Self-Sovereign Identity and eIDAS 2.0: An Analysis of Control, Privacy, and Legal Implications
Nacereddine Sitouah, Marco Esposito, Francesco Bruschi
TL;DR
The paper analyzes how Self-Sovereign Identity (SSI) concepts can align with the EU's eIDAS 2.0 and the Architecture Reference Framework (ARF). It employs a normative-analytical approach to map SSI properties to eIDAS 2.0 requirements, revealing substantial centralization and PID-dependency that constrain true user sovereignty. Key contributions include a property-based compliance framework, a detailed property-by-property analysis, and practical recommendations (e.g., autonomous DIDs, SD-JWT/VC, open governance) to improve interoperability with GDPR while preserving SSI principles. The findings highlight regulatory and technical tensions, particularly around recoverability, persistence, and ownership, and argue for EU-governed, decentralized, privacy-preserving infrastructures to realize SSI within Europe. The work informs policymakers and researchers about necessary adjustments and pathways for more resilient, private, and user-controlled digital identities in the European Digital Identity ecosystem.
Abstract
European digital identity initiatives are grounded in regulatory frameworks designed to ensure interoperability and robust, harmonized security standards. The evolution of these frameworks culminates in eIDAS 2.0, whose origins trace back to the Electronic Signatures Directive 1999/93/EC, the first EU-wide legal foundation for the use of electronic signatures in cross-border electronic transactions. As technological capabilities advanced, the initial eIDAS 1.0 framework was increasingly criticized for its limitations and lack of comprehensiveness. Emerging decentralized approaches further exposed these shortcomings and introduced the possibility of integrating innovative identity paradigms, such as Self-Sovereign Identity (SSI) models. In this article, we analyse key provisions of the eIDAS 2.0 Regulation and its accompanying recitals, drawing on existing literature to identify legislative gaps and implementation challenges. Furthermore, we examine the European Digital Identity Architecture and Reference Framework (ARF), assessing its proposed guidelines and evaluating the extent to which its emerging implementations align with SSI principles.
