Essential EU government services cannot be devised on the hope that US companies will invent something that - contrary to current US legislation - will somehow provide the attestation services needed in a GDPR-compliant way without forcing EU citizens to provide personal data to US companies.

If it's not possible to create such a system for mobile phones because of legal issues (as you seem to acknowledge and judges have found in the past), then the focus would have to be on creating hardware devices in the EU, ideally with open source hardware and software. These can be made reasonably secure, have been used by banks for a long time, and would enhance digital sovereignty.

What I find unacceptable is the attitude "well, it will violate the law but as a matter of practicality it's the only choice we have right now so we'll just do it."