On May 21, 2026, Estonia's Information System Authority (RIA) opened a €21.65 million public tender to build and run the country's EU Digital Identity (EUDI) Wallet — a 96-month contract covering development plus five years of operation, with bids due June 29. RIA is using a competitive dialogue procedure, expects to shortlist three to five applicants, and has declined to split the work into lots, citing "technical and security interdependencies." Margit Aus, who leads RIA's wallet program, says the agency wants a solution that lets users "securely store and present authentication data, use various types of attestation of attributes, and give digital signatures."
For most EU member states, that description reads like a leap forward. For Estonia, it describes infrastructure that has existed for two decades.
Estonia is not starting from zero
Estonians have been signing documents, voting, filing taxes, and accessing health records with a state eID since the early 2000s. RIA reports that more than 800 million digital signatures have been given via ID-card, Mobile-ID and Smart-ID, with annual volume climbing from 14,317 in 2003 to over 100 million a year. More than 99% of public services are online. The e-Residency program, which issues a digital identity to non-residents, brought in €125 million in 2025 — up 87% — and e-resident-founded firms now make up roughly a fifth of all new Estonian companies.
In other words, Estonia is procuring a wallet to satisfy a Brussels mandate for capabilities its citizens already use daily. That inverts the usual logic of EU harmonization, and it sharpens a question the rest of the bloc will face more slowly: what does a mandated, common-architecture wallet add — and what might it put at risk?
The case for the mandate
Start with the strongest argument for the rule. The EUDI Wallet exists because eIDAS 1.0 (Regulation 910/2014) largely failed at its central promise: cross-border recognition. An Estonian signature is trusted everywhere in Estonia, but a citizen trying to use a national eID to open a bank account or enroll at a university in another member state has historically hit a wall of incompatible national schemes. Regulation (EU) 2024/1183, which amended eIDAS and entered into force on May 20, 2024, requires every member state to offer at least one interoperable wallet, and the Commission's implementing acts set a hard deadline of roughly late December 2026. A common architecture with mandatory selective disclosure could, in principle, give some 450 million Europeans a privacy-preserving credential that works across all 27 markets. That is a genuine public good, and the kind of coordination problem that markets rarely solve alone.
Where proportionality strains
The risk is in execution, not ambition. By industry assessments, the December 2026 deadline will produce a staggered, uneven rollout: only a handful of states look near-certain to ship a usable wallet on time, while others will field thin compliance apps with little real-world utility. A deadline met on paper but not in practice helps no one, and it invites exactly the kind of low-adoption "checkbox" infrastructure that erodes public trust in digital government.
For a frontrunner, the danger is different: that conforming to a common framework forces duplication of — or worse, regression from — a system that already works. Estonia's smartest move in this tender is to require that the new wallet be compatible with its existing eID ecosystem rather than replace it. The procurement's structure reflects proportionate thinking. A competitive dialogue keeps vendors honest on a hard technical problem; the five-year operational tail aligns the builder's incentives with long-term reliability rather than ship-and-leave delivery; and a single integrator avoids the security seams that come from splitting identity infrastructure across contractors.
The privacy fault line
The deeper concern should worry anyone who values an open internet. Digital rights group EDRi argues that the Commission's implementing acts are "weakening the Wallet safeguards (untraceability and unlinkability) meant to prevent surveillance," and that a narrow reading of pseudonym rules "makes over-identification of users the default." A wallet that defaults to handing over more identity than a transaction requires — or that lets verifiers correlate a user's activity across services — would turn a convenience tool into surveillance infrastructure. The regulation permits member states to deploy privacy technologies like zero-knowledge proofs, but only on a voluntary basis. That is the wrong default. Unlinkability and data minimization should be load-bearing requirements, not optional upgrades.
Estonia is unusually well-placed to set that bar high. Its eID model has long rested on citizen control and once-only data collection, and its engineers have the standing to push the EU's common architecture toward strong privacy defaults rather than away from them. If the country that proved digital identity can be both ubiquitous and trusted now builds a wallet that bakes in unlinkability, it raises the floor for the other 26.
The real test
The €21.65 million question is not whether Estonia can build the app — it plainly can. It is whether a mandate written in Brussels can reproduce what Estonia achieved through two decades of incremental, utility-driven adoption. Wallets succeed when people reach for them because they are useful, not because a regulation requires their existence. Estonia's tender, with its long operational horizon and insistence on backward compatibility, is a model of how to procure for utility. The EU's deadline, by contrast, is a reminder that you can legislate a wallet into existence far faster than you can legislate it into people's pockets.