[{"data":1,"prerenderedAt":656},["ShallowReactive",2],{"eidas2/wallet-provider":3},{"id":4,"title":5,"author":6,"body":7,"description":641,"extension":642,"meta":643,"navigation":644,"path":645,"publishedAt":646,"seo":647,"stem":648,"tags":649,"updatedAt":646,"__hash__":655},"eidas2Articles/eidas2/wallet-provider.md","eIDAS 2 Wallet Provider Requirements: How to Build a Compliant EUDI Wallet","Tamino Baumann",{"type":8,"value":9,"toc":621},"minimark",[10,25,28,33,49,56,58,62,65,202,204,208,211,249,251,255,258,261,469,471,475,478,514,519,522,560,572,574,578,581,584,588,591,595,598,602,605,609,612,616,619],[11,12,13,14,18,19,24],"p",{},"An ",[15,16,17],"strong",{},"eIDAS 2 wallet provider"," is a member state or a certified organisation that delivers and operates an ",[20,21,23],"a",{"href":22},"/eidas2/eudi-wallet","EU Digital Identity Wallet (EUDI Wallet)"," for end-users — distributing the wallet application, ensuring it reaches Level of Assurance High, and issuing Wallet Unit Attestations (WUAs) that allow issuers and relying parties to trust the wallet. A separate market for non-certified wallets also exists, serving consumer and business use cases where formal certification is not required.",[26,27],"hr",{},[29,30,32],"h2",{"id":31},"what-is-an-eidas-2-wallet-provider","What is an eIDAS 2 wallet provider?",[11,34,35,36,40,41,44,45,48],{},"A wallet provider delivers the software and security infrastructure that turns a device into a compliant identity wallet. 
Under ",[20,37,39],{"href":38},"/eidas2","eIDAS 2"," (Regulation (EU) 2024/1183), every wallet provider is either a ",[15,42,43],{},"member state"," or a ",[15,46,47],{},"certified organisation"," authorised to offer certified wallets to citizens.",[11,50,51,52,55],{},"The wallet provider's core responsibility is to issue ",[15,53,54],{},"Wallet Unit Attestations (WUAs)"," — digital credentials that describe the technical capabilities of a specific wallet unit and enable issuers to establish trust before delivering credentials. Beyond WUA issuance, the provider manages the full lifecycle of each wallet unit: installation, activation, management, revocation, and migration. A separate market for non-certified wallets also exists for consumer and business use cases where formal certification is not required.",[26,57],{},[29,59,61],{"id":60},"eidas-2-wallet-provider-requirements-the-compliance-checklist","eIDAS 2 wallet provider requirements: the compliance checklist",[11,63,64],{},"The following checklist covers the mandatory obligations for a certified wallet provider under eIDAS 2.",[66,67,68,75,81,87,93,99,105,130,148,154,160,166,172,178,184,190,196],"ol",{},[69,70,71,74],"li",{},[15,72,73],{},"Publish the wallet through official app stores"," (Apple App Store, Google Play). If it is distributed any other way, give users a clear way to confirm the app is genuine.",[69,76,77,80],{},[15,78,79],{},"Require the user to unlock the wallet"," with the device's biometrics or a PIN before it can be used.",[69,82,83,86],{},[15,84,85],{},"Set up a user account with the wallet provider linked to the wallet",". The account can be pseudonymous and should use a sign-in method that does not depend on the device alone.",[69,88,89,92],{},[15,90,91],{},"Store the wallet's keys in certified secure hardware"," — the secure chip built into the phone, or a remote hardware security module (HSM) when the device cannot provide one. 
Each wallet's keys are kept isolated from those of every other wallet.",[69,94,95,98],{},[15,96,97],{},"Activate the wallet only at the EU's highest security level (Level of Assurance High)"," — activation completes only once the keys are protected by hardware certified to that level.",[69,100,101,104],{},[15,102,103],{},"Issue a Wallet Unit Attestation (WUA) at activation"," — a digital certificate describing the wallet's security capabilities. Issuers check the WUA before sending any credential, and it can be used to revoke the wallet.",[69,106,107,110,111,117,118,123,124,129],{},[15,108,109],{},"Support the required exchange protocols"," — ",[20,112,116],{"href":113,"rel":114},"https://docs.walt.id/concepts/data-exchange-protocols/openid4vci",[115],"nofollow","OID4VCI"," to receive credentials and ",[20,119,122],{"href":120,"rel":121},"https://docs.walt.id/concepts/data-exchange-protocols/openid4vp",[115],"OID4VP"," to present them (both with the HAIP profile), plus ",[20,125,128],{"href":126,"rel":127},"https://docs.walt.id/community-stack/concepts/digital-credentials/mdoc-mdl-iso",[115],"ISO/IEC 18013-5"," (in-person) and ISO/IEC 18013-7 (online) for document flows using the ISO/IEC 18013-5 mdoc format.",[69,131,132,135,136,141,142,147],{},[15,133,134],{},"Support the required credential formats"," — ISO/IEC 18013-5 (mdoc) and ",[20,137,140],{"href":138,"rel":139},"https://docs.walt.id/concepts/digital-credentials/sd-jwt-vc",[115],"SD-JWT VC"," are mandatory; ",[20,143,146],{"href":144,"rel":145},"https://docs.walt.id/concepts/digital-credentials/verifiable-credentials-w3c",[115],"W3C VC"," is optional.",[69,149,150,153],{},[15,151,152],{},"Show a trust mark"," so users can confirm the wallet is officially certified.",[69,155,156,159],{},[15,157,158],{},"Pass a conformity assessment"," by an accredited body and obtain certification.",[69,161,162,165],{},[15,163,164],{},"Keep the EU Trusted Lists up to date"," so the wallet can recognise legitimate issuers and relying parties, 
and register the wallet provider on the official list so others can confirm the wallet is genuine.",[69,167,168,171],{},[15,169,170],{},"Support selective disclosure"," — show the user who is asking and exactly what data is requested, and let them approve or decline each item so only what is necessary is shared.",[69,173,174,177],{},[15,175,176],{},"Keep a transaction history"," the user can review, with the ability to delete entries or report a problem.",[69,179,180,183],{},[15,181,182],{},"Let users back up, restore, move, and revoke their wallet"," — including securely deleting all keys if the app is removed or the wallet is compromised.",[69,185,186,189],{},[15,187,188],{},"Support pseudonyms"," — give each relying party a unique pseudonym so the user can sign in without revealing their identity or being tracked across services.",[69,191,192,195],{},[15,193,194],{},"Let users sign documents"," with qualified electronic signatures (QES), which carry the same legal weight as a handwritten signature.",[69,197,198,201],{},[15,199,200],{},"Meet EU accessibility standards"," so the wallet is usable by people with disabilities.",[26,203],{},[29,205,207],{"id":206},"how-an-eudi-wallet-is-activated-under-eidas-2","How an EUDI Wallet is activated under eIDAS 2",[11,209,210],{},"Activation is the one-time setup that prepares a wallet to hold credentials securely. It follows a defined sequence that confirms the wallet meets the highest security level before any credential can be added:",[66,212,213,219,225,231,237,243],{},[69,214,215,218],{},[15,216,217],{},"Install and unlock"," — the user installs the wallet app and turns on biometric or PIN protection. 
A user account is created and linked to the wallet.",[69,220,221,224],{},[15,222,223],{},"Check the device's security"," — the wallet checks what secure hardware the device offers for protecting keys.",[69,226,227,230],{},[15,228,229],{},"Set up secure key storage"," — if the device's own secure hardware is not sufficient, the provider connects a remote hardware security module (HSM) instead. Each wallet receives its own isolated keys.",[69,232,233,236],{},[15,234,235],{},"Confirm the highest security level"," — activation completes only once the wallet's keys are protected by hardware certified to Level of Assurance High.",[69,238,239,242],{},[15,240,241],{},"Issue the Wallet Unit Attestation (WUA)"," — the provider creates and signs the WUA, the certificate that lets issuers trust this wallet, and delivers it to the wallet.",[69,244,245,248],{},[15,246,247],{},"Receive Person Identification Data (PID) from a PID provider"," — to be considered fully activated and capable of receiving other types of attestations, the wallet must obtain a PID credential from a certified PID provider. This first credential establishes the user's verified identity and unlocks the ability to request additional attestations from issuers.",[26,250],{},[29,252,254],{"id":253},"non-certified-wallets-an-alternative-path","Non-certified wallets: an alternative path",[11,256,257],{},"Certification is required for any wallet that holds PID, PuB-EAA, or QEAA credentials. For consumer or business use cases where those credential types are not needed — such as loyalty or membership cards — formal certification is not required. 
Organisations with an existing user base in banking, telecoms, travel, or healthcare can embed wallet capabilities into existing iOS and Android apps without undergoing a conformity assessment.",[11,259,260],{},"The table below shows which obligations are mandatory for a certified provider and which become optional on the non-certified path.",[262,263,264,280],"table",{},[265,266,267],"thead",{},[268,269,270,274,277],"tr",{},[271,272,273],"th",{},"Requirement",[271,275,276],{},"Certified",[271,278,279],{},"Non-Certified",[281,282,283,294,304,313,322,331,340,350,360,369,379,388,397,406,415,424,433,442,451,460],"tbody",{},[268,284,285,289,292],{},[286,287,288],"td",{},"Distribute wallet via official OS app stores",[286,290,291],{},"Required",[286,293,291],{},[268,295,296,299,301],{},[286,297,298],{},"Enforce OS-level user authentication",[286,300,291],{},[286,302,303],{},"Optional",[268,305,306,309,311],{},[286,307,308],{},"Prompt user to set up a provider account linked to the Wallet Unit",[286,310,291],{},[286,312,303],{},[268,314,315,318,320],{},[286,316,317],{},"Store keys in certified secure hardware (device chip or remote HSM)",[286,319,291],{},[286,321,291],{},[268,323,324,327,329],{},[286,325,326],{},"Activate only at the highest security level (Level of Assurance High)",[286,328,291],{},[286,330,303],{},[268,332,333,336,338],{},[286,334,335],{},"Issue Wallet Unit Attestation (WUA) during activation",[286,337,291],{},[286,339,303],{},[268,341,342,345,347],{},[286,343,344],{},"Support ISO/IEC 18013-5, SD-JWT VC, and W3C VC VCDM 2.0",[286,346,291],{},[286,348,349],{},"No requirement for all types",[268,351,352,355,357],{},[286,353,354],{},"Support OID4VCI / ISO 18013-7 issuance protocols",[286,356,291],{},[286,358,359],{},"No requirement for all standards",[268,361,362,365,367],{},[286,363,364],{},"Support OID4VP / ISO 18013-7 presentation protocols",[286,366,291],{},[286,368,359],{},[268,370,371,374,376],{},[286,372,373],{},"Provide Trust Mark view (user can 
verify certification status)",[286,375,291],{},[286,377,378],{},"—",[268,380,381,384,386],{},[286,382,383],{},"Ingest and use Trusted Lists",[286,385,291],{},[286,387,303],{},[268,389,390,393,395],{},[286,391,392],{},"Publish wallet provider trust anchor",[286,394,291],{},[286,396,303],{},[268,398,399,402,404],{},[286,400,401],{},"Present relying party identity and requested attributes to the user",[286,403,291],{},[286,405,303],{},[268,407,408,411,413],{},[286,409,410],{},"Maintain a user-accessible transaction log",[286,412,291],{},[286,414,303],{},[268,416,417,420,422],{},[286,418,419],{},"Provide backup, recovery, and migration",[286,421,291],{},[286,423,303],{},[268,425,426,429,431],{},[286,427,428],{},"Support pseudonymous authentication",[286,430,291],{},[286,432,303],{},[268,434,435,438,440],{},[286,436,437],{},"Enable qualified electronic signatures (QES/QSeal)",[286,439,291],{},[286,441,303],{},[268,443,444,447,449],{},[286,445,446],{},"Manage revocation and suspension",[286,448,291],{},[286,450,303],{},[268,452,453,456,458],{},[286,454,455],{},"Undergo conformity assessment and obtain certification",[286,457,291],{},[286,459,378],{},[268,461,462,465,467],{},[286,463,464],{},"Meet accessibility requirements",[286,466,291],{},[286,468,303],{},[26,470],{},[29,472,474],{"id":473},"build-vs-buy-how-to-meet-eidas-2-wallet-provider-requirements","Build vs buy: how to meet eIDAS 2 wallet provider requirements",[11,476,477],{},"Becoming a compliant wallet provider means implementing key management, credential formats, exchange protocols, trust list management, revocation, certification, and WUA issuance — and keeping all of them current as the ARF and Implementing Acts evolve. 
There are three paths:",[479,480,481,497,508],"ul",{},[69,482,483,486,487,491,492,496],{},[15,484,485],{},"Build apps, buy infrastructure"," ",[488,489,490],"em",{},"(recommended)"," — build only the application layer and user experience; use a managed wallet provider service (such as the ",[20,493,495],{"href":494},"/eidas2#infrastructure","walt.id Enterprise Stack",") for the technical implementation. Fastest time to market, lowest regulatory and technical risk.",[69,498,499,502,503,507],{},[15,500,501],{},"Build apps, own infrastructure"," — use open-source wallet solutions (such as the ",[20,504,506],{"href":505},"/community-stack","walt.id Community Stack",") to retain full control while avoiding having to implement key management, OID4VCI/VP, and credential formats from scratch.",[69,509,510,513],{},[15,511,512],{},"Build everything in-house"," — implement and maintain the full stack internally. Viable only for organisations with a dedicated identity engineering team.",[515,516,518],"h3",{"id":517},"how-waltid-helps-wallet-providers-comply","How walt.id helps wallet providers comply",[11,520,521],{},"The walt.id Wallet / Wallet Provider offering delivers what the requirements demand, out of the box:",[479,523,524,530,536,542,548,554],{},[69,525,526,529],{},[15,527,528],{},"Managed Wallet Provider service"," — WUA issuance, activation, and revocation; WUA status list creation, management, and publication; wallet provider admin for provisioning, monitoring, and managing wallet units via API.",[69,531,532,535],{},[15,533,534],{},"Custodial and non-custodial Wallet Units"," — both models are embeddable into existing iOS and Android applications, giving organisations full control over the end-user experience without rebuilding wallet core functionality.",[69,537,538,541],{},[15,539,540],{},"Full credential receipt and presentation over OID4VCI / OID4VP with HAIP"," and ISO/IEC 18013-5/7 — covering remote and offline flows, batch issuance, re-issuance, and selective 
disclosure.",[69,543,544,547],{},[15,545,546],{},"Key management via device Secure Enclave, external HSM, or hybrid"," — the non-custodial model uses on-device Secure Enclave or hardware-backed keystore; the custodial model integrates with HSM providers (AWS, Azure, Oracle, and others); a hybrid model is also supported for keys stored both on-device and in the cloud.",[69,549,550,553],{},[15,551,552],{},"Automated mutual authentication with attestation providers and relying parties"," via the shared Trust Service — access certificate checks, trust anchor validations, and registration certificate verification are handled automatically.",[69,555,556,559],{},[15,557,558],{},"Qualified electronic signatures via the QES service integrations"," — wallet users can create PAdES signatures and electronic seals.",[11,561,562,563,566,567,571],{},"Explore the ",[20,564,565],{"href":494},"eIDAS 2 infrastructure layer"," or ",[20,568,570],{"href":569},"/contact","talk to the team"," about a specific wallet use case.",[26,573],{},[29,575,577],{"id":576},"frequently-asked-questions","Frequently asked questions",[515,579,32],{"id":580},"what-is-an-eidas-2-wallet-provider-1",[11,582,583],{},"An eIDAS 2 wallet provider is a member state or a certified organisation that delivers and operates an EU Digital Identity Wallet for end-users. 
The provider is responsible for distributing the wallet application, ensuring it reaches Level of Assurance High, issuing Wallet Unit Attestations (WUAs) that allow issuers to trust the wallet, and managing the full lifecycle of each wallet unit from activation through revocation.",[515,585,587],{"id":586},"what-is-the-difference-between-a-certified-and-non-certified-wallet-provider","What is the difference between a certified and non-certified wallet provider?",[11,589,590],{},"A certified wallet provider operates within the formal eIDAS 2 trust framework, must undergo a conformity assessment by an accredited body, issue WUAs, enforce LoA High, ingest Trusted Lists, and publish a trust anchor. A non-certified wallet provider is a private-sector organisation that adds wallet capabilities to existing apps for consumer or business use cases where formal certification is not required — most obligations are optional, though protocols and formats must still be supported for the chosen use cases.",[515,592,594],{"id":593},"what-are-the-requirements-to-build-an-eidas-2-compliant-wallet","What are the requirements to build an eIDAS 2 compliant wallet?",[11,596,597],{},"A certified wallet provider must: distribute via official app stores; enforce OS-level user authentication; activate wallet units only at LoA High; issue WUAs during activation; implement OID4VCI v1 and OID4VP v1 with the HAIP profile plus ISO/IEC 18013-5/7; support mandated credential formats; ingest and use Trusted Lists; publish a trust anchor; provide selective disclosure, a transaction log, revocation, backup, recovery, migration, pseudonyms, and QES; undergo conformity assessment; and meet accessibility standards.",[515,599,601],{"id":600},"what-is-a-wallet-unit-attestation-wua","What is a Wallet Unit Attestation (WUA)?",[11,603,604],{},"A Wallet Unit Attestation is a digital certificate the wallet provider issues to each wallet during activation. 
It describes the wallet's security capabilities and the secure hardware protecting its keys, letting issuers confirm the wallet is genuine and meets the required security level (Level of Assurance High) before delivering any credential. It can also be used to revoke the wallet.",[515,606,608],{"id":607},"does-a-wallet-provider-have-to-be-certified","Does a wallet provider have to be certified?",[11,610,611],{},"Certification is mandatory for wallet providers that wish to operate within the official eIDAS 2 trust framework and allow users to receive PID, PuB-EAA, and QEAA credentials. However, a separate market exists for non-certified wallets serving everyday consumer and business use cases — such as loyalty programmes or employee credentials — where formal certification is not required and most obligations are optional.",[515,613,615],{"id":614},"which-protocols-and-formats-must-an-eidas-2-wallet-support","Which protocols and formats must an eIDAS 2 wallet support?",[11,617,618],{},"A certified wallet must implement OID4VCI v1 and OID4VP v1 with the HAIP profile for remote credential issuance and presentation, and ISO/IEC 18013-5 / ISO/IEC 18013-7 for offline and mdoc remote flows. 
Mandatory credential formats are ISO/IEC 18013-5 (mdoc) and SD-JWT VC (IETF); W3C VC VCDM 2.0 is optional for wallet use.",[26,620],{},{"title":622,"searchDepth":623,"depth":623,"links":624},"",2,[625,626,627,628,629,633],{"id":31,"depth":623,"text":32},{"id":60,"depth":623,"text":61},{"id":206,"depth":623,"text":207},{"id":253,"depth":623,"text":254},{"id":473,"depth":623,"text":474,"children":630},[631],{"id":517,"depth":632,"text":518},3,{"id":576,"depth":623,"text":577,"children":634},[635,636,637,638,639,640],{"id":580,"depth":632,"text":32},{"id":586,"depth":632,"text":587},{"id":593,"depth":632,"text":594},{"id":600,"depth":632,"text":601},{"id":607,"depth":632,"text":608},{"id":614,"depth":632,"text":615},"A complete guide to eIDAS 2 wallet provider requirements: what a wallet provider is, the full compliance checklist for certified wallet providers, Wallet Unit Attestation (WUA) issuance, the wallet activation flow, and how to build a compliant EUDI Wallet.","md",{},true,"/eidas2/wallet-provider","2026-06-10",{"title":5,"description":641},"eidas2/wallet-provider",[650,651,652,653,654],"eidas 2 wallet provider","eudi wallet","wallet unit attestation","build eudi wallet","eidas2","_WRSf8ImuGkpwhc3GWCgCg1ll4rhsoU6SwuezXUZeNI",1781592066368]