Attribute Issuers in the European Digital Identity Wallet (EUDI) – Role, Requirements and Importance for KYC/AML

Every credential in the European Digital Identity Wallet (EUDI Wallet) originates from a specific issuer. These issuers include both public and private entities: a government authority signs core identity data, a university issues a diploma in a machine-readable format, and a qualified trust service provider certifies a professional license. These organizations, collectively referred to as credential issuers or attestation providers, form the foundation on which the entire EUDI ecosystem is built. The trust model of the EUDI Wallet relies on the access certificate – a crucial credential issued by a trusted registrar that enables relying parties to authenticate themselves and securely access the EUDI Wallet ecosystem, serving as proof of trustworthiness for secure data exchange and verification.

By the end of December 2026, all EU Member States must provide citizens with access to a European Digital Identity Wallet. The EUDI Wallet is a digital wallet provided to EU citizens, residents, and businesses, enabling secure access to digital services across the EU. It will include a ‘starter set’ of government-issued credentials, such as personal ID and driving licenses, and can also hold certificates from private bodies. The EUDI Wallet is designed to give users complete control over their personal data, allowing them to decide what information to share. At the center of this ecosystem are attribute issuers—entities responsible for issuing electronic attribute attestations that will transform the way identity verification works across the European Union. For regulated institutions such as banks, fintech companies, and insurers, understanding this concept is essential to preparing KYC/AML processes for the changes ahead. The regulatory framework and technical specifications for EU digital identity wallets are being shaped to ensure secure and seamless adoption across both public and private sectors.

This article explains what credential issuers are in the EUDI ecosystem, what categories of credentials they can issue, what eIDAS 2.0 requires of them from both a technical and legal perspective, and what steps organizations should take if they are considering taking on the role of an issuer. The European Digital Identity Framework and the European Digital Identity Regulation provide the foundation for the reference framework that underpins the EUDI Wallet, defining the architecture, standards, and protocols for secure, privacy-preserving digital identity solutions across the EU. Large scale pilot projects across Europe have tested and refined the EUDI Wallet, demonstrating its scalability and practical effectiveness in real-world scenarios. The EUDI Wallet also facilitates secure digital services for businesses, streamlining onboarding and compliance processes and empowering organizations with reliable digital credentials.

Key takeaways

Below is the essence of this article – the key information every compliance and digital identity professional should know.

• Attribute issuers are trusted entities that issue electronic attribute attestations (EAA) in accordance with the eIDAS Regulation and its amendment, eIDAS 2.0, forming the foundation of the EUDI ecosystem.
• By the end of December 2026, Member States must provide citizens with digital identity wallets containing qualified EAA. By the end of 2027, banks, credit institutions, and payment service providers will be required to accept wallets as a method of customer identity verification.
• The proper functioning of attribute issuers directly impacts the efficiency of KYC/AML processes by eliminating the need for manual document submission and reducing the risk of fraud.
• Users of the EUDI Wallet will have user control over their personal data, including the ability to share only necessary attributes through mechanisms like selective disclosure.
• Attributes such as age, citizenship, tax residency, or professional status can significantly streamline remote customer onboarding.

Who are attribute issuers and what do they do?

In the EUDI Wallet architecture, an issuer, formally referred to as an attestation provider or PID provider depending on what is being issued, is any public or private entity authorized to create, cryptographically sign, and deliver digital credentials to a user’s wallet. The user’s wallet is a secure digital container for verified credentials, attestations, and personal identification data, serving as the central component in establishing trust and authenticity within the digital trust ecosystem. The issuer is responsible for the accuracy and authenticity of the data contained in the credential, for maintaining its validity or revoking it when circumstances change, and for compliance with technical standards that ensure the credential is readable, trustworthy, and legally valid across the EU.

Unlike verifiers, who consume credentials to make decisions, issuers produce them. A credential issued by an authorized issuer carries a cryptographic signature that can be verified by any compliant wallet or relying party without direct contact with the issuer. The identity and authorization of the issuer are recorded in EU trust lists – publicly available registries that form the foundation of the trust framework across all Member States. These trust lists register trust anchors, which are foundational entities such as trusted list providers, wallet providers, and issuers. Trust anchors establish the trustworthiness and authenticity of attestations, wallets, and data sources, serving as authoritative references that validate identities, attestations, and system integrity.

In practice, issuers include national government authorities responsible for core identity documents, universities issuing digital diplomas, professional licensing bodies certifying membership, as well as private companies issuing lower-assurance credentials such as loyalty cards or event passes. The applicable rules and the level of legal effect carried by a credential depend entirely on the category of the credential issued.

Attribute issuers are trusted entities responsible for issuing electronic attestations linked to a specific person or organization. Within the digital identity ecosystem, they act as intermediaries that transform verified information into cryptographically secured digital credentials. Attribute issuers validate the user’s identity and enable users to securely present verified personal information within the European Digital Identity ecosystem. They also enable users to share only the necessary attributes of their data, supporting privacy through selective disclosure. When a user requests data from their wallet, they can choose to share only the necessary attributes rather than full sensitive documents, maintaining control and consent over which data is presented to verifiers and enhancing privacy and security.

Key characteristics and responsibilities of attribute issuers include:

• They may include various types of entities: public administration (population registers, vehicle registries, professional registers), universities, banks, professional chambers, and in the future selected private entities.
• They are responsible for the accuracy, timeliness, security, and authenticity of issued attributes—from age verification, through confirmation of citizenship, to professional licenses or driving entitlements.
• They must operate in accordance with Regulation (EU) No 910/2014 (eIDAS) and its amendment—Regulation (EU) 2024/1183, known as eIDAS 2.0 or EUDI.
• They are subject to national sectoral regulations and supervisory requirements, ensuring a high level of trust in issued credentials.
• They must implement mechanisms for revoking credentials when attributes become invalid (e.g., withdrawal of professional rights).

Attribute-based Access Control (ABAC) allows systems to grant access based on dynamic, granular policies rather than static user IDs. Attribute issuers create a dynamic security model by validating specific aspects of the user’s identity, enabling more flexible and secure access control without revealing unnecessary sensitive documents. In a federated system, attribute issuers provide attributes to a service provider only when needed, allowing access decisions without storing personal data. Attribute-based systems also support anonymous credentials, enabling users to prove they satisfy a policy without revealing specific data, further protecting user privacy.

In Poland, an important step toward the practical use of attributes is the mObywatel ecosystem. This application (especially in version 2.0) already enables the presentation of many attributes and may in the future serve as a primary data source for EAA issuers at the national level.

Legal framework for attribute issuers: eIDAS, eIDAS 2.0 and EUDI

The operation of attribute issuers is based on multi-layered EU regulations that create a coherent legal framework for electronic transactions and trust services across the European Union. Within this framework, qualified electronic attestations play a crucial role in trusted digital identity verification, providing high legal assurance and strict compliance standards. These attestations are essential for establishing trust in secure digital ecosystems, such as the EU Digital Identity Wallet, and rely on electronic signatures to guarantee authenticity and legal effect.

There are three main types of Electronic Attestations of Attributes (EAA):

• Qualified Electronic Attestations of Attributes (QEAA): Issued by Qualified Trust Service Providers, QEAA offer the highest level of legal assurance and are subject to rigorous audits and certification by conformity assessment bodies to ensure compliance with eIDAS and related regulations.
• Non-Qualified Electronic Attestations of Attributes (EAA): Issued by non-qualified Trust Service Providers, these do not guarantee the same level of legal assurance as QEAA but are still subject to oversight by conformity assessment bodies for compliance.
• Public Electronic Attestations of Attributes (PuB-EAA): Issued on behalf of public authorities, PuB-EAA are considered official documents and can include attestations of professional qualifications. They hold legal equivalence to paper-based documents and are recognized for formal verification purposes.

A comprehensive list of qualified and non-qualified trust service providers is maintained, such as the EU Trust List, to ensure legal compliance and provide up-to-date information about providers authorized to issue various types of electronic attestations.

The significance of legal acts, such as the European Digital Identity Regulation, is that personal documents and official documents are now recognized in digital form, ensuring their legal validity and equivalence to traditional paper-based versions.

Key legal acts and their significance

Legal act	Significance for attribute issuers
Regulation (EU) No 910/2014 (eIDAS)	Established the foundations for electronic identification and trust services, introducing security standards for qualified signatures and certificates
Regulation (EU) 2024/1183 (eIDAS 2.0)	Extends the framework to include the European Digital Identity Wallet (EUDI Wallet) and defines the role of attribute issuers
National regulations (e.g., electronic identification acts)	Adapt EU requirements to the specific context of each Member State

Obligations and timelines

The European regulation imposes a number of requirements on attribute issuers:

• Use of strong authentication mechanisms for users requesting attributes
• Protection of privacy through data minimization and selective disclosure
• Implementation of credential revocation mechanisms
• Ensuring technical interoperability enabling cross-border recognition of credentials and supporting secure cross border services
• Compliance with EU cybersecurity standards

Electronic Attestations of Attributes enhance interoperability and robust data protection, making them integral to the future of digital identity management across Europe.

The European Commission, together with relevant stakeholders and the European Digital Identity Cooperation Group, is working on unified attribute catalogues and certification schemes. The goal is to standardize issuer practices across the EU and ensure that an electronic credential issued in one country is recognizable and verifiable in other Member States.

Issuers vs. verifiers: division of roles in the ecosystem

The EUDI ecosystem is built on a clear separation of roles: issuers create and sign credentials, while verifiers (relying parties) request and validate them. This separation is fundamental both for the trust model and for the system’s privacy architecture. Secure, compliant, and interoperable software is essential for attribute issuers to generate cryptographically signed, tamper-proof attributes and for verifiers to reliably check them within the EUDI ecosystem. Digital wallets can also be used to electronically sign documents as part of onboarding and verification processes, streamlining electronic onboarding and identity verification. An organization may perform both roles simultaneously—for example, a hospital may issue patient-related credentials while also acting as a verifier when checking a patient’s identity—but the obligations for each role are regulated separately.

For issuers, the primary responsibility is data accuracy and lifecycle management of the credential: it must reflect truthful information at the time of issuance, and the issuer must revoke it if the underlying facts change. A licensing authority issuing a QEAA confirming a medical license must revoke that credential if the license is suspended or withdrawn—and must do so in a way that is immediately detectable by any verifier checking the credential’s status.

Organizations planning to operate in both roles should treat each as a separate compliance stream, even if underlying systems overlap.

How does an attribute issuer work in practice?

Understanding the lifecycle of an attribute makes it easier to prepare for integration with the EUDI ecosystem. Attributes commonly used in credentials include personal information such as name, address, and date-related data like date of birth or start date of employment. In addition, digital documents such as travel documents, driver’s licenses, and bank account attestations can be issued and managed within the EUDI Wallet. The process consists of five main stages. The technical protocol for issuing credentials in the EUDI ecosystem is OpenID for Verifiable Credential Issuance (OpenID4VCI), defined in Implementing Regulation (EU) 2024/2982.

After an attribute is issued, the EUDI Wallet allows users to request data from their wallet and share only the necessary attributes, such as a bank account balance, a specific travel document, or selected information from a driver’s license, without revealing full personal documents. This selective disclosure enhances privacy and reduces the risk of oversharing during identity verification.

Attribute lifecycle stages

1. Issuance

Before issuing a credential, the issuer must verify the identity of the individual. The process begins with a user request, followed by identity verification using high-assurance methods (e.g., eID, passport, certified electronic identification). The issuer then verifies data against authoritative sources and generates a cryptographically signed credential, such as a driver’s license, which can be issued and stored in the EUDI Wallet.

2. Storage

The credential is signed with the issuer’s cryptographic key and delivered to the user’s wallet in interoperable formats such as W3C Verifiable Credentials (SD-JWT) or ISO mdoc. The user retains full control over their data.

3. Presentation

The user can selectively present attributes when accessing services. The verifier checks their validity, integrity, and issuer.

4. Update

The issuer maintains the validity status and updates credentials when underlying data changes.

5. Revocation

If a credential becomes invalid, it is revoked and this status is detectable by verifiers.

Attribute issuers and KYC/AML processes

Scenario	Traditional approach	With EAA
Age verification	ID scan and manual review	Automated attribute verification
Proof of address	Utility bill or bank statement	Electronic attestation from a registry
PEP status	Manual screening	Integrated attribute-based screening
Tax residency	Official certificate	Verified digital attribute

Benefits for regulated institutions

• Reduction of manual document processing
• Lower fraud risk through cryptographic security
• Faster onboarding decisions
• Auditable data trails
• Compliance with regulatory requirements

What does becoming a Qualified Trust Service Provider (QTSP) mean?

Issuing QEAA requires QTSP status, which involves formal conformity assessment, supervisory approval, and inclusion in national trust lists. QTSPs must meet strict requirements related to infrastructure, key management, and operational procedures.

Issuing EAA without QTSP status

Organizations may issue non-qualified EAA without QTSP status, but such credentials carry limited legal effect and rely solely on the issuer’s trustworthiness.

Security, trust and responsibility

• Advanced cryptographic mechanisms
• Strong authentication
• Secure infrastructure
• Regular audits

Future of attribute issuers

The EUDI ecosystem will expand to include new attribute categories and increased interoperability across the EU.

FAQ

What is the difference between an issuer and an identity provider?

An identity provider confirms identity, while an issuer provides specific attributes.

Can private entities become issuers?

Only if they meet strict regulatory and technical requirements.

Does the issuer know where data is shared?

In most implementations, no.

What happens when an attribute is revoked?

It becomes invalid and is automatically detected during verification.