The Launch That Crystallises a Contradiction
In early June 2026, Germany's Sparkassen-Finanzgruppe — the network of 343 regional savings banks serving more than 50 million customers — made a notable EU debut: the first eIDAS 2.0-aligned age verification credential integrated directly into Google Wallet. Users can now prove they are 18 or older with a single tap on an Android device, disclosing no date of birth, name, or address. The system uses zero-knowledge proof cryptography: Sparkasse issues the credential as GDPR data controller, and Google's Credential Manager API handles secure transmission to participating services.
Technically, it is an impressive piece of privacy engineering. Politically, it is a case study in what happens when ambitious European digital sovereignty regulation meets compressed implementation timelines and no production-ready alternatives.
What the DIdG Actually Says
Six weeks before the Sparkassen launch, on May 20, 2026, the German federal cabinet adopted the draft Digitale-Identitäten-Gesetz (DIdG). The bill — now proceeding through the Bundestag and Bundesrat — implements EU Regulation 2024/1183 (eIDAS 2.0) at the national level. It sets a hard target of December 24, 2026 for Germany to have an EUDI Wallet operational, with full public rollout planned for January 2027.
The DIdG explicitly permits three deployment models: a state-operated wallet, a wallet deployed by third parties acting on behalf of the state, or a wallet issued directly by private providers officially recognised and certified by the state. That third option is the legislative gateway that enables a company like Google — via a partnership with a state-supervised institution like Sparkasse — to operate infrastructure carrying government-backed identity credentials. The German Ministry for Digitalization (BMDS) has confirmed the state wallet's source code will be publicly accessible. But the state wallet does not launch until January 2027. The gap between now and that date is being filled by the Sparkassen/Google system.
The eIDAS Contradiction
EU Regulation 2024/1183 is explicit: the EU digital wallets will be open-source licensed, ensuring transparency and security. The regulation was designed, in part, to reduce European citizens' dependency on US technology platforms for core identity functions — the policy literature consistently frames eIDAS 2.0 as an assertion of digital sovereignty against the infrastructure dominance of American and Chinese technology giants.
Yet Germany's first live eIDAS-aligned credential runs through Google's proprietary Credential Manager API. The open-source mandate in the regulation applies to the wallet application itself, not to the underlying operating system SDK — a distinction that creates a grey zone large enough to drive a platform through.
The sovereignty critique is not abstract. Once 50 million Sparkasse customers build digital ID habits inside Google Wallet, the behavioural and technical lock-in is substantial. If Google suspends an account, changes API terms, or exits the European market, citizens enrolled in a state-mandated identity programme could find their government service access disrupted by a California company's product decisions. The byteiota.com analysis summarises the structural problem precisely: temporary platform integrations have a documented tendency to become permanent infrastructure, and migration after 50 million users have adopted a system is effectively impossible at scale.
Steelmanning the Other View
The case for the Sparkassen/Google approach deserves honest engagement. The EU's December 2026 wallet deadline is a hard legal obligation — not an aspiration. No production-ready, interoperable, open-source EUDI Wallet existed at scale before this year. Building one from scratch would have required years Germany did not have.
The zero-knowledge proof design is genuinely privacy-preserving: no biometric is stored, no DOB is transmitted, and Sparkasse — a German public institution subject to BaFin oversight and GDPR — remains data controller. The system has a concrete compliance purpose: the Digital Services Act requires proportionate age verification for online platforms from February 2025, and something had to fill that gap. Baker McKenzie's analysis of the EUDI Wallet framework notes that service providers legally required to identify customers will soon be obligated to accept certified wallets — meaning the infrastructure being built today is not optional. Speed matters when the alternative is non-compliance with EU law.
What Proportionate Regulation Looks Like Here
This is not a story about bad actors. Both Sparkasse and the German government are trying to meet legitimate EU-mandated deadlines with available tools. Google's Credential Manager API is, in its design, consistent with the privacy architecture eIDAS 2.0 envisions: credential issuance stays with the regulated institution; the platform is a transport layer, not an identity authority.
But the DIdG's private-provider provision needs clearer guardrails before it hardens into settled policy. Three targeted reforms would reduce lock-in risk without sacrificing the innovation:
- Time-limited certification windows: Private wallet providers authorised under the DIdG should receive certification periods of two to three years, requiring renewal as the state wallet matures — not open-ended approvals.
- Portability mandates: Citizens who establish eIDAS credentials through a private provider must have a statutory right to migrate to the state wallet or any certified alternative without losing validity or continuity.
- API transparency obligations: Where a proprietary SDK carries state-backed credentials, the API contract governing data flows should be disclosed to the BMDS and be independently auditable, even if it is commercially confidential.
The BMDS has indicated that alternative wallet providers can seek certification approximately 12 months after the state wallet launches, creating a more competitive market by early 2028. That is the right direction. The open question is whether 50 million users already habituated to one platform will migrate when the state alternative arrives.
The Broader EU Lesson
Germany's situation is not unique. All 27 EU member states face the same December 2026 deadline, the same shortage of mature open-source infrastructure, and the same institutional temptation to use what works today. What distinguishes Germany is that the DIdG makes the private-provider pathway explicit statutory policy rather than an emergency workaround — which creates a legal framework for accountability that pure regulatory improvisation would not.
The EU designed eIDAS 2.0 to assert digital sovereignty. It may also, inadvertently, be the regulation that legitimises Big Tech's role in carrying state identity infrastructure across a continent. Both outcomes depend on what guardrails member states build into their national implementing legislation — and how quickly state alternatives move from cabinet paper to working wallet.