Researchers are increasingly focused on the complex interplay between emerging digital identity technologies and evolving European regulations. Nacereddine Sitouah, Marco Esposito, and Francesco Bruschi, all from the Polytechnic University of Milan, investigate how Self-Sovereign Identity (SSI) models can be accommodated within the forthcoming eIDAS 2.0 framework, building upon the foundations of earlier legislation like the 1999/93/EC directive. This analysis is significant because current eIDAS 1.0 has faced criticism for its limitations, and SSI offers a potentially transformative, decentralised approach to digital identity, but successful integration requires careful consideration of control, privacy, and legal implications. Their work identifies legislative gaps and assesses the alignment of the European Digital Identity Architecture and Reference Framework with core SSI principles, offering crucial insights for policymakers and technologists alike.
The research team identified both opportunities and challenges for integrating decentralized identity paradigms into a traditionally centralized system, revealing a critical need to reconcile the objectives of eIDAS 2.0 with the core principles of SSI, particularly concerning user control, privacy, and legal accountability. Researchers consolidated diverse sources of SSI properties into coherent evaluation categories, then concretized these into criteria for systematic assessment and compliance studies.
This rigorous approach enabled a detailed comparative analysis of both centralized and decentralized technologies, providing a clear benchmark for evaluating the alignment of eIDAS 2.0 with SSI ideals. Current digital identities broadly fall into two categories: self-generated online accounts lacking legal weight, and formally recognised regulated identities like bank accounts and government-issued eIDs. The existing infrastructure presents inherent risks, including data exploitation and a power imbalance favouring identity providers.
The European Commission’s response, including the General Data Protection Regulation (GDPR) and the initial eIDAS 1.0 framework, aimed to address these concerns, but limitations remained. The subsequent eIDAS 2.0 regulation, amending the original framework in 2024, sought to enhance interoperability and security across member states. The emergence of Blockchain networks and Distributed Ledger Technologies (DLTs) offered a potential solution, paving the way for decentralized applications and SSI models, which empower individuals with complete control over their digital identities. However, the team discovered inherent conflicts between SSI objectives and certain aspects of eIDAS 2.0, necessitating a thorough investigation into compatibility and potential adjustments. This research meticulously consolidated contextually relevant SSI properties from diverse sources, categorising them to establish a coherent evaluation framework for assessing alignment. The team concretized these properties into specific criteria, enabling a systematic assessment and compliance study of digital identity systems. This approach enabled a detailed examination of how various technologies align with both eIDAS 2.0 and SSI principles, revealing areas of synergy and conflict.
The study then applied this evaluation framework directly to eIDAS 2.0 and its Architecture and Reference Framework (ARF), systematically assessing the regulation against the established SSI criteria. This rigorous evaluation identified potential tensions and conflicts between the two approaches, pinpointing specific areas requiring attention. Furthermore, the work pioneered a guidelines framework designed to facilitate the integration of SSI concepts into regulated European digital identity systems. This involved identifying specific adjustments to enhance alignment and address identified conflicts, offering practical solutions for policymakers and practitioners.
Initial screening revealed 18 duplicate records, reducing the dataset to 254 entries. Further analysis excluded 148 records due to format or relevancy issues, and an additional 79 records failed to meet established inclusion criteria. This rigorous process ultimately yielded a final dataset of 33 records for full-text analysis. Of these, 19 records critically evaluated eIDAS 2.0 compatibility with SSI, while 14 records proposed solutions or interpretations of the regulation.
The analysis revealed a significant inconsistency within the existing literature regarding SSI compatibility with the amended eIDAS 2.0 framework. Prior to the amendment, researchers frequently assumed SSI would be recognized under eIDAS 2.0, a prediction stemming from ambiguities in both eIDAS 1.0 and early drafts of eIDAS 2.0. Their work indicates that while the European Digital Identity Wallet (EUDIW) represents a step towards SSI, it does not fully meet existing privacy commitments. Researchers suggest prioritizing Privacy Enhancing Techniques (PETs), such as Zero-Knowledge (ZK) proofs, network layer anonymization, and anonymous credentials, for EUDIW implementation.
The findings confirm that regulatory bodies should enforce the use of PETs, as conventional cryptographic methods may conflict with General Data Protection Regulation (GDPR) requirements. Kutylowski et al. assessed the importance of PETs, particularly in cases involving whistleblowers, finding that current ARF-suggested pseudonymisation techniques are traceable and could lead to unjust retaliation. Moser et al. proposed a bridging solution leveraging ZK proofs to achieve eIDAS-compliant, GDPR-preserving digital signatures for blockchain-based SSI systems. eIDAS 2.0 builds upon earlier directives, notably the Electronic Signatures Directive 1999/93/EC and the initial eIDAS 1.0, aiming to establish a more comprehensive and interoperable system for digital identification across the European Union. The study employed a combination of conceptual, analytical, comparative, systematic, and normative analysis to evaluate eIDAS 2.0 against the principles of SSI.
A detailed examination of the regulation and its accompanying documentation revealed legislative gaps and potential implementation challenges, particularly concerning the alignment with user-centric identity models. The analysis highlights the importance of balancing security and privacy within digital identity management systems, emphasizing the need for robust access control, identification, authentication, and authorization procedures. Acknowledging the current prevalence of centralized and federated identity models, the authors note their inherent limitations, such as single points of failure and restricted attribute verification. The research suggests that SSI offers a potential pathway towards greater user control and reduced reliance on intermediaries, although practical implementation requires careful consideration.
👉 More information
🗞 Self-Sovereign Identity and eIDAS 2.0: An Analysis of Control, Privacy, and Legal Implications
🧠 ArXiv: https://arxiv.org/abs/2601.19837
