In today’s digital era, every online interaction, from a simple click to a purchase or a social media post, contributes to shaping our digital identity. This digital identity is the collection of electronic data that uniquely represents a natural or legal person. It is intrinsically linked to our “digital footprint,” which encompasses all the information we share online: who we are, where we live, where we work, our hobbies, preferences, interests, photos, videos, and more. Managing this vast amount of information is critical: while it enables countless benefits in our daily lives, from online banking to accessing public services or managing work relationships on digital platforms, it also involves inherent risks.
The European Union has recognized the fundamental importance of digital identity and has established the European Digital Identity (EUDI) Framework, aiming to provide citizens and residents with a reliable, voluntary, user-controlled digital identity recognized across the Union. This will take the form of European Digital Identity Wallets (EUDI Wallets), which Member States are required to deliver with high levels of security. Their use will remain voluntary and must not restrict access to public or private services. The framework seeks to empower citizens in a constantly evolving digital environment that increasingly defines our relationship with the world.
Key challenges ahead
Despite Europe’s progress and vision, several complex dilemmas must be addressed to ensure a secure, sovereign, and trustworthy digital future. These include interoperability, balancing privacy with security, common governance, citizen trust, and the role of private actors in public systems.
- Interoperability between national Digital Identities and delivering a sovereign, secure Digital Identity
A major challenge lies in the fragmentation of national implementations and the need for genuine interoperability, given that each Member State may interpret and apply regulation differently. While the EUDI Wallet aims for cross-border recognition, effective integration across Europe requires robust and standardized technical solutions.
This need is especially pressing in the context of data spaces, designed by the European Commission to remove legal and technical barriers and to improve data availability, quality, and interoperability across sectors. The Dataspace Protocol (DSP) provides specifications to enable interoperable data exchange between entities, governed by usage control and based on web technologies. It defines how metadata is provisioned, how data catalogs are deployed, how usage agreements are negotiated electronically, and how data access is managed. Connectors, the software components implementing this protocol, allow participating organizations to define and manage digital processes and data flows while ensuring compliance with data sovereignty policies.
Example: An airline collects weather data through aircraft sensors. A meteorological agency needs this data for forecasts. Through a data space, the agency locates the airline as a data provider, requests access, and both parties agree via a Connector, ensuring that new anonymized data from the airline automatically flows to the agency.
Organizations such as the International Data Spaces Association (IDSA), Gaia-X, the Big Data Value Association (BDVA), and the FIWARE Foundation have created the Data Spaces Business Alliance (DSBA) to establish a common framework. Their Technical Convergence Discussion Paper sets out a cohesive vision to align technical aspects and enable true interoperability.
- Balancing Privacy and Security in data use: the AI Act and data ownership
The rapid growth of digital technology increases our exposure to threats such as data theft, cyberattacks, and privacy breaches. Maintaining a delicate balance between the benefits of personal exposure and the inherent risks of digital life is essential. The European Commission has identified the difficulty of finding, securely publishing, and sharing data, as well as maintaining control over it once shared, as key issues that data spaces seek to address.
To safeguard the confidentiality, integrity, and privacy of data, various Privacy-Enhancing Technologies (PETs) come into play, enabling information to be processed securely without unnecessary exposure. These technologies can be divided into two main groups.
The first group encompasses PETs linked to Federated Learning, which facilitates the training of artificial intelligence models without the need to centralize data. This group includes Functional Encryption and Multi-Key Homomorphic Encryption, which allow operations on encrypted data; Secure Multi-Party Computation, which distributes computation among different participants while preserving privacy; Differential Privacy, which introduces controlled noise to prevent the identification of individual records; and Secure Aggregation, which combines partial results while ensuring the protection of information. In addition, Trusted Execution Environments (TEEs) are secure, isolated areas within the main processor that guarantee the confidentiality and integrity of both data and code, even if the system is compromised. They operate by enabling applications to communicate directly with hardware and thus protect information from unauthorized access through an enhanced access control system and a RAM encryption component. Initially designed for high-security local environments, TEEs are now the foundation of secure cloud infrastructures. They also offer remote attestation, allowing users to verify the authenticity of a TEE and check firmware versions to rule out insecure services.
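To make Secure Aggregation concrete, the following added example (not code from this article or from TrustED) shows one common construction, pairwise additive masking: each client sends an update that looks random on its own, yet the coordinator's sum is exact. The fixed-point scale, the pre-shared pairwise keys, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from itertools import combinations

MOD = 2 ** 32     # masks and sums live in the integers modulo 2^32
SCALE = 10 ** 4   # fixed-point scale for float model updates (assumed)

def encode(update):
    """Fixed-point encode a float vector into residues mod MOD."""
    return [round(x * SCALE) % MOD for x in update]

def decode(vec):
    """Map residues back to signed values and undo the scaling."""
    return [(v - MOD if v >= MOD // 2 else v) / SCALE for v in vec]

def pair_mask(key, length):
    """Expand a pairwise secret into a mask vector, HMAC-SHA256 as PRF."""
    return [int.from_bytes(hmac.new(key, i.to_bytes(4, "big"),
                                    hashlib.sha256).digest()[:4], "big")
            for i in range(length)]

def masked_update(cid, update, pair_keys):
    """What client `cid` sends: its update plus/minus every pairwise mask."""
    vec = encode(update)
    for (a, b), key in pair_keys.items():
        if cid in (a, b):
            sign = 1 if cid == a else -1   # a adds the mask, b subtracts it
            vec = [(v + sign * m) % MOD
                   for v, m in zip(vec, pair_mask(key, len(vec)))]
    return vec

def aggregate(masked):
    """Coordinator side: add the masked vectors; masks cancel pairwise."""
    return decode([sum(col) % MOD for col in zip(*masked)])

# Constructed sample: three clients, three-parameter model updates.
UPDATES = {0: [0.12, -0.5, 0.031], 1: [0.4, 0.25, -0.2], 2: [-0.02, 0.1, 0.3]}
# Assumption: each pair already shares a secret (e.g. from a key agreement);
# here the keys are derived from constant strings so the demo is repeatable.
PAIR_KEYS = {p: hashlib.sha256(f"constructed-{p}".encode()).digest()
             for p in combinations(sorted(UPDATES), 2)}
MASKED = {c: masked_update(c, u, PAIR_KEYS) for c, u in UPDATES.items()}

if __name__ == "__main__":
    print("client 0 sends:", MASKED[0])           # looks random
    print("aggregate:", aggregate(list(MASKED.values())))
    # If a client drops out its masks do not cancel and the sum is useless;
    # real protocols add secret-shared mask recovery for that case.
    print("without client 2:", aggregate([MASKED[0], MASKED[1]]))
```

The coordinator only ever sees masked vectors, which is why it can additionally be placed inside a TEE without changing the clients' side of the exchange.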
The second group relates to selective disclosure of information and Zero-Knowledge Proofs (ZKPs). In this field, technologies such as BBS stand out, allowing attributes or credentials to be demonstrated in a verifiable way while sharing only the strictly necessary information.
Along these lines, the AI Act introduces specific requirements for high-risk AI systems that process personal data. It mandates the use of high-quality, representative, complete datasets with minimized errors, as well as the implementation of robust data governance practices. It also allows the exceptional processing of sensitive data to correct bias, always under strict safeguards, such as the subsequent deletion of data and the guarantee that it is not transmitted to third parties. This reinforces the need for technological solutions such as TEEs and Privacy-Enhancing Technologies (PETs), which enable ethical and secure data processing. For example, in Federated Learning, the coordinating node can be deployed in a TEE to strengthen the system.
Initiatives such as TrustED, led by Gradiant, are committed to exceeding the privacy standards established by GDPR and the eIDAS regulation. TrustED focuses on developing scalable and reliable self-sovereign identity management and federated learning services that preserve privacy through the use of PETs. This enables AI-based studies on securely isolated datasets that implicitly address concerns related to data use in Artificial Intelligence and align with the risk-based approach promoted by the AI Act.
- Common governance of the European Data Space
A coherent European data space requires harmonized governance. By definition, data spaces are infrastructures and governance frameworks that enable pooling and exchange of data under transparent, fair structures that comply with EU law.
Four organizations, BDVA, FIWARE Foundation, Gaia-X, and IDSA, are driving this vision through the DSBA. Gaia-X focuses on global governance rooted in European values, offering functional and technical specifications for Gaia-X-compliant spaces. IDSA provides the IDS Reference Architecture Model (IDS RAM), the IDSA Rulebook, and the Dataspace Protocol, forming a blueprint for building secure and open data ecosystems.
However, the diversity of protocols among vendors hinders standardization, making interoperability across systems a challenge. Industry collaboration, adaptability, and trust are essential to overcome these barriers. Contributions such as the iSHARE Foundation’s “Cookbook for Data Spaces” also provide practical guidance for building functional spaces.
- Citizen trust in digital platforms: preventing social rejection and distrust
Citizen trust is essential for the widespread adoption of digital solutions. Poor privacy management in the digital environment can have serious and irreversible consequences, feeding distrust. Some common risks include:
- Identity theft or impersonation: criminals use exposed information for fraudulent purchases, opening bank accounts, or applying for credit in the victim’s name.
- Non-consensual surveillance: companies or cybercriminals collect and analyze personal data for profit or manipulation.
- Extortion, harassment, or defamation: misuse of private information to threaten or humiliate on social media.
- Misuse of personal data for discrimination: based on gender, race, sexual orientation, ideology, etc.
- Sexting and doxing: sharing content without permission or publishing personal information online without consent, exposing victims to harm.
- Highly personalized fraud: massive data collection through OSINT tools enables more credible fraud schemes.
The work carried out in TrustED is essential to address these challenges, as it seeks to generate public trust and encourage widespread adoption of secure and privacy-respecting digital solutions. Coordinated by Gradiant, TrustED focuses on designing and developing a robust self-sovereign identity management method and a set of advanced PETs. This includes AI-based document validation methods, verification tools, and selective disclosure techniques based on ZKPs, enabling secure electronic identification and sharing of specific identity attributes while preserving user privacy.
The voluntary nature of the EUDI Wallet also aims to prevent social rejection and distrust by giving citizens control over their digital identity and data. Likewise, the AI Act, by requiring traceability, clear technical documentation, and transparency about the capabilities and limitations of AI systems, also helps reinforce the citizen trust that is essential for digital adoption.
- The role of private actors in public Identity systems
The implementation of European digital identity and data governance regulations at the national level presents a challenge for collaboration between public entities and private actors, as each country may interpret and apply the rules differently. While the EU establishes the general framework, execution rests with Member States, which can lead to variations in the structure and content of identities and identity providers (centralized, decentralized, or federated).
Data spaces operate as markets where data owners and service providers (which can be private organizations, startups, or hardware companies) may be financially compensated for their contributions. The Connectors implementing the Dataspace Protocol facilitate interaction among these participants. This means that while governance is crucial, the involvement of private actors in the development and provision of solutions is both inevitable and necessary for the functionality of data spaces.
TrustED
The partners of TrustED are developing a secure, portable digital identity tool that enhances citizen control over personal data and encourages adoption of privacy-first digital solutions. The project focuses on robust self-sovereign identity management, AI-driven document validation, ZKP-based selective disclosure, and privacy-preserving federated learning services.

This project has received funding from the European Union’s Horizon Europe research and innovation programme under grant agreement No. 101168467.