The eID Wallet Still Doesn’t Deserve Your Full Trust

The European Union’s eID Wallet, introduced under Regulation 2024/1183 (eIDAS 2.0), is intended to give citizens a single, portable digital identity for online public‑service transactions. While the regulation was adopted two years ago, the wallet cannot launch until the Commission adopts a set of implementing acts that spell out data formats, APIs, and security certifications. Member states will then build interoperable solutions that respect the same baseline standards. This two‑step approach was designed to balance rapid digital transformation with a harmonised legal framework across the bloc.

Civil‑society groups, led by EDRi and epicenter.works, argue that the current draft of those implementing acts erodes the very protections the regulation promised. The proposals weaken untraceability and unlinkability, introduce mandatory processing of facial biometric data, and narrow the scope for pseudonymous credentials, effectively forcing over‑identification. By making registration certificates optional, the burden of privacy protection shifts to end‑users, who must scrutinise every service request. If adopted, these provisions could turn the wallet into a surveillance instrument rather than a privacy‑by‑design tool.

The stakes extend beyond individual privacy. A mandatory eID Wallet for age‑verification on social‑media platforms would embed the technology into everyday digital life, creating a de‑facto identity checkpoint for a large segment of the population. This could distort competition, limit innovation in alternative verification solutions, and chill free expression, especially for younger users. Policymakers therefore need to revise the implementing acts, reinstate strong unlinkability guarantees, reject compulsory biometric collection, and preserve optional registration certificates. Only a robust, rights‑respecting framework can secure public trust and ensure the wallet supports, rather than hinders, the EU’s digital agenda.