This is a big one, yeah. It looks like the current proposed system in the EU requires attestation that the relevant keys are stored in a certified HSM that will e.g. rate-limit the generation of keys.
(I found a list of requirements for them here: https://eudi.dev/2.4.0/annexes/annex-2/annex-2-high-level-re... )