EU Digital Identity: The Law Cannot Fix What Technology Has Broken
For more than five years we have been following the European Digital Identity Wallet. We have submitted comments, analysed technical drafts, coordinated civil society coalitions and fought for safeguards that would make Europe's digital identity infrastructure privacy-friendly by design.
In March, together with EDRi, Arbeiterkammer and dozens of digital rights and consumer organisations, we published an open letter warning that the last batch of eIDAS Implementing Acts would weaken key protections in the EU Wallet. In May, the European Commission replied.
Unfortunately, the reply confirms a pattern we have observed throughout the eIDAS process: the Commission agrees with the goals of privacy, user control and data minimisation, while simultaneously proposing technical rules that make those protections harder to achieve in practice.
Technical systems do not protect rights because a recital says so. They protect rights because the architecture makes abuse impossible.
Following this process for five years has made one thing clear: analysing and informing is not enough. We need to keep pushing institutions to uphold their own rules and we need your help to do so!
The Law Cannot Fix What Technology Has Broken
Again and again, the Commission's reply pointed to legal obligations contained in the Regulation itself. But rights in digital systems depend on technical implementation. If technology creates risks and fails to protect people, abstract rights are no remedy. We believe the Commission's technical specifications undermine the protections the eIDAS Regulation demands and that industry pressure is a key reason why.
The problems we have been flagging for years were still present in this latest batch: missing registration certificates, mandatory biometric data, no workable pseudonymity, Big Tech loopholes and weakened anti-tracking protections. As we wrote in our rejoinder.
Member States Push Back
The latest batch of implementing acts was supposed to be voted on by the Member States on 6 May 2026. But there was simply too much protest, and the Commission had to withdraw its proposal. Several governments criticised the Commission for adding complex standards only months before the deadline, which makes a robust and safe product unrealistic. A qualified majority of 14 member states (Germany, France, Spain, Poland, Romania, the Netherlands, Austria, Hungary, Finland, Sweden, Slovenia, Norway and Luxembourg) demanded that registration certificates finally become mandatory. This was a significant win and a direct confirmation of the arguments we have been making for years.
The biometrics issue triggered its own coalition. Ten member states (Belgium, Germany, Spain, Italy, Finland, Denmark, Romania, Estonia, the Netherlands and Luxembourg) clearly positioned themselves against mandatory portrait images in the Wallet. And for good reason: under the Commission's proposal, every time a citizen uses the Wallet to prove their age, sign a contract or order a book, a signed facial image could be transferred to the requesting company or authority. Employers, police, border crossings… the situations where users might be pressured to hand over their biometrics are easy to imagine.
This is an unprecedented extension of the scope. Nothing in the eIDAS Regulation even hints at biometrics. Parliament gave up all of its safeguards to protect citizens’ biometric data because the Commission assured the Parliament this would be out of scope. Now with Parliament no longer at the table, those assurances are being walked back.
We made sure this didn't happen quietly. We got the issue covered by Politico and Euractiv ahead of the vote, and the European Parliament Rapporteur for eIDAS, MEP Romana Jerković, issued a formal protest letter to the Commission.
Today's Vote: What We Won, What We Lost
Today, 18 June, another vote was held, and while we haven't seen the last-minute changes to the legal text, we know the outlines of the result.
After years of pushing, we won on registration certificates. The Wallet can now adequately protect against over-asking. That matters, and it would not have happened without sustained pressure from civil society and a coalition of member states.
On biometric portrait images, the situation is more complicated. States must issue a portrait, but can offer citizens the option to opt out. Whether that opt-out will be meaningful in practice depends entirely on how member states implement it. We sadly lost on weakened tracking protections, the right to use pseudonyms and Big Tech loopholes.
What Comes Next
Member States now have half a year to offer European Digital Identity Wallets to their populations. In that time, Google is actively moving to creep into the European Digital Identity ecosystem. Age verification debates are already exploring whether the Wallet could be used to verify users on social media and pornography platforms. This would hand sensitive identification infrastructure to some of the least trustworthy actors online.
We remain committed to our role as public watchdog for the eIDAS ecosystem. Through our role in the APTITUDE project, we will scrutinise how member states implement the Wallet in practice.
Our project whoidentifies.me is on track to release a free software pilot by the end of the year: a tool that will help everyone monitor the emerging EU Digital Identity ecosystem and identify problems and trends in real time.
Europe's digital identity infrastructure will not be judged by the promises made in press releases or legal recitals. It will be judged by what it actually does when citizens use it. Given the state of things, we cannot recommend that people use the European Digital Identity Wallet before independent audits have been conducted, and never in online situations where tracking is a concern.






