The European Digital Identity Wallet was supposed to be the EU's model of privacy-respecting identification infrastructure — a system where citizens could prove their age to a news portal, authenticate to a government portal, or sign a contract without surrendering a biometric trail. That vision collided in June 2026 with a technical committee compromise that reveals how much the Commission's implementing acts diverge from what legislators actually agreed.
The Regulation That Launched a Thousand Implementing Acts
Regulation (EU) 2024/1183, which amended eIDAS and entered into force on 20 May 2024, is explicit about pseudonymity. Its recitals state that wallets "should include a functionality to generate user-chosen and managed pseudonyms, to authenticate when accessing online services" and that accessing services under a pseudonym "should not be prohibited" absent a legal identity requirement. The legislation reflects a hard-fought political bargain: the European Parliament pushed for strong anonymity protections, and those protections made it into the final text.
But Regulation (EU) 2024/1183 also delegated an enormous amount of technical work to the Commission through implementing acts — the fine-grained rules that determine which data fields are mandatory, which formats wallets must support, and how relying parties can request attributes. Commission Implementing Regulation (EU) 2024/2977, adopted in November 2024, began filling in those details, covering person identification data (PID) specifications. It is in those technical specifications where the political commitments have been quietly eroded.
The June Committee Decision
At an eIDAS Committee meeting in mid-June 2026, the Commission finalised the minimum dataset that every EUDI Wallet must contain. The critical dispute centred on whether a biometric facial portrait — in practice, a passport-quality photo — would be mandatory. The Commission had been pushing for it to be included in the minimum PID set, arguing that interoperability with international standards like ISO 18013-5 (the mobile driving licence standard already adopted by Australia, Japan, and Canada) required it.
The compromise reached allows member states to make the facial image optional for individual users — but crucially, does not require member states to offer that option. Countries that choose not to provide an opt-out can include the biometric portrait by default. In practice, this means wallet deployments across 27 member states may vary wildly: some will offer genuine facial-image opt-outs, others may embed biometrics in every wallet without recourse.
"The power dynamics in our society are such that there are many situations where consent is not really given," Thomas Lohninger, executive director of Austrian digital rights organisation epicenter.works, told Biometric Update following the meeting.
Pseudonymity Narrowed to the Login Screen
The biometric portrait is not the only concern. In a March 2026 analysis, epicenter.works identified five structural problems in the Commission's draft implementing acts. The most technically significant is what has happened to pseudonymity.
The parent regulation guarantees pseudonymous access where no legal identity requirement exists — social media platforms, news portals, age-gating services, gambling sites. The implementing acts as drafted, however, restrict pseudonymity to the authentication step only: the moment of logging in. Once a session is established, relying parties can request additional PID attributes, and the Wallet specification as written does not give the wallet software a mechanism to refuse requests that exceed legal entitlement. The result, epicenter.works argues, is that the guarantee of pseudonymity is theoretical at the regulation layer and practically nullified at the implementation layer.
Epicenter.works also identifies a weakening of anti-tracking language: draft specifications changed "prevent" linkability and traceability to merely "hinder" it — a formulation that satisfies the letter of the requirement while permitting correlation attacks that the Parliament had sought to block.
The Case for the Commission's Approach
It would be unfair to dismiss the Commission's position without stating it fairly. Biometric portraits in digital identity are genuinely useful for in-person verification — border crossings, age-sensitive retail, healthcare — and ISO 18013-5 alignment matters if European wallets are to be accepted internationally. A wallet standard that diverges from global mobile driving licence norms risks creating a EU-only island. The Commission can also argue that implementing acts are the appropriate instrument for technical specifications, and that member-state discretion on biometric opt-outs is a real concession.
Even on pseudonymity, there is a coherent argument: some services legitimately need attributes beyond a login credential, and specifying those interactions in implementing acts rather than in the regulation itself is legally orthodox.
Why the Delegation Gap Is Still a Problem
The issue is not that implementing acts exist — it is the direction of their travel. The Parliament during trilog negotiations explicitly removed language that would have mandated biometric processing. When the Commission reintroduces that requirement through technical specifications that are adopted by committee rather than by co-decision, the parliamentary check is bypassed entirely. The same logic applies to pseudonymity: the regulation says pseudonymous access must be available; the implementing act constrains it to a narrow authentication window. The effect is that a political trade enacted by elected legislators is reversed by a technocratic process that receives far less scrutiny.
Epicenter.works has argued for three specific fixes: extend pseudonymity protection to cover all wallet interactions (not just authentication); require member states — not just permit them — to offer biometric portrait opt-outs; and restore "prevent" language for linkability and tracking.
What Proportionate Regulation Actually Looks Like
The EUDI Wallet is a valuable piece of infrastructure if done right. Over 550 organisations across 26 member states plus Norway, Iceland, and Ukraine are already testing it in large-scale pilots. A late-2026 mandatory rollout to every EU citizen and resident is one of the most ambitious digital identity deployments in history. That ambition makes the privacy architecture more important, not less.
A privacy-respecting minimum dataset would separate authentication credentials from attribute data, permit biometric portraits only where legally required for a specific use case (e.g., border control, not online booksellers), and impose a hard prohibition on relying parties requesting attributes beyond their legal basis regardless of what the wallet could supply. The technical implementing acts still have time to be corrected — but only if the Commission treats the privacy commitments in the parent regulation as binding constraints rather than aspirational defaults.