How does eIDAS 2.0 define electronic attestation of attributes?

Sealed official document with embossed certification stamp on a glass desk beside an EU flag pin, soft natural light, gold accents.

Under eIDAS 2.0, an electronic attestation of attributes (EAA) is a digitally signed statement that confirms specific characteristics or qualifications about a person or organisation, such as a professional licence, age, or educational credential. Unlike a traditional identity document, an EAA does not need to prove who you are, only that a particular fact about you is true and has been verified by a trusted source. This article unpacks how EAAs are defined, who can issue them, and what they mean in practice for organisations and users across the EU.

What types of electronic attestation of attributes does eIDAS 2.0 recognise?

eIDAS 2.0 recognises two types of electronic attestation of attributes: qualified electronic attestations of attributes (QEAAs) and non-qualified electronic attestations of attributes (EAAs). QEAAs are issued by accredited trust service providers and carry the highest level of legal certainty. Non-qualified EAAs are issued by other parties, including public sector bodies acting on behalf of authentic sources, and carry a lower but still meaningful level of trust.

The distinction matters because it determines how much legal weight the attestation carries and who is allowed to issue it. A QEAA confirming that someone holds a valid medical licence, for example, carries the same legal standing across all EU member states as a paper certificate issued by the relevant authority, but in a format that is instantly verifiable and machine-readable.

Both types can contain a wide range of attribute data, including:

  • Professional qualifications and licences
  • Educational credentials and diplomas
  • Age verification and nationality
  • Organisational roles and authorisations
  • Health data such as prescriptions or insurance entitlements
  • Driving licence information

This flexibility is one of the core design goals of the eIDAS regulation update. Rather than limiting digital identity to a single national ID, eIDAS 2.0 allows a rich ecosystem of verifiable claims to be issued, stored, and presented through the digital identity infrastructure that organisations and governments are now building.

How do electronic attestations of attributes differ from eIDs?

An eID proves who you are, while an electronic attestation of attributes proves something specific about you. An eID is a government-issued identity credential that establishes your legal identity, typically through name, date of birth, and a unique identifier. An EAA, by contrast, is a targeted claim issued by a relevant authority, confirming a particular fact without necessarily revealing your full identity.

Think of it this way: your passport is an eID. A certificate confirming you are a licensed pharmacist is an EAA. Both are digitally signed and verifiable, but they serve different purposes and come from different issuers.

This separation is deliberate. eIDAS 2.0 is designed to support data minimisation, a principle rooted in the GDPR. When a user wants to prove they are over 18 to access a service, they should not have to share their full name, address, and date of birth. An EAA can confirm the age threshold is met without revealing any unnecessary personal data. This gives users meaningful control over what they share and with whom.

For organisations in sectors like financial services or healthcare, this distinction is also operationally important. Accepting an EAA instead of a full identity document reduces the amount of sensitive data you handle, which in turn reduces compliance risk under data protection law.

Who can issue qualified electronic attestations of attributes under eIDAS 2.0?

Qualified electronic attestations of attributes can only be issued by qualified trust service providers (QTSPs) that have been officially recognised on a national trusted list. These providers must meet strict requirements set out in the eIDAS 2.0 regulation and its implementing acts, covering security, audit, and operational standards. Public sector bodies responsible for authentic sources, such as professional registers or population databases, can also issue EAAs, though these may be non-qualified depending on the context.

The regulation establishes a clear chain of accountability. A QTSP issuing a QEAA must be able to verify the underlying attribute from an authoritative source before attesting to it. For example, a QTSP issuing a QEAA confirming a lawyer’s bar membership must obtain that confirmation from the relevant bar association or official register.

This is a significant shift from the original eIDAS framework, which focused primarily on electronic signatures and identity. Under eIDAS 2.0, the trust service ecosystem expands considerably to cover a much broader range of attribute issuers, including employers, educational institutions, and professional bodies, provided they operate within the recognised framework. Organisations exploring their role in this ecosystem can find practical guidance through TrustTech’s implementation approach.

How does the EUDI Wallet store and present electronic attestations of attributes?

The European Digital Identity Wallet (EUDI Wallet) stores electronic attestations of attributes as verifiable credentials in a standardised, cryptographically protected format. When a user needs to present an EAA to a service provider, the wallet generates a selective disclosure response, sharing only the specific attributes the service requires, without exposing the full credential or any unrelated data.

This works through a combination of cryptographic techniques and standardised protocols defined in the Architecture and Reference Framework (ARF). The wallet holds the credentials issued to the user and manages the presentation process. The relying party, meaning the organisation requesting the information, receives a cryptographically verifiable proof that the attribute is genuine and has not been tampered with.

In practical terms, this means a user can present their professional qualification to an employer, their age to an online platform, or their health insurance entitlement to a pharmacy, all from the same wallet app, without ever handing over a physical document or repeating a manual verification process. The wallet is designed to work both online and in physical interactions, such as presenting a mobile driving licence during a roadside check.

For organisations in sectors like healthcare or government, this creates real operational opportunities. Verifying a credential presented from an EUDI Wallet is faster, more reliable, and more auditable than checking a paper document or running a manual database query.

What legal effects do electronic attestations of attributes carry across EU member states?

Qualified electronic attestations of attributes have equivalent legal effect across all EU member states. This means a QEAA issued in one member state must be accepted by relying parties in all other member states, provided it relates to attributes that fall within the scope of the regulation. Non-qualified EAAs carry legal weight too, but their cross-border recognition depends on the specific context and the policies of the receiving organisation.

This cross-border recognition is one of the most significant practical outcomes of eIDAS 2.0. Before this regulation, a professional credential issued in Germany might not be automatically accepted by a digital service in Spain, because there was no common technical or legal framework for verifying it remotely. eIDAS 2.0 changes that by establishing a binding interoperability framework.

The legal effects are structured as follows:

  1. QEAAs must be accepted wherever the relevant attribute type is legally recognised across the EU, with the same standing as equivalent paper-based certificates.
  2. Non-qualified EAAs from public sector bodies carry strong evidentiary weight and are expected to be widely accepted, though the legal framework may vary by use case.
  3. Non-qualified EAAs from private issuers are legally valid but their acceptance depends on the relying party’s policies and any applicable sector-specific rules.

For organisations operating across borders, particularly in regulated sectors such as finance, pharmaceuticals, or professional services, this framework removes a significant barrier. A verified credential issued once can be reused across multiple services and jurisdictions, reducing duplication and speeding up processes that previously required separate verification in each country.

How TrustTech helps with electronic attestation of attributes

Understanding the eIDAS 2.0 framework for electronic attestations of attributes is one thing. Implementing it in a way that works for your organisation is another challenge entirely. TrustTech specialises in exactly this transition, helping organisations in regulated sectors prepare for and integrate the next generation of digital identity infrastructure.

Whether you are looking to issue, accept, or manage electronic attestations of attributes, TrustTech provides the expertise and technology to make it work in practice. This includes:

  • Assessing your current identity and compliance infrastructure against eIDAS 2.0 requirements
  • Implementing verifiable credential issuance and verification workflows
  • Connecting your systems to the EUDI Wallet ecosystem for both online and offline interactions
  • Enabling selective disclosure so your users share only what is necessary
  • Supporting cross-border interoperability for organisations operating in multiple EU member states

TrustTech works with organisations across finance, government, healthcare, and other trust-sensitive sectors, combining deep regulatory knowledge with hands-on technical implementation. If you are ready to move from understanding to action, get in touch with TrustTech to discuss how your organisation can prepare for eIDAS 2.0 and the EUDI Wallet ecosystem.