Digital wallet and eIDAS 2.0: a boost for Estonian companies

In November 2023, the European Commission agreed upon the new eIDAS regulation that will change Europe’s digital identity and digital wallet landscape and beyond. Estonia has been the leading country in digital identity proliferation and use, and Estonian IT companies have always been part and parcel of its development. Now, these companies are at the forefront of domestic and international engagement with the new direction that eIDAS proposes: the digital identity wallet.

---

Building on Estonian e-ID track record

Cybernetica is an Estonian cybersecurity company with a special place in the development of e-Estonia, as it provided the baseline cybersecurity knowledge necessary for creating the foundations of digital identity in Estonia in the early 1990s.

Now, Cybernetica, in a strategic collaboration with the Estonian Information System Authority (RIA), has embarked on a pivotal analysis of the technical architecture of the forthcoming Estonian digital identity wallet that has the potential to influence the entire European market.

The new eIDAS regulation makes use of a digital identity wallet — a mobile application designed to serve as an alternative to conventional physical documents such as ID cards and driver’s licenses — mandatory for European countries. However, eIDAS allows member states to direct their citizens to whichever wallet they deem proper. This kind of regulation creates a market for developers such as Cybernetica. Since Estonian digital identity has a long and trusted track record, Cybernetica has a good starting position.

“Together with RIA, Cybernetica aims to craft a wallet solution tailored to Estonia’s needs and aligned with existing information systems. This wallet should seamlessly integrate with national information systems, ensuring compatibility and adherence to EU standards for authentication, citizen data submission, and creating digital signatures,” said Aivo Kalu, Cybernetica’s lead security engineer.

Technology-agnostic security solution for the digital wallet

Cybernetica is actively working on the SplitKey CSP product destined for the future digital wallet in tandem with the wallet development.

“Wallets will contain documents that can be used to access critical information systems such as online banks and public sector portals. Therefore, it is extremely important that these documents remain in the possession of the wallet user and that no one else can present your credentials under their name,” Cybernetica’s software architect Mattias Lass elaborated. “SplitKey CSP offers a solution by linking documents in the wallet to cryptographic keys utilising SplitKey technology. The other part of the key remains in the possession of the owner. In this way, copying becomes impossible. It is special because this approach does not require high-end phone hardware, and the technology behind the solution is transparent and certified.”

Despite these advanced and proven technological solutions, what makes the development of the digital wallet complicated is the ongoing policy development of the European Union. According to Yuliia Kravchenko, Risk and Compliance Expert at Cybernetica, the final technological solutions for the identity wallet depend on many simultaneous implementation acts.

„For example, the European Cyber Security Certification Scheme has just been adopted. Previously, the protection profiles were nation-specific, but to make the wallet interoperable in all European countries, there needs to be a unified cyber security protocol, its definitions and requirements,” says Ms Kravchenko. “However, to create one that is technology agnostic is quite complicated, and if it is unskilfully done, it may lead to poorer implementation of the wallet by technology lock-ins or extreme bureaucracy.”

Making international recognition easier

European Union’s digital policies are known to have a global influence, and the new eIDAS is a good case in point. Proud Engineers, a high-level consultancy that advises countries in digital development, sees the critical value of eIDAS in their work.

“We see how countries that we consult want their digital identity systems built based on eIDAS, or at least want their frameworks to be recognized in the European Union,” says Laura Kask, CEO of Proud Engineers. “The new eIDAS creates a clearer basis for mutual recognition of digital identity frameworks.”

“Hence, the new eIDAS directly influences our work. Ukraine was the first to achieve partial recognition under the old eIDAS, but this will have a strong legal basis.”

In our portfolio, Egypt and Armenia, whom we advise on their trust services framework, aim to base their upcoming digital identity services on eIDAS. Ideally, a document – such as a driver’s license or a university diploma — issued in Armenia, which is stored in its digital identity wallet, will be accepted by European Union’s countries.”

The critical question of Big Tech vs Digital Nations

While member states are now obliged and eager to start implementing eIDAS, the critical question is the relationship between government-issued and Big Tech-issued wallets. According to Laura Kask, since the market for wallets is theoretically open for everyone, it may be that the identity business is slipping from nation-states to technology companies. This may have detrimental consequences.

On the one hand, it is the question of user comfort. While states need to retain certain control over the issue of identity, they still need to value the ease of use. Otherwise, private providers who might not be keen to safeguard transparency but prioritize user comfort will have the upper hand.

On the other hand, it is the question of introducing the state-provided digital wallet into the big tech platforms and social media.

“In the case of eIDAS, what is interesting now is that this wallet should be mandatory for use on large platforms such as Facebook, Google and so on,” says Ms Kask. “In the future, we should be able to enable authentication to log in using this EU identity wallet. However, we have not seen their reaction yet. Hopefully, this won’t change the paradigm to the point where we end up using Apple Wallet instead, which isn’t actually audited or controlled by member states. I hope the basic principle will remain: the state issues the first basic identity, and a chain of trust can be built on it for the private sector to use it, too.”

Hence, the eIDAS is definitely a step in the right direction, but it opens up opportunities for different developments. A supportive but critical attitude is surely advisable.