EUDI in Practice: Inside Germany’s Digital Identity Strategy [Video and Takeaways]

Published December 15, 2025

As the European Digital Identity Wallet (EUDI) moves from policy to implementation, many organizations are trying to understand what it will actually look like in practice, especially at the national level.

In a recent webinar, we spoke with Mirko Mollik, Identity Architect at SPRIND (Germany’s Federal Agency for Breakthrough Innovation), to unpack how Germany is approaching the rollout of the EUDI ecosystem. The conversation went beyond high-level regulation and focused on the realities of implementation: how wallets will be certified, how issuers and verifiers will onboard, how privacy is enforced in practice, and which standards are truly mandatory.

Mirko shared firsthand insight from SPRIND’s work building Germany’s EUDI blueprint, contributing to standards, running large-scale pilots, and launching the next phase of sandbox testing. The discussion provided a rare, concrete look at how the European Digital Identity framework is being translated into real infrastructure, and what companies should prepare for next.

Below are the key takeaways from that conversation, organized around the areas that matter most for anyone planning to issue, verify, or integrate with the European Digital Identity Wallet.

Germany’s challenge is ecosystem-wide, not just a wallet

  • Germany is working toward the EUDI deadline of Christmas 2026, but the task goes far beyond building a single app.
    • Mirko emphasizes that the real work is building the full ecosystem: wallet(s), issuers, relying parties, trust infrastructure, standards alignment, testing, and governance.
  • SPRIND’s role is to build and coordinate that ecosystem.
    • This includes defining the blueprint, contributing to standards, running pilots and sandboxes, and engaging civil society and minority groups to ensure no one is left behind.
  • Germany plans to support multiple wallets.
    • In addition to a government-provided wallet, non-government wallets will be allowed if they meet legal, privacy, security, and certification requirements.

Standards are central, but were still evolving during the pilots

  • Large-scale pilots demonstrated cross-border interoperability, such as:
    • Wallets from one country working with issuers from another and verifiers from a third.
  • A major challenge was that many standards were not yet final.
    • Mirko notes frequent breaking changes, which made real testing difficult.
  • SPRIND contributes across multiple standards bodies, because no single organization covers the entire EUDI stack.
    • Examples mentioned include:
      • OpenID for Verifiable Credential Issuance (OpenID4VCI), now at version 1.0
      • IETF work on SD-JWT
      • OAuth status lists
      • ETSI work related to certificates and regulatory alignment

After the pilots, the path forward is standards compliance and testing

  • Organizations that missed the large-scale pilots can still prepare today.
    • Mirko highlights the OpenID conformance suite as a practical way to:
      • Emulate issuers, verifiers, or wallets
      • Check alignment with specifications
      • Identify exactly where implementations diverge from standards
  • Germany is introducing a staged sandbox approach.
    • An initial sandbox (starting mid-December, as stated in the webinar) is limited to selected German relying parties and PID-based use cases.
    • The sandbox uses mock personal data, but real protocols and standards.
    • The stated goal is to expand scope over 2025–2026, with broader production access around the end of 2026 / early 2027.

The three credential categories that matter in practice

  • Personal Identity Data (PID)
    • Considered the highest-value credential, enabling actions like opening bank accounts or applying for loans.
    • Can be issued as ISO 18013 mdoc or SD-JWT VC, as described in the ARF.
    • Only PID must be stored in a certified EU Digital Identity wallet, according to Mirko.
  • Qualified Electronic Attestations of Attributes (QEAAs)
    • Issued by qualified providers that meet stricter requirements.
    • The issuer must properly identify the holder and is liable if that identification is insufficient.
    • QEAAs can be stored in non-EUDI wallets as well.
    • They offer higher assurance, but also higher cost, due to certified processes and hardware.
  • Public electronic attestations (public EAAs)
    • Used where national law explicitly authorizes specific institutions to issue certain attributes (e.g., universities issuing degrees).
    • Authorization is based on a legal mandate, not just technical qualification.
    • These issuers and their roles are published in trust lists.

Privacy and GDPR shape verifier behavior

  • GDPR limits what can be requested and how.
    • If there is no legal requirement to identify a person, services must allow the use of pseudonyms.
    • Mirko contrasts regulated use cases (e.g., banking) with social platforms.
  • Germany’s verifier registry is designed for transparency, not pre-approval at scale.
    • Verifiers must register who they are and what data they intend to request.
    • The registry does not approve each request, because that would not scale.
    • Instead, it creates:
      • Strong business identification (KYB/KYC)
      • Public transparency of declared purposes
      • A basis for legal enforcement if misuse occurs

Peer-to-peer data exchange is a core design principle

  • The registry is not a proxy for credential presentations.
    • Credential presentation happens peer-to-peer between wallet and relying party.
  • The registry supports trust, not surveillance.
    • It provides verifier certificates, revocation information, and trust anchors.
    • It is explicitly designed to avoid centralized tracking of who interacts with whom.

Trust lists, keys, and revocation

  • Trust is anchored through the EU “List of Trusted Lists” (LOTL).
    • The LOTL links national trust lists from all member states.
    • This model extends what already exists under eIDAS for qualified electronic signatures.
  • Verification relies on standard X.509 validation flows.
    • Verifiers use the credential’s country indicator to locate the correct trust list and issuer keys.
  • Revocation approaches discussed include:
    • OAuth status lists for SD-JWT-based credentials
    • CRLs for X.509 certificates (preferred over OCSP due to privacy concerns)
  • Security hardening measures are anticipated.
    • For example, PID issuers may use separate keys for credential signing and revocation lists.
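The status-list check mentioned above, sketched as an added example (not code from the webinar or from SPRIND). It follows the encoding of the IETF Token Status List draft: the verifier downloads the whole compressed list and reads one position locally, so the issuer does not learn which credential was checked. Signature verification of the list and of the credential is assumed to have happened already; the sample URI, index and size cap are constructed.

```python
import base64
import zlib

STATUS = {0: "VALID", 1: "INVALID", 2: "SUSPENDED"}  # values per the IETF draft
MAX_LIST_BYTES = 1 << 20  # assumed cap; guards against decompression bombs


def encode_status_list(statuses, bits=1):
    """Issuer side: pack `bits`-wide statuses LSB-first, compress, base64url."""
    per_byte = 8 // bits
    raw = bytearray(-(-len(statuses) // per_byte))
    for idx, status in enumerate(statuses):
        if not 0 <= status < (1 << bits):
            raise ValueError(f"status {status} does not fit in {bits} bit(s)")
        raw[idx // per_byte] |= status << ((idx % per_byte) * bits)
    lst = base64.urlsafe_b64encode(zlib.compress(bytes(raw), 9))
    return {"bits": bits, "lst": lst.rstrip(b"=").decode("ascii")}


def lookup_status(status_list, idx):
    """Verifier side: read one entry from a list that was fetched in full."""
    bits = status_list["bits"]
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    lst = status_list["lst"]
    compressed = base64.urlsafe_b64decode(lst + "=" * (-len(lst) % 4))
    inflater = zlib.decompressobj()
    raw = inflater.decompress(compressed, MAX_LIST_BYTES)
    if not inflater.eof:
        raise ValueError("status list truncated or larger than accepted maximum")
    per_byte = 8 // bits
    byte_pos, slot = divmod(idx, per_byte)
    if idx < 0 or byte_pos >= len(raw):
        raise IndexError("idx is outside the published status list")
    return (raw[byte_pos] >> (slot * bits)) & ((1 << bits) - 1)


def credential_status(credential_claims, status_list):
    """Resolve the credential's status reference to a status name."""
    ref = credential_claims["status"]["status_list"]  # carries idx and uri
    value = lookup_status(status_list, ref["idx"])
    return STATUS.get(value, f"APPLICATION_SPECIFIC_{value}")


# Constructed sample: 16 credentials, one bit each (1 = revoked).
SAMPLE_LIST = encode_status_list([1, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, 1])
SAMPLE_CREDENTIAL = {
    "status": {"status_list": {"idx": 6, "uri": "https://issuer.example/sl/1"}}}
```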

Rulebooks enable ecosystem-level governance

  • Rulebooks define credential schemes and authorized issuers in a machine-readable way.
  • Anyone can publish a rulebook, but publishing does not create trust by itself.
    • Trust emerges when verifiers choose to rely on a given rulebook.
    • This mirrors how domain names or other open registries work today.

Cross-border operation and non-EU participation

  • Each member state runs its own registry.
    • Companies register in the country where they are legally based.
    • Once registered, they can interact with EUDI wallets across Europe.
  • Non-EU companies must establish an EU presence to participate.
    • Mirko highlights the risk of “weakest-policy” dynamics, where companies may choose jurisdictions with the lowest onboarding requirements.

Big-tech wallets and certification

  • Samsung and Google have publicly expressed interest in becoming EUDI wallet providers.
  • They must meet the same legal, privacy, and security requirements as any other wallet.
    • Certification is performed at the member-state level.
  • Consumer EUDI wallets must be free of charge to users, as stated for Germany.
    • This constrains monetization for non-government wallet providers.

DIDs, DIDComm, and advanced cryptography are optional, not mandated

  • The EUDI baseline mandates a limited, well-analyzed stack.
    • OpenID-based protocols and proximity flows are required.
  • Wallets may support DIDs or DIDComm as additional layers.
    • However, relying parties are not required to support them.
  • Germany prioritizes crypto agility and long-term security.
    • Instead of range proofs, common age checks are implemented as explicit boolean attributes.
    • Zero-knowledge proofs are being researched to mitigate risks like issuer–verifier linkability over time.
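How an explicit boolean age attribute works with SD-JWT selective disclosure, as an added example (not code from the webinar or from SPRIND). The holder presents only the disclosure for the boolean, and the verifier accepts it only if its digest appears in the issuer-signed payload, so the birth date is never revealed. The claim names `age_over_18` and `birthdate` are assumptions, and checking the issuer signature and key binding is assumed to happen elsewhere.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sd_digest(disclosure: str) -> str:
    """SD-JWT digest: SHA-256 over the ASCII bytes of the encoded disclosure."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict):
    """Issuer side: one salted disclosure per claim; only digests get signed."""
    disclosures = {
        name: b64url(json.dumps([b64url(secrets.token_bytes(16)), name, value]).encode())
        for name, value in claims.items()
    }
    payload = {"_sd_alg": "sha-256", "_sd": sorted(map(sd_digest, disclosures.values()))}
    return payload, disclosures


def disclosed_claims(payload: dict, presented: list) -> dict:
    """Verifier side: accept only disclosures whose digest the issuer signed."""
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    signed = set(payload["_sd"])
    claims = {}
    for disclosure in presented:
        if sd_digest(disclosure) not in signed:
            raise ValueError("disclosure does not match any signed digest")
        raw = base64.urlsafe_b64decode(disclosure + "=" * (-len(disclosure) % 4))
        _salt, name, value = json.loads(raw)
        if name in claims:
            raise ValueError(f"claim {name!r} disclosed twice")
        claims[name] = value
    return claims


def is_over_18(payload: dict, presented: list) -> bool:
    """Age gate on the explicit boolean; the birth date is never needed."""
    return disclosed_claims(payload, presented).get("age_over_18") is True


# Constructed PID-like claims; the claim names are assumptions.
PAYLOAD, DISCLOSURES = issue({"birthdate": "1990-04-12", "age_over_18": True})
```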
