Trend watch: Digital identity & trust frameworks in 2026 — signals, winners, and red flags

The European digital identity landscape is undergoing its most significant transformation since the original eIDAS regulation in 2014. As of February 2026, the EU Digital Identity Wallet (EUDI Wallet) is in advanced pilot across all 27 member states, with over 45 million citizens enrolled in national wallet programmes. The revised eIDAS 2.0 regulation mandates that all EU member states offer at least one digital identity wallet to citizens by September 2026, creating the largest coordinated digital identity deployment in history. For executives navigating this transition, understanding which signals indicate genuine progress, which actors are positioned to win, and which developments warrant caution is essential for strategic planning.

Why It Matters

Digital identity infrastructure is rapidly becoming a prerequisite for participating in regulated European markets. The eIDAS 2.0 framework requires that large online platforms accept EUDI Wallet credentials for age verification, strong customer authentication, and qualified electronic signatures by late 2026. Financial institutions operating under PSD3 (Payment Services Directive 3) face new requirements for identity verification that favour wallet-based credentials over legacy document-checking processes. The Anti-Money Laundering Authority (AMLA), operational since January 2025, has signalled that digital identity wallets meeting eIDAS 2.0 standards will become a preferred mechanism for customer due diligence across the EU.

The commercial implications are substantial. McKinsey estimates that digital identity verification costs European businesses approximately 3.2 billion euros annually through manual processes, document fraud losses, and compliance overhead. Wallet-based identity verification could reduce these costs by 60-75% while simultaneously improving user experience and reducing onboarding abandonment rates that currently average 30-40% for online financial services.

Beyond compliance, digital identity frameworks are becoming foundational infrastructure for sustainability reporting and supply chain transparency. The EU Digital Product Passport (DPP) initiative, mandated under the Ecodesign for Sustainable Products Regulation (ESPR), requires verifiable digital identities for both products and the organisations across their supply chains. Companies that lack interoperable digital identity infrastructure will face significant barriers to DPP compliance beginning in 2027. The Corporate Sustainability Reporting Directive (CSRD) similarly benefits from robust identity frameworks that enable verified data exchange between reporting entities and their value chain partners.

For European executives, the question is no longer whether digital identity frameworks will reshape business operations but how quickly the transition will occur and which strategic positions will prove most advantageous. The signals emerging in early 2026 provide critical guidance.

Key Concepts

Self-Sovereign Identity (SSI) places control of identity credentials with the individual rather than centralised identity providers. In the SSI model, users store verifiable credentials in digital wallets and selectively disclose attributes (such as age, nationality, or professional qualifications) without revealing unnecessary personal data. The EUDI Wallet architecture adopts SSI principles, enabling citizens to hold government-issued credentials alongside private-sector attestations in a single interoperable wallet. The W3C Verifiable Credentials standard and the Decentralised Identifier (DID) specification provide the technical foundations.

Trust Frameworks establish the rules, standards, and governance structures that determine which credentials are accepted by which verifiers and under what conditions. The eIDAS 2.0 trust framework defines four assurance levels (low, substantial, high, and qualified) with corresponding requirements for identity proofing, credential issuance, and wallet security. Trust frameworks determine interoperability: a credential issued under one national scheme must be recognised across all 27 member states if it meets the framework's requirements. Without harmonised trust frameworks, digital identity deployments fragment into incompatible silos.

Qualified Electronic Attestations of Attributes (QEAAs) are a new credential category under eIDAS 2.0 that enables qualified trust service providers to issue verifiable attestations about identity attributes beyond core identity data. Examples include professional qualifications, company registrations, health insurance status, and educational credentials. QEAAs represent a significant expansion of the digital identity ecosystem beyond government-issued ID, creating new markets for credential issuance and verification services.

Zero-Knowledge Proofs (ZKPs) allow identity holders to prove specific attributes (such as being over 18 or holding a valid professional licence) without revealing the underlying data. Several EUDI Wallet implementations are integrating ZKP capabilities to enable privacy-preserving age verification and credential checks. This technology addresses the fundamental tension between identity verification requirements and data minimisation obligations under GDPR.

Signals That Matter

EUDI Wallet Pilot Results Reveal Interoperability Challenges

The Large Scale Pilot (LSP) programme, encompassing four consortia (POTENTIAL, EWC, NOBID, and DC4EU) covering all EU member states plus associated countries, has produced instructive results through early 2026. Cross-border credential verification success rates have improved from 62% in mid-2025 to 84% by January 2026, indicating genuine technical progress. However, the remaining 16% failure rate stems primarily from divergent national implementations of the Architecture and Reference Framework (ARF), particularly around credential format handling and trust list synchronisation. Germany's AusweisApp-based wallet and France's France Identite wallet achieved 94% bilateral interoperability, but interoperability between Nordic implementations and Southern European wallets remains below 80%. The signal here is clear: technical interoperability is achievable but requires sustained investment in conformance testing and harmonisation beyond what current timelines allow.

Financial Services Leading Enterprise Adoption

European banks and insurers are the most aggressive enterprise adopters of wallet-based identity verification. ING, BNP Paribas, and Deutsche Bank have launched pilot programmes accepting EUDI Wallet credentials for customer onboarding, with reported 45-55% reductions in verification processing time and 70% reduction in manual document review. The European Banking Authority's 2025 guidelines on remote onboarding explicitly endorse wallet-based identity verification as meeting Strong Customer Authentication requirements under PSD2 (and forthcoming PSD3). Visa and Mastercard have integrated wallet credential acceptance into their European payment infrastructure, enabling identity-linked payment authorisation. The financial services signal suggests that wallet adoption will be demand-driven by institutions seeking compliance efficiency rather than supply-driven by government mandates alone.

Nordic Countries Setting the Pace

Sweden's BankID system, already used by 8.5 million citizens (approximately 98% of the adult population), is integrating eIDAS 2.0 compatibility while maintaining its existing high adoption rates. Estonia's e-Residency programme has expanded to include wallet-compatible credentials for its 100,000+ e-residents, creating a template for cross-border digital identity that pre-dates eIDAS 2.0. Finland's Suomi.fi wallet integration has achieved 72% citizen activation rates within six months of launch. These Nordic deployments demonstrate that high adoption is achievable when wallet functionality delivers immediate practical value (such as healthcare access, tax filing, and banking) rather than serving as abstract identity infrastructure.

Winners and Losers

Emerging Winners

Thales Group has secured EUDI Wallet technology contracts with seven EU member states, positioning itself as the dominant infrastructure provider. Their Gemalto heritage in secure element technology gives them advantages in hardware-backed wallet security that pure software providers cannot easily replicate. Revenue from digital identity services grew 34% year-over-year in 2025.

iProov has become the leading biometric verification provider for EUDI Wallet enrolment processes, with contracts spanning 12 national implementations. Their Genuine Presence Assurance technology addresses the critical challenge of ensuring that the person enrolling in a wallet is physically present and matches their identity document, a requirement that has proven difficult for competitors to meet at eIDAS "high" assurance levels.

SPRIND (German Federal Agency for Disruptive Innovation) funded the development of the OpenWallet Foundation's reference implementation, which four member states have adopted as their base wallet architecture. This open-source approach has created a viable alternative to proprietary vendor lock-in and demonstrated that government-funded R&D can shape commercial markets.

Under Pressure

Legacy KYC/AML Providers face structural disruption as wallet-based verification reduces demand for document-checking services. Companies built around optical character recognition of identity documents and database cross-referencing will see their core revenue streams erode as reusable digital credentials replace single-use document verification. Incumbents that fail to pivot toward wallet-compatible verification services face 30-50% revenue declines over three to five years.

National Identity Scheme Operators that built proprietary, non-interoperable systems before eIDAS 2.0 face expensive retrofitting. Italy's SPID system, with 38 million registered users, requires significant architectural changes to achieve full eIDAS 2.0 compliance, creating transitional costs estimated at 180-220 million euros.

Red Flags to Monitor

Privacy Erosion Through Selective Disclosure Gaps

Several national wallet implementations have launched without full selective disclosure capability, meaning users must share complete credentials rather than specific attributes. A wallet that requires sharing a full date of birth for age verification, rather than a simple "over 18" attestation, violates the data minimisation principle that justifies wallet-based identity in the first place. Executives should verify that wallet implementations they accept support attribute-level selective disclosure before integrating them into customer-facing processes.

Vendor Concentration Risk

The EUDI Wallet ecosystem shows early signs of dangerous vendor concentration. Three companies (Thales, Idemia, and IN Groupe) collectively hold wallet infrastructure contracts for 18 of 27 member states. If any of these providers experiences a security breach, service disruption, or commercial failure, the cascading impact could affect digital identity services for hundreds of millions of citizens. Diversification of the wallet supply chain, including greater adoption of open-source implementations, should be a strategic priority for national authorities and a risk factor that enterprise customers monitor.

Deepfake Threats to Biometric Enrolment

The rapid improvement in synthetic media generation (deepfakes) poses an escalating threat to biometric identity verification during wallet enrolment. Testing by the European Union Agency for Cybersecurity (ENISA) in late 2025 found that 23% of commercial liveness detection systems could be bypassed using commercially available deepfake tools, up from 8% in 2024. Wallet implementations relying solely on selfie-based verification without hardware-backed liveness detection (such as near-infrared sensors or structured light) face growing vulnerability. This threat could undermine public trust in digital identity systems if high-profile fraud cases emerge.

Governance Framework Fragmentation

Despite eIDAS 2.0's harmonisation ambitions, national trust frameworks are developing divergent rules around credential validity periods, revocation mechanisms, and liability allocation. Germany's trust framework assigns liability for credential misuse to the issuing trust service provider, while France's framework places greater responsibility on the relying party. These differences create compliance complexity for multinational enterprises that must navigate varying liability regimes across markets. Until the European Commission's implementing acts fully harmonise these frameworks, cross-border credential acceptance will remain legally uncertain.

Action Checklist

• Assess current identity verification processes against eIDAS 2.0 wallet acceptance requirements and identify gaps
• Evaluate EUDI Wallet integration options for customer onboarding, age verification, and strong authentication use cases
• Conduct vendor due diligence on wallet technology providers, prioritising those with cross-border interoperability testing results
• Review privacy impact assessments for wallet-based credential acceptance, ensuring selective disclosure capabilities are available
• Engage with national wallet pilot programmes to gain early implementation experience before mandatory deadlines
• Assess supply chain readiness for Digital Product Passport requirements that depend on organisational digital identity
• Monitor deepfake threat developments and ensure biometric verification partners maintain current countermeasures
• Establish cross-functional working groups spanning legal, compliance, technology, and customer experience to coordinate wallet integration strategy

FAQ

Q: When will EUDI Wallets become mandatory for businesses to accept? A: The eIDAS 2.0 regulation requires member states to offer wallets by September 2026, but mandatory acceptance obligations for private-sector entities phase in over 2026-2027. Very large online platforms (those designated under the Digital Services Act) face the earliest acceptance deadlines. Financial institutions will face requirements aligned with PSD3 implementation timelines. Most other businesses will encounter wallet acceptance requirements through sector-specific regulations rather than a single mandate. Executives should plan for voluntary early adoption in 2026 with mandatory compliance by 2027-2028 depending on sector.

Q: How will EUDI Wallets affect GDPR compliance? A: Wallet-based identity verification can simplify GDPR compliance by enabling data minimisation through selective disclosure. Rather than collecting and storing copies of identity documents (which creates data protection obligations), organisations can verify attributes in real time without retaining personal data. However, organisations must ensure their wallet integration supports genuine selective disclosure rather than requiring full credential presentation. The interaction between eIDAS 2.0 and GDPR is addressed in the European Data Protection Board's 2025 guidelines, which executives should review with their data protection officers.

Q: What is the cost of integrating EUDI Wallet acceptance into existing systems? A: Integration costs vary significantly based on existing infrastructure. Organisations with modern API-based identity verification can add wallet credential acceptance for 50,000-150,000 euros through SDK integration with wallet providers. Organisations with legacy identity systems requiring architectural changes face costs of 500,000-2 million euros. Ongoing costs include trust list synchronisation, credential verification API fees (typically 0.05-0.15 euros per verification), and compliance monitoring. ROI typically materialises within 12-24 months through reduced manual verification costs and lower onboarding abandonment rates.

Q: Should organisations build wallet integration in-house or use third-party services? A: For most organisations, third-party integration through established identity verification providers (such as Signicat, Onfido with iProov, or IDnow) offers the fastest path to wallet acceptance with manageable risk. In-house development is justified only for organisations with existing identity platform teams and requirements for deep customisation. The critical consideration is avoiding vendor lock-in: ensure that integration architecture supports multiple wallet providers and credential formats, as the ecosystem remains fluid and dominant providers may shift as national implementations mature.

Q: How do digital identity frameworks support sustainability reporting requirements? A: Digital identity frameworks enable verified data exchange critical for CSRD and DPP compliance. Organisational identity credentials (such as Legal Entity Identifiers linked to wallet-based attestations) allow automated verification of supply chain partners' sustainability claims. Product identity credentials support Digital Product Passport requirements by creating tamper-evident records of materials, manufacturing processes, and environmental attributes. Companies that invest in digital identity infrastructure now will have significant advantages when DPP requirements take effect in 2027, as the identity layer is foundational to the entire product data architecture.

Sources

• European Commission. (2025). European Digital Identity Framework: Architecture and Reference Framework v1.3. Brussels: EC Publications Office.
• European Banking Authority. (2025). Guidelines on Remote Customer Onboarding Using Digital Identity Wallets. Paris: EBA Publications.
• European Union Agency for Cybersecurity. (2025). Threat Landscape for Digital Identity: Deepfake and Synthetic Identity Risks. Athens: ENISA Publications.
• McKinsey & Company. (2025). Digital Identity in Europe: Economic Impact Assessment and Market Sizing. Brussels: McKinsey Global Institute.
• European Data Protection Board. (2025). Guidelines on the Interplay Between eIDAS 2.0 and the GDPR. Brussels: EDPB Secretariat.
• OpenWallet Foundation. (2025). Reference Implementation Technical Report: Interoperability Testing Results. Linux Foundation Publications.
• Thales Group. (2025). Digital Identity Services Annual Report: European Wallet Deployments. Paris: Thales Investor Relations.