Credentials not anchored in law - versus anchored

When credentials are not anchored in law, the missing legal authority must be compensated with community-governed trust frameworks — aka rulebooks.
These rulebooks make the credentials verifiable and usable even without legal mandate.

Here’s what’s typically needed:

1️⃣ Governance Rulebook

Defines who’s in charge and how trust is earned and maintained.

• Membership criteria for issuers, verifiers, and holders
• Procedures for onboarding/offboarding actors
• Conflict resolution and sanctioning
• Versioning and change management
• Link to trust registries (where accredited issuers/verifiers are listed)

This is the backbone: “Who do I trust to issue or verify this credential?”

2️⃣ Semantic & Data Rulebook

Ensures all parties speak the same data language.

• Defines the schema (data elements, datatypes, cardinality)
• Controlled vocabularies and code lists
• Reference to semantic assets (e.g. EU vocabularies, UN/CEFACT, ISO, DCAT, SKOS, OWL)
• Validation rules (e.g. SHACL shapes)

This is what makes credentials interoperable and machine-readable across borders and sectors.

3️⃣ Process & Liability Rulebook

Describes how the credential is issued, verified, and revoked — and who is liable if something goes wrong.

• Business processes and verification steps
• Evidence required for issuance
• Validity period and revocation policies
• Responsibility and liability of issuers and verifiers
• Audit and supervision procedures
• Dispute handling

This provides the “insurance” that verifiers need before trusting data that’s not legally mandated.

4️⃣ Technical & Security Rulebook

Specifies how the bits flow securely.

• DID method or other identifier scheme
• Protocols (OID4VCI, OID4VP, DIDComm, etc.)
• Encryption and signing requirements
• Hosting and data retention standards
• Conformance testing procedures

This guarantees technical interoperability and trustworthiness.

5️⃣ Business Model & Sustainability Rulebook

Explains why it’s worth joining.

• Cost/revenue model for participants
• Incentives for issuers/verifiers
• Funding of registry/governance operations
• Fee transparency
• KPIs and success metrics

Without this, no ecosystem survives long term — even if the tech works.

6️⃣ Ethics, Privacy & Consent Rulebook

Clarifies rights, duties, and limits of data use.

• GDPR and data minimisation alignment
• Consent management rules
• Transparency and redress mechanisms
• Ethical use principles (esp. if AI-agents are involved)

This prevents “wild west” usage and protects individuals and SMEs.

✅ Summary Table

In short:
When legislation doesn’t provide a trust anchor, rulebooks become the de facto law — the social contract of that credential ecosystem.
They enable “market-driven” credentials (like proof of training, carbon footprint, posted worker notice, etc.) to achieve legal-grade credibility.

"Much easier — but not automatic.

When a credential is anchored in law, a big chunk of the heavy lifting is already done — because the legislation itself functions as the ultimate rulebook.

Let’s unpack that:

✅ What’s already solved when credentials are anchored in law

1️⃣ Governance & authority

• The law defines who can issue (e.g. population register, tax office, vehicle authority).
• Trust registries (or equivalent official lists) already exist — e.g. National Business Register, Qualified Trust Service Provider (QTSP) lists.
• Issuers are legally accountable; liability is implicit in their public mandate.

➡️ Result: No need for a new governance rulebook — the state is the trust anchor.

2️⃣ Process & liability

• Legal acts often prescribe issuance and verification processes (“Tax certificate issued by authority X under procedure Y”).
• Liability follows existing administrative law or sectoral rules.
• Disputes go through existing administrative or judicial systems.

➡️ You don’t need to negotiate liability; it’s codified.

3️⃣ Semantic & data model

• Data elements are often standardised by law (e.g. VAT ID format, company registration data, vehicle type approval codes).
• EU has dozens of such legal schemas in regulations or implementing acts — ready to reuse.

➡️ Semantic alignment is easier — though mapping to verifiable credential (VC) format still requires work. +++this is very important+++

4️⃣ Legitimacy

• Legal credentials carry public authority and presumptive evidential value.
• Verifiers can rely on them without needing bilateral agreements — they’re “good enough by default.”

➡️ That makes onboarding fast and cross-border acceptance possible.

⚠️ What’s still hard, even for legally anchored credentials

1️⃣ Technical harmonisation

• Legislation rarely specifies how to express or exchange credentials (JSON-LD? SD-JWT? OID4VCI?).
• Member States interpret differently — so cross-border interoperability still needs a technical rulebook. +++to be started without delay+++

2️⃣ Semantic nuance

• Even with laws, data definitions differ between countries (“company type,” “tax residence,” etc.).
• Need semantic harmonisation across jurisdictions (that’s where your WP4 work fits perfectly).

3️⃣ Transition of legacy systems

• Authorities still issue PDFs or static XMLs; turning those into live verifiable credentials requires re-engineering. +++very important+++
• Security and privacy upgrades take time.

4️⃣ Liability chain for verifiers

• Even if issuer liability is clear, the verification process (especially automated or by AI-agents) needs defined boundaries for re-use and consent.

🧭 In short

So: anchored-in-law credentials start from trust and liability already solved — leaving only semantics and technology to standardise.
Non-legislated credentials must build all of that from scratch through well-governed ecosystems.