The EU Digital Identity Wallet is a digital wallet initiated by the European Commission for electronic identities. It is intended to offer citizens, consumers and companies in the EU a secure and data protection-friendly option for digital identification. Each wallet will be personal app which enables official proof of identity and other important digital documents to be securely stored, managed and presented when required. It can also be used to sign electronic documents in a legally binding manner.
Aim and purpose of the EU Digital Identity Wallet
The main aim of the EU Digital Identity Wallet is to, control over personal data in the hands of the users. Users should decide for themselves which identity data they disclose online and for what purpose. The wallet allows, for example, public or private services to to prove who you are, without disclosing more personal information than necessary.
This approach follows the EU Commission's guiding principle that everyone should always have the Sovereignty over your own digital identity should keep. Accordingly, the project is in line with European values such as Data protection and the "once-only" principle (data only recorded once) and supports the goal of Digital Decadeto give all EU citizens access to digital identities by 2030.
The wallet is offered in at least one version by each EU member state and is intended to Can be used across borders be. From 2026 all member states must provide a wallet system that meets uniform EU standards. This will allow citizens and businesses to protect their digital identity Seamless use throughout the EU.For example, to use online services abroad, open a bank account or apply for a job in another EU country.
Legal basis: eIDAS 2.0 (European Digital Identity Framework)
The legal basis for the EU Digital Identity Wallet is the Revised eIDAS Regulationalso known as eIDAS 2.0 or the European Digital Identity Framework. The original eIDAS Regulation (Regulation (EU) No. 910/2014) created a legal framework for cross-border electronic identification and trust services in 2014. It made it possible for nationally recognized electronic identity systems to be used in other member states for access to public services. However, according to the EU Commission, this regulation is no longer sufficient in the digital age, as more and more private online services require identification and there are concerns about Profiling and monitoring became loud.
In June 2021, the European Commission therefore proposed a comprehensive revision of the eIDAS Regulation. This proposal provided for the creation of a European framework for digital identities. With the EU Digital Identity Wallet as the central instrument to implement the principle that users retain full control over their digital identity data. Following the EU legislative procedures, the new regulation was finally adopted by the European Parliament on February 29, 2024 and published in the Official Journal in May 2024. It entered into force on May 20, 2024 as Regulation (EU) 2024/1183 in force. This ordinance amends and supplements eIDAS (2014)by establishing the European Digital Identity Framework and, in particular, prescribing the establishment of EU Digital Identity Wallets.
Core content of the eIDAS 2.0 Regulation
The new regulation obliges all member states, under national responsibility, to to provide EU Digital Identity Wallets. This can also be done in cooperation with contracted private providers. The wallets must comply with certain common technical specifications in order to be interoperable across the EU. In addition, eIDAS 2.0 strengthens the use of electronic identities in the private sector. For the first time, it is regulated that private service providers can also accept the wallet as a means of identification or must accept it in certain cases. In particular, very large online platforms (as defined by the Digital Services Act, e.g. large social Networks) will in future be obliged to support the EU Wallet as a login or identification option if it is requested by users. This is intended to prevent a few private login services from dominating the market and to provide users with a neutral, publicly available alternative.
It is important that electronic evidence and digital certificates provided via the wallet (so-called electronic attribute certificates) are legally recognized. The regulation clarifies that a digital certificate may not be rejected solely because it is electronic or does not meet certain qualification requirements. Common minimum requirements are defined for qualified electronic attribute certificates so that they correspond to the legal value of an official certificate on paper. In this way, documents stored digitally in the wallet (e.g. a digital driving license or a university diploma) are to be given reliable legal effect throughout the EU.
Data protection framework of the Identity Wallet
The Identity Wallet solution is designed from the ground up to ensure that key GDPR principles such as Data minimization, Consent, Earmarking and the Rights of data subjects and technically supported. This is achieved both by Legal requirements of the eIDAS 2.0 Regulation as well as by the Architecture of the wallet ensured by the company itself.
Important data protection aspects at a glance:
- Earmarking and prohibition of further processing: The regulation stipulates that personal dataprocessed in connection with the Wallet may only be used for the provision of the Wallet services. One Processing for other purposes - such as the commercial exploitation of the Usage data - is prohibited. Wallet providers are not permitted to view the specific transactions of users ("Unobservability") and do not create profiles about usage behavior. This prevents misuse (e.g. profiling). If, in exceptional cases, it is necessary for the wallet operator to access certain information (e.g. for support purposes), this may only be done with previous explicit Consent of the user on a case-by-case basis and must be fully in accordance with the GDPR take place.
- Data minimization and selective data sharing: As little data as possible, as much as necessary. This principle of GDPR (Art. 5 para. 1 lit. c) is technically implemented by the wallet. By default, only the minimum required attributes are shared. The wallet has Privacy-by-Design-functions such as Selective disclosure and Zero-knowledge proofs. Selective disclosure means that the user only discloses the specific information requested by a service provider when making a request, without disclosing additional details. For example, instead of transmitting the complete identity card, the wallet can confirm that the user is over 18, without date of birth or exact address. Zero knowledge proofs go one step further by allowing the verification of a feature without disclosing the underlying data. For example, it could be proven that a bank account has a minimum balance, without the exact amount. Such cryptographic methods are intended to ensure maximum data protection.
Privacy Dashboard: Transparency and Rights of data subjects
The active Consent The user's freedom of choice is a basic principle that runs through the entire identity wallet system. Users decide for themselves who they make what information from their wallet available to. Every data release requires a conscious action in the wallet (e.g. confirmation via app) so that no unintentional disclosure can take place. This complies with the GDPR requirement of informed, voluntary and specific consent. Consentwhere it is necessary as a legal basis. The eIDAS 2.0 regulation explicitly emphasizes that wallet data may only be accessed with the user's prior consent and in compliance with the GDPR. In many cases, the data transfer is also limited to contractual necessity or legal obligations (e.g. in the banking sector); nevertheless, the wallet ensures that the Affected parties always retains control and authorizes the transfer.
In order to Overview of your own data the wallet apps are to be protected via a built-in Data protection dashboard have. This acts as a Transaction log and clearly shows the user which office has requested or received which data at what time. All data transactions via the wallet are documented here and can be viewed by the user, even if a process has been canceled. This is intended to ensure a high Transparency and prevent untraceable data usage.
The dashboard also allows users to manage their Rights of data subjects according to GDPR easier to exercise. In particular, the wallet can be used directly for each transaction. Deletion of the shared data be requested from the service provider. The Regulation requires that such a deletion request (based on Art. 17 GDPR, Right to be forgotten) with just a few clicks. It should also be possible to report a service provider who requests data unlawfully or conspicuously directly to the national data protection supervisory authority.
Privacy by design/default and security precautions
Data protection compliance is technically anchored. The eIDAS 2.0 Regulation obliges providers of the Identity Wallet to comply with data protection through technology design and data protection-friendly default settings implement. The architecture itself logically separates personal wallet data from other data processing by the provider in order to prevent any mixing.
All wallet data is locally on the device of the user and not stored in a central database. Cloudwhich makes the control and Data security is intended to increase security. Access to the wallet is protected by the security features of the end device (PIN, biometric security, etc.) so that only the authorized person can use the content. In addition Open source code and Safety audits intended to Transparency and find vulnerabilities at an early stage. Should a serious security risk nevertheless arise, the wallet solution in question can be exposed be withdrawn from the market until the problem is resolved. All of these measures are intended to ensure that the wallet meets the strict requirements of the GDPR and creates trust among users.
Reading tip: Pseudonymization - EDSA publishes new Guidelines
Identity wallet providers and exhibitors
The EU Digital Identity Wallet is based on a common technical framework and clearly defined roles to enable their cross-border deployment. Both technical as well as legal is a whole Ecosystem of actors and infrastructures to ensure that the wallets function reliably:
- Wallet providers (Wallet Providers): These are the bodies that develop the wallet on behalf of a member state and make it available to users. In many cases, this will be the government or a state authority itself. Alternatively, a private IT service provider can be mandated. The wallet provider is responsible for technical operation, regular updates and support. Legally, the respective member state is responsible for ensuring that "its" wallet complies with the requirements. Each EU member state must offer at least one wallet, although several are possible in parallel as long as they are all common EU standards
- Issuer: This means that trustworthy organizations digital proofs of identity and other forms of digital documents can feed into the wallet. This includes state authorities (for official identification documents, driving licenses, civil status certificates), but also other bodies such as universities (for diplomas) or banks and certification services. Each issuer provides a user with a electronic certificate (attestation) about a specific attribute or document, which is stored in the wallet. Technically, this is done via digital certificates or Signed data recordsthat guarantee authenticity and immutability. From a legal perspective, issuers must fulfill certain requirements depending on the type of certificate - in particular qualified trust service providers be when it comes to qualified electronic attribute certificates which have special legal effects. The new regulation lists categories of attributes (e.g. name, date of birth, license status) for which Qualified exhibitors must be available. Exhibitors are obliged to Accuracy of the data before issuing a certificate in the wallet so that users can rely on the information stored in the wallet.
Service provider (service provider)
This includes all public or private bodiesthe information from the wallet query, to provide the user with a service. For example: an airline that requires identification for online booking; a car rental company that wants to see a digital driver's license; a bank that requests digital ID data to open an account. Service provider (Relying Parties) use the wallet to authenticate users or have certain attributes (e.g. age, qualifications) verified.
Legally, they must registerif they wish to retrieve Wallet data. This registration with a competent body (designated by the Member State) serves to Transparency and allows the legality of data requests to be monitored. When registering, providers must specify which data they wish to retrieve and for what purpose. Unnecessary or disproportionate data requests can thus be prevented.
The regulation also stipulates that service providers must Data protection impact assessment (DSFA) and, if necessary, consult the data protection supervisory authority, before they process wallet data. This applies in particular if special categories of personal data (e.g. Health data) or extensive profiles are affected. This is to ensure that new wallet applications are thoroughly checked for risks.
Overall, the registration requirement is intended to ensure that only trustworthy services access wallet data and that users know exactly who is using their identity data.
Technical functionality of the wallets
Technically, the interaction of these players is supported by a Common architecture and standards is possible. The EU has issued a Architecture and Reference Framework (ARF) and technical Specifications elaborated. All national wallets, issuer systems and service providers must comply with these standardized protocols and data formats so that a wallet in country A can easily communicate with a service provider in country B. For example, there are Europe-wide standardized Data models (schema catalogs) for certain documents, so that a "digital driving license document", for example, is structured in the same way in every Member State. Likewise, a common trust infrastructure constructed: A kind of public directory of trustworthy bodies (e.g. Issuer-Catalog), which lists all certified issuers and service providers. The wallet can thus automatically check whether an incoming certificate from a Authorized Issuer and whether a requesting service website is actually registered and legitimate. This mutual recognition is ensured by digital certificates and signatures. Similar to SSL certificates on the web, only here for identities and attributes.
An important technical and legal aspect is the SecurityWallet apps must meet strict IT security standards fulfill. The regulation refers to the EU legal framework for Cybersecurity (Regulation (EU) 2019/881) and stipulates that wallets must be licensed in accordance with European or national Certification schemes on their IT security be checked. In concrete terms, this means that each wallet system of a Conformity assessment The product is subjected to an inspection in which the fulfillment of the technical and safety requirements is confirmed. This Certification should be harmonized at EU level if possible (if necessary, with the involvement of the EU agency ENISA). Wallets that pass the test are considered to be "Cybersecurity-certified". For users and service providers, this creates confidence that the respective wallet app is secure (e.g. protected against hacker attacks and free from known malware).
How the Identity Wallet works in practice
In order to use a wallet, the user usually goes through a Onboarding processDownload the wallet app for your own country, secure it (e.g. with PIN/biometrics) and connect it once to a state source of identity. For example, by reading the electronic ID card or via online identification. It can then be used to digital documents by requesting them from the respective issuers (e.g. the driving license office for the digital driving license). The added certificates are stored in the wallet and can be used from then on. If the user logs in to an online service that supports the wallet, they can use the wallet to Release selected data.
Authentication is usually carried out using a Combination of wallet release and possibly an additional confirmation (e.g. a digital signature or authentication via smartphone). Important: The legal confirmation of identity takes place at the moment of release - The service provider receives, for example, a digitally signed confirmation of the identity or the requested attribute, which he can use as a equivalent to the classic ID card must treat each other. Since the wallet proofs are mutually recognized, a citizen from country A enjoys the online service in country B the same legal acceptanceas if he had presented a local identification document.
Overall, the EU Digital Identity Wallets State-of-the-art technology with clear legal assurances combine: A standardized EU infrastructure ensures interoperability and security, while binding rules ensure that all parties involved (states, providers, users) fulfil their role in protecting identity data. The wallets should thus form a cornerstone for trustworthy digital transactions in Europe. However, the question will not only be whether the technical implementation will succeed as described, but also whether citizens and consumers will accept and use the EUDI wallet on a broad scale.
Source: A digital ID and personal digital wallet for EU citizens, residents and businesses
German 
English 
Italian 
French