The EU's most ambitious digital infrastructure project in a decade is finally exiting the lab. Under Regulation (EU) 2024/1183 — the recast eIDAS framework better known as eIDAS 2.0 — every Member State must make at least one European Digital Identity (EUDI) Wallet available to its residents within twenty-four months of the Commission's first wave of implementing acts. That clock, started by Commission Implementing Regulations (EU) 2024/2977, 2024/2979 and 2024/2980 in late 2024, runs out around the end of 2026. National rollouts are accelerating accordingly: France Identité, Germany's BundID-linked EUDI pilots supervised by SPRIN-D, Italy's IT Wallet inside the IO app, Spain's Cartera Digital Beta, Poland's mObywatel and Greece's Gov.gr Wallet are all moving from pilot to production this year, with the four Large Scale Pilots — POTENTIAL, NOBID, DC4EU and EWC — winding down cross-border tests of mobile driving licences, age verification, payments and account opening.
Done well, this is a genuine win for European users and for the open internet. Done badly, it becomes a new layer of compulsion stacked on top of an already crowded compliance landscape — GDPR, DSA, DMA, AI Act, Data Act, NIS2 — without the user-side benefits that justify the disruption.
The pro-innovation case for getting this right
The status quo for proving who you are online in Europe is a mess. Citizens upload passport scans to dozens of intermediaries, repeat KYC checks at every bank and telecom, and rely on national eID schemes that rarely work across borders. A genuinely portable, user-controlled credential — one that lets a Polish student rent a flat in Lisbon, a German freelancer open a Spanish bank account, or an Italian parent prove their child's age once rather than fifty times — is exactly the kind of public digital infrastructure that markets cannot easily produce on their own. The European Commission's own 2030 Digital Decade targets envision EU-wide eID availability for all citizens, and recent Eurobarometer surveys suggest a clear majority of Europeans favour having a single digital identity for public services.
The wallet model — selective disclosure, on-device storage, zero-knowledge-style attribute proofs — is also, in principle, an improvement on the status quo of photocopied IDs and password logins exposed to password spraying. That is worth defending.
Three design choices that could spoil it
1. The 'unique and persistent identifier' problem
Civil-society groups including epicenter.works, EDRi and Wikimedia Europe have repeatedly warned that the Architecture Reference Framework (ARF, currently at v1.4) still leans on a unique, persistent identifier that could let relying parties — public and private — correlate every interaction a wallet holder ever has. That is not what 'selective disclosure' is supposed to mean. The legal text in Article 5a (notably 5a(4)) says wallets must not reveal more data than necessary and must not allow tracking by providers. The architecture must catch up to the statute. Pairwise pseudonyms, by default, for every relying party should be a non-negotiable engineering requirement, not an optional profile.
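The correlation risk described above, as an added example that is not part of the original article or of the ARF: it compares what relying parties can join across their logs when every presentation carries one persistent identifier with what they can join when each relying party receives its own pairwise pseudonym. The HMAC-SHA256 derivation, the relying-party names and the holder identifiers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: relying-party identifiers are hypothetical.
RELYING_PARTIES = ["bank.example", "telecom.example", "landlord.example"]


def persistent_presentations(holder_id, relying_parties):
    """Model the page warns about: one identifier shown to every relying party."""
    return {rp: holder_id for rp in relying_parties}


def pairwise_pseudonym(wallet_secret, relying_party):
    """Assumed derivation (not taken from the ARF): HMAC-SHA256 over the
    relying-party identifier, keyed with a secret that stays in the wallet."""
    mac = hmac.new(wallet_secret, relying_party.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


def pairwise_presentations(wallet_secret, relying_parties):
    return {rp: pairwise_pseudonym(wallet_secret, rp) for rp in relying_parties}


def linkable_pairs(logs):
    """Join the logs of every pair of relying parties on the identifier.
    logs maps relying party -> set of identifiers it has seen."""
    rps = sorted(logs)
    found = []
    for i, a in enumerate(rps):
        for b in rps[i + 1:]:
            for ident in sorted(logs[a] & logs[b]):
                found.append((a, b, ident))
    return found


def simulate(n_holders=3):
    """Return (links with persistent IDs, links with pairwise pseudonyms)."""
    persistent_logs = {rp: set() for rp in RELYING_PARTIES}
    pairwise_logs = {rp: set() for rp in RELYING_PARTIES}
    for n in range(n_holders):
        holder_id = f"holder-{n:04d}"            # constructed identifier
        wallet_secret = secrets.token_bytes(32)  # per-wallet key, kept on device
        for rp, ident in persistent_presentations(holder_id, RELYING_PARTIES).items():
            persistent_logs[rp].add(ident)
        for rp, ident in pairwise_presentations(wallet_secret, RELYING_PARTIES).items():
            pairwise_logs[rp].add(ident)
    return linkable_pairs(persistent_logs), linkable_pairs(pairwise_logs)
```

The pseudonym is stable for a given relying party, so returning users are still recognised by that one service, while a join across services finds nothing to match on.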
2. QWACs and Article 45
Article 45's revival of Qualified Website Authentication Certificates (QWACs) — and the requirement that browsers recognise them — remains the single most concerning provision in the entire regulation from a web security standpoint. Mozilla, the broader CA/Browser Forum community and security researchers spent the better part of two years warning that locking browsers into trusting state-designated CAs without retaining the ability to distrust misbehaving ones would weaken, not strengthen, the open web. The political compromise that emerged is workable only if browser vendors retain meaningful root-store discretion in practice. The Commission's secondary acts and the forthcoming guidance should err firmly on the side of preserving that discretion.
3. The DMA collision over secure-element APIs
Article 5a(11) obliges gatekeeper operating systems — read: Apple's iOS and Google's Android — to expose the APIs needed for Member State wallet apps to function, including access to secure-element hardware that today is tightly held by the platforms. This converges with the DMA's interoperability mandates and is being framed as a clean win for competition. It is more complicated than that. Forcing open low-level secure hardware to a long tail of state-procured apps creates real attack surface; the answer is not to refuse interoperability, but to insist on rigorous, security-reviewed APIs with clear liability allocation, rather than political deadlines that pressure platforms into shipping rushed integrations.
The mandate question
Legally, eIDAS 2.0 is voluntary: citizens are not required to use the wallet, and relying parties cannot refuse service to those who do not. In practice, the gravitational pull of government services, banks and telecoms toward 'wallet-first' flows will be enormous. The Commission and national supervisors should treat the non-discrimination provisions in Article 5f as live commitments, not box-ticking — and resist the temptation, already visible in some national strategies, to bundle wallet adoption with access to housing, welfare or healthcare portals.
What good looks like by late 2026
A successful rollout is one where the wallet is the most convenient option for most users, not the only option for any user; where ARF v2.x has shipped with pairwise pseudonyms on by default; where QWAC obligations coexist with browser root-store independence; and where secure-element interoperability is achieved through engineering, not coercion. Europe has a real chance to set a global benchmark for user-controlled digital identity. It should not waste it by confusing 'mandatory' with 'successful'.