One of the most interesting parts of our conversation with Mirko Mollik, Identity Architect at Germany’s Federal Agency for Breakthrough Innovation, was how clearly he broke down the credential landscape under the European Digital Identity Wallet.
While the framework can feel complex on paper, in practice it largely comes down to three credential categories, each with very different implications for wallets, issuers, and verifiers.
1) Personal Identity Data (PID)
Personal Identity Data is the highest-value credential in the EUDI ecosystem.
It represents a person’s core legal identity and enables regulated, high-risk actions such as:
- Opening a bank account.
- Applying for a loan.
- Satisfying AML and KYC requirements.
From a technical perspective, Mirko explained that PID:
- Can be issued as either ISO 18013 mdoc or SD-JWT VC, as defined in the Architectural Reference Framework (ARF).
- Must be stored in a certified EU Digital Identity Wallet. This is the only credential type with that storage restriction.
That last point is critical.
While many credentials may circulate in the broader ecosystem, PID is treated as special due to its sensitivity and value. The combination of certification, hardware requirements, and legal controls is designed to reflect that risk.
For relying parties, PID becomes the anchor credential: once verified, it can be used as the basis for downstream checks and derived use cases.
2) Qualified Electronic Attestations of Attributes (QEAAs)
Qualified Electronic Attestations of Attributes sit one level below PID in terms of scope, but still carry strong legal and technical assurances.
Typical examples include:
- Professional qualifications.
- Regulated status claims.
- Certain business or role attributes.
According to Mirko:
- QEAAs are issued by qualified providers that meet stricter requirements.
- The issuer must properly identify the holder, and is liable if that identification is insufficient.
- QEAAs can be stored in non-EUDI wallets, not just certified EUDI wallets.
From a business perspective, QEAAs introduce an important trade-off:
- They offer higher assurance and cross-border trust.
- But they also come with higher cost, due to certified processes and hardware requirements.
This is why Mirko stressed that not every use case needs a qualified attestation.
In many scenarios, the additional assurance simply isn’t worth the overhead, and unqualified credentials may be more appropriate.
3) Public electronic attestations (public EAAs)
The third category is often misunderstood, but it plays a crucial role.
Public electronic attestations are used only where national law explicitly authorizes specific institutions to issue certain attributes.
A common example:
- Universities issuing bachelor’s or master’s degrees, where the law defines who is allowed to issue those credentials.
Key characteristics Mirko highlighted:
- Authorization is based on a legal mandate, not just technical qualification.
- These issuers and their roles are published in trust lists.
- Being a qualified provider does not automatically grant the right to issue public EAAs.
This distinction matters because it separates:
- Technical trust (can you issue credentials correctly?)
- From legal authority (are you legally allowed to issue this credential?)
The importance of this distinction
Together, these three categories define how identity will actually work in practice under EUDI:
- PID anchors legal identity and regulated use cases.
- QEAAs provide trusted, portable attributes where higher assurance is needed.
- Public EAAs reflect legally mandated authority within national systems.
For many organizations, the opportunity isn’t issuing PID at all, but:
- Consuming PID and attestations.
- Deriving purpose-specific credentials for their own ecosystems.
Understanding which category applies, and why, is the difference between over-engineering a solution and building something that will actually scale under the EUDI framework.
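To make the three sets of acceptance rules concrete from a verifier's point of view, here is an added example (not code from the interview or from any EUDI reference implementation). It encodes the rules above as a small policy check: PID must arrive in one of the two ARF formats from a certified wallet, a QEAA must come from a qualified provider but may live in any wallet, and a public EAA is accepted only when the issuer holds a legal mandate for that specific attribute. The trust lists, issuer identifiers and format labels are constructed stand-ins, not real EU trust-list entries.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample trust lists (stand-ins for the published national/EU trust
# lists the article mentions; every identifier here is invented for the example).
QUALIFIED_PROVIDERS = {"issuer:qtsp-1"}                      # qualified QEAA issuers
PUBLIC_EAA_MANDATES = {"degree": {"issuer:university-1"}}    # attribute -> legally mandated issuers
PID_FORMATS = {"mdoc", "sd-jwt-vc"}                          # labels for ISO 18013 mdoc / SD-JWT VC


@dataclass
class Presentation:
    category: str                   # "PID", "QEAA" or "PUBLIC_EAA"
    fmt: str                        # credential format label
    issuer: str                     # issuer identifier taken from the credential
    attribute: Optional[str] = None # attested attribute (relevant for public EAAs)
    wallet_certified: bool = False  # True if the wallet proved it is a certified EUDI wallet


def evaluate(p: Presentation) -> Tuple[bool, str]:
    """Return (accepted, reason) for one presented credential."""
    if p.category == "PID":
        # PID is the only category bound to a certified wallet; also enforce the ARF formats.
        if p.fmt not in PID_FORMATS:
            return False, "pid-unsupported-format"
        if not p.wallet_certified:
            return False, "pid-requires-certified-wallet"
        return True, "pid-ok"
    if p.category == "QEAA":
        # Technical trust: the issuer must be a qualified provider; wallet type is not restricted.
        if p.issuer not in QUALIFIED_PROVIDERS:
            return False, "qeaa-issuer-not-qualified"
        return True, "qeaa-ok"
    if p.category == "PUBLIC_EAA":
        # Legal authority: the issuer needs a mandate for this attribute. Being a
        # qualified provider on its own does not grant that right.
        mandated = PUBLIC_EAA_MANDATES.get(p.attribute or "", set())
        if p.issuer in mandated:
            return True, "public-eaa-ok"
        if p.issuer in QUALIFIED_PROVIDERS:
            return False, "public-eaa-qualified-but-no-mandate"
        return False, "public-eaa-no-mandate"
    return False, "unknown-category"
```

Logging the reason string alongside the decision gives a verifier an audit trail that shows whether a rejection was a technical-trust or a legal-authority failure.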