The RECITALS project is a three-year Horizon Europe Innovation Action that pioneers the development of a privacy-by-design, open-source platform for secure digital identity and data sharing. By integrating logic-based reasoning for compliance automation, explainable AI, and privacy-preserving technologies, RECITALS advances legal, secure, and transparent data exploitation across sectors. It leverages a Knowledge Graph approach combined with logic-based reasoning to ensure that decisions regarding identity lifecycle management and data governance are aligned with European regulations such as GDPR, eIDAS, NIS2, and the AI Act. Central to RECITALS is the implementation of self-sovereign identity solutions that place control in the hands of the user, enhanced by compliance and explainability mechanisms. The platform's deployment in real-world use cases -- from the energy, telecommunications, and healthcare sector - demonstrates its ability to reason over complex policies, explain automated decisions, and enforce compliance through interoperable infrastructures. RECITALS started on January, 2025 and will be concluded on December 2027, bringing together a consortium of 10 partners from 8 EU countries, with the aim of delivering a comprehensive open-source platform for resilient secure digital identities.
The RECITALS project1 stands at the forefront of advancing and implementing cutting-edge
privacypreserving technologies aimed at enabling secure and legally compliant data exploitation. It incorporates
a suite of state-of-the-art tools, including cryptographic anonymous credentials, homomorphic
encryption, secure multiparty computation, and diferential privacy [
RECITALS underscores the paramount significance of trusted digital identities, aligned with the
European eID and forthcoming eIDAS regulations [
RECITALS addresses the complexity of privacy-preserving data management across three use cases
with diverse organizational models in the energy, telecommunications, and healthcare sectors. The
proposed solutions are not only innovative but also practical, undergoing rigorous validation and pilot
testing in real-world, federated data infrastructures to ensure their efectiveness and adaptability. To
enhance user trust in AI-driven processes, RECITALS provides the explAIner component, a library
of state-of-the-art xAI methods [
In this context, RECITALS aims to deliver a highly eficient and scalable open-source platform tailored for both industrial and scientific applications that require privacy-preserving data sharing and identity management. With a robust privacy-by-design architecture, the platform is engineered to resist advanced and AI-driven cyber threats, comply with EU regulations, and provide value-added services for a broad spectrum of use cases.
In the following, we delve into the main objectives of RECITALS, the architecture of its open-source platform and the partners comprising its consortium.
The RECITALS project is driven by a vision to enable secure, privacy-preserving, and regulationcompliant data sharing and identity management across critical sectors. The primary goal of RECITALS is to design an open-source, privacy-by-design platform that supports next-generation data sharing and identity management. This platform is tailored for resilience and full compliance with evolving European regulations, such as GDPR, NIS2, and the AI Act. RECITALS integrates fundamental but common operations for privacy-preserving data sharing and identity management into modules that facilitate the development of diverse applications through a library of state-of-the-art techniques. On top of these modules, the project aims to develop advanced services that support industrial-strength applications with automated compliance capabilities. These services are specifically designed to meet the requirements of domain-specific EU regulations and ensure seamless deployment across varied operational contexts. Special care is taken to identify and mitigate common and AI-powered threats against these services through the cybersecurity component. This component protects the platform’s core infrastructure as well as its value-added services, guaranteeing security across the data lifecycle.
To validate these developments, RECITALS demonstrates the platform’s potential in real-world business scenarios within the energy, telecommunications, and healthcare sectors. These use cases are not only critical from a cybersecurity perspective but also serve to test the platform’s usability, interoperability, and efectiveness in diverse data-sharing environments.
RECITALS aligns with the European Commission’s Increased Cybersecurity Destination of the Strategic Plan 2021–2024, contributing to enhanced data protection, network security, and technological sovereignty across the EU. The project aims to achieve tangible impacts, including improved software, hardware, and supply chain security, and the creation of a cybersecurity culture through interdisciplinary collaboration and stakeholder engagement. RECITALS envisions a strengthened EU cybersecurity posture and sovereignty in digital technologies. It promotes privacy-by-design architectures and interoperable standards to ensure that infrastructures and processes remain resilient against emerging threats. By aligning its goals with the European cybersecurity initiatives and engaging with a wide range of stakeholders, RECITALS lays the foundation for smart and qualified security assurance and certification that is shared across the EU.
This is the backbone of the RECITALS platform, with its modules providing the fundamental operations
that lay the ground for the more complex services. At its heart lies the Distributed Ledger, which
establishes a decentralized and immutable foundation for all transactions and records [
Complementing the ledger is the Identity Lifecycle Manager, which governs digital identities throughout their entire lifecycle, from creation to deactivation. It ensures regulatory and organizational compliance via audit and reporting functionalities and enforces policy alignment through automated checks. Self-service capabilities empower users to manage their identities autonomously, while administrative tools centralize control. Notifications and approval workflows enhance user engagement and oversight, whereas built-in password and compliance management mechanisms mitigate security risks and promote adherence to EU standards.
Privacy and security are further strengthened through the Cryptography Manager, which incorporates state-of-the-art techniques such as diferential privacy, homomorphic encryption, secure multi-party computation, zero-knowledge proofs, and verifiable credentials. These tools enable secure computations on encrypted data, privacy-preserving authentication, and trusted identity assertions without compromising sensitive information.
In parallel, the Anonymization Manager applies rigorous data anonymization algorithms (e.g., kanonymity, l-diversity, t-closeness) to manage controlled data publishing, limiting disclosure through selective access and attribute generalization.
Ensuring that all operations conform to legal and regulatory expectations, the Compliance Manager
leverages knowledge graphs and logic-based reasoning, drawing on prior EU projects. It extends beyond
GDPR to encompass emerging frameworks like the DGA and NIS2, supported by extensible vocabularies
such as the Data Privacy Vocabulary [
To operationalize and extend RECITALS into real-world applications, a range of Value-Added Services will be developed on top of RECITALS Core. The main service is the intuitive user interface, which supports natural language interactions through LLMs, i.e., ChatBots. The LLM-based Interface is powered by a Retrieval-Augmented Generation framework, which ensures that outputs are grounded in factual and updated documentation. Thus, it bypasses the limitations of static LLM training by dynamically incorporating evolving RECITALS platform knowledge.
The Self-Sovereign Wallet gives users complete control over their identities and data through decentralized identifiers and verifiable credentials. This wallet enhances privacy and user autonomy while ensuring interoperability and ease of use with the LLM-based Interface.
The Privacy-Preserving Record Linkage enables secure identification of duplicate records across datasets
without revealing underlying sensitive data [
The Privacy-Preserving Federated Learning facilitates collaborative model training without
centralizing data [
Transparency in automated decisions is achieved through the explAIner component, which integrates explainable AI techniques such as Local Interpretable Model-agnostic Explanations, SHapley Additive exPlanations, Partial Dependence Plots, and Individual Conditional Expectation. These tools provide post-hoc interpretations of model behavior, supporting compliance with transparency mandates and enhancing user trust.
Domain-specific compliance is addressed through an extension of the Compliance Manager, targeting the energy, telecommunications, and healthcare sectors. This extension adapts the core compliance infrastructure with tailored vocabularies and validation rules for domain-specific use cases, facilitating operational deployment and reducing compliance overhead.
Finally, Privacy-Preserving Data Analytics enables the extraction of insights from sensitive data using
methods that combine encryption, aggregation, and quasi-identifier handling [
The responsibility for safeguarding the RECITALS platform against cyber threats lies with the Security Manager. This component performs two interlinked functions that are based on Cyber-Threat Analysis, i.e., an systematic overview of the most likely attacks for the RECITALS platform (e.g., AI-powered attacks, threats to identity). First, the Cyber-Threat Detector identifies threats through anomaly detection, signature-based recognition, behavioral analysis, endpoint monitoring, and centralized event correlation. These mechanisms can operate independently or in combination, often enhanced by machine learning for real-time threat identification.
Second, once threats are detected, the Cyber-Threat Orchestration, Automation, and Response module coordinates the necessary countermeasures. It leverages threat intelligence from standards and opensource sources, such as SIGMA rules and the MITRE framework, to automate response workflows and dynamically adapt defenses. This enables RECITALS to maintain operational integrity and proactively manage evolving security risks.
The RECITALS project brings together a carefully selected consortium of 10 partners from 8 EU countries: Greece, The Netherlands, France, Portugal, Romania, Germany, Ireland, and Cyprus. The composition of the consortium was strategically designed to address the multifaceted challenges associated with the development of the RECITALS platform, combining expertise, diversity, and cohesion.
A critical design consideration was the balance between academic and industrial perspectives. The consortium comprises five well-established academic institutions and five industrial organizations, creating an ideal synergy between theoretical innovation and real-world applicability. The academic partners include the National and Kapodistrian University of Athens (NKUA), the Delft University of Technology (TUD), the Université Paris Cité (UPC), the Leibniz University of Hannover (LUH), and the Dublin City University (DCU). They are renowned universities with significant contributions to research in fields such as AI, cybersecurity, data management, and privacy preservation On the industrial side, the consortium includes two large companies, Public Power Corporation SA (PPC) and Orange Romania SA (ORO), the SMEs Projecto Desenvolvimento Manutencao Formacao e Consultadorialda (PDM) and the Center for Technology Research and Innovation (CETRI), as well as a major public-sector organization, the Hospital Do Espirito Santo de Evora EPE (HES).
This diversity ensures that the RECITALS platform is validated across a range of sectors, making the project highly adaptable and future-proof. In fact, each partner brings a distinct area of specialization, as shown in Table1, contributing to a comprehensive skill set that spans both research excellence and market-oriented implementation. The complementary backgrounds of the consortium members are a key strength of the project, ensuring that collectively, the consortium covers the full spectrum of competencies required for building a secure, privacy-respecting, and AI-enhanced identity management and data-sharing platform.
This project has received funding from the European Union’s Horizon Europe research and innovation programme under grant agreement No.101168490. The European Commision authority managing RECITALS project is the European Cybersecurity Compentence Center2. 2https://cybersecurity-centre.europa.eu/index_en
TUD
X X X X X
PDM
X X X
X X X
X X
X X
X X
X
During the preparation of this work, the authors used OpenAI GPT-4o for grammar and spelling check. After using this tool/service, the authors reviewed and edited the content as needed and take full responsibility for the publication’s content.