Who Governs the EUDI Ecosystem?
- Matt Aberdein

- Nov 19
Summary: Europe is assembling a decentralised trust framework from established standards and new legal obligations. This article shows who makes that trust possible, how it works, and why the EUDI project deserves a closer look.
When people first hear about the European Digital Identity (EUDI) wallet, they usually fall into one of three camps.
For some, it sounds beautifully simple: you open a mobile wallet, scan a QR code, and share your ID for all kinds of use cases. Done.
For others, it’s immediately overwhelming — a maze of regulation, standards, cryptographic protocols, and acronyms that seem designed to obscure rather than clarify.
And then there are the sceptics, the ones who aren’t dazzled or confused but simply wary. They worry that a pan-European identity system is just a more elegant way to centralise data, expand state visibility, or create new forms of dependency. Their question isn’t “how does it work?” but “why should I trust it at all?”
All three reactions are true. The establishment of this ecosystem forces Europe to confront some of the hardest questions it’s asking itself right now: how do you legislate decentralised trust? How do you turn open standards into binding law? How do you preserve privacy while ensuring technological sovereignty?
The Architecture Behind the Wallet
The European Commission’s Architecture and Reference Framework (ARF) sets out which protocols, data models, and standards the EUDI wallets and the ecosystem must use to ensure interoperability across Europe. But the ARF didn’t invent these standards — it references them.
The underlying protocols, such as OpenID4VCI, OpenID4VP, SD-JWT, W3C Verifiable Credentials, and ISO/IEC 23220, have been developed over years by global standards bodies (IETF, W3C, ISO) and the wider digital identity community. The ARF simply defines how those building blocks fit together in a European context. It’s a real puzzle of best practices.
It acts as a blueprint, not directly as a law. Its requirements are descriptive and technical — explaining how a compliant wallet should behave — but they hold no legal force on their own. It is eIDAS 2.0 and the implementing acts under Article 6a(11) of the revised eIDAS Regulation that make them binding.
Those implementing acts contain the mandatory technical and operational specifications for certification. They define what conformity assessment bodies (CABs) must test against and which cybersecurity standards (under the EU Cybersecurity Act) wallets must meet. In short:
- The ARF defines the architecture — the recommended stack of protocols and trust flows.
- The implementing acts define the obligations — the enforceable rules for certification and market entry.
A Federation of Trust
The regulation and its implementing acts apply uniformly across all Member States. They set common technical, operational, and security requirements that everyone must follow. But within that shared legal frame, and even though the regulation is binding for all EU Member States, each Member State decides how to implement it—who can provide wallets, how certification is organised, and which public or private infrastructures connect to the network.
Some governments will only allow a state-run wallet: straightforward, predictable, tightly controlled.
Others will open the market to private providers—banks, telcos, fintechs—competing under the same interoperability and assurance rules, in addition to the state-run wallets.
Centralisation is fast and tidy on paper, but brittle in practice. Decentralisation, on the other hand, is slower and often messy, but more resilient — it leaves space for adaptation, and that’s where good design tends to emerge.
The chain of trust has to hold together, though. A break anywhere—an inconsistent standard, a failed certification, a non-compliant wallet—can compromise trust (or at least interoperability) across the entire system.
That’s the hard part: not building one good wallet, but ensuring that 27 countries’ worth of wallets all work together without anyone having to think about it.
Why This Matters
What’s striking about Europe’s approach is that it’s taking ideas born in open-source and further developed in Web3 communities—decentralised identifiers, selective disclosure, verifiable credentials—and grounding them in law.
It isn’t pure decentralisation. But it’s a deliberate shift away from identity systems owned entirely by governments or platforms. Trust moves more towards the nodes, the different players, and the various trust lists that are being established.
Citizens gain more agency over what they share, with whom, and when. Not total autonomy—issuers and verifiers still exist, and regulation still defines the boundaries—but a more balanced relationship of trust than today’s login-by-consent models.
There are different types of credentials or attestations that can be held in the wallet. We have what we might call foundational identity credentials: passports, driving licences, health insurance entitlements—things already issued by the state or private organisations, now made digital and portable across borders.
It may well be that the other attestations are where it becomes more interesting. These will include functional attestations—education certificates, employment, professional status, and more.
When wallets start to hold payment instruments, credit data, or proof of solvency credentials alongside identity attributes, the line between identification and transaction begins to blur.
That’s where the real design challenge emerges:
- How do identity and payments protocols interoperate without collapsing privacy?
- How does an agent—human or AI—negotiate trust and value in real time across borders?
- And who decides what counts as “verified” enough to participate?
Those questions will define the next phase of Europe’s digital economy, and likely the world.
What Happens Next
The most exciting and hopeful part is that Europe is attempting to codify trust. To turn abstract values—transparency, accountability, privacy—into shared technical rules that actually work.
It's idealistic. Maybe a bit utopian. But it's also one of the few country-spanning projects taking decentralisation seriously.
Whether it works depends on collaboration between the regulators who write the rules; the companies turning those rules into real products—wallets, trust services, secure infrastructure; and the protocol communities whose standards underpin the whole system but remain invisible to most citizens.
As you can see, EUDI is certainly not only a wallet. It's a slow, collective attempt to build digital infrastructure that lasts longer than the political cycles that create it.
That's worth paying attention to.
The Role of etonec
etonec helps organizations navigate this evolving landscape—turning regulatory complexity into workable strategy.
What we do:
- Assessment – Understanding how EUDI and eIDAS 2.0 impact your operations and compliance roadmap
- Design – Crafting solutions that align regulation, technology, and user experience
- Integration – Connecting your systems with trusted wallet providers
We think digital trust is a public good. We're here to help build it. Reach out if you want to talk.




