Digital identity is the first line of defence in digital sovereignty.

Without controlling how you prove who you are, the exercise of every other digital right is contingent on the governance choices of whoever controls the infrastructure.

Despite significant steps in the right direction like eIDAS 2.0, the Swiss eID Act and the UK digital identity framework , Europe lacks a coherent governance framework to protect the identity layer from commercial or state capture.

The brief argues that digital subsidiarity and decentralisation are the only constitutionally acceptable path forward, and sets out four priorities for the next 36 months:

1. Enshrine control over digital identity as a fundamental right, with non-exclusion protections enforceable across the EU, Switzerland, the UK, and all Council of Europe member states.
   
2. Mandate distributed issuance and revocation through local governments, with guaranteed in-person access points and constitutional rights of recourse.
   
3. Build regulatory protection against identity overreach by establishing unlinkability-by-default as a binding architectural requirement, sector-specific credential scope regulations, and a Digital Identity Ombudsman within national data protection authorities.
   
4. Adopt a pan-European Identity Trust Framework grounded in open standards, constitutional change-control mechanisms, and mutual recognition across jurisdictions.

This policy brief was made possible by the kind support of ENS DAO and the Ethereum Foundation.

The information, statements, data and recommendations in this policy brief have been substantiated through in-person stakeholder engagement (Roundtable at EY Zurich, 7 April 2026), direct interviews with Bhutan NDI, Swiyu, and PCTF practitioners, and a companion research document (Appendix) comprising a global comparative analysis of nineteen national and sub-national digital identity systems.