The EUDI Wallet is coming – what businesses need to know
The EU is moving towards a new framework for digital identity. Under the revised eIDAS Regulation each Member State must make at least one European Digital Identity Wallet (EUDI Wallet) available by the end of 2026. Designed to support secure and interoperable digital identification across the EU, both online and offline, the EUDI Wallet is intended to enable users to prove their identity and share digital credentials in a more controlled and privacy-preserving way. For businesses, the EUDI Wallet will create a new ecosystem for electronic identification and authentication, bringing new legal and technical requirements and opening up new opportunities. This blog post outlines the key features of the EUDI Wallet, explains the business roles that matter most and briefly touches on what this means for businesses operating in Germany.
I. What the EUDI Wallet is and why it matters
The EUDI Wallet is introduced by the revised eIDAS Regulation (Regulation (EU) 2024/1183), which amends the eIDAS Regulation of 2014 (Regulation (EU) 910/2014). In essence, the EUDI Wallet is a secure digital wallet, typically made available through a smartphone app, that allows its users to prove their identity, authenticate when accessing services and store and share verified digital credentials. Those credentials may include driving licences, proof of age, professional qualifications, educational certificates or other electronic attestations of attributes. Users can selectively share these credentials with public or private service providers that rely on verified identity information (so-called relying parties), disclosing only the data needed for a particular transaction.
Electronic attestations of attributes allow users to prove specific facts about themselves – such as being of legal age or holding a particular driving licence category – without disclosing additional personal data. This selective disclosure is one of the defining features of the EUDI Wallet and a key reason why it represents a meaningful step forward for privacy in digital transactions.
The EUDI Wallet is the EU legislator’s answer to the shortcomings of the original eIDAS Regulation. Although the 2014 framework sought to facilitate secure cross-border electronic transactions, implementation remained largely national, resulting in fragmented systems and limited cross-border uptake. The revised eIDAS Regulation seeks to address this by introducing the EUDI Wallet as a harmonised, EU-wide means of electronic identification.
II. How EUDI Wallets are provided
While the revised eIDAS Regulation requires each Member State to ensure that at least one EUDI Wallet is made available, it leaves Member States flexibility as to how they meet that obligation. In principle, there are three possible models:
- The Member State may develop and operate the EUDI Wallet itself.
- The Member State may entrust a private actor with building and operating the EUDI Wallet on its behalf.
- Finally, a private actor may develop its own wallet independently and seek recognition from a Member State.
Member States may choose one or more of these models. Germany, for example, has opted to implement all three models under its forthcoming German Digital Identity Act (Digitale-Identitäten-Gesetz), whose cabinet draft was adopted on 20 May 2026, with the notable feature that numerical caps on the number of independently developed and recognised wallets are expressly prohibited.
For businesses, the third model is particularly relevant, as it allows private providers to develop their own EUDI Wallet solutions independently and participate directly in the emerging wallet ecosystem, subject to recognition by a Member State. For private wallet providers, the choice of the recognising Member State is often a strategic one, as it will shape the applicable national certification pathway, the competent supervisory authorities and the wider regulatory environment in which they operate.
III. Key features of the EUDI Wallet
The revised eIDAS framework sets a high bar for the design and operation of EUDI Wallets. Several features are particularly important from a business perspective.
The EUDI Wallet must be provided free of charge and designed in a user-friendly manner. Security is a core element, and the revised eIDAS Regulation sets out very high security requirements for the EUDI Wallet accordingly. On interoperability, the EUDI Wallet aims to standardise the exchange of information across borders by obliging wallet providers to implement common protocols and interfaces, so as to ensure that the EUDI Wallet functions seamlessly across the EU. Regarding privacy and data protection, the EUDI Wallet must include features designed to ensure data minimisation. In particular, it must be possible for the user to disclose only selective data. In addition, the user must be able to trace their actions within the EUDI Wallet, and the use of data is limited, for example by a prohibition on combining EUDI Wallet data with data from other services. Before a wallet can be made available, it must be certified by a conformity assessment body designated by the Member State from which recognition is sought.
Beyond the mandatory core functions described above, the revised eIDAS Regulation gives Member States the option to allow additional functionalities of the EUDI Wallet. For example, Germany will make use of this option. Under the German Digital Identity Act, EUDI Wallet providers in Germany may integrate existing electronic payment instruments, such as credit cards, virtual debit cards and online payment services, into the wallet as an additional function, provided this does not impair the wallet’s core identity functions.
IV. Business roles in the EUDI Wallet ecosystem
The EUDI Wallet ecosystem involves several roles that are relevant for businesses. The three principal ones are EUDI Wallet provider, relying party and trust service provider. A fourth category, the intermediary, is also worth noting for businesses that act on behalf of relying parties. Each role carries different legal obligations, registration requirements, and commercial opportunities, and a business may occupy more than one role simultaneously.
EUDI Wallet providers – building and operating the wallet
The most direct way for a private business to enter the EUDI Wallet ecosystem is as a wallet provider. As explained above (under II.), Member States can recognise EUDI Wallets that have been developed independently by private actors. This creates a market-entry opportunity for businesses with the technical capability and relevant business case to build wallet solutions.
The bar for entry is, however, high: EUDI Wallets are required to be provided under an electronic identification scheme with assurance level high. They must ensure security-by-design and support a comprehensive set of common protocols and interfaces. These must cover, among other things, the issuance of person identification data and electronic attestations of attributes, the request and validation of data by relying parties, and the sharing and presentation of data to relying parties both online and, where appropriate, offline.
Compliance with these requirements must be demonstrated through a certification process conducted by a conformity assessment body designated by the Member State from which recognition is sought. In Germany, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) is responsible for establishing the national certification scheme.
A further structural constraint is worth noting: the EUDI Wallet must be free of charge to all natural persons. Any business model built around wallet provision must therefore be structured around services adjacent to the EUDI Wallet rather than around charging users for its core functions.
EUDI Wallet providers are also subject to strict data minimisation requirements. They may not collect data beyond what is necessary for the provision of wallet services, and personal data relating to the wallet must be kept logically separate from any other data held by the provider. Finally, the source code of the application software components of EUDI Wallets must, in principle, be open-source licensed. However, Member States may provide that, for duly justified reasons, the source code of specific components other than those installed on user devices shall not be disclosed.
Businesses considering entry into the wallet provider market should begin by mapping the technical and certification requirements against their existing infrastructure, identifying the Member State from which they intend to seek recognition and engaging early with the relevant conformity assessment process. Given the open-source requirement and the strict data separation rules, compliance architecture needs to be defined at the design stage.
Relying parties – who can and who is obliged to accept the EUDI Wallet
Any business that wishes to use the EUDI Wallet to verify user identity or obtain electronic attestations of attributes will do so as a relying party. This is likely to be the most widespread role, and for many businesses in regulated sectors it will not be a matter of choice but of legal obligation.
A relying party needs to register in the Member State where it is established. As part of that registration, the relying party must provide at least the information necessary to authenticate to EUDI Wallets, including its name, its contact details, the Member State of establishment, and the intended use of the wallet, including an indication of the data to be requested from users. Once registered, a relying party may not request any data beyond what was indicated in the registration. For example, in Germany, the Federal Office of Administration (Bundesverwaltungsamt) acts as the central registration authority for relying parties established in Germany.
The revised eIDAS Regulation also imposes obligations on how relying parties interact with users during any given transaction. Relying parties must identify themselves to the user before requesting any data from the wallet and are responsible for authenticating and validating the data received. Where identification is not legally required, relying parties must also accept the use of pseudonyms.
On the question of mandatory acceptance, the revised eIDAS Regulation takes a calibrated approach, imposing mandatory acceptance on three specific categories of actors:
- Public sector services. Where a Member State requires electronic identification and authentication to access an online service provided by a public sector body, it must also accept EUDI Wallets. Given that electronic identification and authentication is already required for a wide range of eGovernment services across the EU, this will create a significant and immediate field of application for the wallet from the moment national implementations go live.
- Private relying parties in regulated sectors. Where private relying parties that provide services are required by EU or national law, or by contractual obligation, to carry out online identification with strong user authentication, they may be required to accept EUDI Wallets – no later than 36 months from the date of entry into force of the relevant implementing acts and only upon the voluntary request of the user. This is likely to be particularly relevant in sectors such as transport, energy, banking, financial services, social security, health, drinking water, postal services, digital infrastructure, education and telecommunications. Micro and small enterprises are exempt from this obligation.
- Providers of very large online platforms (VLOPs). Where VLOPs as referred to in Article 33 of the Digital Services Act require user authentication for access to online services, they may also be required to accept the EUDI Wallet, only upon the voluntary request of the user and limited to the minimum data necessary for the specific service concerned. In practice, this is likely to be particularly relevant for major online platforms that operate user login or authentication processes.
In all three cases, use of the EUDI Wallet remains voluntary for the user. Access to public and private services must not be restricted or made disadvantageous for persons who do not use the EUDI Wallet, and relying parties must continue to maintain existing access channels.
Trust service providers – issuing and validating digital credentials
Trust service providers play a central role in the EUDI Wallet ecosystem as the providers of the verified content that users store in and share from their wallets. Trust services cover a broad range of electronic services, from issuing and validating certificates for electronic signatures and seals to issuing and validating electronic attestations of attributes, creating electronic timestamps and recording data in electronic ledgers. Trust services may be provided on a commercial basis, which makes this a role with significant revenue potential as demand for verified digital credentials grows.
As highlighted above, electronic attestations of attributes are of particular practical importance. Qualified electronic attestations of attributes, and attestations issued by or on behalf of a public sector body responsible for an authentic source, carry the same legal effect as lawfully issued paper documents and must be accepted as evidence in all Member States.
The revised eIDAS Regulation distinguishes between qualified and non-qualified trust service providers. Qualified trust service providers must meet stricter requirements – including prior notification of the supervisory body, submission of a conformity assessment report and regular audits – but benefit from stronger legal standing, including listing on national trusted lists and a more favourable liability framework. Non-compliance can lead to withdrawal of qualified status, and the revised eIDAS Regulation introduces a mandatory minimum fines regime of up to EUR 5 million or, for larger providers, up to 1% of worldwide annual turnover.
Finally, trust service providers are also subject to specific data protection obligations beyond the GDPR. Personal data relating to the provision of attestation services must be kept strictly separate from data relating to any other services offered by the provider or its business partners.
Intermediaries – acting on behalf of a relying party
Where a business acts on behalf of a relying party rather than directly as one, it operates as an intermediary. Intermediaries are treated as relying parties themselves and are subject to the same obligations. One additional constraint applies specifically to this category: intermediaries may not store data about the content of the transaction. This strict data minimisation rule is a material compliance consideration for any business, such as an identity verification or authentication service provider, that positions itself between the EUDI Wallet and a relying party.
V. Key takeaways
- The EUDI Wallet is moving from concept to implementation. Once live, it will become a central tool for digital identification and authentication across the EU, both for public services and large parts of the private digital economy. In practice, the EUDI Wallet is intended to make digital identity verification more secure, interoperable and privacy-preserving, while giving users greater control over the data they share.
- Businesses may participate in the EUDI Wallet ecosystem in different roles, most notably as wallet providers, relying parties or trust service providers. Each role comes with its own regulatory requirements, registration obligations and commercial opportunities, and some businesses may ultimately combine more than one of these roles.
- For some organisations, acceptance of the EUDI Wallet may not be optional. Depending on the circumstances, public sector bodies, private relying parties in regulated sectors such as banking, energy, health and telecommunications, and providers of very large online platforms may fall within the acceptance obligation under the revised eIDAS Regulation.
- Early preparation is likely to create an advantage. Businesses that may fall within the mandatory acceptance regime should assess whether and when the obligation will apply, complete the necessary registration and ensure interoperability with the EUDI Wallet infrastructure. Compliance should be built into system design from the outset. Businesses outside the mandatory acceptance regime should also consider whether voluntary integration may create strategic value.
