European Identity & Cloud Conference 2026 in Berlin

Agentic AI

The next evolution in AI: Agents. The main difference between Generative AI and Agentic AI is that agents use tokens and perform agnostic tasks for us. We delegate these agents to use resources and data where it's deemed appropriate. However, before we can delegate agents, we must be able to identify them. AI Identity becomes a real challenge when AI agents spawn other AI agents to delegate tasks. Preferably, we can trace back every AI agent back to the human identity and register every AI agent to provide identity and trust.

EU Sovereignty

The next unavoidable topic is about the dependency that European IT services have on American cloud providers. A large majority of our critical workloads are built on US cloud. Recent political tensions and trade sanctions have sped up the wish for a sovereign EU built cloud where identity and data of all EU citizens can be kept safe from foreign political powers.

The European Commission (EC) has created a framework for cloud sovereignty. It specifies 5 levels of Sovereign Effective Assurance Level (SEAL):

0 - No Sovereignty - Service, technology or operations under exclusive control of non-EU third parties, entirely in non-EU jurisdiction.

1 - Jurisdictional Sovereignty - EU law formally applies with limit enforceability. Service, technology or operations under exclusive control of non-EU third parties

2 - Data Sovereignty - EU law applicable and enforceable with material non-EU dependencies. Service, technology or operations under indirect control of non-EU third parties

3 - Digital Resilience - EU law applicable and enforceable. EU actors exercising meaningful but not full influence. Service, technology or operations under marginal control of non-EU third parties.

4 - Full Digital Sovereignty - Technology and operations under complete EU control, subject only to EU law, with no critical non-EU dependencies.

Since Identity is considered a critical workload, the Rabobank CIAM department is investigating their approach to achieve appropriate digital sovereignty. Wish to read more? See the link to the EC document below this article.

EU Wallets

Meant to keep identity safe and provide free choice of identity provider to all EU citizens are the EU Digital Identity Wallets. The wallet allows you to prove who you are and safely sign for contracts, a bank account or education. The first wallets should be available for the consumer market before the end of 2026. Some key notes also highlighted the developments and challenges with business wallets that are coming out quite soon as well.

Post Quantum Cryptography

Quantum computing is expected to break asymmetric key encryption (RSA, ECC, DH) somewhere in the early 2030s. Strong encryption levels can be broken in mere seconds by a quantum computer with sufficient computing power. The crux is - we don't know exactly when such hardware will be available and to whom it will be available once it exists. Fact is, once the asymmetric cryptography is broken, it impacts every service or component in our current infrastructure: TLS, FIDO, OAuth, OIDC.

Hackers also target data encrypted with strong encryption to break once such hardware becomes available to them. This practise is called ‘Harvest now, Decrypt later’.

Post Quantum Cryptography (PQC) is already available: Module-Lattice based cryptography (ML-KEM & ML-DSA). However, not all hardware currently in use is able to run this cryptographic method, possibly making them unable to adapt to post-quantum cryptography.

Most cloud vendors are aiming to fully adapt to PQC around 2030, making all their services, communication and signatures quantum ready by that time.

Links

https://commission.europa.eu/document/download/09579818-64a6-4dd5-9577-446ab6219113_en?filename=Cloud-Sovereignty-Framework.pdf