What are “Electronic Attestations of Attributes” (EAAs)?

The most important facts in brief

• Definition: EAAs are legally secure digital proofs of characteristics (e.g. age, professional qualification, driver’s license) that are certified by trustworthy sources.
  
• Strategic benefit: They enable the verification of specific facts without having to disclose the entire identity (selective disclosure – e.g. “of legal age” instead of the exact date of birth).
  
• EUDI Wallet Integration: EAAs are the core content of the upcoming European digital wallet.

• Interoperability: EAAs work across borders throughout the EU, both for public authorities and private companies.

_______________________________________________________________

With the introduction of the eIDAS 2.0 Regulation and the EUDI Wallet (European Digital Identity Wallet), the way we prove our identity is changing. Previously, the primary question was: “Who are you?”. In future, the focus will be on: “What are you allowed to do?”, “What qualifications do you have?” or “What distinguishes you?”.

Electronic Attestations of Attributes (EAA) are the digital answer to these questions. They are the translation of our analog certificates – from driving licenses to diplomas – into the digital world.

What is an attribute?

Before we talk about the technology, let’s clarify the term: an attribute is a property or characteristic that describes a person or an organization (entity). You can think of it like a piece of a puzzle that paints an overall picture of an identity.

Attributes encompass an enormous range of information:

• Personal identification data (PID): Such as your name, place of birth or nationality.
  
• Professional characteristics: Academic titles, professional designations or official licenses.
  
• Rights & authorizations: Specific authorizations, such as signing authority in a company or a driver’s license.

The leap into the digital world

In the context of digital identity, attributes are used to prove characteristics online beyond doubt without being physically present. A distinction is made between two categories:

1. Static attributes: Information that (almost) never changes, such as your date of birth.
   
2. Dynamic attributes: Characteristics that are in flux, such as your current registration address, your current professional status or your age.

For these attributes to be considered trustworthy online, they must come from a secure source – for example, from government registers, educational institutions or certified authorities. Only this digital confirmation turns a simple attribute into tamper-proof proof (EAA), which you can use to identify yourself to online services.

What are Electronic Attestations of Attributes?

An EAA is therefore a digital data record that confirms one or more attributes of a person and has been electronically signed or sealed by a qualified or non-qualified trust service provider (TSP).

The decisive difference: while a classic eID often transfers the entire data record, an EAA provides specific information. A Qualified Electronic Attestation of Attributes (QEAA) has the highest probative value, as it is issued by state-supervised providers.

The 3 types of attestations according to eIDAS 2.0

Not every digital certificate has the same legal force. To ensure interoperability throughout Europe, the EU defines three specific categories of attribute certificates. These differ primarily in terms of the issuer and legal validity:

1. Self-issued attributes (self-asserted): Information that you enter yourself (e.g. a delivery address). They are practical for forms, but have no official probative value.
   
2. Electronic attestations (EAA): These are issued by verified sources. They are digitally signed and significantly more secure than conventional documents. (EAA include EAA and PuB-EAA).
   
3. Qualified electronic attestations (QEAA): The highest level. They are issued by state-supervised, qualified trust service providers (QTSPs). A QEAA is legally equivalent to a paper document with an official seal and is recognized throughout the EU.

Type	Focus & Publisher	Level of confidence & probative value	Data source	Practical example
Q-EAA (Qualified)	State-approved: Issued by qualified trust services providers (QTSPs).	Maximum: EU-wide recognition obligation and maximum probative value in court.	Official documents or sovereign data.	Academic degrees, medical licenses or notarial deeds.
EAA (non-qualified)	Private sector: Issued by companies or organizations.	Flexible: Legal acceptance is context-dependent (e.g. general terms and conditions).	Any source (depending on business needs).	Digital employee IDs, customer cards or event tickets.
PuB-EAA (Public)	Official: Directly from public sector bodies.	Very high: Relies on the integrity of state registers; recognized throughout the EU.	Official state registers (e.g. population registers).	Birth certificates, proof of residence or driving licenses.

Market check: How widespread will this evidence be?

It is important to understand that not all EAA types will flood the market at the same time. Based on the eIDAS 2.0 roadmap, the distribution in the wallets can be estimated as follows:

• Q-EAA & PuB-EAA (very high): These will form the basis of the EUDI Wallet. As the Member States are obliged to provide official documents (such as ID cards and driving licenses) digitally, every wallet user will automatically have these highly secure attributes.

• EAA (medium to increasing): The ball is in the private sector’s court here. The spread depends on how quickly companies (such as airlines, fitness chains or employers) recognize the added value and issue their own digital certificates.

Strategic importance for companies and authorities

The integration of EAAs is far more than just a technical gimmick – it is a massive lever for business processes. Depending on the use case and the required legal force, different types of EAA are used:

1. Seamless onboarding & KYC (Q-EAA)
   Heavily regulated sectors such as banks or insurance companies can check identity data and proof (e.g. income or professional qualifications) in real time. Instead of reviewing documents manually, the system validates the Q-EAA immediately – which massively reduces the drop-out rates during onboarding.
   
2. Digital authorization management (EAA & Q-EAA)
   In logistics or industry, licenses, company affiliations or safety instructions can be verified directly in the EUDI Wallet.
   Example: A fitness studio grants discounts with a simple EAA (employee ID), while a dangerous goods driver shows a Q-EAA for his driver’s license.
   
3. Authority automation (PuB-EAA)
   Thanks to the “once-only principle”, online authorities accept PuB-EAAs directly from other state registers. Proof of residence or pension status no longer has to be obtained on paper, which minimizes bureaucracy for citizens and authorities.
   
4. Data protection through “selective disclosure”
   EAAs make it possible to disclose only what is absolutely necessary.
   The principle: A system only confirms “over 18 years” for proof of age without having to transmit the exact date of birth or name.
   
5. Borderless interoperability
   Thanks to the EU-wide standard, an attribute issued in Germany (e.g. a master craftsman’s certificate) is immediately recognized digitally in Spain or Poland. This greatly facilitates the cross-border mobility of skilled workers and services.

Important for private users

• Zero tracking: In contrast to big tech logins, issuers do not know where or when you use your attribute. Your digital trail remains invisible.

• Voluntary: The use of the wallet and the EAAs is completely voluntary. You decide which data you store digitally and who you show it to.

Conclusion: Why EAAs are the future of identity

EAAs are far more than just digital copies of paper documents. They are the key to a data-efficient society. Thanks to functions such as selective disclosure, users retain full sovereignty over their data, while companies benefit from automated, tamper-proof processes.

Strategic advantage for your company: Companies that position themselves as relying parties or issuers at an early stage massively reduce their manual verification efforts and increase legal certainty in digital channels.

FAQs on the topic

• Is an EAA the same as a digital signature? No. A signature confirms the declaration of intent for a document. An EAA confirms a characteristic or property of a person.
  
• When will EAAs be introduced across the board? With the rollout of national EUDI wallets (from 2027/2028), EAAs will become the standard for digital proofs in the EU.
  
• Can companies issue EAAs themselves? Yes, companies can act as “issuers” for specific professional or company characteristics.
  
• Is an EAA more secure than a PDF certificate?
  Definitely. A PDF is easy to forge. An EAA is cryptographically sealed. Any subsequent change immediately invalidates the proof. In addition, the validity (e.g. in the case of revoked licenses) can be checked in real time.

• What is the difference between EAA and QEAA?
  An EAA is an electronic confirmation of an attribute (e.g. age, education or authorization) that is signed by an issuer. A QEAA (Qualified Electronic Attestation of Attributes) is a special form of this issued by a qualified trust service provider in accordance with the eIDAS Regulation. QEAAs meet stricter legal and technical requirements and are therefore more legally binding and recognized throughout Europe.
  
• Can the issuer see where I am displaying my attribute?
  No. Modern EAA systems are designed in such a way that the issuer cannot track where or when you present your attribute. Verification takes place directly between you and the recipient. This means that your privacy remains protected and there is no centralized tracking of your use.
  
• Can I revoke an EAA?
  Yes, EAAs can be revoked by the issuer, for example if an attribute changes or becomes invalid. Recipients can check the revocation status during verification to ensure that the attribute is still valid.
  
• Will EAAs replace the classic KYC audit?
  EAAs can significantly simplify or partially replace the KYC check, especially if they originate from trusted or qualified issuers. In many cases, verified attributes can be used directly without having to go through the entire KYC process again. However, whether EAAs completely replace KYC depends on the regulatory requirements and the respective use case.

• Will my data be stored centrally?
  No. The control is yours. The EAAs are securely encrypted in your personal EUDI wallet on your smartphone, not in a central government cloud database.