Europe’s Digital Identity Wallet: The Promise, the Problems, and the Questions We’re Not Asking

By Sharmin Chougule

05 February 2026

The EUDI Wallet is coming to Europe by the end of 2026. A universal digital identity sounds laudable, but the tight schedule and the complex architecture point to a deeper tension. We are at a critical juncture: is this a foundation for trust, or the quiet assembly of a surveillance apparatus?


1. The Problem we’re trying to solve

Imagine this: you are booking a flight in Germany, renting a car in Italy, opening a bank account in France. Each time, you need to prove who you are. You dig through desk drawers for your passport or identity card, you wait on hold to verify your identity with a call centre, you take pictures of your face, fill out paper forms by hand, scan documents and send it all by post. Unless you have a phone with an NFC reader and your ID card is accepted in that electronic format, these scenarios still describe how identity verification works across Europe in the majority of cases.

This is one of the problems the European Union is trying to fix with the European Digital Identity (EUDI) Wallet, mandated under the revised eIDAS Regulation (eIDAS 2.0). By December 2026, every EU Member State must offer its citizens a digital wallet, an app on your phone. With it you can prove your age, or present your driving licence, your professional qualifications or your bank account details, without exposing unnecessary personal data in the process.

Identity theft and account takeover have become significant threats in Europe's online fraud landscape, with phishing and social engineering the primary vectors for credential theft.[1] In banking and finance, digital identity is increasingly the key that unlocks accounts and payments, so design choices here quickly become 'money questions'.

On paper, the EUDI Wallet is a win: faster services, less fraud, more citizen control. Looked at closely, however, there is a gap between the promise and the reality.

2. What’s actually happening under the hood

2.1. The technology works but the problem is everything else

The technical architecture of the EUDI Wallet is sophisticated. When you enrol, the wallet typically reads the chip of your physical eID card or passport, and that is where protocols with names like Password Authenticated Connection Establishment (PACE), Basic Access Control (BAC) and Extended Access Control (EAC) come in: they protect the channel between the phone and the chip. The credentials inside the wallet are then issued and presented with a different set of protocols (OpenID4VCI and OpenID4VP). Don't worry, you don't need to know what they mean.

The key privacy feature is selective disclosure: the wallet presents only the attributes a relying party actually needs. In the current Architecture and Reference Framework this is done with two credential formats, IETF SD-JWT VC and ISO/IEC 18013-5 mdoc, in which the issuer signs salted hashes of each attribute and the holder reveals only the attributes it chooses. Zero-Knowledge Proofs (ZKPs) go a step further, and the Regulation explicitly encourages them, although the framework is still working out how to integrate them. Think of a ZKP as a bouncer who is shown a green light meaning "over 18" without ever seeing the birthdate the light was derived from: it proves that a fact is true without revealing the data behind it. This allows for genuine privacy by design. With an EUDI Wallet you can prove you are over 18 to an online store without uploading your passport, or confirm you hold a valid driving licence without exposing your home address or licence number. All of this is feasible, but technology does not exist in a vacuum. A perfect cryptographic protocol cannot fix a broken governance model.
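To make the selective-disclosure mechanism concrete, here is an added, constructed example (not code from the EUDI reference implementation or from the post's author) of the hash-based scheme that SD-JWT uses: the issuer signs only salted digests of the claims, the holder hands over the signed credential plus the disclosures it chooses, and the verifier accepts a disclosure only if its digest appears in the signed list. It assumes an HMAC with a shared key standing in for the issuer's asymmetric signature so that it runs offline, a hypothetical issuer URL, and a constructed set of sample PID claims.

```python
"""Hash-based selective disclosure in the style of IETF SD-JWT (constructed example).

Issuer  : signs a credential that contains only salted digests of the claims.
Holder  : presents the signed credential plus only the disclosures it chooses.
Verifier: checks the signature, then accepts a disclosure only if its digest
          is in the signed list, so the holder cannot invent attributes.

Assumption: an HMAC over a shared key stands in for the issuer's asymmetric
signature so the example runs offline; a real wallet carries a JWS verified
against an issuer key taken from the trust list.
"""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: stands in for the issuer signing key

# Constructed sample PID claims; a real issuer attests these from the civil register.
SAMPLE_CLAIMS = {
    "given_name": "Erika",
    "family_name": "Mustermann",
    "birth_date": "1964-08-12",
    "age_over_18": True,  # predicate claim the issuer computes and signs
    "resident_address": "Heidestrasse 17, 51147 Koeln",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> str:
    """Disclosure = base64url(JSON [salt, name, value]). The 128-bit salt stops a
    verifier from brute-forcing undisclosed low-entropy claims (every possible
    birth date, for instance) against the digests it can see."""
    salt = _b64url(secrets.token_bytes(16))
    return _b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def digest(disclosure: str) -> str:
    return _b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict) -> tuple[str, dict]:
    """Issuer: return the signed credential and the disclosures handed to the holder."""
    disclosures = {name: make_disclosure(name, value) for name, value in claims.items()}
    payload = {
        "iss": "https://pid-issuer.example",  # assumption: hypothetical issuer
        "_sd_alg": "sha-256",
        # sorted so that digest order reveals nothing about claim order
        "_sd": sorted(digest(d) for d in disclosures.values()),
    }
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    tag = _b64url(hmac.new(ISSUER_KEY, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}", disclosures


def present(credential: str, disclosures: dict, reveal: list[str]) -> str:
    """Holder: attach only the chosen disclosures ('~' is the SD-JWT separator)."""
    return "~".join([credential, *(disclosures[name] for name in reveal)]) + "~"


def verify(presentation: str) -> dict:
    """Verifier: return the disclosed claims, or raise ValueError if anything is off."""
    parts = presentation.split("~")
    credential, disclosed = parts[0], [p for p in parts[1:] if p]
    body, tag = credential.split(".")
    expected = _b64url(hmac.new(ISSUER_KEY, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise ValueError("issuer signature invalid")
    signed_digests = set(json.loads(_b64url_decode(body))["_sd"])
    claims = {}
    for disclosure in disclosed:
        if digest(disclosure) not in signed_digests:
            raise ValueError("disclosure not covered by the issuer signature")
        _salt, name, value = json.loads(_b64url_decode(disclosure))
        if name in claims:
            raise ValueError("duplicate disclosure")
        claims[name] = value
    return claims


def accepted(presentation: str) -> bool:
    """Convenience wrapper: True if the verifier would accept the presentation."""
    try:
        verify(presentation)
        return True
    except ValueError:
        return False


def tampered_presentation(credential: str) -> str:
    """Holder forges an 'age_over_18' disclosure the issuer never signed."""
    forged = {"age_over_18": make_disclosure("age_over_18", True)}
    return present(credential, forged, ["age_over_18"])


if __name__ == "__main__":
    cred, discs = issue(SAMPLE_CLAIMS)
    print(verify(present(cred, discs, ["age_over_18"])))  # only the age flag is learned
    print(accepted(tampered_presentation(cred)))           # False: forged disclosure
```

Two caveats a practitioner should keep in mind. First, the verifier can only learn claims the issuer actually signed: "over 18" works because the issuer pre-computed that flag, whereas a statement such as "income above a threshold" cannot be derived from a hashed income value and needs either an issuer-signed predicate or a real ZKP. Second, the signed digest list and the disclosure strings are constant for a given credential, so two relying parties (or one relying party over time) can correlate presentations of the same credential; that is why the framework relies on batches of single-use credentials and why ZKP schemes remain of interest.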

The European Commission spent 2025 translating the EUDI vision into operational rules. In May 2025 it adopted the Implementing Regulation that sets out how Member States certify wallets and notify them. Italy has begun beta testing. Germany's digital ID programme has officially launched with biometric integration. By the metrics of regulatory efficiency, it is all moving forward. Yet beneath the implementation announcements lies a deeper question: who controls the infrastructure, and what are they using it for?

The European Union is also exploring blockchain and distributed ledger technology (DLT) as a potential component of EUDI infrastructure, not as a mandatory core, but through pilot projects and the European Blockchain Sandbox initiative. The appeal is real: instead of storing credential issuance and revocation lists in centralised government databases, some Member States are testing blockchain solutions to create immutable, decentralised trust registries.

Pilot projects are experimenting with Decentralised Identifiers (DIDs) anchored to public blockchains, including Ethereum, Cheqd and IOTA, as mechanisms to prove credential ownership without revealing the issuing authority. On the surface, this appears to solve the concentration problem: if identity verification is genuinely decentralised, then no single actor (government or company) can control the infrastructure.

Yet this framing obscures three critical problems. First, who actually governs these 'decentralised' systems? Public blockchains like Ethereum are run by networks of validators, essentially computers around the world that verify transactions. But these validators are not evenly distributed. If most of them are controlled by a handful of companies or concentrated in specific countries, is that really decentralisation? And what happens when a government decides that a particular blockchain ecosystem is a geopolitical threat? Second, blockchains are slow and expensive. They consume more energy and process transactions more slowly than traditional databases. When we talk about blockchain use on such a large scale, we should look at the European sustainability goals.

The EUDI framework does not transparently discuss the performance trade-offs or environmental costs of blockchain integration. That may be beyond its scope, or it may rest on the assumption that Europe's sustainability goals apply anyway, whether or not a piece of regulation calls them out. Is the claimed privacy or decentralisation benefit worth the infrastructure burden? Third, and most importantly, governance remains centralised regardless of technical innovation: Member States still certify wallets, still control credential issuance rules, and still retain oversight authority. Blockchain therefore provides technical immutability but not structural decentralisation of governance. The distributed ledger creates what we might call 'trust theatre': technically interesting and genuinely innovative, but not transformative. It allows policymakers to claim they are advancing decentralisation while maintaining centralised control.

When the wallet becomes obligatory in December 2026, the odds are low that Member States will implement fully blockchain-integrated systems; precedents from eHealth and earlier EU digital initiatives suggest that significant delays are more probable. The so-called blockchain trilemma is another obstacle: security, scalability and decentralisation are difficult, if not impossible, to achieve at the same time. Until the December 2026 window closes, blockchain remains a potential future feature rather than a confirmed architecture, and when that window arrives, it will more likely serve as a display of infrastructure sophistication than fulfil hopes of redistributing power.

2.2. The surveillance paradox: What the EU isn’t saying loudly

Here is where things get interesting. During the legislative negotiations, a debate erupted over Article 45[2] and 'Qualified Website Authentication Certificates' (QWACs). Security researchers and browser vendors warned that the initial proposal could have forced browsers to trust government-designated certificate authorities without exception, creating a technical pathway for 'man-in-the-middle' interception of web traffic.[3] Is this a direct threat today?

The final text of eIDAS 2.0 contains a compromise: browsers must recognise these certificates and display the identity information they carry, but they are not forced to abandon their own security policies to do so. The immediate danger of a mandatory 'backdoor' has been averted.[4] How this balance works in practice remains contested between browser vendors, EU authorities and security researchers, and will be settled through enforcement and standards-setting procedures. Yet the regulatory framework persists, and future amendments could remove browser discretion without renegotiating the entire architecture, leaving the current compromise vulnerable to regulatory reinterpretation. The compromise itself is revealing. It shows how digital identity infrastructure is inherently contested between citizen privacy, law enforcement access and national security interests. This isn't a technical question that engineers solved. It's a political choice that remains unresolved.

If a government-designated certificate authority were compromised tomorrow, current rules let browsers distrust it. But regulatory reinterpretation could mandate trust: no new law required, just administrative discretion. The danger is that once governments normalise interception infrastructure, removing it becomes politically difficult. This is not a claim about current intentions in Brussels or national capitals; it is a warning that once such capabilities are built into the infrastructure, they can be used, or expanded, by future governments regardless of their original purpose. The concern is less about declared political intentions today and more about the structural possibility of interception that the infrastructure quietly enables for tomorrow.

This illustrates the tension between regulatory trust assumptions and cryptographic trust properties. Legal frameworks cannot reliably constrain technical capabilities once they exist. This is particularly acute in EU digital identity architecture, where regulatory mandates intersect with browser security models over which the EU lacks full control: the major browsers are designed and controlled by non-European providers. The EU can set legal obligations, but it cannot directly reconfigure how these browsers implement their trust decisions.

2.3. The implementation crisis nobody’s talking about

The deadline is December 2026, less than twelve months away. Sounds doable? Maybe. But look at the historical track record. The original eIDAS Regulation was adopted in 2014, and widespread compliance took years longer than expected. As noted earlier, eHealth initiatives across Europe have repeatedly missed implementation targets. Testing, interoperability, cross-border certification: all of this is harder in practice than in regulatory timelines.

As of the beginning of 2026, here’s the reality:

  1. Italy is beta testing. A few other Member States have pilot projects.
  2. No major Member State has announced full production deployment.
  3. Cross-border interoperability testing is still ongoing.
  4. Certification procedures are still being refined.

Some Member States will hit the December 2026 deadline. Others won’t. What happens then? Do businesses remain exempt from accepting wallets if the technology isn’t ready? Can relying parties defer integration? The framework doesn’t say.

This fragmentation creates real legal and operational uncertainty. Relying parties (banks, government agencies, companies) will face a patchwork of wallet solutions on different timelines. Citizens in Member States that miss the deadline will experience service delays. Interoperability failures will accumulate.

2.4. The accessibility crisis: Digital infrastructure as gatekeeping

Here are scenarios the EUDI policy documents don’t really address: A 78-year-old in rural Spain with minimal digital skills. An asylum seeker in Belgium without a consistent address or government ID. A visually impaired user in France whose bank’s wallet app doesn’t work with screen readers. A teenager without a smartphone trying to access age-gated services.

The EUDI framework requires private relying parties to accept the wallet wherever identification is legally required. It does not mandate offline fallbacks. This creates a critical gap: what happens when citizens cannot use the wallet? The regulation uses permissive language, asking Member States to ensure that alternative means remain available, but it is not mandatory. In practice, this means banks can make the wallet the default and relegate alternative verification to cumbersome offline processes. This isn't formal exclusion. It's functional exclusion achieved through design.

The evidence from other EU digital initiatives is instructive. Estonia is often cited as the model for digital governance, yet the data reveal a stark 'grey digital divide'. While 98% of young Estonians use digital services effortlessly, research shows that over 70% of citizens aged 75 and over do not use the internet at all, leaving them dependent on proxies or physical assistance.[5] When services like tax filing or health records become 'digital-first', this group is effectively pushed into second-class citizenship. For the skilled, it is efficiency; for the unconnected, it is a barrier.

If the EUDI Wallet follows the same pattern, the most vulnerable populations, elderly, disabled, asylum seekers, people in rural areas with poor or low connectivity, will be systematically excluded from services they legally should be able to access. There’s no mandatory testing with vulnerable populations. There’s no requirement that offline verification remain genuinely available (not just theoretically available). There’s no tracking of how many people actually can’t use the system.

2.5. The power problem: Who controls your identity?

If the EUDI Wallet becomes the de facto identity infrastructure, then whoever controls it has gatekeeping power over European economic and civic life. Who are these gatekeepers? The state agencies that can revoke your ID at the click of a button. The tech giants (Apple, Google) whose operating systems host the wallet. The issuers (banks, for instance) who decide whether your credentials are valid.

This isn’t paranoia. It’s basic infrastructure governance. When you centralise identity, you centralise the power to exclude. Think about what happens when your wallet is blocked, deleted, or suspended. You lose access to banking, government services, healthcare portals, and commerce. In practice, this means identity infrastructure becomes financial infrastructure: when the wallet fails, everyday economic participation fails with it. The framework includes safeguards: citizens can appeal certification decisions, and the system includes data minimisation. But these are limited protections. A government can refuse to certify a wallet. Citizens have limited immediate recourse if their wallet is suspended.

Private wallet providers face different pressures. They must comply with government certification, handle personal data under GDPR, and respond to relying-party requests. Yet the framework doesn’t clearly limit their ability to refuse service to specific users or categories.

Over time, we are likely to see market concentration. Large tech companies (Google and Apple again) may dominate with wallet solutions that leverage their existing user bases. Financial institutions may develop proprietary wallets. EU-funded consortia will try to create 'official' solutions. Relying parties, meanwhile, will face pressure to accept every certified wallet, which creates complexity and cost. The incentive structure likely favours large, stable providers over niche alternatives.

2.6. The question of standards and global power

Europe isn't alone in building digital identity infrastructure. Singapore has its National Digital Identity. Canada is developing its Digital Credentials ecosystem. India has Aadhaar and DigiLocker. Global standards organisations are competing on specifications.

The EUDI is effectively Europe’s bid for global digital identity standards leadership. If eIDAS 2.0 becomes the de facto standard, through EU market size and regulatory power, then European norms about data minimisation, transparency, and citizen control become global norms.

Conversely, if competing models dominate elsewhere, European digital identity principles become parochial. This standards competition has far-reaching implications for global data governance, privacy protection and the distribution of power. It's not just technical. It's geopolitical.

3. What needs to happen now

The infrastructure decisions are being made now, often without transparent public deliberation. Three things matter:

3.1. First: Accountability must be proactive, not reactive.

The EUDI framework spreads responsibility across multiple actors: Member States certify wallets, private providers operate them, relying parties integrate them, citizens use them, and the European Commission oversees the system. But responsibility fragmentation creates accountability gaps, exactly the kind of gaps that emerge when new infrastructure fails.

Consider a scenario: A wallet provider uses cryptographic services from a third-party vendor. That vendor is compromised. Citizens’ credentials leak. Who’s liable? The wallet provider? The vendor? The Member State that certified the wallet? The bank that relied on it? The framework doesn’t clearly answer.

Take financial compliance. Today, applying for a loan means handing over your entire digital life. With the EUDI Wallet you could instead present a cryptographically verified statement such as 'income above €50k' or 'credit score above 700' without revealing your employer or your full transaction history. One caveat: hash-based selective disclosure can only reveal attributes the issuer signed, so such threshold statements require either an issuer that attests the predicate itself or a zero-knowledge proof.

For banks, however, this is a double-edged sword. On one hand, it promises to slash Know Your Customer (KYC) costs by replacing manual checks with cryptographic certainty. On the other hand, it turns every major bank into a mandatory 'relying party', obliged to accept the wallet whether or not it would have chosen that verification path itself. By 2027, banks must accept these wallets for Strong Customer Authentication (SCA) under the PSD2/PSD3 rules. If a wallet is compromised or wrongly issued, the result is not just a privacy incident; the consequences ripple and scale quickly: account takeovers, fraudulent payments, and eventually a dispute over who carries the loss.

Or imagine a relying party accidentally receives too much personal data due to a malformed wallet request. Who bears the cost of the data breach? These questions will eventually be resolved through litigation and regulatory guidance. But waiting for court cases to clarify responsibility gaps is insufficient. By the time courts rule, damage has been done and infrastructure patterns are already embedded. Member States should publish clear liability mapping before wallets go live in 2026.

Not everyone can read legal jargon, either. Lay users should be told clearly what their rights are, where to turn when things go sideways, and how to enforce those rights. If citizens with a dysfunctional wallet have to wait through the weekend for the bank's regular office hours, that will be a very frustrating weekend. The bank is only one example: a job seeker's wallet may stop working at the employment agency or social benefits office, delaying unemployment payments or housing support simply because nobody can override the system outside 'normal' hours. Or a patient's wallet malfunctions on a Friday night and the pharmacy can no longer retrieve the e-prescription, leaving them without essential medication until a hospital visit or until a helpdesk or alternative verification channel reopens. Can we expect technical staff to be reachable around the clock, as in the 24x7 call centres some Asian countries run? In Europe, demand for technical staff already outstrips supply: in 2022, over 60% of EU enterprises that tried to recruit ICT specialists reported difficulties filling those vacancies, according to Eurostat's hard-to-fill-vacancies statistics.[6]

This isn't bureaucratic box-ticking; it's the difference between accountability that prevents failures and accountability that responds to them after the fact. There should be independent ombudsman mechanisms for citizen complaints. Public audits of wallet security, interoperability and accessibility should happen not just once, but continuously.

3.2. Second: Inclusion cannot be an afterthought.

If EUDI Wallets become mandatory for accessing essential services, then digital inclusion must be central to system design, not a compliance footnote. This means mandatory offline verification pathways (not permissive language about alternatives). It means accessibility audits before certification, with Web Content Accessibility Guidelines (WCAG) 2.1[7] compliance as the baseline. It means explicit protection for populations unable to use digital systems. It means transparent reporting on inclusion metrics: how many citizens can actually use wallets? How does this vary by age, disability, geography and immigration status?

The regulatory push toward digital identity should not replicate the digital divides that already exist in Europe. It should instead find ways to reduce them and, at the same time, mitigate their impact.

3.3. Third: The surveillance question needs honest deliberation.

The TLS weakening provisions,[8] state access requests and the mandatory acceptance architecture raise a fundamental question: does the EUDI framework prioritise citizen empowerment or state control?

This isn’t a binary choice. But it requires honest deliberation about trade-offs. Current policy language obscures these trade-offs through rhetoric of “trust” and “security.” Genuine transparency requires:

  1. Public debate about what genuine law enforcement needs actually exist, what security costs would follow, and whether governments should have routine intercept capabilities for digital identity traffic.
  2. Independent security audits of wallet systems, with public reporting on vulnerabilities.
  3. Transparent governance of standards development, with civil society participation.
  4. Sunset clauses on security weakening provisions, periodic re-evaluation of whether surveillance architecture is necessary or merely path-dependent.

4. The moment is now

The EUDI Wallet represents a genuine European achievement in technical design. The ambition to provide all citizens with secure digital identity is laudable.

But the governance architecture, implementation timeline, and surveillance provisions create a fundamental tension that cannot be resolved through technology alone. It’s a tension between trust infrastructure and surveillance apparatus. This tension can be managed, but only through accountability, genuine inclusion, and honest deliberation about power. The window for this deliberation is closing. By 2026, wallet deployment will accelerate. By 2030, the infrastructure will be embedded in European life. Once embedded, the choices become harder to revisit. They become technical requirements, regulatory compliance, citizen habit.

This is the moment, now, for policymakers, businesses, civil society, and citizens to ask hard questions:

  1. Does the EUDI framework advance European digital sovereignty, or does it create new dependencies?
  2. Does it protect privacy or enable surveillance?
  3. Does it include vulnerable populations or exclude them by design?
  4. Does it distribute power more equitably, or concentrate it?

These questions deserve answers grounded in evidence, deliberation, and democratic legitimacy, not merely in regulatory compliance and implementation timelines.

The technical infrastructure is coming. The governance infrastructure, the one that determines how power is distributed and who benefits or loses, is still being negotiated. We should make sure we’re asking the right questions about it.


1 ENISA: ENISA Threat Landscape: Finance Sector, January 2023 to June 2024, Brussels: European Union Agency for Cybersecurity, 2024, available at: https://www.enisa.europa.eu/sites/default/files/2025-02/Finance%20TL%202024_Final.pdf
  Europol: Online Fraud Schemes: A Web of Deceit – Spotlight Report, The Hague: European Union Agency for Law Enforcement Cooperation, 2023, available at: https://www.europol.europa.eu/cms/sites/default/files/documents/Spotlight-Report_Online-fraud-schemes.pdf
  Mastercard, cited in: Biometric Update: Mastercard wants everyone to have a digital wallet and mDL to make ID like payments (August 4, 2025), available at: https://www.biometricupdate.com/202508/mastercard-wants-everyone-to-have-a-digital-wallet-and-mdl-to-make-id-like-payments

2 Article 45 of the eIDAS Regulation (specifically the recast eIDAS Regulation (EU) 2024/1183; originally the 2014 eIDAS Regulation with a 2021 proposal for amendment). This article mandates that web browsers recognise QWACs issued by Qualified Trust Service Providers designated by EU Member States, though the final text does not mandate unconditional trust. The legislative debate concerned a contentious provision requiring browsers to accept these EU-approved certificates, which generated significant opposition from cybersecurity experts and browser vendors on security and interception grounds. Most European citizens do not know this debate happened.

3 Joint Open Letter by 400+ Scientists & NGOs on eIDAS, November 2023.

4 Bitkom: Position Paper on the eIDAS 2.0 Trilogue Outcome, November 2023.

5 Leppiman, A., et al. (2020): Old-Age Digital Exclusion as a Policy Challenge in Estonia and Finland. In: Walsh, K. et al. (eds.): Social Exclusion in Later Life. International Perspectives on Aging, Springer, pp. 409-419 (noting that internet usage drops significantly after age 75, a demographic often excluded from standard "16-74" statistical surveys).
  Statistics Estonia (2019/2023): data on internet usage by age group.

6 Eurostat: ICT specialists – statistics on hard-to-fill vacancies in enterprises (Statistics Explained article, data extracted in June 2025).

7 WCAG 2.1 is the international standard for making websites and applications usable by people with disabilities, requiring features such as screen reader compatibility and keyboard navigation.

8 TLS (Transport Layer Security) is the encryption that protects most web traffic. Think of encryption as a way of scrambling data so that only someone holding the right, securely kept key can read it.