Hacker News

I like that it is open source, I don't like that they use SD-JWT tokens which contain hashes of people's names for things like age verification.


It's only partially open source. Some server-side code remains proprietary, and the client side will depend on proprietary code of Google and Apple, and they do not plan to support platforms that are actually Free Software. The law overall is badly written. For example, articles 12 and 26 effectively say that "The source is shared with the public, except if it is proprietary or insecure." Or take Article 4: "The government may operate systems that protect the privacy of the identity subjects."


The Swiyu team dropped the Play Integrity requirement on Android: https://github.com/swiyu-admin-ch/eidch-android-wallet/issue... This means that the E-ID will be officially supported on AOSP-based secure ROMs like GrapheneOS, without any requirement for Google services.


Why is that bad?


I'm guessing you'd want to separate age verification from identity verification. A hash of your name is as good as your name since you don't change your name and you provide both to certain providers, or it can be brute-forced.


It's a bit better than that, you really have to get access to the disclosure because the hash also contains a salt. But it's a needless risk.
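The salted hashing discussed in the two comments above, as an added example that is not part of the thread or of the Swiyu code: it builds SD-JWT-style disclosures and digests and shows what a verifier can and cannot confirm. It assumes SHA-256 and the `[salt, claim name, claim value]` disclosure layout from the SD-JWT specification; the claim names and values are constructed, the helper names are hypothetical, and the JWT signature is left out.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(claim: str, value, salt: str) -> str:
    # Disclosure = base64url(JSON array [salt, claim name, claim value])
    return b64url(json.dumps([salt, claim, value]).encode("utf-8"))

def digest(disclosure: str) -> str:
    # Only this digest is placed in the signed credential (the "_sd" array)
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(claims: dict):
    """Issuer: fresh 128-bit salt per claim; returns (disclosures, signed digest list)."""
    discs = {k: make_disclosure(k, v, b64url(secrets.token_bytes(16)))
             for k, v in claims.items()}
    return discs, sorted(digest(d) for d in discs.values())

def _decode(disclosure: str) -> list:
    # Restore the stripped base64 padding before decoding
    raw = base64.urlsafe_b64decode(disclosure + "=" * (-len(disclosure) % 4))
    return json.loads(raw)

def salt_of(disclosure: str) -> str:
    return _decode(disclosure)[0]

def verify_disclosure(disclosure: str, sd_digests: list):
    """Verifier: accept a claim only if its disclosure hashes to a signed digest."""
    if digest(disclosure) not in sd_digests:
        return None
    _salt, claim, value = _decode(disclosure)
    return claim, value

def guess_confirms(sd_digests: list, claim: str, candidate, salt: str) -> bool:
    """Does a guessed value, hashed with this salt, match any signed digest?"""
    return digest(make_disclosure(claim, candidate, salt)) in sd_digests

if __name__ == "__main__":
    # Constructed sample claims, not real credential data
    discs, sd = issue({"given_name": "Alice", "age_over_18": True})
    # Holder presents only the age disclosure; the verifier sees sd plus that one
    print(verify_disclosure(discs["age_over_18"], sd))
    # A correct name guess still fails without the per-claim salt
    print(guess_confirms(sd, "given_name", "Alice", "constructed-wrong-salt"))
    # With the name disclosure in hand the salt is known and the guess confirms
    print(guess_confirms(sd, "given_name", "Alice", salt_of(discs["given_name"])))
```

The name digest is still present in every presentation of the credential, which is why the salt's secrecy is the only thing separating the age check from the name.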



