Seismic shift in identity-verification incoming

The European Digital Identity Regulation marks a major change in how identity is verified across the EU.

The Regulation (EU) 2024/1183, which establishes the European Digital Identity Framework (EUDI Regulation), came into force in May 2024 and will take legal effect across the European Union in November 2026, write William Fry lawyers Rachel Hayes, Leo Moore  and Aoife Keenan.

Authentication

It reforms the existing electronic identification, authentication, and trust services system under the eIDAS Regulation (EU No 910/2014) and forms part of the EU’s digital decade policy programme 2030.

The EUDI Regulation aims to create a trusted, user-controlled digital identity framework for EU citizens and businesses engaging in online transactions that require identification or authentication.

Each member state must offer at least one European Digital Identity Wallet (EUDI Wallet) to citizens and residents. These wallets will be apps allowing users to store and share verified identity information and documents securely when accessing digital services.

While member states must provide the wallets, use of them will be voluntary. Citizens and residents who choose not to use the wallet cannot be discriminated against.

Goals

For users, the EUDI wallet will:

• Store digital identity information in one secure place,
• Allow selective sharing of information with public or private entities,
• Provide quick and easy access to online services.

The broader aims are to reduce fraud, lower authentication costs for businesses, and strengthen trust in digital transactions. Wallets will link national digital identities with proofs of personal attributes such as driver’s licences, diplomas, or medical prescriptions.

Users will retain control over which information is shared and with whom.

For businesses, the EUDI wallet offers a secure, reliable, and cost-effective way to verify identity, supporting efficient digital interactions.

Businesses can also obtain their own wallets to authenticate their identity in B2B relationships.

For EU users, the wallets will be optional and free of charge, providing a single, privacy-preserving means of identity assurance across the EU.

Application mandatory

Acceptance of EUDI wallets will be mandatory in specific sectors, including transport, energy, financial services, and very large online platforms.

These organisations must support wallet-based identity verification by 2027. Public sector digital services across the EU must also accept EUDI wallets.

Other companies, including non-EU entities, may voluntarily adopt the system to improve trust and compliance.

Legal and compliance risks

The EUDI Regulation must operate alongside existing frameworks such as the General Data Protection Regulation (GDPR).

Article 12a requires EUDI wallets to meet EU cybersecurity certification standards established under Regulation (EU) 2019/881.

Organisations integrating must therefore ensure strong data protection, interoperability, and security.

Key legal risks include:

1. Data protection: Organisations must comply with GDPR principles, including data minimisation, purpose limitation, and security. The EUDI Regulation forbids combining wallet-related data with other datasets unless explicitly authorised. Non-compliance may trigger penalties under both frameworks. Strong internal controls will be needed to prevent data misuse or ‘scope creep’,
2. Technical interoperability: Relying parties must ensure their systems can securely connect with the wallet infrastructure. Failures in data exchange or authentication could lead to service disruptions and reputational damage,
3. Fragmented implementation: Despite the harmonised framework, differences in national rollout and certification could cause legal uncertainty for cross-border service providers,
4. Cybersecurity threats: As the wallet may store sensitive personal and governmental data, it will be a prime target for cyberattacks. Breaches or unauthorised access could lead to severe legal and reputational harm. Organisations must adopt strong encryption, continuous monitoring, and regular risk assessments to mitigate these threats.

Preparing

Member states must provide access to interoperable EUDI wallets by November 2026.

Medium and large organisations, especially in regulated sectors, should prepare now to meet the 2027 compliance deadline. Steps for readiness include:

• Registering as a relying party with national authorities,
• Integrating wallet-based authentication into existing systems,
• Ensuring GDPR and national data protection compliance,
• Accepting EUDI Wallets as valid forms of identification,
• Supporting wallet-based login for large online platforms,
• Conducting internal assessments to evaluate technical and organisational readiness.

Conclusion

The EUDI Wallet represents a seismic shift in digital identity verification across the EU.

If successfully implemented, it promises enhanced user control, improved trust in online interactions, and streamlined access to services. However, it also introduces complex regulatory and cybersecurity obligations.

Failure to comply

Failure to comply could result in penalties, reputational damage, or exclusion from the EU’s digital identity ecosystem.

With sensitive personal data concentrated in one place, ensuring robust protection will be critical.

With the November 2026 deadline approaching, businesses should act now — reviewing their identity verification systems, upgrading infrastructure, and engaging with national authorities or pilot programmes.

Early preparation will position organisations to benefit from this new digital identity era while managing its significant legal and technical challenges.