European digital identity risks reinforcing control instead of empowerment
The European Digital Identity, an initiative designed to give people control over how they identify themselves online, is intended to streamline access to public and private services across borders while reducing dependence on large technology platforms. However, new academic research suggests that the current design of Europe’s digital identity framework risks achieving the opposite, reinforcing central control, weakening internet security norms, and limiting user choice instead of expanding it.
Titled “European digital identity: A missed opportunity?” and published as a SolidLab white paper on arXiv, the paper delivers a detailed technical and legal critique of the European Digital Identity (EUDI) framework and its reliance on OpenID specifications. The authors argue that the EU’s approach is built on a narrow and poorly defined understanding of digital identity, resulting in technical limitations and political risks that undermine the promise of a user-centric, self-sovereign system.
A narrow definition of identity limits the entire framework
The study finds that neither the EUDI regulation nor the technical standards chosen to implement it clearly define what digital identity actually means. In legal and technical documents alike, identity is treated as an assumed concept rather than a carefully specified one. According to the authors, this omission has practical consequences because identity systems shape how personal data is issued, shared, verified, and controlled.
Drawing on international standards and prior research, the study adopts a broader and more grounded definition of identity as a context-dependent set of attributes that distinguishes an entity within a specific situation. Under this view, full identification of a person is rarely required. In many real-world interactions, it is sufficient to prove a role, a qualification, or a single attribute, such as being over a certain age or holding a valid license. These partial identities support anonymity, pseudonymity, and data minimization, which are core goals of modern privacy regulation.
The authors argue that the EUDI framework does not reflect this reality. Instead, it assumes a static, subject-bound model of credentials, where most digital attestations are tightly linked to a specific individual and exchanged through predefined formats. This design choice limits flexibility and blocks more dynamic or automated use cases. As a result, the system struggles to support scenarios where credentials relate to assets, roles, or organizations rather than to a single identified person.
This narrow model also shapes how authentication is handled. In the study’s analysis, authentication is best understood as verifying the origin and integrity of information based on trust in an authority, not as proving a fixed identity. Credentials are, in essence, certificates attesting to certain facts. By failing to embrace this broader view, the EUDI architecture locks itself into outdated patterns that reduce interoperability and future adaptability.
OpenID and the limits of technical innovation
The paper focuses on the technical architecture chosen for EUDI, particularly its dependence on OpenID Connect and its extensions for verifiable credentials and presentations. These specifications are presented by their proponents as a major step forward in privacy, control, and portability. The study, however, concludes that these claims do not withstand close scrutiny.
According to the authors, OpenID-based systems inherit long-standing design problems from earlier identity protocols. One key issue is the lack of separation between different technical roles, such as authorization servers and resource servers. This mixing of concerns increases complexity and creates room for insecure practices. It also constrains how identity data can be requested and exchanged, forcing all interactions through narrowly defined endpoints and flows.
Another limitation lies in how credentials are defined and queried. Under the OpenID model adopted by EUDI, issuers offer a limited set of preset credential types, each tied to a specific format. Clients can only request credentials that match these predefined bundles. While selective disclosure allows users to hide certain claims, the overall structure remains rigid. The semantics of a credential are reduced to a single label, making it difficult to express complex or evolving information needs.
The study finds that this rigidity prevents the system from supporting dynamic, asynchronous, or automated interactions. Many modern digital services require credentials to be issued or verified without direct user interaction, or to adapt to changing conditions in real time. The EUDI framework, as currently designed, is largely confined to classic, synchronous exchanges that resemble older federated login systems.
Crucially, the authors challenge the idea that OpenID introduces a new trust model. They argue that portability of identity data, often described as a breakthrough feature, already exists in established federated systems. Offline availability through digital wallets is acknowledged as a practical improvement, but it does not amount to true independence from issuers. Issuers still decide what credentials to issue, when to revoke them, and under what conditions they are trusted.
Similarly, claims of increased user control are found to be overstated. Informed consent and selective disclosure are important safeguards, but they do not fundamentally change power relations within the system. In many cases, these features compensate for architectural decisions that make credentials overly broad in the first place. Other identity models avoid these issues by issuing tailored assertions per transaction rather than reusable credentials stored in wallets.
On privacy, the paper argues that the OpenID approach shifts, rather than removes, surveillance risks. While issuers may learn less about where credentials are used, wallet providers gain a central role and visibility into user behavior. Verifiers still need to interact with issuers to validate credentials, especially when revocation and trust status must be checked. Taken together, the authors conclude that the privacy gains promised by the architecture are limited and, in some cases, illusory.
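As an added illustration that is not part of the article or of the paper it summarizes, the constructed Python model below plays out the trade-off described in the two paragraphs above: selective disclosure hides undisclosed claims, but a reusable wallet credential still carries a stable identifier and needs an online revocation check, so the issuer learns where it was used, the wallet sees every presentation, and verifiers can correlate presentations by that identifier, whereas a per-transaction, audience-bound assertion leaves nothing stable to correlate. All issuer, wallet, claim and verifier names are constructed placeholders.

```python
import secrets
class Issuer:
    # Constructed issuer: revocation register plus a log of who queried it.
    def __init__(self):
        self.revoked, self.status_queries = {}, []
    def issue_reusable(self, claims):
        # Wallet-stored credential: every claim plus a stable id that also serves as status pointer.
        cred_id = secrets.token_hex(8)
        self.revoked[cred_id] = False
        return {"id": cred_id, "claims": dict(claims)}
    def check_status(self, cred_id, verifier):
        # The verifier's revocation check tells the issuer where the credential was used.
        self.status_queries.append((cred_id, verifier))
        return not self.revoked[cred_id]
    def issue_tailored(self, claims, requested, verifier):
        # Per-transaction assertion: only the requested claims, audience-bound, no stable id.
        return {"nonce": secrets.token_hex(8), "aud": verifier,
                "claims": {k: claims[k] for k in requested}}

class Wallet:
    # Constructed wallet: stores the credential and observes every presentation.
    def __init__(self, cred):
        self.cred, self.presentations = cred, []
    def present(self, requested, verifier):
        # Selective disclosure drops undisclosed claims, but the stable id travels along.
        self.presentations.append(verifier)
        return {"id": self.cred["id"], "claims": {k: self.cred["claims"][k] for k in requested}}

def verify(issuer, pres, verifier):
    # The verifier accepts only after an online status check with the issuer.
    return bool(pres["claims"]) and issuer.check_status(pres["id"], verifier)

def linkable(presentations, key):
    # True if presentations to different verifiers share the same value under `key`.
    seen = [p[key] for p in presentations]
    return len(set(seen)) < len(seen)

def simulate():
    issuer = Issuer()
    claims = {"name": "Alice Example", "over_18": True, "licence": "B"}  # constructed
    wallet = Wallet(issuer.issue_reusable(claims))
    p_bar = wallet.present(["over_18"], "bar.example")
    p_car = wallet.present(["licence"], "rental.example")
    ok = verify(issuer, p_bar, "bar.example") and verify(issuer, p_car, "rental.example")
    t_bar = issuer.issue_tailored(claims, ["over_18"], "bar.example")
    t_car = issuer.issue_tailored(claims, ["licence"], "rental.example")
    return {"verified": ok, "name_disclosed": any("name" in p["claims"] for p in (p_bar, p_car)),
            "reusable_linkable": linkable([p_bar, p_car], "id"),
            "tailored_linkable": linkable([t_bar, t_car], "nonce"),
            "issuer_sees": [v for _, v in issuer.status_queries], "wallet_sees": wallet.presentations}
```

Running `simulate()` shows the name never leaves the wallet, yet both the issuer's status log and the wallet's own log record the two verifiers, and the shared credential id links the two presentations while the tailored assertions share nothing.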
Trusted lists and the risk of re-centralizing identity
The study raises serious concerns about the political and economic structure of the EUDI framework. Key to this structure is the use of trusted lists, which determine which service providers are allowed to issue, store, and verify digital credentials within the ecosystem. These lists are maintained by national authorities and coordinated at the European level.
The authors acknowledge that some form of trust anchoring is unavoidable in any identity system. However, they warn that institutionalized trusted lists concentrate power in the hands of governments and approved providers. Participation in the digital identity ecosystem becomes conditional on regulatory approval, compliance costs, and ongoing oversight. This creates barriers to entry that favor large, well-funded organizations and discourage competition.
The paper highlights the economic consequences of this approach. Providers included on trusted lists gain a privileged position, while those excluded face structural disadvantages, even if they offer technically sound solutions. Over time, this can lead to vendor lock-in and reduced innovation. Rather than fostering a diverse and decentralized ecosystem, the framework risks reproducing centralized control under a different name.
Political risks are equally prominent. Trusted lists give authorities the ability to shape which actors can operate in sensitive areas such as authentication, certification, and digital signatures. In the context of website authentication, the study points to strong opposition from browser vendors and security experts who argue that government-mandated trust anchors weaken established security practices. By forcing browsers to recognize certain certificates regardless of independent security assessments, the regulation undermines long-standing, multi-stakeholder models of internet trust.
The authors also raise concerns about surveillance and linkability. The EUDI regulations impose extensive logging and reporting obligations on trust service providers. In some cases, this includes recording interactions involving end users. Combined with a centralized ecosystem and limited user choice, these requirements increase the risk that digital identity systems could be used to monitor behavior, correlate transactions, or profile citizens.
From the user’s perspective, the promise of self-sovereign identity appears hollow. While individuals can choose which attributes to disclose within a given interaction, they have little influence over which issuers and verifiers they are allowed to use. The system dictates the acceptable participants, leaving users with limited agency. According to the study, this falls far short of a model where individuals are genuinely in control of their digital identities.
First published in: Devdiscourse