Thought leadership

Do traditional IAM systems have a future?

5. The European Digital Wallet, eIDAS 2.0 and the ARF

We now have the great good fortune – and at the same time the curse – that this paradigm has penetrated so far that it is seen as a relevant approach at every regulatory level. There are currently efforts to raise the European eID law, the so-called eIDAS regulation, to a new level 2.0. Inherently linked to this is a European Digital Identity Wallet. eIDAS 2.0 is therefore meant to enable not only personal identification and regulatory signatures, but also the management of precisely those non-sovereign documents that I have just listed. Ideally, both the proofs issued by the administration itself and the proofs issued by private-sector companies (employee ID cards, admission tickets) should be managed in the EU Digital Identity Wallet.

EUDIW - The EU Digital Identity Wallet is coming

However, some complexities still need to be resolved: it is not ideal for lawyers or political decision-makers to write technical specifications. This has led to a group of experts drafting the Architecture and Reference Framework (ARF) for the EU. This sets out technical framework parameters that will later ensure interoperability. Whether this will actually succeed is another matter, and I will come back to this in a moment. But in principle, it would be possible to use this ARF to create an architectural basis for the use of interoperable EU wallets. Version 1.2 was announced a long time ago, but is now massively delayed. This provides an indication of the speeds that can be expected here.


The trust ecosystem is fundamentally not a simple matter, as many different roles are involved. I will only mention the trust service providers here, which already play a major role under eIDAS 1.0 because they are the ones issuing certificates. Anyone wishing to delve deeper into this highly complex model is welcome to read about it in the publicly accessible ARF. It is important to understand that we are not starting from scratch: eIDAS 1.0 and the services that run under it already exist. This includes the electronic ID card in Germany, which has not yet become a success story because it is neither useful nor easy to use, i.e. it can hardly be used anywhere. Basically, the aim for an EU Digital Identity Wallet is to make everything very simple while maintaining the highest level of security.

ARF - EUDIW Architecture and Reference Framework

It should also be mentioned that there are two technological strands that are more or less hard-coded and represent a very simple model for issuing credentials: the so-called JSON Web Token (JWT), or more precisely the Selective Disclosure JSON Web Token (SD-JWT). There is also an approach that follows the ISO/IEC 18013-5 standard, the so-called Mobile Driving License (mDL) standard, which can of course also be used for issuing other types of credentials. These can be described as the cornerstones for credentials. Other solutions can also be pursued, but not in the sovereign area. It is obvious that there is a lively debate about what can and should be used. The identity community is sometimes somewhat dogmatic when it comes to the various credential formats. A lot of work has been done over the last 18 months to objectify the discussion and to keep the religious wars from escalating.

EUDIW Wallet Configurations

The so-called NIScy consortium (NetCompany Intrasoft and Scytales AG) is currently tasked with developing a reference implementation of such a wallet, but this has already been delayed. It is interesting to note that the four large-scale pilots (LSPs) launched by the EU are already underway. These are, of course, intended to implement the architectural specifications, but the specifications are not ready, nor is there a reference implementation of the wallet. In terms of sequence this is rather back-to-front (in German, "through the chest into the eye"), but overall a very welcome commitment.

6. Time frame

The eIDAS 2.0 law does not yet exist; the trilogue negotiations are currently underway and it is not foreseeable whether the law can be passed this year. Even then, we cannot expect anything next year. Once the law is in place, the implementing acts will follow, which determine what the individual member states actually have to do to implement it. These negotiations are likely to take 12 months, and then another 24 months before the law actually applies. Just think of the General Data Protection Regulation – there was also a so-called burn-in phase there: the law had been passed, but there were still 24 months before it had to be applied.

If we get something that becomes part of the reality of life for EU citizens in 3+ years, we can be happy. That’s why I’m cautiously optimistic that this regulatory measure will achieve something quickly. The industry is waiting in the wings, but is still holding back on investment due to the current lack of clarity.

Dr. André Kudra, CIO, esatus AG

Source: LinkedIn