A Secure and Unique Digital Identity for 448 Million People? The Digital ID Wallet is Set to GoMainstream Across Europe

The European Union wants to make a digital identity wallet available to every one of its citizens by 2026. Read about this hugely ambitious project. 

All over the world, the ‘problem’ of digital identity is hurting people and businesses. Take cyber fraud. One estimate says losses from online payment crime could exceed $362 billion between 2023 and 2028. It’s clear that weak digital identity processes are at the heart of this epidemic. In the current environment, it’s very easy for criminals to steal online identities (or set up fictitious ones) in order to scam people and business. 

The solution seems obvious: a robust and secure digital ID system. With such a framework in place, criminals would find it almost impossible to pass as someone else. However, strong digital ID has the potential to do more than reduce online scams. It can also make it easier for citizens to perform a range of critical tasks both online and in physical locations: travelling across borders, proving age, signing documents, claiming prescriptions. The good news is that now, across Europe, such a system is now being built.

A digital wallet available for every EU citizen from 2026

In June 2021, the European Commission (EC) proposed a framework for a new EU Digital Identity Wallet (EDIW) accessible to all EU citizens, residents and businesses. The proposal was built on an existing EU regulation/protocol – eIDAS (electronic identification, authentication and trust services) – which was established in 2014 and later updated as eIDAS 2.0. Under the new legislation, every member state must make a digital identity wallet available to its citizens by 2026.

What does the EU Wallet do?

The new proposal will give every EU citizen a unique digital identity. And it  will be recognised anywhere in the zone and beyond, since the EU wallet is built on interoperable international standards. Users can store a range of encrypted, digitalised ID credentials in their wallets, and then share their credentials with any verified third party that needs to check them. These third parties might include public administrations, customs official, banks, hospitals, employer, e-commerce site and more.

The project promises to change the lives of millions of EU citizens, making it much easier to move around, prove identity and entitlements and access government services. But, more than this, it also has the potential to bring about a new era in which people take more control of their own data – sharing it securely with organisations they trust on their terms.

It’s why Ursula von der Leyen, President of the European Commission, described the wallet as “a secure European e-Identity…that any citizen can use anywhere in Europe…a technology where we can control ourselves what data and how data is used.”

This people-centric model of digital identity – sometimes called self-sovereign identity (SSI) – is an idea that has been around for many years. In this framework, citizens and consumers no longer need to fill out long forms full of personal details or scan documents when on-boarding to a service. Instead, they click on a signed digital credential they have loaded inside their digital wallet, then share it securely with any service provider. Evidence suggests that citizens welcome this model. For example, in 2023 officials in Queensland Australia worked with Thales’ Digital ID Services to launch a digital licence app. 500,000 people downloaded it inside seven months.

How eIDAS 2.0 will promote interoperability across Europe 

The EU’s vision for its eIDAS 2.0 framework is to harmonise the development of digital wallets across the zone. This is an important goal. Why? Because some member states already have their own national schemes. Examples include Belgium’s itsme, Norway and Sweden's BankID, and Italy's SPID. These digital ID services are very popular. For example, itsme, which is linked to Belgium’s banking network, has 7 million users.

For all their success, the established national legacy identification services only work in their home countries. The eIDAS 2.0 framework seeks to change this. It will also extend the capability of mobile digital ID wallets to include issuance, storage, presentation of PID and attestations. The national schemes can do this by modifying their existing solutions or building new dedicated projects to comply to EU wallet technical specifications.

Meanwhile the regulation is expected to help member states that are less advanced. Stakeholders believe that, as relying parties in all countries start to accept EDIW to prove identity and verify official documents, this will create a virtuous circle and boost adoption across the EU zone. What makes this interoperability possible is the EDIW’s inclusion of international standards such as ISO mDoc 18013-5 and VC W3C. They are the pillars the EU digital ID wallet is built upon.

These protocols define the ways that data is exchanged and verified. It means that, when a user presents the digital credential – representing a driving licence or a university degree, for example – the ‘relying party’ can easily check whether it is authentic, valid and if it was issued and signed by a trusted party.

The importance of privacy

In any discussion of digital ID, the topic of privacy always comes up. With this mind, the EDIW has in-built protections. All the digital documents stored in the wallet (digital ID, mobile driving licence, health pass, e-prescription, pay slips etc.) remain private, as will the transactions in which citizens use these documents. Not even the issuers of the documents will know when the documents are shared.

This will ensure only users decide how their data is shared. It will let everyone in the EU access private (or public) digital services safely, while protecting users and service providers against identity theft. And the extra benefit is that, when people use the wallet, they only ever need to supply minimal information. So, for example, if a service is for adults only, the credential can give a yes/no answer to the question: is this person over 18? No other private information is needed.

Bringing the right level of security

Of course, the EDIW model only works if the wallet is secure, with the highest level of assurance. Thus, the EDIW uses advanced cryptographic methods to encrypt personal data and includes safety measures to prevent cryptographic keys from being exported outside the wallet. To build a chain of trust, the verified identify of the holder must be binded to the wallet app. Creating a secure link will ensure that the wallet only hosts documents that belong to the holder.

In addition, member states and software providers will be required to certify every wallet they make available. Digital document issuers will be audited every two years to ensure they take the necessary security measures to address all risks. The burden of trust extends to relying parties too. They have to declare how they will use EDIW data. They must also carry out data protection impact assessments.