German implementation of eIDAS will require an Apple/Google account to function
New German digital ID law requires mobile wallets to link to platform accounts for vulnerability monitoring.
Germany's forthcoming implementation of the EU's eIDAS regulation (electronic Identification, Authentication and trust Services) includes a stringent security protocol that will effectively require citizens to use an Apple or Google account to operate the national digital ID wallet. At the core of this requirement is a new Mobile Device Vulnerability Management (MDVM) framework. Its purpose is to protect the high-assurance Personal Identification Data (PID) credential, which relies on public/private key cryptography, from being duplicated or misused by attackers with 'high' attack potential, the top grade in Common Criteria vulnerability analysis. To achieve this, the system must continuously verify the security posture of a user's device: device integrity, operating system version, patch level, and the state of the hardware key store (HKS) that protects the credential's private key.
This real-time vulnerability monitoring cannot be performed independently by the wallet app, since an ordinary app cannot credibly attest to its own integrity or to that of the operating system beneath it. Instead, the technical specification states that to 'Verify device/app security posture,' the solution must use 'security functions from the platform of the user device.' In practice, this means relying on proprietary, platform-specific attestation services such as Apple's DeviceCheck and App Attest or Google's Play Integrity API (the successor to the now-deprecated SafetyNet Attestation API). If a critical vulnerability is detected in a device's OS or HKS, the system will prevent use of the protected digital ID keys, so that the credential issuer's security assurances continue to hold. This creates a de facto dependency on the mobile platform ecosystem for a core state function.
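The gating pattern described above, as an added example that is not part of the original article or of the German specification: a server-side policy evaluator that takes a signed device-posture statement from a platform attestation service and decides whether the PID keys may be used. The statement format, field names (`device_integrity`, `hks_attested`, `os_patch_level`, ...), the policy thresholds and the HMAC signature are all assumptions chosen so the example runs offline; real services (Play Integrity, App Attest) return their own structures and asymmetric signatures chained to the platform vendor's root. The order of the checks is the point: signature, then challenge binding and freshness, then posture, and every check fails closed.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed policy values (assumptions, not taken from the German specification).
MIN_OS_PATCH_LEVEL = "2024-09-05"        # ISO date; compared lexically
BLOCKED_HKS_FIRMWARE = {"se-fw-1.2.0"}   # HKS firmware with a known critical flaw (hypothetical)
MAX_STATEMENT_AGE_S = 120                # freshness window for an attestation statement


@dataclass
class Decision:
    allowed: bool
    reason: str


def sign_statement(key: bytes, stmt: dict) -> str:
    """Produce 'base64url(json).hexmac'. The HMAC stands in for the platform's
    signature so the example runs offline; a real verifier checks an
    asymmetric signature and certificate chain from the platform vendor."""
    body = base64.urlsafe_b64encode(json.dumps(stmt, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def verify_statement(key: bytes, token: str, expected_nonce: str, now: int):
    """Return (statement, None) on success or (None, reason) on failure.
    Signature is checked before anything in the body is read, then the nonce
    binds the statement to this server's challenge, then freshness is enforced."""
    parts = token.rsplit(".", 1)
    if len(parts) != 2:
        return None, "malformed statement"
    body, mac = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None, "signature check failed"
    stmt = json.loads(base64.urlsafe_b64decode(body))
    if stmt.get("nonce") != expected_nonce:
        return None, "nonce mismatch (possible replay)"
    if now - int(stmt.get("issued_at", 0)) > MAX_STATEMENT_AGE_S:
        return None, "statement too old"
    return stmt, None


def evaluate_posture(stmt: dict) -> Decision:
    """Apply the issuer's policy to an already-verified statement.
    A missing or unexpected field blocks key use (fail closed)."""
    if stmt.get("app_recognized") is not True:
        return Decision(False, "wallet app not recognized by platform")
    if stmt.get("device_integrity") != "hardware-backed":
        return Decision(False, "device integrity not hardware-backed")
    if stmt.get("hks_attested") is not True:
        return Decision(False, "hardware key store not attested")
    if stmt.get("hks_firmware") in BLOCKED_HKS_FIRMWARE:
        return Decision(False, f"HKS firmware {stmt['hks_firmware']} has a known critical vulnerability")
    patch = stmt.get("os_patch_level", "")
    if patch < MIN_OS_PATCH_LEVEL:
        return Decision(False, f"OS patch level {patch or 'unknown'} below minimum {MIN_OS_PATCH_LEVEL}")
    return Decision(True, "posture acceptable; PID keys may be used")


def authorize_pid_key_use(key: bytes, token: str, expected_nonce: str, now: int) -> Decision:
    """End-to-end decision: cryptographic verification first, policy second."""
    stmt, err = verify_statement(key, token, expected_nonce, now)
    if err:
        return Decision(False, err)
    return evaluate_posture(stmt)


# Constructed sample: the server's challenge and a device's healthy answer.
PLATFORM_KEY = b"demo-platform-key"   # stand-in; not a real platform secret
NONCE = "c0ffee42"
NOW = 1_700_000_000
GOOD = {"nonce": NONCE, "issued_at": NOW - 5, "app_recognized": True,
        "device_integrity": "hardware-backed", "hks_attested": True,
        "hks_firmware": "se-fw-1.3.1", "os_patch_level": "2024-10-05"}

if __name__ == "__main__":
    print(authorize_pid_key_use(PLATFORM_KEY, sign_statement(PLATFORM_KEY, GOOD), NONCE, NOW))
    stale_os = dict(GOOD, os_patch_level="2024-06-05")
    print(authorize_pid_key_use(PLATFORM_KEY, sign_statement(PLATFORM_KEY, stale_os), NONCE, NOW))
```

Note that the nonce and freshness checks are what make the attestation useful against an attacker who has already extracted a valid statement from a healthy device: without them a stale or replayed statement would unlock the keys on a compromised one.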
- Germany's eIDAS rules mandate real-time mobile OS vulnerability checks for high-assurance digital IDs.
- The security protocol requires using Apple/Google platform APIs to verify device integrity and patch status.
- Devices with known high-risk vulnerabilities will be blocked from using the national digital ID wallet.
Why It Matters
This sets a precedent for national digital infrastructure becoming dependent on commercial tech platform security services.