Embedding a Harmonised EU Identity System into a Mature National E-State: An Estonian Case Study

Vol. 20, No. 1 (2026)

Abstract

The implementation of the European Digital Identity (EUDI) Wallet is among the EU’s most ambitious cross-border digital identity initiatives. Estonia, a country often regarded as a digital frontrunner, received an EUDI Wallet Minimum Viable Product (MVP) from the private Estonian company Cybernetica in June 2024, enabling credential issuance independent of physical ID cards, selective disclosure supported by privacy-preserving cryptography, and a modular design aligned with the EU Architecture and Reference Framework (ARF). While Estonia’s existing identity and interoperability infrastructure provides strong continuity in trust, assurance, and security, the transition produces frictions centred on the redistribution of control, data minimisation and presentation, portability, and cross-border interoperability. The analysis therefore indicates that the principal challenge is not establishing baseline legal compliance, but aligning governance, supervision, liability, and recovery support with a wallet-mediated transaction chain during a period of channel coexistence.


Keywords:
EUDI Wallet; Digital Identity; Trust Services; Interoperability

Pages:
119 – 142
