The EU's Digital Identity Wallet will track who you are, where you go, and what you do online — by design. Loopholes in the regulation hand companies like Facebook a skeleton key to your most sensitive data. This isn't a conspiracy theory. It's the law they're passing right now.
Sold as a simple, voluntary wallet on your phone, eIDAS 2.0 is, in practice, a continent-wide identity infrastructure. Here's what the fine print says.
The EUDI Wallet requires identity verification to access a growing list of services — from banking and healthcare to social platforms. Once every major online interaction is tied to your verified identity, anonymity online effectively ceases to exist in Europe.
"The system may eliminate anonymity online and offline, risking 'over-identification' — excessive identity verification requirements." — Civil Society Coalition Letter, 2023
The wallet architecture enables "relying parties" — companies and governments — to request your verified identity attributes for nearly any online interaction. Without tight enforcement, this becomes a universal tracking layer across the web.
Your digital identity will be issued, verified, and ultimately controlled by national governments and their chosen technology partners. This creates a single point of failure — and a single point of abuse.
Centralizing the verified identity of 450 million people creates an unprecedented honeypot for hackers, state actors, and criminal organizations. A breach doesn't mean your email is leaked — it means your legal identity is.
Citizens who cannot or will not participate — the elderly, the unhoused, undocumented residents, domestic abuse survivors — face systematic exclusion from essential services as the wallet becomes the de facto gateway.
Major platforms gain a EU-verified identity layer that makes targeted advertising, user tracking, and behavioral profiling more powerful and legally defensible than ever before.
In February 2025, a coalition of 15 civil society organisations exposed two critical loopholes in the implementing acts that undermine every privacy promise.
Every company using the wallet ("relying party") is supposed to register exactly which data attributes they're allowed to request. Your bank can ask for your name and address. An age-verification service can only confirm your age. That's the theory.
The reality? The Commission's proposal allows member states to issue optional registration certificates — meaning the wallet itself may not even know what a company is actually permitted to access.
Facebook Ireland, registered under Ireland's historically lax data enforcement regime, could obtain a "wildcard" registration — and request virtually any data attribute from users' wallets across all 27 EU member states.
Every member state must maintain a public registry of approved relying parties. The idea: any country can check whether a company operating in their territory is playing by the rules.
The problem: the regulation contains no harmonized specification for how these registries must be structured or accessed. Without a standard format, the registries become effectively useless — governments in privacy-protective countries like Germany or Austria cannot query Ireland's registry to verify what Facebook has been permitted to access.
A German citizen uses their EUDI Wallet with a service registered in Ireland. Germany has no technical mechanism to enforce its stricter standards. The system fragments into 27 different enforcement levels — and companies simply register in the weakest jurisdiction.
These aren't theoretical edge cases. They are known issues that 15 civil society organisations demanded be fixed in February 2025. The Commission has not yet acted.
Help Us Pressure Them →Real people face real harm. Here's what happens when verified identity becomes mandatory infrastructure.
When every online interaction is tied to your verified identity, whistleblowers, journalists, and activists lose the anonymity that protects them from state and corporate retaliation.
In countries where acceptance is partial or rights are under threat, forced identity verification of online activity creates a direct risk for LGBTQ+ individuals seeking community or information.
People escaping abusive situations depend on the ability to exist online without being traceable. A mandatory digital identity tied to every service access destroys this safety net.
As the EUDI Wallet becomes the gateway to essential services — banking, healthcare, transport — those unable to navigate digital systems face systematic exclusion from public life.
A state-issued digital identity creates a two-tier system where those without official national status are categorically locked out of services and public participation.
Investigative journalism and academic research often depend on the ability to access information without creating a traceable record tied to one's verified identity.
"Citizens will put no trust in the European Digital Identity Wallet without transparency and users being in control over their data."
— Coalition of 15 Civil Society Organisations, February 2025
A well-designed digital identity system could genuinely empower citizens. This one, as written, does the opposite. Here's what needs to change.
The EUDI Wallet must not become a prerequisite for accessing essential services. Participation must remain optional with no disadvantage for those who opt out. No citizen should be coerced into surrendering their privacy to access healthcare, banking, or public services.
Relying party registration certificates must be mandatory, not optional. The wallet must always know exactly what any company is authorized to request. No wildcard access. No jurisdiction-shopping. No blank checks for Big Tech.
All member state relying party registries must follow a common technical specification so that any EU data protection authority can query, cross-reference, and enforce against any registered entity — regardless of where they registered.
A centralised identity infrastructure for 450 million people must undergo a rigorous, independent technical and privacy audit before any deployment. The results must be published in full.
Any citizen who is denied access to services because of inability or unwillingness to use the wallet must have clear, accessible legal recourse. Exclusion from public life based on digital participation is discrimination.
Over 12,847 people have already signed. MEPs listen when constituents write. Show them this matters to you.
You've joined thousands of Europeans standing up for digital rights. Share this page to amplify our message.
Your elected representative in the European Parliament sits on committees that can force amendments to eIDAS implementing acts. A personal email from a constituent carries real weight.
Find Your MEP →Most people have never heard of eIDAS 2.0. Download our shareable explainer graphics and thread templates for X/Twitter, Mastodon, and Instagram.
Get the ToolkitConnect with the civil society organisations already doing this work. EDRi, epicenter.works, noyb, and Privacy International all have active campaigns and need support.
See PartnersLegal challenges, technical audits, Brussels lobbying, and public campaigns all cost money. Your donation directly funds the work that creates change.
Support UsStopEUID is a grassroots coalition of digital rights advocates, privacy researchers, civil society organisations, and concerned citizens across the European Union. We are not funded by any technology company, political party, or government.
We believe that digital identity systems can be built to empower rather than surveil — but only if citizens demand the right safeguards. Our goal is not to block digital transformation, but to ensure it happens on citizens' terms, not governments' and corporations'.
We work in coalition with established digital rights organisations including EDRi, epicenter.works, Privacy International, noyb, and the CADE Project. If your organisation wants to become a formal partner, get in touch.
Contact Us