Germany's cabinet approved the Digital Identities Act on 20 May 2026, advancing the EUDI wallet. Here is what the new law means for KYC and onboarding teams.
Table of contents
Germany's cabinet approved the Digital Identities Act on 20 May 2026, giving the EUDI wallet its national legal basis. Every EU Member State must make a wallet available by 24 December 2026, and regulated firms must accept it by December 2027, so for KYC teams the move fixes a clear timeline for user held, selectively disclosed identity.
- Germany's Bundeskabinett approved the Digital Identities Act on 20 May 2026, after a ministerial draft on 26 March and a consultation that closed on 15 April 2026.
- The law implements the amended eIDAS Regulation and makes the EUDI wallet voluntary, free to citizens, and built to assurance level high.
- Every EU Member State must make a wallet available by 24 December 2026, and Germany plans nationwide provision from January 2027.
- Banks, payment firms and other regulated relying parties, plus very large online platforms, must accept the EUDI wallet by December 2027.
- The wallet's selective disclosure lets a user prove a single fact, such as being over 18, without handing over a full identity document.
What did Germany's cabinet approve?
On 20 May 2026 the German cabinet approved the Digital Identities Act, the Digitale-Identitäten-Gesetz. It followed a ministerial draft published on 26 March 2026 and a consultation that ran in a single round to 15 April 2026. The act translates the amended eIDAS Regulation (EU) 2024/1183 into national law and sets the rules for how the EUDI wallet is issued, recognised and supervised in Germany. Federal Minister Karsten Wildberger framed the wallet as voluntary and held to "high security and data protection standards". The bill now moves to the Bundestag. For compliance leaders the signal is the direction of travel: Germany is committing to a model where the citizen holds verified credentials and presents them on demand, the same principle behind decentralised KYC.
| Milestone | Date | Source |
|---|---|---|
| Ministerial draft published | 26 March 2026 | BMDS |
| Consultation closed | 15 April 2026 | BMDS |
| Cabinet approval | 20 May 2026 | BMDS press release |
| EU wallet availability deadline | 24 December 2026 | Regulation (EU) 2024/1183 |
| German nationwide rollout | From January 2027 | BMDS |
| Relying parties must accept | December 2027 | Regulation (EU) 2024/1183 |
How will Germany actually provide the wallet?
The eIDAS Regulation does not force a single national app. It gives each Member State three routes, and the German act builds the legal basis to use them. A Member State can develop and operate the wallet itself, entrust a private provider to build and run one on its behalf, or recognise a wallet a private provider has developed independently. That flexibility matters, because it means the EUDI wallet is a standard and an acceptance obligation, not one piece of government software. Several providers can issue compliant wallets, and a relying party must accept any wallet that meets the required assurance level. For a firm that already runs identity verification, the takeaway is to design for the wallet standard, not for a single national app that will differ across the 27 Member States.
When must banks and platforms accept the EUDI wallet?
Availability and acceptance are two separate clocks. Member States must make a wallet available to citizens by 24 December 2026. The duty on businesses to accept it lands later, by December 2027, 36 months after the relevant EU implementing acts take effect. The acceptance duty is broad. Regulated sectors including banking, payments, financial services, healthcare, telecommunications and transport must accept the EUDI wallet, as must very large online platforms, meaning those with at least 45 million monthly EU users. For a regulated firm this is concrete: by December 2027 it must be able to accept Person Identification Data, verified attributes and a qualified electronic signature presented directly from the wallet, whenever a customer chooses to use one.
What does the EUDI wallet change for your KYC obligations?
The wallet does not repeal anti money laundering law, it changes how you discharge it, so map it duty by duty. For customer due diligence, the wallet's Person Identification Data is high assurance identity evidence that can satisfy the identity-verification element of CDD, but the rest of the obligation stays: risk assessment, beneficial ownership, source of funds and ongoing monitoring are still yours to perform. For record-keeping, selective disclosure means you receive specific attributes rather than a full document image, so you must still evidence that a verification happened while holding far less raw personal data. For sanctions and PEP screening, receiving a verified attribute does not remove the duty to screen the identified person against the relevant lists. And for authentication, the wallet can supply strong customer authentication, which folds an existing payments requirement into the same credential. The net effect is that identity becomes a high quality input you accept rather than a document you collect, store and defend.
What is still uncertain or at risk?
The deadlines are firm, but several things are not, and they are where the planning risk sits. Liability allocation between the wallet provider and the relying party is still being worked out in the implementing acts, so it is not yet settled who carries the loss if a credential is later shown to be wrong or fraudulently obtained. Timelines are slipping at the edges: Germany itself targets nationwide provision in January 2027, just past the EU's 24 December 2026 date, and some Member States have signalled delays or limited functionality at launch. Interoperability across 27 national wallets is a genuine engineering question, not a given, despite the common standard. There is a cost and effort burden too, because accepting wallet credentials, qualified signatures and selective disclosure is real integration work that firms have roughly eighteen months to complete. And acceptance is mandatory while citizen use is voluntary, so firms must build for volumes that may be low at first, which makes the business case a matter of timing rather than principle.
Where do other EU countries stand?
Germany is one of the stronger national programmes, but readiness varies widely across the bloc, and a firm operating in several markets should plan for a patchwork through 2027 rather than a single switch on date.
| Member State | Wallet | Status |
|---|---|---|
| Germany | Digital Identities Act framework | Cabinet approved 20 May 2026; nationwide from January 2027 |
| France | France Identité | Live, linked to the national ID card by NFC, 1,800+ services via FranceConnect |
| Italy | IT-Wallet | Public beta testing early 2026 |
| Spain | National eID based wallet | Expected to move quickly on high existing eID penetration |
| Netherlands | National wallet | Signalled delays or limited functionality at launch |
Designing to the shared EUDI wallet standard, rather than to any one national app, is what keeps an onboarding flow working in every market at once.
How should compliance teams prepare now?
Teams do not need to wait for every implementing act to start. Map where onboarding collects more personal data than a decision actually needs, and decide which attributes you would accept from a wallet for each check. Favour verification the user can reuse across providers, keep an exportable audit trail a supervisor can read, and treat acceptance as an additional method rather than a rip and replace, since the wallet is mandatory to accept but voluntary to use. The breach record shows why minimisation matters: the IDMerit data leak exposed roughly one billion records, and the Discord age verification backlash followed the collection of full identity documents that a single attribute could have replaced. This is the model Zyphe runs: identity verified by reading the NFC chip to ICAO 9303 and eIDAS standards with no image upload, a reusable credential rather than a stored honeypot, and an exportable audit trail. See the how it works page, or book a demo to test it against your onboarding.
The bottom line
Germany's Digital Identities Act is one national step, but it sets a clear destination for the whole bloc: identity that the user holds and discloses selectively, verified to a high standard and reused across services. The deadlines are now firm, with wallets available across the EU around the end of 2026 and mandatory acceptance by December 2027, while liability, interoperability and adoption are still being settled. Compliance teams that map their obligations to the wallet now, and move toward reusable, data minimising verification, will meet the EUDI wallet on their own terms rather than scrambling when acceptance becomes mandatory.
Cited sources
Michelangelo Frigo(Co-Founder at Zyphe)Michelangelo Frigo is a privacy and identity infrastructure expert and co-founder of Zyphe.