Hybrid Cloud
Cybersecurity
Data & AI
IoT & Connectivity
Industry
Health
Banking and Finance
Public Sector
Retail
Tourism and Leisure
Transport & Logistics
Energy & Utilities
Smart Cities
The ROI of trust: can sovereign identity technology deliver sustainable business models?
Identity wallets are becoming an increasingly common feature in technology news. Both public authorities and large organisations are preparing for this new paradigm shift in digital identity.
In the last two articles we published on the Telefónica Tech blog, we put on our digital architects' hats. First, we looked at the EUDI Wallet, the application where we will store our digital identity and which will be available from December this year. Yes, December, because all European Union Member States must provide their citizens with an identity wallet before the end of this year. Among its many benefits is the way it will save us the ordeal of filling in the same forms over and over again thanks to reusable KYC, while also allowing us to prove our identity and demonstrate that we are over a certain age without disclosing more information than necessary.
In the following article, we widened the picture to include the European Business Wallet, exploring how businesses will have an equivalent to the citizen wallet that will simplify paperwork across their supply chains, enabling them to sign corporate contracts as easily as we send an instant bank transfer today.
We know the theory, the technical standards are ready, and the European regulation (eIDAS2) is already on its way with a clear implementation timetable. But if there is one thing those of us who launch digital products have learnt, it is that technology and legislation alone are not enough to guarantee widespread success. We could ask the million-pound question, the one every finance director asks when reviewing budgets: how do we make this ecosystem profitable, sustainable and a worthwhile business for everyone involved?
■ The GSMA report, Enabling scalable operating and business models in the EU Digital Identity ecosystem, marks a turning point in the debate around digital identity. With the technological benefits and regulatory framework now established, the focus has shifted to sustainability.
The current goal is to design attractive and scalable business models that encourage the voluntary, large-scale adoption of sovereign identity technology and identity wallets, bringing together everyone from large enterprises to local businesses.
Digital identity will not take off through regulation alone: it will require sustainable business models for every participant in the ecosystem.
EUDI Wallet technology must not become just another compliance obligation
Under the eIDAS 2.0 regulation, private organisations that need to verify their customers' identities to a high level of assurance, such as banks, insurers, energy providers and telecoms operators, will be required by the end of 2027 to accept the EUDI Wallet in their role as a Relying Party.
Take, for example, a financial institution or a major energy supplier. Integrating the EUDI Wallet into their applications, becoming a Relying Party and preparing their systems to receive digital credentials issued by governments, such as the now well-known PID (Personal Identification Data), has significant implications. Training teams is not free; it requires time, analysis, technology and investment.
Complying with eIDAS2 will be mandatory; turning that obligation into business value will be the real opportunity.
If these organisations see the EUDI Wallet merely as another box to tick in order to comply with regulation and avoid penalties, the project may achieve compliance, but they will miss all the benefits that sovereign identity technology and verifiable credentials could bring to their business. So what advantages would they be missing? Let's look at a few examples:
Issuing credentials based on already verified information
A bank has already invested considerable effort in verifying its customers' identities (the well-known KYC process). With the EUDI Wallet, it can issue the customer a 'verified identity' credential that the user stores in their wallet and reuses wherever they choose.
An energy supplier, meanwhile, can issue a credential confirming ownership of an energy supply or that a supply point is linked to a specific address, which the customer can then present to a public authority, insurer or home improvement company without repeatedly requesting certificates. Likewise, a telecommunications provider could issue a credential confirming that a telephone number has been verified.
Identifying customers with a single click
Instead of asking users to complete forms, upload photos of their identity document and wait for manual verification, registration can be completed simply by sharing a credential from the wallet. For a bank, opening an account or taking out a financial product goes from taking days to being completed in seconds.
For an energy provider, setting up a new supply or transferring a contract, processes that are currently full of friction and paperwork, becomes a single interaction simply by clicking a link or scanning a QR code.
Streamlining paperwork and reducing friction
A bank can simplify periodic customer data updates or the approval of a loan by receiving every piece of information already verified at source, instead of requesting payslips, bills and paper documents. An energy supplier can automate eligibility checks for social tariffs or regulated pricing schemes: the customer provides only the necessary information (for example, 'I meet the income threshold' or 'I am part of a large family') without submitting piles of documentation, and the company receives it already verified.
■ Even so, we must not lose sight of the fact that one of the pillars of innovation is that the commercial dimension is equally essential for the ecosystem to thrive. If there is no clear return on investment, new business opportunities will struggle to move forward.
The real scale lies in everyday interactions
If we look at our daily routines, how many times a year do we open a bank account, buy a house or apply for a grant? Once, twice... perhaps three times at most.
Real success, the critical mass, will come when we use the wallet for everyday tasks, the ones we carry out almost without thinking. The GSMA report focuses precisely on this point: the consumer and their everyday habits.
- Hiring a car on holiday: Imagine arriving at the airport after a three-hour flight, skipping the endless queue at the rental desk because you have already shared your verified driving licence from your mobile, and collecting the keys directly from an automated locker.
- Checking into a hotel: Registering at reception simply by holding your phone up to prove who you are, sharing only the information strictly required for the tourist tax, nothing more, without anyone taking your passport or identity card away to photocopy it.
- Buying a discounted ticket: Proving that you are a student, under 25 or a member of a loyalty programme to obtain a reduced price at the cinema or a festival, without having to show your physical identity document or leave a photocopy of your student card in an unknown database.
- Safer online shopping: Confirming that you are the legitimate cardholder with a single click, reducing fraud and headaches for both you and the online retailer. On top of that, it could also allow you to prove that you are over the legal age when purchasing age-restricted products online.
■ This is where the transaction volumes that drive an economy are generated. The challenge is that behind each of these everyday moments lies a cryptographic miracle that makes deciding who pays the bill considerably more complicated.
Mass adoption will come when the wallet makes everyday interactions simpler, more secure and less data-intensive.
The paradox of buying a coffee for someone anonymously
The crown jewel, and one of the defining characteristics of Self-Sovereign Identity (SSI), is privacy by design. To protect the people whose identities it represents, the system relies on a technical principle known as non-observability.
In practice, it works like this: imagine your bank issues you with a digital credential certifying that you are over the legal age, simply because you have already proved this to them. On a Friday night, you go to a venue and use that credential to gain entry by proving your age. Thanks to the magic of decentralisation, the venue can verify that the information is genuine and fully trustworthy, but your bank has absolutely no idea where, when or why you used that identity credential. There is no tracking and no trail.
This is clearly excellent news for our rights as citizens, but it could also become a genuine headache for businesses. If the bank (the issuer) has no way of knowing that the venue (the verifier) has benefited from its infrastructure and the trustworthiness of its data, could it charge for that service?
This is where the paradox of digital identity technology emerges: can the issuer of a credential charge the organisation that consumes it if, for privacy reasons, the issuer cannot see the transaction?
The challenge is to monetise trust without rebuilding the surveillance mechanisms that sovereign identity is designed to eliminate.
The GSMA report warns that this puzzle must be solved if new business models are to emerge. Fortunately, the technology sector is already designing ingenious alternatives that make this possible without compromising people's privacy.
The common principle behind all of them is the same: separating the flow of money from the flow of data. The issuer will be able to charge for the use of its credentials without regaining, through the back door, the surveillance capabilities that have taken so much effort to remove. These are some of the approaches currently being explored:
Zero-knowledge proofs
These make it possible to prove that something is true without revealing the underlying information. Following our example, you could prove to the venue that you are over the legal age without disclosing your date of birth, while the system could confirm that the credential had been used without revealing where or why. This makes it possible to build billing models that count usage without monitoring context. If you would like to learn more about this type of cryptography.
Settlement through aggregated counters
Instead of recording every individual visit to the venue on a Friday night, verifiers keep a running total of how many validations they have performed and periodically settle with the bank. The issuer is paid based on overall volume, sees only the total number of transactions and never the individual interactions behind them. It is much like an electricity bill: you pay for your total consumption, not every time you switch on a light.
Intermediaries and governance frameworks
In other models, a trusted third party or a shared set of ecosystem rules reconciles payments between issuers and verifiers, acting as a clearing house that deliberately keeps financial flows and personal data in separate channels.
Anonymous usage vouchers (blind signatures)
This is perhaps the most ingenious solution, and the easiest way to understand it is by thinking of an envelope. Imagine placing a document inside an envelope lined with carbon paper and asking someone to sign the outside. By pressing down, their signature is transferred onto the document inside, which is now perfectly validly signed even though the signer has never seen what was written.
—Applied to our example, the venue (the verifier) purchases a batch of prepaid 'usage vouchers' from the bank (the issuer). The bank signs and charges for them without seeing their contents. Every time the venue validates a credential, it uses one of those vouchers. When the vouchers are redeemed, the bank recognises its own signature and confirms that it is valid, so it knows it is entitled to payment, but it is impossible for it to know which customer or which evening each voucher relates to. The money arrives; the trail does not.
■ All of these approaches pursue the same objective: issuing and consuming credentials must become a sustainable business without making people's privacy the price to pay. Solving this paradox is likely to be one of the keys to enabling the EUDI Wallet ecosystem to achieve genuine scale rather than remaining little more than a regulatory compliance exercise.
From pilots to production deployments
The EUDI Wallet is maturing at remarkable speed, but the time has come to move it out of the engineering laboratory and into everyday life.
The GSMA's closing call could not be more timely for the major pilot projects currently underway across Europe: this is the moment to take the next step and move beyond the pilot phase.
The next leap is not proving that the technology works, but demonstrating that it can operate, scale and generate returns in real-world environments.
Across the ecosystem, we have already shown that the technology makes perfect sense and offers enormous potential. Now the real test is to validate business models, service agreements and financial flows.
Our overarching goal as product managers is to ensure the technology is useful, intuitive and economically viable. To achieve that, it would help if governments and businesses came together to design these financial ground rules with the same empathy and user focus that we apply when designing applications. Perhaps that will be the moment when citizens' privacy begins to go hand in hand with business profitability, allowing the EUDI Wallet to become more than simply a well-intentioned European regulation and instead move closer to becoming the engine of our everyday digital lives.
