eIDAS Embedded Disclosure Policies

posted in #eID & eSignature on 28.04.2025

Article 5a (Paragraph 5e) of the current eIDAS Regulation (“eIDAS 2”, 2024) introduces so-called Embedded Disclosure Policies. These allow an issuer (Provider) of electronic attribute attestations to define which service providers are permitted to access the issued document.

An example would be an electronic credential containing personal attributes that should only be accessible to government authorities. This policy is encoded in a machine-readable format and embedded in or attached to the credential (the attribute attestation), and is enforced by the wallet software.
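The wallet-side check described above, sketched as an added example that is not part of the original post or the project's code. The page does not give the policy encoding, so the JSON layout, the field names (`disclosure_policy`, `rule`, `allowed_categories`, `allowed_ids`) and the relying-party records are hypothetical, and the sample data is constructed.

```python
import json

# Constructed attestation; the policy format and field names are hypothetical.
ATTESTATION = json.loads("""
{
  "type": "ExampleResidencePermit",
  "claims": {"family_name": "Muster", "permit_class": "B"},
  "disclosure_policy": {
    "rule": "entity_category",
    "allowed_categories": ["government_authority"]
  }
}
""")

def may_disclose(attestation, relying_party):
    """Return (allowed, reason) for a presentation request; fail closed."""
    # Use only identity data the wallet has verified itself (assumed here to be
    # recorded in "authenticated"), never what the request merely asserts.
    if not relying_party.get("authenticated"):
        return False, "relying party not authenticated"
    policy = attestation.get("disclosure_policy")
    if policy is None:
        return True, "no embedded policy"
    rule = policy.get("rule")
    if rule == "entity_category":
        if relying_party.get("category") in policy.get("allowed_categories", []):
            return True, "category allowed"
        return False, "category not allowed"
    if rule == "allowlist":
        if relying_party.get("id") in policy.get("allowed_ids", []):
            return True, "relying party listed"
        return False, "relying party not listed"
    # Unknown rule: this sketch refuses rather than guessing the issuer's intent.
    return False, "unsupported policy rule"

if __name__ == "__main__":
    # Constructed presentation requests from three relying parties.
    requests = [
        {"id": "rp:tax-office", "category": "government_authority", "authenticated": True},
        {"id": "rp:web-shop", "category": "commercial", "authenticated": True},
        {"id": "rp:spoofed", "category": "government_authority", "authenticated": False},
    ]
    for rp in requests:
        print(rp["id"], may_disclose(ATTESTATION, rp))
```

The third request shows why the decision has to rest on the authenticated identity: a self-declared "government_authority" category without verification is refused.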

As part of this project, the current state of the eIDAS 2 regulatory framework and of the technical framework (ARF) was analyzed with regard to embedded disclosure policies. In addition, further possibilities beyond the applicable implementing acts and the current technical framework were explored.