top of page
Oud gebouw

Electronic attestation of attributes
(QEAA)

Discover here how electronic attestation of attributes enables individuals and organizations to electronically prove their attributes, such as name, date of birth, address, education, etc. to other trusting parties in a secure and reliable manner.

What is an Electronic Attestation of Attributes (EAA)?

An attestation of an attribute is a type of statement, issued by a trusted party, that confirms a particular attribute is correct.

  • Example #1: The Chamber of Commerce confirms that a person is a director of the private limited company XYZ.

  • Example #2: A doctor logs into a government portal to access medical records. The system must not only know who the person is (identity) but also whether that person is authorized to view medical records (attribute). An EAA can confirm this attribute ("is a certified doctor") in a legally binding and digital way.

 

An attribute is a property or characteristic of a person or organization, for example:

  • Name

  • Date of birth

  • Citizen service number (BSN)

  • Address

  • Membership of a professional group (e.g., doctor, lawyer)

  • Role or authority within an organization

 

Electronic attestation of attributes is the digital version of issuing a declaration—also called an attestation—further developed under the eIDAS regulation (No. 910/2014) as a so-called electronic trust service. This provides a legally recognized and secure way to electronically confirm characteristics of a person or organization, issued by a recognized party. It plays an important role in digital identity and access control, especially in sectors where reliability and security are critical (such as healthcare, government, judiciary, etc.).

An electronic signature is a digital way to sign a document (such as a contract or agreement) or to confirm a transaction. It has the same legal value as a handwritten signature, provided certain conditions are met. The goal is to verify the signer's identity and ensure the integrity of the document.

What categories of Electronic Attestations of Attributes exist under eIDAS 2.0?

Article 3, paragraph 16(g) of eIDAS 2.0 defines the issuance of electronic attestations of attributes as an electronic trust service, with four legal categories of attestations distinguished:

  • Personal Identification Data (PID): A set of data provided under national law that serves to identify a natural person, a legal entity, or a natural person acting on behalf of another natural or legal entity.

  • Qualified Electronic Attestation of Attributes (QEAA): An electronic attestation of attributes issued by a Qualified Trust Service Provider (QTSP).

  • Electronic Attestation of Attributes issued by or on behalf of a competent public authority (Pub-EAA): An electronic attestation of attributes issued by a public authority responsible for an authentic source, or by an entity designated by the Member State to act on behalf of such public authorities.

  • Non-qualified EAA: An electronic attestation of attributes that is neither a QEAA nor a Pub-EAA.

When is an attestation considered a Qualified Electronic Attestation of Attributes (QEAA)?

The main differences between non-qualified electronic attestations of attributes (EAA) and qualified electronic attestations of attributes (QEAA) are:

  • A QEAA may only be issued by a Qualified Trust Service Provider (QTSP) recognized by an EU Member State;

  • A QEAA must meet stricter requirements than an EAA, as explained in the applicable ETSI standards;

  • The QEAA must be signed using a Qualified Electronic Signature (QES) or Qualified Electronic Seal (QESeal) by the trust service provider.

What is a Pub-EAA?

In addition to QTSPs, government agencies, such as independent administrative bodies, may also attest to attributes electronically and issue them, for example, to EUDI wallets. These are called Pub-EAAs, not (Q)EAAs. These public authorities may only issue Pub-EAAs if they hold an approved Conformity Assessment Report (CAR) issued by an accredited Certification Assessment Body (CAB). The legal validity or status of a Pub-EAA is equivalent to that of a QEAA.

What are the main benefits of Electronic Attestation of Attributes?

Electronic attestation of attributes—particularly the qualified variant (QEAA)—offers several key advantages in the context of digital services, identity management, and trust relationships compared to paper-based attestations and other verification procedures:

  1. High reliability and legal value

    • Due to the strict requirements of the eIDAS regulation and the involvement of qualified trust service providers, a QEAA is legally equivalent to a paper attestation.

    • This ensures legal certainty when used in formal procedures (e.g., accessing government services, entering into contracts).

  2. Fast and automated verification

    • Attributes can be verified automatically and in real time, without manual intervention. This speeds up processes such as:

      • Granting access to sensitive systems or information;

      • Digital registration with institutions;

      • Assigning roles/access rights based on function or authority.

  3. Enhanced security

    • Issuance and use of attributes are done via cryptographically secured mechanisms. This reduces the risk of fraud, identity misuse, or forged documents.

  4. EU-wide interoperability

    • QEAAs fall under the eIDAS regulation and are thus recognized in all EU Member States.

    • This enables cross-border digital services—for example, a French doctor needing access to a Belgian health platform.

  5. Protection of personal data (privacy-by-design)

    • Users can selectively share attributes—for instance, confirming "is over 18" without revealing the date of birth.

    • Better aligned with GDPR principles such as data minimization.

  6. Efficiency and cost savings

    • Reduces administrative burden (no paper attestations, no manual checks).

    • Lower long-term costs for organizations that need to verify attributes (e.g., governments, banks, healthcare institutions).

  7. Improved user experience

  • Users need to submit fewer documents.

  • After authentication, attributes can be sent automatically with a single click.

 

In summary: Electronic attestation of attributes combines legal certainty, efficiency, ease of use, and security in digital processes. It is a crucial component of a forward-looking digital identity and access management strategy, especially in sectors like government, healthcare, finance, and education.

What does the eIDAS Trust Service QEAA look like?

The eIDAS trust service QEAA (Qualified Electronic Attestation of Attributes) is designed to securely and legally issue, receive, and make available electronic attestations to so-called relying parties. This service complies with strict requirements set out in the eIDAS regulation and includes the following components:

1. Registration Service

  • Request initiation for attribute attestation: Receives a request from the subscriber for the issuance of a new EAA.

  • Verification procedure: Performs all necessary verifications in accordance with the applicable EAA policy. This includes:

    • Authentication of the subscriber / EUDI wallet holder

    • Confirmation of the subscriber’s authorization to request an EAA

    • Initiation of the identity proofing process

2. Identity Proofing & Binding Service

  • Identification: Verifies the identity of the applicant using evidence that confirms the required identity attributes.

  • Wallet binding: To securely store an EAA in the wallet linked to the identified subscriber, the wallet must first be bound to the subscriber. This process involves verifying the identity of the wallet holder and, if needed, including information about a public attestation key or the associated identification in the EAA.

3. Verification Service

  • Attribute sources: Various attributes are verified based on authentic sources appointed by an EU Member State or so-called authoritative sources.

    • An authentic source (e.g., Trade Register managed by the Chamber of Commerce) is defined as a governmental body or private entity managing the official source of records recognized by the Member State as the primary source of that information.

    • Authoritative sources (e.g., digital safe with notarized deeds) are trusted sources that can provide and verify data about the identity or attributes of a natural or legal person.

  • Attribute validation: Based on the attribute attestation request, the requested attributes are verified by the (Q)EAA service provider against authentic or authoritative source(s).

4. Issuance Service

  • Generating an EAA: A (Q)EAA must contain at least the following mandatory elements:

    • Identity of the subject (natural or legal person)

    • The attested attributes

    • Identity of the QTSP (Qualified Trust Service Provider)

    • Validity period of the attributes

    • Reference to the source of the attribute

    • Digital signature of the QTSP

  • Electronic signature (or seal): To ensure the legal validity and security of qualified attestations, a Qualified Electronic Signature (QES) or Qualified Electronic Seal (QESeal) is required. These guarantee:

    • Authenticity of the issuer

    • Integrity of the attestation
      Without a QES or QESeal, a QEAA cannot provide the full legal assurances needed for secure and verifiable attestations.
      (For more information, refer to the dedicated page on qualified electronic signatures and seals.)

5. Dissemination Service

Issuance of attestations by a QTSP or Pub-EAA provider to authorized natural and/or legal persons. Issuance can occur:

  • To an EUDI wallet

  • Or via other secure channels in the form of an electronic file with guaranteed integrity

6. Revocation Management Service

The EAA service provider must implement procedures and processes for revocation of the EAA—for example, in cases of fraud or errors.

7. Validation Status Service

The EAA service provider must provide continuous (24/7) availability of revocation status information for issued EAAs and ensure the integrity and authenticity of this status data.

Why are ETSI standards important for QEAA?

The eIDAS Regulation refers to specific standards developed by the European Telecommunications Standards Institute (ETSI). These standards are essential to ensure that trust services—such as the Qualified Electronic Attestation of Attributes (QEAA)—function securely, reliably, and interoperably across the European Union.

  • Interoperability: They ensure that QEAA services can be used across borders throughout the EU.

  • Legal certainty: They guarantee that the QEAA meets the formal requirements of the eIDAS Regulation, leading to legal recognition in all member states.

  • Security: They define clear technical and organizational requirements to protect the integrity, confidentiality, and authenticity of attestations against tampering or misuse.

 

Which ETSI standards must an eIDAS QEAA trust service comply with?

1. General Standard for Trust Services and Providers

  • ETSI EN 319 401: "General Policy Requirements for Trust Service Providers"
    Defines general requirements for a Trust Service Provider (TSP), including:

    • Security management

    • Operational procedures

    • Audit requirements

2. Standards for Validation and Issuance of Electronic Attributes

  • ETSI TS 119 471: "Policy and Security Requirements for Providers of Electronic Attestation of Attributes Services"
    Contains the baseline requirements a QEAA service must meet.

  • ETSI TS 119 472-1: "Profiles for Electronic Attestations of Attributes; Part 1: General Requirements"
    Specifies additional requirements for QEAA and Pub-EAA providers regarding the data models used for validation and issuance of electronic attributes.     Supported data models include:

    • SD-JWT Verifiable Credentials (VC)

    • SD-JWT VC Data Model (DM)

    • ISO/IEC 18013-5:2021 (Mobile Driving Licence - mDL)

    • W3C Verifiable Credentials (W3C-VC)

    • X.509 Attribute Certificates (X.509 AC)

    • Hybrid variants combining multiple models

 

Note: If a (Q)EAA is issued to an EUDI wallet, it must at least support the SD-JWT VC or ISO/IEC 18013-5 protocols.

  • ETSI TS 119 472-2: "Profiles for Electronic Attestations of Attributes; Part 2: Profiles for EAA/PID Presentations to Relying Parties"
    Specifies requirements for making EAAs and Personal Identification Data (PID) available to relying parties.

  • ETSI TS 119 475: "Relying Party Attributes Supporting EUDI Wallet User's Authorization Decisions"
    Specifies characteristics that help wallet users inform relying parties about roles and attributes. These attributes support authorization decisions for accessing data stored in the wallet.

 

Additional Technical Specifications and Requirements

Depending on the architecture and implementation of the trust service, the above standards may refer to additional technical specifications and security requirements, including:

  • ETSI TS 119 461: "Policy and Security Requirements for Trust Service Components Providing Identity Proofing of Trust Service Subjects"
    Defines policy and security requirements for components responsible for identity verification.

  • ETSI TS 119 462: "Wallet Interfaces for Trust Services and Signing"
    Provides additional requirements for how the wallet interface should be structured, especially in the context of QEAA trust services and electronic signing.

bottom of page