eIDAS2, the EUDI wallet and the GDPR (V)
Several key data protection challenges are associated with the eIDAS 2 regulation, particularly regarding the implementation of EUDI wallets. These challenges arise from reconciling functionality, privacy and security. The following post analyses how different exclusion threats could materialise in EUDI wallets.
Photo by Markus Spiske on Unsplash.
Building on previous discussions about threats to EUDI Wallets, this post addresses a crucial question: Can the EUDI Wallet ecosystem, intentionally or unintentionally, fail to adequately serve a data subject, hindering their participation in physical or digital life?
To answer this question, we need to analyse Exclusion threats within the EUDI Wallet ecosystem. Despite its citizen-centric framing, eIDAS2 and the ARF contain significant gaps that enable the materialisation of this threat. The configuration of the EUDI Wallet as a public service may have repercussions under applicable national law. However, providing the wallet is only the first step; for it to function properly, a set of rights, obligations, and guarantees for core ecosystem participants must be defined. This statute remains insufficiently developed, particularly regarding protection for those unable or unwilling to use the wallet.
Member States (MS), acting as issuing authorities for wallets and/or credentials, can inadvertently or deliberately exclude populations through implementation choices. One critical mechanism involves biometric authentication to perform operations with the EUDI Wallet or to perform remote onboarding in the ecosystem. When a MS mandates facial recognition or fingerprint authentication without offering alternative authentication methods, certain demographic groups may face systematic exclusion: facial recognition algorithms may perform poorly on women, people with darker skin tones or facial asymmetry, elderly individuals whose facial features have changed over time may struggle with liveness detection systems, people with physical disabilities may find it difficult to position themselves correctly for camera-based authentication, etc. Those unable to complete identity proofing through biometric processing can be effectively excluded from the entire ecosystem, unable to access any services requiring the EUDI Wallet.
Documentation barriers represent another exclusion mechanism. Although the regulation states that the wallet should be free, some MS may require specific physical identity documents, such as national ID cards or passports, to register. This requirement excludes undocumented migrants, homeless individuals, or those who have lost their documents. The regulation's voluntary principle becomes meaningless when the practical barriers to registration are insurmountable for certain populations. Those without traditional identification cannot access the EUDI Wallet and therefore may not be able to participate in digital life activities requiring identity verification, including accessing public services, opening bank accounts, or applying for jobs online.
Wallet providers, as technical implementers of the ecosystem, introduce exclusion through device requirements and user experience design choices. The EUDI Wallet requires secure storage mechanisms, such as a Secure Element or a hardware-backed keystore, to protect biometric data and authentication credentials. This technical requirement creates a fundamental barrier: providers may support only recent operating system versions with specific hardware capabilities, without optimising for older devices or low-cost smartphones. Planned obsolescence, increasingly common within the mobile ecosystem, may impose an undue financial burden on individuals and families.
The consequence is the systematic exclusion of low-income users with older devices, rural populations in developing EU regions with limited access to recent technology, and individuals who cannot afford to upgrade their smartphones. The gap between security requirements and accessibility may create a digital divide where economic status determines access to fundamental digital identity services.
Complex user experience design compounds this exclusion. Wallet providers designing registration flows without clear language options, assisted onboarding via phone support or in-person help, and simple interfaces for users with low digital literacy, create barriers for elderly users, migrants, people with cognitive disabilities, and those unfamiliar with smartphone technology. The registration process may require multiple steps, biometric verification, and document upload without offering alternative pathways. Users who cannot navigate these complex flows are excluded before they can even attempt to use the wallet, preventing participation in digital life from the outset.
Relying Parties (RPs), including banks, e-commerce platforms, and public service providers, can produce exclusion through design choices that implicitly discriminate against non-wallet users or those unwilling to share additional data. The regulation requires that service providers may not refuse access solely because a user does not present an EUDI Wallet. However, this prohibition on explicit refusal does not prevent implicit discrimination through user experience design or service tiering.
Deceptive opt-in design represents a significant exclusion mechanism. For example, an account-opening process might automatically share the wallet's address and employment data unless the user manually deselects these options, which may be hidden on a third screen or presented in confusing language. Users unwilling to share extra data may face longer verification processes, additional documentation requirements, or outright denial of fast-service options. This creates a system in which privacy-conscious individuals are effectively excluded from streamlined services, forcing them into slower, more cumbersome alternatives that hinder their participation in economic life, for example.
Implicit wallet preference emerges when RPs make the wallet the only option for premium services, while offering significantly degraded experiences for non-wallet users. An RP might design its user experience so that wallet-based verification takes three minutes while non-wallet verification takes three days. Although the RP does not explicitly refuse service to non-wallet users, the practical effect is that non-wallet users experience systemic service degradation. They are excluded from time-sensitive opportunities such as urgent financial transactions, rare-item purchases, rapid job applications, or emergency public service access. This creates a two-tier system where wallet access determines service quality, undermining the equality principles established by the regulation.
Financial institutions face specific challenges under eIDAS2. From December 2027, banks must accept EUDI Wallets for strong authentication in customer onboarding procedures and compliance frameworks. However, if banks require biometric authentication within the wallet without offering alternative KYC (Know Your Customer) methods, they exclude people who cannot use it due to device limitations or biometric bias. The regulation's requirement for strong authentication becomes a barrier when the only implemented strong authentication method is inaccessible to certain populations.
Exclusion can also arise from collaborative failures among the actors in the eIDAS2 ecosystem, particularly regarding support infrastructure for users with low digital competence. The regulation mandates free wallet access but does not specify support infrastructure for users struggling with registration or use. When no public help centers exist for registration assistance, no phone-based onboarding options are available, and only a smartphone app is offered without a web alternative, those with low digital literacy cannot participate in digital life. Without assisted onboarding infrastructure, the wallet becomes inaccessible to populations that public services should most actively support.
Transaction log privacy failures represent another collaborative failure. If transaction logs contain linkable or identifiable data, users concerned about privacy may avoid using the wallet for sensitive transactions, such as accessing adult content, visiting healthcare providers, or making political donations. Privacy-aware users may self-exclude from services to avoid potential linking or identification, hindering their participation in digital society. This self-exclusion represents a form of exclusion produced by the ecosystem's failure to guarantee privacy, even though the regulation theoretically requires unlinkability.
The exclusion threats described above produce multiple categories of impact on data subjects. Physical life exclusion occurs when individuals cannot access healthcare services that require identity verification, thereby preventing them from receiving medical care. Digital life exclusion manifests when people cannot open bank accounts, apply for jobs online, or access e-government services, removing them from essential digital infrastructure.
Furthermore, economic exclusion emerges through higher-cost financial products for non-wallet users, denial of instant transactions, and longer verification times that prevent participation in time-sensitive economic opportunities. Social exclusion disproportionately affects groups including migrants, disabled individuals, and elderly populations who cannot participate in digital society, creating generational and socioeconomic divides. Privacy-based self-exclusion occurs when users avoid services due to fear of linking or identification, voluntarily withdrawing from digital participation to protect their privacy.
These impacts are not isolated but interconnected. Economic exclusion reinforces social exclusion, as those unable to access financial services face greater barriers to employment and housing. Digital life exclusion prevents participation in physical life opportunities, as many jobs, services, and transactions now require digital access. In summary, the cumulative effect is a systematic hindering of participation in both physical and digital life for vulnerable populations.
Trust underpins the entire EUDI Wallet ecosystem. Yet, several factors threaten that trust: end users may feel compelled to use vulnerable mobile devices and apps that harvest excessive personal data; concerns remain about the privacy and security of online access; information requests may appear intrusive; and transparency, citizen engagement, and attention to diversity and inclusion often remain insufficient during wallets’ design and implementation. Furthermore, the perception that citizens are being coerced into adoption, potentially enabling government surveillance, further jeopardises the ecosystem's foundational trust.
Addressing these exclusion threats requires regulatory and technical amendments mandating alternative authentication methods, technical requirements ensuring support for older devices, explicit anti-discrimination provisions for non-wallet users and opt-out choosers, and mandated support infrastructure for low digital competence populations. Without such measures, the EUDI Wallet risks becoming a source of digital division rather than harmonisation. Future posts will analyse and illustrate other threats.
This post is related to some other materials published by the Innovation and Technology Division of the AEPD, such as:
- eIDAS2, the EUDI wallet and the GDPR (IV) [december 2025]
- eIDAS2, the EUDI wallet and the GDPR (III) [october 2025]
- eIDAS2, the EUDI wallet and the GDPR (II) [june 2025]
- eIDAS2, the EUDI wallet and the GDPR (I) [january 2025]