
eIDAS vs GDPR identity-data obligations

Separate eIDAS duties for electronic identification, trust services, qualified certificates, and EUDI Wallet relying parties from GDPR duties for personal-data processing.

Use this comparison to scope roles, lawful basis, minimisation, relying-party evidence, security controls, breach handling, and user-rights records without treating one regime as a substitute for the other.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
Overview

eIDAS and GDPR often meet in the same identity journey, but they answer different questions. eIDAS defines the EU framework for electronic identification, EUDI Wallets, trust services, signatures, seals, certificates, attestations, validation, and relying-party recognition. GDPR applies when identity attributes, wallet logs, signatures, certificates, contact details, authentication events, or support records are personal data processed by a controller or processor. The practical result is usually two linked records: one proving the eIDAS role, service, legal effect, or wallet requirement, and one proving the GDPR purpose, lawful basis, minimisation, security, retention, and rights handling for the same data flow.

Side-by-side comparison

eIDAS vs GDPR for identity data

Use these rows to decide which regime answers each operational question in an identity, wallet, or trust-service flow.

Columns

eIDAS and EUDI Wallet rules (first framework): use this side to classify the identity means, wallet role, trust service, certificate, attestation, validation result, legal effect, and relying-party registration evidence.

GDPR identity-data rules (second framework): use this side to classify the controller or processor role, purpose, lawful basis, minimisation, transparency, rights, security, breach, retention, and accountability evidence.

Row 1: Scope boundary

eIDAS and EUDI Wallet rules: eIDAS governs electronic identification schemes, EUDI Wallets, trust service providers, qualified trust services, electronic signatures, seals, timestamps, electronic registered delivery, website-authentication certificates, electronic attestations of attributes, and related legal effects.

GDPR identity-data rules: GDPR governs processing of personal data, including identity attributes, identifiers, authentication events, wallet connection logs, certificate-holder data, support records, and security records when they relate to an identified or identifiable natural person.

Operational implication: Start every project with two scope labels, the eIDAS role or artifact and the GDPR processing activity. One does not automatically answer the other.

Row 2: Covered actors

eIDAS and EUDI Wallet rules: Key eIDAS actors include Member States, wallet providers, relying parties, trust service providers, qualified trust service providers, issuers of electronic attestations, supervisory bodies, and conformity assessment bodies.

GDPR identity-data rules: Key GDPR actors are controllers, processors, joint controllers, data protection officers where required, representatives where required, recipients, and supervisory authorities.

Operational implication: A relying party can also be a GDPR controller for its attribute request and retention. A trust-service provider can also be a controller or processor for certificate and validation data.

Row 3: Trigger

eIDAS and EUDI Wallet rules: eIDAS supplies identity and trust-service legal effects, such as recognition of notified eID schemes, qualified signature and seal effects, certificate validity checks, and wallet relying-party requirements.

GDPR identity-data rules: GDPR still requires a lawful basis for each personal-data processing purpose, such as consent, contract, legal obligation, public task, vital interests, or legitimate interests where available and not overridden.

Operational implication: Do not cite eIDAS status as the whole privacy justification. Keep a GDPR lawful-basis entry for each identity-data collection, validation, storage, sharing, monitoring, and deletion purpose.

Row 4: Core obligations

eIDAS and EUDI Wallet rules: EUDI Wallet relying parties must register their intended wallet use and indicate the data to be requested; they should not request data beyond that registered indication. Wallet design also supports selective disclosure.

GDPR identity-data rules: GDPR requires personal data to be adequate, relevant, limited to what is necessary, and protected by design and by default so only necessary personal data is processed for each purpose.

Operational implication: Build the attribute-request review around the stricter practical result: ask only for registered, purpose-linked, necessary attributes, and prefer selective disclosure or a derived proof where it satisfies the use case.

Row 5: Evidence record

eIDAS and EUDI Wallet rules: eIDAS evidence includes relying-party registration, intended wallet use, requested data, authentication and identification of the relying party, validation of person identification data or attestations, trusted-list checks, and certificate validity or revocation status.

GDPR identity-data rules: GDPR evidence includes records of processing activities, notices, lawful-basis records, processor terms, retention rules, rights logs, DPIAs where high-risk processing requires one, and security control records.

Operational implication: Keep validation proof and personal-data proof linked but distinct. A successful wallet or certificate validation does not prove the retained data was necessary, transparent, or stored for an appropriate period.

Row 6: Security, breach handling, and notification timing

eIDAS and EUDI Wallet rules: eIDAS focuses on the reliability and security of identity means, wallets, trust services, certificates, validation services, and supervised qualified services; wallet breaches can trigger suspension, withdrawal, user and relying-party notifications, and supervisory handling.

GDPR identity-data rules: GDPR focuses on the risk to natural persons from personal-data processing, including appropriate security measures and supervisory-authority notification where a personal-data breach is likely to create risk.

Operational implication: For an identity incident, run both analyses: whether wallet or trust-service reliability is affected, and whether personal data was breached under GDPR.

Row 7: Enforcement

eIDAS and EUDI Wallet rules: eIDAS issues go through eIDAS supervisory bodies, wallet supervisory and certification routes, trusted-list and qualified-status mechanisms, and national implementation structures.

GDPR identity-data rules: GDPR issues go through data-protection supervisory authorities, corrective powers, administrative fines, complaints, compensation, and court remedies.

Operational implication: Route escalation by the failure type. Misleading wallet relying-party registration and unlawful personal-data collection may need both eIDAS and GDPR escalation paths.

Row 8: Overlap and reuse

eIDAS and EUDI Wallet rules: EUDI Wallet rules include user-facing controls such as selecting, deleting, sharing, presenting, viewing relying-party connections and exchanged data, requesting erasure by a relying party, reporting suspicious data requests, and using data portability features.

GDPR identity-data rules: GDPR provides the broader rights framework for personal data, including transparency, access, rectification, erasure, restriction, portability, objection, complaint, and judicial remedy routes where applicable.

Operational implication: Design user journeys so wallet controls and GDPR rights requests are routed coherently. A wallet dashboard action may need a GDPR fulfilment workflow behind it.

Row 9: Practical decision rule

eIDAS and EUDI Wallet rules: Accept eIDAS evidence for what it proves: identity assurance, trust-service status, wallet role, relying-party registration, certificate validity, signature or seal validation, attestation status, or legal effect.

GDPR identity-data rules: Accept GDPR evidence for what it proves: purpose, lawful basis, transparency, minimisation, controller or processor accountability, security, retention, rights handling, breach handling, and transfer safeguards where relevant.

Operational implication: A compliant identity journey needs both columns when personal data is involved: eIDAS proof that the identity or trust artifact is valid, and GDPR proof that the processing around it is lawful and limited.

Practical decision rule

How to use this comparison

  • Name the eIDAS artifact or role before naming privacy controls: wallet provider, relying party, trust service provider, qualified certificate, attestation, signature, seal, validation service, or trusted-list check.
  • For each personal-data field, record the GDPR purpose, lawful basis, controller or processor role, retention rule, security measure, and rights route.
  • Reject attribute requests that are not registered for the relying-party use case or not necessary for the GDPR purpose.
  • Escalate incidents through both tracks when they affect trust-service or wallet reliability and personal-data confidentiality, integrity, availability, or rights.
Section 1

The core distinction

Use eIDAS first to classify the identity or trust-service function: notified electronic identification scheme, EUDI Wallet, relying party, qualified trust service provider, qualified certificate, electronic signature, seal, timestamp, registered delivery, website authentication certificate, or electronic attestation of attributes.

Use GDPR next to classify the processing of personal data inside that function. The eIDAS text itself says the regulation is without prejudice to GDPR, so a valid eIDAS identity or trust-service flow still needs GDPR records when personal data is collected, stored, validated, shared, logged, or retained.

  • eIDAS evidence shows why the identity or trust-service artifact can be relied on.
  • GDPR evidence shows why each personal-data processing step is lawful, limited, secure, transparent, and reviewable.
  • Do not use a qualified certificate, wallet registration, or trusted-list entry as a blanket lawful basis under GDPR.
Section 2

Identity-data decisions to make before launch

For an EUDI Wallet or trust-service integration, the first product decision is not a generic privacy label. It is whether the product is acting as a wallet provider, relying party, trust service provider, certificate validator, issuer of attestations, processor, controller, or joint controller for each step.

The second decision is the exact data request. Under eIDAS wallet rules, relying parties register intended wallet uses and the data they request; under GDPR, controllers must keep personal data adequate, relevant, limited to the purpose, and protected by design and default. Those tests should be reviewed together before adding an attribute request, account-linking field, retention rule, or analytics event.

  • Record the relying-party purpose and requested attributes before requesting wallet data.
  • Map each identity attribute to a GDPR purpose and lawful basis; do not bundle unrelated purposes into the same request.
  • Keep separate records for certificate validity checks, signature validation, wallet-presented attributes, support logs, and fraud/security monitoring.
  • Test whether pseudonyms, selective disclosure, or proof of a fact can satisfy the use case without collecting the full attribute set.
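
As an added example (not code from the page or from any eIDAS or EUDI Wallet project), the Python gate below applies the two tests from Row 4 and the pre-launch decisions in this section to one wallet attribute request: the eIDAS test (is each attribute within the relying party's registered intended use?) and the GDPR test (does each attribute have a recorded purpose and lawful basis?), preferring a derived proof where the use case only needs a fact. It also writes the two linked but separately labelled evidence records that Section 3 calls for. The relying party, attribute names, purpose entries and the derived-proof mapping are constructed assumptions, not values from any registration scheme.

```python
"""Attribute-request gate for an EUDI Wallet relying party.

Added example, not code from the page or from any eIDAS/EUDI project. It runs
the two tests the page describes side by side: the eIDAS test (every attribute
within the registered intended use) and the GDPR test (every attribute tied to
a recorded purpose and lawful basis, with a derived proof preferred where the
use case only needs a fact). All names and data below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class RegisteredUse:
    """What the relying party registered: its intended wallet use and requestable data."""
    relying_party: str
    intended_use: str
    registered_attributes: FrozenSet[str]


@dataclass(frozen=True)
class PurposeEntry:
    """GDPR record for one attribute: processing purpose and lawful basis."""
    purpose: str
    lawful_basis: str


@dataclass
class Decision:
    accepted: bool
    approved: List[str] = field(default_factory=list)
    substitutions: Dict[str, str] = field(default_factory=dict)  # raw attribute -> derived proof
    rejected: Dict[str, str] = field(default_factory=dict)       # attribute -> reason


# Constructed mapping of raw attributes to derived proofs that disclose only the needed fact.
DERIVED_PROOFS = {"birth_date": "age_over_18"}


def review_request(requested: Iterable[str], registration: RegisteredUse,
                   purpose_map: Dict[str, PurposeEntry],
                   fact_only: FrozenSet[str] = frozenset()) -> Decision:
    """Accept a request only when every attribute passes both the eIDAS and the GDPR test."""
    decision = Decision(accepted=True)
    for attr in requested:
        # eIDAS side: the attribute must fall within the registered indication.
        if attr not in registration.registered_attributes:
            decision.rejected[attr] = "not covered by registered intended use"
            continue
        # GDPR side: the attribute needs a recorded purpose and lawful basis.
        if attr not in purpose_map:
            decision.rejected[attr] = "no GDPR purpose or lawful basis recorded"
            continue
        # Minimisation: request the derived proof instead of the raw attribute where that suffices.
        if attr in fact_only and attr in DERIVED_PROOFS:
            decision.substitutions[attr] = DERIVED_PROOFS[attr]
            continue
        decision.approved.append(attr)
    decision.accepted = not decision.rejected
    return decision


def evidence_records(decision: Decision, registration: RegisteredUse,
                     purpose_map: Dict[str, PurposeEntry]) -> Dict[str, dict]:
    """Build two linked but separately labelled records: eIDAS registration proof and GDPR purpose proof."""
    presented = decision.approved + list(decision.substitutions.values())
    gdpr = {a: {"purpose": purpose_map[a].purpose, "lawful_basis": purpose_map[a].lawful_basis}
            for a in decision.approved}
    for raw, proof in decision.substitutions.items():
        gdpr[proof] = {"purpose": purpose_map[raw].purpose,
                       "lawful_basis": purpose_map[raw].lawful_basis,
                       "derived_from": raw}
    return {
        "eidas": {"relying_party": registration.relying_party,
                  "intended_use": registration.intended_use,
                  "registered_attributes": sorted(registration.registered_attributes),
                  "requested_after_review": sorted(presented)},
        "gdpr": gdpr,
    }


# Constructed sample: a scooter-rental relying party that only needs to know the user is an adult.
REGISTRATION = RegisteredUse(
    relying_party="ExampleRentals (constructed)",
    intended_use="age-verified scooter rental",
    registered_attributes=frozenset({"given_name", "family_name", "birth_date"}),
)
PURPOSES = {
    "given_name": PurposeEntry("rental contract", "contract"),
    "family_name": PurposeEntry("rental contract", "contract"),
    "birth_date": PurposeEntry("age eligibility check", "legal obligation"),
}

if __name__ == "__main__":
    decision = review_request(["given_name", "family_name", "birth_date", "address"],
                              REGISTRATION, PURPOSES, fact_only=frozenset({"birth_date"}))
    print(decision)  # address is rejected: it is not part of the registered indication
    if decision.accepted:
        print(evidence_records(decision, REGISTRATION, PURPOSES))
```

The gate rejects the whole request if any attribute fails either test, which matches the page's rule that an unregistered or purposeless attribute is not to be requested at all rather than silently dropped. The GDPR record is keyed by what is actually presented (the derived proof rather than the raw attribute it replaces), so the retained-data record never lists data the wallet was not asked for.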
Section 3

Evidence that should not be merged

A single audit folder can hold both regimes, but the proof points should remain labelled. eIDAS evidence is about identity assurance, wallet registration, trusted-list status, certificate status, qualified service status, validation outputs, conformity assessment, and trust-service supervision. GDPR evidence is about processing purpose, lawful basis, controller or processor role, notices, records of processing activities, rights handling, security measures, breach assessment, and retention.

This separation matters when a relying party keeps wallet transaction data. The eIDAS-side record may show that the relying party registered the intended wallet use and identified itself to the user. The GDPR-side record must still explain why the stored attributes or logs are needed, who controls them, how long they are retained, who receives them, and how rights requests are handled.

  • Label each evidence item with the legal question it answers: eIDAS status, wallet role, trust-service validity, GDPR lawful basis, GDPR rights, or GDPR security.
  • Store certificate and attestation validation results separately from raw identity attributes where possible.
  • Keep a change log for new wallet attributes, relying-party registrations, processor terms, retention rules, and security controls.
  • Use data-protection review when eIDAS evidence contains personal data or creates persistent linkability risk.
Section 4

Security and rights overlap

Security duties overlap but are not identical. eIDAS focuses on the reliability of electronic identification means, EUDI Wallets, trust services, certificates, validation, and supervised qualified services. GDPR focuses on the risks to people from personal-data processing and requires appropriate technical and organisational measures for controllers and processors.

Rights handling also overlaps. The EUDI Wallet framework includes user-facing wallet capabilities such as viewing relying-party connections and requesting erasure from relying parties. GDPR supplies the broader rights framework, including access, rectification, erasure, restriction, portability, objection, and complaint routes where the processing falls within GDPR.

  • Treat a wallet or trust-service security incident as both a service-reliability question and a personal-data breach question when personal data is affected.
  • Give users a route to understand what identity data was requested, by whom, for what purpose, and how to exercise GDPR rights.
  • Use the EUDI Wallet ARF privacy guidance to test attribute minimisation, relying-party linkability, and whether fixed identifiers can be discarded after validation.
  • Escalate separately to the eIDAS supervisory path and the data-protection authority path when both regimes are implicated.
Primary sources

References and citations

  • eur-lex.europa.eu, "the purposes of the processing": supports the parallel GDPR record for personal-data processing.
  • eur-lex.europa.eu, "trust service providers established in the Union": supports treating eIDAS evidence as proof of identity and trust-service status or legal effect.