Securing the European Digital Identity Wallets: Meeting the challenges of technology, sovereignty, and certification
Making a digital identity wallet available to every citizen is one of the European Union’s key near-term objectives. By December 2026, each of the 27 member states must provide a digital identity wallet that is compliant with the European Digital Identity Regulation, known as eIDAS 2.0.
Member states face the twin challenges of ensuring a high security level for their wallet solution, which is crucial for establishing trust for all stakeholders, while offering an accessible and seamless user experience for citizens. Additionally, each member state will need to operate a transitional national security certification scheme to validate that their wallet meets the security requirements laid out in the regulation.
Secure elements (SEs) are regarded as the best technology to help member states achieve the highest levels of security and usability when deploying their wallets to smartphones. Importantly, SEs are already standardized by GlobalPlatform and certified to stringent functional and security requirements. They provide a route to market via a widely adopted technology and with minimal risk, enabling convenient and secure EUDI implementations that also support offline mode use cases when there is no active network connection.
SEs are widespread in smartphones and will very soon be ubiquitous. While wallet security with SEs can be achieved on today’s smartphones, work is in progress to optimize scalability. This is because SEs are currently controlled by smartphone manufacturers or mobile network operators, meaning third parties, like member states, cannot independently access or modify them, limiting scalability and ease of use for securing EUDIWs.
The device security industry is therefore collaborating to enable the universal and independent use of SEs for member states to protect their wallets – and citizens’ identities – with the highest level of security. Industry association GlobalPlatform and its members are leading this initiative, in collaboration with major security stakeholders.
This position paper presents two standardized and interoperable frameworks from GlobalPlatform that can solve these challenges:
- Secured Applications for Mobile (SAM) – to enable member states to deploy and manage applications on embedded SE and embedded SIM across devices independently of smartphone manufacturers or mobile network operators.
- Cryptographic Service Provider (CSP) – to streamline the certification process for member states by allowing a single applet certificate for all smartphone and SE platforms supporting this technology, reducing time and costs associated with security assessment.
The paper also presents a number of steps that should be taken now by the EU Commission, member states, wallet developers, Large Scale Pilots and smartphone manufacturers. By taking these actions, each stakeholder group can make a significant contribution to ensuring a secure, interoperable, and widely adopted digital identity solution across the European Union.