Analysis: The era of identity assurance – FAQs on Europe’s Digital Identity Wallet
Pictured (left–right): Rachel Hayes, Leo Moore and Aoife Keenan.
William Fry lawyers Rachel Hayes, Leo Moore and Aoife Keenan explain the key features of the EU’s Digital Identity Wallet.
Regulation (EU) 2024/1183, which establishes the European Digital Identity Framework (EUDI Regulation), came into force in May 2024 and will take legal effect across the European Union in November 2026.
The EUDI Regulation reforms and enhances the electronic identification, authentication and trust services framework (by reforming Regulation (EU) No. 910/2014, the e-IDAS Regulation).
It also forms part of the Digital Decade Policy Programme 2030 (Decision (EU) 2022/2481), which lays down Europe’s objectives and digital targets by 2030.
The EUDI Regulation aims to foster an EU-wide trusted, voluntary and user-controlled digital identity for businesses and citizens when engaging in online transactions requiring identification, authentication, or verification.
What does the EUDI Regulation offer to European citizens and residents?
A key feature of the EUDI Regulation is the mandate for each Member State to offer at least one form of European Digital Identity Wallet (EUDI Wallet) to EU citizens and residents (together, Users). The objective is to ensure Users have access to a digital identity that is under their sole control, which enables them to exercise their rights in the digital environment and participate in the digital economy.
Under the EUDI Regulation, Users will have access to secure and reliable electronic identification schemes and services, fostering trust in online transactions with public and private service providers.
What is the EUDI Wallet?
The EUDI Wallet will be an app on Users’ mobile devices in which they can store important documents and use certain identity information to authenticate themselves when using digital services. While Member States are required to make EUDI Wallets available, they are optional for EU citizens and residents to use. Users who opt not to use it cannot be discriminated against.
Why is Europe introducing the EUDI Wallet?
The EUDI Regulation has several goals for Users, which include:
- The ability to store digital identity information in one (secure) place;
- The option to control the information about them that is shared with either public authorities or businesses accepting EUDI Wallets (e.g. the intention is that Users will be able to share specific attributes without revealing all identity information or other personal details); and
- Quick access to services online.
Broader goals of the EUDI Regulation include the EU’s objective to reduce fraud and minimise the costs for businesses to authenticate individuals (i.e. by businesses accepting EUDI Wallets, rather than other or manual authentication tools/services).
Users will be in control of the information stored in their EUDI Wallet, which will generally be any information that links their national digital identities with proof of other personal attributes such as driver’s licence, educational records, bank account information, medical prescriptions, transport tickets, and more.
Who can use the EUDI Wallet?
Member States must make EUDI Wallets available to EU-based Users and businesses/organisations. Some of the key benefits of the EUDI Wallet will be as follows:
- For EU Users, EUDI Wallets will be an optional, free-of-charge means of identity assurance used to authenticate Users’ identities with service providers. This enables Users to easily access a range of public and private services within the EU while also protecting their personal data. Users will be able to download the EUDI Wallet at no cost, and it can include their verified documents, such as identification cards and diplomas.
- For businesses, EUDI Wallets will provide a secure, reliable, and more cost-effective way to authenticate the identity of Users within the EU, helping them conduct business more efficiently. Businesses will also be able to apply for their own wallets to confirm their identities in B2B relationships.
Does the EUDI Regulation apply to EU and non-EU businesses?
The EUDI Regulation applies as follows:
- EU-based private organisations: acceptance of the EUDI Wallet will be mandatory in certain industries such as transport, energy, financial services and very large online platforms (even if they already use strong authentication schemes and are not small enterprises). Organisations in these industries must support EUDI Wallet logins and identity checks by 2027. Non-regulated companies (EU or non-EU) may voluntarily accept EUDI Wallets to improve trust, simplify compliance and enhance User experience.
- EU-based public organisations: acceptance of the EUDI Wallet will be mandatory for digital public services.
Are there any risks with the EUDI Wallet?
The EUDI Regulation will require compliance with cybersecurity standards and must work in parallel with other legal frameworks, such as the General Data Protection Regulation (GDPR). Notably, Article 12a of the EUDI Regulation requires certification of the conformity of EUDI Wallets in accordance with European cybersecurity certification schemes adopted pursuant to Regulation (EU) 2019/881, which establishes the EU cybersecurity certification framework while ensuring the protection of personal data and privacy through secure and privacy-preserving digital identification across the EU.
The EUDI Wallet introduces potential legal risks that organisations should carefully assess as part of their compliance programmes. Certain legal risks include:
- Data protection: Organisations must provide the capabilities required under the EUDI Regulation while ensuring that any processing of personal data through the EUDI Wallet accords with the GDPR. The EUDI Regulation references the GDPR, and organisations must adhere to data protection principles, such as data minimisation, purpose limitation and data security. Unless explicitly permitted, the EUDI Regulation prohibits combining wallet-related personal data with other datasets. Any infringement could lead to enforcement action under the EUDI Regulation and the GDPR. Organisations will need to ensure they have processes in place to avoid scope creep and data misuse.
- Technical interoperability and reliability: Organisations designated as relying parties must ensure their systems can securely interact with the EUDI Wallet infrastructure. Any authentication or data exchange failure could lead to service disruptions or reputational damage.
- Fragmented implementation: Despite the harmonised framework, national variations in the rollout and certification processes may create legal uncertainty for cross-border service providers.
- Cybersecurity: The EUDI Wallet will facilitate User access to various services, including sensitive personal and governmental services. This makes the EUDI Wallet a possible target for malicious actors. If an organisation’s connection to the EUDI Wallet is compromised through identity theft, data manipulation, or other unauthorised access, there is a risk of significant legal and reputational consequences. Organisations may be liable for failing to implement adequate technical and organisational measures or cybersecurity measures to safeguard data. Proactive risk assessments, robust encryption, and continuous monitoring will be essential to mitigate these risks and ensure compliance.
What should businesses interested in the EUDI Wallet for identity authentication do?
Member States are mandated to offer EU Users access to a secure and interoperable EUDI Wallet by November 2026. The EUDI Regulation applies directly across the EU and introduces obligations for both public and private sector organisations.
While micro and small enterprises may be exempt, medium and large organisations should begin preparations to meet the 2027 compliance deadline.
Organisations caught under the EUDI Regulation, particularly those offering digital services or operating in regulated sectors, should carry out assessments to identify what steps are needed to adhere to the new rules. Some steps for consideration include:
- registering as a relying party with national authorities;
- facilitating technical integration of wallet-based authentication systems;
- ensuring compliance with GDPR and national data protection requirements;
- facilitating the acceptance of the EUDI Wallet as a valid form of identification;
- facilitating support for wallet-based login and verification, in particular, for large online platforms; and
- carrying out assessments of internal systems and processes to ensure readiness for regulatory compliance.
Conclusion
The EUDI Wallet represents a seismic shift in identity verification for Users across the EU. To facilitate this shift, organisations need to ensure that they have the technical capabilities and appropriate preparations in place to facilitate the implementation of the EUDI Wallet as prescribed in the EUDI Regulation.
If the EUDI Wallet is introduced successfully across the EU, organisations and Users can expect to see significant benefits, including increased access and control over data shared when engaging with services online or in business-to-business interactions, streamlined access to services and sharing of data, and strengthened trust, access to and reliance on digital interactions.
While the successful implementation of the EUDI Wallet has many benefits, its implementation also poses significant risks for organisations and Users.
Organisations integrating with the EUDI Wallet must navigate complex legal and technical obligations, including compliance with GDPR, certification schemes, and interoperability standards. Failure to meet these obligations could result in regulatory penalties, reputational damage, or exclusion from the digital identity ecosystem.
Further, from a practical perspective, if a User’s sensitive data is stored in one location, it is of the utmost importance that the data is adequately protected, as a personal data breach could seriously affect a User’s data protection rights and have other significant ramifications for individuals and organisations alike.
Given the November 2026 deadline, businesses should begin assessing their readiness now.
Early assessments will include reviewing existing identity verification processes, updating infrastructure to support EUDI Wallet integration, and ensuring alignment with privacy and cybersecurity laws.
Early engagement with national authorities and participation in pilot programmes may also help mitigate risks and position organisations for success in the evolving digital identity landscape.
- Rachel Hayes and Leo Moore are partners and Aoife Keenan is an associate at William Fry LLP.


