Readiness GuideEU

EUDI Wallet Readiness

A grounded readiness guide for organisations preparing to rely on European Digital Identity Wallets for authentication, person identification data, electronic attestations of attributes, pseudonyms, or qualified electronic signatures.

Use it to align legal, product, security, privacy, architecture, and onboarding work around the eIDAS wallet roles, ARF expectations, implementing acts, relying-party registration, and evidence needed for launch review.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
8

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

EUDI Wallet readiness is not just a login project. Under the amended eIDAS framework, a service provider or wallet-relying party has to understand which wallet role it plays, what attributes it intends to request, how the user will approve presentation, how relying-party authentication works, and what evidence shows that the request is limited to the registered purpose. This page focuses on practical readiness checks that are supported by the eIDAS text, the EUDI Wallet Architecture and Reference Framework, Commission wallet guidance, and the wallet implementing acts represented in the grounding sources.

Section 1

What EUDI Wallet readiness means for a service provider

Start by separating ordinary account login from a wallet-relying-party interaction. eIDAS defines a European Digital Identity Wallet as an electronic identification means that lets the user securely store, manage, validate, and present person identification data and electronic attestations of attributes to relying parties, and also sign or seal by qualified electronic signatures or seals.

For a service provider, the readiness question is whether the service will request wallet data before granting access, verifying eligibility, completing onboarding, accepting a document, applying a pseudonym, or triggering a signature flow. If yes, the integration should be treated as an EUDI Wallet relying-party capability with a registered purpose, a defined attribute set, wallet-user approval, and a verifiable technical interface.

  • Name the wallet use case: authentication, attribute presentation, document verification, pseudonymous access, qualified electronic signature, qualified electronic seal, or another supported wallet interaction.
  • Identify the actor role used in the ARF: relying party, intermediary, wallet provider, PID provider, EAA provider, QEAA provider, QES remote-creation provider, registrar, access certificate authority, or provider of registration certificates.
  • Record the exact attributes requested from the wallet and the service purpose for each attribute.
  • Keep wallet flows voluntary where the legal source requires user request or user approval, and preserve existing access routes where the service must remain available without wallet use.
Sources for this answer
Regulation (EU) No 910/2014 (eIDAS), as amended
Supports the legal definition of a European Digital Identity Wallet and the wallet functions that relying parties must design around.
EUDI Wallet Architecture and Reference Framework
Supports the readiness split between wallet ecosystem roles, including relying parties, registrars, access certificate authorities, wallet providers, PID providers, and attestation providers.
Section 2

Relying-party and service-provider registration checks

The Commission service-provider guidance says organisations that request data from EU Digital Identity Wallet users must register in the Member State where they are established. The same guidance lists practical obligations: provide registration information and contact details, specify the data requested and the purpose, request only the data specified during registration, and inform the Member State without delay when registration information changes.

The ARF explains the operational consequence: a relying party registers the attributes it intends to request from wallet units, and a wallet unit can verify whether the request is within that registered scope. If a registration certificate is available, the wallet can validate it; otherwise, the wallet can retrieve registered information from the relevant registrar's online service.

  • Create a relying-party registration inventory with establishment Member State, legal entity, contact details, service name, intended uses, requested attributes, and any intermediary relationship.
  • For each relying-party instance, record the access certificate expected to authenticate the requesting system to wallet units.
  • If using an intermediary, document which relying party the intermediary acts for, which attributes the intermediated relying party wants to request, and what evidence proves the intermediary relationship.
  • Add a change trigger for new attributes, new service purposes, new intermediaries, changed contact details, or changed registration jurisdiction.
Sources for this answer
European Commission - Wallet for service providers
Supports the service-provider registration and attribute-request obligations described for organisations that request data from wallet users.
EUDI Wallet Architecture and Reference Framework
Supports relying-party registration, registrar data, access certificates, registration certificates, and intermediary handling in the wallet ecosystem.
Section 3

ARF and implementing-act alignment

The Architecture and Reference Framework is the practical reference for wallet ecosystem roles, trust relationships, presentation flows, attestations, and certification concepts. It should be used as implementation architecture guidance, not as a substitute for the binding eIDAS text and implementing acts.

The Commission wallet implementing-regulation page identifies five implementing regulations covering integrity and core functionalities, protocols and interfaces, person identification data and electronic attestations of attributes, certification framework reference standards, and notifications to the Commission concerning the wallet ecosystem. A readiness file should map each wallet integration decision to the relevant source family rather than citing eIDAS in general.

  • Map wallet-unit, wallet-instance, wallet secure cryptographic application, and wallet secure cryptographic device assumptions to the integrity and core-functionality rules.
  • Map attribute issuance, PID handling, and electronic attestations of attributes to the person-identification-data and attestation rules.
  • Map interfaces, presentation requests, and relying-party authentication to the protocols-and-interfaces source family.
  • Map launch evidence for wallet solutions to certification and notification sources when the organisation provides or procures wallet components, not merely when it acts as a relying party.
Sources for this answer
European Commission - Implementing regulation for European Digital Identity Wallets
Supports the list of five wallet implementing-regulation topics adopted under the European Digital Identity Framework.
Commission Implementing Regulation (EU) 2024/2979
Supports wallet integrity and core-functionality checks, including wallet-unit definitions, wallet-relying-party access certificates, selective disclosure, pseudonyms, logs, and core wallet security concepts.
Commission Implementing Regulation (EU) 2024/2977
Supports readiness checks for person identification data and electronic attestations of attributes issued to European Digital Identity Wallets.
Commission Implementing Regulation (EU) 2024/2981
Supports readiness checks that depend on wallet certification reference standards, specifications, and procedures.
Section 4

Data minimization, selective disclosure, and user control

Readiness should include a privacy review of every requested attribute. eIDAS requires wallet functionality that allows selective disclosure of data, and Implementing Regulation 2024/2979 describes selective disclosure as enabling the owner of data to disclose only parts of a larger data set so the receiver obtains only what is necessary for the requested service.

The ARF treats excessive attribute requests as a specific ecosystem risk. It identifies three practical mitigations: selective disclosure and user control, mandatory relying-party registration of intended requested attributes, and embedded disclosure-policy enforcement by attestation providers. The service design should therefore show the user which data is requested, why it is requested, and whether the request matches registered relying-party scope.

  • Replace broad identity requests with purpose-specific attributes, such as age-over-threshold, entitlement status, membership status, licence category, or pseudonym where legal identity is not needed.
  • Do not store unique fixed elements from attestations longer than needed for the transaction or verification purpose, because the ARF identifies relying-party linkability as a privacy threat.
  • Where pseudonymous access is appropriate, check that the service does not require legal identity by law or service design before requesting person identification data.
  • Keep a user-facing request catalogue that matches registration scope: attribute, purpose, data-retention decision, fallback route, and owner.
Sources for this answer
Regulation (EU) No 910/2014 (eIDAS), as amended
Supports selective disclosure, user control, transaction logs, reporting suspicious requests, and pseudonym functionality in the wallet framework.
Commission Implementing Regulation (EU) 2024/2979
Supports wallet privacy controls including selective disclosure, wallet-relying-party specific pseudonyms, registration-data visibility, and limits on data requested beyond intended wallet use.
EUDI Wallet Architecture and Reference Framework
Supports the risk controls for excessive attribute requests, relying-party linkability, selective disclosure, user approval, and embedded disclosure-policy enforcement.
Section 5

Evidence to keep before launch review

A useful EUDI Wallet readiness record should prove more than technical connectivity. It should show that the organisation knows its role, has registered the intended attributes where required, can authenticate its relying-party instance, has limited data requests to the registered purpose, and has tested user approval, logs, fallback routes, and revocation or change handling.

For service-provider integrations, evidence should be reviewable by legal, privacy, security, architecture, product, and operations teams. For wallet providers or component providers, the evidence set is broader and should include certification, wallet-unit integrity, trusted-list or List of Trusted Entities dependencies, and incident or breach handling responsibilities.

Does every EUDI Wallet service-provider integration need a relying-party registration record?

A service provider that requests data from EU Digital Identity Wallet users should prepare for registration in the Member State where it is established and keep a record of the attributes it intends to request and the purpose for each request. The Commission service-provider guidance states that recognised service providers must register and must not request extra user data beyond what was specified during registration.

What is the main privacy risk in EUDI Wallet readiness for a relying party?

The main privacy risk is requesting or retaining more wallet data than the service reasonably needs. The ARF calls out excessive attribute requests and relying-party linkability, while eIDAS and the wallet implementing rules support selective disclosure, user control, pseudonyms, and transparency about registered relying-party data.

Can a relying party treat the EUDI Wallet as just another identity provider?

No. A wallet integration may involve registered requested attributes, user approval, access certificates, registration certificates or registrar lookups, selective disclosure, pseudonyms, transaction logs, and attestation validation. Readiness work should cover those wallet-specific controls rather than only a standard single sign-on checklist.

  • Role and scope record: organisation role, service purpose, Member State registration route, relying-party instances, intermediary use, and launch countries.
  • Attribute request register: each requested wallet attribute, the user-facing purpose, the registered intended use, minimization rationale, fallback route, retention choice, and deletion or erasure handling.
  • Trust and certificate evidence: access certificate plan, registration certificate handling if available, registrar lookup behavior if not available, and trust-anchor validation approach.
  • User-control evidence: screens or test logs showing the wallet request, requested attributes, approval or denial path, pseudonym handling where used, and transaction-log behavior.
  • Change and incident evidence: triggers for new attributes or purposes, changed registration data, revoked access certificates, wallet security breach notifications that affect relying parties, and privacy incident escalation.
Sources for this answer
European Commission - Wallet for service providers
Supports service-provider readiness evidence for registration information, contact details, requested data, purpose, no extra data requests, and registration-change notification.
EUDI Wallet Architecture and Reference Framework
Supports evidence needs for relying-party registration, access certificates, registration certificates, registrar verification, and wallet-unit trust interactions.
Regulation (EU) No 910/2014 (eIDAS), as amended
Supports evidence for wallet user control, transaction logs, reporting suspicious requests, relying-party authentication, wallet certification, and security-breach handling.
Recommended next step

Prepare registration, attribute requests, privacy controls, and evidence before wallet integration launch

Sorena can help convert the checks on this page into a cited readiness record for relying-party registration, requested attributes, ARF role mapping, selective disclosure, certificate evidence, and launch review.

Research workflow
Open Research Copilot for eIDAS

Ask source-linked questions about EUDI Wallet roles, relying-party registration, implementing acts, selective disclosure, and evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your wallet use case, requested attributes, registration assumptions, and launch evidence with Sorena.

Explore next step
Primary sources

References and citations

Commission Implementing Regulation (EU) 2024/2977
eur-lex.europa.eu
Referenced sections
  • Supports readiness checks for person identification data and electronic attestations of attributes issued to European Digital Identity Wallets.
"person identification data"
Commission Implementing Regulation (EU) 2024/2979
eur-lex.europa.eu
Referenced sections
  • Supports wallet privacy controls including selective disclosure, wallet-relying-party specific pseudonyms, registration-data visibility, and limits on data requested beyond intended wallet use.
"only such information as is necessary"
Commission Implementing Regulation (EU) 2024/2981
eur-lex.europa.eu
Referenced sections
  • Supports readiness checks that depend on wallet certification reference standards, specifications, and procedures.
"certification of European Digital Identity Wallets"
EUDI Wallet Architecture and Reference Framework
eu-digital-identity-wallet.github.io
Referenced sections
  • Supports evidence needs for relying-party registration, access certificates, registration certificates, registrar verification, and wallet-unit trust interactions.
"access certificate"
European Commission - Wallet for service providers
ec.europa.eu
Referenced sections
  • Supports service-provider readiness evidence for registration information, contact details, requested data, purpose, no extra data requests, and registration-change notification.
"Not request any extra user data"
Regulation (EU) No 910/2014 (eIDAS), as amended
eur-lex.europa.eu
Referenced sections
  • Supports evidence for wallet user control, transaction logs, reporting suspicious requests, relying-party authentication, wallet certification, and security-breach handling.
"access a log of all transactions"
Related guides

Explore more topics

eIDAS 2 deadlines and compliance calendar for EUDI Wallet and trust services
Calendar of grounded eIDAS and eIDAS 2 milestones for EUDI Wallet delivery, implementing acts, annual supervision reports, QTSP transitions, pilots, and ARF evidence.
eIDAS 2.0 vs eIDAS: EUDI Wallet and trust-service changes
Compare the original eIDAS electronic identification and trust-service framework with the eIDAS 2.0 amendments for EUDI Wallets, relying parties, attestations, QWACs, and supervision.
eIDAS Certificates and Authentication: qualified certificates, QWACs, and validation checks
Grounded guide to eIDAS qualified certificates, website authentication certificates, trusted lists, relying-party checks, and validation evidence.
eIDAS checklist and evidence pack for trust services, signatures, and EUDI Wallet relying parties
Build an eIDAS evidence pack for qualified trust services, electronic signatures, trusted-list checks, certificate validation, supervisory records, and EUDI Wallet relying-party controls.
eIDAS compliance guide for trust services, QTSPs, signatures, and EUDI Wallet relying parties
Grounded eIDAS compliance guide for trust-service classification, QTSP supervision evidence, qualified signatures, seals, time stamps, certificates, trusted-list validation, and EUDI Wallet relying-party records.
eIDAS electronic signatures: SES, AES, QES legal effect and evidence
A grounded guide to eIDAS electronic-signature legal effect: SES, AES, QES, qualified certificates, QTSP trusted-list checks, validation, recognition, and evidence records.
eIDAS penalties and fines for trust service providers
Grounded guide to eIDAS Article 16 penalties, administrative fine mechanics, supervisory bodies, qualified-status withdrawal, and trusted-list evidence.
eIDAS QES validation checks for relying parties
How to validate a qualified electronic signature under eIDAS: certificate, QTSP, trusted-list, QSCD, integrity, validation result, and evidence records.
eIDAS Qualified Trust Services: QTSP Selection
How to select an EU eIDAS qualified trust service provider: identify the qualified service type, verify trusted-list status, review supervision evidence, and retain certificate-policy records.
eIDAS remote signature and cloud HSM controls for QTSPs
Grounded guide to eIDAS remote signature controls: remote QSCD scope, server-side signing, QTSP evidence, signer authentication, certificate validation, and trusted-list checks.
eIDAS signature legal effect selector: SES, AES, AES-QC, or QES
Select the right eIDAS signature level by legal effect, risk, qualified certificate status, QTSP evidence, QSCD use, validation result, and cross-border recognition.
eIDAS trust service role scoping workflow: TSP, QTSP, validator, relying party, or QTSP customer
Classify an eIDAS role by evidence: trust service provider, qualified trust service provider, signature or seal validator, EUDI Wallet relying party, relying party, or customer of a QTSP.
eIDAS trusted list validation: LOTL, QTSP status, and evidence
How to validate EU eIDAS trusted-list evidence: start from the Commission LOTL, confirm QTSP and qualified-service status, check certificate path and revocation data, and retain validation reports.
eIDAS vs ESIGN and UETA: EU qualified signatures vs U.S. e-signature laws
Compare eIDAS with ESIGN and UETA for electronic signatures, qualified certificates, trust services, cross-border recognition, validation evidence, and source gaps.
eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements
Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls.
eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations
Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights.
eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations
Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers.
Electronic Attestations of Attributes under EU eIDAS: EAA, QEAA, issuers, wallets, and validation
Grounded guide to electronic attestations of attributes under amended EU eIDAS: EAA, QEAA, public-sector authentic-source attestations, wallet use, issuer checks, relying-party validation, revocation, and legal effect.
EU eIDAS Applicability Test for Trust Services, Wallets, and Certificates
A grounded eIDAS scope test for QTSPs, trust services, electronic signatures, seals, timestamps, QWACs, EUDI Wallet relying parties, and cross-border recognition evidence.
EU eIDAS attribute attestations: EAA, QEAA, wallet, and relying party checks
What electronic attestations of attributes mean under eIDAS, how QEAAs differ from public-sector and non-qualified attestations, and what issuers, wallets, and relying parties should verify.
EU eIDAS checklist for signatures, trust services, and wallets
Checklist for eIDAS trust-service and EUDI Wallet controls: qualified status, trusted lists, certificates, signatures, seals, timestamps, validation evidence, and relying-party records.
EU eIDAS FAQ: signatures, QTSPs, trusted lists, QWACs, wallets, and validation
FAQ on eIDAS trust services and the European Digital Identity framework, covering advanced and qualified electronic signatures, QTSP status, trusted lists, QWACs, EUDI Wallet relying parties, attestations of attributes, and validation evidence.
EU eIDAS QTSP authorization and supervision guide
How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence.
EU eIDAS QTSP Due Diligence Workflow for Trusted Lists, Certificates, and Evidence
Check a qualified trust service provider under eIDAS by validating trusted-list status, qualified service scope, certificates, policies, supervision, audits, and retained evidence.
EU eIDAS Requirements for Trust Services, Signatures, Seals, Wallets, and Evidence
Grounded guide to core eIDAS requirements for trust service providers, qualified trust services, electronic signatures, seals, time stamps, trusted lists, and EUDI Wallet relying parties.
EU eIDAS Trusted Lists FAQ: LOTL, QTSP status, and validation evidence
How EU eIDAS Trusted Lists and the Commission LOTL support QTSP and qualified trust-service validation, with practical evidence checks for relying parties.
EUDI Wallet Relying Parties under eIDAS
What EUDI Wallet relying parties must do under eIDAS: register, declare intended wallet use and requested data, identify themselves to users, and keep request evidence.
EUDI Wallet Relying Party Onboarding Workflow under eIDAS
A grounded onboarding workflow for organisations that want to request data from European Digital Identity Wallet users as eIDAS wallet relying parties.
EUDI Wallet Relying Party Registration Under eIDAS
What eIDAS Article 5b and the EUDI Wallet ARF say about wallet relying party registration, intended uses, attribute requests, certificates, evidence, and Member State gaps.
EUDI Wallet Technical Architecture Guide under eIDAS
Technical guide to the EUDI Wallet architecture: ARF roles, wallet units, PID and attestations, relying parties, trust model, certificates, protocols, privacy, and security controls.
QES vs AdES under EU eIDAS: legal effect, certificates, QTSPs, and validation evidence
Compare qualified electronic signatures (QES) and advanced electronic signatures (AdES) under EU eIDAS, including legal effect, qualified certificates, QTSP status, QSCDs, and validation evidence.
QWACs under eIDAS: website authentication certificates
A grounded guide to qualified website authentication certificates under eIDAS, covering Annex IV data, trusted lists, browser recognition, validation evidence, and QTSP checks.
What eIDAS Covers: eID, Trust Services, EUDI Wallet, and QWACs
A grounded guide to the systems and services covered by EU eIDAS: notified electronic identification, trust services, signatures, seals, time stamps, registered delivery, website authentication, trusted lists, the EUDI Wallet, and attribute attestations.
What is a qualified trust service provider under eIDAS?
How to verify QTSP status under eIDAS using the qualified service, supervisory body decision, trusted list entry, conformity assessment evidence, and service-specific records.
What is a QWAC under the EU eIDAS Regulation?
Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence.