Ecosystem Architecture
Deployment View
This Deployment View describes the allocation of application and technology components to physical infrastructure within the EUDI Wallet ecosystem. It aims to provide a high-level overview and identifies which actors operate which systems and where these systems are deployed.
The view provides a structured overview of the logical architecture mapped onto concrete technology elements, including hardware resources, deployed software components, and the interfaces between the participating actors.
Its purpose is to illustrate the realization of the ecosystem by explicitly linking software components to specific infrastructure elements, rather than defining a purely hardware-agnostic solution. This enables the identification of required interfaces, clarifies responsibilities across organizational boundaries, and supports the definition of appropriate security controls and trust boundaries for these interfaces.
Nodes
| Nodes | Description |
|---|---|
| EAA Provider | Electronic Attestations of Attributes (EAA) provide a flexible form of electronic attribute attestations under eIDAS. EAA providers are trusted sources that issue EAAs for the wallet and can access QTSPs and Authentic Sources when needed. |
| German eID Provider | The organization responsible for issuing and operating the German electronic identity (eID). The issuer provides the trust framework, security policies, and backend services required for secure electronic identification and authentication in accordance with applicable regulations. |
| Orchestrator | Operates the Registrar to issue access and Relying Party registration certificates, and hosts the Ecosystem Management Portal. |
| PID Provider | The PID Provider represents the one institutional entity that is responsible for the issuance and governance of Personal Identification Data (PID). It is subject to legal requirements and ensures compliance with legal and regulatory provisions. It is also responsible for the correct and lawful provision of personally identifiable data within the system landscape. |
| Relying Party | The Relying Party represents an organization that relies on issued Personal Identification Data (PID) for identification or verification purposes within its own systems and processes. It is responsible for integrating PID usage into its applications and for ensuring lawful and compliant handling of PID. |
| Trust Components | List of trust components that were already established or newly created in the context of building the ecosystem. |
| User's Device | A mobile device (smartphone) operated by the end user. The application is deployed to the device as a mobile app and runs locally, enabling user interaction and communication with backend services. |
| Wallet Provider | An organization that provides a German EUDI wallet. The organization is responsible for providing and certifying the wallet and must operate the wallet backend. It implements the security requirements from the blueprint and represents the trust anchor for its own wallet instances. |
Components
| Components | Description |
|---|---|
| EAA Provider - EAA Issuing Service | Issuing service provided by several providers of Electronic Attestations of Attributes (EAA). |
| German eID Provider - eID | The German electronic identity implemented as a highly secure smartcard. It stores identity attributes and cryptographic keys and enables secure electronic identification and authentication when accessed via authorized backend systems. |
| German eID Provider - eID Server | Backend system operated by the eID issuer and accessed by the native mobile app on the user device. It provides the eID Server services, orchestrates identification and authentication processes, and securely communicates with the German eID to perform identity verification. |
| Orchestrator - Ecosystem Management Portal | The Ecosystem Management Portal is the central governance and coordination platform of the German EUDI ecosystem, enabling secure onboarding, certification, and lifecycle management of ecosystem participants. |
| Orchestrator - Registrar | The Registrar is the authoritative entity within the German EUDI ecosystem responsible for validating, registering, and maintaining verified ecosystem participants and services. |
| PID Provider - PID Provider Backend | The PID Provider Backend is a technical component responsible for issuing Personal Identification Data (PID) upon request. The backend generates and delivers PID but does not persist or store any personal identification data. It operates in a stateless manner and enforces the applicable institutional and regulatory rules during the issuance process. |
| Relying Party - Auth Component | The Authentication Component is a technical system provided and operated by the Relying Party to authenticate users or subjects. It interacts with the PID Provider Backend as part of the authentication or identification process and consumes issued PID without storing or generating PID itself. |
| Trust Components - Access Certificate Issuer | Issues certificates to Relying Parties after Registrar validation. |
| Trust Components - Authentic Sources | Authentic Sources are authoritative data providers that supply verified and legally reliable identity attributes, such as civil registry, educational, or professional qualification data. |
| Trust Components - EU List of Trusted Lists | Trust Lists for PID Provider, (Q/Pub)EAA Provider, Wallet Provider, Registrar, Access Certificates and Registration Certificates. |
| Trust Components - Registration Certificate Issuer | Issues registration certificates to RPs after Registrar validation. |
| Trust Components - QTSP | The Qualified Trust Service Provider (QTSP) within the eIDAS framework is a certified entity authorized to deliver qualified trust services such as electronic signatures, seals, timestamps, and certificates. |
| User's Device - User's EUDI Wallet Instance | A native mobile application distributed via the official app stores. The EUDI Wallet Instance is certified and installed on the user’s device. It requires an active network connection and is not capable of offline operation. The app provides the user interface and communicates with backend services. |
| Wallet Provider - Wallet Backend | A backend operated by the wallet provider for initiating sessions and issuing wallet attestations. The backend ensures the authenticity of the wallet application in all PID processes and implements security functions to verify that it is an official and certified wallet. |
Connections
Connections in this table describe the high-level interactions between actors, nodes, and their components. This table is intended to support a conceptual understanding of the overall collaboration and does not replace the Runtime View, which is described separately. The listed connections are therefore non-normative and focus on explaining the general interplay rather than exact runtime behavior.
| Connection | Description |
|---|---|
| 1 | In the EUDI Wallet ecosystem, the user’s device hosts the wallet instance and securely generates, stores, and presents credentials under the user’s sole control. The wallet provider supplies the wallet software, ensures compliance, lifecycle management, and trust framework integration, but has no access to the user’s private keys or credential data. |
| 2 | Within the ecosystem, the User’s Device establishes a secure, mutually authenticated connection to the German eID Provider to request identity data and perform user authentication. The eID provider verifies the user’s credentials and attributes and transmits the approved identity data directly to the wallet instance under the user’s control. |
| 3 | The User's Wallet Instance establishes a secure, mutually authenticated channel with the PID Provider to receive the Person Identification Data (PID) credential after successful identity verification. The credential is generated and cryptographically bound to the wallet instance on the User’s Device, ensuring that it remains under the user’s control and cannot be reused by other parties. |
| 4 | The PID Provider establishes a secure, mutually authenticated connection to the German eID provider to perform identity verification and retrieve authoritative identity attributes. The German eID provider authenticates the user and returns verified identity data, which the PID Provider uses as the basis for issuing the PID credential. |
| 5 | The User’s Device establishes a secure, mutually authenticated session with the Relying Party to present verifiable credentials or requested attributes. The Relying Party validates the cryptographic proofs and trust chain, while the wallet ensures user consent and selective disclosure before transmitting any data. |
| 6 | The User’s Device establishes a connection to the EAA Provider to request and receive an Electronic Attestation of Attributes (EAA). The EAA Provider verifies the required evidence and issues the attestation cryptographically bound to the wallet instance on the User’s Device under the user’s control. |
| 7 | Within the EUDI Wallet Ecosystem, the User’s Device, PID Provider, EAA Provider, and Relying Party establish secure, mutually authenticated connections to the Orchestrator to exchange transaction metadata, trust information, and protocol messages. The Orchestrator coordinates the interaction flows and enforces trust framework policies, without accessing private keys or the underlying credential contents. |
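
A trust-boundary review can start by cross-checking the tables above against each other. The following is an added example, not part of the ecosystem documentation: it lists connection rows whose wording does not state mutual authentication, and interactions named in the Nodes and Components descriptions that have no row in the Connections table. The data is transcribed from this page; the function names and the checks themselves are assumptions, and because the table is non-normative the results are review prompts rather than findings.

```python
# Deployment-view lint: data transcribed from this page's tables; the checks
# and all function names are assumptions made for this example.

# (row id, node A, node B, channel wording taken from that row)
CONNECTIONS = [
    (1, "User's Device", "Wallet Provider", "hosts the wallet instance"),
    (2, "User's Device", "German eID Provider", "secure, mutually authenticated connection"),
    (3, "User's Device", "PID Provider", "secure, mutually authenticated channel"),
    (4, "PID Provider", "German eID Provider", "secure, mutually authenticated connection"),
    (5, "User's Device", "Relying Party", "secure, mutually authenticated session"),
    (6, "User's Device", "EAA Provider", "connection to the EAA Provider"),
] + [
    # Row 7 describes one connection per listed node to the Orchestrator.
    (7, node, "Orchestrator", "secure, mutually authenticated connections")
    for node in ("User's Device", "PID Provider", "EAA Provider", "Relying Party")
]

# Cross-node interactions implied by the Nodes/Components descriptions
# (paraphrased, not quoted).
DESCRIBED = [
    ("Relying Party", "PID Provider", "Auth Component interacts with the PID Provider Backend"),
    ("EAA Provider", "Trust Components", "EAA providers can access QTSPs and Authentic Sources"),
    ("Trust Components", "Relying Party", "Access Certificate Issuer issues certificates to Relying Parties"),
    ("User's Device", "German eID Provider", "eID Server is accessed by the native mobile app"),
]

def rows_without_mutual_auth(connections):
    """Row ids whose wording does not state mutual authentication."""
    return sorted({rid for rid, _, _, text in connections
                   if "mutually authenticated" not in text})

def undocumented_interactions(connections, described):
    """Described interactions with no matching row in the connection table."""
    edges = {frozenset((a, b)) for _, a, b, _ in connections}
    return [(a, b, why) for a, b, why in described
            if frozenset((a, b)) not in edges]

if __name__ == "__main__":
    print("no mutual auth stated:", rows_without_mutual_auth(CONNECTIONS))
    for a, b, why in undocumented_interactions(CONNECTIONS, DESCRIBED):
        print(f"not in connection table: {a} <-> {b} ({why})")
```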