Thoryn

Issuance, programmable

Compliance

eIDAS 2.0 issuer obligations, qualified-signing roadmap, GDPR, NIS2, and sector-specific mappings.

Credential Issuer sits on the issuance side of the eIDAS 2.0 ecosystem. Its compliance posture maps to four frames.

OID4VCI minting · SD-JWT VC · status-list revocation · multi-tenant isolation · honest open-gaps disclosure.

eIDAS 2.0 issuer obligations

Under Regulation (EU) 2024/1183, an issuer of qualified credentials must publish an issuer-register entry, operate with accredited signing keys, maintain a revocation mechanism, and support ARF-specified presentation flows.

  • Status-list revocation shipped today; bit-level verifier checks
  • OID4VCI pre-auth flow shipped; auth-code flow on roadmap
  • Vault Transit signing migration will unlock qualified-signing-key posture (QSCD via Vault HSM)
  • Trust Registry JWKS publication — auto-register on boot, rotate on key change

GDPR

The issuer is the data controller for subject claims embedded in credentials. The lawful basis is the contractual relationship with the subject (the user asked for the credential). Data minimisation: templates define exactly which claims are issued. Storage limitation: credentials carry intrinsic exp claims, and server-side issued-credential rows are retained per operator policy.

NIS2

The issuer contributes to the operator's NIS2 posture through ES256 signatures, TLS 1.3, and self-hosted dependencies (Postgres, Vault, Trust Registry). Incident detection draws on signing anomalies, status-list integrity, and revocation-propagation metrics.

Sector-specific

  • Healthcare: practitioner-licence credentials; revocation on disciplinary action is same-day
  • Finance: verified-customer credentials; KYC backchannel via deferred-flow approvals
  • Education: diploma credentials; long-lived without revocation unless rescinded
  • Public administration: PID, qualified attestations; aligned with member-state issuer registers

Open gaps

  • Vault Transit signing migration (current: in-process EC P-256)
  • Audit-trail tamper evidence — planned alongside webhook delivery
  • Rate limiting on public endpoints — planned
  • Wallet-attestation verification on receiving side — planned
