minutes. Geographic separation ensures that a regional disaster (flood, power grid failure) affects only one deployment.

Data replication: Databases storing credential metadata, Trusted Lists, revocation status, and audit logs use synchronous or asynchronous replication depending on the recovery point objective (RPO), the maximum amount of data loss, measured in time, that the service can tolerate. Trusted List data uses synchronous replication (zero data loss) because inconsistency could lead to incorrect credential verification decisions. Audit logs may use asynchronous replication with a few minutes of acceptable lag.

Infrastructure as Code: All EUDI service infrastructure is defined in version-controlled templates (Terraform, Kubernetes manifests). If an entire deployment must be rebuilt from scratch in a new region, the infrastructure can be provisioned automatically in minutes rather than days. Combined with data backups, this enables full environment reconstruction as a last-resort DR strategy.

User-Level Credential Recovery

Disaster recovery also applies at the individual user level. When a user loses their device, their credentials are lost because the device-bound private keys cannot be recovered. The EUDI Wallet addresses this through a structured recovery process:

  • Wallet backup: The wallet periodically backs up an encrypted inventory of held credentials, issuer information, and user preferences to a secure cloud storage location. This backup does not contain private keys or actual credential data -- only the metadata needed to reconstruct the wallet state.
  • Account recovery: The user authenticates to their wallet provider (using backup authentication methods like email, phone, or in-person verification) to restore their wallet profile on a new device.
  • Credential re-issuance: Using the restored backup metadata, the wallet contacts each credential issuer via OpenID4VCI to request re-issuance. The user authenticates to each issuer (potentially using their national eID as the initial credential), and fresh credentials are issued bound to the new device's secure element keys.
  • Old device revocation: The wallet provider revokes the old wallet instance, ensuring any credentials on the lost device are flagged as invalid if someone attempts to use them.
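
The backup and re-issuance steps above can be checked mechanically. The following is an added example, not code from the EUDI Wallet project: it validates a backup inventory against an allow-list so that key material or credential data cannot slip into the backup, then groups the entries into a per-issuer re-issuance plan. The schema, field names, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Hypothetical backup schema (field names are assumptions, not from a spec).
ALLOWED_TOP = {"wallet_instance_id", "credentials", "preferences"}
REQUIRED_CRED = {"issuer", "credential_type"}
ALLOWED_CRED = REQUIRED_CRED | {"issued_at"}


def validate_inventory(inv):
    """Return violations; an empty list means every credential entry is metadata-only."""
    problems = [f"unexpected field: {k}" for k in sorted(set(inv) - ALLOWED_TOP)]
    for i, cred in enumerate(inv.get("credentials", [])):
        keys = set(cred)
        problems += [f"credentials[{i}]: unexpected field: {k}"
                     for k in sorted(keys - ALLOWED_CRED)]
        problems += [f"credentials[{i}]: missing field: {k}"
                     for k in sorted(REQUIRED_CRED - keys)]
        # Values must be plain strings so nothing can be nested under an allowed key.
        problems += [f"credentials[{i}].{k}: not a string"
                     for k in sorted(keys & ALLOWED_CRED) if not isinstance(cred[k], str)]
    return problems


def reissuance_plan(inv):
    """Map each issuer to the credential types to request again on the new device."""
    problems = validate_inventory(inv)
    if problems:
        raise ValueError("; ".join(problems))
    plan = defaultdict(list)
    for cred in inv["credentials"]:
        plan[cred["issuer"]].append(cred["credential_type"])
    return {issuer: sorted(types) for issuer, types in plan.items()}


# Constructed sample data.
GOOD = {
    "wallet_instance_id": "wi-0001",
    "credentials": [
        {"issuer": "https://issuer-a.example", "credential_type": "pid", "issued_at": "2026-01-10"},
        {"issuer": "https://issuer-b.example", "credential_type": "diploma"},
        {"issuer": "https://issuer-a.example", "credential_type": "driving_licence"},
    ],
    "preferences": {"language": "de"},
}
BAD = {**GOOD, "credentials": [
    {"issuer": "https://issuer-a.example", "credential_type": "pid",
     "private_key": "<placeholder>", "credential_data": "<placeholder>"},
]}

if __name__ == "__main__":
    print(reissuance_plan(GOOD))
    print(validate_inventory(BAD))
```

An allow-list is used rather than a list of forbidden names because a deny-list only catches the field names someone thought of in advance.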

Testing and Compliance Requirements

DR plans are only reliable if they are regularly tested. EUDI Wallet service operators are expected to conduct disaster recovery exercises including: tabletop exercises simulating various disaster scenarios, planned failover tests where traffic is deliberately switched to backup regions, chaos engineering practices that introduce controlled failures to verify resilience, and full DR drills that simulate complete regional loss. Results are documented and used to improve DR procedures.

The eIDAS 2.0 implementing acts and ENISA guidelines require wallet providers to maintain and demonstrate disaster recovery capabilities as part of their certification. This includes documented DR plans, defined recovery time objective (RTO) and recovery point objective (RPO) targets for each service component, evidence of regular DR testing, and third-party audit results. Providers that cannot demonstrate adequate DR capabilities cannot obtain or maintain their EUDI Wallet provider certification.

⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.