We have been watching the EU Digital Identity Wallet since day one – over 20 submissions, seven open letters, four and a half years of reading every draft and tracking every change. And the single most important thing we have learned: the Commission has no qualms about reversing protections it just agreed to introduce. And that’s exactly what’s happening again now.

This is precisely why we need your support. Safeguards that were hard-won in the legislative process can disappear in a technical annex. We are here to make sure that doesn't happen, but it requires reading hundreds of pages of dense legal and technical documents, running legal analysis and coordinating with partners across Europe. If you want someone to keep watching, please support us.

Where we are now

When the EU passes a law, that's not the end of the story. The law sets out the goals and the framework. But in technical matters the Commission and EU member states together write the technical rulebook that determines how the law actually works in practice. Think of it like building a house: parliament approves the architect's vision, but the builders decide how thick the walls are, where the doors go, and whether the locks actually work. Right now, the builders are making decisions that contradict what the architects intended.

The current drafts fail to address critical outstanding privacy concerns and in several respects make things worse. The most alarming example: mandatory biometric facial images in every Wallet.

We urge the Commission and Member States to change course and finally take privacy risks and users' interests into consideration.

Our open letter

The five central problems at a glance

  • Loopholes for registration certificates allow over-asking
  • Weakened pseudonymity rights enable over-identification
  • Mandatory biometric facial images in the minimum data set
  • Big Tech can circumvent genuine Wallet integration
  • Tracking protections fundamentally weakened

The five problems

Open Backdoors

When a company or authority wants to use the EU Wallet to request data from users, it must register in advance and declare which data it needs for which purpose. It is not allowed to ask for more information. This "no over-asking" rule is one of the core user protections in the EU Digital Identity Wallet.

The current draft makes optional the certificates that allow the Wallet to detect over-asking. A company can register in a member state that doesn't issue them – and request data from users across the EU with no check on legality. We raised this with 14 organisations in a previous open letter. The Commission corrected its mistake, only to reverse course a year ago and reintroduce the problem. Now is our last chance to fix it!

The right to stay anonymous – quietly buried

The eIDAS Regulation is explicit: users have the right to use the Wallet pseudonymously where no law requires them to identify themselves. Social media platforms, pornography websites, gambling services, news portals: none of these have a legal basis to identify their users. Yet many have a strong commercial interest in doing so.

The current drafts narrow this right drastically. Under the proposed wording, pseudonymity would only apply for authentication purposes – i.e. for logging in. Once logged in, services could ask for identification data they are not entitled to, and the Wallet would have no mechanism to stop them or to let users give a pseudonym instead of their real name. This would lead to drastic over-identification and to many online and offline situations in which anonymity or pseudonymity is no longer an option.

Your face in the Wallet

This is the most alarming new development in the fourth batch: the Commission proposes to include a mandatory biometric portrait photo in the minimum data set that every EUDI Wallet must contain. Every use, such as proving your age, ordering books or signing a contract, would potentially transmit a facial image.

Looking back: During the trilogue negotiations on the eIDAS Regulation, language protecting users specifically from biometric processing was explicitly removed from the text. The Commission now appears to be introducing mandatory biometrics through an implementing act, thus bypassing Parliament entirely.

Free Pass for Big Tech

The eIDAS Regulation requires very large online platforms like Google, Meta, Apple and co. to accept the EUDI Wallet as a login option. This was intended as a structural intervention: forcing the gatekeepers of the internet to open up to a European public infrastructure for digital identity.

But current technical specifications allow existing passkey solutions such as Google Passkeys or iCloud Keychain to substitute for genuine EUDI Wallet integration. This means we are left with the same proprietary options as before, while the regulation gives the appearance of having solved the problem. The responsible Digital Commissioner Henna Virkkunen has “Tech Sovereignty” in her job title, but she appears to do the opposite.

Hindering is not Prevention

The technical architecture of the EUDI Wallet shall not allow providers or any other party to obtain data that enables transactions or user behaviour to be tracked, linked or correlated. The standard is prevention. Not reduction. Not minimisation. Prevention.

In the current implementing act, that obligation has been quietly reworded. The text now requires revocation mechanisms that are privacy-preserving and "hindering" linkability or traceability – not preventing it. The difference is not semantic. Something that is merely hindered can still be achieved by a sufficiently determined adversary. Something that is prevented cannot.

This is not a drafting error. It is a substantive weakening of a protection that was explicitly written into the Regulation. An implementing act cannot legally lower the standard set by the Regulation it is implementing. But that is exactly what this does.

What happens next?

Last Thursday, we and our umbrella organisation EDRi participated in the public consultation on this issue. We can see in the other responses that many industry stakeholders are applauding the European Commission in its efforts to weaken privacy. Today, we are also publishing an open letter together with other digital rights and consumer protection organisations to sound the alarm. We will keep on pushing publicly and behind closed doors for these essential repairs. A decision is expected in late March or Q2. The Wallet should become available by the end of 2026.

Did you know epicenter.works is also developing a platform to help oversight and enforcement of eIDAS called whoidentifies.me? Subscribe to the newsletter to stay informed!
