Failover: Automatic System Switching for EUDI Wallet Availability

Last updated: 2/9/2026

Full Name: Automatic Failover

Definition

Failover is an automated operational process in which a backup system component (server, database, network path, or entire data center) takes over when the primary component fails, becomes unavailable, or performs below acceptable thresholds. The transition happens automatically and rapidly -- typically within seconds to minutes -- minimizing service disruption. For the EUDI Wallet ecosystem, failover mechanisms are essential because digital identity services must be available around the clock for credential verification at border crossings, healthcare access, financial transactions, and government services across the entire European Union.

Failover Architecture in EUDI Wallet Infrastructure

EUDI Wallet backend services implement failover at every infrastructure layer to eliminate single points of failure:

  • Application tier: Multiple instances of each service run behind a load balancer. Health check probes continuously verify instance availability. If an instance fails health checks, the load balancer stops sending traffic to it and distributes requests among remaining healthy instances. New instances are automatically provisioned to replace failed ones (self-healing).
  • Database tier: Primary databases replicate data synchronously to standby replicas. If the primary fails, the standby is promoted to primary automatically. For read-heavy services like Trusted List lookups, read replicas distribute query load and provide redundancy. Connection poolers manage the transition transparently to application servers.
  • Network tier: Multiple network paths, redundant switches, and diverse internet transit providers ensure no single network failure isolates a data center. BGP anycast routing enables automatic traffic redirection at the network level.
  • Regional tier: Services are deployed across multiple EU regions (e.g., Frankfurt and Amsterdam). DNS-based global load balancing directs users to the nearest healthy region. If an entire region becomes unavailable, traffic automatically routes to surviving regions within minutes.

Client-Side Failover in the EUDI Wallet App

Failover is not limited to server infrastructure. The EUDI Wallet mobile application itself implements client-side failover mechanisms:

The wallet maintains a list of backend endpoint URLs for each service (credential issuance, revocation checking, backup). If the primary endpoint is unreachable, the wallet automatically tries secondary endpoints. Request retry logic with exponential backoff prevents overwhelming recovering servers. For credential presentation, the wallet falls back to offline verification data (cached Trusted Lists and CRLs) if online services are temporarily unavailable.

This client-side resilience means that even during a significant backend outage, the wallet continues to function for most use cases. New credential issuance may be temporarily unavailable, but existing credentials can still be presented and verified using cached trust data. The user experience degrades gracefully rather than failing completely, which is essential for an infrastructure serving hundreds of millions of citizens.
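
The client-side behaviour described above (ordered endpoint list, retries with exponential backoff, fallback to cached trust data) can be sketched as follows. This is an added example, not code from the EUDI Wallet reference implementation; the endpoint URLs, function names and the max_cache_age freshness limit are assumptions made for illustration.

```python
import random
import time

class AllEndpointsFailed(Exception):
    """No endpoint answered and the cached copy is missing or too old."""

def fetch_with_failover(endpoints, fetch, cache, max_cache_age, attempts=3,
                        base_delay=0.5, max_delay=8.0,
                        now=time.time, sleep=time.sleep):
    """Return (data, source); source is the endpoint URL used or "cache"."""
    for attempt in range(attempts):
        for url in endpoints:              # primary first, then secondaries
            try:
                data = fetch(url)
            except OSError:                # refused, timed out, DNS failure
                continue
            cache.update(data=data, fetched_at=now())
            return data, url
        if attempt < attempts - 1:
            # Exponential backoff with full jitter between rounds, capped,
            # so recovering servers are not hit by synchronized retries.
            sleep(random.uniform(0, min(max_delay, base_delay * 2 ** attempt)))
    # Offline fallback: accept cached trust data only while it is fresh.
    # max_cache_age is an assumed policy value; stale data fails closed.
    age = now() - cache.get("fetched_at", float("-inf"))
    if "data" in cache and age <= max_cache_age:
        return cache["data"], "cache"
    raise AllEndpointsFailed(f"{len(endpoints)} endpoints down, cache unusable")

# Constructed sample input: hypothetical endpoints and a simulated outage.
ENDPOINTS = ["https://revocation-a.example.invalid/crl",
             "https://revocation-b.example.invalid/crl"]

def simulated_fetch(down):
    """Build a fetch() that fails for every URL in `down` (no network used)."""
    def fetch(url):
        if url in down:
            raise ConnectionError(f"unreachable: {url}")
        return {"crl_from": url}
    return fetch

if __name__ == "__main__":
    cache, no_sleep = {}, lambda s: None
    # Primary down: the secondary endpoint answers and refreshes the cache.
    print(fetch_with_failover(ENDPOINTS, simulated_fetch({ENDPOINTS[0]}),
                              cache, max_cache_age=3600, sleep=no_sleep))
    # Full outage: the still-fresh cached copy is returned instead.
    print(fetch_with_failover(ENDPOINTS, simulated_fetch(set(ENDPOINTS)),
                              cache, max_cache_age=3600, sleep=no_sleep))
```

The freshness check is the security-relevant part: a wallet or verifier that accepts cached revocation data without an age limit would keep honouring credentials revoked during a long outage.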

Monitoring and Alerting for Failover Events

Effective failover requires comprehensive monitoring to detect failures and trigger responses quickly:

EUDI service operators deploy multi-layer monitoring: infrastructure monitoring tracks CPU, memory, disk, and network metrics; application monitoring tracks request latency, error rates, and throughput; synthetic monitoring simulates real user interactions to detect issues before users are affected; and distributed tracing tracks requests across microservices to identify bottlenecks and failures in complex call chains.

When failover events occur, automated alerts notify the operations team with full context: what failed, when it failed, what failover action was taken, and whether the failover succeeded. Post-incident reviews analyze root causes and improve both the primary system reliability and the failover mechanisms. Key metrics tracked include Mean Time To Detect (MTTD), Mean Time To Failover (MTTF), and Mean Time To Recovery (MTTR).

Sources

Information verified against official sources (2/16/2026)

  1. EU Digital Identity Wallet - European Commission
  2. ENISA - Cloud Security Guide
