Explainer: Digital identity & trust frameworks — what it is, why it matters, and how to evaluate options

Over 80% of EU citizens will have access to a digital identity wallet by 2027 under the revised eIDAS 2.0 regulation, yet fewer than 15% of enterprises have begun integrating trust framework requirements into their compliance and sustainability workflows, according to the European Commission's 2025 Digital Decade Progress Report. For sustainability leads operating in the EU, digital identity is no longer a niche IT concern: it underpins supply chain traceability, ESG data verification, corporate climate disclosures, and the Digital Product Passports mandated under the EU's Ecodesign for Sustainable Products Regulation. Understanding how trust frameworks function, how they differ across jurisdictions, and how to evaluate vendor options is now a core operational requirement.

Why It Matters

Digital identity and trust frameworks define the rules, standards, and governance structures that determine how individuals, organizations, and devices prove who they are in digital transactions. In the sustainability context, this infrastructure matters because nearly every emerging regulatory requirement depends on verified data flowing between parties who may not know or trust each other directly.

The EU's regulatory agenda makes this concrete. The Corporate Sustainability Reporting Directive (CSRD) requires over 50,000 companies to report audited sustainability data starting in 2025, with Scope 3 emissions data requiring verified inputs from suppliers across global value chains. The EU Digital Product Passport framework, which takes effect for batteries in 2027 and textiles by 2028, requires machine-readable records of material composition, carbon footprint, and circularity metrics attached to individual products throughout their lifecycle. The Carbon Border Adjustment Mechanism (CBAM) demands verified emissions data from non-EU producers of steel, cement, aluminium, fertilizers, electricity, and hydrogen.

Each of these regulatory instruments depends on the ability to verify the identity of the entity providing data, the integrity of the data itself, and the authority of the entity to make specific claims. Without robust digital identity infrastructure, sustainability reporting risks becoming an exercise in unverifiable self-attestation, which is precisely the condition that anti-greenwashing regulations like the EU Green Claims Directive are designed to eliminate.

The financial stakes are significant. The European Commission estimates that a functioning EU digital identity ecosystem will generate EUR 9.6 billion in annual economic value by 2030, with cross-border business verification and supply chain authentication representing 35% of that total (European Commission, 2025). Companies that delay integration face both compliance risk and competitive disadvantage as trading partners, regulators, and financial institutions increasingly require machine-verifiable credentials.

Key Concepts

Trust framework: A trust framework is the complete set of governance rules, technical standards, legal agreements, and operational procedures that govern how digital identities are issued, verified, and accepted within a specific ecosystem. The EU's eIDAS 2.0 regulation establishes one such framework at supranational scale, defining how member states must issue European Digital Identity Wallets, how relying parties must accept them, and what liability rules apply when things go wrong.

Verifiable credentials (VCs): A W3C standard for tamper-evident digital attestations that a specific issuer makes about a specific subject. In sustainability contexts, a verifiable credential might certify that a factory meets ISO 14001 environmental management standards, that a shipment of steel has a verified carbon intensity of 1.2 tonnes CO2e per tonne, or that a company's Scope 1 emissions have been third-party audited. The credential is cryptographically signed by the issuer and can be verified by any relying party without contacting the issuer directly.

Decentralized identifiers (DIDs): Globally unique identifiers that enable entities to create self-managed digital identities without depending on a central registry. DIDs are resolved through decentralized networks (blockchains, distributed ledgers, or peer-to-peer systems) and are a foundational building block for self-sovereign identity architectures. The EU's approach under eIDAS 2.0 takes a federated model where member state authorities issue identities, but allows for DID-based approaches within the broader architecture.

European Digital Identity Wallet (EUDIW): A mobile application that EU member states must make available to all citizens and residents by 2027. The wallet stores identity attributes (name, date of birth, nationality) and qualified electronic attestations of attributes (professional qualifications, company registrations, sustainability certifications). For businesses, organizational wallets will store legal entity identifiers, tax registrations, and verified sustainability credentials.

Levels of assurance (LoA): The eIDAS framework defines three levels of assurance: low, substantial, and high, corresponding to the rigor of the identity proofing and authentication process. Sustainability data reporting under CSRD and CBAM will likely require "substantial" or "high" assurance, meaning that identity verification must include document validation, biometric checks, or in-person verification depending on risk level.

What's Working

EU Digital Identity Wallet pilot programs are producing operational results. The European Commission funded four Large Scale Pilots (LSPs) under the EU Digital Identity Wallet program, each involving multiple member states and real-world use cases. The POTENTIAL consortium, involving 148 organizations across 19 member states, completed its first interoperability tests in late 2025, demonstrating cross-border company registration verification between France and Germany with transaction times under 3 seconds. The EWC (EU Digital Identity Wallet Consortium) pilot demonstrated supply chain credential exchange in the pharmaceutical sector, with verified credentials for Good Manufacturing Practice (GMP) certification flowing from manufacturers in Ireland to distributors in Spain without manual document exchange (European Commission EUDIW Pilot Report, 2025).

Verifiable credentials for ESG data are moving beyond proof-of-concept. Spherity, a German digital identity startup, deployed its credentialing platform with BASF and Evonik to issue verifiable Product Carbon Footprints (PCFs) along chemical supply chains, enabling downstream buyers to receive cryptographically verified emissions data rather than PDF certificates. The Catena-X automotive data ecosystem, backed by BMW, Mercedes-Benz, and SAP, integrated verifiable credential exchange for battery passport data in 2025, with over 12,000 credential exchanges processed in its first six months of operation (Catena-X Association, 2025).

Legal Entity Identifiers (LEIs) are bridging traditional and digital identity. The Global Legal Entity Identifier Foundation (GLEIF) introduced verifiable LEI (vLEI) credentials in 2024, allowing organizations to prove their legal identity in digital transactions using cryptographically verifiable credentials anchored to their LEI registration. By early 2026, over 8,500 organizations had obtained vLEI credentials, with adoption concentrated in financial services and supply chain management. GLEIF's partnership with the International Organization for Standardization (ISO) ensures that vLEI aligns with both ISO 17442 (LEI standard) and W3C verifiable credential specifications.

What's Not Working

Interoperability between national wallet implementations remains fragile. While eIDAS 2.0 mandates mutual recognition of digital identity wallets across all 27 EU member states, the implementing acts that specify detailed technical requirements were still being finalized in early 2026. Different member states have chosen different technology stacks for their reference wallet implementations: Germany's ID Wallet uses an OpenID4VC-based architecture, while France's France Identite app uses a different credential format. The EU Architecture and Reference Framework (ARF) version 1.4, published in December 2025, addresses many of these gaps, but full interoperability testing across all member states is not expected to complete until mid-2027.

SME adoption lags significantly behind enterprise and government readiness. Large enterprises with dedicated compliance and IT teams are engaging with digital identity infrastructure, but SMEs, which represent 99% of EU businesses and contribute the majority of Scope 3 supply chain data, lack awareness and technical capacity. A 2025 survey by the European Digital SME Alliance found that 72% of SMEs with fewer than 50 employees had not heard of the EUDIW, and 85% had no plan for integrating verifiable credentials into their business processes. Without SME participation, the verified data chain breaks at precisely the points where Scope 3 emissions and supply chain traceability data originate.

Governance complexity creates implementation uncertainty. Trust frameworks involve multiple layers of governance: EU-level regulation, member state implementing legislation, accredited trust service providers, qualified electronic attestation issuers, and wallet providers. The accreditation process for Qualified Trust Service Providers (QTSPs) under eIDAS 2.0 requires national supervisory body approval, with timelines varying from 6 to 18 months across member states. Organizations attempting to issue verifiable sustainability credentials (such as audited carbon footprint data) face uncertainty about which entity must serve as the qualified issuer and what liability attaches to credential errors.

Privacy concerns around corporate data sharing remain unresolved. While the EUDIW architecture includes privacy-by-design principles such as selective disclosure (sharing only the specific attributes needed for a transaction), corporate sustainability data creates tension with competitive confidentiality. A supplier sharing verified emissions data via a verifiable credential may inadvertently reveal production volumes, energy sources, or process efficiencies to competitors. The technical mechanisms for zero-knowledge proofs that can verify that emissions fall below a threshold without revealing the exact figure exist but are not yet integrated into mainstream wallet implementations.

Key Players

Established Companies

• Thales: provides digital identity and security solutions deployed by over 30 national government ID programs globally, and is a lead partner in the POTENTIAL EUDIW pilot
• Idemia: supplies biometric identity verification technology used in ePassports and national ID cards across 180+ countries, participating in EUDIW reference implementations
• SAP: integrated verifiable credential exchange into its supply chain management platform through the Catena-X ecosystem, enabling sustainability data verification for automotive manufacturers
• GLEIF: operates the global Legal Entity Identifier system covering 2.6 million entities and introduced vLEI verifiable credentials for organizational identity

Startups

• Spherity: German startup providing decentralized identity infrastructure for supply chain credentialing, deployed with BASF and Evonik for product carbon footprint verification
• Dock.io: offers a verifiable credential platform enabling organizations to issue, manage, and verify digital credentials with W3C and eIDAS 2.0 compliance
• walt.id: Austrian startup building open-source identity infrastructure including wallet SDKs and credential issuance tools aligned with EUDIW technical specifications
• Procivis: Swiss startup providing trusted digital identity solutions for government and enterprise clients, with deployments in Swiss cantonal identity programs

Investors and Funders

• European Commission: directly funded EUR 46 million for the four EUDIW Large Scale Pilots and provides ongoing support through the Digital Europe Programme
• European Investment Bank: provided EUR 15 million in venture debt to digital identity startups through its InvestEU-backed technology innovation window
• Speedinvest: European VC firm with a dedicated digital identity thesis, backed Dock.io and multiple identity infrastructure companies

Key Metrics

Metric	Current State	Target (2027-2030)	Unit
EU citizens with wallet access	<5% (pilot phase)	80%+ by 2027	% of EU population
Organizations with vLEI credentials	8,500	100,000+ by 2028	organizations
Cross-border wallet interoperability	4 pilot consortia	27 member states	countries with mutual recognition
SME awareness of EUDIW	28%	70%+ by 2028	% of SMEs surveyed
Verifiable credential exchanges (Catena-X)	12,000 in first 6 months	1M+ per year by 2028	credential exchanges
QTSP accreditation timeline	6-18 months	3-6 months	months per accreditation

Action Checklist

• Audit your current identity verification processes across supplier onboarding, ESG data collection, and regulatory reporting to identify where verifiable credentials can replace manual document exchange
• Map your regulatory exposure to eIDAS 2.0, CSRD, CBAM, and Digital Product Passport requirements to determine which trust framework components are mandatory for your operations
• Evaluate whether your organization needs to act as a credential issuer (providing verified sustainability data to customers), a credential verifier (accepting data from suppliers), or both
• Engage with at least one EUDIW Large Scale Pilot consortium or industry data space (such as Catena-X for automotive or Gaia-X for cross-sector) to gain hands-on experience with credential exchange workflows
• Assess vendor options for wallet infrastructure and credential management, prioritizing solutions that support W3C Verifiable Credentials, OpenID4VC, and the EU ARF specification
• Develop an internal capability plan that addresses both technical integration (APIs, credential formats, key management) and organizational readiness (legal review, data governance, staff training)
• Establish a Legal Entity Identifier (LEI) if your organization does not already have one, and evaluate obtaining a vLEI credential for digital transaction verification
• Include digital identity requirements in procurement specifications for sustainability reporting software and supply chain management platforms

FAQ

Q: What is the difference between eIDAS 2.0 and the original eIDAS regulation, and why does it matter for sustainability teams? A: The original eIDAS regulation (2014) established mutual recognition of national electronic identification schemes and created a framework for trust services such as electronic signatures and seals. However, adoption was limited: only 14% of EU citizens had access to a cross-border recognized eID by 2024. eIDAS 2.0, adopted in 2024 and taking effect by 2027, introduces the mandatory European Digital Identity Wallet, extends the framework to cover electronic attestations of attributes (including sustainability certifications and ESG data), and requires that both public and private sector relying parties accept wallet-based credentials. For sustainability teams, eIDAS 2.0 means that the infrastructure for issuing and verifying audited sustainability data digitally will become universally available across the EU, replacing the current fragmented system of PDFs, emails, and proprietary platforms.

Q: How do verifiable credentials improve the reliability of sustainability data compared to current approaches? A: Current sustainability data exchange relies primarily on self-reported data transmitted via spreadsheets, PDFs, or proprietary platforms, with verification occurring through periodic audits. This creates multiple failure points: data can be altered after issuance, the identity of the reporting entity may not be verified, and auditors cannot efficiently validate data at the scale required by Scope 3 reporting. Verifiable credentials solve these problems by cryptographically binding the data to the issuer's identity, making any alteration detectable, and enabling instant verification by any relying party. When BASF issues a verifiable Product Carbon Footprint credential through Spherity's platform, the downstream buyer can verify in real time that the data was issued by BASF, has not been modified, and was issued on a specific date, without contacting BASF or a third-party auditor.

Q: What should sustainability leads prioritize if their organization operates primarily in the EU? A: Start with three concrete actions. First, obtain or verify your organization's LEI and explore vLEI credentials through GLEIF's network of qualified vLEI issuers, as the LEI is becoming the standard organizational identifier across EU sustainability regulations. Second, assess your CSRD and CBAM data flows to identify which supplier interactions would benefit most from verifiable credentials, focusing on high-volume, high-risk data exchanges where manual verification is currently a bottleneck. Third, engage with the ARF specification (publicly available on the European Commission's GitHub repository) and begin technical planning for credential issuance or verification, even if production deployment is 12 to 18 months away. Organizations that build internal understanding now will be positioned to move quickly when wallet infrastructure reaches general availability.

Q: Is blockchain required for digital identity and trust frameworks? A: No. While early decentralized identity projects relied heavily on blockchain-based DID methods (such as did:ethr on Ethereum or did:ion on Bitcoin), the EU's eIDAS 2.0 framework is deliberately technology-neutral. The EU Architecture and Reference Framework supports multiple DID methods, including blockchain-based, web-based (did:web), and centralized registry-based approaches. The emphasis is on interoperability and compliance with governance requirements rather than any specific underlying technology. In practice, many enterprise deployments use did:web or EBSI (European Blockchain Services Infrastructure) as their trust anchor, depending on the use case and regulatory requirements. Sustainability teams should evaluate solutions based on compliance, interoperability, and vendor maturity rather than underlying technology choices.

Sources

• European Commission. (2025). Digital Decade Progress Report 2025: Digital Identity and Trust Services. Brussels: European Commission.
• European Commission. (2025). EUDIW Large Scale Pilot: Interim Results and Interoperability Assessment. Brussels: European Commission.
• Catena-X Association. (2025). Catena-X Operating Report: Verifiable Credential Exchange and Battery Passport Implementation. Berlin: Catena-X Automotive Network.
• GLEIF. (2025). vLEI Ecosystem Progress Report: Adoption Metrics and Use Case Analysis. Basel: Global Legal Entity Identifier Foundation.
• European Digital SME Alliance. (2025). SME Readiness for the European Digital Identity Wallet: Survey Results and Policy Recommendations. Brussels: European DIGITAL SME Alliance.
• European Commission. (2025). Architecture and Reference Framework for the European Digital Identity Wallet, Version 1.4. Brussels: European Commission.
• Spherity GmbH. (2025). Product Carbon Footprint Credentialing: Deployment Report with BASF and Evonik Chemical Supply Chains. Dortmund: Spherity.