eIDAS 2.0: Governments should stop thinking of digital wallets as products

Governments risk making a strategic mistake if they treat the European Digital Identity (EUDI) Wallet as merely another digital identity app, according to Partisia’s chief product officer Mark Medum Bundegaard.

The emerging wallet ecosystem is expected to shape how credentials, public services and digital trust operate across borders, influencing everything from procurement and regulation to citizen services and business onboarding.

Bundegaard argues that the initiative is being widely misunderstood if framed purely as an identity product rather than infrastructure.

“At Partisia, we see the EUDI Wallet less as an ‘identity product’ and more as shared public digital infrastructure, comparable to payment rails or public key infrastructure. That distinction matters because infrastructure has to be neutral, reusable and resilient over decades, not optimised for a single service or political objective.”

Danish software firm Partisia develops privacy-preserving infrastructure that seeks to enable verifiable digital identity and trust across jurisdictions without centralised data control.

From digital identity product to infrastructure layer

The EU’s eIDAS 2.0 regulation, which underpins the EUDI Wallet, aims to provide citizens and businesses with a secure way to store and share digital credentials across borders, including identity attributes, qualifications, licences and organisational data. Unlike earlier identity schemes centred on databases and portals, the wallet model is built around verifiable credentials and cryptographic trust mechanisms.

For governments, Bundegaard said, this reframing fundamentally changes how digital identity programmes should be designed and governed.

“Framing it this way shifts the focus from who runs the wallet app to how trust is established and verified across many independent actors. For governments, it means designing systems that allow credentials to be issued once and safely reused across borders and sectors. For citizens and businesses, it means less duplication, fewer repeated disclosures, and far more control over how credentials are used.”

Interoperability without centralised databases

A design challenge for cross-border digital identity is interoperability between jurisdictions with different legal frameworks, technical systems and governance models. Traditionally, this has led to proposals for shared databases or central hubs – approaches that raise privacy, resilience and sovereignty concerns.

Bundegaard said the EUDI architecture offers an alternative model based on shared cryptographic standards rather than shared data stores.

“Interoperability does not require shared databases – it requires shared cryptographic standards. In the EUDI model, information is attested into Verifiable Credentials signed by an issuer. A relying party can validate those credentials locally by checking the signature, without querying the issuer or a central system.”

He added that this model is particularly relevant for governments seeking to maintain national sovereignty while enabling cross-border recognition of credentials.

“This is a core principle for Partisia: trust should be verifiable, not observable. Issuers should not see where credentials are used, and interoperability should not depend on a single operational authority. This approach scales across jurisdictions, preserves national sovereignty, and dramatically improves privacy compared to centralised or hub-based models.”

Trust-by-design and the role of cryptography

eIDAS 2.0 places strong emphasis on privacy-enhancing technologies, including anonymous credentials and zero-knowledge proofs, which allow users to prove specific attributes without disclosing full identity data.

Bundegaard described this as a significant departure from traditional identity systems built around central data collection.

“One of the most encouraging aspects of eIDAS 2.0 is that many of the right privacy and security principles are already built into the legislation and emerging technical standards. In particular, the move toward anonymous credentials and zero-knowledge proofs allows users to prove specific facts – such as eligibility or status – without exposing unnecessary personal data.”

However, he cautioned that implementation choices will ultimately determine whether those protections are realised in practice.

“Public sector leaders should prioritise architectures that minimise data exposure, avoid creating central points of visibility, and allow credentials to be verified independently rather than constantly checked against central systems. When trust is enforced cryptographically rather than operationally, it becomes far more resilient – and far easier for citizens and businesses to trust the system itself, not just the institution running it.”

Beyond individuals: the rise of business wallets

Alongside citizen identity, policymakers are increasingly exploring organisational and business credentials as part of the broader wallet ecosystem. Proposed EU business wallets could automate currently manual, paper-heavy administrative processes across both public and private sectors.

“Business wallets and verifiable credentials would let companies and public authorities automate many currently manual, paper heavy tasks – reducing delays and costs and making cross border transactions far easier.”

Potential applications include automated company verification, faster KYC and onboarding, streamlined VAT reporting and more efficient public procurement checks – areas that align closely with digital government efficiency agendas.

Centralisation risks and resilience concerns

Despite strong regulatory oversight, Bundegaard warned that centralised identity infrastructure can introduce systemic vulnerabilities even when well intentioned.

“A centralised architecture is by nature more vulnerable to DDoS attacks, for example, than a decentralised one. Such systems simply constitute a single point of failure and are therefore obvious targets.”

He also highlighted the surveillance risks associated with architectures that allow identity providers to observe how credentials are used.

“A decentralised architecture makes it significantly more difficult to trace and survey users thereby protecting them from malicious or malfunctioning identity providers that try to learn the actions of users in the system.”

Implications for UK trust frameworks and cross-border alignment

For the UK, which is developing its own digital identity and trust frameworks while remaining outside eIDAS, alignment with emerging technical standards may become a pragmatic route to interoperability.

Bundegaard noted that open specifications and reference implementations are already publicly available, enabling technical compatibility without full regulatory participation.

“Rather than fully joining the eIDAS regulatory framework, third countries such as the UK could choose to align with specific technical standards, allowing credentials issued in one jurisdiction to be recognised and verified in another.”

Avoiding lock-in in national digital identity programmes

With implementation timelines tightening across Europe, Bundegaard’s central message to digital government leaders is to prioritise open standards and cryptographic verification now to avoid future lock-in and fragmentation.

“The most important step is to align early with open standards such as those defined under eIDAS 2.0, even before full deployment. This ensures that identity systems are interoperable across providers and borders, and avoids dependency on proprietary solutions that are difficult or costly to replace later.”

He added that designing around verifiable credentials rather than centralised data access will be key to sustaining trust as digital wallet ecosystems scale across borders and sectors.

“Taking a standards-first approach now makes it far easier to adapt in the future and prevents fragmentation that would otherwise undermine cross-border interoperability and public trust.”