Electronic Attestations of Attributes (EAA)¶
Overview¶
Electronic Attestations of Attributes (EAA) are verifiable digital credentials that attest to attributes of a person or entity. Unlike the Personal Identification Data (PID), which is tightly regulated and issued only by designated government authorities, EAAs can be issued by anyone—public bodies, private companies, associations, or any organization with relevant data.
This openness is by design: the EUDI Wallet ecosystem aims to enable a broad range of use cases, from government-issued qualifications to loyalty cards, membership credentials, and professional certifications.
Issuance vs. acceptance
While anyone can technically issue an EAA, relying parties decide which issuers they trust. This decision is based on trust lists that authorize specific issuers for specific credential types. An EAA from an unauthorized issuer will be rejected during verification.
For qualified EAAs (QEAAs), issuers must be listed on the EU Trusted List. For EAAs, scheme-specific trust lists define authorized issuers. See Catalogue of Attestations for how credential types reference their trust anchors.
Key principle
EAAs are technically identical in structure. What distinguishes them is their legal standing, not their technical implementation.
Examples of EAAs¶
EAAs can represent virtually any verifiable attribute. Common categories include:
| Category | Examples |
|---|---|
| Professional | Medical license, bar admission, pilot certificate, teacher ID |
| Educational | University diploma, professional certification, training badge |
| Membership | Club membership, association card, library card |
| Employment | Employee badge, contractor credential, corporate access card |
| Health | Vaccination record, organ donor status, disability attestation |
| Financial | Bank account ownership, credit status, insurance coverage |
| Access & Entitlement | Public transit pass, event ticket, building access credential |
| Commercial | Loyalty card, subscription status, age verification for retail |
Credentials Are Technically Uniform¶
All credentials in the EUDI ecosystem—whether PID, EAA, QEAA, or PubEAA—share the same fundamental structure:
| Component | Description |
|---|---|
| Claims | The actual attribute data (name, status, qualification, etc.) |
| Metadata | Credential type, issuer identifier, validity period |
| Signature | Cryptographic proof of issuer authenticity and data integrity |
| Key binding | Mechanism linking the credential to the holder |
The differences between credential types lie in:
- Who may issue (anyone vs. qualified trust service providers vs. public authorities)
- Legal effect (contractual vs. document-equivalent evidentiary value)
- Liability regime (scheme-based vs. statutory)
- Trust anchor (scheme governance vs. EU Trusted List)
For guidance on choosing the appropriate credential type, see the Trust Decision Guide.
eIDAS Is One Framework Among Others¶
The eIDAS 2.0 regulation provides a comprehensive legal framework for digital credentials in Europe. However, it is not the only framework:
- ISO/IEC 18013-5 defines the mobile driving license (mDL) independently of eIDAS, with its own trust model based on VICAL (Vehicle Identification Certificate Authority List)
- W3C Verifiable Credentials provide a format specification without prescribing a specific legal framework
- Domain-specific schemes (banking, healthcare, education) may define their own trust rules
The German EUDI Wallet ecosystem acknowledges this reality:
- Credentials can be technically valid without being eIDAS-regulated
- The mDL is a prime example: fully functional, legally recognized for driving purposes, but operating under ISO governance rather than eIDAS qualified status
- Relying parties may accept credentials based on scheme trust rather than eIDAS trust lists
Practical implication
When designing an EAA, first determine whether eIDAS qualification is actually required for your use case. For many scenarios, a well-designed EAA provides sufficient trust at lower cost and complexity.
Section Overview¶
This section provides comprehensive guidance for designing and implementing EAAs:
| Document | Purpose |
|---|---|
| Credential Anatomy | Common mechanisms: signatures, revocation, key binding |
| Design Recommendations | Best practices for well-made EAAs |
| Attribute Catalogues | Registry and discovery of credential types |
For trust-related aspects (who to trust, which attestation type to use), see the Trust section.
For technical protocol flows (OID4VCI, OID4VP), see the Appendix: (Q)EAA Issuance and Presentation.