Data Strategy — EU regulation
The revised eIDAS Regulation (EU) 2024/1183 was published in the Official Journal, mandating EU digital identity wallets and trust services with strict data portability and consent controls.
Reviewed for accuracy by Kodi C.
Regulation (EU) 2024/1183 amending eIDAS was published on 30 May 2024, obliging Member States to issue European Digital Identity (EUDI) wallets within 24 months and defining trust service interoperability, consent, and data minimization safeguards. This revision represents the most significant update to the EU's electronic identification and trust services framework since the original eIDAS Regulation entered into force in 2016, responding to growing demand for secure digital identity solutions and lessons learned from the COVID-19 pandemic's acceleration of digital services. Organizations providing digital services to EU citizens and businesses should prepare for wallet integration requirements and strengthened trust service obligations.
Regulatory Evolution and Objectives
The original eIDAS Regulation (EU) No 910/2014 established the legal framework for electronic identification and trust services including electronic signatures, seals, timestamps, and delivery services. While successful in enabling cross-border recognition of national eID schemes and trust services, the original framework faced limitations including fragmented national adoption, limited citizen uptake, and lack of portable digital identity wallets.
The revised regulation addresses these gaps by mandating EUDI wallets that citizens can use across borders and sectors, establishing new qualified trust services, and strengthening interoperability requirements. The European Commission views digital identity as foundational infrastructure for the Digital Single Market, enabling smooth access to public and private services throughout the EU.
European Digital Identity Wallet Requirements
Plan authentication, attribute verification, and consent capture to interface with state-issued EUDI wallets that all Member States must provide to citizens and residents. Each Member State must offer at least one EUDI wallet within 24 months of implementing act adoption, providing citizens free access to secure digital identity credentials.
Wallets must support storage of identity documents, driving licenses, educational credentials, and other verifiable attributes that users can selectively disclose to service providers. Interoperability requirements ensure wallets issued by any Member State function across the entire EU. Organizations accepting EUDI wallets for customer authentication or attribute verification must implement compliant integration approaches and user consent mechanisms.
Trust Service Framework Updates
Review reliance on qualified electronic signatures, seals, and archiving services subject to updated supervision and security requirements. The revised regulation introduces new qualified trust service types including electronic attestation of attributes, electronic archiving, and electronic ledgers.
Enhanced supervision requirements address cybersecurity, audit procedures, and cross-border cooperation among national supervisory bodies. Qualified trust service providers face updated technical standards and certification requirements that implementing acts will specify. Organizations relying on qualified trust services should verify provider compliance with revised requirements and update contracts to address the strengthened obligations.
Data Minimisation and Consent Controls
Ensure wallet interactions request only necessary attributes and respect selective disclosure mandates protecting citizen privacy. The regulation establishes data minimization as a core principle, prohibiting service providers from requesting more attributes than necessary for their stated purpose. Selective disclosure enables users to share specific credentials or attribute subsets without revealing complete identity documents.
Zero-knowledge proofs and related privacy-enhancing technologies support attribute verification without unnecessary data exposure. Consent mechanisms must clearly explain what attributes are requested, why they are needed, and how they will be used. Users must be able to review and revoke consents through wallet interfaces.
Implementation Timeline and Milestones
Align wallet readiness programs with upcoming implementing acts on technical specifications, certification criteria, and conformity assessment procedures. The regulation enters into force 20 days after Official Journal publication, with Member State wallet obligations triggered by implementing act adoption expected in late 2024 or early 2025.
Technical specifications will detail wallet architectures, credential formats, and interoperability protocols. Certification frameworks will address wallet security, trust service provider qualification, and conformity assessment bodies. Affected organizations should monitor implementing act development and participate in pilot programs to gain early wallet integration experience.
Vendor and Partner Assessment
Vet identity providers and trust service partners for compliance with the revised assurance and cybersecurity obligations affecting qualified services. Due diligence should assess provider technical capabilities, regulatory status, and roadmap for revised eIDAS compliance. Contract updates may be necessary to address new obligations, liability provisions, and service level expectations. Multi-provider strategies may be appropriate given evolving market landscapes and varying implementation timelines across service categories.
Customer Experience Considerations
Update onboarding flows and UI copy to explain wallet-based authentication, consent mechanisms, and data portability rights enabling citizen control over personal data. Customer education materials should help users understand wallet benefits, security features, and privacy protections. Fallback authentication mechanisms may be necessary during transition periods when wallet adoption remains incomplete. Brief product, legal, and security leaders on new Article 6a obligations and timelines for issuing at least one wallet per Member State. Enhance audit trails capturing consent, attribute exchange logs, and incident reporting tied to wallet transactions.