Electronic Attestations of Attributes under EU eIDAS

An electronic attestation of attributes, or EAA, is an attestation in electronic form that allows attributes to be authenticated. It can cover lower-risk or less sensitive documents where qualified status or a public-sector authentic source is not the point of the use case.

A qualified electronic attestation of attributes, or QEAA, is a qualified trust service: it is issued by a qualified trust service provider and must meet the eIDAS Annex V requirements. A separate category covers attestations issued by or on behalf of a public sector body responsible for an authentic source. An authentic source is the repository or system treated as the primary or legally recognised source for the attribute.

For wallet issuance, Commission Implementing Regulation (EU) 2024/2977 requires electronic attestations of attributes issued to wallet units to use at least one of the standards listed under the wallet core-functionality implementing regulation. Providers of electronic attestations of attributes must identify themselves to wallet units using a wallet-relying party access certificate and include the information needed to authenticate and validate the attestation.

The issuer record should therefore identify the attestation type, the issuer category, the wallet unit, the format or standard used, the authentication material presented by the issuer, and the validation information embedded in or referenced by the attestation. For qualified issuance, record the qualified trust service provider and the basis for treating the service as qualified rather than merely electronic.

A wallet user can request, obtain, store, manage, share, and present person identification data and electronic attestations of attributes under the user control model described in the wallet rules. In a service-provider flow, the provider requests specific data, the wallet shows the requested data to the user, and the user confirms before presentation.

Relying parties are not passive recipients. The amended eIDAS text makes relying parties responsible for authenticating and validating person identification data and electronic attestations of attributes requested from European Digital Identity Wallets. Commission guidance for service providers also says they must register in the Member State where established, state the data they intend to request, avoid requesting extra data beyond registration, identify themselves to users, and accept pseudonyms where identification is not legally required.

Validation should prove more than possession of a file. For EAAs and QEAAs, evidence should show that the issuer was authenticated, the wallet unit or presentation was valid for the transaction, the attestation carried information needed for authentication and validation, and revocation status was checked where the workflow relies on continued validity.

The eIDAS trust model makes trusted lists important for qualified trust service providers, and the wallet ecosystem extends the same operational habit to wallet providers, PID providers, QEAA providers, and service providers in Commission wallet guidance. The Architecture and Reference Framework also describes registry and certificate checks for attestation-provider authorisation and relying-party requests.

The amended eIDAS text gives all electronic attestations of attributes baseline evidentiary protection: they cannot be denied legal effect or admissibility as evidence solely because they are electronic or because they are not qualified. That does not make every EAA equivalent to a paper attestation.

The stronger paper-equivalence rule is limited to QEAAs and attestations issued by or on behalf of a public sector body responsible for an authentic source. For wallet privacy, relying parties should also account for selective disclosure, registered requested attributes, user approval, and the linkability risk described in the Architecture and Reference Framework.