European Blockchain Sandbox: Lessons Learned

Building a Web3 identity solution

TL;DR:

The European Blockchain Sandbox has completed its second cohort, with IOTA Foundation’s Tokenized Know Your Customer solution featuring IDnow, walt.id and Bloom Wallet. The Sandbox provided important lessons about compliant and privacy-preserving identity authentication in Web3, including the use of off-chain authentication, soulbound tokens, and GDPR-aligned wallet and node practices.

We have confirmed our participation in the European Blockchain Sandboxa three-year initiative from the European Commission that gives innovative distributed ledger projects the opportunity to test their solutions with regulators across Europe. Twenty projects are selected to participate each year, and the IOTA Foundation was part of the second cohort, which ran from June 2024 to March 2025.

Our contribution focused on the Tokenized Know Your Customer (KYC) solutiondeveloped together with IDnow, walt.id, AndBloom wallet. This proof-of-concept solution allows users to verify their identity off-chain and receive a tokenized proof in their wallet. This allows dApps, exchanges and other services to confirm eligibility requirements (such as age verification) without exposing sensitive data on-chain.

The closure of the sandbox is marked by that of the European Commission Best practice report for the second cohort. The report shares recommendations and best practices from the program, offer valuable guidance for anyone developing DLT solutions and navigating their regulatory implications.

Top Sandbox Tips: Share Customer Data

An important focus in the Sandbox was how Anti-money laundering (AML) and KYC In practice, rules apply. Regulators emphasized that crypto asset exchanges and other service providers have a legal obligation to know the identities of their users. This is why our Tokenized KYC Solution enables the entity responsible for conducting a KYC check to access verified personal data from the identity verification provider (in our case IDnow). Similarly, authorities such as the police can request personal data linked to a specific non-transferable (soulbound) token.

To make customer onboarding More easily, companies can sometimes reuse KYC data that another entity has already collected. But the rules for doing this vary across Europe. In some countries, data can only be shared between the same category of entities, while broader sharing requires special approval from national authorities. Fortunately the next one Anti-Money Laundering Regulation (AMLR) is expected to harmonize these rules regarding the use of customer information collected by other entities.

Key Sandbox Takeaways: Soulbound Tokens

The report also highlighted key lessons on this self-hosted wallets, KYC, and how data is classified on public DLTs without permission such as IOTA. In our Tokenized KYC solution, only soul-bound tokens are registered on-chain. These tokens do not contain any personal data themselves, but prove that the KYC process has been completed, with the underlying KYC data stored securely off-chain. The Sandbox noted that such tokens can still be treated as pseudonymised personal data, meaning the GDPR applies. Because this classification may evolve due to new case law and guidelines, continued evaluation is required. To minimize data protection risks, our solution takes a data protection by design approach, limiting the amount and type of data shared across the chain. This follows the principle of data protection by design.

Key Sandbox Points: Wallet providers and node operators

Another important topic in the Sandbox was how wallet providers and node operators are classified under GDPR.

The report concludes that self-hosted wallet providers are not considered data controllers or processors if the wallet runs exclusively on the user’s device, without relying on an external backend. In our Tokenized KYC solution, verified identity data remains off-chain with IDnow, while the user-hosted wallet only contains a soul-bound KYC attestation. This design is consistent with GDPR guidelines: responsibility for personal data lies with the entities that actually access or use it – for example IDnow for authentication and off-chain data storage and, where applicable, an integrating service such as a dApp or exchange when it lawfully accesses or uses the data.
The GDPR classification of node operators needs careful nuance. As we recently noted about the findings of the European Data Protection Board European Data Protection Council Guidelines for personal data in blockchains, nodes perform only technical functions; they neither determine nor control the purposes of data processing. Treating them as controllers would misrepresent their role and impose disproportionate obligations. Our Tokenized KYC solution strengthens this distinction. Verified identity data remains outside the chain at IDnow, while the chain only registers a non-transferable KYC certificate without personal characteristics. Nodes simply pass or validate this pseudonymized attestation and never have access to the identity dataset. Even if such attestations qualify as personal data, the design minimizes exposure in the chain and ensures that responsibility lies with the entities that actually process identity information. This provides a workable path to meet AML/KYC requirements while respecting rel=”noreferrer”>Money transfer regulation and the Anti-Money Laundering Regulation require entities such as cryptoasset exchanges to maintain data about the user of a self-hosted wallet and to identify the owner of the self-hosted wallet. At the same time, dApps and DeFi operators are increasingly looking for ways to enable compliant identity checks without compromising privacy and security. There is an increasing need for on-chain identification tools to ensure smooth and compliant interactions in Web3 ecosystems.
Our proof-of-concept Tokenized KYC solution brings together all the necessary steps in one easy-to-use tool:
- A trusted party witnesses an identification process and tokenizes it as a soul-bound token, allowing dApps and other entities to have confidence in the identification process without revealing the actual personally identifiable information.
- The soulbound token can be used for on-chain processes, enabling Web3-native interactions.
- The trusted party may release the identity information if requested by an authorized party (e.g., law enforcement).
- The trusted party can also revoke the token if an invalidation is necessary (for example, watchlist changes).
Following the completion of this project, the re-based IOTA Mainnet was launched with a new architecture based on the Move Virtual Machine. To support use cases like the Tokenized KYC solution, we have the IOTA trust frameworka set of composable infrastructure components, each designed with privacy, compliance, and usability in mind.

Source link

What's Hot

Ethereum Rising Wedge Warning: A disruption could send the price to $1,500

Could Jane Street’s $19 Million Bitcoin Sale Create New Liquidation Risks?

A groundbreaking leap into the consumer future of decentralized AI

A groundbreaking leap into the consumer future of decentralized AI

BitGo to Power SoFiUSD Stablecoin Infrastructure as SoFi Launches First Nationally Chartered Bank Token

AINFT extends multi-chain AI services with BNB chain integration

CMC Markets Begins 24/7 Blockchain Settlements with JP Morgan’s Kinexys

Chainlink helped Visa, ANZ and Fidelity do what banks have been trying to do for years

US lawmakers consider ban on prediction markets amid bets on Iran

De volatiliteit van Bitcoin zou in april kunnen exploderen als SEC de markt achter de ETF-leverage beoordeelt

Crypto company Kraken secures a direct link to Federal Reserve payments

Bitcoin’s $85 billion derivatives engine may move onshore as CFTC eyes April approval

De deadline voor stablecoins van het Witte Huis verstrijkt terwijl de CLARITY Act vastloopt

Billionaire Peter Thiel dumps a $74,400,000 stake in three assets, including one of Warren Buffett’s favorites

Bitcoin Price Rally Slows, Consolidation Signals Possible Next Step

XRP Price Ladder Shows What Conditions Are Needed for $18, $100, and $500

Bitcoin’s rally from $73,000 faces a crucial test as momentum looks to change

‘Good Times Have Arrived’ – Trader Michaël van de Poppe Says the Bitcoin Bear Phase is Over – Here Are His Goals

What Is Wrapped ETH (WETH) and Why Do You Need It in DeFi?

What Is Crypto Protocol and Why Coins Need It

Wat is Liquid Proof-of-Stake: uitgelegd voor beginners

The 9 Most Common Crypto Scam Types

Sidechains Explained: What They Are, How They Work, and Why They Matter

A groundbreaking leap into the consumer future of decentralized AI

BitGo to Power SoFiUSD Stablecoin Infrastructure as SoFi Launches First Nationally Chartered Bank Token

AINFT extends multi-chain AI services with BNB chain integration

CMC Markets Begins 24/7 Blockchain Settlements with JP Morgan’s Kinexys

Ethereum Bulls Eye New Records despite market volatility – What drives sentiment?

check your eligibility

Bitcoin Price Takes a Big Hit, But Uptrend Is Far From Over – Here’s Why

Bitcoin slides 5%, whales take a profit – is it time to sell or do you have to wait?

Ripple CLO says XRP ruling bodes well for Coinbase, Binance SEC cases

Sandeep Nailwal welcomes UFC-Polymarket deal powered by Polygon

Could XRP Rise After US Elections? Data points to huge rally

Top Insights

Ethereum Rising Wedge Warning: A disruption could send the price to $1,500

Could Jane Street’s $19 Million Bitcoin Sale Create New Liquidation Risks?

A groundbreaking leap into the consumer future of decentralized AI

What's Hot

European Blockchain Sandbox: Lessons Learned

Building a Web3 identity solution

Top Sandbox Tips: Share Customer Data

Key Sandbox Takeaways: Soulbound Tokens

Key Sandbox Points: Wallet providers and node operators

Related Posts

Subscribe to Updates