Architecture Reference Framework (ARF)
The eIDAS 2.0 regulation establishes what digital identity must achieve in the EU. The Architecture Reference Framework (ARF) defines how to achieve it. It translates legal principles into specific technical requirements that wallets, attestation providers, and Relying Parties must implement.
The Truvity EUDIW Connector implements the ARF requirements relevant to credential verification, so you can focus on your business logic while the connector handles protocol compliance.
From legal principles to technical requirements
The ARF bridges the gap between high-level legal mandates and concrete technical specifications:
-
Legal principle (eIDAS 2.0): Users must control their data and disclose only what is necessary. Technical requirement (ARF): Implementations must support selective disclosure to enable sharing specific attributes without revealing the entire credential.
-
Legal principle (eIDAS 2.0): Relying Parties must be authenticated and authorized. Technical requirement (ARF): Relying Parties must use X.509 access certificates to authenticate themselves to wallets during the presentation flow.
This translation ensures that a wallet developed in one member state can interact with a Relying Party in any other member state.
Key ARF topics for Relying Parties
RP registration and authentication
The ARF defines how Relying Parties are identified and trusted by wallets:
- Access certificates: You authenticate yourself to wallets using X.509 certificates. The connector uses these certificates to sign authorization requests, allowing the wallet to display your verified identity to the user.
- Registration: In a production environment, you register with member state authorities to obtain these certificates. The connector supports both self-signed certificates for development and CA-issued certificates for production.
Relying Party Intermediaries
The ARF defines the role of a Relying Party Intermediary (RPI)—a party that acts on behalf of Relying Parties to connect to Wallet Units and request attributes. Article 5b(10) of eIDAS 2.0 establishes two binding rules for RPIs: they are deemed to be Relying Parties (with all associated obligations), and they must not store data about the content of the transaction.
Separately, the connector uses an ephemeral data model as a security architecture choice that minimizes the attack surface for sensitive identity data. Verification results are delivered through callbacks and not persisted.
Presentation protocol
The ARF mandates specific protocols for credential exchange:
- Protocol: The ecosystem uses OpenID for Verifiable Presentations (OID4VP)
- Profile: The High Assurance Interoperability Profile (HAIP) constrains OID4VP with strict security parameters that the connector implements by default
- Query language: Requests use DCQL to specify exactly which credentials and attributes are needed
- Flows: Both same-device and cross-device flows are required
Trust evaluation
Verification involves more than checking a signature. The ARF requires comprehensive trust evaluation:
- Chain verification: Validating the issuer's certificate chain against the trusted list of the relevant member state
- Revocation checking: Verifying that the credential has not been revoked by the issuer
- Device binding: Verifying that the entity presenting the credential is the legitimate holder
Connector compliance
The connector implements ARF requirements so you can focus on your integration logic:
| ARF requirement | What the connector handles |
|---|---|
| Protocol implementation | Implements OID4VP with the HAIP profile, supporting both same-device and cross-device flows |
| Data minimization | Implements an ephemeral data model. Verification results are delivered through callbacks and not persisted. Ephemeral encryption keys are used per session and deleted afterward |
| Cryptographic operations | Handles signature validation, key binding verification, and SD-JWT parsing automatically |
| Trust management | Uses your X.509 certificates for RP authentication and automates issuer trust chain and revocation status validation |
| Query construction | Provides interfaces to construct DCQL queries for specific credentials and attributes |
Standards ecosystem
The ARF relies on a stack of existing and emerging standards:
- OID4VP: The transport protocol for requesting and receiving verifiable credentials
- HAIP: A strict security profile ensuring interoperability across the EUDI ecosystem
- DCQL: The query format for requesting specific credentials and attributes
- SD-JWT: A credential format that enables selective disclosure and key binding
Implementing Acts
The ARF translates eIDAS 2.0 into technical requirements, but the legally binding rules are formalized in Commission Implementing Regulations (CIRs). Key Implementing Acts relevant to Relying Parties include:
- CIR (EU) 2024/2982—defines the protocols and interfaces for the EUDI Framework, covering credential issuance, attribute presentation, data erasure requests, and Relying Party reporting to supervisory authorities.
- CIR (EU) 2025/848—establishes rules for the registration of wallet-relying parties, including requirements for national registers and the information that Relying Parties must provide during registration.
- CIR (EU) 2024/2977—defines rules for Personal Identification Data (PID) and electronic attestations of attributes (EAA), including attestation formats and issuance requirements.
For a complete list of Implementing Acts and their scope, see compliance and regulations.
Further reading
- eIDAS 2.0 requirements—the legal framework that the ARF implements
- Compliance and regulations—your compliance responsibilities as a Relying Party
- Connector architecture—how the connector implements ARF requirements