From post-quantum cryptography to cross-continental Digital Product Passports, the infrastructure of global digital trust is being built right now. Here’s what the frontlines look like.

Despite significant strides being made in digital identity and trust services over the last decade or so, one uncomfortable truth remains: trust rarely extends beyond national borders. In Europe, of course, this is beginning to change. In fact, the European Union already has a wide range of regulations that aim to standardise digital identities (eIDAS), privacy (GDPR), and cybersecurity (e.g. the Cybersecurity Act and NIS2).

Outside of Europe, however, the picture looks very different. Although a document or electronic transaction verified through an EU-accredited process is trusted within the bloc’s regulatory perimeter, it is largely invisible outside it.

This is not a technical failure. Indeed, the building blocks of digital trust — certificates, signatures, trust lists — were designed to be interoperable. The ‘border barriers’ are legal, regulatory and political. And they are beginning, slowly, to come down…

This was just one topic of discussion at the recent Cloud Signature Consortium Trust Without Borders Summit 2026 in Bogotá, Colombia. This year’s event was the largest gathering in history, drawing 150 regulators, trust service providers, technologists, and policymakers from 25 countries across four continents. IDnow was there, not as spectators, but as active participants: presenting, debating, and helping to shape the direction of the conversation, standards and frameworks that will define the infrastructure of digital trust for years to come.

Sebastian Elfors, Chief Security Officer at IDnow Trust Services and an active contributor to ETSI, CEN and ENISA standardisation working groups, has been tracking these technical shifts closely.

“The technical groundwork for EU-Mercosur (South American trade bloc) interoperability is further along than people might expect. The Mercosur List of Trusted Lists mirrors the EU’s own architecture in meaningful ways,” said Sebastian.

“The harder work now is on the legal, audit and supervision side — getting those frameworks to a place where the EU can formally recognise them. But the direction of travel is clear, and the appetite is genuinely strong.”
Sebastian Elfors, Chief Security Officer at IDnow Trust Services.

The Architecture of Cross-Border Trust.

The Mercosur trading bloc — comprising Argentina, Brazil, Paraguay, and Uruguay — offers one of the most instructive case studies in what cross-border digital trust can look like when the political will exists.

Each Mercosur country has established a national trust list, and those lists are federated into a Mercosur List of Trusted Lists (LOTL). The structure deliberately mirrors the EU’s own trust list architecture, and eIDAS provides a legal pathway for the EU to formally recognise third-country trust lists. The technical foundation, in other words, is already in place.

What remains is the harder layer: legal equivalence, audit alignment and supervisory recognition. For the EU to extend mutual recognition to Mercosur’s trust infrastructure, it must be satisfied that the governance frameworks underpinning those lists meet comparable standards. Although the work is underway, it will take time and sustained engagement from both sides.

Passports for Products?

The urgency of that engagement is about to become considerably more concrete — and it comes in a form that many outside the digital trust community will not have anticipated: product passports.

The Digital Product Passport (DPP), mandated under the EU Ecodesign for Sustainable Products Regulation (ESPR), comes into force in 2027. Although the concept is straightforward in principle (think of it as an identity document for goods), the implications are considerable. DPPs provide a standardised digital record attached to a product and carry verified information about its origin, composition, repairability, and environmental footprint.

What makes the DPP directly relevant to the cross-border trust discussion is the requirement that each passport be sealed by a qualified certificate issued by an EU-accredited Qualified Trust Service Provider (QTSP).

Several Mercosur nations rank among the EU’s most significant trade partners in agri-food, chemicals, and manufactured goods — precisely the sectors the ESPR targets first. From 2027, a Brazilian soy exporter, an Argentine chemicals producer, or a Uruguayan agricultural supplier will need to be able to issue a DPP, and that DPP will need to carry a qualified electronic seal, applied by a qualified certificate issued by a QTSP in the EU. The question of how a company in Buenos Aires or São Paulo obtains that certificate from a European QTSP — and how that enrolment process can work at scale across multiple jurisdictions — is now a tangible problem with a hard deadline.

This is where the interoperability work between the EU and Mercosur stops being an exercise in technical alignment and starts being a business imperative. The trust infrastructure being negotiated today will determine whether LatAm exporters can meet their obligations in 2027 or find themselves locked out of one of the world’s largest markets by a qualification they cannot yet obtain.

The Quantum Shadow Over Digital Signatures.

While the interoperability challenge is pressing, it shares the agenda with a threat that operates on a longer — but no less certain — timeline: the arrival of cryptographically relevant quantum computing.

The risk is well understood among security specialists. Sufficiently powerful quantum computers will be capable of breaking the asymmetric encryption that underpins today’s digital signatures and secure communications. For data that is merely transmitted and consumed, this presents a future problem. For data that is being harvested and stored today with the intention of decrypting it once quantum capability matures — the so-called ‘Harvest Now, Decrypt Later’ attack — the problem already exists.

The implications for long-term digital trust are significant. A contract signed today, a certificate issued this year, an identity assertion made in 2026 — all of these may carry cryptographic vulnerabilities that only become exploitable years from now. Industries that depend on the long-term validity of digital signatures — legal, financial, regulatory — need to be thinking about this now.

For digital signatures specifically, long-term Advanced Electronic Signatures (AdES/ AES) — properly time-stamped, preserved, and archived according to ETSI standards — offer a meaningful line of defence. “Long-term AdES offers protection against post-quantum attacks on digital signatures,” Sebastian explains. “The more difficult problem is encrypted data, which remains vulnerable to Harvest Now, Decrypt Later cybersecurity attacks. But the standards community is moving, and the The Internet Engineering Task Force (IETF) has proposed a new draft standard Merkle Tree Certificates that protect against the migration challenges of Post-Quantum Cryptography (PQC) by optimising certificate size and reducing signature overhead.”

Sebastian also presented the ETSI standardisation work of selective disclosure and zero-knowledge proofs and how Qualified Electronic Attestations of Attributes (QEAAs) can be embedded into AdESsignatures. Embedding QEAAs into AdES signatures will allow for role-based attributes (such as a doctor’s license) to be included in an AdES signature. This could result in an update to the CSC API, which in turn could be profiled by the ETSI standard.

Showing Up Where It Matters.

None of this progress happens by itself. Standards are written by people who show up to write them. Frameworks are negotiated by organisations that send representatives to the table and genuine interoperability is built through sustained technical engagement.

“Trust is perhaps the most crucial global infrastructure of our time.”
Johannes Leser, Managing Director of IDnow Trust Services.

“What struck me most was the sense of shared purpose at this event. Yes, we were discussing problems, but we were also shaping solutions. That’s why it matters for IDnow to be in these rooms. And with the next gathering set to expand to Asia, bringing in representatives from every continent, the ambition is only growing,” added Johannes.

The conversations happening in this space, especially around cross-border credential recognition and how digital trust can scale globally without sacrificing sovereignty or security are incredibly important. They will determine the shape of the infrastructure that businesses, governments and individuals rely on for decades to come.

For IDnow, being part of those conversations is key to our mission of building identity and trust solutions that are technically rigorous, standards-compliant and ready for the world of tomorrow — not only today.

The borders that digital trust cannot yet cross are real. But the people working to remove them are in rooms like we were in at the Trust Without Borders Summit 2026. And the timeline is moving faster than most realise.