TL;DR: Faster digital signature adoption, a renewed focus on identity authentication, and expanding data protection pressure are emerging as eIDAS 2.0, PSD3, and digital identity wallets reshape trust models across the EU and beyond, according to GlobalSign’s 2023 predictions. The shift is less about new tools than about governance, assurance, and policy alignment across identity programmes.
At a glance
What this is: GlobalSign’s predictions argue that digital signatures, identity authentication, and regulation will accelerate together as eIDAS 2.0 and related policy changes reshape trust online.
Why it matters: IAM, verification, and certificate teams need to treat digital identity policy as a governance problem, because authentication, signing, and compliance expectations are tightening at the same time.
By the numbers:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
👉 Read GlobalSign's predictions on eIDAS 2.0, identity authentication, and digital trust
Context
Digital identity governance is moving from a niche compliance concern to a core security and trust issue. In this article, GlobalSign argues that eIDAS 2.0, digital identity wallets, and changing authentication expectations will push organisations to rethink how they verify people, issue trust services, and support cross-border transactions.
The identity angle matters because changes to signing and authentication do not sit only with legal teams or certificate authorities. They affect IAM, verification, certificate lifecycle management, and the controls that decide whether a person, device, or service can be trusted in a regulated workflow.
Key questions
Q: How should security teams govern digital identity wallets in an existing IAM programme?
A: Treat digital identity wallets as part of the human identity control stack, not as a separate pilot. Governance should cover enrolment assurance, issuer trust, verification policy, revocation, and exception handling. The enterprise needs a clear mapping between wallet ecosystems and the authentication standards it will accept, or wallet adoption will outpace control maturity.
Q: Why do digital signatures need governance beyond cryptography?
A: Because cryptography only proves that a key signed something, not that the right person or system was allowed to use that key. Organisations need identity proofing, certificate lifecycle management, revocation and audit evidence so signatures remain legally and operationally trustworthy.
Q: How do data protection rules affect identity and trust services?
A: They shape what evidence can be collected, how it is stored, and which verification processes are defensible. If privacy requirements and identity assurance are managed separately, organisations can end up with compliant technology and non-compliant operating models.
Q: What should organisations re-evaluate when digital trust regulations change?
A: Re-evaluate assurance levels, certificate governance, federation dependencies, and cross-border trust assumptions. The main risk is not a missing feature, but a mismatch between policy, operating controls, and the claims made by the trust service.
Technical breakdown
eIDAS 2.0 and the new shape of digital trust
eIDAS 2.0 changes the operational context for digital signatures by formalising a broader European digital identity framework. That matters because trust services are no longer just technical artefacts. They become regulated components in workflows that span onboarding, signing, and cross-border identity verification. For practitioners, the challenge is not only certificate issuance but evidence, assurance, and policy consistency across jurisdictions.
Practical implication: Map signing and identity assurance workflows to the regulatory obligations that will govern them, not just to local certificate practices.
Digital identity wallets and authentication governance
Digital identity wallets shift identity authentication from static login events toward reusable, higher-assurance assertions. That can improve trust, but it also raises questions about binding, revocation, recovery, and who controls the wallet lifecycle. If a wallet becomes part of the enterprise trust chain, IAM teams need to understand how assurance level, federation, and recovery processes will work when identity proofing sits outside the organisation.
Practical implication: Review how wallet-based authentication will integrate with federation, recovery, and step-up controls before it reaches production use.
Why certificate and PKI governance remains central
Certificate-based trust still underpins many digital signing and encryption workflows, even as interfaces and user experiences change. The operational risk is governance drift. Organisations can add new identity layers without fixing certificate inventory, renewal, policy enforcement, or revocation discipline. That leaves assurance claims in place while the underlying trust material ages or becomes inconsistent across systems.
Practical implication: Treat certificate lifecycle management as part of identity governance and not as a separate infrastructure task.
Threat narrative
Attacker objective: The attacker seeks to exploit gaps in digital trust so that unauthorised identities or transactions are accepted as valid.
- Entry occurs through weak identity assurance or poorly governed authentication flows, especially where digital trust is reused across services.
- Escalation follows when stale certificates, weak revocation handling, or inconsistent trust policies allow unauthorised assertion of identity.
- Impact is loss of trust in signing, authentication, and regulated digital workflows, which can lead to fraud, compliance failure, or transaction rejection.
NHI Mgmt Group analysis
Digital identity policy is becoming an IAM governance issue, not just a legal one. eIDAS 2.0 and related digital identity changes move assurance decisions into the centre of trust architecture. That means identity proofing, signing, and federation controls have to align with policy and operational reality. Practitioners should expect more cross-functional ownership, but IAM teams still need to own the control plane.
Digital identity wallets will increase the pressure on lifecycle governance. Reusable identity assertions sound efficient, but they also create new questions about binding, recovery, revocation, and assurance drift. In practice, the benefit comes only if organisations can govern the wallet lifecycle with the same discipline they apply to human identities and privileged credentials. The practitioner takeaway is to treat wallet trust as a managed identity lifecycle.
Certificate trust is still the backbone of electronic identity, even when the user journey changes. The article’s focus on digital signatures and CA perception reflects a broader market truth: trust services only work when issuance, rotation, and revocation remain reliable. For identity programmes, this reinforces the need to connect PKI governance to IAM and compliance oversight rather than leaving it in an isolated technical silo.
Data protection change will keep colliding with identity assurance requirements. The article links future data protection reform with broader digital trust changes, and that collision is where many programmes will struggle. When verification, signing, and data governance evolve separately, assurance becomes fragmented. Practitioners should expect identity policy, privacy obligations, and trust services to be managed together.
What this signals
Digital identity programmes are moving toward a model where policy, proofing, and trust services must be managed as one control surface. For teams responsible for IAM and verification, that means the question is no longer whether digital identity will matter, but whether the organisation can prove who or what was trusted, by whom, and under which assurance standard.
Assurance drift: the hidden failure mode here is that identity trust can look compliant at the point of issuance while lifecycle controls quietly weaken afterward. That is where certificate oversight, wallet recovery, and federation policy have to be tied back to operational control, not just legal interpretation.
Practitioners should also expect more overlap between identity governance and privacy oversight as regulations and digital trust frameworks continue to converge. Where personal data, verification evidence, and signing workflows intersect, teams will need stronger reporting, clearer accountability, and tighter lifecycle controls.
For practitioners
- Assess digital identity wallet integration points Identify where wallet-based authentication would touch federation, step-up checks, signing, and recovery flows. Document which systems would need policy changes before any pilot moves beyond a limited trust boundary.
- Review certificate lifecycle governance Inventory certificate issuance, renewal, revocation, and ownership across all trust services. Confirm that renewal and revocation processes are tied to business-owned service lifecycles, not just infrastructure schedules.
- Align identity assurance with regulatory change Map eIDAS 2.0 and related data protection developments to the controls used in onboarding, authentication, and electronic signing. Pay attention to cross-border workflows where assurance evidence must survive audit scrutiny.
Key takeaways
- eIDAS 2.0 and digital identity wallets are shifting trust decisions into the centre of IAM governance, not the edge of compliance.
- The main operational risk is lifecycle drift, where assurance claims remain in place even as certificates, wallets, or policies fall out of sync.
- Practitioners should align identity assurance, certificate governance, and data protection controls before digital trust frameworks expand further.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63C | Digital identity wallets and federation map directly to identity assurance and federation governance. |
| NIST CSF 2.0 | PR.AC-1 | Authentication and identity proofing are central to the article's trust and verification theme. |
| GDPR | Art.32 | The article links digital identity change with data protection and verification evidence handling. |
| ISO/IEC 27001:2022 | A.5.16 | Identity governance and trust service oversight require defined management of identity information. |
Ensure identity and signing workflows preserve security of personal data and verification evidence.
Key terms
- Digital Identity Wallet: A digital identity wallet is software that stores and presents credentials for a person or organisation. It is a portability layer, not an authorization system. The wallet moves verified proof between parties, while the relying party still has to decide whether the proof is sufficient for the requested action.
- Trust Services Principles: The Trust Services Principles are the criteria SOC 2 uses to evaluate a service organisation’s controls. They cover security, availability, processing integrity, confidentiality, and privacy, and each organisation must determine which principles actually apply to the services and data it handles.
- Certificate Lifecycle Management: Certificate lifecycle management is the process of issuing, renewing, rotating, and revoking certificates in a controlled way. It prevents trust from silently degrading when certificates expire, are misused, or remain valid after the underlying relationship or system should no longer be trusted.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- Predictions and examples behind the expected growth in digital signatures across the EU and UK.
- The article's discussion of eIDAS 2.0, PSD3, and data protection reform as overlapping policy signals.
- GlobalSign's perspective on how authentication, trust services, and CA perception may change across markets.
- The source article's examples of email security, PKI, and emerging technology trends beyond the identity-specific focus of this post.
Deepen your knowledge
NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, secrets management, and identity lifecycle controls. It is designed for practitioners who need to connect identity governance with broader security operations and risk management.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org