In a stunning reversal, the European Commission is once again poised to undermine the privacy of citizens across Europe in the ongoing eIDAS reform process. After promising to close a dangerous loophole in the eIDAS implementing acts, the Commission has yielded to powerful industry lobbyists and reintroduced an optional regime for “relying party registration certificates.” This dramatic backslide threatens the core principle of the European Digital Identity (EUDI) Wallet project: namely, giving users across the EU secure digital identities under reliable and uniform protections.

The Fight for Trust and Security in eIDAS

For months, civil society organizations, consumer advocates, the European Data Protection Supervisor and even national delegations had repeatedly called on the Commission to guarantee a mandatory system of registration certificates for “relying parties” (i.e., the companies and public authorities that use or integrate EUDI Wallet services). Such certificates are vital. They specify which user attributes a given relying party is allowed to request, creating a powerful check on overreach or illegal demands for personal data. If registration certificates are left optional, relying parties can simply “forum shop” in Member States that do not mandate certificates—leaving wallet users exposed to excessive data requests without any real line of defence.

That is precisely what the Commission had fixed in a previous draft of the text. Yet, in the most recent version sent to negotiators for the upcoming comitology meeting on April 9, 2025, the Commission undid this crucial safeguard with virtually no explanation. Rather than follow its own promises to protect users and listen to repeated criticisms from digital rights and consumer protection advocates, it surrendered to the few corporate voices demanding reduced oversight and weaker user protections.

Why Mandatory Certificates Matter

  • Preventing Illegal Data Requests: Registration certificates are the only way for the EUDI Wallet to detect whether a relying party is asking for attributes (e.g. financial or health information, family status, etc.) beyond what it is legally authorized to request. Without a mandatory certificate, the wallet cannot tell whether a request is legitimate or an unlawful intrusion on the user's privacy.
  • Ensuring a Level Playing Field: eIDAS aims to foster trust in cross-border services. If certain Member States fail to require registration certificates, unscrupulous companies will flock there to bypass protections. That leaves users in the rest of the EU defenceless and incentivizes a race to the bottom, eroding trust in the entire eIDAS ecosystem. There is a risk that the mistakes of the GDPR will be repeated, where weak enforcement by the Irish authorities has led to a Europe-wide erosion of fundamental rights and consumer protection. In effect, Facebook Ireland could demand anything from Europeans.
  • Preserving the Right to Pseudonymity: The eIDAS Regulation explicitly protects the right to use pseudonyms in scenarios where no legal requirement to identify the user exists. By making registration certificates optional and failing to distinguish between “know-your-customer” (KYC) and non-KYC use cases, the Commission effectively strips away the possibility for users to remain pseudonymous when the law allows. Tech giants can then demand real identities in contexts that do not require them.
  • Upholding the Spirit of the Law: During the negotiations, lawmakers agreed that the EUDI Wallet should warn users about illegal or overreaching information requests. However, for that safeguard to work, each relying party must be compelled to list which data they may lawfully request. Making these certificates optional contradicts the very spirit of eIDAS and short-circuits meaningful user control.
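To make the wallet-side check described above concrete, here is an added illustration; it is not code from epicenter.works, the Commission or any EUDI Wallet implementation. It models a registration certificate as a hypothetical record (relying party, registering Member State, permitted attributes, whether a legal KYC obligation exists) and evaluates a presentation request against it, returning one of four verdicts: within scope, over-reaching, an identity demand from a relying party with no KYC obligation, or unverifiable because no certificate exists at all, which is exactly the situation an optional regime creates. The attribute names, relying parties and registry are constructed for the example; the real certificate format is not shown here.

```python
"""Wallet-side evaluation of a relying party's data request against its
registration certificate. Illustrative sketch: the data model below is a
constructed stand-in, not the EUDI Wallet's actual certificate format."""
from dataclasses import dataclass, field
from typing import Optional

# Attributes that identify a natural person. A relying party with no legal
# obligation to identify users should not need these (illustrative set,
# not a legal definition).
IDENTIFYING_ATTRIBUTES = frozenset(
    {"given_name", "family_name", "birth_date", "personal_id"}
)


@dataclass(frozen=True)
class RegistrationCertificate:
    relying_party: str
    registered_in: str                # Member State that registered the RP (constructed)
    allowed_attributes: frozenset     # attributes the RP may lawfully request
    kyc_obligation: bool              # True if a law requires the RP to identify users


@dataclass
class Verdict:
    status: str                       # "ok", "overreach", "pseudonymity", "unverifiable"
    offending: frozenset = field(default_factory=frozenset)
    message: str = ""


def evaluate_request(requested: set, cert: Optional[RegistrationCertificate]) -> Verdict:
    """Decide whether the wallet can release the requested attributes.

    The order of checks matters: without a certificate nothing can be
    verified, so the wallet must warn rather than guess; over-reach is then
    checked before the KYC/non-KYC distinction.
    """
    requested = frozenset(requested)
    if cert is None:
        # Optional-certificate regime: no authoritative list exists, so the
        # wallet has no basis to distinguish a lawful request from an abusive one.
        return Verdict("unverifiable", requested,
                       "No registration certificate: the wallet cannot tell "
                       "whether this request is lawful.")
    excess = requested - cert.allowed_attributes
    if excess:
        return Verdict("overreach", excess,
                       f"{cert.relying_party} is not registered to request "
                       f"{sorted(excess)}.")
    identifying = requested & IDENTIFYING_ATTRIBUTES
    if identifying and not cert.kyc_obligation:
        return Verdict("pseudonymity", identifying,
                       f"{cert.relying_party} has no legal obligation to identify "
                       "users; a pseudonymous presentation should be offered instead.")
    return Verdict("ok", frozenset(), "Request is within the registered scope.")


# Constructed registry. "socialnet.example" is registered in a Member State
# that chose not to issue certificates, so it has none at all.
REGISTRY = {
    "bank.example": RegistrationCertificate(
        "bank.example", "AT",
        frozenset({"given_name", "family_name", "birth_date", "personal_id", "address"}),
        kyc_obligation=True),
    "forum.example": RegistrationCertificate(
        "forum.example", "DE", frozenset({"age_over_18"}), kyc_obligation=False),
    "newsletter.example": RegistrationCertificate(
        "newsletter.example", "FR", frozenset({"email", "given_name"}), kyc_obligation=False),
    "socialnet.example": None,
}


def check(relying_party: str, requested: set) -> Verdict:
    """Look up the relying party's certificate (if any) and evaluate the request."""
    return evaluate_request(requested, REGISTRY.get(relying_party))


if __name__ == "__main__":
    for rp, req in [
        ("bank.example", {"given_name", "family_name", "birth_date"}),
        ("forum.example", {"age_over_18"}),
        ("forum.example", {"age_over_18", "given_name"}),
        ("newsletter.example", {"email", "given_name"}),
        ("socialnet.example", {"given_name", "family_name", "health_data"}),
    ]:
        v = check(rp, req)
        print(f"{rp:22} {v.status:13} {v.message}")
```

The "unverifiable" branch is the point of the argument: the wallet's warning only works when every relying party is compelled to publish what it may request, because a missing certificate is indistinguishable from a relying party that is entitled to everything.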

A Political and Democratic Failure

Equally worrying is the Commission’s audacious move to extend identity-matching mechanisms—originally meant for public sector cross-border procedures—beyond what the legislators explicitly negotiated. The Commission’s own text introduces broad allowances for private sector players, even if they have no legal obligation to identify users. This undermines the carefully balanced political agreement reached in trilogue negotiations, disregarding both the letter and the spirit of the democratically adopted regulation.

As our previous blog posts show ([1], [2]), the Commission has a track record of slipping in last-minute changes that erode user safeguards. This time, it has gone even further, ignoring the broad consensus built around mandatory relying party registration certificates and clear user rights.

Even the European Union's own Data Protection Supervisor (EDPS) agrees with us. In its 2023 statement it stressed the importance of distinguishing between use cases to protect users, and in 2025 it was even more explicit, calling for mandatory relying party registration certificates.

Read our Policy Analysis

Call to Action: Demand a Secure and Trustworthy eIDAS

The European Commission’s decision to make relying party registration certificates optional is nothing short of abandoning the promise of eIDAS to put the people in the EU in control over their data. It jeopardizes individual privacy, undermines user confidence, and tramples on the legislative consensus that shaped the eIDAS Regulation.

We call on everyone—European citizens, consumer groups, Member State governments, and especially Members of the European Parliament—to step in and stop this last-minute capitulation to powerful private interests. The single market, the success of the EUDI Wallet, and the fundamental rights of millions of EU citizens are at stake.

  • Spread the Word: Share this blog post to raise awareness of the Commission’s about-face on this crucial user protection.  
  • Contact Your Representatives: Urge MEPs and national representatives to demand that the eIDAS implementing acts restore mandatory registration certificates.
  • Stay Engaged: Follow our updates and join efforts across civil society organizations calling out this rollback of essential safeguards.

If Europe wants an eIDAS framework that truly puts people in control of their data, we must ensure that relying parties are held to consistent standards. Without mandatory certificates and strict oversight, the entire promise of the EUDI Wallet could collapse under the weight of corporate-driven loopholes—just when we most need a secure digital identity system that respects our fundamental rights.

epicenter.works remains committed to exposing these backroom deals and protecting the privacy rights of all people in Europe. We will continue to monitor the upcoming comitology meeting, advocate for robust amendments, and work with partners across the EU to fight for a truly user-centric digital identity ecosystem. Stay tuned for more updates, and let’s send a clear message that our digital rights are not for sale.
