Biometrics regulations, misconceptions threaten to undermine EUDI Wallets

The European Digital Identity (EUDI) Wallet ecosystem is currently navigating a complex landscape of regulatory restrictions and privacy allegations that may impact its effectiveness. While Spanish regulators have limited the use of biometrics as a sole verification method, industry groups warn that such moves could undermine the high-assurance standards required for Qualified Electronic Signatures. These challenges emerge as member states like Denmark and Poland move forward with implementation, and private firms like Google and Itsme expand their digital credential offerings across the continent.
The Digital Identity & Verification sector is facing a period of intense scrutiny as researchers from Georgia Tech and UC Irvine recently alleged that Yoti shares biometric data with third parties. Yoti has publicly challenged these claims as "wholly false" and has called for an independent cybersecurity review to settle the matter. This conflict underscores the sensitivity surrounding biometric data handling as the market prepares for the potential launch of EUDI Wallets by the end of the year.
Simultaneously, the Spanish data protection regulator AEPD has ruled that biometric data cannot be the only option for verification within digital ID apps under GDPR. The Age Verification Providers Association (AVPA) has reacted by warning that this decision could compromise the entire EUDI Wallet framework, as alternative methods like PINs or device-bound identity may not meet the standards for high-value use cases. Viky Manaila, President of the Cloud Signature Consortium, emphasized that Qualified Electronic Signatures (QES) rely on KYC-grade identity verification to be legally recognized, making the role of biometrics critical for public utility.
Despite these hurdles, national implementations are proceeding, with Denmark launching its Altid wallet this week for online and in-person use. Developed by Nine and featuring Signicat’s NFC and biometric capabilities, the app utilizes zero-knowledge proofs for age verification and identity. In Poland, new digital reform laws requiring age checks for adult content have led the government to recommend EUDI Wallets as a primary tool for data minimization. These national moves are being mirrored by private sector expansion, such as Belgium’s Itsme acquiring Dutch firm iDIN to strengthen its cross-border reach ahead of the EUDI launch.
The broader ecosystem is also seeing significant participation from major technology platforms, with Google Wallet set to support digital IDs and age credentials in several EU Member States this summer. This expansion includes a partnership with German bank Sparkasse to facilitate digital age verification. As the market accelerates, the industry is looking to the European Data Protection Board (EDPB) for clarifying guidance to resolve the clash of interpretations between regulators and service providers, ensuring that the technical capabilities of biometrics can be legally and effectively utilized.
Summary generated by RabbitReport AI from public reporting. The full article and original reporting belong to Biometric Update.