TI 2.0 & Sectoral Identity Federation: What DiGA Manufacturers Need to Know About the New Telematics Infrastructure

azuma Team
Core Team

The Telematics Infrastructure (TI) is the digital backbone of the German healthcare system – and it is currently undergoing the biggest transformation in its history. Under the banner of TI 2.0, gematik is gradually replacing the hardware-centric architecture of connectors and cards with an internet-based, identity-centric model. For DiGA manufacturers, this is not a distant infrastructure question, but the framework in which GesundheitsID, ePA, and e-prescriptions operate.

This article explains what changes with TI 2.0, how the sectoral identity federation works, and what this specifically means for connecting your application.

From TI 1.0 to TI 2.0: The Architectural Shift

The classic TI (often called TI 1.0) is heavily hardware-bound: access via connectors, authentication via physical cards like the eGK (insured persons) and SMC-B/HBA (healthcare providers), secured via dedicated VPN routes. This is secure, but inflexible, expensive to operate, and poorly suited for mobile, app-based applications.

TI 2.0 reimagines this: away from the card and the connector, towards internet-based access where identities – not network boundaries – establish trust. Important: TI 1.0 and TI 2.0 exist in parallel during a multi-year transition phase; the shift happens gradually, not overnight.

The Four Principles of TI 2.0

gematik describes TI 2.0 via several core features that shape the new model:

  • Internet-based: Access via the open internet instead of via connector and VPN, secured at the application layer.
  • Modular: Loosely coupled services instead of a monolithic infrastructure – individual building blocks can be developed independently.
  • Standard-based: Established industry standards like OAuth 2.0, OpenID Connect, and OIDC Federation instead of proprietary procedures.
  • Identity-centric (Zero Trust): Every access is verified based on a verified digital identity. Trust is no longer established by the network you are in, but by proving who you are.

[Figure: TI 2.0 Sectoral Federation Architecture]

The Core: Sectoral Identity Federation

The central building block of TI 2.0 is the federation of digital identities. Instead of a single central authority, there are many trustworthy Identity Providers working together via a common trust anchor:

  • gematik operates the federation master – the entity that determines which federation participants are trustworthy.
  • Health insurance funds operate sectoral Identity Providers (IDPs), which issue the GesundheitsID to their insured members and handle authentication.
  • Corresponding professional identities are created for healthcare providers and institutions.
  • Your application is a Relying Party (a specialized service) that requests a login and receives verified identity attributes back.

Trust is established cryptographically via signed Entity Statements and published keys (JWKS). What this federation looks like specifically for the GesundheitsID is detailed in our article Integrating GesundheitsID into a DiGA.
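How a Relying Party can check the signed Entity Statements described above, as an added example that is not code from gematik or azuma: the federation master's statement about an IDP is verified with the pinned master key, and the IDP's self-signed configuration must then verify under the keys that statement lists. ES256, the entity IDs, the key IDs and all function names are assumptions made for illustration.

```javascript
// Added example, not gematik or azuma code. Entity IDs, kids and keys are constructed.
const nodeCrypto = require('node:crypto');
const b64u = (x) => Buffer.from(x).toString('base64url');
const unb64 = (x) => JSON.parse(Buffer.from(x, 'base64url').toString('utf8'));

// Build a compact ES256 JWS (only needed here to construct the sample statements).
function signStatement(claims, privateKey, kid) {
  const input = b64u(JSON.stringify({ alg: 'ES256', typ: 'entity-statement+jwt', kid })) + '.' + b64u(JSON.stringify(claims));
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return input + '.' + b64u(sig);
}

// Check algorithm, key id, signature and expiry against a JWKS; return the claims.
function verifyStatement(jwt, jwks, now) {
  const [h, p, s] = jwt.split('.');
  const header = unb64(h);
  if (header.alg !== 'ES256') throw new Error('unexpected alg'); // pin alg, never trust "none"
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error('unknown kid');
  const key = nodeCrypto.createPublicKey({ key: jwk, format: 'jwk' });
  const sigOk = nodeCrypto.verify('sha256', Buffer.from(h + '.' + p), { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!sigOk) throw new Error('bad signature');
  const claims = unb64(p);
  if (!(claims.exp > now)) throw new Error('expired');
  return claims;
}

// The master's statement about the IDP (verified with the pinned master key) names the
// keys the IDP may use; the IDP's self-signed configuration must verify under them.
function trustedIdpKeys(idpConfigJwt, masterStatementJwt, masterJwks, masterId, now) {
  const stmt = verifyStatement(masterStatementJwt, masterJwks, now);
  if (stmt.iss !== masterId) throw new Error('not issued by federation master');
  const cfg = verifyStatement(idpConfigJwt, stmt.jwks, now);
  if (cfg.iss !== cfg.sub || cfg.sub !== stmt.sub) throw new Error('subject mismatch');
  return stmt.jwks;
}

// Constructed federation: master, one registered IDP, and a key the master never listed.
function buildSample(now) {
  const gen = (kid) => {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    return { kid, privateKey, jwk: { ...publicKey.export({ format: 'jwk' }), kid } };
  };
  const master = gen('master-1'), idp = gen('idp-1'), unlisted = gen('idp-1');
  const masterId = 'https://master.example', idpId = 'https://idp.kasse.example', exp = now + 3600;
  const cfg = (k) => signStatement({ iss: idpId, sub: idpId, exp, jwks: { keys: [k.jwk] } }, k.privateKey, k.kid);
  const masterStatement = signStatement({ iss: masterId, sub: idpId, exp, jwks: { keys: [idp.jwk] } }, master.privateKey, master.kid);
  return { masterId, masterJwks: { keys: [master.jwk] }, masterStatement, idpConfig: cfg(idp), unlistedConfig: cfg(unlisted) };
}
```

The block covers only the signature chain for a single hop. A production Relying Party also retrieves the statements over HTTPS and applies the federation's metadata policy before using an IDP.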

What This Means for DiGAs and Health Apps

For you as a manufacturer, TI 2.0 means one thing above all: you become a participant in a federation. Instead of talking to a single login provider, your app must dynamically handle many sectoral IDPs and prove itself as a legitimate participant to the federation master.

Three practical consequences:

  • Standard protocols are mandatory, but not sufficient alone. Every modern IAM supports OIDC – but you must additionally implement the federation-specific mechanisms (Entity Statements, OIDC Federation, PKCE, PAR). Why generic systems like Keycloak or Auth0 reach their limits here is highlighted in the article Keycloak & Auth0 vs. Health-IAM.
  • Identity is security-relevant – and subject to audit. Authentication is a separate, certification-relevant block of BSI TR-03161.
  • Specifications are moving. TI 2.0 is continuously evolving; what you integrate, you must permanently maintain – or outsource to a specialized service.

TI 2.0 and the European Level

TI 2.0 is the national answer to a development that is also happening at the European level: with the EUDI Wallet and eIDAS 2.0, an EU-wide, identity-centric infrastructure is emerging, which will also cover healthcare in the medium term. The national sectoral federation and the European wallet layer will coexist and increasingly interoperate. What this specifically means is covered in our dedicated article on the EUDI Wallet in Healthcare.

How to Prepare

  • Rely on standards: OIDC/OAuth 2.0 as a foundation, cleanly secured according to BSI guidelines.
  • Plan for federation capability: Entity Statements, JWKS hosting, certificate rotation – build it yourself or cover it via a component.
  • Think about maintenance: Spec updates from gematik are a permanent task, not a one-off project.
  • Take identity out of scope early: The earlier the identity layer is set up, the smoother the GesundheitsID connection and TR-03161 certification will run.

Frequently Asked Questions

What is the difference between TI 1.0 and TI 2.0?

TI 1.0 is hardware-centric (connector, eGK, SMC-B, VPN). TI 2.0 is internet-based, modular, standard-based, and identity-centric (Zero Trust). Authentication occurs via federated digital identities instead of physical cards and network boundaries.

What is the sectoral identity federation?

A trust network in which gematik operates the federation master and sectoral Identity Providers (e.g., of the health insurance funds) issue digital identities like the GesundheitsID. Applications plug in as Relying Parties.

Must my DiGA support TI 2.0?

The central component of TI 2.0 for DiGAs is the GesundheitsID, support for which has been mandatory since January 2024. This makes connecting to the federation effectively mandatory for DiGAs.

Are TI 2.0 and GesundheitsID replacing the eGK?

In the medium term, TI 2.0 enables cardless, app-based access. However, during the transition phase, card-based and federated procedures coexist.


Are you building a DiGA or health app and don't want to build the identity layer for TI 2.0 yourself? Talk to our team or get free developer access and see how azuma provides the GesundheitsID federation as a ready-to-use component.

Status: June 2026. gematik's TI 2.0 specifications are continuously evolving – please cross-check the current status before publication.