Multi-entity Control-based Risk Assessment: A European Digital Identity Wallet Use Case

Majid Mollaeefar; Amir Sharif; Zahra Ebadi Ansaroudi; Giada Sciarretta; Silvio Ranise

In press

Abstract

The European Digital Identity Wallet (EUDI Wallet) has emerged as a user-centric solution for securely storing and managing digital credentials in compliance with the revised regulation on electronic Identification, Authentication, and Trust Services (eIDAS 2.0). Existing assessment frameworks for the EUDI Wallet tend either to focus solely on threat modeling without quantifying risk severity, or to assume a centralized control model that attributes mitigation responsibilities to a single entity in the EUDI Wallet ecosystem. In reality, effective risk mitigation in the EUDI Wallet ecosystem hinges on cross-entity collaboration. To address this gap, we introduce a multi-entity control-based risk assessment methodology that integrates impact and likelihood factors with entity-specific privacy and security control attribution at multiple implementation levels. Our methodology supports both entity-specific and system-wide evaluations, enabling actionable prioritization of security and privacy controls under varying implementation scenarios. We have implemented our methodology in a tool called DIWAR (Digital Identity Wallet Analysis and Risk Assessment) and tested it against a set of threats in the context of the EUDI Wallet ecosystem, demonstrating how DIWAR bridges theoretical risk modeling with operational decision-making and ultimately enhances the resilience of the entire EUDI Wallet ecosystem.
Files in this record:
No files are associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11582/363247
