EU Wallet Push Masks Surveillance State With Sovereignty Rhetoric
The EU promotes a digital identity wallet as voluntary, yet German lawmakers move to mandate it for social media access while cryptographers warn the system cannot deliver the privacy its own regulation requires.
Over 800 people filled the Charlemagne Building in Brussels on May 28 as European Commission officials promoted a digital identity wallet that will reshape how Europeans prove who they are. The system carries an official "voluntary" label, but German lawmakers are already moving to require it for social media access. Cryptographers who examined the wallet's architecture concluded it cannot deliver the privacy protections its own regulation demands. The European Commission pressed ahead anyway, planning mandatory infrastructure for banking, healthcare, and major online platforms by 2027.
Henna Virkkunen, executive vice-president for technological sovereignty, security and democracy, framed the EUDI Wallet as foundational infrastructure for the digital single market. "Europe stands at a pivotal moment – one where digital autonomy, reduced dependencies, and global leadership in internet governance must go hand in hand," she told attendees at EuroDIG 2026. Norbert Sagstetter, head of unit for digital identity and trust, confirmed all member states must offer at least one certified wallet by year-end.
The wallet stores government-issued identification data alongside optional credentials like driving licenses and professional qualifications. Regulation (EU) 2024/1183 requires every member state to launch a certified version by December 2026. By late 2027, regulated sectors including banking, healthcare, telecoms, energy, transport, and education must accept the wallet for authentication. Platforms serving 45 million or more EU users face the same requirement. The EU's Digital Decade Programme then targets 80 percent adoption by 2030, a figure that contradicts the "voluntary" designation entirely.
Sixteen leading cryptographers, including Anja Lehmann of Hasso-Plattner-Institute, Anna Lysyanskaya of Brown University, and Bart Preneel of KU Leuven, published feedback concluding that the design fails to meet eIDAS 2.0's unlinkability requirements. Their June 2024 document stated plainly: "We do not see a way to fix the proposed solution to meet all the privacy features as required by the regulation; we believe that a larger redesign is in order." The wallet reportedly includes a "phone home" feature that allows issuers to link a holder's transactions to their ID every time the wallet is scanned.
Thomas Lohninger of Epicenter.works warned at CCC 38C3 that the entire security concept rests on certification. The same member state that will issue the wallet will also certify its security. "You can see why that's wrong," he said. The cryptographers recommended BBS signatures for anonymous credentials, but these are not currently allowed under the EU's list of approved cryptographic technologies. A 2025 academic study in Computers & Security identified multiple privacy risks, including linkability, identifiability, and excessive attribute data disclosure.
Despite the official "voluntary" label, Germany's Social Democratic Party has proposed making the EUDI Wallet mandatory for social media access for all persons aged 16 and older. SPD Secretary General Tim Klüssendorf confirmed the proposal is advancing in coalition talks with the CDU. Every login, account creation, and platform signup would pass through a government-issued digital identity. Klüssendorf said the goal must include preventing workarounds "such as via a VPN tunnel" — a requirement that would force deep packet inspection or identity verification at VPN providers.
The sovereignty argument faces practical complications. Sebastiano Toffoletti of the European DIGITAL SME Alliance warned at EuroDIG that wallet deployment still depends heavily on US-controlled mobile operating systems and hyperscale cloud providers. Vittorio Bertola of Open-Xchange identified two risks: either the wallet fails to achieve adoption, or it succeeds but becomes dependent on large non-European firms capable of operating identity services at scale. Fabrizia Benini of DG CONNECT argued Europe's dependencies result from years of buying rather than building domestic technologies.
The European Decentralization Institute's May 2026 policy paper argues the EUDI Wallet, Swiyu, and the UK trust framework "all move in this direction" toward concentration. The paper warns that credential infrastructure must "not be concentrated in a small number of operators, whether public authorities or private organizations, whose governance falls short of adequate democratic accountability." The authors note that decisions taken now about who controls the credential infrastructure, how issuance is administered, what verification may request, and how governance rules can change will be difficult and expensive to undo once infrastructure has hardened and vendor relationships have locked in.
France, Austria, and Italy have launched national implementations ahead of the deadline. The Netherlands and other member states remain in development. The wallet must be free of charge to ensure broad accessibility. The EU frames the project as citizen-controlled, yet the architecture and governance model centralize control in ways that civil society groups including Reclaim The Net have warned could facilitate extensive tracking of individuals' online behaviors.
Manu Sporny, CEO of Digital Bazaar and chairman of W3C initiatives, summarized the concern: "If you have a government-issued credential and you have no choice but to put it in a government-issued digital wallet, that is a very bad outcome." As the late 2026 implementation deadline approaches, European citizens face a digital identity system combining mandatory acceptance requirements with technical flaws that cryptographers say cannot guarantee privacy. The architecture will shape how Europeans navigate the digital world for decades to come.