By November 2026, all Member States of the European Union will be required to make European digital identity wallets available to their citizens. These will enable users of public and private services to identify or authenticate themselves securely, while providing only the data strictly necessary for the delivery of the service.
“Every time an application or a website asks us to create a new digital identity or offers us the option to log in easily via a major platform, we have no idea what happens to our data. That is why the Commission will propose a secure European electronic identity. A reliable identity that every citizen will be able to use anywhere in Europe, for any purpose, such as paying taxes or hiring a bicycle. A technology that will allow us to control which data we share and how it may be used,” said Ursula von der Leyen, President of the European Commission.
While, at first sight, this development appears to strengthen the security of our data, questions and concerns persist with regard to the protection of personal data and privacy.
From electronic identification to the European digital identity wallet
Regulation (EU) No 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions within the internal market, known as “eIDAS”, laid the foundations for electronic identification within the European Union. It defines electronic identification as the process of using personal identification data in electronic form that uniquely represents a natural or legal person. It is therefore a technical process enabling an individual to prove their identity by electronic means.
The primary objective of this regulation was to facilitate cross-border electronic transactions by ensuring mutual recognition of electronic identification means and electronic signatures between Member States. The regulation introduced several key mechanisms, including notified electronic identification schemes, which enable such mutual recognition. In practical terms, where an online public service requires a certain level of security, it must accept a foreign identification means, provided it originates from a notified scheme and offers an equivalent or higher level of assurance. This allows European Union citizens to access online public services in other Member States more easily.
The text also established three assurance levels (low, substantial and high) to assess the reliability of an electronic identification means. These levels ensure that the person presenting themselves as the holder of an identity is indeed the legitimate holder.
Finally, the eIDAS Regulation introduced qualified trust service providers (QTSPs). These are entities that deliver services relating to electronic signatures, electronic seals, timestamps, electronic registered delivery services, or website authentication certificates. Subject to regular supervision, their status attests to compliance with stringent security and reliability requirements.
While this regulation helped to broaden the use of electronic identification and to strengthen citizens’ confidence in remote transactions, the regulatory framework remained relatively stable, even as digital practices evolved significantly over a ten-year period.
The evaluation of the eIDAS Regulation highlighted several limitations. Only a limited number of Member States had notified their national systems (14 as at September 2018, covering just 59% of EU residents), thereby restricting reliable cross-border access. In addition, the scope of application was largely confined to the public sector, whereas most identification needs now arise in the private sector (banks, platforms and similar services). The text also did not address the management of electronic attributes (such as diplomas or medical certificates), nor did it allow users to restrict the sharing of personal data to what is strictly necessary.
In a setting characterised by the expansion of remote interactions and the widespread use of online administrative procedures, the ability to identify and authenticate oneself in a reliable and secure manner has become indispensable. Identification enables an individual to be distinguished within a group, often by means of a unique identifier such as a national insurance number or an identifier assigned by an application. Authentication, by contrast, verifies that the digital identity being used does indeed correspond to the person claiming it. This verification may rely on a password, possession of an object (such as a smartphone), or biometric data.
In response to these developments, the European Union undertook a revision of its regulatory framework. The new version of the eIDAS Regulation, which entered into force on 20 May 2024, provides for the creation of a European Digital Identity Wallet. The objective is to offer citizens and businesses a secure and practical means of identification and authentication, both online and offline, enabling access to public and private services throughout the European Union, and allowing the secure storage and sharing of digital attributes (such as a driving licence or an academic qualification) under the user’s control.
This wallet is based on the concept of digital identity, which encompasses all information used to identify a natural person in a digital environment: surname, given name, age, place of birth or a pseudonym, for example. Recorded in digital form, these data make it possible to associate an individual with other information and to access a range of services, online or otherwise. The same individual may hold several digital identities depending on the context of use (social, professional or leisure) and on the level of reliability required.
Digital identity may take two forms:
- “Sovereign” identity, directly linked to civil status, generally used for administrative or official procedures;
- “Non-sovereign” identity, such as a pseudonym or a name in common use, more frequently used in informal contexts, including social networks or online commerce platforms.
It relies on an electronic identification means (EIM), such as a mobile application or a smart card. The European Digital Identity Wallet is itself a type of EIM, enabling the management and use of a digital identity in a wide range of situations, thereby facilitating procedures that require electronic identification.
While this ambitious project offers clear advantages, it also gives rise to numerous challenges and increasing risks.
The strengths and challenges of the European digital identity wallet
Among the notable benefits of the future European digital identity wallet is the increased control that citizens will be able to exercise over their personal data. For example, it will be possible to prove one’s age without disclosing a full identity, representing a significant step forward in terms of privacy protection. This capability is particularly relevant at a time when online age verification has become a priority for public authorities, notably to regulate minors’ access to social networks and adult content. In this respect, the French data protection authority (CNIL) explicitly recommends avoiding the collection of identity documents such as national identity cards, which reinforces the value of a reliable and secure digital solution for transmitting personal information.
Digital identity could also help to improve everyday cybersecurity by limiting the proliferation of passwords, which are often weak or stored insecurely. A unified identification system, secured through strong authentication mechanisms, would simplify access to services while reducing the risks associated with individual credential management.
Another strategic advantage lies in the fact that this European public solution could offer an alternative to authentication tools provided by major technology companies such as Google or Facebook. By restoring citizens’ control over their data, it would help to reduce dependence on these private platforms and strengthen European digital sovereignty.
Despite its promises, the digital identity wallet project must address several challenges, particularly in relation to personal data protection. The CNIL stresses the need to preserve user freedom of choice: digital identity must not become the sole means of accessing public or private services. Physical alternatives must therefore remain available.
The CNIL (the French data protection authority) also emphasises the importance of avoiding excessive data centralisation. The authority recommends that these services be provided by a diversity of public and private actors, in order to prevent the risk of mass surveillance and to maintain a balance between technological development and respect for individual freedoms.
In response to this European momentum, France has launched the France Identité application, which enables citizens to use a secure digital version of their national identity card. The aim is to simplify access to online services, and ultimately offline services as well, while ensuring a high level of security. Deployment is being carried out progressively, with the ambition of integrating new functionalities and ensuring compatibility with the European wallet currently under development.
Through this future digital identity wallet, the European Union is therefore signalling its intention to regain control over a field that is currently largely dominated by major digital platforms. The objective is no longer merely to simplify access to services, but to restore citizens’ control over their data within a trusted digital environment. France, through the France Identité application, is actively participating in this approach. What remains is to ensure that digital identity does not become either a source of digital exclusion or an instrument of widespread surveillance. This is the real challenge: to build a tool that is effective, sovereign and consistent with European values of freedom and the protection of fundamental rights.
