The European Digital Identity Framework: introducing the new EU Digital Identity Wallet

The European Union (the EU) is replacing a patchwork of national digital identity schemes with a harmonised legal framework under which every Member State must make at least one EU digital identity wallet (eID Wallet) available to their citizens, residents and businesses, by the end of 2026. These mandatory eID Wallets will link citizens’ national digital ID with proof of other personal attributes like driving licences, diplomas, professional qualifications and bank accounts. This mandate is the culmination of a journey that started with Regulation (EU) No 910/2014 (eIDAS)[NM1] , which sought to create a digital single market in the EU for electronic identification and trust services. eIDAS was amended by Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 (eIDAS 2.0), which established a comprehensive European Digital Identity Framework through inserting a new Section 1 into Chapter II of eIDAS. The end goal is to allow all EU citizens to have control over their own identity data and to have access to public and private services across the EU requiring verification of ID and to participate in the digital economy. We consider first in this article the main features of the new EU Digital Identity Framework and then compares that regime with the UK’s emerging digital verification model.

What eIDAS 2.0 changes

eIDAS 2.0 does more than update the EU’s existing framework for electronic identification. It introduces a new legal and technical architecture for digital identity, designed to make the EU Digital Identity Wallet interoperable, trusted and usable across both public and private sector services. Two aspects are particularly important: first, the core features of the wallet itself, and second, the wider legal and practical implications of the new framework.

The core features of the EU Digital Identity Wallet

While eIDAS laid the groundwork for cross-border electronic identification services, it suffered from significant shortcomings that hindered widespread adoption. From 2018, it has been mandatory for Member States to recognise any digital identity systems that have been evaluated, approved and listed by the EU Commission under eIDAS, which are known as “notified electronic identification schemes”. However, it was left entirely up to individual Member States as to whether they planned to develop a national electronic identification scheme, leading to a fragmented landscape where access for individuals to a notified eID scheme was inconsistent across the EU. Moreover, prior to eIDAS 2.0, interoperability relied on a superstructure to connect the assorted electronic identity systems, which was prone to technical problems. Furthermore, the infrastructure was primarily geared toward public sector services and lacked a seamless mechanism for sharing their digital ID and specific personal attributes in digital form, such as professional qualifications, a driving licence or bank details, with the private sector.

The new framework under eIDAS 2.0 addresses these shortfalls by:

• Mandating that every Member State offers a national eID Wallet App to all citizens, residents and businesses, built to the same specifications, by the end of 2026. Each version of the eID Wallet must be interoperable and work across the EU and shall include a common dashboard embedded into the design, and a user-friendly interface which shows the user a list of all relying parties with whom their data or attributes have been shared.
• Making the source code for the eID Wallet application available under an open-source licence, ensuring transparency and promoting trust.
• Promoting a harmonised security approach by facilitating a common technical architecture, reference framework and standards to enable interoperability of national eID schemes.
• Mandating compliance with EU cybersecurity legislation and with the Regulation’s certification, security and incident-management requirements to promote confidence in the solution.
• Extending the scope of eIDAS beyond purely national identity documents to enable electronic attestation of attributes such as academic qualifications and professional entitlements.
• Enabling the use of a qualified electronic signature free of charge to all natural persons for non-professional purposes.
• Placing the citizen in effective control of their data, enabling citizens to select which aspects of their data they share with third parties.

The legal and practical implications of the new framework

Individuals using an eID Wallet App should benefit from access to a number of public and private services while their privacy remains protected through strong cryptographic encryption. Only necessary personal data will be shared, in accordance with the General Data Protection Regulation (GDPR) principle of privacy by design – this means that the features will automatically apply the principles of purpose limitation, data minimisation and selective disclosure. Users retain their GDPR rights, including the right to request erasure where the conditions in Article 17 GDPR are met. Digital identities will continue to be provided by individual Member States, but the eID Wallet will ensure that digital identities may be used and shall be accepted across the EU by those relying parties falling within the relevant acceptance obligations. And crucially, because the aim of eIDAS 2.0 is to promote the fundamental rights of EU citizens under legal safeguards and to protect democratic societies, Member States must not, either directly or indirectly, limit access to services to persons who do not opt to use an eID Wallet.

To translate these high-level requirements into technical reality, the European Commission has already adopted core implementing regulations covering matters such as wallet integrity and core functionalities, certification, person identification data and electronic attestations of attributes, and notifications relating to the wallet ecosystem. Further implementing acts may still follow where required by the framework.

It is expressly stated that the new requirements will not change any existing EU or national laws regarding the conclusion or validity of contracts or other legal obligations. On a practical level, eIDAS 2.0 suggests that Member States should agree on common elements with regard to business model and fee structure, to facilitate take-up of eID Wallets by SMEs.

The new regime will be enforced through administrative fines. Member States shall be obliged to legislate to set in law penalties for infringements of eIDAS 2.0 such as any direct or indirect practices leading to confusion between qualified and non-qualified trust services, or to abuse of the EU trust mark by non-qualified trust service providers. More broadly, the framework also imposes supervisory, governance and security obligations on wallet providers, issuers, relying parties and trust service providers.

In the future, the EU aims to extend the benefit of eIDAS into cross-border transactions, recognising the benefit of convenience and legal certainty for international trade. The EU Commission may adopt implementing acts to set the conditions under which trust frameworks within third countries could be considered as equivalent to the eIDAS trust framework, subject to conditions set by the Commission. And where a very large online platform (VLOP) within the meaning of Article 33(1) of the Digital Services Act - the list of which includes Amazon, Google and TikTok – requires users to be authenticated to access online services, that VLOP shall be required to accept an eID Wallet on the request of the user but this must be freely chosen and the VLOP will not be permitted to obligate users to authenticate through this means. Whether this will be readily accepted by the VLOPs, is another question. It is also important to distinguish between the end-2026 deadline for Member States to make wallets available and the later acceptance obligations that apply to certain relying parties.

Electronic identification services have the potential to be transformative in the financial services sector and for other services for which AML and client verification checks are a requirement. Having a universal, harmonised system will reduce costs for firms and improve access for customers.

Comparing the EU and UK regimes

Although both the EU and the UK are seeking to enable digital identity in a more structured way, they are doing so through markedly different legal and policy models. The EU has adopted a harmonised regulatory framework with mandatory elements, whereas the UK is developing a more market-led verification regime. This comparison matters for organisations operating across both jurisdictions.

The UK digital verification framework

The Data (Use and Access) Act 2025[NM2]  marked a significant shift in the UK’s legislative handling of digital ID and data as a whole. Part 2 of the Act established the Digital Verification Services (“DVS”) trust framework. By codifying a national trust framework, the Act aims to move beyond fragmented, manual processes toward a streamlined system where identity proofing is more secure, cost-effective, and widely accepted.

To oversee this ecosystem, the Act formally empowers the Office for Digital Identities and Attributes (OfDIA) to operate as the new statutory body responsible for enabling a trusted and secure digital ID market in the UK. More precisely, the Act places statutory duties on the Secretary of State to establish and maintain the DVS register[NM3]  and trust mark regime, while OfDIA operates the system within DSIT and on the Secretary of State’s behalf rather than as a separate statutory regulator. In a notable departure from the EU’s more centralised, top-down enforcement model, the OfDIA’s primary tool is the Statutory Register of DVS Providers, which serves as the "source of truth" for trustworthy UK services. In this way, the UK relies on a "certification-based" model where providers choose to be certified against government standards to gain a formal "trust mark."

This certification-based model is designed to encourage innovation while maintaining safeguards and technical standards. Under this framework:

• Providers voluntarily choose to undergo assessment against the government’s DVS trust framework.
• Upon successful certification, providers are granted a formal trust mark, signalling to the market that their service is reliable and interoperable.
• Users can share their verified attributes without the need for physical documents, and with the full knowledge that the provider is safe and reliable.
• Providers may also be removed from the register if they cease to meet the statutory requirements or fail to maintain conformity.

Key points of divergence between the EU and UK models

For the present, the UK and the EU have taken different approaches to enabling digital ID. The EU has adopted a mandatory approach, meaning that in the EU it is a legal obligation on the state to provide and on public and private sector service providers to accept the eID Wallet. This is in contrast with the UK, where the system is built on voluntary market participation. Although it is important to note that in either system, no citizen is forced to have a digital ID. In the EU, however, the acceptance obligation is not universal across all businesses from day one; it applies to categories of relying parties identified by the Regulation and the implementing framework.

In terms of maturity, it is arguable that the EU’s approach promotes certainty as it is set to come into force in August 2026 and has a much wider territorial and service scope, harmonising the system across the European Union and encompassing not only digital identity services, but also electronic signatures and electronic attestation of attributes. The more precise position is that the amended eIDAS Regulation is already in force, Member States must make wallets available by the end of 2026, and certain acceptance obligations follow thereafter. While the British government has announced plans to hold a citizen’s assembly to consult on future digital ID plans, it is evident that the debate is not yet settled and it seems the government is keen to build trust amongst the public before making any further decisions on the matter.

As well as the political approach differing, the technical architecture and user experience model chosen by the two bodies diverge significantly too. The eID Wallet aims for a unified “single app” feel across the entire bloc. Conversely, the UK seeks to create a competitive ecosystem of multiple private-sector providers that interact with government services. These providers compete to offer verification services that can interact with various government departments and private businesses, overseen by the OfDIA. At the same time, the UK is also developing a GOV.UK Wallet and broader public-sector digital identity capability, so the UK model is no longer purely private-sector in orientation.

Lastly, the EU’s regulations as brought into effect through the implementing acts guarantee cross-border interoperability and place this requirement at front and centre. Yet the UK currently sits outside this mutual recognition, meaning UK-based trust services may face challenges as a "third country" when operating within the EU Digital Identity Framework. That does not mean UK trust services are automatically excluded from all EU-facing use cases, but they do not benefit from the EU’s internal mutual-recognition architecture.

What organisations should do now

Given that the UK and the EU are taking two very different approaches to the implementation of digital IDs, organisations operating in these areas must be conscious of the differences to comply with the relevant rules, in particular the mandatory recognition of digital ID of EU citizens.

For organisations operating in the EU, the immediate legal question is whether they will fall within the categories of relying parties required to accept the wallet once the acceptance obligations begin to apply. For organisations operating in the UK, the key issue is whether certification under the DVS trust framework and listing on the register will become commercially necessary even where it is not formally mandatory.

The UK’s approach presents an opportunity for organisations to innovate in the digital ID space and help shape the market standard for trusted digital verification services. However, the UK‘s framework remains less developed than the EU system, which is due to be rolled out across the EU by the end of 2026. Organisations seeking to develop digital ID services should understand the differences between the twos systems and plan ahead to meet the applicable requirements.