07-21-2025 Article

The new EU Digital Identity Wallet (EUDI)

Update Data Protection No. 218

The new European Digital Identity Wallet (EUDI) marks a significant step in the development of the European legal framework for digital identities. Regulation (EU) 2024/1183, which came into force in April 2024, comprehensively revises the previous eIDAS Regulation (EU) No. 910/2014. The regulation obliges all EU member states to provide their citizens with access to an interoperable, trustworthy digital wallet by November 2026. This results in legal and technical requirements for companies, especially if they use electronic identification or authentication in their processes. The following provides an overview of the points that companies should consider now.

I. Concept and function of the EUDI wallet

The EUDI is designed as a digital means of identification that will be available in all EU Member States in the future. The aim is to offer natural and legal persons a standardized, secure way to store their identity and other digital evidence, so-called attribute certificates, in electronic form and to prove them to third parties. The wallet should be usable not only for online services but also in an offline context and, in particular, should meet the "high" level of assurance.

It is planned that users will be able to use the wallet to digitally prove their place of residence, professional qualifications, powers of representation or payment information, for example. It should also be possible to use qualified electronic signatures directly via the wallet. The EUDI should be designed to be data protection-friendly and include functions for selective data disclosure and transaction logging. These wallets can be issued by both public authorities and recognized private institutions.

In Germany, the federal government has already initiated the development of a state wallet. This is to be introduced gradually by 2027 and will initially enable citizens to identify themselves digitally and securely via smartphone. The range of functions will then be continuously expanded. Private providers will also be able to develop EUDI wallets in future and have them recognized in Germany.

The introduction of the EUDI is particularly relevant for companies if they carry out digital identity checks or authentication, for example when opening an account, concluding a contract or providing sensitive digital services. In certain cases, companies will be obliged to accept the wallet as proof of identity.

A joint analysis by the German Federal Office for Information Security (BSI) and the French ANSSI underlines the security relevance of wallet onboarding in this context. Onboarding is the process in which users verify their personal identification data (PID) for the first time and transfer it to the EUDI wallet. The authorities are particularly critical of video-based remote identification procedures that capture biometric data and ID documents via camera and microphone. Although such methods are considered accessible and user-friendly, they are susceptible to scalable forms of attack such as presentation attacks (e.g. with photos, masks or deepfakes) and injection attacks (e.g. manipulated video or data streams).

The paper warns that many of these attacks are difficult to detect and make it considerably more difficult to reliably validate the authenticity of people and documents in practice. At the same time, it criticizes existing weaknesses in standardization, in particular the still incomplete assignment of the verification procedures to the eIDAS trust levels. BSI and ANSSI are therefore calling for a harmonized approach across Europe with clear technical requirements, mandatory test procedures and the preferential use of secure technologies such as reading chip data instead of optical character recognition (OCR). Only robust and uniformly tested onboarding procedures can guarantee the high level of security of the EUDI and create lasting trust among users and service providers.

II. Affected companies

The personal scope of application of the EUDI Regulation extends, firstly, to companies that are considered "relying parties" within the meaning of the Regulation. So-called "relying parties" are natural or legal persons "who rely on an electronic identification, European digital identity wallet or other means of electronic identification or a trust service" (Art. 3 No. 6).

According to Art. 5b para. 1, the mere intention to use the wallet as a means of identification for the provision of public or private services triggers the obligation to register in advance with the competent authority in the respective Member State.

Moreover, companies are legally obliged to accept the EUDI if they are legally or contractually obliged to carry out online identification with strong authentication. According to Art. 5f para. 2, users must be enabled to use the European wallet for their identification, at their voluntary request, by the end of 2027 at the latest. This acceptance obligation applies in particular to regulated areas such as transport, energy, banking, financial services, social security, health, drinking water supply, postal services, digital infrastructures, education and telecommunications. The only exceptions are micro and small companies that employ fewer than 50 people and whose annual turnover or annual balance sheet does not exceed EUR 10 million.

In addition, providers of very large online platforms within the meaning of the Digital Services Act (Regulation (EU) 2022/2065) are obliged under Art. 5f para. 3 to enable the use of the EUDI wallet for authentication purposes if the user so wishes. This also creates an obligation for the most visible players on the platform market to integrate the wallet into their login and identification processes.

Secondly, trust service providers are also directly affected by the scope of the EUDI Regulation. These providers offer electronic services such as issuing, creating, validating, preserving or archiving electronic signatures, seals, time stamps, attribute certificates, website certificates or registered mail, and therefore play a central role in the EU's digital trust infrastructure. The regulation distinguishes between qualified and non-qualified trust service providers.

For qualified trust service providers, the requirements already applicable under the original eIDAS Regulation remain largely in place. According to Art. 19, they are still obliged to take technical and organizational measures to adequately manage security risks, in particular to prevent or minimize the impact of security incidents. Such incidents must be reported within 24 hours to the competent supervisory body and, where appropriate, to the persons concerned and other relevant bodies.

Art. 19a of the Regulation introduces separate requirements for non-qualified trust service providers. These must now have suitable concepts and procedures in place, in particular for registration and integration procedures, administrative controls and the management of the trust service itself. They are also obliged to report significant security breaches or disruptions within 24 hours if personal data or service availability are affected.

The EUDI Regulation is also relevant for trust service providers with regard to the future role of the EUDI wallet itself. This will not only be a means of identification, but will also represent a central technical interface for the provision and use of trust services, in particular signatures and attribute certificates. Trust services must therefore be designed in such a way that they are interoperable with the EUDI infrastructure and can be seamlessly integrated into the wallets. Providers of such services should therefore check at an early stage whether and in what way their systems need to be technically and organizationally adapted to the requirements of wallet use.

III. Internal measures for implementation

Companies that are considered to be relying parties should start preparing internally for the integration of the EUDI wallet at an early stage. The regulation makes it clear that by the end of 2027, affected companies must technically and organizationally integrate the wallet as a means of digital identification if they are legally or contractually obliged to provide strong user authentication and the user chooses to use the wallet.

The first step is to register as a relying party in accordance with Art. 5b para. 1. Registration takes place with the Member State of establishment and is linked to certain information obligations, including details of the company, the type of service and the intended processing of personal data in connection with the use of the wallet.

In addition, technical precautions must be taken to integrate the wallet into existing authentication and access processes. This includes, for example, the establishment of compatible interfaces for wallet communication and the connection to the infrastructure for qualified trust services, if these are required in the process (e.g. for signature or verification functions). The technical connection must meet the requirements for interoperability, security and availability that have been specified in the implementing acts issued.

Under data protection law, relying parties are obliged to adapt data processing in connection with wallet use to the requirements of the GDPR and the EUDI Regulation itself. This includes, among other things, a precise definition of the purpose of processing, the principle of data minimization and the obligation to provide information to users. In many cases, a data protection impact assessment will also be required, especially if sensitive data categories are processed.

Finally, organizational embedding should not be neglected. Processes for validating and storing evidence, for logging authentication procedures and for responding to technical faults or security incidents must be documented, verifiable and embedded in the company. In addition, targeted training of employees involved in identity checks or digital onboarding processes is recommended to ensure that the new identity infrastructure is handled in a legally compliant and proper manner.

Against this backdrop, trust service providers are also required to prepare their systems for future integration with the EUDI wallet at an early stage. As the wallet will act as a central interface for the use of trust services such as signatures, seals or attribute certificates, these services must be technically designed in such a way that they can be seamlessly integrated into the wallet infrastructure. This includes, in particular, the provision of interoperable interfaces via which users can access trust services directly from the wallet.

In addition to the technical connection, existing security and reporting processes must be reviewed and, if necessary, adapted to the new requirements. This applies in particular with regard to the obligation to report significant security incidents within 24 hours and the implementation of suitable technical and organizational measures to control risks. The future binding requirements for the administration and implementation of trust services also require a structural and documented anchoring of corresponding procedures. Providers should therefore assess at an early stage which operational and technical adjustments are required to ensure interoperability with the EUDI and compliance with regulatory requirements.

IV. Conclusion

With the introduction of the EUDI wallet, the EU is setting a uniform, mandatory framework for digital identification across national and sector boundaries. The regulation significantly expands the previous eIDAS framework and creates binding requirements for a broad group of companies for the first time. They must be prepared to integrate EUDI wallets technically and organizationally by the end of 2027 at the latest if they operate in regulated areas or are required to provide strong authentication.

The associated requirements relate not only to technical interfaces and IT security, but also to processes for registration, data processing, verification and incident reporting. Companies are well advised not to postpone implementation: the necessary adjustments are complex, interfere with existing systems and require a coordinated interplay of technical, organizational and legal measures. The EUDI not only entails obligations, but also creates the basis for a uniform, legally binding and user-centered identity infrastructure in the European single market.

This article was created in collaboration with our student employee Emily Bernklau.
