EUDI Wallets: A Reality Check for Private Providers
The EU Digital Identity (EUDI) Wallet initiative presents a transformative vision for secure, cross-border digital identity. But for private companies aiming to participate, the path is complex, resource-intensive, and largely undefined. This blog from ZealiD outlines the core technical and commercial barriers and invites collaboration to address them.
Key Points:
- Commercial viability remains uncertain, with state-issued wallets likely to dominate.
- Common Criteria (EAL4+) and secure hardware requirements present steep entry barriers.
- Access to mobile secure elements is technically and politically constrained.
- Onboarding processes are unclear in many member states, and adoption is dependent on unresolved national infrastructure.
- The aggressive rollout timeline (2026–2027) may be unrealistic unless foundational issues are urgently addressed.
Top 5 Calls to Action
- Clarify Commercial Models
EU policymakers must provide viable frameworks that enable private wallet providers to sustainably operate, including definitions of billable events or service layers beyond the wallet.
- Accelerate Hardware Access Agreements
Apple, Google, and other OEMs must be encouraged to provide trusted, transparent APIs for secure element access to enable compliant wallet implementations.
- Streamline Certification for Software-Driven Actors
Simplify Common Criteria pathways or introduce equivalency frameworks that recognize cloud HSM and mobile secure enclaves, enabling faster and cheaper entry for software-first providers.
- Standardize Onboarding Across the EU
Member States should publish detailed, interoperable onboarding protocols (e.g. for video KYC, ID card NFC access) and clarify how individuals can receive Level High credentials in practice.
- Prioritize Ecosystem Enablement Before Scaling
Focus the next 12–18 months on finalizing APIs, RP trust frameworks, and PID issuance processes before pushing large-scale wallet deployment. Adoption will only follow once the foundations are sound.
Introduction
The vision of a unified European Digital Identity (EUDI) Wallet is compelling: every EU citizen with a secure digital identity app to access public and private services across borders. But turning this vision into reality is proving far more challenging than anticipated – especially for private companies that aspire to become wallet providers. The road to an EU digital identity wallet is paved with strict regulations, high security bars, and unresolved questions. This blog post, from ZealiD’s perspective, examines the deep technical and commercial challenges private actors face in the EUDI Wallet ecosystem. We raise critical questions about viability, highlight technical bottlenecks, and invite dialogue on how to overcome these hurdles together.
Commercial Viability: Can Private Wallets Compete?
One of the first hard truths is a commercial one: is the EUDI Wallet ecosystem only viable for state actors, or can private companies realistically compete? The EU’s approach heavily involves Member States. In fact, the European Commission is funding a standardized reference wallet that each country can offer to its citizens at no cost. Every EU citizen will be able to download a certified, free official wallet app, likely making it the default choice for most government services. This raises the bar for private providers – how do you convince users (and service providers) to choose a private wallet over a free government-backed alternative?
Compounding the challenge, the EUDI Wallet ecosystem will be heavily regulated, leaving limited room for traditional commercial models. Strong privacy protections mean that a wallet issuer cannot even see where or how often its credentials are used, which makes it hard to monetize transactions or charge relying parties. In other words, many familiar fintech business models don’t directly apply here. As Signicat’s digital identity experts noted, these “privacy-by-design” rules limit opportunities for commercial organizations to monetize in the wallet ecosystem [1]. For example, if your wallet issues a digital credential (attestation) to users, you have no visibility into when a bank or employer verifies it – so charging a per-verification fee is nearly impossible.
The business model question is so pressing it’s been called “the elephant in the room” in industry discussions. Some ideas, like introducing a standardized “billable event” for wallet transactions, are being explored, but no clear answer exists yet. It doesn’t help that each Member State may set its own policies for wallet certification, onboarding, and usage. These national differences will heavily influence adoption and economics, adding even more uncertainty. Without more clarity, private companies are left wondering whether they can find a sustainable role – or whether the EUDI Wallet will effectively become a state-only undertaking. We at ZealiD believe the private sector can play a pivotal role in adding value on top of the core wallet infrastructure, but the path to doing so remains unclear and will require creative thinking beyond traditional revenue models.
Common Criteria and Certification: A High Security Bar
On the technical side, the security requirements for an EUDI Wallet are extremely high – arguably higher than anything most private identity providers have tackled before. Under the forthcoming eIDAS 2.0 regulation, any approved EUDI Wallet must qualify as an electronic identity at Level of Assurance “High” (the highest level). This is not just a checkbox – it means stringent identity proofing of users and a robust binding between the user’s digital identity and a secure hardware element. In practice, achieving “LoA High” requires using tamper-proof, highly secure cryptographic devices to store and use keys. We’re talking about hardware security akin to what banks use for chip cards, not just software. The regulation explicitly demands that the wallet be tamper-proof and duplication-proof, which effectively necessitates using secure hardware elements so that identities cannot be cloned or compromised [2].
What does this mean for a private wallet provider? It means you can’t just build a slick mobile app and call it a day. The wallet must be built on a certified secure hardware foundation. In EU terms, that entails undergoing Common Criteria security evaluation at EAL4+ or higher – a rigorous, time-consuming certification process usually reserved for things like smartcards, SIM chips, and government ID modules. In fact, the EU is treating wallets as if they were “bank chips” in terms of required security. This process can easily take 1–2 years of testing, audits, and code reviews, and it’s expensive. For “software-first” companies used to quick app release cycles, this is a whole new world. Few private actors have experience navigating Common Criteria evaluations, which involve detailed documentation, threat analysis, and often working closely with hardware security module (HSM) or chip vendors. ZealiD makes extensive use of HSMs that are Common Criteria certified, and living in the Common Criteria world involves many challenges related to patching, maintenance and capacity planning.
Simply put, building an EU-compliant wallet is not just a software project – it’s an intense hardware security project. A startup or tech company might need to partner with specialists or invest heavily in security expertise to even attempt this. The challenge is illustrated by the fact that today’s smartphones themselves are not typically certified to this level for such use. Some industry observers have pointed out that off-the-shelf Apple iPhones or Android devices are “not certified for the EUDI wallet system”, meaning wallet providers have to find ways to leverage or augment device security to meet the requirements. We’re starting to see initiatives to bridge this gap – for example, using mobile Secure Elements or secure enclaves in phones as the Wallet Secure Cryptographic Device (WSCD) – but accessing those as a third-party developer is non-trivial [3]. Apple only recently announced a program to allow limited third-party use of its Secure Element for NFC and key storage (with strict conditions). This is promising, but it underscores how dependent wallet providers are on device manufacturers opening up secure hardware access.
For a private provider focused on software, the takeaway is stark: to play in the EUDI Wallet arena, you must master hardware-based security and certifications on day one. There’s no shortcut around this. It’s a significant investment in time and money, and it raises the question of how many private companies will find it worthwhile or even feasible to pursue. The few that do will need to build security into their DNA and likely collaborate with hardware security experts and mobile OS platforms to succeed.
Secure Elements and Key Management Bottlenecks
Related to the certification hurdle is a very practical technical bottleneck: managing keys in secure elements. The core of any digital identity wallet is cryptography – each wallet will hold private keys that are used to prove the user’s identity and sign credentials or authentication requests. For a LoA High wallet, these keys must reside in a secure element or equivalent (a hardened secure chip or enclave) so they can’t be extracted or tampered with [2]. This poses a few challenges:
- Access to Device Secure Elements: Many smartphones have secure elements (like the eSIM chip or a dedicated secure enclave), but third-party apps historically haven’t been allowed to use them for custom purposes. For example, on iPhones, the Secure Enclave is used for Face ID, Touch ID, and Apple’s own services, and only recently has Apple started to open up an NFC & Secure Element framework to certain developers. On Android, there is the concept of StrongBox and the Android Keystore, which can utilize secure hardware, but not all Android devices have a strong secure element readily available for identity applications. Wallet providers will likely need cooperation from platform providers (Apple, Google) to harness these hardware features. Gaining that access – and doing so in a uniform way across millions of devices – is a non-trivial task. It introduces dependency on big tech platforms and could constrain independent innovation (as providers must work within whatever APIs Apple/Google provide).
- Compatibility with National eIDs: Another aspect of secure key management is how the wallet might integrate with existing national ID cards or chips. Some EU countries issue citizens a physical eID card or a mobile ID with a secure element (for example, a smartcard or a SIM-based solution) that holds a private key. One envisioned onboarding for the EUDI Wallet is that a user could import or link their national eID credentials into the wallet. But technically, that means the wallet needs to interface with a variety of smartcards/readers or SIM-based IDs across countries. Not every country even has a compatible solution – and those that do often use different standards. Take the example of an ID card with NFC capability: the wallet app would need to use the phone’s NFC to read the card, then perhaps activate a key (with PIN codes) to generate a PID (Person Identification Data attestation) for the wallet. It’s doable, but the user experience could be quite clunky (imagine telling average citizens to tap their national ID card on their phone and enter a special PIN – many have never done that). And if a country has no chip ID card or the majority of citizens don’t have readers, alternative identity proofing methods must be allowed (like in-person verification or video onboarding), which adds complexity and cost.
- Key Recovery and Management: User-controlled wallets also raise the question of backup and recovery of these secure keys. If the keys must live in hardware, how do users recover their identity if they lose their device? Solutions might include cloud backup of keys protected by HSMs, or using a remote HSM as the primary secure element (one of the models in the EUDI architecture) [3]. Some wallets may employ a Remote Secure Element approach – essentially storing keys in a cloud Hardware Security Module under the wallet provider’s control (with user consent), which is allowed by the standards.
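The Android StrongBox gap described under “Access to Device Secure Elements” above, as an added Kotlin example that is not ZealiD’s code: it requests a StrongBox-backed signing key from the Android Keystore, falls back to the TEE when the device has no StrongBox, and reports which protection the key actually received. The key alias, the `generateWalletKey` function and a backend-issued `challenge` are assumptions, as are a minimum API level of 31 and a device with a secure lock screen and enrolled biometric.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyInfo
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import java.security.KeyFactory
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.KeyStore
import java.security.cert.Certificate
import java.security.spec.ECGenParameterSpec

// Hypothetical alias for the wallet's device-bound signing key.
private const val WALLET_KEY_ALIAS = "example_wallet_device_key"

enum class KeyProtection { STRONGBOX, TEE, SOFTWARE_OR_UNKNOWN }

class WalletKey(
    val keyPair: KeyPair,
    val protection: KeyProtection,
    // Attestation chain that a wallet provider's backend would verify.
    val attestationChain: List<Certificate>,
)

private fun buildSpec(challenge: ByteArray, strongBox: Boolean): KeyGenParameterSpec =
    KeyGenParameterSpec.Builder(WALLET_KEY_ALIAS, KeyProperties.PURPOSE_SIGN)
        .setAlgorithmParameterSpec(ECGenParameterSpec("secp256r1"))
        .setDigests(KeyProperties.DIGEST_SHA256)
        // The user must authenticate before the key can sign.
        .setUserAuthenticationRequired(true)
        // Binds the attestation certificate to this enrolment request.
        .setAttestationChallenge(challenge)
        .setIsStrongBoxBacked(strongBox)
        .build()

private fun generate(challenge: ByteArray, strongBox: Boolean): KeyPair {
    val generator = KeyPairGenerator.getInstance(
        KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore"
    )
    generator.initialize(buildSpec(challenge, strongBox))
    return generator.generateKeyPair()
}

// Ask the Keystore where the private key really lives (API 31+).
private fun protectionOf(keyPair: KeyPair): KeyProtection {
    val factory = KeyFactory.getInstance(keyPair.private.algorithm, "AndroidKeyStore")
    val info = factory.getKeySpec(keyPair.private, KeyInfo::class.java)
    return when (info.securityLevel) {
        KeyProperties.SECURITY_LEVEL_STRONGBOX -> KeyProtection.STRONGBOX
        KeyProperties.SECURITY_LEVEL_TRUSTED_ENVIRONMENT -> KeyProtection.TEE
        // Software and unknown levels are treated as not hardware-protected.
        else -> KeyProtection.SOFTWARE_OR_UNKNOWN
    }
}

fun generateWalletKey(challenge: ByteArray): WalletKey {
    val keyPair = try {
        generate(challenge, strongBox = true)
    } catch (e: StrongBoxUnavailableException) {
        // Device has no StrongBox: retry without it and let the caller
        // decide whether a TEE-backed key is acceptable for its policy.
        generate(challenge, strongBox = false)
    }
    val keyStore = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }
    val chain = keyStore.getCertificateChain(WALLET_KEY_ALIAS)?.toList() ?: emptyList()
    return WalletKey(keyPair, protectionOf(keyPair), chain)
}
```

The `protection` value is the device’s own report; a provider that needs assurance would verify the attestation chain on its backend. Whether either level satisfies LoA High is the open question the text describes.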
In short, the technical plumbing of secure key handling is a bottleneck that requires coordination between many parties. Private wallet providers have to navigate OS-level restrictions, integrate with various national systems, and ensure an ultra-secure yet user-friendly way of storing keys. Any weakness here undermines the whole trust of the wallet. This is why the EU’s reference architecture strongly emphasizes the WSCD (Wallet Secure Cryptographic Device) as a cornerstone. It’s an active area of development and debate. For example, experts are discussing whether current smartphone hardware can even fully meet LoA High out of the box, or if new hardware modules will be needed – some fear that if devices don’t support required cryptography, it could “jeopardize the timeline” for rollout [2]. That brings us to our next topic: timelines.
Onboarding and Adoption Challenges
Even if a private actor manages to build a wallet that ticks all the technical boxes, a pressing question remains: how do you onboard users at scale, especially in countries that lack a widely adopted national eID? The success of EUDI Wallets hinges on people actually obtaining and using them, which in turn depends on each member state’s infrastructure for issuing the necessary credentials.
Right now, many EU countries do not have universal digital ID cards or any “Level High” digital identity readily available for all citizens. Some large countries (like Germany) have electronic ID cards with chips, but adoption has been historically low – more than two-thirds of Germans have never used their eID function [4]. Others rely on bank-issued IDs or nothing more than passports and driver’s licenses. This means that when wallets become available, a lot of users will effectively be starting from scratch in terms of obtaining a digital identity credential to load into the wallet.
The regulation’s vision is that each wallet will be initialized with a Person Identification Data (PID) attestation issued by the state – essentially a government-certified electronic identity attribute for the citizen [1]. To get that PID, the user will likely have to authenticate with something of LoA High quality. If you already have a national eID (like an Estonian ID card or Swedish BankID at the right level), that might be straightforward. If you don’t, the state will need to offer a pathway, which could involve in-person verification at an office, or perhaps remote onboarding through a process that meets high assurance (maybe video identification plus a Qualified Electronic Signature issuance, a route companies like ZealiD are familiar with). However, these processes are yet to be defined clearly in many countries. Each Member State is responsible for setting up and certifying their onboarding process for wallets, and we anticipate a lot of variation. Some countries might scramble to upgrade their existing eID schemes; others might designate private trust service providers to perform identity proofing for wallets. Until these processes are operational, widespread wallet adoption remains theoretical.
There’s also the challenge of relying parties (RPs) – the services that will accept the wallet. A digital identity is only useful if many services accept it. Yet, the EUDI framework requires that every service provider (RP) must register and obtain a special certificate to interface with the wallet system. Banks, hospitals, e-commerce sites – any private sector service will need to go through a registration and compliance process to use wallet-based login or attribute sharing. This is a safeguard to ensure only trusted services can request your credentials, but it also means adoption will be slow. We likely won’t see thousands of services supporting wallets on day one. Government services will lead the way (because they are mandated to and have an interest in national rollouts). Private-sector RPs will join gradually, and only after they navigate new compliance hoops (getting certified, updating their systems, etc.). As a result, even if citizens download the wallet app, they might find relatively few places to use it initially – which is a classic chicken-and-egg problem for adoption.
The timeline for all this is ambitious. The EU’s goal is to have at least one wallet issued per member state by 2026, and to require acceptance of wallet IDs for online services by 2027. There’s even an official target of reaching 80% of EU citizens with a digital wallet by 2030 [5]. But these targets will be hard to meet if foundational issues aren’t solved. As of late 2024, major EU countries were still debating the technical standards and raising practical questions about implementation. And of course there are key differences between the technical standards recommended in the ARF and what actually ends up in the implementing acts. Key infrastructure – like the trusted registries for RPs, or the systems to distribute attributes like digital driver’s licenses or diplomas – is not yet in place. Realistically, we might not see broad rollout or everyday usage of wallets until 2027–2028 or later in many countries. Early pilot wallets exist, but a lot remains undefined. This is not a bad thing per se; it’s normal for a project of this scale to take time to mature. However, it means private providers are staring at a moving target. How do you plan products and investments when the rules might change and the timeline might slip? It’s a dilemma: move too early and risk building the wrong thing; move too late and miss the boat if it suddenly takes off.
User Experience and Innovation Under Strict Regulation
Finally, we need to talk about user experience (UX) and innovation, and how they intersect with the strict regulatory framework. One of the promises of digital identity wallets is a smooth, one-click experience to share your ID or sign a document, improving on the clunky logins and paper processes of today. But will the EUDI Wallet deliver a great UX? Or will the heavy security and compliance requirements result in a cumbersome tool that people only use when they must?
The truth is, strict requirements can be a double-edged sword. On one hand, they ensure security and trust – crucial for something as sensitive as your identity. On the other hand, they can inhibit flexibility and creativity. For instance, every official EUDI Wallet (state or private) must follow common standards for interfaces and data formats, and even the source code must be published openly. Transparency is excellent for security and interoperability, but it also means every wallet will be very similar. There’s little room to differentiate on core functionality or snazzy features, because anything truly useful could be copied by others (it’s open source, after all). Private companies can’t rely on proprietary technology advantages in the wallet itself – “innovation must happen at the service or platform level, not in the wallet code”. In practical terms, this may shift competition to things like who offers the best integration, customer support, or complementary services, rather than the wallet app experience alone.
Moreover, the need to meet high assurance and certification can impose friction on the user flow. Consider something like logging in with a wallet: it might require a biometric unlock plus entering a PIN (because high security might mandate two factors or a user consent step for each attribute shared). Compare that to, say, how easily people currently log in with a social media account or a low-security password – the wallet could feel a bit heavier. Another example: consent screens and privacy. The regulation emphasizes that users must have control and give explicit consent to share data. That’s great, but from a UX standpoint it means possibly more pop-ups or steps every time you use your wallet (“Do you agree to share X attribute with Y service?”). Designing this in a user-friendly way is possible, but it requires care; too much friction and users revert to familiar methods.
Strict regulatory frameworks also mean slower update cycles. If any change to the wallet needs re-certification, you’re not going to be pushing updates every week with new features. Contrast this with a typical startup approach of iterate-fast-and-break-things – in the digital identity world, you really can’t break things (especially security or compatibility things). This could slow down the pace of innovation in the official wallet space. We might see a scenario where the wallet standards lag behind what cutting-edge tech could do, simply because consensus and certification take time. For users, this might mean a somewhat static experience dictated by regulatory committees rather than rapid user-driven evolution.
That said, it’s not all doom and gloom for UX. There is a strong emphasis on privacy and user control, which is a positive principle. If done right, users will have a clear dashboard of what data they’ve shared and with whom, potentially increasing trust. And because all providers must meet common standards, users should get a consistent experience across services and countries – no more juggling dozens of login methods. The key will be involving UX design expertise in the implementation of these wallets, to ensure that the high security doesn’t translate into high annoyance. Innovation in this constrained environment might be less about flashy features and more about subtle improvements: smarter consent management, integration with devices (e.g. using biometrics elegantly), and educating users on how to use their new digital identity safely.
An Invitation to Collaboration
In highlighting these challenges – from business viability to hardware certification, from onboarding hurdles to UX constraints – our goal is not to throw cold water on the EUDI Wallet initiative. On the contrary, at ZealiD we are deeply invested in the vision of a secure, user-friendly digital identity for Europe. We have firsthand experience navigating eIDAS regulations, remote onboarding, and Qualified Trust Services, so we recognize both the obstacles and the opportunities. The hard truths discussed above should serve as a reality check and a call to action for everyone involved: policymakers, tech companies, and even end-user communities.
The EUDI Wallet ecosystem is too important to get wrong. If only government agencies participate and innovation stagnates, we risk ending up with a solution that people use grudgingly, or worse, ignore. If we rush ahead without solving core issues (security, standards, business models), we might face a backlash or a security incident that erodes trust. The time is now to tackle these foundational challenges head-on, together. Regulators should actively engage with private sector innovators – we need flexible policies that encourage competition (for example, allowing multiple certified wallets per country, not just one) and clear guidance on business models (so companies know how they can sustainably operate wallets or services around them). Industry players, for their part, should share their technical know-how and concerns openly – if there’s a roadblock with secure element access or an unclear certification guideline, bringing it up early can lead to collaborative problem-solving. Initiatives like the Large-Scale Pilots and the open-source reference wallet project are great forums for this, and we applaud those efforts.
At ZealiD, we’re positioning ourselves not just as a wallet provider, but as a partner in this digital identity journey. We’ve chosen a path of building on open standards and integrating with existing platforms (like Microsoft Entra) to ensure real-world usability from day one. Our approach has been to solve current problems (e.g., cross-border digital signing, global onboarding for businesses) in a way that complements the coming EUDI infrastructure. We see the EUDI Wallet not as a threat, but as an evolving opportunity – if we can iron out the foundational wrinkles.
Let’s focus on solving what’s foundational before scaling what’s still undefined. The aggressive timelines for EUDI Wallet rollout should not force us into deploying half-baked solutions; instead, they should galvanize us to prioritize the critical issues now. This blog is an open invitation for dialogue: What are your thoughts on making the EUDI Wallet commercially viable? How can we streamline Common Criteria certifications or make hardware security more accessible to developers? What’s the plan for countries where digital ID is nascent? How do we ensure users actually want to use these wallets? These are the questions we need to answer – and we believe we can only answer them together.
Let's Take Action Together
If you’re a policymaker, a tech leader, or simply a citizen interested in digital identity, join the conversation. The European digital identity framework will only succeed if we combine the strengths of the public sector (trust, authority, scale) with the creativity and agility of the private sector. Let’s collaborate, experiment, and share knowledge to build a foundation we all trust. Once that foundation is solid – security assured, standards agreed, value demonstrated – scaling up will be so much easier. In the meantime, we at ZealiD are committed to doing our part: innovating responsibly, voicing the hard questions, and contributing solutions. Europe has a chance to lead the world in digital identity. To do that, we must be frank about the challenges and fearless in addressing them. Let’s get to work, together, so that the promise of the EUDI Wallet can truly benefit everyone.
References
- [1] The EUDI Wallet Questions from around the World, Signicat
- [2] EUDI ARF Discussions, GitHub
- [3] Apple Opens NFC - the Impact on European Wallets, Roberto Garavaglia
- [4] The European Business Wallet: a strategic pillar for digital identity and industrial competitiveness in the EU, Carsten Stocker
- [5] GlobalPlatform to drive EUDI wallet adoption across EU under eIDAS 2.0 regulation, Abigail Opiah
(All sources cited above are referenced in the text, using the indicated reference codes.)
About ZealiD
ZealiD is an EU Qualified Trust Service Provider offering identity wallets and qualified electronic signatures across Europe. We are a certified Microsoft ISV Partner and trusted by financial institutions, Fortune 500 companies, and national governments.