🔔 Prepare for eIDAS 2.0 now: with workshop & live testing of your use cases.

EUDI-Wallets – was Unternehmen jetzt wissen müssen!

Grafik mit dem Titel: EUDI-Wallet - Kernfragen & Handlungsempfehlungen. Rechts daneben ist eine digitale Wallet mit verschiedenen  Personaldokumenten abgebildet. Rechts oben ist sind die EU-Sterne zusehen.

Share

EUDI-WALLETS – THE MOST IMPORTANT QUESTIONS & ANSWERS FOR COMPANIES

Standardized wallets for managing digital identity data, so-called EUDI-Wallets (European Digital Identity Wallet), are coming to Europe. All EU member states have committed, with the adoption of the eIDAS 2.0 Regulation on March 26, 2024, to provide their citizens and all legal entities with at least one such EUDI-Wallet by November 21, 2026. We answer the 10 most important core questions regarding the practical consequences for companies in Germany.

10 CORE QUESTIONS FOR COMPANIES

1. What are EUDI-Wallets and when are they coming?
EUDI-Wallets (European Digital Identity Wallet) will be digital wallets in the form of an app on smartphones. They allow citizens to securely use their identity data and verified attributes from key documents, such as identity cards, driver’s licenses, or certificates, in digital applications. Additionally, users can generate legally binding digital signatures within the EUDI-Wallet. EUDI-Wallets will be available free of charge.

All EU countries are required to offer their citizens at least one nationally certified and approved EUDI-Wallet by the end of November 2026. Another deadline in eIDAS states that each member state must provide such a EUDI-Wallet within 24 months of the enactment of designated implementing regulations—these implementing regulations are still under discussion at the EU level as of October 2024.

To implement these, various technical standards are currently being developed within the Architectural Reference Framework (ARF). A total of nearly 50 EU implementing regulations are expected, defining uniform implementation standards to create a European and interoperable ecosystem.

2. How will customer onboarding change with the launch of EUDI-Wallets?
The EUDI-Wallet in Germany will be based on the eID function of the national identity card, the practical use of which among the population currently stands at only 22%, according to the E-Government Monitor 2024. The initialization of a German EUDI-Wallet will generally require the use of the eID.

The EUDI-Wallet will thus complement the range of identification methods for onboarding. Certain sectors and companies are obligated to accept EUDI-Wallets. Functional EUDI-Wallets will be visible in the market at the earliest by the end of November 2026, and their potential market relevance will gradually develop from 2027 at the earliest. Established identification methods such as Photo-Ident, Bank-Ident, or Local-Ident will continue to play a significant role in the practical reach when onboarding customers.

3. What should be considered when accepting EUDI-Wallets?
EUDI-Wallets will introduce new technical standards and protocols for identity verification. At the same time, all international EUDI-Wallets from across Europe must always be accepted. Identity verification with EUDI-Wallets is represented solely through the PID attributes (‘Personal ID Data’), which only include first name, last name, date of birth, and nationality. This represents a change for established identification and business processes. Additionally, the accepting partner must decide whether to incorporate the new technical standards into their business processes or whether the protocols should initially be transformed into established formats. Therefore, preparation for the introduction of EUDI-Wallets should begin early.

4. What level of trust do EUDI-Wallets serve?
The stored PID attributes are defined at a ‘high’ level of trust and are intended to meet all identity verification requirements for EU-based citizens in regulated sectors. Specifically, this means that the attributes can be used for identity verification in the context of the Anti-Money Laundering Act (GwG), Telecommunications Act (TKG), and eIDAS, as well as within the telematics infrastructure of the German healthcare sector. The additional attributes of the German eID will also be stored in German EUDI-Wallets at a ‘high’ level of trust. Whether biometric authentication will be possible for retrieving attributes and what the corresponding user experience will look like, for example, in an onboarding process with EUDI-Wallets in regulated and unregulated identification or authentication processes, is still unclear as of October 2024.

5. Will the use and acceptance of EUDI-Wallets be free of charge?
For citizens, the use of EUDI-Wallets, including the creation of PID (in Germany via the eID function), and the issuance of private signatures (QES) will be free of charge. Companies will register as acceptance partners (‘Verifier’ or ‘Relying Party’) in the publicly administered ecosystem through a paid process. The technical integration of EUDI-Wallets as an additional identification method and the retrieval of verified attributes may involve costs. The exact conditions are still being developed with regard to the market-relevant launch of EUDI-Wallets at the end of 2026.

6. Who will offer EUDI-Wallets?
Each EU member state is required by the eIDAS 2.0 Regulation to provide at least one EUDI-Wallet offering for its citizens by the end of 2026. Each EUDI-Wallet requires certification.

According to BT-Drucksache 20/12796 of September 19, 2024, the German federal government initially plans a non-certified preliminary version of a German EUDI-Wallet that will only enable the identification of natural persons. Additional functions, such as qualified electronic signatures (QES) and other verified attributes (e.g., driver’s licenses, university diplomas, membership cards), as well as on-site use, will follow later. The full functionality of a certified EUDI-Wallet is expected 24 months after the implementing regulations come into force, which are still under discussion as of October 2024. The Federal Office for Information Security (BSI) is mentioned as the certification body. The practical significance of a non-certified preliminary version of a German EUDI-Wallet for acceptance partners in the private and public sectors is currently unclear.

Thus, a state-run EUDI-Wallet is initially expected for Germany. It is likely that private providers’ EUDI-Wallet solutions could also be approved through a still-to-be-defined national certification process. Across the EU, there will be at least 28 different EUDI-Wallets at the start, which must be accepted in each country without discrimination.

7. How will widespread use of EUDI-Wallets be ensured in practice? EUDI-Wallets form the core of a digital identity ecosystem. It is critical to success that many citizens use EUDI-Wallets in their daily lives and that there are many acceptance points. Regulated and large companies will be required to accept EUDI-Wallets, which will provide a good starting point but does not yet define everyday relevance. The entry barrier for citizens in Germany will remain the eID through the online ID function of the national identity card, which as of 2024 has a penetration rate of only around 22%.

A secure ID on a smartphone offers very limited value without practical use cases. Acceleration in usage and adoption could come from private-sector EUDI-Wallets, which are directly integrated into the smartphone experience and high-frequency applications. In parallel, it may be helpful to offer lower levels of trust for mass applications and biometric authentications for a convenient user experience.

Beyond ‘online identification’ as the core application of EUDI-Wallets, the ecosystem for further verified attributes must still develop. For example, processes need to be established to capture and verify a wide range of relevant attributes. Newly defined qualified trust service providers (qTSP) will support this by supplying so-called QEAA (‘qualified electronically attested attributes’) that confirm the authenticity and validity of the respective attributes. Moreover, processes and applications must be developed so that users can practically apply their digital attributes from their EUDI-Wallets in real-life situations. Here, too, it applies that a verified attribute offers very little value if it does not find broad application.

Thus, the launch of EUDI-Wallets is an important starting point for a complete ecosystem that will take many years and decades to fully develop in practice.

8. Should companies offer their own EUDI-Wallets?
The possibility exists. Companies can decide whether to act as issuers of verified attributes (‘Issuer’), as acceptance partners (‘Verifier’), or even as EUDI-Wallet providers within the ecosystem. The specific efforts and potential returns from each role should be evaluated in the individual context. In each EU member state, a EUDI-Wallet and its infrastructure must undergo a national certification process. For private-sector offerings, it may be useful to build on an already approved white-label platform to efficiently structure initial development efforts as well as ongoing development and operational costs.

Verimi has many years of experience in building and operating regulated ID wallets and also offers customized solutions for partner-specific wallet offerings based on EUDI-Wallet standards, including a complete white-label EUDI-Wallet solution under the partner’s brand for market deployment.

9. Are the technical EUDI-Wallet standards relevant to my own identity management?
The EUDI-Wallet introduces new technical standards that bring significant advances in the efficiency and security of handling digital identity data. These standards are very relevant for in-house solutions to take advantage of the trusted processing of digital identities in Europe for proprietary applications and specific business processes. Additionally, this ensures that the company’s attributes could potentially be used later in the open ecosystem with other acceptance partners. Verimi has extensive experience integrating digital identity data into individual use cases and advises on the aspects that need to be considered in the context of your systems.

10. What can companies do now?
EUDI wallets will be available by the end of 2026. While their practical relevance for citizens will develop over time, regulated and large companies, in particular, will be required to accept EUDI wallets from the start for customer identification (onboarding) and as an authentication channel (2-FA).

The obligation to accept these wallets raises fundamental questions for companies, as EUDI wallets introduce new technical and content standards that must be addressed. Once a basic understanding of the implications has been established within the organization, established interfaces and business processes need to be validated for EUDI wallet compatibility. Decisions will need to be made regarding the scope, timing, and priorities of the necessary adjustments, and systems must be prepared accordingly. Ideally, these changes should be tested well in advance of the market’s go-live through selected pilot applications and proof-of-concept implementations. Therefore, it is recommended to start these initiatives early.

Verimi has extensive experience and expertise in integrating ID wallet-based processes and is happy to assist in validating EUDI wallet compatibility.

CLASSIFICATION – WHAT IMPACT DO THE EUDI-WALLETS HAVE ON VERIMI’S OFFERING?

The EUDI wallets and eIDAS standards are an integrated part of Verimi’s service offering. The standards for “verified credentials” are already a productive part of the Verimi ID wallet today.

In Verimi’s identity services, EUDI wallets and identification with the EUDI wallet—once available—will be ready for all Verimi partners alongside all established identification methods. Users will be able to use the EUDI wallet for identification with Verimi partners as well as in the Verimi ID wallet itself, as an alternative to photo ID, bank ID, video ID, and local ID. The Verimi ID wallet itself will be updated to comply with all relevant EUDI wallet standards as soon as possible and will be approved as an EUDI wallet. For partners, relevant data and protocols will be expanded, and established connections can, of course, continue to be used.

On Verimi’s white-label platforms, the EUDI wallet will be available “as-a-service.” Verimi develops and operates customized identity management solutions for its partners, ranging from closed ecosystems for proprietary applications to company-specific EUDI wallets as part of the open ecosystem of digital identities in Europe.

For piloting individual components or business processes, productive proof-of-concept (POC) applications can be used for pilot implementations.

BASICS OF THE EUDI-WALLET

Here, we briefly summarize the key aspects of the EUDI wallet for you. It should be noted that as of the end of 2024, various aspects are still being finalized and adopted by the EU and national bodies, so certain changes may still occur.

What is the core identity (PID) of the EUDI wallets?

At the heart of the EUDI wallet are the so-called Personal ID Data (PID), which include basic personal data such as first name, last name, date of birth, and nationality. In Germany, the core identity is derived from the eID, i.e., from the online ID function, ensuring a high level of trust (LoA High) for populating the German EUDI wallet. In other European countries, national systems will be defined for capturing the core identity in their respective EUDI wallets. This core identity forms the basis for identification, authentication, and digital signatures within the EUDI wallet. This allows companies and public authorities to reliably use digital identities and verified attributes, making processes such as onboarding and customer verification more efficient and secure—even across borders in the EU.

What other attributes and credentials can be stored in the EUDI wallet?

In addition to the Personal ID Data (PID), citizens can include additional attributes and credentials in their personal EUDI wallet. These include verified contact details, such as address, email address, and mobile phone numbers, as well as verified proofs of qualifications, permissions, characteristics, or rights—such as driver’s licenses, educational degrees, professional certificates, or authorizations and powers of attorney. These and other verified available attributes enable easy and quick use of many existing or new digital applications, for example in public administration, education, financial services, or mobility.

The generally recognized verification of attributes is made possible under the eIDAS regulation through the introduction of a new trust service: For the “qualified electronic attestation of attributes” (QEAA), qualified trust service providers (qTSP) are authorized as issuing authorities to verify and confirm the authenticity of the respective attributes.

What is the eIDAS regulation, and how does it relate to the EUDI wallet?

The EUDI wallet is based on the revised eIDAS regulation (eIDAS 2.0). This regulation requires all EU member states to introduce a digital wallet by the end of 2026 at the latest, to standardize the digital identity of citizens. From 2027, companies will be required to accept the EUDI wallet. The goal is for at least 80% of the EU population to use EUDI wallets by 2030.

How are EUDI wallets implemented technically?

The EU and its member states have defined technical requirements in the so-called Architecture and Reference Framework (ARF) to ensure that EUDI wallets across Europe are based on a uniform standard and are thus interoperable. In Germany, the development process is already actively underway, with national standards such as the eID serving as the basis.

What advantages do EUDI wallets offer the public?

The EUDI wallet offers citizens numerous advantages, particularly in simplifying everyday processes. By securely storing verified proofs such as identity cards, driver’s licenses, or other attributes digitally, EUDI wallets enable secure and fast processes in both the public and private sectors. Users can authenticate themselves online throughout Europe without having to repeatedly provide or verify the same information. At the same time, they retain full control over their data, as they can decide which information to share and with whom (“selective disclosure”).

In addition, the EUDI wallet provides the ability to create qualified electronic signatures (QES) directly within the wallet, which simplifies and legally validates digital agreements, such as contracts.

What advantages do EUDI wallets offer companies?

For companies, the EUDI wallet brings significant efficiency gains in digital business processes. The high level of trust (LoA High) and the ability to quickly verify digital identities allow companies to reduce costly and time-consuming identity and attribute checks. This is especially relevant for companies that are subject to regulatory requirements, such as in KYC (Know Your Customer) processes.

In addition, EUDI wallets offer the flexibility to integrate verified credentials of all kinds as attributes, making digital business processes more efficient or even possible within the secured trust network.

Are companies required to accept EUDI wallets?

  • Regulated industries: Yes, in regulated sectors, eIDAS 2.0 mandates the acceptance of EUDI wallets as an identification and authentication tool.

  • Non-regulated industries: For very large platforms, eIDAS requires mandatory acceptance of EUDI wallets as an identification and authentication tool. Other companies may do so on a voluntary basis.

It is important to note that all approved EUDI wallets from across Europe must be accepted without discrimination. Acceptance partners therefore have no choice or preference option for individual EUDI wallets. This should also be considered with regard to potential commercial billing models for verified attributes.