ENISA invites feedback for EU Digital Identity Wallet cybersecurity certification

The European Union Agency for Cybersecurity (ENISA) has launched a public consultation on a draft cybersecurity certification scheme for European Digital Identity (EUDI) Wallets and electronic identities.

The publication covers certification of the cybersecurity of cloud services in accordance with the EU’s Cybersecurity Act. It is designed to ensure that digital ID wallets operate securely and uniformly across EU member states.

The consultation seeks feedback on the scheme’s principles, structure and proposed elements, with responses due by April 30th, 2026. ENISA will hold a webinar on the draft document on April 8th at 3 PM CEST.

EUDI Wallets will also be the topic of the upcoming 2026 European Cybersecurity Certification Conference, scheduled for April 15th, 2026, in Cyprus.

ENISA was tasked by the European Commission to develop the certification scheme in 2024 through an Ad Hoc Working Group. In February this year, the agency signed a two-year agreement worth 1.6 million euros (US$1.8 million) to support national EUDI Wallet certification schemes in EU member states.

Last year, the organization also held the 11th Trust Services and eID Forum in Split, Croatia, which discussed the details of EUDI Wallet implementation and the challenges of cybersecurity certifications.

Digital rights group identifies 5 privacy problems in EUDI Wallet

EU countries are required to have at least one certified EUDI Wallet by the end of 2026. Not everyone, however, is satisfied with the privacy safeguards introduced in the upcoming digital IDs.

Austria-based digital rights group Epicenter.Works says it has identified five data privacy concerns in the EUDI Wallet’s technical proposals, among which the most pressing are those related to biometrics. The organization also says that many private representatives have explicitly praised the EU Commission for its efforts to weaken data protection.

The European Commission has proposed including a mandatory biometric photo in the minimum data set that every EUDI wallet must contain. This, however, could mean that every time a person uses their digital ID wallet, whether for age verification, ordering books, or signing contracts, a facial image could potentially be transmitted.

“During the trilogue negotiations on the eIDAS Regulation, a clause explicitly intended to protect users from biometric processing was expressly removed from the text. The Commission now appears poised to introduce mandatory biometrics via an implementing act – thereby completely bypassing Parliament,” says the organization, which operates under the umbrella of European Digital Rights (EDRi).

Other issues include loopholes in registration certificates that allow for excessive data requests and weakened pseudonymity rights, enabling excessive identification. The current draft also makes certificates that allow the wallet to detect impermissible data requests optional rather than mandatory.

Finally, the group says that current technical specifications allow existing passkey solutions, such as Google Passkeys or iCloud Keychain, to be used as a substitute for true EUDI wallet integration.

“This means we’re stuck with the same proprietary options as before, while the regulation gives the impression of having solved the problem,” it says.
