The Brussels Effect Has Arrived in Digital Identity: What Does AET Europe’s Experience Teach to Brazil About Electronic AR?

Just as the GDPR inspired virtually every data protection regulation on the global stage, eIDAS 2.0 is shaping worldwide digital trust standards. Crypto ID spoke with who have already implemented the self-assisted issuance model for qualified certificates in practice: Wido van de Mast, CEO of AET Europe, and Luís Correia, an expert in Digital Certificates, Digital Signatures, Smartcards, and PKI Solutions, who is responsible for AET Europe’s business development in Brazil

When Europe implements any regulation, the rest of the world pays attention. European technical and legal rigor has a track record of producing long term frameworks that cross borders. This was the case with the GDPR (General Data Protection Regulation), which inspired Brazil’s LGPD and shaped data protection laws in dozens of countries. This phenomenon, called the “Brussels Effect” by Columbia University law professor Anu Bradford, is now operating in the field of digital identity with eIDAS 2.0.

Crypto ID asked to AET Europe, a Dutch company with over 25 years of experience in digital trust and a presence in Brazil that predates ICP-Brasil itself to understand what the Brazilian digital certification industry can learn with them, especially regarding the focal point of the current debate: the issuance of qualified certificates in a self-assisted model, without a physical presence, maintaining full security and legal validity.

What Did CertForum-ID 2026 Highlight as a Challenge?

CertForum-ID 2026, held in Brasília on June 9 and 10, was much more than just another edition of the event. Marking 25 years of ICP-Brasil (the Brazilian Public Key Infrastructure) and 55 million National Identity Cards (CIN) issued, Brazil presented itself as a rare case: a nation that has simultaneously built a continental-scale civil identification infrastructure and a digital trust chain with full legal backing.

Márcio Nunes, president of the ANCD (Associação Nacional de Certificação Digital), was very straight forward during an interview with Crypto ID at the event: Electronic AR (Electronic Registration Authority) is “the key point of the entire debate we have brought here regarding digital certification over these two days.” For him, Normative Instructions ITI No. 36 and No. 37/2026 formally open the way for a new service model focused on the self-assisted issuance of cloud certificates, exclusively for individuals.

The numbers help illustrate what it is: ICP-Brasil already reaches approximately 3.5 million qualified electronic signatures per day using individual cloud certificates. Combining both types, advanced and qualified signatures, Brazil does almost 5 million signature operations per day. While impressive, this volume represents only a fraction of the potential of a country with over 200 million citizens and a deeply rooted document culture.

Electronic AR is the mechanism that can unlock the next layer of growth for digital certification adoption. However, as the president of the ANCD warned, simplifying processes must not be misleading with bad security. “It is a simplification, not a trivialization of security,” he stated clearly the president of ANCD´s.

This balance between user experience and technical rigor is precisely where AET Europe’s international experience becomes highly relevant to the Brazilian debate.

What Europe Has Already Built: The Serbia eID Case Study

Case – link

Serbia is a European country located in the Balkans with approximately 6.5 million inhabitants, holding official candidate status to European Union since 2012. This context makes the case study even more significant: despite not being a full member of the bloc, the country decided to align its digital identity infrastructure with eIDAS 2.0 (the European regulation on electronic identification and trust services) as part of a larger project to modernize public services and align with European standards.

The platform chosen to enable this advance was ConsentID, developed by AET Europe. This is a documented case study shared by the company itself, which authorized its citation as a public reference for the successful implementation of a national-scale digital identity via self-assisted issuance.

How the System Works:

1. The citizen registers through an online portal.
2. They activate the ConsentID app on their smartphone.
3. They can immediately use a qualified electronic certificate stored in the cloud to access a wide range of services—completely free of physical cards or readers.

In the public sector, the system enables access to e-government services, digital health, the national vaccination platform, healthcare subsidies, social benefits, school enrollment, consular services via eConsulate, and the EU Digital Green Card. In the private sector, banks integrate ConsentID directly into their credit and loan approval processes, securely obtaining necessary citizen information upon their explicit consent.

Sending banking information to authorized third parties also goes through the platform, consolidating ConsentID as a trusted infrastructure for both the state and the market.

Since its launch, over 750,000 citizens have registered, with particularly high adoption in rural and remote regions—populations that historically had limited access to in-person registration services.

The distribution of activation keys followed a smart, widespread model: post offices, local tax administrations, and banks served as support points across the territory. However, identity verification remained remote, controlled, auditable, and self-assisted. While the option for physical presence was available, it was not mandatory. This is exactly the type of architecture that the debate surrounding Electronic AR in Brazil aims to establish.

Technical Architecture and What Powers the Decision

The Serbian case study is based on three core components of the AET Europe platform:

• ConsentID– The user-facing layer for authentication, digital signatures, and consent management. Based on PKI (Public Key Infrastructure) and operating within eIDAS parameters, it allows citizens to sign documents, authenticate into services, and manage privacy data directly from their phones without complex plugins or passwords. The platform supports identities for individuals, legal entities, equipment, and IoT (Internet of Things) devices.
• Remote QSCD (Qualified Electronic Signatures (QES) – The qualified signature creation device in the cloud, it stores the signer’s cryptographic keys within a remotely managed hardware security module (HSM), eliminating the need for a USB token or physical smartcard. The qualified signature is done inside the QSCD, and the private key never leaves the secure environment. The user authorizes the operation via smartphone, and the document is returned signed. The CSC (Cloud Signature Consortium) API is the standard protocol used for communication between the platform and the remote QSCD.
• BlueX completes the ecosystem by taking full control of the certificate lifecycle, automating everything from renewals and revocations to the governance of the entire credential chain.

It is precisely through BlueX that the Brazilian market finds the answer to a critical business and operational question:

How do you track the origin of the issuer and the certificate holder for financial compensation and commission purposes?

With the rollout of Electronic AR, both initial issuances and future renewals will shift to a 100% online, self-assisted model. Because of this, the end-to-end traceability delivered by BlueX becomes the ideal solution. It ensures seamless commercial tracking, proving that moving to a remote, digital framework does not change the core principles of auditing and origination that the market relies on.

eIDAS 2.0 Minimum Requirements for Self-Assisted Verification:

• Identity document verification with liveness detection.
• Strong multi-factor authentication.
• Qualified certificates stored in a remote QSCD with secure key management.
• Full traceability of the event chain.
• Data protection aligned with the GDPR.
• Support for selective attribute disclosure (allowing citizens to share only the minimum data required for a specific context).

For ITI and Brazilian Certification Authorities planning to implement Electronic AR, these requirements translate directly into the ICP-Brasil framework. Self-assisted qualified certificate issuance must combine robust proof-of-life, biometric verification, cross-validation with authorized databases, and auditable access trails. This is required not because of eIDAS, but because these are the exact prerequisites needed to legally sustain the presumption of authorship and integrity inherent to an ICP-Brasil signature.

A Company Speaking the Brazilian Market’s Language Since Before ICP-Brasil

AET Europe did not arrive in Brazil as an observer. The company’s presence in the country predates the creation of ICP-Brasil itself, which marked its 25th anniversary in 2026.

Its entry into the Brazilian digital certification ecosystem began with SafeSign IC—the middleware used for digital certificates on cryptographic media like smartcards and tokens. This technology became a core part of the operational infrastructure for Certification Authorities and thousands of digital certificate users across Brazil.

This deep historical root explains why AET Europe not only understands the operational requirements of ICP-Brasil and the technical language of the ITI but has tracked them since before the existence of the regulatory frameworks that structure the sector today.

AET Europe at Glance

For new Brazilian professional’s digital certification ecosystem, AET Europe is a Dutch company founded in 1998, with over 25 years of continuous operations in digital trust, identity management, and eIDAS compliance. It is a consistent global operation built project by project, sector by sector, over decades.

This consistency is no accident. AET Europe delivers robust identity management projects for some of the most demanding environments globally, with a proven track record in critical operations such as: National Defense, Central Banking, Nuclear Power Plants, Aviation and Critical Operations at Healthcare

Among its publicly disclosable projects are: ZORG-ID, which serves 80% of Dutch healthcare professionals, processing 9 million authentications and 38.7 million signatures in 2025 with 99.982% uptime, and Serbia eID, with over 750,000 citizens registered. Other projects remain confidential due to the strict security requirements of the sectors in which they operate.

Leadership Perspectives

Luís Correia, especialista em Certificados Digitais, Assinaturas Digitais, Smartcards e Soluções PKI, e responsável pelo desenvolvimento de negócios da AET Europe no Brasil

Correia states “Brazil has one of the most mature and robust PKI infrastructures in the world. The challenge now is not essentially technical; it is one of implementation, how to scale the issuance of qualified certificates in the self-assisted model while maintaining the level of security and legal presumption that make ICP-Brasil a global benchmark. AET Europe has already walked this path across various regulatory contexts in Europe. We are here to contribute to this debate, share what we have learned, and work alongside CAs and the ITI to build a model that works for Brazil,”

Wido van de Mast, CEO da AET Europe,

Wido reinforces this global perspective: “With the rapid escalation of digital vulnerabilities, where the primary vectors today are identity theft and synthetic identities, the value of AET comes from our track record of protecting environments that have been recurring targets throughout history. What we protect requires a highly tested cryptographic framework because there is no room for failure when dealing with critical infrastructure. The Serbia eID is one of the projects we can present, and it perfectly illustrates what can be built when the technical architecture is precisely defined from the very beginning. The current solutions are even more mature than when we implemented our first nationwide ‘Remote Identity Proofing with Remote QSCD’ process in Europe, which is, in essence, the exactly same challenge Brazil is regulating right now with the Electronic Registration Authority (AR Eletrônica).”

Why AET Europe’s Certifications Matter in This Context

In a debate about Electronic AR, the Common Criteria EAL4+ certification is not just a minor detail. It is the internationally recognized security evaluation standard that the ITI uses as a benchmark for approving cryptographic devices within ICP-Brasil.

An EAL4+-certified solution has undergone independent evaluation, including code analysis, penetration testing, and architectural validation. For a CA submitting its Electronic AR platform to the ITI’s regulatory process, working with technology already certified at this level means starting from a technically rock-solid foundation.

• CEN/TS 419261:2015 – The European standard defining security requirements for the trusted systems a TSP (Trust Service Provider) uses to issue digital certificates and timestamps, ensuring the integrity and auditability of the entire issuance chain.
• EN 419241 Series – Covers specific requirements for remote QSCD and server-signing, technically governing the core of self-assisted issuance.
• ISO 27001:2022 – Guarantees information security management within the operational environment.
• ISO 9001:2015 – Covers the quality management system.

Together, this portfolio significantly reduces due diligence time for any CA or integrator considering a partnership, and it speaks directly to the regulatory language that the ITI will apply when evaluating Electronic AR platforms in Brazil.

The Right Time for the Right Conversation

CertForum-ID 2026 left a clear message: Brazil is ready to take the next step in its digital trust infrastructure. The 25 years of ICP-Brasil and the 55 million issued National Identity Cards (CINs) are not a destination; they are a launching pad for the era of self-assisted issuance, mobile-accessible cloud-qualified certificates, and a digital identity fully integrated into the daily lives of Brazilian citizens and organizations.

The Brussels Effect has arrived in digital identity segment, and AET Europe, which helped build part of this model in Europe, is on the ground in Brazil. The company knows the ecosystem, speaks the language of the ITI, CAs, and ARs, and it has experience needed to contribute to the debate the market must have right now.

We Are AET EUROPE, Your Partner for Digital Trust

Welcome to AET Europe, where we have been committed to developing reliable and innovative digital security solutions for over two decades. We specialize in protecting sensitive information, securing digital identities, and ensuring the integrity of data and communications for organizations worldwide. Our passion for innovation and our commitment to building trusted relationships set us apart as a leader in the industry. At the heart of everything we do are the values of being progressive, dedicated, ingenious, and trustworthy. 

Crypto ID stands at the forefront of the global digital transformation, delivering high-level analysis on the critical pillars of the digital economy: Cybersecurity, Digital Identity, Cryptography, Biometrics, and Blockchain.

For over more than a decade, we have shaped the conversation around digital trust, providing the market with the insights needed to navigate an increasingly complex security landscape. We believe that trust is not just a concept – it is the foundational currency of the digital future.

By aligning your brand with Crypto ID, you are not just advertising; you are championing the technological innovations that power secure, frictionless transactions between businesses and global citizens|. contato@cryptoid.com.br

More about the International News

O artigo original foi redigido em português. Segue o link abaixo

O Efeito Bruxelas Chegou À Identidade Digital: O Que A Experiência Da AET Europe Ensina Ao Brasil Sobre AR Eletrônica? Assim como o GDPR inspirou praticamente todas as regulações de proteção de dados no cenário global, o eIDAS 2.0 molda os padrões mundiais de confiança digital.