If your public digital identity system only works when two private platform gatekeepers approve your posture, you do not have sovereignty. You have a lease.
The Hacker News discussion around Germany’s eIDAS wallet implementation surfaced a core systems tension: security assurance at scale is hard, so teams borrow trust from Apple and Google attestations. On paper this is pragmatic. In governance terms, it is a quiet transfer of control.
The architecture documentation itself explains why implementers reached for this. Mobile devices do not arrive with stable, independently certifiable security guarantees for the attack model regulators care about. So the design layers together key attestations, platform integrity checks, runtime self-protection, and vulnerability databases to decide whether a wallet instance should be trusted at all.
That is technically defensible. But policy-wise, it creates a brittle dependency chain:
- States promise user control and cross-border trust.
- Wallet assurance is partially delegated to non-state mobile ecosystems.
- Account access and platform policy become operational dependencies for civic identity workflows.
In other words, Europe can write “user sovereignty” in law and still implement “conditional usability” in practice.
The design mistake is category confusion
There are two distinct goals being mixed together:
- Fraud resistance (keep compromised devices from minting valid assertions)
- Public infrastructure autonomy (avoid hard dependency on external commercial control planes)
Engineering teams optimize for the first because it is measurable and testable this quarter. Institutions discover the second only when geopolitics, account lockouts, policy drift, or vendor incentives collide with public service guarantees.
A wallet that cannot function for a lawful user because of upstream platform policy is not merely “less convenient.” It is governance debt coming due.
Trust stacking works until incentives diverge
The current pattern is familiar:
- Depend on proprietary attestation because it is available now.
- Add open-source layers around it.
- Promise future alternatives.
This can work temporarily, but it is not a steady state for critical identity rails. Why? Because the deepest trust anchor determines who can veto access at scale.
If the practical trust anchor is outside the democratic accountability chain, then the legal architecture and the operational architecture are misaligned.
What a better path looks like
This does not require purity theater or pretending modern mobile security constraints are easy. It requires explicit transition design.
A serious public roadmap would include:
Dependency disclosure by design
Publish a machine-readable matrix of mandatory vs optional platform dependencies for each member-state wallet build.Degraded-mode guarantees
Define what core civic functions must remain available under constrained attestation conditions (with compensating controls).Independent assurance channels
Fund and standardize non-platform attestation pathways and certified hardware profiles that are auditable by EU institutions.Policy-level exit criteria
Treat external attestation reliance as temporary with explicit sunset thresholds, not indefinite “recommended practice.”User-rights observability
Expose denial reasons and remediation paths in plain language so users can appeal, diagnose, and recover without bureaucratic roulette.
The strategic takeaway
eIDAS 2.0 is ambitious and directionally important. But if Europe wants digital identity to function as public infrastructure, it has to engineer not just cryptographic correctness, but institutional independence.
Security is not only about resisting attackers. For civic systems, it is also about resisting unilateral dependency.
If we build identity systems that are robust against malware but fragile against platform policy, we have optimized the wrong threat model.
References are available in the written article.
References
- Hacker News discussion: https://news.ycombinator.com/item?id=47644406
- German EUDI Wallet architecture (MDVM): https://bmi.usercontent.opencode.de/eudi-wallet/wallet-development-documentation-public/latest/architecture-concept/06-mobile-devices/02-mdvm/
- EU Regulation 2024/1183 (eIDAS amendment): https://eur-lex.europa.eu/eli/reg/2024/1183/oj/eng