The European Union is taking digital identity to new heights with the updated eIDAS (Electronic Identification, Authentication, and Trust Services). Effective from May 20, 2024, the new EU Regulation 2024/1183, known as eIDAS 2, marks a significant advancement in managing digital identities and trust services across member states. The push for this framework came in 2020 from European Commission President Ursula von der Leyen, who raised concerns about the then-current practices of technology providers in handling users' online data. She emphasized, "Every time an app or website asks us to create a new digital identity or to easily log on via a big platform, we have no idea what happens to our data in reality." Therefore, unlike its predecessor (eIDAS), which had limitations in interoperability and user adoption, eIDAS 2 aims to ensure that all EU citizens can access highly secure digital trust services and digital identities usable throughout Europe. In this context, technological neutrality is a key principle of the new regulation. In particular, this approach allows all member states to adopt the regulation without being tied to a specific technological framework, facilitating seamless cooperation among EU countries. Therefore, by promoting a cohesive digital ecosystem, technological neutrality enables different systems and technologies to work together seamlessly while adhering to consistent regulatory standards.

Introducing the European Digital Identity Wallet

The central focus of eIDAS 2 is the European Digital Identity Wallet (EDIW), which involves the establishment of a framework for community digital identity. In particular, this initiative enables individuals to connect their national identity documents and other electronic credentials to their mobile devices. This capability allows them to verify their identity and digitally sign documents using qualified electronic signatures. With the EDIW, citizens can seamlessly link various forms of identification and credentials to a single, secure digital platform. This integration reduces the need to remember multiple passwords and manage different accounts. In addition to functioning for identity verification, the EDIW serves as a secure repository for personal attributes, such as education certificates, birth certificates, and bank cards. This capability allows personal documents to be stored safely in digital form, making it easier for individuals to access and share them when needed, whether for educational purposes, employment, or other services. The EDIW also promises to enhance convenience and efficiency by streamlining interactions with public and private services, eliminating the need for physical documents, and reducing bureaucratic hurdles.

Security Dynamics of the European Digital Identity Wallet

The EDIW offers significant cybersecurity benefits, such as enhanced security through advanced encryption and controlled data sharing, which reduce unnecessary exposure. However, there are also potential drawbacks to consider. For example, one critical aspect is the problem of risk aggregation, which refers to the consolidation of various risks into a single point or system. In the context of the EDIW, risk aggregation may occur when multiple pieces of personal information and credentials are stored in one digital wallet. This configuration raises concerns regarding compliance with privacy regulations and the legal responsibilities of entities managing such aggregated data. Furthermore, centralizing data in the EDIW can potentially make it a lucrative target for attackers; a breach could expose vast amounts of sensitive data, potentially leading to consequences, such as fraud, identity theft, and unauthorized access to services. Finally, storing personal data in digital ID wallets requires a high level of trust in service providers and wallet providers to maintain stringent data protection and privacy standards. To address these issues, eIDAS 2 requires providers to adhere to strict security and operational protocols. For instance, Article 45k mandates maintaining data integrity and chronological order in electronic ledgers, which is crucial for reliable digital identity data. Additionally, the regulation calls for consistent audits and compliance checks to ensure providers meet all data protection requirements. As a result, eIDAS 2 presents a promising regulatory structure for managing digital identities. However, ongoing refinement of the regulatory framework may be necessary to balance the benefits of a centralized digital identity system with effective risk management.