As the European Union moves towards a unified digital identity framework under eIDAS 2.0, organizations across the EU have to prepare to integrate with the European Digital Identity (EUDI) Wallet. A difficult-to-time transition, as the legal and technical framework for the EU digital identity still seems to be forming and changing, while heading towards its very definite deadline.
Parties that want to issue and or verify (Q)EAAs (Qualified Electronic Attestations of Attributes) will be dependent on understanding both the EU and national legislation, while also navigating the technical framework setup to ensure interoperability between countries, services, and wallets. A daunting task, as can be seen from following the Large Scale Pilot projects (where government and commercial stakeholders from different member states collaborate to pilot different international use-cases). The big question that's emerging under relying parties seems to be 'to build or to buy', when it comes to complying with eIDAS 2.0.
To build
Any organization with a development team, might be considering to extend their infrastructure themselves. In the end, although it currently might seem like a lot of complexity, what is actually changing with eIDAS 2.0 is not that groundbreaking from the relying parties perspective. Assuming your current software handles verification in a certain way, to align with EUDI you would only have to add this secondary method of verification, the EUDI Wallet. An EUDI Wallet will be provided by each member state, and will adhere to specific standards and protocols to ensure a pan-european identity layer. Certain relying parties will need to be able to verify the identity documents from the EUDI wallet (for example government agencies and banks) while others may choose to do so for the benefits it brings.
There are resources to assist with this. The EU commission has provided a guideline on standards and protocols through the Architecture Reference Framework (ARF). The EU Commission also provided a number of public reference code repositories, including libraries for issuance and verification, and a reference wallet. Most work that is being done on the national and international level is being done out in the open, so there are plenty of resources and working groups for interested parties to stay informed of the progress.
Unfortunately in that last point also lies the difficulty in choosing to develop a solution yourself. The definition and implementation of EUDI is all happening in parallel. To start building, it will require either patience until all has been figured out, or dedication in following all new developments and a flexible approach in supporting different draft specifications, and a lot of interoperability testing.
The Architecture Reference Framework is not legally binding, and although anyone working on EUDI solutions likes to think they know what will happen, in actuality a lot is still being iterated on. For example, the first version of the implementing acts mention W3C credentials and mDOC, while the ARF mentions SD-JWT VCs and mDOC, many builders choose to follow the latter in the assumption the former will be updated. Another example is that there is still no final say on what trust methods will be accepted, and whether something like the European Blockchain Services Infrastructure (EBSI) will play a part within the impelementation of eIDAS 2.0 or not. Building your own solution will feature many of these questions, and a constant iteration to support, not to support, or to wait.
Therefore, while definitely an option, the biggest obstacle for institutions to build their new identity components themselves is the projected instability of the coming years. If an organization has the time and the desire to grow expertise on the identity standards, building is a solid option. The 2026/2027 deadline to support the EUDI Wallet will be too early for some organizations to simply wait it out or dedicate the needed resources.
To buy
Several organizations already provide services and solutions for integrating with the EUDI Wallet. Many of these tech partners, including Paradym, have been active in decentralized digital identity long before eIDAS 2.0 regulations and implementing acts were established. Paradym, for example, offers an API and dashboard solution for issuing and verifying (Q)EAAs. Our team is involved with several EUDI Wallets, standards and protocol feedback and definition, and open-source implementation of standards. Staying on top of every development and change is not a daunting task or obstacle for us, it's our core business.
One of the biggest challenges of a DIY approach is navigating the evolving regulatory landscape, where ongoing changes can create instability. This is where a SaaS solution or tech partner becomes invaluable. A well-designed service continuously adapts to new regulatory updates and technical standards behind the scenes, ensuring compliance without disrupting your core functionality. This allows your organization to focus on EUDI integration while staying future-proof. Topics like ZKPs and post-quantum crypto will likely not be solved in time for the launch of the EUDI wallet, so to achieve ongoing alignment using a third party can be a way to reduce your ongoing investment in the standards. It is unusual with EU legislation but we already know there will be updates in the eIDAS 2 legislation, so ongoing alignment will be an important factor in determining wheter to build or to buy.
There are, of course, also downsides of using a SaaS to integrate with EUDI. The market is new and evolving, meaning it is important to ensure any intermediate service is mature enough to handle your infrastructure needs. Here are some elements to look out for:
- Feature completeness. A young market means many products that might seem to have it all, but are actually laying the tracks as they drive. Make sure you discuss your use case and requirements in depth beforehand.
- Experience. Standards are helpful, but in practice a lot of mistakes are being made in adhering to them and testing interoperability. If you are outsourcing your identity infrastructure, the team behind that needs to be experts on the standards and systems in place.
- Suitable for enterprise. Make sure any service you use can handle the load you are expecting, and offers different deployment options (like on-premise deployment) to make sure they are mature enough to handle your scaling long term.
Keeping everything in-house definitely has its benefits. However, if you want to get ahead in eIDAS 2.0, without dedicating a full team to understanding the topic, using a service might be the way to go.
Conclusion
Whether you build or you buy, it's important to remember that eIDAS 2.0 is more than an obstacle or deadline to get past, if handled right it's a revolutionary step in security, user-experience, and user-control. Using verifiable credentials will enable relying parties to finally update and automate identity verification to match modern business processes. It will enable governments to lift the stigma of cumbersome forms and unclear registrations. It will enable people to handle crucial moments in their lives with ease, instead of with effort. In the end, each institution will have to figure out their strategy for complying with, or making an opportunity out of, eIDAS 2.0.
