European Blockchain Sandbox: Lessons Learned

Building a Web3 Identity Solution

padding: 12px;

background: var(--button-shadow-color-normal);

border-radius: 8px;

">

TL;DR:

The European Blockchain Sandbox has concluded its second cohort, featuring IOTA Foundation’s Tokenized Know Your Customer Solution with IDnow, walt.id, and Bloom Wallet. The Sandbox provided key lessons on compliant and privacy-preserving identity verification in Web3, including the use of off-chain verification, soulbound tokens, and GDPR-aligned wallet and node practices.

We’ve completed our participation in the European Blockchain Sandbox, a three-year initiative by the European Commission that gives innovative distributed ledger projects the chance to test their solutions with regulators across Europe. Each year, 20 projects are selected to join, and the IOTA Foundation was part of the second cohort, which ran from June 2024 to March 2025.

Our contribution focused on the Tokenized Know Your Customer (KYC) Solution, developed together with IDnow**,** walt.id**,** andBloom Wallet. This proof-of-concept solution lets users verify their identity off-chain and receive a tokenized proof in their wallet. This allows dApps, exchanges, and other services to confirm eligibility requirements (such as age verification) without exposing sensitive data on-chain.

The close of the sandbox is marked by the European Commission’s Best Practices Report for the second cohort. The report shares recommendations and best practices from the program, offering valuable guidance for anyone developing DLT solutions and navigating their regulatory implications.

Key Sandbox Takeaways: Sharing Customer Data

A key focus in the Sandbox was how Anti-Money Laundering (AML) and KYC rules apply in practice. Regulators emphasized that crypto-asset exchanges and other service providers have a legal obligation to know their users’ identities. This is why our Tokenized KYC Solution enables the entity responsible for carrying out a KYC check to obtain access to verified personal data from the identity verification provider (in our case, IDnow). Similarly, authorities like the police can request personal data linked to a specific non-transferable (soulbound) token

To make customer onboarding easier, companies can sometimes reuse KYC data that another entity has already collected. But the rules for doing this vary across Europe. In some countries, data can only be shared among the same category of entities, while broader sharing requires special approval from national authorities. Fortunately, the upcoming Anti-Money Laundering Regulation (AMLR) is expected to harmonize these rules regarding the use of customer information collected by other entities

Key Sandbox Takeaways: Soulbound Tokens

The Report also highlighted key learnings on self-hosted wallets, KYC, and how data is classified on public permissionless DLTs like IOTA. In our Tokenized KYC Solution, only soulbound tokens are recorded on-chain. These tokens don’t contain personal data themselves but prove that the KYC process was completed, with the underlying KYC data stored securely off-chain. The Sandbox noted that such tokens may still be treated as pseudonymized personal data, meaning the GDPR applies. Because this classification may evolve with new case law and guidelines, it requires ongoing review. To minimize data protection risks, our solution follows a data protection by design approach by limiting the amount and type of data shared on-chain. This follows the principle of data protection by design.

Key Sandbox Takeaways: Wallet Providers and Node Operators

Another important topic in the Sandbox was howwallet providers and node operators are classified under the GDPR

• The report concludes that self-hosted wallet providers are not considered data controllers or processors if the wallet runs solely on the user's device without relying on an external backend. In our Tokenized KYC Solution, verified identity data stays off-chain with IDnow, while the user’s self-hosted wallet only holds a soulbound KYC attestation. This design aligns with the GDPR guidance: responsibility for personal data rests with the entities that actually access or use it – for example, IDnow for verification and off-chain data storage and, where applicable, an integrating service like a dApp or exchange when it lawfully requests or uses the data.
• The GDPR classification of node operators needs careful nuance. As we recently commented on the European Data Protection Board’s European Data Protection Board's guidelines for personal data in blockchains, nodes perform only technical functions; they neither determine nor control the purposes of data processing. Treating them as controllers would misrepresent their role and impose disproportionate obligations. Our Tokenized KYC Solution reinforces this distinction. Verified identity data stays off-chain with IDnow, while the chain records only a non-transferable KYC attestation without personal attributes. Nodes simply relay or validate this pseudonymised attestation and never access the identity dataset. Even if such attestations qualify as personal data, the design minimizes on-chain exposure and ensures accountability rests with the entities that actually process identity information. This provides a workable path to meet AML/KYC requirements while respecting data-protection principles.

The Future of Tokenized KYC?

New regulations like the Transfer of Funds Regulation and Anti-Money Laundering Regulation require entities like cryptoasset exchanges to hold data about the user of a self-hosted wallet and to identify the owner of the self-hosted wallet. At the same time, dApps and DeFi operators are increasingly looking for ways to enable compliant identity checks without compromising privacy and security. There is an increasing need for on-chain identification tools to ensure smooth and compliant interactions in Web3 ecosystems

Our proof-of-concept Tokenized KYC Solution brings together all the necessary steps into one easy-to-use tool:

• A trusted party witnesses an identification process and tokenizes it as a soulbound token, allowing dApps and other entities to have confidence in the identification process, without revealing the actual Personally Identifiable Information
• The soulbound token can be used for on-chain processes, allowing Web3 native interactions.
• The trusted party can reveal the identity information if requested by an authorised party (e.g., law enforcement)
• The trusted party can also revoke the token if an invalidation is needed (e.g., watchlist changes).

Following the completion of this project, the rebased IOTA Mainnet has launched with a new architecture based on the Move Virtual Machine. To support use cases like the Tokenized KYC Solution, we’ve developed the IOTA Trust Framework, a suite of composable infrastructure components, each developed with privacy, compliance, and usability in mind.

We want to thank IDnow**,** walt.id**,** andBloom Wallet for their dedication and hard work in this project! The solution successfully showcased an easy-to-use, compliant, and privacy-preserving solution for the Web3 space.