In the graphic above we reorganised and regrouped the stakeholders to map the requirements for the eIDAS toolbox architecture. An earlier version of the graphic was used by the European Union Agency for Cybersecurity (ENISA) in a paper titled “Digital Identity: Leveraging the SSI Concept to Build Trust”.
Different types of issuers provide four main categories of verifiable data. There is one PID provider per member state, which provides the Person Identification Data (PID) needed to activate an EUDI-Wallet and to identify a natural or legal person.
Additionally, there are qualified trust service providers (QTSP), which provide qualified electronic attestations of attributes (QEAA), such as tax data, a mobile driver licence or an IBAN credential. Qualified trust service providers depend on authentic sources to ensure a high level of assurance.
Authentic sources are repositories or systems under the responsibility of public or private entities that deliver authentic attributes about persons or objects and are recognized according to EU or national law as primary or acknowledged sources of information.
Additionally, there are providers of non-qualified electronic attestations of attributes (EAA), such as membership or customer cards or employee passes. Any organisation can be an issuer of these credentials, and the variety of credentials is unlimited.
Finally, the qualified trust service providers enable qualified electronic signatures (QES) with the European Identity Wallet.
The wallet itself acts as a holder of information. The holder can be a natural or a legal person. Depending on the nature of the holder (citizen / organisation) the application itself can be on a smartphone, a cloud infrastructure or in an on-premise IT-environment.
The different types of verifiable data can be presented to a relying party, also referred to as a verifier. Relying parties are legal entities that request data from an EU Wallet in order to provide access to digital services such as a bank account or public services. Depending on the use case, they might ask for the PID, a QEAA, an EAA and a QES, or a subset of these.
Trusted lists are directories maintained by EU member states listing qualified trust service providers, including details about the services they offer, recognized according to EU standards for security and trustworthiness.
Schema providers for (Q)EAAs provide schemas for (qualified) electronic attestations of attributes, for credentials that can be used in EUDI-Wallets. The sum of all attributes of a credential is referred to as a schema and is used to ensure a standardised way of expressing the content of a credential.
We used the graphic below as the basis for our infographic, which was published as part of the eIDAS toolbox / architecture reference framework. We intentionally left out the different accreditation, assessment and supervisory bodies, since these are not relevant for parties that just want to implement use cases.
One stakeholder group we haven’t mentioned yet is technology providers. These are actors that offer EUDI-Wallet Connector services for connecting EUDI-Wallets to existing IT systems, enabling organisations to interact with the EUDI-Wallets.