The EU Digital Identity Wallet: A 2026 Developer Guide
The EUDI Wallet arrives across the EU by the end of 2026, and by 2027 many businesses must accept it. Here is what eIDAS 2 means for your product and how to prepare.
Every EU member state has to offer citizens a European Digital Identity Wallet by the end of 2026. Not a pilot, not a whitepaper: a real app, built to shared specifications, that holds a government-issued identity and can prove who you are to any website or app that asks. For most product teams this has been easy to file under "someday". It is about to stop being someday.
The regulation behind it, eIDAS 2, does not only create the wallet. It also creates obligations for the businesses on the other side of it, the ones asking users to log in, verify their age, sign a contract or open an account. In regulated sectors, banks, telecoms, and platforms that already do identity checks, those businesses have to accept the wallet within roughly a year of it going live. If you build software that onboards users in Europe, this is a schema change coming to your login screen.
This is a practical look at what the wallet is, who has to support it, and what you can do now so it is a feature you ship on purpose rather than a deadline you scramble against.
What the EUDI Wallet actually is
Think of it as a government-backed credential holder that lives on the user's phone. Each member state issues (or certifies) a wallet app. Into it go verifiable credentials: a Person Identification Data (PID) set derived from the national eID, and later things like a mobile driving licence, diplomas, professional qualifications and bank-issued attestations.
When your service needs to know something about a user, it does not ask them to type it and hope. It sends a request to the wallet, the user approves exactly what gets shared, and the wallet returns a cryptographically signed answer your backend can verify against a trusted issuer. The difference from a typical "sign in with X" button is that the data is issued by an official authority, the user controls disclosure at the field level, and it works across borders by design.
The vocabulary that matters
An issuer creates credentials (a government issues the PID). A holder keeps them (the citizen, in their wallet). A relying party requests and verifies them (your business). eIDAS 2 mostly regulates issuers and relying parties. If you run an onboarding or login flow, you are a relying party.
Selective disclosure changes how you ask for data
The feature that trips up teams used to OAuth is selective disclosure. A user does not hand you their whole identity. They hand you the single claim you asked for.
The classic example is age. Today, to check that a customer is over 18, most sites collect a full date of birth, often a document scan, and then store it. Under the wallet model you request a boolean-style attestation, "is this person at least 18", and you receive a signed yes. You never see the birth date, so you never have to protect it or explain in your privacy policy why you kept it.
That is a genuine shift in data-minimisation posture, and it is enforced by design rather than by policy. It also means the old habit of "collect everything now in case we need it later" becomes actively harder to justify. Before you wire anything up, go through your onboarding form field by field and write down the actual decision each field drives. Most teams find they were collecting three things and using one.
Who has to accept it, and when
The headline dates are the part worth getting right, because "end of 2026" and "you must support it" are two different deadlines.
| Milestone | Roughly when | What it means |
|---|---|---|
| Wallets available | End of 2026 | Every member state offers at least one certified wallet |
| Public services | 2026 into 2027 | Governments must accept wallet-based identification |
| Regulated private sector | ~2027 | Banks, telecoms and large platforms that already do strong authentication must accept the wallet |
| Everyone else | Optional, ongoing | Any business may become a relying party if it wants the benefits |
The nuance: if you are in a regulated sector or you already perform legally mandated identity verification (know-your-customer, strong customer authentication under PSD2, age checks), acceptance is coming as an obligation. If you are a typical SaaS or e-commerce business, it is an option, but often a very attractive one, because it can replace document uploads, SMS one-time codes and clunky manual review with a single tap.
The specs are still moving
The Architecture and Reference Framework is published and maturing, but certification schemes and some technical details are still being finalised as wallets ship. Build against the reference implementation and abstract the wallet behind your own interface. Do not hardcode today's payload shapes deep into your auth code.
What "getting ready" looks like in practice
You do not need to integrate a wallet this quarter. You need to make integrating one a small change instead of a rebuild. A few things pay off regardless of your exact timeline.
Isolate identity behind a boundary. If your login, onboarding and verification logic is scattered across controllers, adding a new credential source means touching everything. Route identity through one service or module now, so a wallet becomes another provider behind a stable interface, the same way you would add an OAuth provider.
Inventory every identity signal you collect. For each one, note who mandates it, how long you keep it, and whether a signed attestation could replace a stored copy. This inventory is useful even if you never touch a wallet, and it is exactly what you need to scope the integration when you do.
Watch your member state's wallet. Rollout is national. The Portuguese wallet, the German one and the French one ship on the same framework but on their own timelines and with their own onboarding for relying parties. Know which wallet your users will actually carry, and how to register as a relying party for it.
Design the consent moment. The wallet handles the cryptography, but you own the screen where you explain what you are requesting and why. A vague request ("share your identity") gets declined. A specific one ("confirm you are over 18 to buy this") gets approved. Treat that copy as part of the product.
Why bother if it is optional for you
For a lot of businesses the honest answer is fraud, friction and cost. Document-upload onboarding is slow, easy to fake with a decent photo editor, and expensive to review. Wallet-based verification gives you an official, signed, tamper-evident answer in seconds, works the same for a customer in Lisbon or Lyon, and shrinks the pile of sensitive personal data you are on the hook to protect.
There is also a trust dividend. "Verify with your EU Digital Identity Wallet" is a stronger signal to a cautious European customer than one more password field. The teams that treat this as a product feature, not a compliance chore, are the ones who will quietly convert better while everyone else is still scanning passports.
The wallet is coming to every phone in the EU on a fixed clock. The work to be ready for it, a clean identity boundary and an honest look at the data you collect, is work worth doing anyway.
Written by
Rafael Costa
Software Engineer & Technical Writer
Rafael is a software engineer at Lusivision who writes about web development, cloud architecture and applied AI. He has spent over a decade shipping production software for companies across Europe and enjoys turning hard technical topics into clear, practical guides.
View all articles