3. GovStack Building Blocks in the EIDAS 2.0 Profile
3.1 Roles of the Building Blocks
GovStack provides generic components. In an eIDAS compliant deployment, each BB takes on a precise legal and technical role.
3.1.1 Identity Building Block
EU Role: PID Provider & Identity Provider (IdP)
In a standard GovStack setup, this block handles identities and authentication. In the EU profile it acts as the Person Identification Data (PID) Provider, connecting authentic sources such as the Civil Registry and Population Register with the wallet.
Its responsibilities include identity verification: onboarding flows must rely on notified eID means such as national eID cards or Mobile ID, and the Level of Assurance must reach High in line with Commission Implementing Regulation (EU) 2015/1502. It is also responsible for PID issuance: it provides the PID as a credential over OpenID4VCI (OpenID for Verifiable Credential Issuance), as profiled in HAIP, containing the mandated attributes (family name, given name, date of birth) and any other legally required elements, and it exposes an OpenID4VCI issuance endpoint aligned with the EUDIW ARF profile. Finally, it manages the PID lifecycle, including revocation and renewal whenever registry data changes, for example on a change of name, death, or loss of legal capacity.
3.1.2 Digital Wallet Building Block
EU Role: European Digital Identity Wallet (EUDIW)
GovStack’s wallet becomes the EUDIW application, a mobile client that combines application logic with hardware-backed key protection. It provides user-centric control by storing Person Identification Data (PID) together with Qualified Electronic Attestations of Attributes (QEAAs), Electronic Attestations of Attributes (EAAs), and EAAs issued by or on behalf of a public sector body responsible for an authentic source, and it ensures that only the user can authorise any presentation or signing operation (“sole control”).
The wallet operates within a secure cryptographic environment: keys reside in a Wallet Secure Cryptographic Device (WSCD), such as a Secure Element or a Trusted Execution Environment (TEE); pure software keystores are not acceptable for achieving a High Level of Assurance (LoA). To support interoperability across Member States, the wallet implements the EU profile of OpenID4VP for credential presentation and validates issuers and trust services against the EU List of Trusted Lists (LOTL).
3.1.3 Consent Building Block
EU Role: Privacy & Transparency within Wallet
The Consent Building Block is responsible for ensuring transaction transparency by recording every credential presentation and issuance event in a way that is visible to the user, including which relying party was involved, which attributes were shared, and when the event occurred.
The Privacy Dashboard also enforces data rights by providing functions to withdraw consent and request deletion of data held by wallet providers or relying parties, in line with GDPR Article 17 and relevant eIDAS requirements. Working together with the wallet, it acts as a selective disclosure policy engine to support data minimisation, enabling proofs such as “age above 18” without disclosing the exact date of birth, or proving professional status without exposing unrelated identity data.
3.1.4 Electronic Signature Building Block
EU Role: QES Creation Application
In GovStack, this block is responsible for signing documents; in the EU profile it functions as a Qualified Signature Creation Application linked to a Qualified Trust Service Provider (QTSP) and a Qualified Signature Creation Device (QSCD). It must produce Qualified Electronic Signatures (QES) with full legal equivalence to handwritten signatures anywhere in the EU, integrate with remote QSCDs such as HSM-based services operated by a QTSP, and use the wallet to obtain explicit user authorisation for each signature. The block also has to support standard signature formats, including PAdES, XAdES, and other profiles required for long-term validation and archival.