European Digital Identity: The Arrival of the EDI Wallet

SUPERVISORY REPORT MARCH 2025 European Digital Identity: The Arrival of the EDI Wallet

In Brief Financial services are digitalizing at a rapid pace. By the end of 2026, all EU Member States must provide their citizens with a digital identity and an associated wallet in accordance with the eIDAS 2.0 regulation. This European Digital Identity wallet can be used as an online identification tool, for information exchange, and for digitally signing documents. Naturally, a digital identity presents both opportunities and risks for citizens and businesses. In preparation for the arrival of the identity wallet and its associated trust services (eIDAS 2.0), this report provides insight into this development and its potential impact on the financial sector.

SUPERVISORY REPORT Table of Contents

1. European Digital Identity from 2026 – Summary 3
2. Introduction and Guide 5
3. The Regulatory Framework eIDAS 2.0 and the Arrival of the EDI Wallet 7 3.1 European Regulation for a Digital Identity (eIDAS) 7 3.2 eIDAS 2.0 7 3.3 EDI Reference Architecture 8
4. The EDI Wallet and Its Functions 9
5. Development of Use Cases – Large Scale Pilots 11
6. Impact of EDI Wallet 12 6.1 Impact on (Financial) Services 12 6.2 Impact on Supervision 13
7. Annex I - The EDI Wallet Ecosystem 15 7.1 Wallet Provider 16 7.2 User - PID (Personal Identification Data) 17 7.3 Attribute Provider 17 7.4 Relying Party 18 7.5 Validity Information 19 7.6 The Reliability of a Wallet 19

European Digital Identity: The Arrival of the EDI Wallet 3 SUPERVISORY REPORT

1. European Digital Identity from 2026 – Summary From the end of 2026, all EU Member States must offer a free and certified European Digital Identity (EDI) wallet to their citizens and residents. This wallet contains the digital identity needed to identify yourself online for both public and private services within the EU. This digital identity is available via a wallet app on your mobile phone and is also equivalent to an identity document in the physical world. Furthermore, the user must be able to request and share (personal) data with various parties via the wallet. Finally, the wallet will offer the ability to provide documents with an electronic signature.

We expect that the EDI wallet can have a significant impact on the acquisition of financial services and products. We illustrate this using an example of the customer process for applying for a loan at a bank.

Figure 1 shows a representation of a traditional customer process, i.e., without the EDI wallet, where the consumer makes a physical appointment at a bank branch for identification and authentication with a valid identity document (step 1). After onboarding, the customer must collect the required documents and send them via post or email (step 2). Finally, the consumer makes another physical appointment to sign the agreement (step 3).

Figure 1 also shows that the use of the EDI wallet makes it possible to perform identification and authentication as a customer via an online portal. Subsequently, the wallet also offers the possibility to collect the required (personal) data from public or private services (e.g., mijnoverheid.nl) (step 1). In addition, users can fully digitally select and share the requested data via the wallet. The EDI wallet thus makes it possible to share verified source data with service providers (step 2). Ultimately, the user can also digitally sign the resulting agreement with an electronic signature using the EDI wallet (step 3).

Figure 1: Example application for a bank loan

The arrival of the EDI wallet has an impact on important themes for AFM supervision. Therefore, in this exploration, we address the opportunities and risks of the arrival of the EDI wallet:

• Digitalization: The EDI wallet makes it possible to further digitalize financial services with a high level of reliability. Examples include onboarding customers and providing the required customer data for acquiring a service. Sharing verified source data can also lead to further digitalization of file formation for fulfilling the gatekeeper role. The wallet also offers convenience to consumers by collecting financial data in one place. This provides consumers with more insight into their financial situation and may reduce the risk of over-indebtedness. Despite the fact that the wallet can lead to more efficient digital processes, this could also lead to a form of forced use for financial services. Furthermore, consumers may find the use of the wallet complex. Moreover, the wallet potentially makes consumers vulnerable to new forms of identity fraud and misuse.

• Embedded finance: The EDI wallet makes it easier for the holder to share data with various parties. It also stimulates innovation through the integration of (financial) services. Furthermore, the EDI wallet reduces some (physical) barriers to acquiring financial products, making digital service provision as frictionless as possible. However, this increases the risk of unsafe behavior if users do not sufficiently consider the long-term consequences of entering into financial services. With the integration of data and services on the wallet, there is also an increased risk that service providers may request additional personal data to gain insight into their customers' (historical) behavior.

• Internationalization: The EDI wallet can essentially be used throughout the entire EU, thereby removing barriers for cross-border financial services. By using verified data, the EDI wallet can lead to better customer files for fraud supervision or AML/CFT supervision. The wallet can also lower barriers to acquiring foreign financial products, for which supervision from the Netherlands may be less effective.

European Digital Identity: The Arrival of the EDI Wallet 4 SUPERVISORY REPORT

European Digital Identity: The Arrival of the EDI Wallet 5 SUPERVISORY REPORT 2. Introduction and Guide The digitalization of the financial sector and the offering of products and services via online platforms are steadily progressing. To date, the onboarding process for new customers has often lagged behind, namely the online identification and authentication of a potential customer. This step is often still performed based on sharing a (copy of an) identity document or via derived identity verification, such as transferring 1 cent to a bank account. There are also online identification processes that use video identification. For this, users must take a photo of their identity document and scan their face with a selfie video. Subsequently, the facial features are (automatically) checked against the features of the photo on the identity document.

To improve these digital identification processes, the European Union, after an evaluation of the current eIDAS regulation (Electronic Identities And Trust Services, from which login tool DigiD originated), renewed this legislation. Part of this is the initiative to develop a 'European Digital Identity Wallet' (EDI wallet).

The European Commission defines the 'European Digital Identity Wallet' as follows in the regulation: 'a product and service that enables the holder to store identity data, login credentials, and attributes linked to their identity. A holder can provide these to trusted parties upon request and use them for identification, authentication, and authorization in online and offline situations. It is also possible to apply qualified electronic signatures.'

In short, the EDI wallet is therefore a mobile app in which the user can store digital personal data and other digital proofs about themselves to use at a later time.

The phenomenon of a digital wallet is not new. We know this phenomenon via crypto or payment wallets, such as Google Pay or Apple Pay. There are also already several digital ID wallets on the market to collect and share (personal) data, such as Ockto, Datakeeper, Digidentity, and Yivi. These ID wallets from third-party providers, often also called data-sharing apps, are becoming increasingly important for digitally sharing data with, for example, a government organization or a mortgage provider. These wallets do not have the status of an identity document and are often only usable "locally," i.e., only in a specific country or at a specific organization. It is worth noting that the Dutch Data Protection Authority (AP) has recently spoken critically about these data-sharing apps from third-party providers. They express concerns about the consequences of using these apps for the protection of personal data of the citizens using them. In this report, we do not go further into these data-sharing apps.

From the end of 2026, all EU Member States must offer a free and certified European Digital Identity (EDI) wallet to their citizens and residents. This wallet is more than just an identification tool and forms the basis for an electronic wallet with which the user: • Can collect and share verified personal data; • Can issue attestations of personal characteristics without sharing the underlying (personal) data; • Can apply electronic signatures, with which users can potentially also authorize transactions.

These functionalities are currently being worked out and tested in ongoing 'Large Scale Pilots'.

This exploration focuses on developments surrounding the EDI wallet and its impact on the supervision of financial services. The EDI wallet is high on the agenda of the European Commission (EC), and development has thus accelerated. Recently, the EC also launched an extensive website to further promote the EDI wallet.

On May 21, 2021, the draft version of the European e-ID Regulation was published as an amendment to the existing eIDAS (Electronic Identities And Trust Services) regime. Below is the current timeline for the EDI wallet with key milestones:

Figure 2: Timeline EDI Wallet

The Digital Identity regulation is an amendment to eIDAS and has been in force since May 20, 2024. It states that EU Member States must certify at least one EDI wallet and make it available free of charge to their citizens from the end of 2026. The user can thus potentially choose from various wallets provided they meet the eIDAS architecture requirements and are certified by the national competent authority, most likely the National Inspectorate for Digital Infrastructure (RDI) in the Netherlands.

The potential impact of the EDI wallet on the financial sector is large and can give digital service provision a huge boost. The wallet aims to offer a high level of reliability for access to their digital services. Furthermore, it offers the possibility for data sharing between financial service providers by the user, as prescribed by, for example, the European FIDA regulation. This digitalization step also brings risks and therefore simultaneously influences the supervision of financial institutions. This exploration therefore aims to provide insight into the functionalities of the EDI wallet, the potential impact on digital service provision, and the intersections with behavioral supervision of financial institutions.

Regarding the potential impact for AFM supervision, this exploration is intended as a first initiative. Furthermore, eIDAS 2.0 envisions the arrival of a business wallet and a number of new trust services. Although these may also have an impact on the financial sector, we leave these out of consideration in this report.

Guide This is a concise exploration by the AFM regarding the changes that a European ID wallet can bring about. This includes an explanation of the regulatory framework of the EDI wallet (Chapter 3), the functions of the wallet (Chapter 4), the development of use cases to test functionalities (Chapter 5), and the impact of the wallet on financial services and supervision (Chapter 6).

The AFM places digitalization as a central theme in its strategy. From that perspective, the AFM regularly conducts explorations into the meaning of digitalization for financial institutions and for AFM supervision. A recent example of this is the exploration into "Opportunities and risks of digitalization of the insurance market over the next 10 years." In this context, this exploration should also be seen as a first inventory of a digitalization trend that potentially has large consequences for the service provision of financial institutions and thus for the supervision of the AFM.

This exploration was created with the help of conversations with colleague supervisors, government parties, and commercial organizations.

European Digital Identity: The Arrival of the EDI Wallet 6 SUPERVISORY REPORT

European Digital Identity: The Arrival of the EDI Wallet 7 SUPERVISORY REPORT 3. The Regulatory Framework eIDAS 2.0 and the Arrival of the EDI Wallet In this chapter, we discuss the European regulation that lays the foundation for the creation of the EDI wallet. Subsequently, we describe the role of the architecture and reference framework of the EDI wallet.

3.1 European Regulation for a Digital Identity (eIDAS) The eIDAS regulation entered into force in 2014 and provides a framework for the European use of digital identification tools for digital services. This regulation provides a basis for reliable service provision through agreements on concepts, reliability levels, and the use of mutual digital infrastructure. In the Netherlands, citizens are primarily familiar with this via login tools DigiD for citizens and eHerkenning for businesses.

The eIDAS 2014 regulation did not bring about what was expected. Implementation by Member States left much to be desired, and too few Member States had their developed electronic login tool connect to the eIDAS infrastructure. Also, too few service providers were connected to the eIDAS infrastructure, resulting in insufficient private services being connected. This was evaluated, and in 2021, a proposal was made for the revision of eIDAS.

3.2 eIDAS 2.0 Following the evaluation of eIDAS, a proposal was made for the further definition of a framework for a European digital identity. This eIDAS 2.0 regulation also includes the ambition to make an associated identity wallet available. The regulation also allows commercial parties to develop wallets based on the reference architecture.

The goal of the European Commission (EC) is that each Member State makes a free and certified wallet available to its citizens and residents. The condition is that this certified wallet meets the architecture and reference framework in which technical and functional specifications are included. Furthermore, the wallet must be certified by a national supervisor. In the Netherlands, this certification will most likely be issued by the National Inspectorate for Digital Infrastructure (RDI), as they are already supervisors of electronic trust services. After certification of a wallet by the designated supervisor of a Member State, wallet holders from other Member States can also use this wallet in the future.

The Ministry of the Interior is currently building a reference wallet called the NL-Wallet. The source code of the NL-Wallet is available in their GitHub repository. It is expected that the NL-Wallet will be the first certified EDI wallet that Dutch citizens and residents can use. Later, a system of open admission will come into effect, allowing wallets from commercial parties to enter the market if they are certified. Ultimately, the EC aims for 70% of citizens to use the EDI Wallet on a daily basis by 2030. This means that the EDI Wallet could make DigiD and eHerkenning redundant as login tools for public services in the future. This does not mean that DigiD and eHerkenning will disappear from the market, but that their role as login tools may be taken over by the EDI wallet.

European Digital Identity: The Arrival of the EDI Wallet 8 SUPERVISORY REPORT

3.3 EDI Reference Architecture On June 3, 2021, the European Commission adopted a recommendation urging Member States to jointly create a reference architecture for the construction of EDI wallets. The Architecture and Reference Framework (ARF) is a set of (technical) standards, common guidelines, and best practices for the EDI wallet. The ARF developed by Member States was further developed by the eIDAS expert group and presented in January 2023, the so-called European Digital Identity Wallet Architecture and Reference Framework (EU ARF). With the acceptance of eIDAS 2.0, a requirement arose for European Member States to further develop the ARF. The ARF is incorporated into the eIDAS regulation via so-called implementing acts.

The current publication of the ARF for the EDI wallet is not the final version. Improvements to the ARF are subsequently implemented through a process of Large Scale Pilots (LSPs). Experiences with the use of the EDI wallet, built according to the then applicable ARF, can lead to improvements and additions to this ARF. Through this process of additions and improvements, the EU will arrive at a final version of the ARF. Ultimately, each Member State must make a free EDI wallet available that meets this ARF. In the subsequent process, after eIDAS 2.0 enters into force, updates and new versions will appear as necessary. With the delivery of the ARF, this iterative process has thus not come to an end.

In Annex I, we have added a brief explanation of the intended ecosystem of the EDI wallet. Here we pay more attention to the various roles and components of the EDI system. We also provide more background on the reliability levels of a digital identity. Digital security is essential for the consumer and institution to gain and maintain trust in this form of digitalization. In short, besides the functionalities of the wallet, is the question of whether we trust this as well or better than the use of our physical identity documents.

European Digital Identity: The Arrival of the EDI Wallet 9 SUPERVISORY REPORT

4. The EDI Wallet and Its Functions The EDI wallet must be available to citizens and residents in EU Member States from the end of 2026. Below we distinguish the various functionalities of the intended wallet:

Figure 3: The Function of the EDI Wallet

Digital Identification & Authentication Once an EDI wallet is linked to a verified holder, the wallet must be usable without additional means to identify this holder in the online and physical world. For this, it is important that the identifying party can authenticate the identification data of the wallet holder.

The identification of the holder and the authentication of this (personal) data will cause many technical challenges. The reliable storage of personal data is one of them. At present, the identification and authentication (verification of identity claim) of a person is often only possible with the help of physical documents such as a passport, ID card, or driver's license. Even with the current login tool DigiD, identification with the highest reliability level is only possible with an extra means, for example, by reading the RFID chip in a passport (eNIK) via NFC.

The possibility of digital identification/authentication via the EDI wallet is in the interest of the financial sector, such as when onboarding new customers or employees. In the financial sector, identification and authentication of persons is important when providing a bank account, closing an insurance policy, or opening an investment account to, for example, prevent money laundering, fraud, or terrorism financing. Furthermore, identification/authentication is relevant for internal business operations when hiring new employees.

The EDI wallet can also be useful in the physical world for digitally storing a driver's license or identity document in the wallet, so that holders no longer need to carry their physical documents for identification.

European Digital Identity: The Arrival of the EDI Wallet 10 SUPERVISORY REPORT

Digital Authorization Once a digital identity is linked to a wallet, wallet holders can subsequently store additional personal data or attributes in the EDI wallet. These verified qualifications can give the holder access (authorization) to certain services.

Authorization means granting access to a specific person, such as access to an investment account or making investments. This can also be, for example, physical access to a business premises. Another example is checking the identity for opening a bank account and then granting access to the bank account via a bank card or an app on a mobile phone.

The authorization function can also make the EDI wallet suitable for receiving and sending digital money. Expectations are that in the upcoming proposal of the European Commission regarding the digital euro, the EDI wallet may also be mentioned as a possible means for authorizing payments.

Electronic Signatures Applying an electronic signature is also an intended functionality of the EDI wallet. The wallet holder can use this to add a legally valid signature to a digital document. A wallet holder can also confirm via applying an electronic signature that they are the one who shared certain data. This functionality also makes it possible for a data provider to provide documents with a signature to guarantee their authenticity, as we explain in the next paragraph.

Sharing (Personal) Data Another application of the EDI wallet is the selection and sharing of verified (personal) data or attributes by the holder. When this data is certified by means of an electronic signature, this certification is called the attestation of the attribute, also known as a 'verifiable credential'. The accompanying electronic signature makes it verifiable who shared the data. But the provider of the source data (e.g., work history and salary data by UWV) can also confirm as an organization via an electronic signature that they provided this data and that this data is therefore authentic. Via the wallet, the holder can choose which additional data to share with a public or private organization. The EDI wallet thus makes it possible, for example,

European Digital Identity: The Arrival of the EDI Wallet 11 SUPERVISORY REPORT

5. Development of Use Cases – Large Scale Pilots The European Commission has launched Large Scale Pilots (LSPs) to test the functionalities of the EDI wallet and the ARF. These pilots involve various stakeholders, including financial institutions, government bodies, and technology providers. The goal is to identify practical challenges, refine the technical standards, and ensure interoperability across borders. The findings from these pilots will directly inform the final version of the ARF and the implementation strategies for Member States.

European Digital Identity: The Arrival of the EDI Wallet 12 SUPERVISORY REPORT

6. Impact of EDI Wallet 6.1 Impact on (Financial) Services The introduction of the EDI wallet will fundamentally alter the customer journey in financial services. By enabling seamless, secure, and verified digital identification, banks and insurers can significantly reduce the friction associated with onboarding. This leads to faster service delivery and improved customer experience. Furthermore, the ability to share verified attributes (such as income or employment status) directly from the wallet reduces the administrative burden on both providers and customers, minimizing the need for manual document verification.

6.2 Impact on Supervision For supervisors like the AFM, the EDI wallet presents both opportunities and challenges. On one hand, the use of verified data can enhance the quality of customer files, aiding in Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) supervision. On the other hand, the ease of cross-border transactions and the potential for embedded finance may complicate jurisdictional oversight. Supervisors must adapt their frameworks to monitor risks related to data privacy, identity fraud, and consumer protection in a digital-first environment. The shift towards digital-only interactions also requires enhanced digital literacy among consumers to prevent misuse.

European Digital Identity: The Arrival of the EDI Wallet 13 SUPERVISORY REPORT

7. Annex I - The EDI Wallet Ecosystem The EDI ecosystem involves several key actors:

7.1 Wallet Provider Entities responsible for developing and maintaining the EDI wallet software, ensuring it meets eIDAS 2.0 standards.

7.2 User - PID (Personal Identification Data) The natural person who holds the wallet and controls their personal identification data.

7.3 Attribute Provider Organizations that issue verified attributes (e.g., universities issuing diplomas, employers issuing income statements) which are stored in the wallet.

7.4 Relying Party Services or organizations that request and verify the identity or attributes from the EDI wallet to provide a service.

7.5 Validity Information Data that confirms the current status and validity of the credentials stored in the wallet.

7.6 The Reliability of a Wallet Trust in the EDI wallet relies on robust security measures, clear legal frameworks, and user control over data. The certification process by national authorities ensures that wallets meet high security and privacy standards, fostering confidence among users and service providers.

European Digital Identity: The Arrival of the EDI Wallet 14 SUPERVISORY REPORT

[End of Document]