In today’s digital society, identity is more than a credential: it is the key that unlocks access to services, rights, and opportunities. This simple truth raises a profound question – who truly controls our identity? The TRUSTED project is built on a clear response: my identity belongs to me. This principle is at the heart of Self-Sovereign Identity (SSI), a model that places individuals – not institutions, platforms, or data infrastructures – at the center of digital identity management.
SSI is not merely a technical architecture. It represents a fundamental shift in how identity is understood, governed and used. Grounded in values such as dignity, autonomy, privacy, and data protection, SSI echoes long-standing European commitments to fundamental rights. It asserts that identity emerges from the person, and that control over personal data is not something granted by systems – it is a natural right.
Yet the infrastructures that mediate identity—digital wallets, authentication frameworks, AI systems, data spaces, and consent mechanisms—play a powerful role in either reinforcing or undermining these rights. This is why TRUSTED approaches SSI as an ethics-driven framework, not just a technological component. Technology is never neutral: it embeds assumptions about power, agency, and accountability. TRUSTED therefore designs identity mechanisms that strengthen, rather than weaken, individuals’ ability to act autonomously and protect their digital footprint.
Putting SSI values into practice
The TRUSTED approach combines SSI with a suite of privacy-preserving technologies to ensure that empowerment is both conceptual and operational. A secure, portable digital identity wallet allows individuals to authenticate, present attributes, and interact with organizations across sectors – health, mobility, volunteering, finance – while maintaining full control over the data they reveal.
Central to this is TRUSTED’s dynamic consent and permissions management system, which allows users to define precisely:
- which attributes they share,
- for what purpose,
- under which conditions,
- and for how long.
Consent is not a one-time agreement; it becomes a continuously manageable expression of user agency. Behind the scenes, the system uses robust cryptographic tools, verifiable credentials, and immutable logging to ensure that the expression of consent is technically enforced. Individuals can see, audit, and adjust how their identity is being used, reinforcing both trust and transparency.
This architecture reflects a clear conviction: identity should never be flattened into a set of static fields managed by others; rather, it must remain a dynamic extension of the person, shaped and governed by the individual.
A shifting regulatory landscape
While TRUSTED advances this rights-centred vision, the broader regulatory environment is also evolving. In 2025, the European Commission launched the Digital Omnibus, a set of proposals intended to simplify the GDPR and the AI Act. The objective is to reduce administrative burdens and encourage AI innovation, particularly for small and mid-size enterprises.
However, these reforms introduce nuanced and potentially far-reaching changes. A more flexible interpretation of “personal data,” broader permissions to process sensitive data for AI development, and delayed enforcement of certain high-risk AI obligations are all part of the proposals. These shifts, though presented as technical fine-tuning, have implications for how identity, consent, and data protection are operationalized within the European digital ecosystem.
For example, redefining personal data around what a specific controller can identify may result in inconsistent protections across shared environments, such as data spaces. A dataset treated as non-personal by one participant may still be identifiable by another. Similarly, broader use of legitimate interest for AI training could reduce the reliance on explicit user consent – risking decreased visibility into how individuals’ data is transformed into model contributions, even in distributed or federated settings.
These changes do not necessarily undermine Europe’s commitment to data protection, but they do highlight a tension: as regulatory frameworks adapt to support innovation, the responsibility for protecting individuals may shift increasingly toward system designers and operators.
This is where TRUSTED’s contribution becomes particularly significant.
Staying true to SSI principles in a time of change
In a landscape where digital rules are being recalibrated, TRUSTED demonstrates that it is possible to uphold strong, rights-based standards irrespective of regulatory softening. The project’s design philosophy ensures that technical safeguards remain aligned with the highest thresholds of privacy and data protection, even if legal requirements become more flexible.
Rather than relying solely on formal legal definitions of personal data, TRUSTED anchors its identity framework in architectural principles: minimization, purpose limitation, selective disclosure, and cryptographic enforcement. This means that even if certain processing activities could legally bypass consent under a new legitimate-interest basis, TRUSTED chooses to treat consent as essential, not optional.
Similarly, while AI Act obligations may be delayed or reduced, TRUSTED integrates privacy-preserving federated learning and strict governance from the outset. These ensure that raw data never needs to be centralized and that model updates are processed with safeguards that limit leakage and inference risks. TRUSTED does not depend on regulatory requirements to enforce fairness, transparency, or accountability – it builds them into the infrastructure.
Most importantly, by grounding access to data and learning tasks in verifiable digital identity mechanisms, TRUSTED ensures that identity remains the gatekeeper, not an afterthought. People decide what attributes they present, when, and under which constraints. Organizations receive only what is strictly necessary, and every access is auditable, attributable, and accountable.
This approach ensures that the core SSI principle – my identity belongs to me – survives and remains meaningful, even in an evolving legal framework where the boundaries of personal data or consent might shift.
TRUSTED’s role in the future of digital identity
As European institutions debate the balance between simplification and protection, TRUSTED offers a concrete demonstration of how innovation and rights can reinforce one another. Data spaces and AI ecosystems can thrive without diluting user autonomy; federated learning can expand knowledge without sacrificing confidentiality; and digital identity can enhance access without eroding dignity or sovereignty.
TRUSTED’s message is clear: the future of digital identity must be built around the individual – not around systems, organisations, or regulatory loopholes.
By combining the philosophical clarity of Self-Sovereign Identity with robust technical safeguards, TRUSTED shows that it is possible to navigate regulatory change while maintaining an unwavering commitment to privacy, transparency, and empowerment.
TrustED has received funding from the European Union’s Horizon Europe Research and Innovation Programme under grant agreementNo. 101168467
