The European Digital Identity Wallet explained: what financial institutions need to know

07 July 2026

The European Digital Identity Wallet is widely presented in mainstream media as a practical tool for citizens: an app for storing your ID card, driving licence, or diplomas. That view is accurate on the surface, but it misses the architectural change the wallet introduces for financial institutions. The wallet is not a container of digitised documents. It is a system that produces verifiable attestations, and that single fact reshapes how organisations build identity trust into their KYC processes.

European Digital Identity Wallet banner


💡 Key takeaways

  • The European Digital Identity Wallet is not a digitised document store. It produces cryptographically signed, machine-readable attestations issued by accredited authorities.
  • Selective disclosure lets a client prove a single attribute, such as being of legal age, without revealing the underlying document, which directly reduces data-breach exposure.
  • Qualified Trust Service Providers issue and stand behind EUDIW credentials, so the initial verification risk is borne at source rather than repeated by every institution.
  • A high level of assurance means most of the initial impersonation risk is already controlled, allowing institutions to lighten redundant checks while raising real trust.
  • By December 2027, banks, payment institutions, and crypto-asset service providers must accept EUDIW credentials for identification and strong authentication.

What the European Digital Identity Wallet actually contains: attested attributes, not document copies

The European Digital Identity Wallet is a member-state-issued app that holds cryptographically signed attestations of a person's verified identity attributes, issued by accredited trust providers, which financial institutions can verify in real time rather than collecting and re-checking document copies. That is the definition worth anchoring on, because everything else follows from it.

The fundamental difference between a scanned PDF and a wallet attestation lies in the nature of the information carried. A traditional document, even an authentic one, remains a visual representation designed to be read by a human. It can be copied, falsified with generative AI tools, or reused out of context, and its validity rests on the ability of whoever checks it to spot anomalies.

A wallet attestation works differently. It is issued by a qualified authority, cryptographically signed, time-stamped, and structured as machine-readable data. It does not contain a photo of your passport, but the verified attributes that passport certifies: surname, first name, date of birth, nationality, document validity. Each attribute is digitally signed, creating a cryptographic proof that artificial intelligence, however sophisticated, cannot forge.

This architecture addresses a vulnerability the financial industry knows well: the industrialisation of document fraud. Generative AI has lowered the technical and financial barriers to forgery to the point where mass-producing visually flawless fake documents, even deepfakes that bypass biometric verification, has become trivial. In that context, verifying a document's appearance no longer guarantees anything. What makes the difference is the ability to verify a cryptographic signature issued by a trusted authority, which is exactly what the EUDIW provides.

Selective disclosure: minimising exposure to data breaches

The wallet introduces a mechanism rarely present in current KYC journeys: selective disclosure. Instead of transmitting an entire document with all the information it contains, including data not needed for the transaction, the user can choose to share only the attributes strictly required.

A concrete example: a financial institution must verify that a client is of legal age to open an account. With a traditional document, the client transmits their exact date of birth, place of birth, and often their full address. With the wallet, they can transmit only a cryptographic proof of being of legal age, without revealing their precise date of birth.

This is no minor detail. It directly addresses one of the major blind spots of traditional KYC: the over-collection of personal data. The more data an institution collects and stores, the more it exposes itself to breach risk. And in the current environment, marked by massive breaches affecting tens of millions of French citizens (Viamedis, Cegedim Santé, Free Mobile, SFR), that exposure becomes systemic.

Exfiltrated data does not disappear. It circulates, is resold, and accumulates on criminal marketplaces to form identity kits: coherent sets of real attributes, complete enough to pass a classic document check months or years after the initial incident. Selective disclosure reverses this logic. Less data collected means less exposure surface, which means less vulnerability to post-breach impersonation, and stronger alignment with GDPR data-minimisation principles.

Who issues and validates EUDIW credentials: the role of qualified trust service providers

Trust in a wallet attestation rests on the issuance chain. Credentials are not self-declared by the user. They are issued by Qualified Trust Service Providers (QTSPs), accredited and supervised at national level. These providers play a role equivalent to certification authorities in the eIDAS 2.0 regulation (Regulation (EU) 2024/1183) and its electronic-signature lineage: they certify that the attributes in the wallet have been verified according to procedures consistent with the required levels of assurance.

For a financial institution that accepts an EUDIW credential, this means the initial verification risk has already been borne by an accredited trusted authority. The institution no longer has to redo the full set of document checks. It cryptographically verifies that the attestation is valid, not revoked, issued by an accredited QTSP, and matched to the level of assurance required for the intended operation.

This redistribution of risk is fundamental. It moves the industry from a model where each player independently verifies the same documents, with duplicated effort, inconsistencies, and delays, to one where initial verification is pooled through a common trust infrastructure. This is precisely the native-compliance model: trust is built at the source, into the architecture, rather than added afterwards through redundant KYC controls.

How financial institutions interact with the wallet during onboarding

The interaction between a financial institution, the relying party, and the European Digital Identity Wallet follows a standardised pattern currently being finalised at European level. The typical onboarding flow unfolds in four steps:

  1. Attribute request. The institution specifies which attributes it requires, for example civil identity, proof of residence, and a minimum level of assurance.
  2. User authorisation. The wallet holder receives the request in their app, sees which attributes are being requested, and authorises or refuses the sharing.
  3. Cryptographic transmission. If the user accepts, the selected attributes are transmitted as signed credentials, accompanied by cryptographic proofs of their validity.
  4. Automated verification. The institution verifies the signature of the issuing QTSP, checks that the credential has not been revoked, and validates that the level of assurance matches the risk of the operation.

The EU Digital Identity Wallet onboarding flow: the institution requests attributes, the holder authorises, signed credentials are transmitted, and the institution verifies them automatically.

What fundamentally changes compared with a classic document-based journey is the input itself: the institution receives structured, machine-readable data that is verifiable in real time. There is no more manual re-keying, visual comparison, or interpretation of heterogeneous formats. The control becomes automatable without loss of reliability. On the contrary, reliability increases, because it rests on cryptographic proof rather than on necessarily fallible human judgement.

High assurance: what it means concretely for KYC

The levels of assurance defined under the regulation, low, substantial, and high, are not abstract categories. They operationally translate the degree of trust an institution can place in a verified identity, and therefore the level of additional due diligence required.

A credential at a high level of assurance certifies that the identity was verified in physical presence, with a check of an authentic document and a biometric capture including liveness detection to detect deepfakes and presentation attacks. For a bank or payment institution, accepting a high-assurance credential means that most of the initial impersonation risk is already controlled by the issuing authority.

The direct consequence: institutions can considerably lighten redundant controls. There is no need to ask again for a selfie with an ID if a biometric verification with liveness has already been carried out by an accredited QTSP. At the same time the real level of trust increases. This equation, reduced documentation combined with increased evidentiary value, is exactly what the AMLR's risk-based due diligence framework (Regulation (EU) 2024/1624) calls for: controls that are proportionate to risk, demonstrable, and effective.

The 2027 acceptance obligation: technical and organisational implications

The December 2027 deadline requires regulated-sector entities, banks, payment institutions, and crypto-asset service providers, to accept EUDIW credentials as a means of identification and strong authentication. This obligation is not optional. It applies within the framework of the Strong Customer Authentication (SCA) requirements already in force for payment services.

Concretely, institutions must adapt four things:

  • Their onboarding journeys, to integrate the wallet as an identity-verification channel alongside traditional document-based means for clients who are not yet equipped.
  • Their strong authentication systems, to accept wallet credentials during logins, changes to sensitive contact details, or high-risk operations.
  • Their back-office architectures, to process structured data from credentials rather than scanned documents requiring re-keying and manual interpretation.
  • Their risk policies, to integrate levels of assurance into their assessment grids and adjust additional due diligence according to the level of credential presented.

This transformation cannot be treated solely as an IT project. It requires rethinking how organisations conceive of identity trust: moving from a "collect, archive, verify" logic to one that receives verifiable proofs, orchestrates the signals, and maintains consistency over time.

Conclusion

The institutions that grasp the European Digital Identity Wallet will not treat it as one more document to check. They will see the architectural shift it enables: from document-based compliance to compliance built into the infrastructure. The wallet is not an additional channel bolted onto an existing process. It is the layer that finally makes proportionate, automated, and demonstrable compliance possible. With the acceptance obligation arriving in December 2027, the institutions that prepare now will convert a regulatory requirement into an operational advantage.


Frequently asked questions about the European Digital Identity Wallet

What is the European Digital Identity Wallet?

The European Digital Identity Wallet (EUDIW) is an app that each EU member state must make available, allowing citizens and businesses to store and share cryptographically signed proofs of their identity attributes. For financial institutions, it provides verified, machine-readable identity data that can be checked in real time instead of relying on scanned documents.

How is a wallet attestation different from a scanned document?

A scanned document is a visual representation that can be copied or forged, and its validity depends on a human spotting anomalies. An EUDIW attestation is cryptographically signed, time-stamped, and machine-readable, issued by an accredited authority. Its origin is provable, which is something a PDF or photo can never offer.

When must financial institutions accept the wallet?

By December 2027, regulated entities including banks, payment institutions, and crypto-asset service providers must accept wallet credentials for identification and strong authentication. The obligation sits within the existing Strong Customer Authentication requirements and is not optional.

Does accepting wallet credentials reduce KYC work?

Yes, when the credential carries a high level of assurance. Because the initial identity verification has already been performed and guaranteed by a qualified provider, institutions can remove redundant controls such as repeat selfie checks while the real level of trust increases.

Who issues and guarantees wallet credentials?

Qualified Trust Service Providers (QTSPs), accredited and supervised at national level, issue and stand behind wallet credentials. They certify that the attributes have been verified to the required level of assurance, so the verification risk is borne at source rather than repeated by every institution.

Harmoney offers a cutting-edge digital platform that streamlines intricate onboarding and compliance procedures, featuring automated screening functionalities. Interested in discovering more about our innovative solution? Reach out to us for further details or stay in touch via our newsletter ⬇️.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Latest articles