In the evolving landscape of digital identity, the Italian Digital Wallet (IT-Wallet) stands out as a pioneering initiative that exemplifies a holistic approach to integrating legal requirements with innovative technical solutions. This paper aims to explore the comprehensive strategy behind the IT-Wallet, focusing on how it meets the legal frameworks provided by the new eIDAS regulation. The eIDAS regulation has been instrumental in establishing trust and security for electronic transactions across the European Union. The IT-Wallet project goes a step further by analyzing these legal requirements and translating them into technical solutions that enhance security and privacy. We will delve into a specific example such as Person Identification Data (PID) Issuance, showcasing the technical implementations that address these legal mandates.
In this paper, we have analyzed the delta of changes that the Parliament legislative resolution
made on the eIDAS Regulation, also approved by the European Council considering:
• The European Parliament legislative resolution of 29 February 2024 [
In Section 2 we provide an analysis of the Legislative text and a methodology to classify the Legal text into requirements. Therefore, in Section 3 we focus on the PID Issuance phase extracting a subset of items that are relevant to PID Issuance. Then, we provide an overview of the Italian PID Issuance Flow in Section 4 highlighting how the Italian implementation profile aligns with the relevant regulatory framework. Finally, in Section 5, we summarize the main results.
The new eIDAS 2.0 regulation is composed of three main parts, these are:
Recitals. They provide the background, rationale, and objectives behind the eIDAS Regulation
[
Articles. They outline the obligations, rights, and procedures for Member States, entities, and individuals. We found very important changes (3 Deleted, 10 Replaced, 24 Amended, and 33 Inserted) as summarized in Table 1.
Annexes. They include practical details necessary for compliance with the regulation. Delving into the Annexes we found a few changes in the first four annexes and, in addition to these, four new Annexes (see Table 2). In particular: • “Annex V ”, provides requirements for Qualified Electronic Attestation of Attributes (EAAs). • “Annex VI ”, contains the list of the required user attributes to be implemented. • “Annex VII ”, contains requirements for EAAs issued by or on behalf of a Public Body responsible for an Authentic Source. • “Annex To The Legislative Resolution” contains two statements, one containing considerations for web browser vendors and another one about the untraceability of wallet users, that aims to prevent data collection by wallet providers. 1The distinction between normative and informative elements in EU legislation, including the role of recitals, is a well-established aspect of EU legal doctrine. This understanding is derived from the jurisprudence of the Court of Justice of the European Union (CJEU) and the practices of legal interpretation within the EU. The CJEU often refers to recitals when interpreting the provisions of EU legislation to understand the intentions of the legislature and the context of the laws.
After reviewing all the articles and annexes, we categorized them by items and classified each item according to its related subject and scope. Subjects we identified are: European Commission, EUDI Wallets, Member States, and Relying Parties. The scopes we defined are: Governance, Issuance, Presentation, and Wallet Solution.
In our matrix, we also included additional elements (e.g. requirements currently fulfilled, planned in the roadmap, project constraints, and additional notes) to better manage our national wallet implementation and our national milestones. This work resulted in the analysis of the delta of changes in the eIDAS regulation from an implementation perspective and also a selfassessment matrix that aims to guide us in our developments about the national wallet solution. An extract of this classification matrix is given in Table 3 where for the sake of simplicity we omitted elements related to our national wallet implementation.
The classification of the items has clarified the distribution of normative elements across the distinct domains of the wallet ecosystem. As depicted in the pie chart in Figure 1, a significant proportion is attributed to the governance of the ecosystem. Within the scope of Governance, we have further delineated sub-categories encompassing general aspects related to certification and accreditation procedures and roles, wallet provisioning, and the security framework, among others. Additionally, we have identified items related to the characteristics of the wallet solution, the issuance of digital credentials, and the presentation of digital credentials.
In Appendix A, Tables 6, 7 and 8, we summarize the relevant requirements extracted by the regulation and related to Issuance, Presentation and Wallet Solution, respectively.
European Digital Identity Wallets shall be provided in one or more of the following ways: (a) directly by a Member State; (b) under a mandate from a Member State; (c) independently of a Member State but recognised by that Member State.
Member State shall inform users, without delay, of any security breach that could have entirely or partially compromised their European Digital Identity Wallet or its contents, in particular, if their European Digital Identity Wallet has been suspended or revoked pursuant to Article 5e.
European Digital Identity Wallets shall, in particular: (a) support common protocols and interfaces: [. . . ] (i) for issuance of person identification data, qualified and non qualified electronic attestations of attributes or qualified and non-qualified certificates to the European Digital Identity Wallet; European Digital Identity Wallets shall, in particular: (a) support common protocols and interfaces: [. . . ] (ii) for relying parties to request and validate person identification data and electronic attestations of attributes;
This section delves into the process of identifying and translating legal requirements into technical specifications for the PID issuance phase. The starting point was a comprehensive analysis of the European Digital Identity Wallet regulation, specifically Article 5(a). From this extensive set of provisions, a subset of items directly relevant to PID issuance was carefully extracted.
The identified legal requirements, outlined in Table 4, form the foundation for the technical development of the Italian PID issuance process. These requirements encompass essential aspects such as: • Security and Selective Disclosure: Ensuring user control over personal identification data and enabling selective disclosure. • Protocols and Interfaces: Supporting standardized protocols and interfaces for PID issuance. • User Onboarding: Facilitating secure user onboarding using electronic identification means. • User Identification and Association: Guaranteeing the unique representation of the user and linking their identity to the European Digital Identity Wallet.
By focusing on these core elements, the subsequent Sections aimed to develop technical solutions that efectively address the legal mandates while implementing the PID issuance process for Italian citizens.
This Section examines how the Italian implementation profile of the Wallet [
Selective Disclosure JWT (SD-JWT) [
Requirement R1 mandates that European Digital Identity Wallets enable users to securely request, obtain, and control their personal identification data, allowing for selective disclosure. The SD-JWT-VC format directly supports this by: • Selective Disclosure: The data model allows for granular control over which attributes within the PID are revealed in a given presentation. This ensures that only necessary information is released, protecting sensitive data from unnecessary exposure. European Digital Identity Wallets shall enable the user, [. . . ], Art. 5a(4)(a) to securely request, obtain, [. . . ], under the sole control of the user, person identification data [. . . ], while ensuring that selective disclosure of data is possible European Digital Identity Wallets shall support common protocols and interfaces for issuance of person identification data, qualified and non-qualified electronic attestations of attributes or qualified and non-qualified certificates to the European Digital Identity Wallet; European Digital Identity Wallets shall support common protocols and interfaces to securely onboard the user by using an electronic identification means in accordance with Article 5a(24) European Digital Identity Wallets shall ensure that the person identification data, which is available from the electronic identification scheme under which the European Digital Identity Wallet is provided, uniquely represents the natural person, legal person or the natural person representing the natural or legal person, and is associated with that European Digital Identity Wallet • Cryptographic Key Binding: Each PID is bound to a specific Wallet Instance through a cryptographic key. This binding mechanism provides a strong guarantee of possession, as it ensures that only the rightful holder of the corresponding private key can present the PID. • Data Minimization: The requirement for a minimum dataset reduces the amount of personal data collected and stored, aligning with data protection principles.
Requirement R4 stipulates that the PID data uniquely represents the user and is associated with the European Digital Identity Wallet (EUDIW). The SD-JWT-VC format fulfills this requirement through: • Unique Identification: The data model includes attributes that collectively and uniquely identify the user, ensuring that each individual has a distinct digital identity within the system. • Association with EUDIW: The cryptographic key binding ties the PID to a specific Wallet Instance, efectively linking the user’s identity to their EUDIW. This association is crucial for maintaining data integrity and preventing identity fraud.
In conclusion, the SD-JWT-VC data format for the Italian PID efectively addresses the core aspects of requirements R1 and R4. By providing mechanisms for selective disclosure, cryptographic key binding, and unique user identification, this format contributes to a secure, privacy-preserving, and reliable PID issuance.
1. Registration with Federation API Endpoints [
The Wallet Instance checks that the PID Provider is a trusted entity. 4. User Requests PID: The user initiates the process by requesting a PID. 5. User Authentication: This step ensures that the user’s identity is verified through the national digital identity system. 6. PID Issuance: Finally, this step completes the process by providing the Wallet Instance with a valid user’s PID.
This flowchart highlights the intricate interactions between various systems to provide a streamlined and secure identity verification process. It underscores the importance of user privacy and data integrity at each stage of authentication and registration.
Focusing on steps 4, 5 and 6, we go into more technical details regarding the protocol used
for the issuance of PIDs (see Figure 3). It follows the OpenID for Verifiable Credential Issuance
specification (OID4VCI) [
• OpenID Federation 1.0 [
The process is designed to be secure and eficient, ensuring that users can obtain their digital
identities with minimal friction. Key steps in the PID issuance process can be summarized as:
• Authorization Phase, in which the Wallet sends a Push Authorization Request (PAR) to
the PID Provider. It authenticates the client through the Wallet Attestation and establishes
trust by building the Federation Trust Chain related to the Wallet Provider. These checks
are crucial in preventing fraudulent activities and ensuring the integrity of the digital
identity ecosystem. PKCE [
To do this, it rfist obtains a DPoP sender-constrained Access Token [
The comprehensive mapping of technical solutions to legal requirements, as presented in Table 5, underscores the critical alignment between technological advancements and regulatory frameworks. This alignment is essential for ensuring the security, privacy, and trustworthiness of digital identity systems.
The table highlights several key contexts, such as security and data protection, transparency support, and user onboarding, each associated with specific legal references like the eIDAS Regulation and GDPR. The technical mechanisms demonstrate compliance with these legal requirements, ensuring robust and secure digital identity verification processes.
This paper has presented a detailed examination of the Italian Digital Wallet (IT-Wallet) initiative, showcasing how it successfully bridges the gap between the legal requirements set forth by the eIDAS 2.0 regulation and innovative technical solutions. Through a meticulous analysis of the regulatory framework and its implementation, several key findings emerge: 1. Comprehensive Regulatory Analysis: The study’s classification of legislative text provides valuable insights into the distribution of normative elements across the wallet ecosystem, with a significant proportion attributed to governance. This classification serves as a crucial tool for policymakers and implementers to ensure comprehensive compliance. 2. Efective Technical Implementation : The IT-Wallet’s approach to Personal Identification Data (PID) issuance demonstrates a robust alignment with key regulatory requirements. The adoption of the SD-JWT-VC data format and the implementation of a secure issuance flow, leveraging protocols such as OpenID for Verifiable Credential Issuance (OID4VCI), showcase how technical solutions can efectively address legal mandates. 3. Privacy and Security Focus: The implementation details reveal a strong emphasis on user privacy and data security. Features such as selective disclosure, cryptographic key binding, and user-controlled data management align closely with the eIDAS 2.0 principles of data minimization and user empowerment. 4. Interoperability and Standardization: The IT-Wallet’s adherence to common protocols and interfaces, as mandated by eIDAS 2.0, contributes to the broader goal of creating an interoperable digital identity ecosystem across the European Union.
The IT-Wallet initiative serves as a prime example of how regulatory compliance can drive innovation in digital identity solutions. By carefully mapping technical mechanisms to legal requirements, the project demonstrates the feasibility of creating a secure, privacy-preserving, and user-friendly digital identity wallet that meets the stringent standards set by eIDAS 2.0.
Future research could explore the practical implications of widespread adoption of such wallets, including user acceptance, cross-border interoperability challenges, and the evolving landscape of digital identity threats. Additionally, comparative studies with other national implementations could provide valuable insights into best practices and areas for further harmonization across the EU.
In conclusion, the Italian Digital Wallet project ofers valuable lessons for policymakers, technologists, and identity providers across the EU. It exemplifies how a thoughtful approach to regulatory compliance can result in technical solutions that not only meet legal requirements but also advance the state of the art in digital identity management.
This work was conducted within the framework of the IT-Wallet Government Initiative, a project of national significance aimed at advancing digital identity solutions in Italy. The authors would like to express their sincere gratitude to all the stakeholders involved in this ambitious endeavor. Special acknowledgment goes to our collaborators at Fondazione Bruno Kessler (FBK) for their invaluable technical expertise and research contributions. Their insights have significantly enhanced the robustness and eficacy of the IT-Wallet solution. We also wish to thank PagoPA S.p.A. for their crucial role in this project. The synergy between governmental bodies, research institutions, and public-service companies exemplified in this project demonstrates the power of collaborative eforts in addressing complex challenges in digital identity management. This cooperation has been essential in bridging theoretical concepts with practical implementations, ultimately contributing to the advancement of digital services for Italian citizens.
Wallet shall enable the user to generate pseudonyms and store them encrypted and locally within the Wallet Issuance of person identification data, qualified and non qualified electronic attestations of attributes or qualified and non-qualified certificates to the European Digital Identity Wallet Possibility of implementing electronic attestation of attributes with embedded disclosure policies to be applied when interacting with RPs (the Wallet must support) Person Identification Data (PID) uniquely represents the natural person, legal person or the natural person representing the natural or legal person, and is associated with that European Digital Identity Wallet PID/EAA Providers are not allowed in tracking user behaviour or knowledge of transactions of the user privacy preserving techniques which ensure unlinkability, where the attestation of attributes does not require the identification of the user