ENISA Opens Public Consultation on EUDI Wallet Cybersecurity Certification

A Critical Step Toward Trusted Digital Identity Across Europe

The European Union Agency for Cybersecurity (ENISA) has launched a public consultation on the draft candidate cybersecurity certification scheme for European Digital Identity (EUDI) Wallets. Released at the end of March and formally announced on April 3, this consultation marks a pivotal moment in the EU’s push to create secure, interoperable digital identity tools that citizens and businesses can actually trust.

The EUDI Wallet is more than just another app. It is designed to let Europeans store and share official documents — driver’s licenses, diplomas, medical records, or tax certificates — securely on their phones while proving their identity online and offline without handing over unnecessary personal data. The goal is seamless cross-border access to services while keeping privacy and security at the core. But none of that works if the underlying technology isn’t demonstrably secure. That’s where the new certification scheme comes in.

Following the adoption of the revised eIDAS Regulation that established the European Digital Identity Framework, the European Commission asked ENISA to develop a candidate European cybersecurity certification scheme under the Cybersecurity Act. The agency worked with a dedicated Ad Hoc Working Group of experts to prepare the draft. Now, stakeholders have until April 30, 2026, to review the document, comment on its principles, structure, and annexes, and help shape the final version.

ENISA is also hosting a webinar on April 8 (today) from 15:00 to 16:30 CEST to walk through the draft and answer questions. The draft itself, version 0.4.614, is available on the ENISA certification portal along with supporting materials.

Why Certification Matters for the EUDI Wallet

Until now, most digital wallet implementations in Europe have operated without formal, harmonized cybersecurity certification. That created uneven security levels and made it harder for users, service providers, and relying parties to know whether a particular wallet met rigorous standards. The proposed scheme addresses this gap by establishing clear, testable requirements for the wallets themselves and the electronic identity schemes that support them.

The certification will focus on key areas such as secure storage of credentials, protection against tampering, strong authentication mechanisms, data minimization, and resilience against common attacks. It also covers the broader ecosystem, including how wallets interact with issuing authorities and relying parties across borders. By requiring independent evaluation and certification, the scheme aims to build confidence that EUDI Wallets are not just convenient but genuinely resistant to sophisticated threats.

This is especially important because the wallets will handle highly sensitive personal data. A compromise could expose identities on a massive scale or enable fraud across the entire EU. At the same time, overly burdensome requirements could slow adoption or discourage smaller member states and private-sector partners from participating. The consultation is therefore a chance to strike the right balance between security and practicality.

National Certification Efforts and the Push to the 2026 Deadline

In February 2026, ENISA signed a €1.6 million Contribution Agreement with the European Commission, funded through the Digital Europe Programme (2025–2027). The two-year project supports member states in developing their own national certification schemes for EUDI Wallets while preparing for a smooth transition to the European-level scheme.

The agreement focuses on four main clusters of activities:

  • Development of national certification schemes by individual Member States
  • Increased knowledge, skills, and mutual trust among Member States and the broader certification ecosystem
  • Building capacity and improving operational effectiveness for national authorities and certification bodies
  • Initiating alignment and an effective transition from national schemes toward the unified European cybersecurity certification scheme

Member States are under pressure: each must make at least one certified EUDI Wallet available to citizens by the end of 2026. Some countries are further along than others. A few have already piloted wallet solutions, while others are still finalizing technical architectures. The ENISA support is intended to help close those gaps and ensure that wallets issued in one country can be reliably used in another.

The timeline is tight. With the public consultation closing at the end of April and a full European scheme expected later in 2026, national implementations must move quickly. The certification framework will play a central role in making sure those national wallets meet a common high bar for security.

The EU’s Digital Identity Ambition

The EUDI Wallet sits at the intersection of several EU priorities: digital sovereignty, cross-border services, privacy protection, and cybersecurity resilience. The revised eIDAS framework aims to replace fragmented national electronic ID systems with a more unified, user-centric approach. Instead of creating separate accounts for every government service or private platform, citizens will control their digital identity through a single wallet.

Use cases go well beyond basic login. The wallet is expected to support qualified electronic signatures, age verification without revealing exact birthdates, sharing of selective attributes (such as “over 18” or “resident of this city”), and secure storage of credentials from both public and private issuers. For businesses, it promises easier customer onboarding, reduced fraud, and smoother operations across the single market.

However, these benefits depend on robust security. If wallets become targets for state-sponsored attackers or sophisticated criminal groups, public trust could collapse quickly. Certification helps mitigate that risk by requiring manufacturers and providers to prove — through independent assessment — that their implementations meet defined assurance levels.

The scheme also reflects lessons learned from earlier digital identity efforts. Previous eIDAS implementations suffered from limited uptake in some sectors because of interoperability problems and varying trust levels. The new approach, backed by mandatory certification, seeks to avoid those pitfalls.

Key Elements Likely Addressed in the Draft Scheme

Although the full draft is technical, the consultation focuses on validating core principles and the overall organization of the scheme. Stakeholders are being asked for input on:

  • The scope of certification (wallets, supporting identity schemes, and related components)
  • Assurance levels and how they map to different risk scenarios
  • Requirements for secure hardware and software environments
  • Protection against side-channel attacks, malware, and unauthorized extraction of credentials
  • Privacy-enhancing technologies and data minimization controls
  • Rules for conformity assessment, surveillance, and handling of vulnerabilities
  • Transition mechanisms from national to European certification

Annexes to the draft are expected to include more detailed security requirements for wallet providers and related service providers. Feedback on these technical elements will be especially valuable for organizations that plan to develop or integrate with EUDI Wallets.

Challenges and Stakeholder Perspectives

Implementing a harmonized certification scheme across 27 member states is no small task. Differences in national legal frameworks, technical maturity, and procurement processes could create friction. Smaller member states may struggle with the resources needed to establish national certification capacity, while larger ones might push for stricter requirements that raise costs for industry.

Private-sector players — banks, telecom operators, technology providers, and identity service companies — have a keen interest in the outcome. They want clarity on what will be required for their solutions to be accepted as part of the EUDI ecosystem. Overly rigid rules could stifle innovation; overly loose ones could undermine trust.

Privacy advocates, meanwhile, are watching closely to ensure the certification scheme genuinely protects user data and prevents function creep. The wallet’s success will depend on whether citizens feel confident that their information remains under their control.

The upcoming European Cybersecurity Certification Conference on April 15 in Cyprus, titled “Building trust through Certification: Security Claims must be proven – not promised,” will provide another forum to discuss these issues. The EUDI Wallet is expected to feature prominently in the agenda.

What Happens After the Consultation?

ENISA will review all feedback received by April 30 and use it to refine the candidate scheme. The final version will feed into the European Commission’s process for adopting the scheme as an implementing act. Once in place, the European certification framework should facilitate mutual recognition across member states and reduce the fragmentation that has plagued earlier digital identity initiatives.

For organizations involved in digital identity — whether as wallet providers, issuers, relying parties, or conformity assessment bodies — the coming months will be critical. Those who engage now through the consultation and webinar can help shape requirements that are both secure and workable in practice.

The EUDI Wallet project represents one of the most ambitious attempts yet to build a privacy-preserving, user-centric digital identity infrastructure at continental scale. Getting the cybersecurity certification right is not a technical footnote — it is foundational to the entire effort. If the scheme delivers clear, enforceable security guarantees without creating unnecessary barriers, it could accelerate adoption and set a global benchmark for trusted digital identity.

With the 2026 deadline for national wallet availability approaching fast, the public consultation is more than a bureaucratic step. It is a genuine opportunity for the cybersecurity community, industry, and civil society to help ensure that Europe’s digital identity future is both innovative and secure.
