European digital identity wallets: how secure are they and what are the risks?

Many people have already heard of national digital wallets like France Identité in France, MyGov.be in Belgium, mObywatel in Poland, in Portugal or Ireland. These services provide a sovereign national digital identity that will be implemented throughout the EU by the end of 2026, once they have been brought into compliance with the EU eIDAS 2 regulation, which aims to establish the EU’s framework for digital identity. At the close of the year, these digital identity services will materialise into a European Digital Identity Wallet (EUDIW). However, as with most digital tools, introducing them poses risks, including identity theft, digital exclusion, and foreign interference. What can you do with a digital ID wallet? The EU ID wallet will allow users to identify themselves via public and private services, including commercial ones, anywhere in the European Union. For example, a French citizen will be able to interact with the German administration just as easily as a German citizen. Depending on the user’s needs, the wallet may contain various types of information, including civil status data, such as first name, surname, date of birth and nationality, as well as electronic personal documents such as a driving license, transport tickets, or invoices. Eventually, users will be able to present these documents to a public service, for instance, sending a copy of a degree to a future employer or using a prescription issued by a French doctor at a pharmacy in Belgium. This bona fide “digital toolkit” will also allow users to present digital ID such as a passports, visas, or airline tickets at border crossings. Users will also be able to digitally sign documents using “qualified” electronic signatures, which have the same legal validity as handwritten signatures. Finally, two people will be able to interact via their wallets. For example, while travelling in Italy, Alice could transfer her digital voting proxy to Felix. Who are they for? And when will they be used? All EU citizens and residents will be able to hold an EUDIW, although it will not be mandatory. The European Commission aims to provide 80% of the population with an EUDIW by 2030. In order to meet this goal, each EU Member State must issue at least one EUDIW by the end of the year. The EUDIW will be presented primarily as a mobile application that can be downloaded onto smartphones. It is expected to operate with a high level of security, both online and offline, offering must-have mandatory features, such as simple and verified digital administrative documents, qualified signatures, and pseudonym generation. It must also be certified by each Member State and listed on a public European registry. By the end of 2027, all businesses and public administrations requiring strong customer authentication (SCA), including banks, will have to accept proof of identity via an EUDIW. At what cost? The cost issue is an important consideration. Issuing and using the digital wallet, as well as issuing verified electronic signatures for non-professional purposes, will be free of charge. Each Member State will be free to determine its own specific conditions. For instance, Poland offers five free signatures per month per citizen. Using electronic signatures for professional purposes may incur a fee. In Belgium, the private wallet provider Itsme charges €4.95 per qualified signature. What are the benefits? The EUDIW should help combat fraud and false declarations, especially regarding the minimum age requirement for accessing pornographic websites. The process of renting a car, which currently requires sending copies of one’s ID card and driving licence, could be fully digitised. Another benefit is that users will have greater control over how their personal data is processed. Users will be able to freely choose and use pseudonyms when strong authentication is not required. Through a mandatory dashboard, they will be able to view the history of data transmitted and report suspicious data requests to their data protection authority, thereby strengthening oversight. The wallet should integrate privacy-enhancing technologies. For example, minors can verify minimum age requirements for social networks using zero-knowledge proof technologies, proving they are under 15 without revealing their name, surname, or date of birth. Only public and private service providers listed on a public registry will be able to use the EUDIW. Providers of electronic documents and qualified signatures will need to obtain prior qualification at national level. We are thus, witnessing a genuine digital identity ecosystem in the making. What are the risks of a digital identity market? The primary risk for users is being forced to use an EUDIW, which is designed as a kind of digital passkey. This could exclude certain segments of the population, particularly those who cannot afford or can use this type of technology. Another risk concerns privacy. Digital wallets could increase the amount of personal data collected without users’ knowing. To address this threat, under EU law digital wallets must be certified. While the certification provides certain safeguards, it does not offer absolute security, as demonstrated by the 2021 PEGASUS case. Cyberattacks may not only seek to steal identities, but also the data linked to them. Some of this data, such as first names, surnames, and diplomas, will be particularly valuable in this respect, as its authenticity will have been verified against authoritative sources. From the perspective of EU States, the EUDIW raises questions of sovereignty, because states are currently the only entities capable of reliably establishing a person’s identity. The provision of EUDIWs by non-European private companies increases the risk of foreign interference, which is a very real concern. For example, Nicolas Guillou, a French judge at the International Criminal Court has been under US sanctions since August 2025. What still needs to be done: choices, audits and alternatives The EUDIW could become an extremely useful everyday tool. However, many decisions still need to be made regarding implementation, enrolment, revocation, and cybersecurity, to effectively combat identity theft. In order to fulfill the promise of a safer digital world, there must be effective oversight and dissuasive sanctions against both European and non-European entities. At the same time, maintaining a hard copy alternative to digital documents is essential. Maintaining paper-based documents will not only help preserve each individual state’s resilience and sovereignty in the event of a cyberattack, but will also allow every citizen to choose whether or not to use an EUDIW. The projects on Traceability for trusted multi-scale data and fight against information leak in daily practices and artificial intelligence systems in healthcare – TracIA and More on the adoption of a healthy Mediterranean diet – MoreMedDiet were backed by France’s National Research Agency (ANR), which finances research projects in France. The ANR’s mission is to support and promote the development of fundamental and finalised research work across all disciplines, and strengthen dialogue between science and society. To find out more, visit ANR.