Re: Utah State-Endorsed Digital Identity (SEDI) legislation

On Sun, Feb 15, 2026 at 8:41 AM Steffen Schwalm
<Steffen.Schwalm@msg.group> wrote:
> I guess the key is the combination of legislation and math. Math without legal backing is interesting science but not useable in regulated environments, law without technical basement = math is meaningless because its goals are not achievable.

Counterpoint: Web browsers, the World Wide Web, and the Internet. :)

Web browsers have no mandatory regulatory regime, yet they're used in
highly regulated activities (payments, banking, interaction with
government). They don't have to "prove their code is secure" before
engaging with a website during a regulated activity.

Transport Layer Security (TLS) depends on math, not legislation, to
secure connections over the Web and Internet.

Web sites have no mandatory regulatory regime that is checked for by
the Web browser before requesting arbitrary information from the
individual and the Web browser has no mandatory regulatory regime that
it checks before sending arbitrary information from the individual to
the website.

There are 5.5 billion people on the planet that use this system to
engage in regulated environments... and it needs far less European
regulation to operate than what EUDI is attempting.

Now, that's not to say that there isn't regulation involved. The
Domain Name System (DNS) does have governance policies and there is
regulation in place to determine who gets to manage top-level domains
as well as certificate authorities. So, this isn't a "there should be
zero regulation" stance -- it's just that EUDI is overdoing it, by a
very wide margin.

> Basically we have no BigTech in the QTSP.

Why would BigTech want to become a QTSP? There is no money or control
in it... the money and control is in holding the most critical
identity documents of an individual in a digital wallet and then
charging the market for access to those identity documents.

For example, Apple and Google can charge a larger percentage of a
credit card transaction if they also have a PID in the same digital
wallet -- that's many tens of billions of dollars a year in revenue
without having to become a QTSP. Google can do more targeted
advertising with a PID in a wallet... and if the PID is in a wallet,
the fact that more credentials tied to that PID are likely to appear
gives them even more data for targeted advertising, which is many
hundreds of billions of dollars a year more. Banks will pay them to
put their cards in the wallet, give them basis point kickbacks (to the
tune of billions of dollars), because that's what people are using
(and they get visibility into consumer spending habits)... that
doesn't happen in the state-issued government wallet, which will never
hold the variety of credentials that BigTech wallets will hold.

All BigTech needs to do is make sure that the competitive landscape is
hobbled and the EU is doing a fine job of that by making the
regulations so complex and hard to meet that there will be very little
real competition when it comes to digital wallets in the EU.

> Reason is complexity in becoming and running a QTSP.

Yes, that's why small organizations can't become a QTSP in the EU. But
for Big Tech... no, that's not the reason. BigTech has no problem
throwing money at regulatory complexity if there is a profit motive
there. They could become a QTSP if they wanted to... it's just that
there's no need for them to do so in order to hit their profit motive
(yet)... and frankly, I don't think Google even asked the EU to
constrain competition in the way that has ended up happening... the EU
shot itself in the foot wrt. wallet competition all by itself. I
expect Apple is overjoyed with the current direction.

> So QTSP regime seems more a key to keep BigTech out of regulated environments - so far the experiences from eIDAS 1. Only DocuSign was a bit successful but by underlying EU rules.

EU is not an attractive market to digital credential businesses
outside of the EU because the regulations are such that home-grown
systems built for the EU market are so complex and EU-centric that
they don't have a chance of surviving in other markets. It's one of
the reasons the EU does not have many tech companies that can compete
at a global scale. You're hobbling your own tech companies through
regulatory overreach, all in the name of "protecting the citizen",
which is largely security theatre.

Just take a look at what it takes to become a QTSP (checklist on pages 16-30):

https://www.enisa.europa.eu/sites/default/files/publications/ENISA%20Report%20-%20Conformity%20Assessment%20of%20Qualified%20Trust%20Service%20Providers.pdf

and the laundry list of European-centric standards that you have to
implement, that the rest of the world does not use, to become a QTSP
(on page 11):

https://www.enisa.europa.eu/sites/default/files/publications/ENISA%20Report%20-%20Recommendations%20for%20QTSPs%20based%20on%20Standards.pdf

Speaking as an entrepreneur, I do not envy European tech companies
that need to build to overcome those regulatory hurdles. I think it's
telling that your governments are the ones largely building and
funding digital wallets. I expect only the larger companies, that do
so at a loss, will be able to survive over the long term... and even
they will be overcome when a less Minitel-like system[1] is overtaken
by a more Web-like system.

... and to be thoroughly clear, I think that certain US state
governments allowing Big Tech to be the sole holder of state-issued
identity documents, with proprietary protocols run between the state
and the Big Tech digital wallet, is an even worse outcome... but at
least the US hasn't made the regulatory mistakes the EU has (yet).

Utah is the only state I've seen so far get the regulatory stuff
mostly right. Time will tell if they fumble the execution, or if they
do a good job there as well.

-- manu

[1] https://www.bbc.com/news/magazine-18610692

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
https://www.digitalbazaar.com/

Received on Sunday, 15 February 2026 15:11:42 UTC