Eurosmart’s position on the future European Digital Identity (EUid)

Eurosmart’s position on the future European Digital Identity (EUid)

How to ensure that identity services in Europe are preserving Europe’s sovereignty?


The European Commission will soon present a proposal for a European Digital Identity (EUid). Different options are currently envisaged. One of these options is to create a new trust service, pursuant to the eIDAS Regulation, for (private) electronic (or digital) identity providers. This paper highlights the position of Eurosmart on this topic. Eurosmart sees many potential pitfalls in this approach that should be carefully assessed by policymakers. Eurosmart drew recommendations to prevent these pitfalls.

Digital sovereignty as a guiding principle

Eurosmart’s recommendations aim to preserve Europe’s digital sovereignty, in a context where big tech is more and more involved in providing digital identities.

First, digital identity providers are too important to be ruled like any other trust services. Additional requirements should apply to ensure that EU values are respected. These requirements include non-discrimination, privacy-by-design and security-by-design.

Secondly, digital identity providers should be effectively governed by national and European laws. Eurosmart recommends introducing a condition of “Europeanity”, meaning that digital identity providers should be European registered companies or European public entities.

Thirdly, the European Commission should legislate on the security of identification and authentication means. This is particularly needed in the case of server signing (remote identification and authentication). There are currently no clear security requirements or criteria in the legislation to ensure the security of the local component performing the remote identification and authentication of the signatory.

Last but not least, Eurosmart believes that the Cybersecurity Act provides a relevant framework for the certification of digital identity solutions. An alignment between the Levels of Assurance of eIDAS and the Levels of Assurance of the Cybersecurity Act is needed.

Please see below the full position paper.