In the current reference framework, the provider of the wallet is to be registered as a trusted party (see link: EUDI wallet provider to Trusted List Registrar). However, there's no such requirement for the wallet provider's own suppliers. This allows a wallet provider to use non-trusted parties as a supplier, thus increasing the risk for a supply chain attack on the wallet eco-system, eroding the trust level of the eco-system.
In the current reference framework, the provider of the wallet is to be registered as a trusted party (see link: EUDI wallet provider to Trusted List Registrar). However, there's no such requirement for the wallet provider's own suppliers. This allows a wallet provider to use non-trusted parties as a supplier, thus increasing the risk for a supply chain attack on the wallet eco-system, eroding the trust level of the eco-system.