The European Digital Identity Framework: introducing the new EU Digital Identity Wallet

By the end of 2026, the EU has mandated that all Member States provide at least one EU digital identity wallet (eID Wallet) to their citizens. These mandatory eID Wallets will link citizens’ national digital ID with proof of other personal attributes like driving licences, diplomas and bank accounts. This mandate is the culmination of a journey that started with Regulation (EU) No 910/2014 (eIDAS), which sought to create a digital single market in the EU for electronic identification and trust services. eIDAS was amended by Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 (eIDAS 2.0), which established a comprehensive European Digital Identity Framework through inserting a new Section 1 into Chapter II of eIDAS. The end goal is to allow all EU citizens to have control over their own identity data and to have access to public and private services across the EU requiring verification of ID and to participate in the digital economy.

While eIDAS laid the groundwork for cross-border electronic identification services, it suffered from significant shortcomings that hindered widespread adoption. From 2018, it has been mandatory for Member States to recognise any digital identity systems that have been evaluated, approved and listed by the EU Commission under eIDAS, which are known as “notified electronic identification schemes”. However, it was left entirely up to individual Member States as to whether they planned to develop a national electronic identification scheme, leading to a fragmented landscape where access for individuals to a notified eID scheme was inconsistent across the EU. Moreover, prior to eIDAS 2.0, interoperability relied on a superstructure to connect the assorted electronic identity systems, which was prone to technical problems. Furthermore, the infrastructure was primarily geared toward public sector services and lacked a seamless mechanism for sharing their digital ID and specific personal attributes in digital form, such as professional qualifications, a driving licence or bank details, with the private sector.

The new framework under eIDAS 2.0 addresses these shortfalls by:

• Mandating that every Member State offers a national eID Wallet App to all citizens, residents and businesses, built to the same specifications, by the end of 2026. Each version of the eID Wallet must be interoperable and work across the EU and shall include a common dashboard embedded into the design, and a user-friendly interface which shows the user a list of all relying parties with whom their data or attributes have been shared. 
• Making the source code for the eID Wallet application available under an open-source licence, ensuring transparency and promoting trust. 
• Promoting a harmonised security approach by facilitating a common technical architecture, reference framework and standards to enable interoperability of national eID schemes. 
• Mandating compliance with EU cybersecurity legislation to promote confidence in the solution. 
• Extending the scope of eIDAS beyond purely national identity documents to enable electronic attestation of attributes such as academic qualifications and professional entitlements. 
• Enabling the use of a qualified electronic signature free of charge to all natural persons for non-professional purposes. 
• Placing the citizen in sole control of their data, enabling citizens to select which aspects of their data they share with third parties.

Individuals using an eID Wallet App should benefit from access to a number of public and private services while their privacy remains protected through strong cryptographic encryption. Only necessary data will be shared, in accordance with the GDPR principle of privacy by design – this means that the features will automatically apply the principles of purpose limitation, data minimisation and will allow users to request the immediate erasure of their data under Article 17 of the GDPR. Digital identities will continue to be provided by individual Member States, but the eID Wallet will ensure that digital identities may be used and shall be accepted across the EU. And crucially, because the aim of eIDAS 2.0 is to promote the fundamental rights of EU citizens under legal safeguards and to protect democratic societies, Member States must not, either directly or indirectly, limit access to services to persons who do not opt to use an eID Wallet.

To translate these high-level requirements into technical reality, the European Commission intends to publish implementing acts to provide the mandatory technical specifications and certification standards so as to ensure interoperability of the system.

It is expressly states that the new requirements will not change any existing EU or national laws regarding the conclusion or validity of contracts or other legal obligations. On a practical level, eIDAS 2.0 suggests that Member States should agree on common elements with regard to business model and fee structure, to facilitate take-up of eID Wallets by SMEs.

The new regime will be enforced through administrative fines. Member States shall be obliged to legislate to set in law penalties for infringements of eIDAS 2.0 such as any direct or indirect practices leading to confusion between qualified and non-qualified trust services, or to abuse of the EU trust mark by non-qualified trust service providers.

In the future, the EU aims to extend the benefit of eIDAS into cross-border transactions, recognising the benefit of convenience and legal certainty for international trade. The EU Commission may adopt implementing acts to set the conditions under which trust frameworks within third countries could be considered as equivalent to the eIDAS trust framework, subject to those frameworks’ compliance with the EU GDPR (regarding data protection) and the NIS2 Directive (regarding cybersecurity). And where a very large online platform (VLOP) within the meaning of Article 33(1) of the Digital Services Act - the list of which includes Amazon, Google and TikTok – requires users to be authenticated to access online services, that VLOP shall be required to accept an eID Wallet on the request of the user but this must be freely chosen and the VLOP will not be permitted to obligate users to authenticate through this means. Whether this will be readily accepted by the VLOPs, is another question.

Electronic identification services have the potential to be transformative in the financial services sector and for other services for which AML and client verification checks are a requirement. Having a universal, harmonised system will reduce costs for firms and improve access for customers.

Comparing the EU and the UK approaches

While the EU seeks to give all EU citizens the right to a digital identity that is under their sole control, take-up within the UK of digital identification may be said to be running at a slower pace and with a different philosophy. Recent UK legislation lays the groundwork to change that. 

The UK approach

The Data (Use and Access) Act 2025 marked a significant shift in the UK’s legislative handling of digital ID and data as a whole. Part 2 of the Act established the Digital Verification Services (“DVS”) trust framework. By codifying a national trust framework, the Act aims to move beyond fragmented, manual processes toward a streamlined system where identity proofing is more secure, cost-effective, and widely accepted.

To oversee this ecosystem, the Act formally empowers the Office for Digital Identities and Attributes (OfDIA) to operate as the new statutory body responsible for enabling a trusted and secure digital ID market in the UK. In a notable departure from the EU’s more centralised, top-down enforcement model, the OfDIA’s primary tool is the Statutory Register of DVS Providers, which serves as the "source of truth" for trustworthy UK services. In this way, the UK relies on a "certification-based" model where providers choose to be certified against government standards to gain a "trust mark."

This certification-based model is designed to encourage innovation while maintaining safeguards and technical standards. Under this framework:

• Providers voluntarily choose to undergo assessment against the government’s DVS trust framework.
• Upon successful certification, providers are granted a formal trust mark, signalling to the market that their service is reliable and interoperable.
• Users can share their verified attributes without the need for physical documents, and with the full knowledge that the provider is safe and reliable. 

Comparison between the EU and UK regimes

For the present, the UK and the EU have taken different approaches to enabling digital ID. The EU has adopted a mandatory approach, meaning that in the EU it is a legal obligation on the state to provide and on public and private sector service providers to accept the eID Wallet. This is in contrast with the UK, where the system is built on voluntary market participation. Although it is important to note that in either system, no citizen is forced to have a digital ID. 

In terms of maturity, it is arguable that the EU’s approach promotes certainty as it is set to come into force in August 2026 and has a much wider territorial and service scope, harmonising the system across the European Union and encompassing not only digital identity services, but also electronic signatures and electronic attestation of attributes. While the British government has announced plans to hold a citizen’s assembly to consult on future digital ID plans; it is evident that the debate is not yet settled and it seems the government is keen to build trust amongst the public before making any further decisions on the matter. 
 
As well as the political approach differing, the technical architecture and user experience model chosen by the two bodies diverge significantly too. The eID Wallet aims for a unified “single app” feel across the entire bloc. Conversely, the UK seeks to create a competitive ecosystem of multiple private-sector providers that interact with government services. These providers compete to offer verification services that can interact with various government departments and private businesses, overseen by the OfDIA.

Lastly, the EU’s regulations as brought into effect through the implementing acts, guarantee cross-border interoperability and places this requirement at front and centre. Yet the UK currently sits outside this mutual recognition, meaning UK-based trust services may face challenges as a "third country" when operating within the EU Digital Identity Framework.

Conclusion

Given that the UK and the EU are taking two very different approaches to the implementation of digital IDs, organisations operating in these areas must be conscious of the differences to comply with the relevant rules, in particular the mandatory recognition of digital ID of EU citizens. On the other hand, the UK’s approach presents an opportunity for certain organisations to innovate in the digital ID space and become the benchmark of what a good digital ID service provider looks like. However, the UK‘s framework is less developed than the system which is expected to be soon be rolled out across the EU and organisations seeking to create digital ID services should be aware of the differences and plan ahead to meet any requirements.