eIDAS2, the European Digital Identity Wallet, and the GDPR: A New Era of Digital Identity and Privacy in the EU

The Importance of Digital Identity Control in the Age of Data Protection

Controlling one’s digital identity has become a cornerstone of modern data protection policy. As citizens increasingly interact with online services, both public and private, the need for a secure, standardized, and user-centric digital identity framework has never been more pressing.

The European Union (EU) has taken a major step forward with the introduction of eIDAS2, an updated regulation that significantly evolves its digital identity strategy. At the heart of this transformation is the European Digital Identity Wallet (EUDI Wallet), a mobile-based tool designed to give citizens seamless and secure control over their digital credentials.

What is eIDAS2?

The eIDAS2 Regulation (Regulation (EU) 2024/1183), adopted on April 11, 2024 and effective from May 20, 2024, is an amendment to the original eIDAS Regulation (EU No. 910/2014). The new version aims to:

  • Strengthen digital identity interoperability across EU countries,
  • Enhance user trust,
  • Improve privacy protections, and
  • Establish mandatory acceptance of digital identity credentials across Member States.

It addresses limitations of the original framework by introducing a more user-friendly, secure, and universally accepted system of digital identity management. One of its key advancements is ensuring mutual recognition of digital identities issued in any Member State, paving the way for truly cross-border digital interactions.

The European Digital Identity Wallet (EUDI Wallet)

The EUDI Wallet is the central instrument of eIDAS2. Every EU Member State must provide at least one version of this wallet by the end of 2026. It will enable citizens, residents, and businesses to:

  • Store digital credentials and attributes (e.g., identity cards, diplomas, driver’s licenses),
  • Authenticate their identity in a trusted way,
  • Share only the necessary personal data with service providers,
  • Use pseudonyms or selective disclosure where appropriate,
  • Keep track of transactions for transparency and security.

The Wallet is designed to be voluntary, free of charge, and applicable to both public and private sector services. It integrates robust privacy-by-design principles and gives individuals granular control over their data.

Alignment with the GDPR: A Prerequisite for Trust

The eIDAS2 framework is explicitly aligned with the General Data Protection Regulation (GDPR). This alignment is crucial for ensuring:

  • Transparency in how personal data is processed,
  • Data minimization and purpose limitation,
  • User rights such as access, deletion, and objection,
  • Clear lines of responsibility and accountability.

The GDPR’s Recital 7 highlights that “natural persons should have control over their own personal data.” The concept of identity, as defined in Article 4(1) of the GDPR, is fundamental to this control. Furthermore, identity is recognized as a universal human right under Article 6 of the Universal Declaration of Human Rights.

In Spain, this principle is also protected under the Organic Law on the Protection of Citizen Security, reinforcing the legal and ethical mandate to empower citizens in the digital realm.

Architecture and Reference Framework (ARF): The Technical Backbone

To ensure consistency across the EU, eIDAS2 relies on a common Architecture and Reference Framework (ARF). This framework:

  • Defines shared standards and specifications,
  • Guides Member States in developing interoperable solutions,
  • Ensures high levels of cybersecurity and privacy,
  • Allows future updates and innovations.

The current version is ARF 1.4.1, but updates are expected in 2026 to align with emerging needs and challenges.

Implementing Acts: From Framework to Enforcement

The European Commission is in charge of translating eIDAS2’s principles into enforceable measures through Implementing Acts. The first set of these regulations was adopted in November 2024, providing:

  • Technical specifications,
  • Security requirements,
  • Interoperability rules.

These implementing acts are binding for all Member States and will ensure that the design and deployment of digital wallets align with both eIDAS2 and the GDPR.

Ensuring Privacy, Accountability, and Transparency

To operationalize GDPR compliance, eIDAS2 includes a series of safeguards:

  • Data Protection Impact Assessments (DPIAs) must be conducted by service providers when the data processing is likely to result in high risks to individuals.
  • The wallet must log all transactions, including date/time, counterpart identity, and the data requested and shared.
  • Users must have access to a dashboard showing the connected service providers and the data exchanged, with the ability to request data erasure (per Article 17 of the GDPR) and the option to report illicit data requests to the national data protection authority.
  • There must be logical separation between personal data held for wallet provision and other types of data held by the provider.
  • The regulation prohibits identity credential issuers (called “trusted service providers”) from tracking usage of the attributes they provide, protecting non-linkability across services.
  • Revocation mechanisms must be in place for both digital credentials and the wallet itself.

These elements are aimed at reinforcing user autonomy, reducing surveillance risks, and upholding European values around digital dignity.
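A sketch of how the logged fields listed above can drive the user dashboard and an erasure request; it is an added example, not code from the regulation, the ARF or any wallet implementation. The class, method, provider and attribute names are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Transaction:
    timestamp: datetime      # date/time of the exchange
    counterpart: str         # identity of the service provider
    requested: frozenset     # attributes the provider asked for
    shared: frozenset        # attributes the wallet actually released


class WalletLog:  # hypothetical name, not an ARF component
    def __init__(self):
        self._entries = []

    def record(self, counterpart, requested, approved, when=None):
        """Release only attributes both requested and user-approved, then log."""
        requested = frozenset(requested)
        shared = requested & frozenset(approved)
        tx = Transaction(when or datetime.now(timezone.utc), counterpart, requested, shared)
        self._entries.append(tx)
        return tx

    def dashboard(self):
        """Per-provider view: transaction count, data exchanged, data withheld."""
        view = defaultdict(lambda: {"transactions": 0, "shared": set(), "withheld": set()})
        for tx in self._entries:
            row = view[tx.counterpart]
            row["transactions"] += 1
            row["shared"] |= tx.shared
            row["withheld"] |= tx.requested - tx.shared
        return dict(view)

    def erasure_request(self, counterpart):
        """Build an Article 17 request listing what this provider received."""
        shared = self.dashboard().get(counterpart, {}).get("shared", set())
        return {"to": counterpart, "basis": "GDPR Article 17", "attributes": sorted(shared)}


def demo():
    # Constructed sample data: provider names and attribute names are made up.
    log = WalletLog()
    log.record("bank.example", {"family_name", "birth_date", "address"},
               approved={"family_name", "birth_date"})
    log.record("bar.example", {"age_over_18"}, approved={"age_over_18", "family_name"})
    return log
```

The "withheld" column gives the user the record of what a provider asked for but did not receive, which is the material a report about an excessive request would draw on.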

Challenges and Outlook

Despite the ambitious framework, concerns remain. The current ARF does not fully cover all technical and regulatory requirements set by eIDAS2 and the GDPR. There is a strong consensus among data protection authorities, researchers, and industry experts that further work is needed to:

  • Close existing gaps in the ARF,
  • Translate privacy safeguards into concrete implementations,
  • Certify wallets and digital identity solutions that are fully GDPR-compliant.

Ongoing oversight and updates from national data protection authorities and the European Data Protection Board (EDPB) will be essential to ensure that digital identity solutions do not become vectors of data misuse or surveillance, but rather instruments of empowerment and trust.

A Rights-Based, Privacy-Centric Digital Future

The launch of eIDAS2 and the EUDI Wallet represents a monumental shift in Europe’s digital landscape. By embedding privacy, control, and transparency into the fabric of digital identity, the EU is setting a global standard for how societies can modernize without compromising human rights.

As Europe’s digital transformation accelerates, the success of this initiative will depend not only on technological readiness but also on the ability to enforce robust protections and foster public trust in the digital infrastructure of tomorrow.

