The next big cyberattack won’t steal your data: it will steal your digital identity
The most dangerous attack scenario: valid but fraudulent proof.
A digital proof is not a simple file. It is what allows a person, company or machine to demonstrate identity, quality, right, authorization, signature, transaction or compliance. When this evidence is compromised, the attacker is not just stealing information. They gain the ability to act.
This is the hard point of the subject. The risk is no longer just data leakage. The risk is that an attacker could act as a legitimate entity, produce credible evidence and trigger legal, financial or operational effects.
Digital identity becomes security infrastructure
Europe is moving quickly in this area. The European digital identity framework requires member states to provide digital identity wallets to citizens, residents and businesses. These wallets must make it possible to prove one’s identity, store and share digital documents and sign electronically in an interoperable framework.
This change is major. Digital identity will no longer be just a public service or an authentication tool. It will become an infrastructure layer used by banks, platforms, employers, administrations, insurers, regulated operators and sensitive digital services.
The cyber consequence is direct: anything that issues, stores, verifies, revokes or exploits proof of identity becomes a target.
The real subject is not the wallet. It is the chain of proof.
The public debate will focus on the wallet: mobile application, ergonomics, adoption, data protection. That view is too narrow.
The real risk lies throughout the chain:
The issuer of the proof.
The wallet that stores it.
The user terminal.
The service that checks it.
The API that carries the information.
The register that anchors the attestation.
The revocation system.
The recovery mechanism.
The logs that prove what happened.
The service provider who operates part of the infrastructure.
A flaw in a single link may be enough. The attacker does not need to break the whole model. They only need to compromise the link where trust is least controlled.
Blockchain does not solve the cyber problem
Blockchain can strengthen certain use cases: traceability, timestamping, shared ledger, proof of integrity, transfer of digital assets. MiCA also provides a European framework for crypto-assets, with rules on issuance, public offering, admission to trading and service providers for crypto-assets.
But blockchain does not automatically secure the ecosystem.
A blockchain can be robust while the private key is stolen.
A smart contract can be audited while the oracle is manipulated.
A register can be tamper-proof while the data initially entered is false.
A wallet can be compliant while the user terminal is compromised.
Governance can be said to be decentralized while critical rights remain concentrated.
The subject is therefore not “blockchain or not blockchain”. The question is more demanding: who controls the evidence, who can modify it, who can revoke it, who can challenge it, who can audit it and who bears responsibility in the event of compromise.
The most dangerous attack scenario: valid but fraudulent proof
The worst incident will not necessarily be spectacular. It will not look like ransomware, with a red screen and systems at a standstill.
It will look more like a normal operation.
A user presents a valid certificate.
An account is opened.
A transfer is authorized.
A signature is accepted.
Privileged access is granted.
A right is exercised.
A transaction is recorded.
An internal control validates the operation.
Then the company discovers that the proof was technically legitimate, but fraudulent in its origin, use or context.
This is a problem on another level. When digital evidence is compromised, the line between cyber incident, fraud, litigation and regulatory crisis disappears.
NIS2 requires treating identity as a critical asset
NIS2 pushes organizations towards a more structured risk management logic. In France, ANSSI has made the Cyber France Framework available since March 17, 2026 to support the entities concerned in achieving NIS2 security objectives.
For cyber departments, the message is clear: digital identity must be integrated into the risk perimeter. Not as a peripheral building block, but as a critical asset.
This involves precise mapping of human, technical and organizational identities. It also requires treating wallets, keys, certificates, tokens, APIs, verification services, registries and trust providers as first-class security components.
The new cyber doctrine: securing issuance, use and revocation
A serious strategy must cover three moments.
First, issuance. Who creates the proof? On what data? With what level of verification? By what procedure? With what controls against documentary fraud, impersonation and internal corruption?
Then, use. Where is the evidence presented? What services? With what risk signals? What anomaly detection? What contextual limitation? What level of logging?
Finally, revocation. What happens if a key is stolen? What if a wallet is compromised? If a certificate is fraudulent? If a supplier fails? Should a proof be invalidated after use?
Without controlled revocation, there is no digital trust. There is only irreversible trust. And irreversibility is an operational risk.
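The “valid but fraudulent proof” scenario above and the issuance/use/revocation doctrine just described come down to one verifier rule: a correct signature is necessary but never sufficient. The following is an added illustration, not code from the article or from any wallet or eIDAS implementation. It uses HMAC with constructed keys as a stand-in for the asymmetric issuer and holder signatures a real ecosystem would use, assumes the relying party knows each holder's key, and uses a fixed clock and constructed identifiers so it runs offline. It shows the same credential being accepted once and then rejected on replay, on presentation to the wrong service, without the holder's key, and after revocation, while its issuer signature stays valid throughout.

```python
import hashlib
import hmac
import json

# Constructed keys (assumption: symmetric HMAC keys stand in for the issuer's and
# holder's signing keys so the example runs with the standard library only).
ISSUER_KEY = b"constructed-issuer-key-for-illustration"


def _canonical(obj: dict) -> bytes:
    # Deterministic serialisation so signer and verifier hash identical bytes
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_credential(claims: dict, key: bytes = ISSUER_KEY) -> dict:
    """Issuance: the issuer binds a set of claims to a signature."""
    return {"claims": claims, "sig": hmac.new(key, _canonical(claims), hashlib.sha256).hexdigest()}


def signature_ok(cred: dict, key: bytes = ISSUER_KEY) -> bool:
    """Integrity only: does the issuer signature match the claims?"""
    expected = hmac.new(key, _canonical(cred["claims"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cred["sig"])


def present(cred: dict, holder_key: bytes, aud: str, nonce: str) -> dict:
    """Use: the holder binds the credential to one verifier and one nonce."""
    msg = f"{cred['claims']['id']}|{aud}|{nonce}".encode()
    return {"credential": cred, "aud": aud, "nonce": nonce,
            "holder_sig": hmac.new(holder_key, msg, hashlib.sha256).hexdigest()}


class Verifier:
    """A relying party that does not stop at 'signature valid'."""

    def __init__(self, audience: str, revoked_ids: set[str], holder_keys: dict[str, bytes]):
        self.audience = audience
        self.revoked = revoked_ids          # revocation list published by the issuer
        self.holder_keys = holder_keys      # assumption: holder keys are registered with the verifier
        self.seen_nonces: set[str] = set()  # each presentation may be consumed once

    def verify(self, presentation: dict, now: float) -> tuple[bool, str]:
        cred = presentation["credential"]
        claims = cred["claims"]
        # 1. Integrity: the issuer really produced these claims
        if not signature_ok(cred):
            return False, "bad signature"
        # 2. Revocation: a correct signature on a withdrawn credential is still fraud
        if claims["id"] in self.revoked:
            return False, "revoked"
        # 3. Validity window
        if not (claims["nbf"] <= now < claims["exp"]):
            return False, "outside validity window"
        # 4. Holder binding: the party presenting the proof controls the holder key
        holder_key = self.holder_keys.get(claims["holder"])
        msg = f"{claims['id']}|{presentation['aud']}|{presentation['nonce']}".encode()
        expected = hmac.new(holder_key or b"", msg, hashlib.sha256).hexdigest()
        if holder_key is None or not hmac.compare_digest(expected, presentation["holder_sig"]):
            return False, "holder binding failed"
        # 5. Context: the proof was meant for this verifier, not for another service
        if presentation["aud"] != self.audience:
            return False, "wrong audience"
        # 6. Freshness: replaying a genuine presentation is rejected
        if presentation["nonce"] in self.seen_nonces:
            return False, "replayed presentation"
        self.seen_nonces.add(presentation["nonce"])
        return True, "accepted"


def demo() -> dict:
    """Walks one constructed credential through the outcomes the article describes."""
    now = 1_700_000_000.0  # fixed clock so the run is deterministic
    holder_key = b"constructed-holder-key"
    cred = sign_credential({"id": "cred-001", "holder": "holder-A", "claim": "age_over_18",
                            "nbf": now - 60, "exp": now + 3600})
    bank = Verifier("bank.example", set(), {"holder-A": holder_key})
    results = {}
    p = present(cred, holder_key, "bank.example", "nonce-1")
    results["genuine"] = bank.verify(p, now)[1]
    results["replay"] = bank.verify(p, now)[1]  # same presentation a second time
    broker = Verifier("broker.example", set(), {"holder-A": holder_key})
    results["wrong_audience"] = broker.verify(p, now)[1]  # proof meant for the bank
    without_key = present(cred, b"constructed-wrong-key", "bank.example", "nonce-2")
    results["no_holder_key"] = bank.verify(without_key, now)[1]
    bank.revoked.add("cred-001")  # issuer withdraws the credential; bytes unchanged
    results["revoked"] = bank.verify(present(cred, holder_key, "bank.example", "nonce-3"), now)[1]
    results["signature_still_valid_after_revocation"] = signature_ok(cred)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The order of the checks is deliberate: signature and revocation are decided against issuer-controlled data, the validity window against time, and holder binding, audience and nonce against the context of this particular use. A verifier that logs which check rejected a presentation produces exactly the “logs that prove what happened” the chain-of-proof section calls for.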
Businesses must stop blindly delegating trust
The trap would be to consider digital identity a matter for suppliers alone. That would be a mistake.
A service provider can provide a wallet.
A publisher can provide an identity solution.
A blockchain can provide a ledger.
An authority can provide a framework.
A regulator can provide obligations.
But the company remains responsible for its access decisions, its accepted evidence, its supplier risks, its logs, its recovery processes and its controls.
The question to ask is not: “is the solution compliant?”
The real question is: “If this evidence is compromised, what business decisions can be triggered, and how much does it cost?”
COMEX must understand risk in one sentence
A compromised identity allows entry.
Compromised evidence allows action.
A compromised chain of proof allows the action to be accepted as legitimate.
That is the turning point.
The CISO must no longer only protect directories, workstations, servers and applications. They must protect the mechanisms that allow the company to distinguish a legitimate action from a fraudulent one.
In regulated sectors, this subject will become central: finance, insurance, health, energy, industry, public services, crypto-assets, platforms, supply chain, telecoms.
Conclusion
Digital identity, wallets, verifiable certificates, signatures and distributed ledgers will become trust infrastructures. They will therefore become targets.
The issue is not whether these technologies are useful. They are. The question is whether they will be operated with a level of security consistent with the effects they produce.
A digital proof that opens a right, signs a contract, validates a transaction or grants access must never be treated as simple data.
It must be treated as a critical asset.
The next stage of cyber maturity will not only be about preventing intrusion. It will be about preventing a fraudulent action from being accepted as legitimate.