Self-Sovereign Identity and eIDAS 2.0: An Analysis of Control, Privacy, and Legal Implications

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

European digital identity initiatives are grounded in regulatory frameworks designed to ensure interoperability and robust, harmonized security standards. The evolution of these frameworks culminates in eIDAS 2.0, whose origins trace back to the Electronic Signatures Directive 1999/93/EC, the first EU-wide legal foundation for the use of electronic signatures in cross-border electronic transactions. As technological capabilities advanced, the initial eIDAS 1.0 framework was increasingly criticized for its limitations and lack of comprehensiveness. Emerging decentralized approaches further exposed these shortcomings and introduced the possibility of integrating innovative identity paradigms, such as Self-Sovereign Identity (SSI) models. In this article, we analyse key provisions of the eIDAS 2.0 Regulation and its accompanying recitals, drawing on existing literature to identify legislative gaps and implementation challenges. Furthermore, we examine the European Digital Identity Architecture and Reference Framework (ARF), assessing its proposed guidelines and evaluating the extent to which its emerging implementations align with SSI principles.


💡 Research Summary

The paper provides a comprehensive comparison between the European Union’s digital identity regulation (eIDAS 2.0) and the emerging Self‑Sovereign Identity (SSI) paradigm. It begins by distinguishing between self‑generated online identities (e.g., social media accounts) and legally recognised digital identities (e.g., government‑issued eIDs), noting that current centralized or federated identity management systems suffer from single points of failure, limited attribute sharing, and privacy concerns. While GDPR has strengthened data protection, identity authentication remains largely dependent on centralized trust anchors.

The authors outline the technical foundations of SSI, which relies on Decentralised Identifiers (DIDs) and Verifiable Credentials (VCs) stored on Distributed Ledger Technologies (DLTs). They adopt Christopher Allen’s ten SSI principles—Existence, Control, Access, Transparency, Persistence, Portability, Consent, Interoperability, Minimalisation, and Protection—as the analytical framework.

The paper then reviews the shortcomings of eIDAS 1.0 (limited cross‑border interoperability, rigid national implementations, exclusion of private sector use‑cases) and describes how eIDAS 2.0 attempts to address these through three Levels of Assurance (Low, Substantial, High), the European Digital Identity Wallet (EUDI Wallet), and the Architecture Reference Framework (ARF). However, ARF is a non‑binding technical guide and does not explicitly incorporate SSI concepts.

Methodologically, the study conducts a systematic literature review (SLR) across IEEE Xplore, ACM DL, ScienceDirect, and Scopus, initially identifying 272 records, filtering down to 33 relevant papers. The authors synthesize SSI properties into ten evaluation criteria and map each criterion against eIDAS 2.0 provisions, recitals, and ARF components. The mapping reveals the greatest gaps in Control, Portability, and Minimalisation, while Interoperability and Security show relative alignment.

Legally, eIDAS 2.0’s definition of “identity provider” as a centralized trust anchor conflicts with SSI’s multi‑issuer, holder‑centric model. Moreover, the regulation lacks explicit provisions for holder consent, data portability, and revocation mechanisms required for GDPR‑compliant VC lifecycle management. Technically, the authors recommend standardising on‑chain DID registries and revocation registries, and designing the EUDI Wallet to support both a “self‑sovereign mode” and a “regular mode” that interoperates with existing eIDAS flows.

Policy recommendations include: (1) amending eIDAS 2.0 to embed SSI‑specific rights (full holder control, transparent consent, data portability); (2) elevating the ARF to a binding Implementation Act that mandates support for DID, VC, and revocation standards; (3) establishing an EU‑wide “Digital Identity Lab” to pilot SSI‑eIDAS integration, generate best‑practice guidelines, and drive standardisation. By adopting these measures, the EU could reconcile centralised trust models with decentralised identity sovereignty, delivering a secure, interoperable, and user‑centric digital identity ecosystem for the future.

