EU Trust Lists
EU Trust Lists are the backbone of trust infrastructure in the European Digital Identity ecosystem. They provide a standardized, machine-readable mechanism for establishing and verifying the trusted status of entities participating in digital identity transactions across the European Union.
What Are EU Trust Lists?
EU Trust Lists are cryptographically signed, authoritative registries that contain trust anchors (public keys and identifiers) for entities authorized to participate in the European Digital Identity ecosystem. They enable wallets, relying parties, and other ecosystem components to automatically verify that an entity is supervised and trusted.
The trust list infrastructure operates at two levels:
| Level | Description | Managed By |
|---|---|---|
| National Trusted Lists | Country-specific lists of trusted entities | Individual Member States |
| EU List of Trusted Lists (LoTL) | Aggregated list linking all national trusted lists | European Commission |
The source of trust for the LoTL is the Official Journal of the European Union (OJEU), providing a legally binding foundation for the entire trust infrastructure.
Entities Covered by Trust Lists
Under the eIDAS 2.0 framework and the EUDI Wallet Architecture Reference Framework (ARF), trust lists contain trust anchors for:
- Wallet Providers – Organizations authorized to provide EUDI Wallet applications
- PID Providers – Issuers of Personal Identification Data (national identity credentials)
- QEAA Providers – Qualified Electronic Attestation of Attributes providers
- PuB-EAA Providers – Public Electronic Attestation of Attributes providers
- Access Certificate Providers – Issuers of certificates for relying party authentication
- Registration Certificate Providers – Issuers of certificates for entity registration
Verification Process
When a wallet or relying party needs to verify an entity's trusted status:
- Retrieve the LoTL – Download the EU List of Trusted Lists from the European Commission
- Locate the National TL – Find the relevant Member State's trusted list
- Verify the Entity – Check if the entity's trust anchor appears in the national list
- Validate Signatures – Cryptographically verify the chain of signatures from the entity back to the LoTL
Technical Standards
EU Trust Lists are governed by ETSI (European Telecommunications Standards Institute) specifications:
| Standard | Purpose |
|---|---|
| ETSI TS 119 612 | Defines the format and structure of trusted lists |
| ETSI TS 119 602 | Specifies trust list policies for the EUDI Wallet ecosystem |
| ETSI EN 319 412 | Certificate profiles for trust service providers |
Trust List Format
Trust lists are published in XML format with the following key components:
- Scheme Information – Metadata about the trust list (version, operator, territory)
- Trust Service Provider List – Entries for each trusted entity
- Service Information – Details about each trust service (type, status, certificates)
- Digital Signature – Cryptographic signature ensuring integrity and authenticity
eIDAS 2.0 and Trust Lists
The revised eIDAS Regulation (EU) 2024/1183 significantly expands the role of trust lists:
New Trust Service Types
eIDAS 2.0 introduces additional qualified trust services that must be registered in trust lists:
- Qualified electronic attestation of attributes (QEAA)
- Qualified electronic archiving services
- Qualified electronic ledger services
- Management of remote qualified electronic signature/seal creation devices
Timeline for Implementation
| Date | Milestone |
|---|---|
| April 2026 | Trust List v6 (TLv6) format enforcement |
| April 2026 | Implementing Decision (EU) 2025/2164 applies |
| 2026-2027 | Full EUDI Wallet ecosystem deployment |
Migration Required: All stakeholders must ensure system compatibility with the new TLv6 format by April 28, 2026, to avoid validation failures.
Benefits of EU Trust Lists
For Relying Parties
- Simplified Trust Decisions – Single source of truth for entity verification
- Cross-Border Recognition – Automatic trust in entities from other Member States
- Reduced Compliance Burden – No need to maintain individual trust relationships
For Trust Service Providers
- Market Access – Inclusion enables cross-border service provision
- Legal Recognition – Qualified status provides legal certainty
- Interoperability – Standardized format ensures compatibility
For Citizens
- Security Assurance – Only verified entities can participate in the ecosystem
- Privacy Protection – Trusted entities must comply with data protection requirements
- Cross-Border Usability – Credentials work seamlessly across the EU
Comparison with Other Trust Frameworks
| Aspect | EU Trust Lists | ICAO PKD | VICAL (ISO 18013-5) |
|---|---|---|---|
| Scope | EU Member States | Global (passports) | Regional (mDL) |
| Governance | European Commission | ICAO | National/Regional bodies |
| Primary Use | Digital identity ecosystem | Travel documents | Mobile driver's licenses |
| Format | XML (ETSI TS 119 612) | LDAP/X.509 | CBOR/COSE |
Working with EU Trust Lists
Accessing Trust Lists
Trust lists are publicly available through:
- EU Digital Building Blocks Portal – Official repository for all national trust lists
- National Supervisory Bodies – Direct access to country-specific lists
- EUDI Wallet Reference Implementation – Test environment for developers