Don’t reinvent the wheel: Existing standards can deliver security, scalability and interoperability for EUDI Wallets

Gil Bernabeu, GlobalPlatform CTO

The clock is now ticking for all 27 EU member states. They are working to make a secure EUDI wallet available to a maximum number of citizens by December 2026, while delivering an effortless user experience.

Security, scalability, interoperability and user convenience will lie at the heart of successful wallet deployments. The fundamental question is this: with numerous different makes and models of smartphone on the market, how can member states ensure their EUDI wallets are compatible with, and can be securely stored on, as many smartphones as possible?

To meet these requirements, the EU Commission has recommended the use of a secure element (SE) within the device that hosts the wallet. This is firstly because SEs support two key security architecture requirements: for trusted hardware (the Wallet Secure Cryptographic Device or WSCD) and for the secure application (the Wallet Secure Cryptographic Application or WSCA).

SEs are also recommended because most premium smartphones already embed them as hardware security (more than 100 billion GlobalPlatform-standardized SEs have been issued globally since 1999), meaning that they can be used as a way to deliver convenient, interoperable and secure EUDI wallets to the majority of the EU population.

This blog outlines the existing standards available to member states to achieve this and set their EUDI wallet deployments up for long-term success. Simply put, by referencing these standards in their implementing acts and transitional certification schemes, they can quickly align their ecosystem. Smartphone makers are then clear that if their device and its SE support the standards, it will be able to effectively download, store, run and manage EUDI wallets.

Interoperability and scalability, built on standardization 

Importantly for all EU member states, SEs are already standardized by GlobalPlatform and are certified to stringent requirements. They provide a minimal-risk and widely-adopted route to market, enabling highly-scalable, convenient and secure EUDI implementations that work without an active network connection.

To take advantage of best-practice industry collaboration and the advanced work that has already been delivered and shared by the GlobalPlatform membership, all EU member states should familiarize themselves with the relevant GlobalPlatform standards and reference them in their transitional schemes.

Specifications versus configurations: Understand the difference

When considering how GlobalPlatform’s standards can be correctly referenced within transitional schemes, it is important to first understand the distinction between GlobalPlatform Specifications and GlobalPlatform Configurations.

GlobalPlatform Specifications comprehensively define the universal functionalities and security features for the associated technology (e.g. from smart card to SEs). They outline all the possibilities on offer (in everyday speak they are like an inventory of everything you have in your fridge before starting cooking!).

Conversely, GlobalPlatform Configurations more narrowly specify which functions and features of the specification are needed, and how they are implemented, for particular markets or use cases. (Using the same analogy as above, a configuration is a recipe that’s tried, tested and loved by the whole family!)

Configurations provide the basis upon which GlobalPlatform certifies technology products for use in different use cases. If a product is built to comply with a defined configuration, GlobalPlatform can test that all functional requirements of that configuration are both present and behaving as intended.

In terms of the GlobalPlatform Configurations that are highly relevant and valuable to the EUDI value chain, as they support the deployment of applets on SEs in smartphones, the following configurations should be on every EU member state’s radar:

  • SE Configuration – This sets out the functionalities, APIs and other requirements that ensure SEs – typically found in smartphones – can securely perform sensitive operations and protect against a wide range of threats. It enables interoperability and facilitates the deployment of secure services across various devices and platforms – both key requirements for EU member states and their impending deployments.

  • Secured Applications for Mobile (SAM) Configuration – This enables member states to independently deploy and manage applications on SEs within devices (regardless of the smartphone manufacturer or mobile network operator). Crucially, member states should raise awareness of this standard among their national agencies, wallet developers, pilot programs and other stakeholders.

A new configuration will also be available this year:

  • Cryptographic Service Provider (CSP) Configuration – CSP streamlines the certification process for member states by allowing a single applet certificate to be applicable for all smartphone and SE platforms supporting this technology, reducing time and costs associated with security assessment. Member states should look to this configuration while developing their application and also reference the CSP Configuration as part of their requirements.

Defining transitional EUDI certification schemes: Leverage existing standards

As member states define their transitional certification schemes, they can immediately reference these GlobalPlatform standardized configurations in their implementing acts. This will help to align all stakeholders in the EUDI wallet value chain around a detailed set of features and behaviors that enable applets to work effectively on smartphones and other devices with compliant SEs.

The configurations can be used by EUDI wallet stakeholders – including SE vendors and smartphone makers – to align with member states’ requirements by achieving functional certification. Certification stamps can be requested by member states’ certification schemes as proof that the SEs comply with the requirements of EUDI wallet applets.

This process enables everyone involved in the issuance and management of EUDI wallets to ensure that the technology supports the required functionality and that the maximum number of citizens benefit from a smooth and secure user experience. Importantly too, this technology already exists and is available for immediate use. Against a ticking clock, and a December 2026 deadline, the value this offers to EU member states is immeasurable.

Requirements, key use cases, market dynamics and more will continue to evolve over time, and industry standards will continue to evolve in alignment. By adopting a standards-based approach from the start of EUDI projects, member states can set their implementations up for long-term success.

Want to learn more?

Member states can liaise with the eID Wallet Task Force to clarify questions around SE technology and the GlobalPlatform configurations.

To get stakeholders up to speed on these new solutions and understand how to access, program and manage SEs, GlobalPlatform is hosting a two-day SE for EUDI training session in Brussels on March 17-18.

Developers can register for the Java Card Development on SE for EUDI Training on March 19 at the same location in Brussels.

A position paper will soon be published by the GlobalPlatform eID Task Force, outlining how EU member states can use existing, established technologies, certifications and governance models to deliver successful EUDI wallet implementations. Register your interest in receiving this paper to your inbox here.

 

 
