The European Digital Identity (EUDI), a cornerstone of the eIDAS regulation, represents a cross-border digital identity initiative set to revolutionise electronic identification in the EU. Available to all EU citizens, residents, and organisations, EUDI is designed to offer a unified, secure, and efficient method for online identity verification. Central to its functionality is the innovative EUDI Wallet, a sophisticated platform for electronic identification that digitally encapsulates individual identities. This wallet integrates various attributes and credentials, ensuring they are stored and managed with utmost security and respect for privacy. As an integral part of the EU digital identity and trust services framework, EUDI extends beyond the wallet, offering a comprehensive solution for digital identity management across the European Union.
Why is EUDI Needed?
Although the majority of countries within the EU have some form of national digital identity solution or eID, only 60% of citizens from 14 member states are able to use their eID in another state (cross-border). That leaves over 150 million people in the EU alone without access to strong cross-border authentication, and with only 14% of public service providers allowing cross-border authentication. Yet, 63% of EU citizens want a single eID for online services across the EU according to the Eurobarometer survey (EU Commission). The EUDI will provide an EU-wide digital identity that will allow for cross-border trust service usage.
Key features of EUDI
At the heart of the EUDI’s design is user-centric control, aligning with eIDAS principles. It empowers both individuals and businesses to manage their electronic identification and digital identity with autonomy. Users have the discretion to select the information they share, the entities they share it with, and the purposes for which it is used. This feature not only enhances user autonomy but also bolsters privacy protection within the digital ecosystem.
EUDI exemplifies interoperability as envisaged in the EU digital identity framework. It offers a harmonised solution across the EU, enabling seamless cross-border access to digital services. An EUDI issued in any member state is recognised across all others, facilitating service access without the need for redundant verification. This interoperability is a significant step towards realising a cohesive digital Europe.
Security is a paramount feature of the EUDI, incorporating state-of-the-art encryption and authentication mechanisms. These technologies protect against identity theft, fraud, and other cyber threats, making EUDI a reliable and secure tool for electronic identification and online transactions.
The EUDI champions digital inclusion, crafted to be accessible to everyone, including those with disabilities or limited access to technology. This inclusive approach is integral to the EU digital identity and trust services ethos, ensuring equal access to online services across all member states.
Designed to be versatile, the EUDI supports a wide array of applications, from basic online authentication to more complex uses like digital licenses and insurance. It even facilitates instant payments using the digital Euro, showcasing its adaptability to various digital identity needs and trust services within the EU framework.
Benefits of EUDI
The EUDI will be available for all EU citizens that are eligible for a national ID card and will be recognised across the EU. It will be a secure way to share information with services, allowing users to control how much information they want to share. The EUDI will be operated via digital wallets on mobile phones and other devices and will enable users to identify themselves both online and offline. The EUDI wallets will allow users to store and exchange government-provided data (i.e. name, date of birth and nationality), information provided by trusted private sources, and to use the information as confirmation of the right to reside, work, or study in a certain member state. It ultimately provides a cross-border digital identity that will benefit citizens across the EU.
Practical Uses of EUDI
There are a variety of key use cases that the EUDI can be used for, including public service applications and requests, opening bank accounts, tax returns and applications to universities, alongside proof of identity, storing medical prescriptions, and securing transactions. There are some use cases that underpin the development of the EUDI Wallet, to support meeting objectives.
Practical Example of EUDI Usage
Currently, opening a bank account involves multiple steps that may involve in-person meetings, signing paperwork and a tedious back and forth if any documents are missing. In addition, any cross-border banking is hampered by the lack of standard document formats, document coverage/accuracy and even simple language barriers. However, with the introduction of the EUDI a user would simply be able to respond to the bank’s request by selecting the required documents that are stored on their EUDI wallet, already in a standard format. These documents will then be sent securely to the bank as verifiable digital documents, for the bank to process and continue with the application.
The interplay between EUDI pilots and eIDAS Regulation
After a six-month delay, the EUDI pilots are now starting and will continue well into 2024. Unusually, the actual eIDAS legislation is still being developed at the same time, even as the pilots are running. In addition, there are two further parallel streams: writing of the standards and documenting the reference implementation. All four of these elements: legislation, standards, reference implementation and the pilots, are dependent on each other. The standards must comply with the law, the reference implementation needs to implement the standards, and the pilots should utilise the reference implementation. Ideally, feedback from the pilots should in turn guide the legislative process, closing the circle.
This loop of interdependencies is caused both by the repeated delays in defining the base architecture and by the aggressive “Swiss knife” approach to the EUDI by the European Commission. What is often missed, however, is that the main hurdles regarding the whole EUDI project are not technical, or legal framework but political. The EUDI is designed to be much more than a simple mobile authenticator and therefore it must forge a compromise between 27 nation states from minute technical details to very profound decisions potentially affecting hundreds of millions of people – for example, whether to force every resident to adopt a persistent unique identifier.
The road to hell is paved with eternal secrets
When we think of strong digital identities, likely the first thing that we visualise is a unique identifier or a “name tag” that is then linked to a natural person for life. That is indeed one possible solution, but perhaps surprisingly there are alternative designs as well. The 27 EU member states have widely varying approaches. In some member states, one is automatically assigned a persistent unique identifier before leaving the maternity hospital. Elsewhere one will be assigned only in specific circumstances, while finally some member states do not assign such identifiers.
On paper, having an identifier can simplify many governmental processes and ease digitalisation. However, its unchanging nature makes it very unwieldy in practice. The identifier will continue to exist, unchanged, for the lifetime of an individual. As the end users are required to use it to identify themselves in both on- and offline transactions, it becomes very challenging to simultaneously keep it secret for their entire lifetimes. The same applies to every private and public organisation who stores or processes it, and sadly it takes just a single data breach to lose control of it forever. In the age of pen and paper perhaps this was deemed a not so omnipresent threat. But as digitalisation marches on and KYC legislation spreads from finance to the hospitality industry and beyond, having copies made of one’s personal documents is turning from an exception to a standard policy. As it stands, the persistence and omnipresent use of the unique identifier leaves the unfortunate victims of identity theft with only bad options: either be on constant lookout for any misuse for life or go through the massive process of changing the identifier (if allowed by national legislation) and then getting every single document from one’s birth certificate to school records to work contracts changed to reflect the new identity.
Nothing is certain until the legislation is finalised, but currently it seems likely that the EUDI will controversially force everyone to adopt such an identifier yet seeks to bypass some of the shortcomings both via the magic of public key cryptography and by optionally allowing the creation of pseudonyms – aliases that only officials are able to link to an individual. For example, there could be a ‘healthcare me’, distinct from a ‘banking me’ and a ‘social media me’. Officials would be able to link all three together, but a cybercriminal or a data breach would be (hopefully) limited to an identity affecting a single sector. Of course, this is not a perfect solution, but it certainly is better than no solution.
Once again it should be emphasised that the 27 member nations have very differing opinions on how to best proceed and marking features as optional – like the pseudonyms mentioned above – is a well-known compromise when the standardising body cannot gather enough support to either include or exclude it from the core standards. Optional features rarely become universal, and worryingly it seems likely that any optional features of the EUDI will not be exceptions to this rule. Any optional features will be adopted by some of the member states, while others will decline to take them into use. This threatens the fragmentation of the whole European digital market from day one… which is exactly how the situation stands after eIDAS version 1, and what the EUDI is seeking to solve.
Controversies around the fundamental design principles highlight both the importance of the whole EUDI project, as well as how politically influenced or even driven any cross-border effort can be. It is wrong to say that international projects would be generally disadvantaged from intense debate though, as having over two dozen interest group opinions and different viewpoints is a tremendous advantage to any undertaking. The varied features and pilots of EUDI would not be possible if a single member state would have to carry all the burden by themselves.
Are you prepared for the EUDI?
Contact Ubisecure to discuss EUDI opportunities with our team of digital identity experts, and how it may affect identity management in your organisation.