Electronic Attestations of Attributes (EAAs) constitute a fundamental element of the European Digital Identity (EUDI) ecosystem. They enable users to securely and efficiently present verified personal information, such as name, professional title, qualification, or residence, through digital means.
However, not all EAAs are created equal. They differ in terms of their legal status, assurance level, and issuing authority. This article provides an overview of the three types of EAAs and their distinct characteristics.
What is an attribute ?
An attribute is a piece of information that characterizes an individual or an entity. Attributes can include a wide range of personal or professional data, such as a person’s name, date of birth, nationality, educational qualifications, professional titles, or specific rights and permissions. In the context of digital identity, attributes are essential for proving identity or validating specific characteristics within online services. Attributes can be static (e.g., date of birth) or dynamic (e.g., current address), and they may be derived from official registries, personal documents, or certifications issued by trusted authorities.
What is an Electronic Attestation of Attributes (EAA)?
An Electronic Attestation of Attributes (EAA) is a type of digital document that confirms the accuracy of a specific attribute, such as a place of residence or professional qualification. Unlike the attribute itself, which is merely a data point, the EAA serves as an official, machine-readable document. It is issued by an authorized provider, guaranteeing authenticity and carrying the same legal value as its paper-based equivalent. An EAA can be added, stored and presented with the EU Digital Identity Wallet.
The three types of EAAs
EAAs are categorized into three primary types, each associated with a distinct level of assurance and legal effect.
1. Qualified Electronic Attestations of Attributes (QEAA)
Qualified EAAs are issued exclusively by or on behalf of Qualified Trust Service Providers (QTSPs) in accordance with the stringent requirements set out in the European Digital Identity Regulation. These attestations offer the highest level of legal assurance and work in pair with Personal Identification Data, the key reference data in the EU Digital Identity Wallet (name, date of birth…). Verification of QEAA data involves cross-checking with authentic sources, such as government databases, to ensure accuracy.
Since QEAA Providers are considered qualified trust services, they are subject to continuous monitoring and regular audits by Conformity Assessment Bodies (CAB). This rigorous scrutiny ensures compliance with security and data protection standards, enhancing confidence in the use of digital identity.
For an up-to-date and comprehensive list of Qualified Trust Service Providers (QTSPs), please refer to the EU Trust List. Under eIDAS 1, qualified trust services were limited to electronic signatures, timestamps, and certificate issuance. With eIDAS 2, the scope has been extended to include new services such as Electronic Attestations of Attributes.
2. Non-Qualified Electronic Attestations of Attributes (EAA)
In contrast to QEAA, non-qualified EAAs are issued by non-qualified Trust Service Providers (TSPs) and do not guarantee the same level of legal assurance. These attestations may be subject to sector-specific regulations or contractual agreements. Although they offer a lower assurance level, they remain valuable for numerous applications where high-level trust is not strictly necessary, including education, digital payments, and commercial services.
For an up-to-date and comprehensive list of Non-Qualified Trust Service Providers (QTSPs), please refer to the EU Trust List.
3. Public Electronic Attestations of Attributes (PuB-EAA)
Public EAAs (PuB-EAA) are issued on behalf of public sector bodies or official authorities when the data originates from official registries or government databases. These attestations hold legal equivalence to paper-based documents and are particularly relevant for public services, such as issuing birth certificates or driver’s licences.
PuB-EAA Providers are not considered Qualified Trust Service Providers; however, they must possess a qualified certificate issued by a Qualified Trust Service Providers to sign PuB-EAAs. This ensures that the attestations meet the same legal requirements as traditional official documents, especially for verifying attributes listed in Annex VI of Regulation (EU) No 910/2014, such as age, address, nationality or professional qualifications.
Summary table of the three types of EAAs
| Type of EAA | Provider Type | Level of assurance | Legal Effect | Example Use Case |
|---|---|---|---|---|
| Qualified Electronic Attestations of Attributes (QEAA) | Qualified Trust Service Provider (QTSP) | High* | Equivalent to paper-based certificates | Qualified certificate for electronic signature, qualified time stamp, qualified certificate for website authentication… |
| Non-Qualified Electronic Attestations of Attributes (EAA) | Trust Service Provider (TSP) | Substantial to low* | No guaranteed legal equivalence | Certificate for electronic signature, time stamp service, membership attestations, commercial credentials… |
| Public Electronic Attestations of Attributes (PuB-EAA) | Public Sector Body or Official Authority | High* | Equivalent to official public documents | Birth certificates, driver licences… |
* The level of assurance (LoA) reflects the degree of confidence in the identity verification process. It ranges from minimal to high, with each level aligning the strength of identity verification with the potential risks of a transaction. While QEAA consistently offers a high level of assurance, non-qualified EAAs vary from substantial to low, depending on the robustness of the provider’s identity verification processes. PuB-EAA, when issued by public authorities, also ensures a high level of assurance.
Electronic Attestations of Attributes are an essential component of secure, efficient, and trustworthy digital interactions within the European digital identity framework. By digitizing verified attributes, EAAs enhance interoperability and robust data protection, making them integral to the future of digital identity management across Europe.