Trust anchors, programmable
Compliance
ETSI TS 119 612, eIDAS 2.0, OpenID Federation 1.0, and GDPR — an operator-data-only posture.
Trust Registry is operator-data-only by design. No personal data; all information is about organisations (issuers, federations, authorised VCTs).
ETSI TS 119 612
The standard governing the EU Trusted Lists — member states publish lists of trust service providers with qualified signing keys. Trust Registry ingests these lists, normalises the shape, and exposes them to verifiers via a standard HTTP API.
eIDAS 2.0
Under Regulation (EU) 2024/1183, relying parties verifying EUDIW credentials must trust only qualified issuers. Trust Registry is the machine-readable surface for that — a verifier that trusts only entries sourced from the EU Trusted Lists is automatically eIDAS-conformant on the trust-anchor side.
OpenID Federation 1.0
For private-sector and consortium trust, Trust Registry supports OpenID Federation chains. An issuer's trust is established by chaining up to a federation root; revocation at any point in the chain invalidates downstream trust. Compatible with the ARF's federation requirements.
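As an added illustration (not Trust Registry's own code or API), the sketch below models the chaining rule described above: an issuer is trusted only while an unbroken path of live statements leads to a federation root, and the chain expires with its shortest-lived link. The `Statement` type, `resolve_chain`, `revoke`, the `revoked` flag and the `*.example` entities are constructed for this example, and statements are assumed to be signature-verified already.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Statement:
    iss: str               # superior entity vouching for `sub`
    sub: str               # subordinate entity
    exp: int               # expiry, Unix seconds
    revoked: bool = False  # assumption: how a withdrawn statement is marked

def resolve_chain(subject, anchors, statements, now, _seen=()):
    """Return (path, chain_exp) from subject up to a trust anchor, or None.

    A link counts only if it is unexpired and not revoked, so one bad link
    removes every path that runs through it.
    """
    if subject in anchors:
        return [subject], float("inf")
    if subject in _seen:                  # guard against cyclic statements
        return None
    best = None
    for s in statements:
        if s.sub != subject or s.revoked or s.exp <= now:
            continue
        upper = resolve_chain(s.iss, anchors, statements, now, _seen + (subject,))
        if upper is None:
            continue
        path, exp = upper
        cand = ([subject] + path, min(exp, s.exp))  # chain expires with its weakest link
        if best is None or cand[1] > best[1]:
            best = cand
    return best

def revoke(statements, iss, sub):
    """Return a copy of the list with the iss -> sub statement marked revoked."""
    return [replace(s, revoked=True) if (s.iss, s.sub) == (iss, sub) else s
            for s in statements]

# Constructed sample federation: root -> sector -> two issuers.
NOW = 1_700_000_000
ANCHORS = {"https://root.example"}
STATEMENTS = [
    Statement("https://root.example", "https://sector.example", NOW + 3600),
    Statement("https://sector.example", "https://issuer-a.example", NOW + 600),
    Statement("https://sector.example", "https://issuer-b.example", NOW + 7200),
]

if __name__ == "__main__":
    print(resolve_chain("https://issuer-a.example", ANCHORS, STATEMENTS, NOW))
    broken = revoke(STATEMENTS, "https://root.example", "https://sector.example")
    print(resolve_chain("https://issuer-a.example", ANCHORS, broken, NOW))
```

Revoking the root-to-sector statement leaves both issuers without a chain, although their own statements are untouched.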
GDPR
No personal data flows through Trust Registry — only operator identifiers and signing keys. No Art. 30 processing obligations beyond standard service-operator hygiene. If admin actions are attributed to a person, that's controller-side metadata, minimal by scope.
NIS2 — availability + integrity
Because every verifier calls Trust Registry on every presentation, availability is critical. It is addressed with horizontal scaling, Redis-backed JWKS caching, Postgres replication, health-check endpoints, and Prometheus metrics on resolution latency. Integrity: issuer entries are signed on ingestion where possible; admin CRUD is audit-logged.