Self-Sovereign Identity can be considered as the most significant paradigm shift, surpassing the more established centralised and federated approaches that have shaped identity management in the past decades. SSI are user-centric digital identities that provide individuals with control and ownership over their personal information; to discover more on this concept, you can explore our previous article on the subject.
Addressing the interests of a broad audience, including cybersecurity experts, IAM leaders, technology adopters, and future end-users, we delve into SSI in considerable depth as one of the latest and most robust trends in Digital Identity Management, covering:
- The main cybersecurity challenges and motivation for SSI
- SSI features and benefits
- EU initiatives and market impact of SSI
- Conclusion: Key research and innovation (R&I) projects with a focus on SSI
All projects’ innovation outcomes are set to contribute to world-class Cybersecurity Products of Eviden, your natural partner in the journey to adopt this novel technology stack.
Cybersecurity Challenges and Motivation for SSI
During the COVID-19 pandemic, as remote work and online interactions became more common, there was a greater need for secure digital identities. Applications like digital vaccination certificates helped popularize the idea of Self-Sovereign Identity (SSI) and verifiable credentials on the internet. This trend aligned with the pre-requirements of public and private organizations worldwide, enabling them to incorporate security by design and by default into their digital transformation efforts. This resulted in highly automated and secure processes and services for citizens and customers, leading to effective cost reductions and promoting socially inclusive and environmentally sustainable growth.
This all takes place in a context of increasingly complex digital ecosystems. Notable instances include collaborative networks of identity schemes, exemplified by Europe’s eIDAS Regulation, and data spaces. In this landscape, achieving digital (data and technological) sovereignty emerges as a strategic objective, addressing growing and legitimate concerns. These concerns encompass worries about the loss of control over data, including identity and person-related attributes, and the imperative to uphold satisfactory levels of technological autonomy and innovation capacity in line with deeply ingrained values and principles. Moreover, public opinion reflects a growing apprehension about identity-related cybercrime, with two out of three EU citizens expressing concern about identity theft and nearly half of them worried about the misuse of personal data.
In 2020, identity fraud incidents increased by 45% according to the US Federal Trade Commission (FTC), resulting in massive financial losses. Given the increasing use of digital identities, legal compliance requirements such as GDPR, Anti-Money Laundering (AML) and Know-Your-Customer obligations, and this rise in cyberattacks and identity fraud, there is a clear need for a new trust model and fabric for digital identities.
Furthermore, it is increasingly evident that individual users struggle to keep track of multiple accounts and the services and platforms with which they have shared data. Simultaneously, organizations face challenges in securing vast amounts of personal data accumulated from their customers, rendering them vulnerable to ever-increasing, sophisticated cyberattacks.
Businesses, in fact, must implement effective Zero Trust approaches to better navigate the blurring of security perimeters caused by factors such as an increasingly mobile workforce (including the adoption of Bring-Your-Own-Device) and the embrace of multi-cloud and Edge computing strategies. Identity management represents the initial and crucial step for Zero Trust strategies. SSI Decentralized Identifiers (DIDs) are inherently designed to facilitate cryptographically secure password-less authentication for both individuals and non-person entities. This is coupled with dynamic and context-based access control, continuously assessing users’ access in accordance with the least privilege principle.
The virtuous circle is completed when these approaches are integrated with Verifiable Credentials (VCs) to actualize the Zero Trust principle of strict and explicit verification of every identity: identifying the issuer, checking the timestamp, running cryptographic challenge-response protocols so that the identity holder proves control, and verifying against tampering or revocation through decentralized infrastructures like blockchain or ledgers (also known as Verifiable Data Registries). It is estimated that by 2025, 20% of total digital ID will rely on DLT/Blockchain technology, up from 5% in 2020.
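The verifier-side checks listed above (issuer, validity timestamp, holder challenge-response, tampering and revocation) can be sketched as follows. This is an added example, not code from the article or from any Eviden product; the `did:example` identifiers, the in-memory registry and the JSON-based signing are illustrative assumptions, not a W3C-conformant proof format.

```javascript
const nodeCrypto = require("crypto");

// Constructed demo keys; a real verifier resolves public keys from DID documents.
const issuerKeys = nodeCrypto.generateKeyPairSync("ed25519");
const holderKeys = nodeCrypto.generateKeyPairSync("ed25519");
const ISSUER = "did:example:issuer"; // hypothetical DID
const HOLDER = "did:example:holder"; // hypothetical DID

// Toy Verifiable Data Registry: DID -> public key, plus revoked credential ids.
const registry = {
  keys: new Map([[ISSUER, issuerKeys.publicKey], [HOLDER, holderKeys.publicKey]]),
  revoked: new Set(),
};

// JSON.stringify stands in for a real canonicalization scheme (assumption).
const signObj = (obj, key) =>
  nodeCrypto.sign(null, Buffer.from(JSON.stringify(obj)), key).toString("base64");
const checkObj = (obj, sig, key) =>
  nodeCrypto.verify(null, Buffer.from(JSON.stringify(obj)), key, Buffer.from(sig, "base64"));

// Issuer signs the credential body.
function issueCredential(id, claims, validUntil) {
  const body = { id, issuer: ISSUER, subject: HOLDER, claims, validUntil };
  return { body, proof: signObj(body, issuerKeys.privateKey) };
}

// Holder binds the presentation to the verifier's fresh challenge.
function present(credential, challenge) {
  const body = { credential, challenge };
  return { body, proof: signObj(body, holderKeys.privateKey) };
}

// Returns "ok" or the first failed check; nothing is trusted implicitly.
function verifyPresentation(vp, expectedChallenge, trustedIssuers, now) {
  const { credential, challenge } = vp.body;
  const vc = credential.body;
  const issuerKey = registry.keys.get(vc.issuer);
  const holderKey = registry.keys.get(vc.subject);
  if (!trustedIssuers.has(vc.issuer) || !issuerKey) return "untrusted issuer";
  if (!checkObj(vc, credential.proof, issuerKey)) return "credential tampered";
  if (now > Date.parse(vc.validUntil)) return "credential expired";
  if (registry.revoked.has(vc.id)) return "credential revoked";
  if (challenge !== expectedChallenge) return "stale or replayed challenge";
  if (!holderKey || !checkObj(vp.body, vp.proof, holderKey)) return "holder proof invalid";
  return "ok";
}
```

The verifier generates a new random challenge per session, so a presentation captured from one session fails the challenge check in another.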
SSI Features and Benefits
Given the aforementioned considerations, users, governments, and businesses are actively seeking cutting-edge identity solutions for identification, authentication, and access control that can:
- Be effectively controlled (through consent for use) and owned by legitimate users (individuals or organizations), supporting higher levels of identity assurance.
- Be fundamentally secure, facilitating robust password-less authentication to mitigate risks associated with weak authentication methods. It should also be compatible with Multi-Factor Authentication to provide access to wallet data.
- Be portable, interoperable, and based on open standards for transparency.
- Be convenient and easy to use (i.e., mobile-first) while enabling instantaneous verification, thereby simplifying and expediting numerous identity-based processes through a reliable, decentralized trust model.
- Enable data disclosure minimization (as seen in age-proofing scenarios).
- Protect privacy rights, including preventing the tracking of activities across unrelated services and allowing for anonymous or pseudonymous interactions with sector-specific identifiers in certain cases.
These are indeed fundamental principles of Self-Sovereign Identity, explaining how this new paradigm can significantly enhance security and privacy in practice. SSI holds genuine potential to bridge the identity layer gap that exists on the Internet, emerging as a transformative toolset that returns control to individuals over what others need to verify on a need-to-know basis.
Relying on a web-of-trust model and modern Web3 standards such as Decentralized Identifiers and Verifiable Credentials, SSI is rapidly maturing and gaining traction. Initiatives like EBSI – European Blockchain Services Infrastructure (part of the European Blockchain Partnership) are contributing to its development. SSI extends beyond secure management of personal identity data, simplifying processes and opening new business models around electronic attestations of attributes. This allows for the generation of fully digital versions of documents, which users can carry and present from their digital wallets. Examples include education diplomas and professional licenses, digital travel credentials, health patient summaries/electronic
EU initiatives and market impact of SSI
Conceptually disruptive and representing the next phase in the evolution of the digital identity management landscape, SSI can coexist and integrate seamlessly with both existing PKI-based systems and federated identity/single sign-on, as well as mobile identity systems (e.g., OpenID Connect, FIDO2, WebAuthn, etc.). This integration is facilitated through protocols such as Self-Issued OpenID Provider (SIOP) v2, OpenID4VCI, and OpenID4VP. These protocols are outlined in technical guidelines and specifications released under the aegis of key initiatives that are driving widespread and cross-sector adoption of SSI technologies across Europe:
- Revision of eIDAS Regulation and the EU Digital Identity Wallets Toolbox Process, cf. drafts of Architecture and Reference Framework (see further details below).
- The Data Spaces Business Alliance, uniting over 1,000 leading industry players (in almost 90 Hubs in 34 countries) to accelerate transformation in the EU’s data-driven economy, where an investment of €4-6 billion is expected in at least nine strategic sectoral common data spaces and a European federation of cloud infrastructure and services aligned with the European strategy for data, cf. Technical Convergence Discussion Document that proposes a decentralised Identity and Access Management Framework.
These data spaces support the vision of a genuine single market for data where personal and non-personal data, including sensitive business data, are secure and businesses have easy access to high-quality industrial data, boosting growth and creating value. Identity technologies are a cornerstone for achieving sovereign, interoperable and trustworthy data sharing.
For the EUDI Wallets initiative, the social and business impact is huge:
- All EU 27 MS will need to provide EU Digital Identity wallets and to notify an eID scheme for a population of more than 400 million citizens that may use it on a voluntary basis to prove their identity where necessary to access services online, to share digital documents, or simply to prove a specific personal attribute, such as age, without revealing their identity or other personal details (more information here). Estimated total benefits across Europe are in the range of € 3.9 – 9.6 billion, related to positive impacts on innovation, international trade and competitiveness, contribution to economic growth and additional investment in digital identity solutions.
- Through this new European Digital Identity framework, also known as eIDAS 2.0, at least 80% of citizens should be able to use a digital ID solution to access key public services by 2030, extending to the private sector the benefits of the framework e.g. identifying users without having to use private platforms or unnecessarily sharing personal data.
- Private services will be obliged to accept the EU Digital Identity Wallet for identification where strong assurance of the identity of their customers is needed (e.g. in the areas of transport, energy, banking and financial services, social security, health, drinking water, postal services, digital infrastructure, education or telecommunications). The same applies to Very Large Online Platforms such as provided by Meta, Amazon, Apple or Alphabet/Google.
These initiatives, together with large tech firms’ support of SSI (e.g. Microsoft Entra and Avast), decisively contribute to very significant growth prospects for the decentralised identity market: a 78% CAGR to reach 8.9 billion USD by 2028 and 1.1 billion USD in annual revenue from 2024.
Conclusion: Key R&I projects with focus on SSI
Several challenges lie ahead for SSI, particularly for EUDI Wallets. These challenges include wallet security certification, encompassing secure storage of cryptographic material and leveraging existing Cybersecurity Act certification schemes. There is also a need for defining a hardware-secure environment for keys and data, relying on technologies such as Trusted Execution Environments, Secure Elements, and Hardware Security Modules.
Additionally, challenges involve further standardization work in digital identity, conducted by Standards Definition Organizations like ISO, CEN/CENELEC, ETSI, and industrial bodies such as W3C, OpenID, FIDO, OASIS, etc. Other challenges include the adoption of quantum-resistant cryptography for secrets and biometric templates, wallet recovery and backup, and addressing multiple governance aspects with an impact on ecosystem stakeholders.
Despite these challenges, significant progress is underway at both legislative and political levels, with advancements towards the adoption of eIDAS 2.0, exemplified by the recent political agreement reached between the European Council and Parliament. On the technical front, progress is being made towards a more comprehensive version of EUDI wallet specifications, with the first reference implementation expected by Autumn 2023.
We are fully ready to accompany our partners and customers in this exciting journey towards SSI adoption, leveraging our product lines and the experience of the Blockchain, Identity and Privacy team within the Research & Innovation hub. This experience has accumulated since 2019 across multiple projects and serves to mature SSI innovation assets (including a mobile wallet prototype and other server-side components), already piloted in realistic conditions in some cases and being aligned with the technological roadmaps of current and future cybersecurity (IAM and digital identity) products. In particular, two projects are highly relevant to bringing to market SSI solutions based on EU-wide initiatives:
1 – OT Platform as a Service (OTPaaS) is a major R&D project in the French government’s cloud strategy and a key action in the Solution Industry of the Future sector contract. It brings together 14 partners, technology providers and users: SMEs/ETIs, large groups and research organizations. It is financed within the framework of a call for projects from Bpifrance on the “Development and reinforcement of the French and European cloud sector.” The objective is to develop a complete sovereign offer for massive digitization, mastering the data continuum from the shop-floor to the cloud, and compatible with Gaia-X. In OTPaaS, Evidian is the coordinator of the work package dedicated to the compatibility with Gaia-X. Gaia-X strives for innovation through digital sovereignty. The goal is to set up an ecosystem whereby data is shared and made available in a trustworthy environment. Following the Gaia-X IAM Federation Service technical specifications and extending our SSI solutions suite accordingly, we implement the key Gaia-X Services enabling organisations to easily onboard and interact in a federated and secure data sharing infrastructure:
Figure 1: Gaia-X Flows being implemented in OTPaaS
The trust model fostered by Gaia-X leverages the emerging approach of Self-Sovereign Identity: control on credentials is given back to individuals. This innovative technology of Self-Sovereign Identity and Verifiable Credentials will be supported by Evidian, as stated by Thierry Winter, CTO and Head of R&D of Evidian IAM products: “The Evidian IAM offer will be extended to support all standards and practices that are needed to interoperate with the GAIA-X data sharing architecture. We will not take a Big Bang approach, but rather an extension to existing access governance and identity federation mechanisms. The cornerstone of our work is the adaption of IAM concepts and processes to comply with Self-Sovereign Identity and Verifiable Credentials”.
2 – Digital Credentials for Europe (DC4EU) is one of the 4 “large-scale pilots” co-funded under the Digital Europe Programme, comprising 80 organizations from 22 countries. It launched in April 2023 with the goal of testing, in two real-life scenarios (educational credentials and professional qualifications, and social security entitlement documents like the European Health Insurance Card), the technical specifications and software reference implementation of the EU Digital Identity Wallet (EUDIW), iteratively providing feedback to the European Commission and Member States for subsequent updates. Having direct access to the latest specifications and guidelines of the wallet ecosystem, we provide our large industry perspective and a major contribution to the technical implementation of open source components for integrating providers and verifiers of electronic attestations of attributes with the EUDI wallet. This follows our successful integration of SSI Framework Agent components with the EBSI Early Adopters programme in the DE4A project.
Figure 2: DC4EU functional scope for cross-border pilots
 For an overview of the key concepts involved in Self-Sovereign Identity, we refer readers to Dan Butnaru’s article in a previous edition of the Digital Security Magazine, https://atos.net/en/lp/digital-sovereignty-cybersecurity-magazine/sovereign-identities-a-new-concept-for-citizens-in-the-digital-space
 It is estimated that average business users manage 191 passwords (https://www.securitymagazine.com/articles/88475-average-business-user-has-191-passwords) and 80% of hacking-related breaches are due to compromised passwords, https://www.securelink.com/blog/81-hacking-related-breaches-leverage-compromised-credentials
 https://www.prnewswire.com/news-releases/global-decentralized-identity-market-report-2022-an-8-9-billion-market-by-2028–rising-at-a-staggering-cagr-of-78-5-301624096.html, https://www.juniperresearch.com/press/self-sovereign-identity-to-be-a-billion-dollar
About the author
Alberto Crespo, Head of Blockchain, Identity & Privacy Unit
With over 20 years of professional experience in delivering complex projects integrating cutting edge technologies, Alberto works in Research & Innovation hub, part of Eviden’s BDS Cybersecurity Products division as Head of Blockchain, Identity & Privacy Unit and is a senior member of the Expert Community. He has wide expertise in interoperability of Identity and Access Management solutions and integration with large IDM infrastructures based on open standards and open source frameworks, with specialisation in decentralised, user-centric and self-sovereign identity management solutions for persons and smart things.