by Evangelia Papadaki, Legal Consultant and Compliance Officer at ADACOM with extensive expertise in the EU trust services framework
Under EU Regulation 910/2014, commonly referred to as eIDAS, identity verification or identity proofing has traditionally been an integral component of existing Qualified Trust Services (QTS), such as Qualified Electronic Signatures (QES), rather than a standalone service. While identity verification plays a critical role in enabling trust and security in digital interactions, it has always operated as a prerequisite step embedded within other qualified services.
With the advent of eIDAS 2.0 and the introduction of the European Digital Identity Wallet (EUDI Wallet), many observers saw an opportunity to elevate identity proofing to the status of a separate QTS. Such a move could have standardized and formalized identity verification across the EU, potentially increasing trust and interoperability among Member States and private sector actors alike. However, identity proofing was ultimately not designated as a standalone QTS in the revised Regulation.
Why was Identity Proofing not made a standalone QTS?
Several reasons likely contributed to this decision:
a) Flexibility for Member States. One of the core principles behind eIDAS is mutual recognition while respecting subsidiarity, the idea that decisions should be taken as closely as possible to the citizen. By not locking identity proofing into a rigid qualified trust framework, Member States retain the flexibility to recognize and regulate electronic attestation of attributes and other identity proofing methods based on their domestic laws, use cases, and technological infrastructure. Countries with well-established systems can continue to leverage their models without needing to conform to a central standard.
b) Avoiding over-regulation and complexity. The trust services market in the EU is already considered by many to be heavily regulated. Creating a standalone QTS for identity proofing would add another layer of complexity and might risk stifling innovation, especially in the private sector. Today, numerous entities, including banks, telecom providers, and even fintech startups, carry out robust identity verification under sector-specific frameworks. Imposing QTS-level obligations across the board could discourage participation or innovation in the digital identity ecosystem. Moreover, agreeing on a harmonized, pan-European identity proofing model is an inherently difficult task. Each Member State has different identification mechanisms in place. Politically, handing over the authority to the Commission to define "qualified identity proofing" might have met resistance from national governments keen to maintain control over their own identity frameworks.
c) Identity v. Identity verification. The current approach to identification and mutual recognition among Member States is fundamentally based on the concept of identity, not identity verification. In this model, it is the identity itself, particularly one with a high Level of Assurance that establishes the individual’s identity, rather than the specific method by which that identity was verified. Consequently, it might be argued that identity proofing as a standalone trust service may offer limited added value within the eIDAS ecosystem, since its function is already embedded in the broader identity framework.
Consequences of not establishing a Qualified Identity Proofing Service
The absence of a dedicated QTS for identity proofing means that divergence in practices across the EU will likely continue. What constitutes a trustworthy identity proofing process may vary from one country to another, leading to potential uncertainties for wallet providers, attribute issuers, and cross-border digital service providers. This lack of harmonization may complicate efforts to ensure mutual recognition of identity credentials, especially in cross-border contexts.
Was this the right moment to establish a pan-European trust list for identity proofing providers, a centralized public directory of trustworthy identity verification entities? Maybe such a trust list could have offered clarity to both regulators and market participants while preserving some national flexibility. However, this idea has not yet materialized under eIDAS 2.0.
Was it a missed opportunity? Not entirely. While eIDAS 2.0 did not create a standalone identity proofing QTS, it did take significant steps toward harmonizing identity verification requirements. The European Commission is currently issuing implementing acts, i.e. secondary legislation that provides detailed guidance and technical standards applicable to all Member States.
Most recently, the third batch of implementing acts, which is currently open for public consultation, includes a draft implementing act on the verification of identity and attributes at qualified certificate or qualified attestation of attributes issuance. This draft act specifies that identity verification processes must adhere to standards included in its annex, such as the ETSI TS 119 461.
The public consultation on the third batch of implementing acts remains open until 13 May 2025, offering stakeholders an opportunity to provide feedback.
You can access the consultation on the verification of identity here.