An empty wallet is a useless wallet – European digital identity wallet needs more meat to the bones and fast

For daily life in a close-knit union of 27 countries to run smoothly, cross-border services should be made as easy as possible – also online. EU citizens and residents must be able to use both public and private digital services safely and easily across member state borders. Businesses will also have a much easier time operating in the single market if they have a common set of rules for electronic identification and digital services.

The European Commission started taking action in the summer of 2021, when it proposed a new regulation establishing a framework for a European digital identity and amending the eIDAS regulation. After much debate, the European Digital Identity Regulation, also known as eIDAS 2.0, finally entered into force in May 2024, with the first implementing acts issued in August and expected to enter into force in November 2024. The aim of the regulation is to facilitate secure cross-border transactions by establishing a framework for digital identity and authentication for both individuals and organisations.

======
The European digital identity wallet allows users to easily manage
their digital identity and store and share digital documents.
======

A key element of the eIDAS 2.0 is the European digital identity wallet, which allows users to easily manage their digital identity and store and share digital documents. In practice, the digital identity wallet is a mobile app that enables users to authenticate their identity, sign documents electronically and store and share their official documents such as a driving licence digitally. Digital identity wallets will be available free of charge to any EU citizen, resident or business willing to use it. Every member state will have to provide at least one wallet solution. In Finland, the national digital identity wallet will be provided by the Digital and Population Data Services Agency.

The aim of the initiative is all well and good. The EU single market’s cornerstone is the free movement of goods, capital, services and people. Reliable electronic identification facilitates the fulfilment of this principle and streamlines single market activities in the digital era. But the problem is that the regulation is too vague. So far, the Commission has only managed to establish the bare bones of a European digital identity and the related wallet solutions. It is still working on the technical specifications and large-scale pilots, which will add meat to the bones.

Much is riding on the Commission’s implementing acts, and their finalisation is awaited as eagerly as Christmas morning. The implementing acts on the wallet’s key functions and certification are crucial, since their adoption timeline will also determine the transition periods: the revised regulation mandates member states to provide digital identity wallets to their citizens within 24 months of the adoption of the implementing acts. The Commission is expected to issue more implementing acts in 2025, with plans to amend the adopted acts along the way.

The financial sector has reservations about the revised regulation, although as a rule we support the Commission’s efforts to further promote cross-border online services and business in the EU. Our reservations stem largely from the obligations that the new framework imposes on certain private-sector organisations, which are currently still very vague.

Under the new regulation, financial sector companies are obligated to accept digital identity wallets in the provision of their services, for example when customers open a bank account, apply for a loan or make payments. The main concerns arising from this obligation are the responsibilities related to payment transactions, which are unclear at the moment. A clear division of responsibility is direly needed. Moreover, payments are also regulated by payments services regulation, and sector-specific regulation should be respected.

======
What do payments mean in the context of the eIDAS?
======

The revised eIDAS regulation also touches on payments, but what do payments actually mean in the context of the eIDAS? At this point, nobody knows for certain because the Commission is still running pilots and preparing technical specifications. However, it seems unlikely that the Commission will issue an implementing act on payments specifically.

This raises the question of where the requirement to accept digital identity wallets in payments originates from, especially in the authorisation of payments as advertised by the Commission? The new regulation only mentions the initiation of transactions, so one would think that the authorisation of transactions would continue to take place through solutions provided by the bank. At the moment, however, we cannot be sure of this.

Under the new regulation, organisations in designated sectors must accept the digital identity wallets no later than 36 months after the entry into force of the implementing acts, most likely in late 2027. It is not yet clear what this will mean in practice; the authorities will have much responsibility in interpreting the regulation and clarifying policies. But what is clear is that the Commission has not thought things through. With technical specifications still being prepared, standards missing and a European certification only being developed, it looks like the Commission may have bitten off more than it can chew.