08.10.2025
EUDI Digital Wallet: Technical Requirements and EU Regulations
Digital wallets (e-wallets) are now among the most important tools in the digital world. With the EUDI Wallet (European Digital Identity Wallet) initiative, the European Union is creating a unified standard for citizens’ digital identity. The new wallet enables secure login to public and commercial services, document signing and controlled data sharing — all fully aligned with privacy principles and with the user in control of the scope of disclosed information (so-called selective disclosure). In this article, we present a complete technical and regulatory picture of the EUDI Wallet — from architecture and standards to the future of deployments across the EU.
1. Regulatory framework: eIDAS → EUDI Wallet
eIDAS 2.0 — the legal foundation for digital identity — is Regulation (EU) 2024/1183, which expands the original 2014 framework and requires each Member State to provide at least one digital identity wallet — the EUDI Wallet. This regulation establishes coherent rules that ensure citizens can access services across the European Union using a single, secure tool.
The new implementing acts — in particular 2024/2977 (on PID/EAA and data formats), 2024/2980 (notifications, registers, trusted lists) and 2024/2982 (interfaces and protocols) — specify the technical requirements for wallets: certification process, the format of identification data (PID), rules for storing and exchanging attestations (EAA), and security levels. The EUDI Wallet is therefore not only a technological initiative but also a legal obligation designed to strengthen Europe’s digital sovereignty.
2. Architecture and Reference Framework (ARF) — components and roles
The Architecture and Reference Framework (ARF) is the technical centerpiece of the EUDI initiative. It provides guidance on structure, interfaces, security standards and interoperability that all national wallet implementations must meet.
Key roles in the system
- Wallet Holder (User) — the person or entity that uses the wallet and controls their data.
- Wallet Provider — an organization (typically under state oversight) that delivers and maintains the wallet application and obtains certification at the “High” assurance level.
- PID Provider — the institution that issues identification data, e.g., a public administration authority, in line with Implementing Regulation 2024/2977.
- EAA / QEAA Provider — the provider of electronic attestations of attributes, including qualified trust services (QEAA).
- Relying Party — a service or company that relies on wallet data (e.g., a bank, university, or digital platform) and integrates via OpenID4VP standards.
All these actors communicate using defined protocols and trust levels, allowing the system to operate coherently at the European scale.
Wallet structure and safeguards
- WSCD (Wallet Secure Cryptographic Device) — a hardware component that stores private keys and is tamper-resistant.
- WSCA (Wallet Secure Cryptographic Application) — the application that performs cryptographic operations, signatures and authentication.
- Wallet Unit Attestation — a mechanism that confirms the authenticity and integrity of a specific wallet instance, supporting certification requirements at the “High” level.
3. Data and attestations: PID and EAA
At the heart of every EUDI Wallet are two types of data: Person Identification Data (PID) and Electronic Attestations of Attributes (EAA).
Person Identification Data (PID)
PID is a set of core identification data such as given name, family name, date of birth, nationality or an identification number. These data are issued by an authorized authority after verification at the highest assurance level. Their format is described in detail in the annexes to Implementing Regulation 2024/2977 and must be interoperable throughout the Union.
Electronic Attestations of Attributes (EAA)
EAA are digital attestations confirming specific user attributes, e.g., professional entitlements, diplomas, driving licences or student status. They may be issued by a range of organizations, both public and private, provided they comply with the ARF standards and W3C Verifiable Credentials 2.0 data models. EAA issued by a Qualified Trust Service Provider (QTSP) have the status of QEAA — a qualified attestation equivalent to official documents.
4. Communication standards and protocols
A key element of interoperability in the EUDI Wallet is a common set of communication standards. The most important is the OpenID for Verifiable Credentials family: OpenID4VCI (which defines credential issuance to the wallet) and OpenID4VP (which describes presenting credentials to a relying party). By building on OpenID Connect foundations, the wallet integrates easily with existing authentication systems.
ISO/IEC 18013-5 — offline communication
The ISO/IEC 18013-5 standard enables presenting credentials offline (mDL), e.g., during roadside checks. Data are transmitted via NFC, Bluetooth or QR codes, allowing identity verification without an internet connection. For remote verification, this is complemented by ISO/IEC 18013-7.
5. Security and privacy
Security and data protection are the foundation of the EUDI Wallet project. Every component — from the application to the device — must meet strict certification requirements and remain aligned with the EU’s overarching cybersecurity and data protection regulations. The project follows the principle of privacy-by-design, i.e., embedding privacy protections into the architecture from the outset. In practice, this means applying mechanisms described in eIDAS and its implementing acts while also respecting horizontal frameworks such as NIS2, DORA, PSD2, Data Act, AI Act and the Cyber Resilience Act (CRA).
- Selective disclosure — the user reveals only the data required (e.g., proof of majority without date of birth), which aligns with the W3C VC 2.0 model.
- Pseudonymization — each service provider sees a different user identifier, limiting cross-service tracking.
- WSCD and WSCA — secure environments for key storage and signature operations.
- Wallet Unit Attestation — ensures the wallet has not been tampered with or modified; a basis for enforcing compliance at the “High” level.
6. Interoperability and acceptance obligations
The EUDI Wallet is intended to be fully interoperable across the European Union. Public services and Very Large Online Platforms (VLOPs) are obliged to accept the wallet immediately upon its availability, while the private sector must do so within defined timelines up to 2027. Interoperability covers both common data formats (PID, EAA) and unified exchange protocols (OpenID4VC), meaning a citizen of Germany will be able to use the same wallet seamlessly in France or Poland.
7. Implementation and technical challenges
Implementing the EUDI Wallet is a complex process that requires close cooperation between governments, technology providers and the private sector. Although the architecture is unified, each Member State must adapt solutions to its own technical and legal environment.
Data storage model
- Local — all data are stored on the user’s device; this ensures greater privacy but complicates data recovery.
- Hybrid — some data are stored remotely in secure infrastructure; more convenient, but requires additional safeguards and strict compliance with data minimization principles.
Scalability and performance
- Systems must handle millions of transactions and queries in near real-time (distributed architectures, caching, high SLAs, fault tolerance).
Regulatory compliance
- Wallet and service providers must meet GDPR and NIS2 requirements, implement incident reporting, auditing and risk management procedures, and undergo required conformity assessments (including for cryptographic components and devices).
- The European Commission foresees certification and interoperability testing programs to prevent market fragmentation and uneven security levels between countries; notification regimes and trusted lists are defined, among others, in Implementing Regulation 2024/2980.
8. The future of the EUDI Wallet
The EUDI Wallet is only the beginning of Europe’s path towards fully digital identity. Over the coming years, the project will develop along several parallel lines.
- Extending interoperability beyond the EU — thanks to open standards (OpenID4VCI, OpenID4VP, W3C VC), EUDI can become a model across borders.
- Zero-knowledge proofs (ZKP) — confirming facts without revealing full data (e.g., proving an entitlement without disclosing a document number).
- Integration with new platforms — browsers, operating systems and mobile APIs for credentials.
- Social adoption and UX — simplicity akin to “one-click login,” full user control over data and transparent logs.
9. Conclusions
The EUDI Wallet is not just another digitization step but a strategic investment in the trust, privacy and security of Europe’s citizens. It brings together law (eIDAS 2.0), technology (ARF, OpenID4VCI/OpenID4VP, W3C VC, ISO/IEC 18013-5) and practical applications, creating a unified ecosystem that will define the future of digital identity in the EU.
As a result, Europeans will gain real control over their data, and organizations will gain new opportunities for secure customer verification.
Our experts at IDENTT will help you prepare for a secure, modern digital identity rollout. We are the only company in Poland that has obtained full access to mObywatel services and can integrate them with our clients’ systems. Contact us to learn more.

