[{"data":1,"prerenderedAt":662},["ShallowReactive",2],{"eidas2/issuer":3},{"id":4,"title":5,"author":6,"body":7,"description":647,"extension":648,"meta":649,"navigation":650,"path":651,"publishedAt":652,"seo":653,"stem":654,"tags":655,"updatedAt":652,"__hash__":661},"eidas2Articles/eidas2/issuer.md","eIDAS 2 Issuer Requirements: How to Issue Credentials Under eIDAS 2","Tamino Baumann",{"type":8,"value":9,"toc":626},"minimark",[10,25,28,33,65,67,71,78,183,196,198,202,205,263,265,269,272,414,421,423,427,434,472,475,477,481,484,520,525,533,565,577,579,583,586,589,593,596,600,603,607,610,614,617,621,624],[11,12,13,14,18,19,24],"p",{},"An ",[15,16,17],"strong",{},"eIDAS 2 issuer"," is a government or business that attests claims about a person or organisation — such as a name, qualification, or entitlement — and issues them as a digital credential into an ",[20,21,23],"a",{"href":22},"/eidas2/eudi-wallet","EU Digital Identity Wallet (EUDI Wallet)",". To do so compliantly, an issuer must register in the eIDAS 2 trust ecosystem, issue credentials in the mandated formats and protocols, and manage each credential's full lifecycle.",[26,27],"hr",{},[29,30,32],"h2",{"id":31},"what-is-an-eidas-2-issuer","What is an eIDAS 2 issuer?",[11,34,35,36,39,40,46,47,52,53,58,59,64],{},"An issuer cryptographically signs a set of attributes about a user and delivers it to their EUDI wallet. Trust is established through official ",[15,37,38],{},"EU Trusted Lists",": every issuer must be registered so that wallets and verifiers can confirm the credential came from a legitimate source. The credential follows a mandated format (",[20,41,45],{"href":42,"rel":43},"https://docs.walt.id/concepts/digital-credentials/sd-jwt-vc",[44],"nofollow","SD-JWT VC",", ",[20,48,51],{"href":49,"rel":50},"https://docs.walt.id/community-stack/concepts/digital-credentials/mdoc-mdl-iso",[44],"ISO/IEC 18013-5",", or ",[20,54,57],{"href":55,"rel":56},"https://docs.walt.id/concepts/digital-credentials/verifiable-credentials-w3c",[44],"W3C VC",") and is delivered over the ",[20,60,63],{"href":61,"rel":62},"https://docs.walt.id/concepts/data-exchange-protocols/openid4vci",[44],"OID4VCI"," protocol.",[26,66],{},[29,68,70],{"id":69},"the-five-credential-types-an-eidas-2-issuer-can-issue","The five credential types an eIDAS 2 issuer can issue",[11,72,73,77],{},[20,74,76],{"href":75},"/eidas2","eIDAS 2"," (Regulation (EU) 2024/1183) defines five categories of attestation, in descending order of assurance and legal weight. The category determines who can issue it and which requirements apply.",[79,80,81,100],"table",{},[82,83,84],"thead",{},[85,86,87,91,94,97],"tr",{},[88,89,90],"th",{},"Credential",[88,92,93],{},"Full name",[88,95,96],{},"Issued by",[88,98,99],{},"Legal weight",[101,102,103,120,136,152,167],"tbody",{},[85,104,105,111,114,117],{},[106,107,108],"td",{},[15,109,110],{},"PID",[106,112,113],{},"Person Identification Data",[106,115,116],{},"Government-appointed PID Providers",[106,118,119],{},"Core digital ID; required to activate a certified EUDI wallet",[85,121,122,127,130,133],{},[106,123,124],{},[15,125,126],{},"LPID",[106,128,129],{},"Legal Person Identification Data",[106,131,132],{},"LPID Providers",[106,134,135],{},"Core digital ID for companies and organisations",[85,137,138,143,146,149],{},[106,139,140],{},[15,141,142],{},"PuB-EAA",[106,144,145],{},"Public Sector Body Electronic Attestation of Attributes",[106,147,148],{},"Public-sector bodies (registries, tax, immigration)",[106,150,151],{},"Same legal value as the paper original",[85,153,154,159,162,165],{},[106,155,156],{},[15,157,158],{},"QEAA",[106,160,161],{},"Qualified Electronic Attestation of Attributes",[106,163,164],{},"Qualified Trust Service Providers (QTSPs)",[106,166,151],{},[85,168,169,174,177,180],{},[106,170,171],{},[15,172,173],{},"EAA",[106,175,176],{},"(Non-Qualified) Electronic Attestation of Attributes",[106,178,179],{},"Any business (Non-Qualified EAA Provider)",[106,181,182],{},"Defined by the credential's rulebook",[11,184,185,186,189,190,195],{},"The concrete attributes and rules for each credential — and any sector-specific requirements, such as those for banking — are defined in dedicated attestation ",[15,187,188],{},"rulebooks",". Attribute definitions for PID and EAAs are set in ",[20,191,194],{"href":192,"rel":193},"https://eur-lex.europa.eu/eli/reg_impl/2024/2977/oj/eng",[44],"Regulation (EU) 2024/2977",".",[26,197],{},[29,199,201],{"id":200},"eidas-2-issuer-requirements-the-compliance-checklist","eIDAS 2 issuer requirements: the compliance checklist",[11,203,204],{},"Every eIDAS 2 issuer, regardless of credential type, must meet the same core obligations. The checklist below is the baseline for compliance.",[206,207,208,215,221,227,233,239,245,251,257],"ol",{},[209,210,211,214],"li",{},[15,212,213],{},"Register as an issuer"," in the eIDAS 2 Trusted Lists to become a trusted actor in the ecosystem, and obtain an access certificate.",[209,216,217,220],{},[15,218,219],{},"Verify the user's identity at Level of Assurance (LoA) High"," before issuance — typically through document verification, biometric checks, or by reusing the user's existing PID.",[209,222,223,226],{},[15,224,225],{},"Authenticate the wallet unit"," before issuing: verify the Wallet Unit Attestation (WUA) signature, confirm it has not been revoked, and check proof of key possession.",[209,228,229,232],{},[15,230,231],{},"Issue in the mandated formats",": SD-JWT VC (IETF) and ISO/IEC 18013-5 (mdoc) are mandatory for PID, PuB-EAA and QEAA; W3C VC (VCDM 2.0) is optional and only for EAAs.",[209,234,235,238],{},[15,236,237],{},"Implement OID4VCI V1 with the HAIP profile"," for credential delivery, and ISO/IEC 18013-7 for mdoc remote flows.",[209,240,241,244],{},[15,242,243],{},"Bind the credential cryptographically"," to the wallet's secure element (WSCD).",[209,246,247,250],{},[15,248,249],{},"Manage status and revocation",": publish status information (Attestation Status Lists, Attestation Revocation List) so verifiers can check validity, and support short-lived credentials and revocation on request.",[209,252,253,256],{},[15,254,255],{},"Conform to the attestation rulebook"," for the credential's structure, identifiers, and metadata.",[209,258,259,262],{},[15,260,261],{},"Apply privacy-enhancing measures",": prevent batch issuance from being correlated, and optionally embed disclosure policies that limit which verifiers may receive a credential.",[26,264],{},[29,266,268],{"id":267},"eidas-2-issuer-requirements-by-credential-type","eIDAS 2 issuer requirements by credential type",[11,270,271],{},"While the baseline is shared, the obligations tighten with the assurance level of the credential. This table maps the key differences.",[79,273,274,290],{},[82,275,276],{},[85,277,278,281,284,286,288],{},[88,279,280],{},"Requirement",[88,282,283],{},"PID / LPID",[88,285,142],{},[88,287,158],{},[88,289,173],{},[101,291,292,306,321,334,347,362,375,388,401],{},[85,293,294,297,300,302,304],{},[106,295,296],{},"Register as a trusted issuer",[106,298,299],{},"Required",[106,301,299],{},[106,303,299],{},[106,305,299],{},[85,307,308,311,313,316,318],{},[106,309,310],{},"Identity proofing at LoA High before issuance",[106,312,299],{},[106,314,315],{},"Required (can reuse PID)",[106,317,315],{},[106,319,320],{},"Per rulebook",[85,322,323,326,328,330,332],{},[106,324,325],{},"Authenticate the wallet before issuance",[106,327,299],{},[106,329,299],{},[106,331,299],{},[106,333,299],{},[85,335,336,339,341,343,345],{},[106,337,338],{},"Support SD-JWT VC & ISO/IEC 18013-5",[106,340,299],{},[106,342,299],{},[106,344,299],{},[106,346,299],{},[85,348,349,352,355,357,359],{},[106,350,351],{},"Support W3C VC (VCDM 2.0)",[106,353,354],{},"–",[106,356,354],{},[106,358,354],{},[106,360,361],{},"Optional",[85,363,364,367,369,371,373],{},[106,365,366],{},"Support OID4VCI / ISO 18013-7",[106,368,299],{},[106,370,299],{},[106,372,299],{},[106,374,299],{},[85,376,377,380,382,384,386],{},[106,378,379],{},"Credential must carry a revocation status (if valid > 24h)",[106,381,299],{},[106,383,299],{},[106,385,299],{},[106,387,320],{},[85,389,390,393,395,397,399],{},[106,391,392],{},"Align with the attestation rulebook",[106,394,299],{},[106,396,299],{},[106,398,299],{},[106,400,299],{},[85,402,403,406,408,410,412],{},[106,404,405],{},"Embedded disclosure policies",[106,407,354],{},[106,409,361],{},[106,411,361],{},[106,413,361],{},[11,415,416,417,195],{},"Source: eIDAS 2 Implementing Acts and the Architecture and Reference Framework (ARF). A full role-by-role breakdown is available in the ",[20,418,420],{"href":419},"/white-paper/eidas2-implementers-guide","eIDAS 2 Implementers Guide",[26,422],{},[29,424,426],{"id":425},"how-credential-issuance-works-under-eidas-2","How credential issuance works under eIDAS 2",[11,428,429,430,433],{},"Issuance follows a defined sequence built on the ",[15,431,432],{},"OID4VCI (OpenID for Verifiable Credential Issuance)"," protocol with the HAIP profile:",[206,435,436,442,448,454,460,466],{},[209,437,438,441],{},[15,439,440],{},"Trust establishment"," — the issuer presents its access certificate so the wallet can authenticate it against the EU trusted lists.",[209,443,444,447],{},[15,445,446],{},"Wallet authentication"," — the issuer verifies the Wallet Unit Attestation (WUA) and confirms the wallet controls its private key, the key is in a secure environment and the Wallet Provider is trusted.",[209,449,450,453],{},[15,451,452],{},"Identity proofing"," — the user's identity is verified at LoA High, often by reusing the PID already in their wallet.",[209,455,456,459],{},[15,457,458],{},"Attribute sourcing"," — attributes are fetched from an authentic source (e.g. a registry or tax authority) or another trusted data-source (e.g. a database) and validated.",[209,461,462,465],{},[15,463,464],{},"Signing and binding"," — the credential is signed with the issuer's key and cryptographically bound to the wallet.",[209,467,468,471],{},[15,469,470],{},"Delivery"," — the credential is delivered into the wallet over OID4VCI, in the mandated format.",[11,473,474],{},"Issuers must also keep credentials valid over time — supporting updates, suspension, and revocation through a published status mechanism.",[26,476],{},[29,478,480],{"id":479},"build-vs-buy-how-to-meet-eidas-2-issuer-requirements","Build vs buy: how to meet eIDAS 2 issuer requirements",[11,482,483],{},"Becoming a compliant issuer means implementing credential standards, exchange protocols, key management, revocation, certificate management, and rulebook conformity — and keeping all of them current as the ARF and Implementing Acts evolve. There are three paths:",[485,486,487,503,514],"ul",{},[209,488,489,492,493,497,498,502],{},[15,490,491],{},"Build apps, buy infrastructure"," ",[494,495,496],"em",{},"(recommended)"," — build only the application layer and use a standards-compliant issuance provider (such as ",[20,499,501],{"href":500},"/eidas2#infrastructure","the walt.id Enterprise Stack","). Fastest time to market, lowest regulatory and technical risk.",[209,504,505,508,509,513],{},[15,506,507],{},"Build apps, own infrastructure"," — use open-source solutions (such as the ",[20,510,512],{"href":511},"/community-stack","walt.id Community Stack",") to retain full control while avoiding implementing OID4VCI and the credential formats from scratch.",[209,515,516,519],{},[15,517,518],{},"Build everything in-house"," — implement and maintain the full stack internally. Viable only for organisations with a dedicated identity engineering team.",[521,522,524],"h3",{"id":523},"how-waltid-helps-issuers-comply","How walt.id helps issuers comply",[11,526,527,528,532],{},"The ",[20,529,531],{"href":530},"/issuer","walt.id Issuer"," delivers what the requirements demand, out of the box:",[485,534,535,541,547,553,559],{},[209,536,537,540],{},[15,538,539],{},"Issuance of every credential type"," — PID, LPID, PuB-EAA, QEAA, and EAA — in SD-JWT VC, ISO/IEC 18013-5, and W3C VC formats over OID4VCI with the HAIP profile.",[209,542,543,546],{},[15,544,545],{},"Automated trust and certificate management"," — access certificates and Trusted List validation handled by a shared Trust Service.",[209,548,549,552],{},[15,550,551],{},"Credential lifecycle and revocation"," — Token Status List and Bitstring Status List support, short-lived credentials, and revocation built into the issuer API.",[209,554,555,558],{},[15,556,557],{},"Rulebook schema conformity"," — credential data validated against the official eIDAS 2 rulebook schemas during issuance.",[209,560,561,564],{},[15,562,563],{},"Single, batch, deferred, and re-issuance"," modes, with flexible attribute mapping from existing backends and authentic sources.",[11,566,567,568,571,572,576],{},"Explore the ",[20,569,570],{"href":500},"eIDAS 2 infrastructure layer"," or ",[20,573,575],{"href":574},"/contact","talk to the team"," about a specific issuance use case.",[26,578],{},[29,580,582],{"id":581},"frequently-asked-questions","Frequently asked questions",[521,584,32],{"id":585},"what-is-an-eidas-2-issuer-1",[11,587,588],{},"An eIDAS 2 issuer is a government or business that attests claims about a person or organisation and issues them as a digital credential into an EU Digital Identity Wallet. Issuers must register in the eIDAS 2 Trusted Lists, issue credentials in the mandated formats (SD-JWT VC, ISO/IEC 18013-5, or W3C VC) using the OID4VCI V1 protocol with the HAIP profile, and manage the full lifecycle of each credential including revocation.",[521,590,592],{"id":591},"what-are-the-requirements-to-become-an-eidas-2-issuer","What are the requirements to become an eIDAS 2 issuer?",[11,594,595],{},"An eIDAS 2 issuer must: register in the Trusted Lists and obtain an access certificate; verify the user's identity at Level of Assurance High; authenticate the wallet unit before issuance; issue in the mandated credential formats; implement OID4VCI with the HAIP profile; cryptographically bind credentials to the wallet; publish a revocation status; and conform to the relevant attestation rulebook.",[521,597,599],{"id":598},"what-credential-types-can-an-eidas-2-issuer-issue","What credential types can an eIDAS 2 issuer issue?",[11,601,602],{},"There are five: PID (Person Identification Data) and LPID (the equivalent for legal entities), both issued by government-appointed providers; PuB-EAA, official government documents issued by public-sector bodies; QEAA, qualified attestations issued by Qualified Trust Service Providers; and EAA, everyday credentials that any business can issue.",[521,604,606],{"id":605},"which-protocols-and-formats-must-an-eidas-2-issuer-support","Which protocols and formats must an eIDAS 2 issuer support?",[11,608,609],{},"Issuers must support OID4VCI V1 with the HAIP profile for credential delivery, and ISO/IEC 18013-7 for mdoc remote flows. SD-JWT VC (IETF) and ISO/IEC 18013-5 (mdoc) are mandatory credential formats for PID, PuB-EAA, and QEAA. W3C VC (VCDM 2.0) is optional and can only be used for non-qualified EAAs.",[521,611,613],{"id":612},"do-banks-and-universities-count-as-eidas-2-issuers","Do banks and universities count as eIDAS 2 issuers?",[11,615,616],{},"Yes. Any organisation that issues a credential into an EUDI Wallet is an issuer. A university issuing diplomas, a bank issuing an account or SCA attestation, and a public registry issuing a company formation document are all issuers — each falling into the credential type (QEAA, EAA, or PuB-EAA) that matches the credential's legal status and the issuing body.",[521,618,620],{"id":619},"how-long-does-it-take-to-become-eidas-2-compliant-as-an-issuer","How long does it take to become eIDAS 2 compliant as an issuer?",[11,622,623],{},"The timeline depends on the build-versus-buy decision. Implementing OID4VCI, the mandated credential formats, key management, and revocation in-house represents months of specialised engineering. Using a standards-compliant issuance solution like walt.id removes most of that work, leaving registration, attribute sourcing, and integration as the main tasks.",[26,625],{},{"title":627,"searchDepth":628,"depth":628,"links":629},"",2,[630,631,632,633,634,635,639],{"id":31,"depth":628,"text":32},{"id":69,"depth":628,"text":70},{"id":200,"depth":628,"text":201},{"id":267,"depth":628,"text":268},{"id":425,"depth":628,"text":426},{"id":479,"depth":628,"text":480,"children":636},[637],{"id":523,"depth":638,"text":524},3,{"id":581,"depth":628,"text":582,"children":640},[641,642,643,644,645,646],{"id":585,"depth":638,"text":32},{"id":591,"depth":638,"text":592},{"id":598,"depth":638,"text":599},{"id":605,"depth":638,"text":606},{"id":612,"depth":638,"text":613},{"id":619,"depth":638,"text":620},"A complete guide to eIDAS 2 issuer requirements: what an issuer is, the five credential types (PID, LPID, PuB-EAA, QEAA, EAA), the full compliance checklist, the issuance protocols and formats, and how to build compliant issuance infrastructure.","md",{},true,"/eidas2/issuer","2026-06-10",{"title":5,"description":647},"eidas2/issuer",[656,657,658,659,660],"eidas 2 issuer","eidas2 issuer requirements","oid4vci","credential issuance","eidas2","sYY5GOawPwlEvdnHYZ9LKW0BRk9c74cCZN-06MONEaE",1781592066368]