In brief
The EUDI (European Union Digital Identity) Wallet will have significant impact on Very Large Online Platforms (VLOPs), app stores, social media services, video-sharing platforms, regulated services such as gambling or adult media, healthcare providers, financial and banking services, public sector bodies and everyone who is obliged either by contract or law to implement two-factor authentication to identify their users.
In depth
Intro — Obligations and opportunities
On 20 May 2024, Regulation (EU) 2024/1183 entered into force. The Regulation implements, among other things, the new EU digital identification wallet (“EUDI Wallet”), which is supposed to harmonize user identification and age-gating in the EU. As such, it will likely have significant impact on the digital world and businesses ranging from financial services to media companies to social networks.
The law aims to establish a legally recognized identification mechanism that requires no more than a few clicks on the end user’s device. Identification will be as easy as paying a restaurant bill with a phone. Certain public bodies, practically all VLOPs and several other private parties will be required to implement and accept the EUDI Wallet to verify their users' identities. The wallet also presents an opportunity for platforms, VLOPs and regulated sectors (e.g., banking and telecommunications) to drive revenue.
Not just one app — What is the EUDI Wallet?
The EUDI Wallet will work as an app that can be installed on common user devices such as smartphones. However, despite a common misconception, there is no single EUDI Wallet app. Instead, the term “EUDI Wallet” refers to the technical and legal standard established by the Electronic Identification, Authentication and Trust Services (eIDAS) 2.0 Regulation.
While it is correct that each EU member state must offer at least one wallet solution by late 2026, the legal framework of the eIDAS 2.0 Regulation was intentionally left open to everyone to enable private parties the creation of their own wallet through complying with the technical standards set out in the Regulation.
Thus, multiple wallets can and very likely will co-exist. The goal of opening the regulatory framework to everyone is to promote technical innovation and widespread acceptance of the wallet. Big tech and platforms will be able to establish their own wallet and integrate it into their platform ecosystem or world of services.
The eIDAS 2.0 Regulation stipulates three different means by which EUDI Wallets can be provided:
| Means of provision |
Explanation |
|
| 1. | Directly by a member state |
In this scenario the provider of the EUDI Wallet app is the respective member state. Each Member State must provide at least one EUDI Wallet until 21 November 2026. |
| 2. | Under a mandate from a member state |
In this scenario, the provider of the EUDI Wallet app is a third-party (e.g., a private company), which is providing the app on behalf of the respective member state. |
| 3. | Independently of a member state (incl. by private parties) but recognized by that member state |
In this scenario, the provider of the EUDI Wallet app can be anyone. Private parties can design the app based on their own needs, e.g., as part of their world of services or platform economy. However, they have to meet certain objective design criteria (e.g., technical standards) and go through an official recognition process. |
Who is required to implement the EUDI Wallet?
The following parties are statutorily required to implement the EUDI Wallet and accept it as a means of identification:
- Providers of VLOPs under the Digital Services Act (DSA) are required to accept the EUDI Wallet as a means of identification, if they require user authentication for access to their online services.
- Since there are currently no VLOPs which function without authentication (i.e., with user accounts, login, etc.) the requirement to implement and accept the EUDI Wallet in practice applies to all VLOPs.
- Private parties which are required by law to use strong user authentication for online identification.
- Strong user authentication means two-factor authentication, e.g., by using a smart phone (factor 1) with touch ID or face ID (factor 2) to log into online banking or execute a payment.
- Typical examples of private parties which are legally required to implement two-factor authentication for their users and are therefore mandated to accept the EUDI Wallet include healthcare providers managing electronic records, banking institutions processing digital payments, and telecommunication companies verifying user identities for mobile contracts.
- Private parties under a contractual obligation to implement strong user authentication.
- Private parties are required to accept the EUDI Wallet if they are contractually obliged by a business partner to use strong user authentication (i.e., two-factor authentication) to identify their users.
- This may occur through B2B agreements, insurance requirements, industry-specific service level agreements (SLAs) or where two-factor authentication is required by contract as a technical and organisational measure (TOM) to comply with the General Data Protection Regulation (GDPR).
- While the eIDAS 2.0 Regulation explicitly lists 12 key sectors (such as digital infrastructure, energy, transport, and telecommunication) as primary obligors, this list is not exhaustive. The obligation to accept the EUDI Wallet extends to any private party — regardless of the sector — as long as a contractual obligation for strong user authentication exists.
- Public sector bodies which provide an online service that requires electronic identification and authentication (e.g., vehicle registration, address registration, business registration, pension insurance, health insurance, tax authorities, student loans/grants, universities, criminal record certificates, driving records.
Driving revenue — What are the most significant business cases?
When a new regulation comes into effect, the initial reaction is usually to consider how it can be avoided or how its impact on business can be mitigated. The EUDI Wallet represents a rare exception, as it will very likely lead to a significant and measurable increase in revenue for numerous service providers.
Since all VLOPs, nearly all public bodies that require identification, and numerous private companies are required to adopt the wallet, it can be assumed that it will become widely established across the EU in a short period of time. This will open up numerous opportunities.
To name just a few:
- Telecommunications providers, banks, and financial service providers no longer need to engage and pay third-party providers to verify a customer’s identity via video chat when concluding a contract online. Instead, all it takes is 2-3 clicks via the EUDI Wallet. With the same process, users can also sign the contract in a legally valid manner. This significantly speeds up the process, increases the conversion rate, and reduces costs.
- Social networks and video sharing platforms will have access to a harmonized and established age-gating and identification tool which they can leverage to fully comply with their DSA age-gating obligations.
- App stores and platforms (many of which must adopt the wallet anyway) can integrate the EDUI Wallet into their platform ecosystem (e.g., into existing payment wallets). These (enhanced) wallets can then in turn be made available to app providers and other third-party services (just like payment wallets already are). Third-party providers can then identify their users with just 2-3 clicks or verify their age for age verification purposes. The platform, in turn, can either monetize the use of the wallet (e.g., by charging the third-party service/app per identification) or benefit from a larger platform economy (more apps, more content, more in-app purchases, more revenue share). Just consider the following regulated services, which can identify their users or verify their age in seconds, allowing them to offer their products and services legally in most member states:
- Gambling services can identify customers within seconds. There is no conversion loss and no extensive costs for third-party identification services.
- 18+ movies and video games, or so-called “indexed” media in Germany, can be legally sold in physical and digital formats, without conversion loss or the need to meet country-specific age-gating requirements.
- Sellers of regulated products such as alcohol, tobacco, drugs and marijuana can legally age-gate and sell within seconds.
- Adult media, which is economically a significant sector that so far largely operates in a grey zone, can be provided fully legally while appropriate age-gating is ensured.
Timing — EUDI Wallet implementation
The eIDAS 2.0 Regulation officially came into force on 20 May 2024, but the timeline for implementation depends on when the first technical implementation acts were published and on who has to comply with them.
The technical implementation acts were already published on 4 December 2024. Based on this date, the following timelines apply:
- Member States: 24 months after the technical implementation acts were adopted, every EU Member State has to provide at least one EUDI Wallet to its citizens (whether operated by the member state or by another body on its behalf). So, the first wallet needs to be ready by 6 December 2026. However, Germany's official EUDI Wallet website states that “[b]y early 2027, at least one EUDI […] is to be available in every Member State.”
- Similarly, public sector bodies must accept the EUDI Wallet 24 months after the technical implementation acts were adopted, i.e., 6 December 2026.
- VLOPs: The eIDAS Regulation 2.0 does not specify a timeline for VLOPs to accept the EUDI Wallet as a means of identification. However, the regulation states that VLOPs shall accept and facilitate the use of the EUDI Wallets “that are provided in accordance with this Regulation”. The common interpretation is that this means, when member states provide the first wallet. Hence, this would December 2026/early 2027.
- Private parties which are required by law to use strong user authentication for online identification and for which strong user authentication for online identification is a contractual obligation imposed by another party must accept the EUDI Wallet 36 months after the technical implementation acts were adopted, i.e., 6 December 2027.