
In brief

The EUDI Wallet will have a significant impact on VLOPs, app stores, social media services, video-sharing platforms, regulated services such as gambling or adult media, healthcare providers, financial and banking services, public sector bodies and everyone who is obliged, either by contract or by law, to implement two-factor authentication to identify their users.

Intro – Obligations and Opportunities

On 20 May 2024, Regulation (EU) 2024/1183 entered into force. The Regulation implements, among other things, the new EU digital identification wallet (“EUDI Wallet”), which is supposed to harmonize user identification and age gating in the EU. As such, it will likely have a significant impact on the digital world and on businesses ranging from financial services to media companies to social networks.

The law aims at establishing a legally recognized way of identification that does not require more than a few clicks on the end user’s device. Identification will be as easy as paying a bill with a phone in a restaurant. Certain public bodies, practically all VLOPs and several other private parties will be required to implement and accept the EUDI Wallet to verify their users’ identities. However, the wallet also presents an opportunity for platforms, VLOPs and regulated sectors (e.g. banking and telecommunications) to drive revenue.

Not just one app – What is the EUDI Wallet?

The EUDI Wallet will work as an app that can be installed on common user devices such as smartphones. However, there is not just one EUDI Wallet app. A common misconception is that the EUDI Wallet will be one central app that is provided by the EU and can be used by everyone. This is incorrect. Instead, the term “EUDI Wallet” refers to the technical and legal standard established by the eIDAS 2.0 Regulation.

While it is correct that each EU member state must offer at least one wallet solution by late 2026, the legal framework of the eIDAS 2.0 Regulation was intentionally left open to everyone, so that private parties can create their own wallet by complying with the technical standards set out in the Regulation.

Thus, multiple wallets can and very likely will co-exist. The goal of opening the regulatory framework to everyone is to promote technical innovation and acceptance of the wallet. Big tech and platforms will be able to establish their own wallet and integrate it into their platform ecosystem or world of services.

The eIDAS 2.0 Regulation stipulates three different means by which EUDI Wallets can be provided:

Means of provision, each followed by its explanation:

1. Directly by a member state: In this scenario, the provider of the EUDI Wallet app is the respective member state. Each Member State must provide at least one EUDI Wallet by 21 Nov. 2026.

2. Under a mandate from a member state: In this scenario, the provider of the EUDI Wallet app is a third party (e.g. a private company), which is providing the app on behalf of the respective member state.

3. Independently of a member state (incl. by private parties) but recognized by that member state: In this scenario, the provider of the EUDI Wallet app can be anyone. Private parties can design the app based on their own needs, e.g. as part of their world of services or platform economy. However, they have to meet certain objective design criteria (e.g. technical standards) and go through an official recognition process.

Who is required to implement the EUDI Wallet?

The following parties are statutorily required to implement the EUDI Wallet and accept it as a means of identification:

  • Providers of very large online platforms (“VLOPs”) under the DSA are required to accept the EUDI Wallet as a means of identification, if they require user authentication for access to their online services.
    • Since there are currently no VLOPs which function without authentication (i.e. user accounts, login, etc.), the requirement to implement and accept the EUDI Wallet in practice applies to all VLOPs.
  • Private parties which are required by law to use strong user authentication for online identification.
    • Strong user authentication means two-factor authentication, e.g. by using a smart phone (factor 1) with touch ID or face ID (factor 2) to log into online banking or execute a payment.
    • Typical examples of private parties which are legally required to implement two-factor authentication for their users and are therefore mandated to accept the EUDI Wallet include healthcare providers managing electronic records, banking institutions processing digital payments, and telecommunication companies verifying user identities for mobile contracts.
  • Private parties where strong user authentication for online identification is a contractual obligation imposed by another party.
    • Private parties are required to accept the EUDI Wallet if they are contractually obliged by a business partner to use strong user authentication (i.e. two-factor authentication) to identify their users.
    • This may occur through B2B agreements, insurance requirements, industry-specific service level agreements (SLAs) or where two-factor authentication is required by contract as a technical and organisational measure (TOM) to comply with the GDPR.
    • While the eIDAS 2.0 Regulation explicitly lists 12 key sectors (such as digital infrastructure, energy, transport, and telecommunication) as primary obligors, this list is not exhaustive. The obligation to accept the EUDI Wallet extends to any private party – regardless of the sector – as long as a contractual obligation for strong user authentication exists.
  • Public sector bodies which provide an online service that requires electronic identification and authentication (e.g., vehicle registration, address registration, business registration, pension insurance, health insurance, tax authorities, student loans/grants, universities, criminal record certificates, driving records).

Driving revenue – What are the most significant business cases?

When a new regulation comes into effect, the initial reaction is usually to consider how it can be avoided or how its impact on business can be mitigated. The EUDI Wallet represents a rare exception in this regard, as it will very likely lead to a significant and measurable increase in revenue for numerous service providers.

Since all VLOPs, nearly all public bodies that require identification, and numerous private companies are required to adopt the wallet, it can be assumed that it will become widely established across the EU in a short period of time. This will open up numerous opportunities.

To name just a few:

  • Telecommunications providers, banks, and financial service providers no longer need to engage and pay third-party providers to verify a customer’s identity via video chat when concluding a contract online. Instead, all it takes is 2–3 clicks via the EUDI Wallet. With the same process, users can also sign the contract in a legally valid manner. This significantly speeds up the process, increases the conversion rate, and reduces costs.
  • Social networks and video sharing platforms will have access to a harmonized and established age gating and identification tool which they can leverage to fully comply with their DSA age gating obligations.
  • App stores and platforms (many of which must adopt the wallet anyway) can integrate the EUDI Wallet into their platform ecosystem (e.g., into existing payment wallets). These (enhanced) wallets can then in turn be made available to app providers and other third-party services (just like payment wallets already are). Third-party providers can then identify their users with just 2–3 clicks or verify their age for age verification purposes. The platform, in turn, can either monetize the use of the wallet (e.g., 5 cents per identification to be paid by the third-party service/app) or benefit from a larger platform economy (more apps, more content, more in-app purchases, more revenue share). Just consider the following services, which can identify their users or verify their age in seconds, allowing them to offer their products and services completely legally in most member states:
    • Gambling services can identify customers within seconds. There is no conversion loss and no extensive costs for third-party identification services.
    • 18+ movies and video games, or so-called ‘indexed’ media in Germany, can be legally sold in physical and digital formats, without conversion loss or the need to meet country-specific age-gating requirements.
    • Sellers of regulated products such as alcohol, tobacco, drugs and marijuana can legally age-gate and sell within seconds.
    • Adult media, which is economically a significant sector that so far largely operates in a grey zone, can be provided fully legally while appropriate age-gating is ensured.

Timing – Until when does the EUDI Wallet need to be implemented?

The eIDAS 2.0 Regulation officially came into force on 20 May 2024, but the timeline for implementation depends on when the first technical implementation acts were published and on who has to comply with them.

The technical implementation acts were already published on 4 December 2024. Based on this date, the following timelines apply:

  • Member States: 24 months after the technical implementation acts were adopted, every EU Member State has to provide at least one EUDI Wallet to its citizens (whether operated by the member state or by another body on its behalf). So, the first wallet needs to be ready by 6 December 2026. However, Germany’s official EUDI Wallet website states that “[b]y early 2027, at least one EUDI […] is to be available in every Member State.”
  • Similarly, public sector bodies must accept the EUDI Wallet 24 months after the technical implementation acts were adopted, i.e. 6 December 2026.
  • VLOPs: The eIDAS Regulation 2.0 does not specifically name a timeline by which VLOPs need to accept the EUDI Wallet as a means of identification. However, the regulation states that VLOPs shall accept and facilitate the use of the EUDI Wallets “that are provided in accordance with this Regulation”. The common interpretation seems to be that this means the point at which member states provide the first wallet. Hence, this would be December 2026 / early 2027.
  • Private parties which are required by law to use strong user authentication for online identification, and private parties for which strong user authentication for online identification is a contractual obligation imposed by another party, must accept the EUDI Wallet 36 months after the technical implementation acts were adopted, i.e. 6 November 2027.

Author

Sebastian Schwiddessen is a counsel and a member of Baker McKenzie's TMT Practice in Berlin. Sebastian’s clients range from various platform providers and market-leading video gaming, film, video-on-demand and entertainment companies to indie publishers. Sebastian is well-known as an advisor in the video games and entertainment sector. He also regularly advises a wide range of leading social media companies and video-sharing platforms on regulatory and copyright-related matters.