Essential EU government services cannot be devised on the hope that US companies will invent something that - contrary to current US legislation - will somehow provide the attestation services needed in a GDPR-compliant way without forcing EU citizens to provide personal data to US companies.

If it's not possible to create such a system for mobile phones because of legal issues (as you seem to acknowledge and judges have found in the past), then the focus would have to be on creating hardware devices in the EU, ideally with open source hardware and software. These can be made reasonably secure, have been used by banks for a long time, and would enhance digital sovereignty.

What I find unacceptable is the attitude "well, it will violate the law but as a matter of practicality it's the only choice we have right now so we'll just do it."

> Essential EU government services cannot be devised on the hope that US companies...

I don't disagree. I am just pointing out that this is wishful thinking right now.

As said, Europe has zero footprint in hardware or software so the choice is either not to develop any digital services or to accept that they will run on foreign hardware/software because everything is either Android or Apple and runs on hardware that is from US/Taiwan/China.

Developing homegrown alternatives is pie in the sky or a 20 year project if we are optimistic (which I am not)...

Frankly, many comments, and the reactions to mine, show how out of touch and idealistic or naive the HN crowd can be.

EU can build token-generation hardware and that's the solution to the perceived problem. Such approaches have been used by banks for decades. It's not a "20 years project" to issue similar hardware to what my German bank issued 10+ years ago. I've explicitly stated in my post that the EU should not build a software solution for smartphones with US operating systems since this approach violates the GDPR and other laws because of a fundamental incompatibility of EU law with the US CLOUD Act that has been recognized by judges already. The proposed solution you seem to favor is illegal.

If I'm right, you're the person ignoring reality and basing their judgment on wishful thinking, not me. I understand why you want to have a smartphone solution ("practicality") but AFAIK that's currently not a viable approach. I might be wrong about the legal situation but that's what I've claimed. Just repeating your talking point is not a reasonable reply to these legal concerns. In addition to this, there are also serious national security concerns, of course.