A trust anchor is the root of trust in a digital identity system: the authoritative starting point that all parties in a trust chain rely on to verify that credentials, certificates, and identities are genuine. Under eIDAS 2.0, trust anchors form the foundation of the entire European Digital Identity ecosystem, making it possible for organisations and individuals to exchange verified identity data with confidence across borders. This article unpacks how trust anchors work, who can act as one, and what this means for your organisation in practice.
How does a trust anchor fit into the eIDAS 2.0 trust chain?
A trust anchor fits into the eIDAS 2.0 trust chain as the starting point from which all trust is derived. When a relying party, such as a bank or government service, receives a verifiable credential, it needs to confirm that the credential was issued by a legitimate, authorised party. The trust anchor is the entity whose trustworthiness is assumed without further verification, and from which everything else in the chain can be validated.
Think of it like a chain of certificates. Each link in the chain can be verified by checking the one above it, all the way back to the trust anchor at the top. Under eIDAS 2.0, this chain is formalised through the EU Trusted Lists, which are official registries maintained by EU Member States that list recognised trust service providers and their cryptographic certificates.
When the EUDI Wallet presents a credential to a relying party, the relying party traces the credential’s provenance back through the chain. If that chain leads to a recognised trust anchor on an EU Trusted List, the credential is considered valid. If the chain cannot be verified back to a trusted root, the credential is rejected. This mechanism is what makes cross-border digital identity verification possible at scale across the EU.
What role does a trust anchor play in the EUDI Wallet ecosystem?
In the EUDI Wallet ecosystem, trust anchors play a central role in ensuring that every piece of identity data stored and shared through a wallet can be cryptographically verified. Without a trust anchor, there is no reliable way for a relying party to confirm that a credential was issued by an authorised source rather than a fraudulent one.
The EUDI Wallet ecosystem involves several interacting parties: wallet providers, credential issuers, relying parties, and users. Each of these parties needs to trust the others to some degree. Trust anchors make this possible by providing a shared, verifiable reference point that all parties can check against.
In practical terms, this means that when a user presents a credential from their EUDI Wallet, such as proof of professional qualification or a government-issued identity document, the receiving organisation can instantly verify that the credential traces back to a recognised trust anchor. This removes the need for manual checks, repeated verifications, or direct relationships between every pair of parties in the ecosystem. It is what enables the “verify once, reuse everywhere” model that eIDAS 2.0 is designed to support.
For organisations operating in financial services or other regulated sectors, this is particularly significant. Accepting identity credentials that are anchored to an EU Trusted List means compliance with regulatory requirements is built into the verification process itself.
Who can act as a trust anchor under eIDAS 2.0?
Under eIDAS 2.0, trust anchors are typically qualified trust service providers (QTSPs) or government authorities that are listed on an EU Member State’s Trusted List. These are entities that have been assessed, certified, and formally recognised as meeting the strict security and operational requirements set out in the eIDAS regulation.
The following types of entities can act as trust anchors within the eIDAS 2.0 framework:
- National governments and public authorities that issue official identity credentials, such as national ID cards or electronic identification schemes
- Qualified Trust Service Providers (QTSPs) that have been assessed by an accredited conformity assessment body and listed on a national Trusted List
- Wallet providers that are officially certified and notified under the eIDAS 2.0 framework
- Authentic sources, such as official registries or public sector bodies, that are authorised to issue verified attributes about individuals or organisations
It is important to note that not every organisation that participates in the ecosystem qualifies as a trust anchor. Relying parties, for example, consume trusted credentials but do not themselves act as trust anchors. The distinction is significant: a trust anchor must be formally recognised and listed, whereas a relying party simply needs to be registered to accept credentials from the ecosystem.
What’s the difference between a trust anchor and a trust service provider?
The key difference is scope and function. A trust service provider (TSP) is any entity that provides digital trust services, such as electronic signatures, certificates, or timestamping. A trust anchor is a specific role within a trust chain: the entity whose public key or certificate is accepted as inherently trustworthy and does not require further verification. All trust anchors in the eIDAS 2.0 context are trust service providers, but not all trust service providers act as trust anchors.
To put it more concretely: a qualified trust service provider might issue certificates for electronic signatures. Those certificates form part of a trust chain. The trust anchor is the root certificate authority at the top of that chain, whose certificate is published on an EU Trusted List and accepted as the ultimate source of trust.
There is also a regulatory distinction. Trust service providers are regulated entities under eIDAS 2.0 and must meet specific requirements to operate. Qualified TSPs face even stricter requirements and undergo independent conformity assessments. Trust anchors, in the context of the EUDI Wallet ecosystem, are specifically those entities whose cryptographic material is published in official trust infrastructure, such as the EU Trusted Lists or the wallet ecosystem’s trust registries.
For organisations building or integrating with digital identity solutions, understanding this distinction matters when deciding which parties you need to rely on and how to structure your verification processes.
How do organisations verify a trust anchor in practice?
In practice, organisations verify a trust anchor by checking the cryptographic certificate chain of a credential or signature against an authoritative, publicly available trust list. Under eIDAS 2.0, the primary mechanism for this is the EU Trusted Lists, which are maintained by each Member State and made available in a standardised machine-readable format.
The verification process typically works as follows:
- Receive the credential or certificate: The organisation receives a verifiable credential, electronic signature, or other trust-bearing artefact from a user or counterparty.
- Extract the certificate chain: The credential contains a chain of cryptographic certificates linking it back to the issuing authority.
- Check the chain against the EU Trusted List: The organisation’s verification system checks whether the root certificate in the chain matches a trust anchor listed on the relevant EU Trusted List.
- Validate status and validity period: The system also confirms that the trust anchor’s certificate has not been revoked and is still within its validity period.
- Accept or reject the credential: If the chain traces back to a valid, listed trust anchor, the credential is accepted. If not, it is rejected.
This process is largely automated in modern identity verification systems. Organisations do not need to manually check trust lists for every transaction. Instead, their software integrates with the relevant trust infrastructure and performs these checks in real time. For organisations in sectors such as government services or healthcare, this automated verification is essential for processing high volumes of identity interactions without adding friction for users.
It is also worth noting that the EUDI Wallet architecture introduces additional trust registries specific to the wallet ecosystem, such as registries of certified wallet solutions and registered relying parties. Organisations operating within this ecosystem need to ensure their verification systems are aligned with these newer registries as well as the existing EU Trusted Lists.
How TrustTech helps with trust anchors and eIDAS 2.0 compliance
Understanding trust anchors is one thing. Putting the right infrastructure in place to work with them is another. That is where TrustTech comes in. TrustTech helps organisations across regulated sectors navigate the technical and regulatory complexity of eIDAS 2.0, so they can build digital identity processes that are secure, compliant, and ready for the EUDI Wallet ecosystem.
Specifically, TrustTech supports your organisation with:
- Connecting to the right trust infrastructure, including EU Trusted Lists and wallet ecosystem registries, so your verification processes are always aligned with recognised trust anchors
- Implementing verifiable credentials that are cryptographically linked to qualified trust anchors, ensuring your credentials are accepted across the EU
- Enabling reusable identity flows that allow users to verify once and share trusted attributes across multiple services, reducing friction and drop-off
- Supporting compliance with eIDAS 2.0 requirements, including the technical specifications for wallet interoperability, qualified trust services, and cross-border identity matching
- Guiding your implementation from strategy through to production, with deep expertise in both the regulatory framework and the technical architecture
Whether you are preparing for the EUDI Wallet rollout, integrating with existing eIDAS-compliant identity schemes, or building new digital onboarding flows, TrustTech provides the expertise and platform to get there. Explore our implementation approach or get in touch with our team to discuss what trust anchor integration means for your organisation.