EU Wallet – eIDAS 2.0: The New European Identity Framework is a Gamechanger

So today I want to talk about the IDAs two zero regulation and the impact to the digital identity ecosystem. As a co speaker I have with me, Dr. Dominic Damel, founded and and CEO of the community. My name is Director of Digital Identity and I want to talk about the interoperability. Yeah, you can switch it, please. Doesn't work. Doesn't work. Ah, okay. I wanna talk about the inter interoperability framework for digital identities and yeah, it has 2.0 is a framework. A framework which, which consists of the three parts made three main parts. It's the legal framework, it's the governance framework. And from our perspective, very important is the architectural framework, so-called if, and one of the major changes of that new framework is the digital identity wallet. Yeah. So, and this wallet needs to be introduced in all states, use states from next year. And yeah, we want to talk about the impact of that. Yeah. Probably changed ecosystem of the introduction of these Yeah. Wallet technology. Yeah. And change processes, data flows and identity flows.
A very, very important change in the ecosystem is the change trust. Yeah. The trust changes from a today mostly centralized approach to the issue of the data. Yeah. So that means the issue of the data, the identity data of any data that is related to the authentication flow is more important and has more influence in, in that flow as before. And it also means that the management of attributes, reusable attributes is, yeah. Not anymore in a backend system, which is good, but it's brings also more and more complexity in the into that it brings also on, we heard about it the whole day. Yeah. Things like new standards into the play, such very verifiable credentials and, and other protocols. And I think this quite new area, and this is only, these are only three parts of the new changed ecosystem caused by IDAs two zero regulation. So Dominic, do you want to summarize or what do you think what impact that has into the ecosystem from your point of view?
Yes. First of all, hello altogether, and before we speak about technology, let us really think about what's the impact for the market because we have this change and we see at conference here, as a lot of people think about what's really the impact, what's, what's going on in the next years. And we speak about a massive expansion of use cases. Of course we are able to transfer data to relying parties to in, into different use cases. But it means we need to migrate or adapt existing infrastructure as well. Not only from the providing with the issuing site, also on the relying party. And we get really interesting new business models. That means the question is who is issuing data will be relevant not only today for personal ID card or relevance. It is much more data we can issue and need to verify this information and bring it into a trusted process.
And that's at the end, brings a new architecture and implementation of course of identity pro, pro identity provider as well. Issue we think about identity provider on the mobile device. And the reason for that is, let me show you this. In the architecture idea and the approach of AI 2.0 there will be the running party with these different use cases. And it's, it depends on the question, what data they ask for. And the technical question is what they need to do to adapt the existing infrastructure, not only in the open ID connect aspects than more in the interoperability, how to really organize that. And the, as I mentioned before, the question is where the data comes from, how we can organize verification of data. And we so see that this is not only a direct, the the data source. They work together with qualified trust service providers, which are able to, to give the trust to the data of a university, of a hospital, of a insurance company or a doctor.
But at the end it's relevant really to see what ch what is a change for a decentralized architecture. And at the end, it's just not a question of bullet, it's more orchestration. How will we organize the transfer from information from an issue to relying party? And at the end how we organize trust, that is where it really challenges to the market for the providers and all the partners in the ecosystem. We see that the, the, the, the, the frameworks, the standards and everything what we need to really orchestrate this profits are growing up, but it's just they're not in place today. So the question is how long we need to do that. Second one is we discussed very about trust about central and decentralized public infrastructure. It's not a, it's a question to bring both in place because both are valid, the existing infrastructure and new technology. And we need to be clear that the shifting of trust to the issue bring absolutely a new problem with us. Because the question of flexibility will come to this later. But first of all, to give you brief understanding about our teamwork and about challenges in the germ healthcare sector. It's your part. Yeah.
Recently we worked together and we prepared and piloted a solution that bridges exactly that gap. Yeah. In the German healthcare industry, we have the yeah. Matic and high requirements on protection for credentials due to the telematic infrastructure. Yeah. Raised and managed by the geomatic and the existing regulation from matic Yeah. Is more focused on a centralized approach. Yeah. Means we have a central RDC server that issues the credential to any website or a mobile device. And it's a typical federation master infrastructure in a highly secured environment. Centralized, this is the Yeah. Existing way how applications like the electronic patent active will be secured and and integrated in existing environments. So this is the status quo and the way forward Follow the ADAS two zero regulation looks like that. Yeah. So and that means the credentials are mainly stored Yeah. On a mobile device inclu including the credential keys. Yeah. And the new component in that Yeah. Infrastructure in the data flow is the so-called EU trust list for the Yeah. Issuer data. Yeah. And there is no central RDC component anymore. And this is something what we piloted together with with and yeah. I think it's worth to have a more deeper insight into it.
Thank you man. Okay. UMI was founded five years ago and as we started, we think about how to can organize data sharing between a data source and a data using service today we say between the issuer and a verifier and relying party and how we can organize that together with the user. That was the founding idea of community. And we started three years ago to build up a digital infrastructure or the technical infrastructure on the mobile device together with partners like build 38. And what we learned in this three years, that is what I want to give you in this speech because at the end it's a question how you can issue the information on the mobile device. And we created an property protocol for that. And today we are able to support the open ID four verifiable credential as well. So it's relevant to be flexible and flexible in the question how to integrate the data on the mobile device.
The second one is that we, with our infrastructure, we call it Trinity, we bring somebody on the mobile device was not only can store the information. So at the end the question how you can use the issued information and can be flexible in the presentation. That's not only a question of the protocol or my D for verifiable presentation, it's always a question how you can organize data on the mobile device by adapting it on the way the relying party ask for. So flexibility in data management, the mobile device is always relevant without losing the trust. This doesn't magic, but that's the challenge. And at the end, do both be sure that the trust comes from the issue that the 2.0 and also to get the trust from the mobile device for use cases where relying parties ask for. And the third part of flexibility is that we are learned that we are need to be able to support existing open Id connect infrastructure as well.
So that what we as bridge technology brought into the healthcare marketers, that we act as an open my deconnect server as you mentioned in a federation, but proceeds the data like say Jason or creates the ID token on the mobile device and are able to decentralize data storage and proceeding and use a gateway to, for the requests and for the, for the data presentation without any profiling which can be provided in public cloud in regulated markets. That's pretty new. That is absolutely disruptive. But it's interesting because it's bridge the question that we, you can use decentralized technology today and go with your customer, go with the market into the new standardized world in the next couple of years. Sowan, that's our experience in the last three years. But what is the conclusion and learning for the audience.
Yeah. I think with the technology we are, we are quite ahead and it's also a cultural change. Yeah. Let me say because we also talked with a lot of clients about it and it's, yeah. Let me say technology adoption, which we Yeah. Has a, an impact on the market. Yeah. First it's a governance decision. How to use this way of authentication flows is centralized or is this decentralized? Yeah. That's basic decision of organizations, enterprises, and how to work together. This is the first point. The second point is, is yeah, let me say less flexibility because it's not more centralized. Yeah. If something is centralized, it's controlled by one or less organizations. If it's more decentralized, a lot of issue talk about how to integrate in such an infrastructure Third. Yeah. Let me say that's a migration path over years. Yeah. To integrate the existing identity management systems that controls customers might be also devices.
Yeah. Thank you. And to integrate the existing IM systems like systems systems with with that new approach. Yeah. In line with the IDAs regulation because it's the only way to use these standards. Yeah. To have a chance to chance to get the inter-operability in in, in place. Yeah. So last but at least it takes time. Yeah. I think that's clear and we are convinced it's not a question of talking about it. Yeah. And creating only new protocols and standards. It's also only the only way in that path is to simply do it. Yeah. And we started that with community in a, in a pilot and we can encourage you to do the same. Same if you have use cases and similar ideas. Thank you very much.
Do we have any questions in the audience? Please raise your hand. Yeah.
The e i by the EU is supposed to be implemented within one, one and a half year. Yes. So how do you see that?
Yeah. I wouldn't expect that we are really able to make this market change in the next early year. We will be able to, for instance, provide a wallet application for the government that gives you your driver license or your personal ID card in a wallet application in two or three years. Well that's a really interesting time. A roadmap. But but that's not the change that needs, not the challenge. The challenge is to create use cases on these new on bring much more attributes to the relying parties and into digital personalized digital services. That's the reason my, my give you raise is to you be flexible. Yeah. This 2.0 is absolutely standardized with a high governance framework but not so flexible as relying parties need to be or ask for. And that's the reason need to be flexible and be the second one. Be time market, don't wait for for AI 2.0 and then take your opportunities. So go with your customers the way to mobile authentication and go to your with their customers to present the mirror. More data on the mobile and convenience rate.
Thank you. Another question in the audience. Okay.
Hello. I, I read about an ADAS proposal that they force some industries to accept the E I d. So in one and a half years it appears and if they force, what will happen to a small bank who just ignored this? Are there some penalties like gdpr, like 4% of whatever? What, what are the enforcement tools of the eats to enforce this?
That's a little bit of,
I don't know. I dunno
That's that's a regulation aspect. Yeah. I think it's the same in everything. Ticketing and digitalization is not one day and after this day everything is changed. So digitalization means you will be need to, you adapt processes and it will be able to give with your analog personal ID card to bank to open a bank account as well to go with the wallet. And this is what, what, what is relevant is that a bank need to be aware to support these wallet application in three years, I would expect. Yeah. That is what they, and so they have additional process to open a bank account.
Yeah. I think some p later the first client will come with the need to integrate a server that service. And it's not a single person, it's the institution. They say, Hey, we want to integrate with with, with that standard. Yeah. And I think to have concepts on the table to start as, as needed. Yeah. And I think the, the, the pressure comes from the market itself. Yeah.
Thanks Dominic. Ewe for your insights.