Unlocking the EU digital future with eIDAS 2 and digital wallets

The EU’s digital transformation and the rise of trusted digital identities

The EU, like the rest of the world, is experiencing a significant digital transformation driven by emerging technologies, with citizens, businesses, and governments increasingly relying on online services.

At the centre of the shift lies digital identity, which enables secure, verifiable, and seamless online interactions.

Digital identity has also become a cornerstone of the EU’s transition toward a secure and competitive digital economy. As societies, businesses, and governments increasingly rely on online platforms, the ability for citizens to prove who they are in a reliable, secure, and user-friendly way has gained central importance.

Without trusted digital identities, essential services ranging from healthcare and education to banking and e-commerce risk fragmentation, fraud, and inefficiency.

The EU has long recognised the challenge. The first introduction of the eIDAS Regulation, on Electronic Identification, Authentication and Trust Services, in 2014, was a milestone in creating a legal framework for electronic identification and trust services across its borders.

However, it quickly became clear that further steps were necessary to improve adoption, interoperability, and user trust.

In May 2024, the updated framework, eIDAS 2 (Regulation (EU) 2024/1183), came into force.

At its heart lies the European Digital Identity Wallet, or EDIW, a tool designed to empower EU citizens with a secure, voluntary, and interoperable way to authenticate themselves and store personal credentials.

EU security

By doing so, eIDAS 2 aims to strengthen trust, security, and cross-border services, ensuring Europe builds digital sovereignty while safeguarding fundamental rights.

Lessons from eIDAS 1 and the need for a stronger digital identity framework

Back in 2014, when the first eIDAS Regulation was adopted, its purpose was to enable the mutual recognition of electronic identification and trust services across member states.

The idea was simple (and logical) yet ambitious: a citizen of one EU country should be able to use their national digital ID to access services in another, whether it is to enrol in a university abroad or open a bank account.

The original regulation created legal certainty for electronic signatures, seals, timestamps, and website authentication, helping digital transactions gain recognition equal to their paper counterparts.

For businesses and governments, it reduced bureaucracy and built trust in digital processes, both essential for sustainable development.

Despite the achievements, significant limitations emerged. Adoption rates varied widely across member states, with only a handful, such as Estonia and Denmark, achieving robust national digital ID systems.

Others lagged due to technical, political, or budgetary issues. Interoperability across borders was inconsistent, often forcing citizens and businesses to rely on paper processes.

Stakeholders and industry associations also expressed concerns about the complexity of implementation and the absence of user-friendly solutions.

The gaps highlighted the need for a new approach. As Commission President Ursula von der Leyen emphasised in 2020, ‘every time an app or website asks us to create a new digital identity or to easily log on via a big platform, we have no idea what happens to our data in reality.’

Concerns about reliance on non-European technology providers, combined with the growing importance of secure online transactions, paved the way for eIDAS 2.

The eIDAS 2 framework and the path to interoperable digital services

Regulation (EU) 2024/1183, adopted in the spring of 2024, updates the original eIDAS to reflect new technological and social realities.

Its guiding principle is technological neutrality, ensuring that no single vendor or technology dominates and allowing member states to adopt diverse solutions provided they remain interoperable.

Among its key innovations is the expansion of qualified trust services. While the original eIDAS mainly covered signatures and seals, the new regulation broadens the scope to include services such as qualified electronic archiving, ledgers, and remote signature creation devices.

The broader approach ensures that the regulation keeps pace with emerging technologies such as distributed ledgers and cloud-based security solutions.

eIDAS 2 also strengthens compliance mechanisms. Providers of trust services and digital wallets must adhere to rigorous security and operational standards, undergo audits, and demonstrate resilience against cyber threats.

In this way, the regulation not only fosters a common European market for digital identity but also reinforces Europe’s commitment to digital sovereignty and trust.

EU European Commission Quantum tech Cybersecurity

The European Digital Identity Wallet in action

The EDIW represents the most visible and user-facing element of eIDAS 2.

Available voluntarily to all EU citizens, residents, and businesses, the wallet is designed to act as a secure application on mobile devices where users can link their national ID documents, certificates, and credentials.

For citizens, the benefits are tangible. Rather than managing numerous passwords or carrying a collection of physical documents, individuals can rely on the wallet as a single, secure tool.

It allows them to prove their identity when travelling or accessing services in another country, while offering a reliable space to store and share essential credentials such as diplomas, driving licences, or health insurance cards.

In addition, it enables signing contracts with qualified electronic signatures directly from personal devices, reducing the need for paper-based processes and making everyday interactions considerably more efficient.

For businesses, the wallet promises smoother cross-border operations. For example, banks can streamline customer onboarding through secure, interoperable identification. Professional services can verify qualifications instantly.

E-commerce platforms can reduce fraud and improve compliance with ‘Know Your Customer’ requirements.

By reducing bureaucracy and offering convenience, the wallet embodies Europe’s ambition to create a truly single digital market.

Cybersecurity and privacy in the EDIW

Cybersecurity and privacy are central to the success of the wallet. On the positive side, the system enhances security through encryption, multi-factor authentication, and controlled data sharing.

EU Cybersecurity

Instead of exposing unnecessary information, users can share only the attributes required, for example, confirming age without disclosing a birth date.

Yet risks remain. The most pressing concern is risk aggregation. By consolidating multiple credentials in a single wallet, the consequences of a breach could be severe, leading to fraud, identity theft, or large-scale data exposure. The system, therefore, becomes an attractive target for attackers.

To address such risks, eIDAS 2 mandates safeguards. Article 45k requires providers to maintain data integrity and chronological order in electronic ledgers, while regular audits and compliance checks ensure adherence to strict standards.

Furthermore, the regulation mandates open-source software for the wallet components, enhancing transparency and trust.

The challenge is to balance security, usability, and confidence. If the wallet is overly restrictive, citizens may resist adoption. If it is too permissive, privacy could be undermined.

The European approach aims to strike the delicate balance between trust and efficiency.

Practical implications across sectors with the EDIW

The European Digital Identity Wallet has the potential to reshape multiple sectors across the EU, and its relevance is already visible in national pilot projects as well as in existing electronic identification systems.

Public services stand to benefit most immediately. Citizens will be able to submit tax declarations, apply for social benefits, or enrol in universities abroad without needing paper-based procedures.

Healthcare is another area where digital identity is of great importance, since medical records can be transferred securely across borders.

Businesses are also likely to experience greater efficiency. Banks and financial institutions will be able to streamline compliance with the ‘Know Your Customer’ and anti-money laundering rules.

In the field of e-commerce, platforms can provide seamless authentication, which will reduce fraud and enhance customer trust.

Citizens will also enjoy greater convenience in their daily lives when signing rental contracts, proving identity while travelling, or accessing utilities and other services.

National approaches to digital identity across the EU

National experiences illustrate both diversity and progress. Let’s review some examples.

0JzKZNWx flags Figure 10 EU

Estonia has been recognised as a pioneer, having built a robust e-Identity system over two decades. Its citizens already use secure digital ID cards, mobile ID, and smart ID applications to access almost all government services online, meaning that integration with the EDIW will be relatively smooth.

Denmark has also made significant progress with its MitID solution, which replaced NemID and is now used by millions of citizens to access both public and private services with high security standards, including biometric authentication.

Germany has introduced BundID, a central portal for accessing public administration services, and has invested in enabling the use of national ID cards via NFC-based smartphones, although adoption is still limited compared to Scandinavian countries.

Italy has taken a different route by rolling out SPID, the Public Digital Identity System, which is now used by more than thirty-five million citizens to access thousands of services. The country also supports the Electronic Identity Card, known as CIE, and both solutions are being aligned with wallet requirements.

Spain has launched Cl@ve, a platform that combines permanent passwords and electronic certificates, and has joined several wallet pilot projects funded by the European Commission to test cross-border use.

France is developing its France Identité application, which allows the use of the electronic ID card for online authentication, and the project is at the centre of the national effort to meet European standards.

The Netherlands relies on DigiD, which provides access to healthcare, taxation, and education services. Although adoption is high, the system will require enhanced security features to meet the new regulations.

Greece has made significant strides in digital identity with the introduction of the Gov.gr Wallet. The mobile application allows citizens to store digital versions of their national identity card and driving licence on smartphones, giving them the same legal validity as physical documents in the country.

These varied examples reveal a mixed landscape. Countries such as Estonia and Denmark have developed advanced and widely used systems that will integrate readily with the European framework.

Others are still building broader adoption and enhancing their infrastructure. The wallet, therefore, offers an opportunity to harmonise national approaches, bridge existing gaps, and create a coherent European ecosystem.

By building on what already exists, member states can speed up adoption and deliver benefits to citizens and businesses in a consistent and trusted way.

Risks and limitations of the EDIW

Despite the promises, the rollout of the wallet faces significant challenges, several of which have already been highlighted in our analysis.

First, data privacy remains a concern. Citizens must trust that wallet providers and national authorities will not misuse or over-collect their data, especially given existing concerns about data breaches and increased surveillance across the Union. Any breach of that trust could significantly undermine adoption.

masked hacker under hood using computer to commit data breach crime

Second, Europe’s digital infrastructure remains uneven. Countries such as Estonia and Denmark (as mentioned earlier) already operate sophisticated e-ID systems, while others fall behind. Bridging the gap requires financial and technical support, as well as political will.

Third, balancing innovation with harmonisation is not easy. While technological neutrality allows for flexibility, too much divergence risks interoperability problems. The EU must carefully monitor implementation to avoid fragmentation.

Finally, there are long-term risks of over-centralisation. By placing so much reliance on a single tool, the EU may inadvertently create systemic vulnerabilities. Ensuring redundancy and diversity in digital identity solutions will be key to resilience.

Opportunities and responsibilities in the EU’s digital identity strategy

Looking forward, the success of eIDAS 2 and the wallet will depend on careful implementation and strong governance.

Opportunities abound. Scaling the wallet across sectors, from healthcare and education to transport and finance, could solidify Europe’s position as a global leader in digital identity. By extending adoption to the private sector, the EU can create a thriving ecosystem of secure, trusted services.

Yet the initiative requires continuous oversight. Cyber threats evolve rapidly, and regulatory frameworks must adapt. Ongoing audits, updates, and refinements will be necessary to keep pace. Member states will need to share best practices and coordinate closely to ensure consistent standards.

At a broader level, the wallet represents a step toward digital sovereignty. By reducing reliance on non-European identity providers and platforms, the EU strengthens its control over the digital infrastructure underpinning its economy. In doing so, it enhances both competitiveness and resilience.

The EU’s leap toward a digitally sovereign future

In conclusion, we firmly believe that the adoption of eIDAS 2 and the rollout of the European Digital Identity Wallet mark a decisive step in Europe’s digital transformation.

By providing a secure, interoperable, and user-friendly framework, the EU has created the conditions for greater trust, efficiency, and cross-border collaboration.

The benefits are clear. Citizens gain convenience and control, businesses enjoy streamlined operations, and governments enhance security and transparency.

But we have to keep in mind that challenges remain, from uneven national infrastructures to concerns over data privacy and cybersecurity.

eu cybersecurity standards

Ultimately, eIDAS 2 is both a legal milestone and a technological experiment. Its success will depend on building and maintaining trust, ensuring inclusivity, and adapting to emerging risks.

If the EU can meet the challenges, the European Digital Identity Wallet will not only transform the daily lives of millions of its citizens but also serve as a model for digital governance worldwide.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

International search widens for ransomware fugitive on EU Most Wanted

A Ukrainian cybercrime suspect has been added to the EU’s Most Wanted list for his role in the 2019 LockerGoga ransomware attack against a major Norwegian aluminium company and other global incidents.

The fugitive is considered a high-value target and is wanted by multiple countries. The US Department of Justice has offered up to USD 10 million for information leading to the arrest.

Europol stated that the identification of the suspect followed a lengthy, multinational investigation supported by Eurojust, with damages from the network estimated to be in the billions. Several members of the group have already been detained in Ukraine.

Investigators have mapped the network’s operations, tracing its hierarchy from malware developers and intrusion experts to money launderers who processed illicit proceeds. The wanted man is accused of directly deploying LockerGoga ransomware.

Europol has urged the public to visit the EU Most Wanted website and share information that could assist in locating the fugitive. The suspect’s profile is now live on the platform.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Google hit with $3.5 billion EU fine

The European Commission fined Google nearly $3.5 billion after ruling that the company had abused its dominance in digital advertising. Regulators found that Google unfairly preferred its ad exchange, AdX, in its publisher ad server and ad-buying tools, which violated EU antitrust rules.

Officials ordered Google to end these practices within 60 days and to address what they described as ‘inherent conflicts of interest’ across the adtech supply chain. Teresa Ribera, the Commission’s executive vice president, said the case showed the need to ensure that digital markets serve the public fairly, warning that more potent remedies would follow if Google failed to comply.

Google announced it would appeal, arguing that its advertising services remain competitive and that businesses have more alternatives than ever. The fine marks the EU’s second-largest competition penalty, following a record $5 billion action against Google in 2018.

The ruling drew criticism from US President Donald Trump, who accused Europe of unfairly targeting American tech firms and threatened retaliatory measures.

Trump hosted a dinner with industry executives, including Google CEO Sundar Pichai and co-founder Sergey Brin, where he won praise for his policies on AI.

Meanwhile, Google secured partial relief in a separate antitrust case in the United States when a judge declined to impose sweeping remedies such as forcing the sale of Chrome or Android.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

EASA survey reveals cautious optimism over aviation AI ethics

The European Union Aviation Safety Agency (EASA) has published survey results probing the ethical outlook of aviation professionals on AI deployment, released during its AI Days event in Cologne.

The AI Days conference gathered nearly 200 on-site attendees from across the globe, with even more participating online.

The survey measured acceptance, trust and comfort across eight hypothetical AI use cases, yielding an average acceptance score of 4.4 out of 7. Despite growing interest, two-thirds of respondents declined at least one scenario.

Their key concerns included limitations of AI performance, privacy and data protection, accountability, safety risks and the potential for workforce de-skilling. A clear majority called for stronger regulation and oversight by EASA and national authorities.

In a keynote address, Christine Berg from the European Commission highlighted that AI in aviation is already practical, optimising air traffic flow and predictive maintenance, while emphasising the need for explainable, reliable and certifiable systems under the EU AI Act.

Survey findings will feed into EASA’s AI Roadmap and prompt public consultations as the agency advances policy and regulatory frameworks.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

CJEU confirms Zalando’s status as very large online platform under DSA

On 25 April 2023, the European Commission designated Zalando, as a ‘very large online platform’ (VLOP) under the Digital Services Act (DSA), noting that over 83 million people used the platform monthly, well above the 45 million threshold. As a VLOP, Zalando is subject to stricter obligations, particularly in protecting consumers and preventing the spread of illegal content.

Zalando contested this designation before the General Court of the European Union, arguing that only its third-party seller section (the Partner Programme) should qualify as an online platform under the DSA, not its direct retail operations (Zalando Retail).

The Court rejected Zalando’s arguments and upheld the Commission’s decision. It ruled that Zalando qualifies as a VLOP due to its Partner Programme. Since Zalando could not distinguish between users exposed to third-party seller content and those who were not, the Commission was entitled to consider all 83 million users as active recipients.

The Court also dismissed Zalando’s claims that the DSA violated legal certainty, equal treatment, and proportionality principles. It highlighted the potential for large platforms to facilitate the distribution of dangerous or illegal goods. As such, Zalando remains subject to the enhanced responsibilities imposed on very large online platforms under the DSA.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

CJEU dismisses bid to annul EU-US data privacy framework

The General Court of the Court of Justice of the European Union (CJEU) has dismissed an action seeking the annulment of the EU–US Data Privacy Framework (DPF). Essentially, the DPF is an agreement between the EU and the USA allowing personal data to be transferred from the EU to US companies without additional data protection safeguards.

Following the agreement, the European Commission conducted further investigations to assess whether it offered adequate safeguards. On 10 July 2023, the Commission adopted an adequacy decision concluding that the USA ensures a sufficient level of protection comparable to that of the EU when transferring data from the EU to the USA, and that there is no need for supplementary data protection measures.

However, on 6 September 2023, Philippe Latombe, a member of the French Parliament, brought an action seeking annulment of the EU–US DPF.

He argued that the framework fails to ensure adequate protection of personal data transferred from the EU to the USA. Latombe also claimed that the Data Protection Review Court (DPRC), which is responsible for reviewing safeguards during such data transfers, lacks impartiality and independence and depends on the executive branch.

Finally, Latombe asserted that ‘the practice of the intelligence agencies of that country of collecting bulk personal data in transit from the European Union, without the prior authorisation of a court or an independent administrative authority, is not circumscribed in a sufficiently clear and precise manner and is, therefore, illegal.’As a result, the General Court of the EU dismissed the action for annulment, stating that:

  • The DPRC has sufficient safeguards to ensure judicial independence,
  • US intelligence agencies’ bulk data collection practices are compatible with the EU fundamental rights, and
  • The decision consolidates the European Commission’s ability to suspend or amend the framework if US legal safeguards change.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

EU and Australia diverge on paths to AI regulation

The regulatory approaches to AI in the EU and Australia are diverging significantly, creating a complex challenge for the global tech sector.

Instead of a unified global standard, companies must now navigate the EU’s stringent, risk-based AI Act and Australia’s more tentative, phased-in approach. The disparity underscores the necessity for sophisticated cross-border legal expertise to ensure compliance in different markets.

In the EU, the landmark AI Act is now in force, implementing a strict risk-based framework with severe financial penalties for non-compliance.

Conversely, Australia has yet to pass binding AI-specific laws, opting instead for a proposal paper outlining voluntary safety standards and 10 mandatory guardrails for high-risk applications currently under consultation.

It creates a markedly different compliance environment for businesses operating in both regions.

For tech companies, the evolving patchwork of international regulations turns AI governance into a strategic differentiator instead of a mere compliance obligation.

Understanding jurisdictional differences, particularly in areas like data governance, human oversight, and transparency, is becoming essential for successful and lawful global operations.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

ENISA takes charge of new EU Cybersecurity Reserve operations with €36 million in funding

The European Commission has signed a contribution agreement with the European Union Agency for Cybersecurity (ENISA), assigning the agency responsibility for operating and administering the EU Cybersecurity Reserve.

The arrangement includes a €36 million allocation over three years, complementing ENISA’s existing budget.

The EU Cybersecurity Reserve, established under the EU Cyber Solidarity Act, will provide incident response services through trusted managed security providers.

The services are designed to support EU Member States, institutions, and critical sectors in responding to large-scale cybersecurity incidents, with access also available to third countries associated with the Digital Europe Programme.

ENISA will oversee the procurement of these services and assess requests from national authorities and EU bodies, while also working with the Commission and EU-CyCLONe to coordinate crisis response.

If not activated for incident response, the pre-committed services may be redirected towards prevention and preparedness measures.

The reserve is expected to become fully operational by the end of 2025, aligning with the planned conclusion of ENISA’s existing Cybersecurity Support Action in 2026.

ENISA is also preparing a candidate certification scheme for Managed Security Services, with a focus on incident response, in line with the Cyber Solidarity Act.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

Trump threatens tariffs over EU digital taxes on US tech companies

President Donald Trump has threatened to impose retaliatory tariffs on countries implementing digital taxes or regulations affecting American technology companies. His comments, made in a post on Truth Social, were interpreted as a warning to the European Union.

The EU and several member states have introduced digital services taxes and regulations, including the Digital Services Act and the Digital Markets Act.

These measures aim to tackle illegal content, increase oversight of large online platforms, and ensure that major tech firms, such as Google, Amazon, Apple, and Meta, pay taxes in the countries where they generate revenue.

According to AP News, Trump’s administration previously argued that these taxes unfairly target US-based companies and considered tariffs on European goods in response.

The Guardian reports that Trump’s latest threat adds pressure on the UK and the EU, which have recently signed trade agreements with the US.

While the EU continues to enforce strict digital regulations and taxes, the UK has maintained its digital services tax, introduced in 2020, despite earlier criticism from US officials and a trade deal reached with the Trump administration.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

EU and South Korea unite on AI and energy

The European Union and South Korea will bring together top policymakers, industry experts, and academics for a high-level seminar on the role of AI in transforming energy systems. The event, titled ‘AI & Energy: Delivering EU and Korea’s Digital and Green Ambitions’, will take place on 27 August 2025 during the World Climate Industry Expo in Busan.

It comes at a time when AI is revolutionising global industries and driving up energy demand, with data centres alone expected to double their electricity use by 2030. Around 150 participants will explore how AI can optimise grids, boost efficiency, and make energy systems more flexible, while ensuring sustainability.

Senior European officials, including Ditte Juul Jørgensen of the European Commission and climate leaders from Finland and the Netherlands, will join Korean representatives to discuss opportunities for cooperation. The seminar builds on the momentum of international clean energy talks held a day earlier.

The discussions also align with the EU’s Affordable Energy Action Plan, which launched a consultation earlier this month to shape its 2026 Strategic Roadmap on digitalisation and AI in energy. That initiative aims to scale up innovative technologies to accelerate decarbonisation.

Meanwhile, under President Lee Jae-Myung, South Korea is pursuing its own AI-driven growth strategy, investing in ‘AI highways’ and a national coordination body to support the energy transition.

The seminar underscores the EU–Korea Green Partnership’s vision: building a clean, competitive, and digitally empowered energy future by bringing together policymakers, researchers, and industry innovators.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!