Jim Kent from ITnation spoke to their CEO Fabrice Aresu about the company’s journey.

LuxTrust is celebrating its 20-year anniversary! How long have you been with them and how has the company changed during this time?

I joined the company in 2017, 8 years ago, when we were fewer than 50 people and focused mainly on large Luxembourg-based clients. Since then, the company has evolved largely driven by regulation. We also opened several offices in neighbouring countries and acquired many new customers thanks to our new product suite. So yes, the company has grown significantly. Today, we are more than 130 people and have customers using our solutions all over the world.

I only knew of your authentication activities that I use daily in Luxembourg, so where are you present in Europe and what are you doing there?

In Europe, we opened offices in Paris, Brussels and Monaco. Geography played a key role in this decision. Once we attained a solid base of large customers in a region, it made sense to establish a local presence to better support them. While institutional and banking sectors remain our two core markets, we confirmed the strategic relevance of our solutions across all industries. As a result, we secured clients in Africa and Asia and are well on track to become a global actor.

I understand that authentication is a key part of your offer, but the technology behind authentication is evolving quickly. How are you keeping up?

Authentication relies on electronic identities, which we have invested in from the very beginning. Having a digital identity opens the door to much more than just authentication. It enables access to a wide range of digital services, such as electronic signatures and electronic seals, which are at the heart of the digital transformation of companies worldwide. However, you cannot offer reliable digital services without leveraging trust services. They are subject to strict and continuously evolving regulations. All citizens, especially in Europe, expect guarantees on how their data is handled and protected.

For the past twenty years, we’ve been dedicated to providing our clients with cutting-edge technologies and processes that are fully optimised and adhere to the highest regulatory standards. This is our bread and butter and our unwavering commitment to our customers.

Sam Altman, CEO of Open AI, has recently challenged some of the financial institutions who were still using voice imprint technology to authorize transactions. He said that AI made it too easy to imitate voice, do you share his view?

Absolutely! AI has made tremendous progress and is becoming an increasingly powerful tool, not only for good but also for deception.

It can be used to trick both people and machines. This problem is not new. When encryption first arrived, fake encryption and fraud quickly followed. So, it’s no surprise that fraudsters are using AI to create deep fakes, using voice, video or images. The technology works very well, so I think Altman is right. The key point here is: how do we leverage AI to defend ourselves against the frauds? Fortunately, there are ways to identify AI generated content. This is the classic cat and mouse game between fraudsters and defenders.

Cybersecurity is high on the Luxembourg government’s agenda, perhaps even more so after the attack on POST Luxembourg in the summer. How can LuxTrust help citizens more?

This is a very broad question and one that concerns us all. Scammers always attack the weakest link and we, as humans, remain that link. Under stress, our judgement is impaired, and fraudsters have become increasingly sophisticated at manipulating their targets. The only real defence is awareness, education and a dose of common sense. If your Luxembourg bank calls you at 9pm and sends someone to pick up your credit card at your house, this should immediately raise some red flags. While this example seems obvious, in hindsight, the reality is that when people find themselves in these emotional contexts, they lose their common sense and act as commanded by
the fraudster.

To better support our users, we invest heavily in media campaigns and digital tools. For example, when a person registers on a new device, we assess and analyse the context to detect unusual or strange behaviour, which could raise an alert. Ultimately, the user must remain in control, similarly to banking. A bank can limit your transfers, but in the end, it is your money and your responsibility.

So, it is a trade-off between allowing users to do what they want, while providing sufficient warnings, guidance and education to make informed choices.

With current regulations, are we close to having a true pan-European digital identity?

That’s a very provocative question. In fact, the introduction of a pan-European digital ID was initially envisioned as early as 2016, with the implementation of the original eIDAS regulation. As longtime supporters of these kinds of initiatives, we are encouraged to see them being actively pursued and refined.

However, the reality has been very different. The framework was, frankly, inefficient and poorly adopted by the private sector, meaning that Europeans have not been able to rely on truly interoperable eIDAS digital identities. Simply put, it hasn’t worked as intended. That’s why, nearly eight years later, we’re now looking at eIDAS 2.0.

This updated regulation introduces digital wallets and other tools specifically designed to address those earlier shortcomings – with the ambition of finally delivering a functional, pan-European digital identity that citizens and businesses can use.

With eIDAS 2.0., there’s been far greater involvement from industry and subject-matter experts, resulting in concrete, practical outcomes. For example, citizens will soon be able to use their digital driving license to rent a car in any EU country without providing additional paperwork – and the same will apply to opening a bank account abroad. A true pan-European digital ID will streamline and secure the exchange of verified information.

Where would you put Luxembourg in the league table of successful digital trust services?

In terms of adoption and the spread of Trust services, we are amongst the best in Europe. Usage across the population has reached more than 95%, which is quite an achievement – and this for longer than a decade, if you compare us to France, for instance, where electronic identity schemes are less than 5 years old. Another useful metric is the quality of electronic signatures in use. In contrast to Luxembourg, where we have the highest quality and thus security level, most electronic signatures in France are of low quality. We are not alone. Estonia and parts of Italy have also implemented highquality solutions. Therefore, Luxembourg is among the European leaders in terms of trust, but that is not to say we are among the leaders in digital services.

Since you became CEO, the geopolitical landscape has changed rapidly, and more companies and individuals have become focused on where their data is stored. How are you responding to this and how can companies really understand where their data is stored?

Data sovereignty has always been at the heart of our work. Historically, we stored sensitive data in Luxembourg by default for Luxembourgish customers. As we began selling our services abroad, some clients requested that their data remain in their jurisdiction. Therefore, we invested in systems and partnerships to address these concerns and guarantee ad-hoc data storage.

Recent geopolitical changes, especially in the USA, have raised the issue of sovereignty to an even higher level. Our clients are concerned not only about where their data is stored, but also about who can access it and what would happen if a company or foreign administration suddenly decides that the data is no longer accessible.

We anticipate some changes in the EU regulations and standards regarding cloud computing and data storage.

I would also like to mention the AI consumption of data as another key point. The sources of training data can be obscure. EU citizens are only beginning to discover this through recent media stories such as those involving Meta or We Transfer who changed their terms and conditions to allow the use of customer data for AI training purposes.

This is a critical subject in the coming years. At LuxTrust, we focus on developing solutions that ensure customers’ consent is verifiable and revocable and provide them full transparency on how their data is used.

Businesses want to exchange confidential information in a secure way. Is this an area where LuxTrust can assist?

Since our inception, we have been building mutual trust between parties. While many people know LuxTrust for securing individual access and authentication, our services go far beyond that, particularly in the B2B sector. Whether it’s information or financial data, our role is to ensure the origin, the integrity and the authenticity of the exchange.

We also secure interbank transactions through the MultiLine ecosystem. Every user is authenticated and each transaction is signed using LuxTrust services. We also operate in the space and military sectors, providing traceability and guarantees over data transfer and data consumption. To further strengthen our capabilities, we have invested in our platforms and even acquired a company specialised in secure data transfer bringing secured B2B data transfers solutions for SMEs.

What about for individuals?

Many citizens, when asked to send sensitive information such as their passport might use Dropbox or WeTransfer, while not being aware of the limited protection that internet protocols provide for security. Our ambition has been to take the most secure solutions on the market and to embed within our own solution, thus, offering a much greater degree of security for our users.

What about Quantum computing, are your solutions ready?

Ever since the Enigma machine, the science of cryptography has rapidly evolved, and quantum computing is simply the next step in this evolution. From a corporate perspective, there is no magic, you need to invest early and anticipate.

We have been preparing for the quantum era for years. We fund PhD research, participate in projects and research initiatives, such as those focused on quantum key distribution. We are also part of some European consortia alongside prestigious industry players.

Quantum computing will likely be powerful enough to break certain cryptographic keys. However, quantum-resistant algorithms and mechanisms are already in development. We have already embedded some of them in our technologies. We are committed to staying ahead: continuously testing, adapting and integrating the latest approaches as the technology matures.

What about the future?

The upcoming introduction of the business wallet is going to reshape the market and unlock exciting new use cases for enterprises. In addition, the increasing adoption of Digital Twins will open new perspectives in the way we perform research, innovation, or even make daily decisions. We shall witness major breakthroughs in essential industries such as healthcare, based on the large data sets available and the progresses of AI models. Obviously, the sensitivity of such data requires the highest standards of security and confidentiality.

Luxembourg is making strong progress on these emerging use cases. One of its key strengths is the ability to bring private sector experts and policymakers to the same table quickly. As such, I think Luxembourg can be in a leading position in the Europe’s digital landscape, or at least to be part of the leading pack.

By staying agile and deeply engaged with public and private partners, LuxTrust will continue to democratise digital services and promote a harmonised adoption across Europe. Paving the way for a more secure, efficient, and trustworthy digital economy.