Brussels is racing toward one of the most consequential deployments of public-sector technology in a generation. Under Regulation (EU) 2024/1183 — the revised eIDAS framework — every EU member state must make a European Digital Identity Wallet (EUDI Wallet) available to its citizens, residents, and businesses on a voluntary basis. The European Commission adopted the first batch of implementing regulations in late 2024 and rolled out a transitional age-verification 'mini-wallet' in 2025 as a precursor. The clock is now ticking on the 2026 availability milestone, and the choices made in the next twelve months will determine whether the EUDI Wallet becomes a genuine privacy upgrade or a backdoor route to mandatory digital ID across the bloc.
What the wallet actually does
The EUDI Wallet is a smartphone application — issued or certified by each member state — that lets users store and present verified credentials: a national ID card, a driver's licence, a university diploma, a bank account proof, an e-prescription, or a payment instrument. The legal architecture is laid out in Article 5a of the amended eIDAS Regulation, which requires wallets to support 'selective disclosure': revealing only the attribute a relying party needs (for example, that the user is over 18) rather than handing over a full identity document. In principle, that is a meaningful privacy gain over today's reality, in which presenting a passport at a hotel check-in or uploading a photo of an ID card to verify an online account exposes far more data than the transaction requires.
The Commission has framed the wallet as a cornerstone of the Digital Decade 2030 targets, which include the goal that 80% of EU citizens use a digital ID solution by the end of the decade. Four EU-funded large-scale pilots — POTENTIAL, NOBID, DC4EU, and the EU Digital Identity Wallet Consortium (EWC) — have been testing the architecture across travel, payments, education, and social security use cases since 2023.
The 2026 squeeze
The substantive risks lie in implementation, not intent. Member states have a narrow window to launch wallets that meet the Architecture Reference Framework (ARF), the detailed technical specification the Commission maintains with the eIDAS Expert Group. Building a cryptographically rigorous wallet that delivers true unlinkability is hard, and the word covers two distinct properties: verifier-verifier unlinkability (two relying parties pooling their logs cannot tell that two presentations came from the same credential) and issuer-verifier unlinkability (the issuer, colluding with a relying party, cannot recognise its own credential being used). Achieving both generally requires advanced techniques such as zero-knowledge proofs or BBS+ signatures. Earlier ARF drafts leaned heavily on the conventional ISO/IEC 18013-5 mdoc and SD-JWT VC credential formats, which implement selective disclosure with salted hashes under a single issuer signature. On their own, those formats leave the signature and the digest list it covers as a stable identifier shared by every presentation of the credential, so full unlinkability needs additional engineering. The usual mitigation, batch issuance of many single-use copies with fresh salts, blunts verifier-verifier correlation but not issuer-verifier correlation, because the issuer still recognises every signature it produced.
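The following is an added example, not code from the ARF, the reference wallet, or any member-state implementation. It illustrates both the selective disclosure described under 'What the wallet actually does' and the linkability gap described above, using a deliberately simplified SD-JWT-style credential: salted disclosures, a digest list under a single issuer signature, and a presentation that carries only the disclosures the relying party needs. The issuer key, issuer URL, claim names and use of HMAC in place of a real asymmetric signature are assumptions made so the example runs on the Python standard library alone; the JWT header, key binding and expiry handling of real SD-JWT are omitted.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumed demo key. A real issuer signs with an asymmetric key (e.g. ES256);
# HMAC stands in here so the example runs on the standard library alone.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name, value):
    """SD-JWT-style disclosure: base64url([salt, name, value]) and its SHA-256 digest."""
    salt = b64url(secrets.token_bytes(16))
    disclosure = b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())
    digest = b64url(hashlib.sha256(disclosure.encode("ascii")).digest())
    return disclosure, digest


def issue(claims, key=ISSUER_KEY):
    """Issuer: sign only the sorted digest list; the wallet keeps the disclosures."""
    disclosures, digests = {}, []
    for name, value in claims.items():
        disclosure, digest = make_disclosure(name, value)
        disclosures[name] = disclosure
        digests.append(digest)
    digests.sort()  # sorted so a digest's position reveals nothing about the claim
    payload = {"iss": "https://issuer.example", "_sd": digests, "_sd_alg": "sha-256"}
    payload_b64 = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signature = b64url(hmac.new(key, payload_b64.encode(), hashlib.sha256).digest())
    return {"signed": payload_b64 + "." + signature, "disclosures": disclosures}


def present(credential, reveal):
    """Wallet: the signed part plus only the disclosures the relying party asked for."""
    chosen = [credential["disclosures"][name] for name in reveal]
    return "~".join([credential["signed"], *chosen, ""])


def verify(presentation, key=ISSUER_KEY):
    """Relying party: check the signature, then bind each disclosure to a signed digest."""
    signed, *disclosures, _trailer = presentation.split("~")
    payload_b64, signature = signed.split(".")
    expected = b64url(hmac.new(key, payload_b64.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad issuer signature")
    payload = json.loads(b64url_decode(payload_b64))
    signed_digests = set(payload["_sd"])
    revealed = {}
    for disclosure in disclosures:
        digest = b64url(hashlib.sha256(disclosure.encode("ascii")).digest())
        if digest not in signed_digests:
            raise ValueError("disclosure is not covered by the issuer signature")
        _salt, name, value = json.loads(b64url_decode(disclosure))
        revealed[name] = value
    return revealed


def correlatable(presentation_a, presentation_b):
    """What two colluding relying parties (or the issuer) can do with their logs:
    an identical signed part means the same credential instance, whatever was disclosed."""
    return presentation_a.split("~")[0] == presentation_b.split("~")[0]


if __name__ == "__main__":
    # Constructed sample claims for the demonstration.
    claims = {"given_name": "Ada", "birthdate": "1990-01-01", "age_over_18": True}
    cred = issue(claims)
    hotel = present(cred, ["given_name"])
    shop = present(cred, ["age_over_18"])
    print(verify(shop))                    # only the age attribute reaches the shop
    print(correlatable(hotel, shop))       # True: selective disclosure, yet linkable
    fresh = issue(claims)                  # batch issuance: new salts, new signature
    print(correlatable(shop, present(fresh, ["age_over_18"])))  # False across copies
```

The shop learns nothing but the age attribute, which is the selective-disclosure gain. But the hotel and the shop hold the same signed part, so a shared log correlates the two visits; issuing a fresh single-use copy breaks that link between relying parties, while the issuer, which produced both signatures, can still match either one back to the citizen. Closing that last channel is what BBS+ or zero-knowledge presentation is for.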
The European Data Protection Supervisor and the European Data Protection Board have repeatedly flagged this gap. Their joint opinion on the eIDAS proposal warned that without strong unlinkability and pseudonymity-by-default, the wallet could enable issuer tracking of every interaction a citizen has with the digital economy — a level of surveillance no national ID system has ever achieved at scale. Civil society groups including EDRi, Epicenter.works, and noyb have pushed for these protections to be hard-coded into the implementing acts rather than left as optional 'high assurance' add-ons.
Voluntary in law, mandatory in practice
The eIDAS revision is explicit that wallet use must remain voluntary for citizens. But the same regulation obliges 'very large online platforms' designated under the Digital Services Act, and a wide range of regulated sectors — banking, telecommunications, healthcare, transport, education — to accept the wallet when a user wishes to authenticate. Once acceptance is universal and relying parties build their flows around it, the wallet becomes the path of least resistance. A user who refuses to enrol could find themselves locked out of the smoothest version of every digital service.
That is the de facto mandatory ID problem in a nutshell. It is a familiar pattern from India's Aadhaar rollout, where formally voluntary enrolment became practically compulsory for accessing welfare, banking, and mobile telephony. Brussels has the benefit of hindsight; it should use it.
What proportionate rollout looks like
The EUDI Wallet is not a bad idea. A federated, open-standards, citizen-controlled credential layer is a meaningful improvement on the status quo of ad hoc KYC uploads and platform-issued logins. But the difference between a privacy upgrade and a surveillance infrastructure is in the engineering and the guardrails. A proportionate rollout should hold to four principles:
- Unlinkability by default, not by configuration. The reference implementations distributed by the Commission should ship with cryptographic unlinkability enabled, with clear penalties for member-state wallets that downgrade it.
- A hard prohibition on conditioning essential services on wallet enrolment. The implementing acts should spell out that public services, healthcare, and basic banking must remain accessible via non-wallet routes.
- Strict limits on relying-party data retention. Selective disclosure is meaningless if the recipient logs the attribute alongside an IP address and timestamp forever.
- An open audit regime. Independent security researchers should have legal certainty to probe wallet implementations without DMCA- or computer-misuse-style liability — a gap the EU's Cyber Resilience Act has only partly closed.
Get these right and the EUDI Wallet can be a genuine model for the rest of the world: privacy-preserving, interoperable, and citizen-controlled. Get them wrong, and Europe will have built the most sophisticated centralised identity tracking system the continent has ever seen — under the banner of digital sovereignty.