EUDI Wallet by December 2026: how business document certification changes in Europe

Since Regulation (EU) 2024/1183 entered into force on 20 May 2024, Europe has had a common framework for digital identity. Every Member State will have to make at least one European digital identity wallet, the EUDI Wallet, available to its citizens and businesses, and under the European Commission roadmap that availability is expected by the end of 2026. For anyone running onboarding, contract signing or document management inside a company, that shifts the ground.

There is one point, though, that almost nobody is addressing. The EUDI Wallet business case establishes with a high level of assurance who performs an action: who opens an account, who signs a mandate, who accesses a service. What the wallet does not attest is that a photo, a video, a screenshot or a document uploaded during that action faithfully represents reality at the moment it was captured. Between "data presented by the wallet holder" and "data certified as authentic" there is an evidentiary gap. So the question is a plain one: is verified identity enough to make the content that identity presents authentic too?

The answer is no, and this article explains why. The wallet covers identity. The authenticity of the content comes from certification at source: controlled capture of the data plus a qualified electronic seal issued by a third-party QTSP plus an eIDAS timestamp. The two layers are complementary. Together they cover both who presents and what is presented.

Key takeaways

  • The EUDI Wallet is expected to be available across Europe by the end of 2026 under the Commission roadmap, and from 24 December 2027 regulated sectors will have to accept it.
  • The wallet certifies the identity of who presents data, not the authenticity of the captured data (photos, video, screenshots, documents, video calls).
  • Certification at source closes that gap by applying a qualified electronic seal from a third-party QTSP and an eIDAS timestamp at the moment of capture.
  • For banks, insurers, healthcare, real estate and law firms, the two layers should be integrated, not confused.

What the EUDI Wallet is and what changes from December 2026

The EUDI Wallet is the European digital identity wallet that every Member State must provide so that citizens and businesses can identify themselves, authenticate and share verified attributes securely across the Union. For companies, one operational fact changes: from 2026 a growing share of customers and counterparties will be able to present their identity at a high level of assurance straight from the wallet, and from 24 December 2027 regulated sectors will be required to accept it.

The wallet is governed by Regulation (EU) 2024/1183, which amends Regulation (EU) 910/2014 (eIDAS) and establishes the European Digital Identity Framework. Each Member State must make it available within 24 months of the adoption of the implementing acts, the first of which date to the period between late 2024 and 2025. Under the European roadmap, availability is therefore expected by the end of 2026.

Two elements matter most for people working in business. The first is what the wallet holds. Alongside person identification data (PID) issued by the State, it stores electronic attestations of attributes (EAA) and qualified ones (QEAA): professional titles, authorisations, powers of representation. With selective disclosure the user shares only the attribute requested, say being of legal age or registered with a professional body, without exposing the whole document.

The second is the Business Wallet, designed for legal persons. It lets a company present, in a verifiable way, its identity as a legal entity, the signing powers of whoever acts on its behalf, and data drawn from official sources such as the business register. It matters in B2B relationships where the point is not only who the person is, but whether that person can legally bind the company.

In Italy the national IT-Wallet system was already launched in 2024-2025 inside the IO app, a national rollout that sits within the eIDAS 2.0 perimeter and is set to converge towards the European standard. National wallet and European digital identity for companies are not competitors: they are the same two-tier framework.

The EUDI Wallet is the European digital identity wallet established by Regulation (EU) 2024/1183, in force since 20 May 2024. Each Member State must make it available within 24 months of the adoption of the implementing acts, and under the European Commission roadmap availability is expected by the end of 2026. The wallet holds person identification data issued by the State (PID), electronic attestations of attributes (EAA) and qualified attestations (QEAA), and for legal persons a Business Wallet is foreseen, which attests the company's identity and the signing powers of whoever acts for it. Core functions include high-assurance authentication, a free qualified electronic signature for natural persons in non-professional use, and selective disclosure, which lets the holder share only the attribute strictly required.

Verified identity does not mean authentic data: the gap the wallet does not cover

The wallet attests who you are, not what you show. It verifies, at a high level of assurance, the identity of whoever performs an action and the authenticity of the attributes held inside it. It does not certify that a photo, a video, a screenshot or a document captured during that same action matches reality at the moment it was taken. That distinction is the heart of the problem for businesses.

An example makes it concrete. A customer opens an account remotely and identifies with the EUDI Wallet: the bank knows exactly who they are, at a level of assurance that until recently required physical presence. Then, in the same flow, the customer uploads a photo of a payslip, a bank statement, a picture of a property pledged as collateral. The wallet has certified the uploader's identity. It says nothing about whether that payslip has been altered, whether that photo was generated or manipulated, whether that screenshot really shows what it claims. The data is presented by a verified identity, but it is not certified as authentic.

This gap matters because the evidentiary weight of a piece of evidence depends on its integrity and its provenance, not only on the identity of whoever hands it over. In a dispute, in litigation, in a supervisory authority's review, the question is not just "who uploaded this document" but "is this document intact and traceable to the moment and the context of its capture". The wallet answers the first. The second needs a different layer.

Unlike the EUDI Wallet, which attests with a high level of assurance the identity of whoever presents data, certification at source attests the integrity and provenance of the content itself at the exact moment of its capture. A wallet can confirm that it is a given person uploading the photograph of a document; it cannot confirm that the photograph was not altered or artificially generated before being uploaded. The evidentiary value of digital evidence depends on both planes: the identity of the presenter and the authenticity of the content. Certification at source acts on the second, capturing the data in a controlled way and applying a qualified electronic seal from a third-party QTSP together with an eIDAS timestamp. Identity and content remain two distinct, complementary guarantees: the wallet covers the first, certification at source covers the second.

The table below summarises what each of the two layers attests.

Dimension EUDI Wallet Certification at source
What it attests The identity of who presents the data The authenticity and integrity of the data presented
Object Person or company (PID, attributes, signing powers) Photos, video, screenshots, documents, video calls
Moment of the guarantee At authentication and attribute presentation At the capture of the content
Instrument Wallet with credentials and qualified attributes Controlled capture, third-party QTSP seal, eIDAS timestamp
Question it answers "Who is presenting this data?" "Is this data intact and traceable to its capture?"
Coverage on an altered document Confirms who uploaded it, not whether it is authentic Seals integrity and provenance at the moment of capture

Where certification at source is needed in business workflows

Certification at source is needed wherever a piece of digital evidence has to hold up over time, including under challenge. Three business workflows make it plain: onboarding with due diligence, the signing of contracts and mandates, and the evidentiary archiving of captured evidence. In each one the wallet identifies the person, but the content that person brings along still has to be certified.

Onboarding and customer due diligence (KYC)

In KYC onboarding the wallet verifies the customer's identity at a high level of assurance, while certification at source secures the documents and captures collected during the check. These are two steps of the same process, not the same step.

The EUDI Wallet simplifies identification: no manual upload of the ID document, no video face check, no risk that the photo of the identity card has been tampered with, because the attribute arrives signed by the State. What stays uncovered is every supporting document that anti-money-laundering rules require and that does not live inside the wallet: proof of residence, income documentation, company filings, the photo of an asset. These documents are uploaded by the user and, to the wallet, they are simply "attachments presented by a verified identity".

In KYC onboarding the EUDI Wallet verifies the customer's identity and the qualified attributes held in the wallet, removing the manual upload of the ID document. What stays uncovered is the supporting documentation that anti-money-laundering rules require and that does not reside in the wallet: proof of residence, income documents, company filings, photos of assets. These attachments are uploaded by the user and, to the wallet, are simply files presented by a verified identity, with no guarantee about their integrity. Certification at source intervenes precisely here: it captures the document in a controlled way and applies a qualified electronic seal from a third-party QTSP with an eIDAS timestamp, making the capture defensible as evidence. Identity verified by the wallet and content certified at source together complete the due diligence chain.

Signing contracts and professional mandates

When a contract or a mandate is signed through the wallet, the signatory's identity is solid, but the attachments and supporting evidence accompanying the act need a separate guarantee. The wallet enables signing with a high-assurance identity. Certification at source protects what travels with the act.

A professional mandate, a power of attorney, a property purchase agreement do not live on the signature alone. They come with appraisals, photographs of the state of premises, recordings of video calls in which consent is gathered or a condition is verified. To give legal value to an onboarding video call or a remote site inspection, TrueScreen captures and seals the recording at the moment of capture, so the session stays as defensible as the act it accompanies. Two concepts need to stay apart here: the electronic seal certifies the integrity of content, while the advanced electronic signature concerns a user subscribing to a document. The difference between seal and signature plays out clearly in these business flows.

Evidentiary archiving of captured evidence

For evidentiary archiving the wallet is not enough: you need a seal applied to the content, not to the identity of whoever handed it over. An archived document stays defensible if its integrity and its timestamp can be demonstrated years later, regardless of how it was presented.

The wallet leaves no trace of integrity on the individual archived file. In evidentiary archiving, TrueScreen provides the qualified electronic seal from a third-party QTSP and the qualified timestamp that the wallet, on its own, does not apply to the content. It is the difference between holding an archive of documents "received from identified customers" and holding an archive of evidence each sealed, dated and traceable to the moment of its capture. This sits naturally alongside certified digitization of documents, where the integrity of the digital copy is what gives it weight over time.

TrueScreen certified client onboarding

Use case

Certified Client Onboarding: Document Verification with Legal Value

See how TrueScreen certifies the documents collected during onboarding, so identity verified by the wallet and content certified at source complete the due diligence chain.

Discover more →

EUDI Wallet and eIDAS 2.0: the regulatory framework for businesses

The regulatory framework of the EUDI Wallet stems from the revision of eIDAS carried out by Regulation (EU) 2024/1183. For businesses this means that digital identity, qualified attributes and trust services now sit within a single European frame, with defined deadlines and a clear role for security bodies. Implementation runs through the implementing acts adopted between late 2024 and 2025, which set the wallet's technical specifications, and it foresees a role for ENISA in the cybersecurity certification of the architecture.

Regulation (EU) 2024/1183, in force since 20 May 2024, amends Regulation (EU) 910/2014 (eIDAS) and establishes the European Digital Identity Framework known as eIDAS 2.0. It requires every Member State to make at least one EUDI Wallet available within 24 months of the adoption of the implementing acts, the first of which were adopted between late 2024 and 2025. ENISA contributes to the cybersecurity certification of the wallet architecture. From 24 December 2027 regulated sectors, including banking, insurance, telecommunications, energy and healthcare, will have to accept the EUDI Wallet as a means of identification. For businesses the regulation unifies digital identity, qualified attributes and trust services into a single European frame, with defined deadlines and interoperability requirements between Member States.

The table below reconstructs the main milestones from 2014 to the 2027 deadline.

Year Regulatory milestone What it brings
2014 Regulation (EU) 910/2014 (eIDAS) European framework on electronic identity and trust services (signature, seal, timestamp)
2021 Commission proposal for eIDAS 2 Start of the revision and introduction of the EUDI Wallet concept
20 May 2024 Entry into force of Reg. (EU) 2024/1183 eIDAS 2.0: the European Digital Identity Framework is established
2024-2025 Adoption of the implementing acts Wallet technical specifications; IT-Wallet rollout in Italy
By end of 2026 EUDI Wallet availability in Member States Each State provides at least one wallet (24 months from the implementing acts)
24 Dec 2027 Acceptance obligation Regulated sectors must accept the EUDI Wallet

On the trust services side, eIDAS 2.0 confirms and reinforces the role of the qualified electronic seal and of QTSPs. To avoid duplicating what is covered elsewhere, see the dedicated analysis of the qualified electronic seal and QTSPs for businesses: there the focus is the seal as an instrument of certification, here it is the plane of identity and the wallet.

What certification at source is and how it integrates with the EUDI Wallet

Certification at source is the controlled, technical capture of a piece of data (photos, video, screenshots, documents, video calls) to which, at the exact moment of capture, a qualified electronic seal issued by a third-party QTSP and an eIDAS timestamp are applied. While the wallet attests the identity of whoever presents the data, certification at source attests the integrity and provenance of the content. The two layers integrate: the wallet identifies the user, certification at source authenticates the evidence.

TrueScreen, the Data Authenticity Platform, integrates the seal of qualified third-party QTSPs via API and certifies the data at the exact moment of capture, closing the gap between presented data and signed data. It does not issue qualified certificates itself: the qualified electronic seal and the eIDAS timestamp are issued by qualified third-party QTSPs and applied to the content through the platform. The data is captured, its hash is computed, and onto that hash the seal and timestamp are placed, so that any later alteration becomes detectable and the evidence stays traceable to the moment of capture.

In operational terms, integration with business workflows happens technically: a certification API with legal value lets you insert certification at source into existing onboarding, document management and signing processes without redesigning them. Capture can happen through a mobile app for photos and video in the field, through a forensic browser for screenshots and web content, or through certified video calls for sessions and meetings with legal value. In every case the principle stays the same: certify what is true at the moment of capture, instead of trying to recognise the false after the fact. Whichever QTSP sits behind the seal, you can check QTSP availability on the EU Trusted List before relying on it.

Two examples show how the two layers work together.

Take a professional mandate. The professional signs by presenting their identity and signing powers from the EUDI Wallet, and attaches a photographic appraisal to the file. With certification at source those photographs are sealed at the moment they are taken: identity is guaranteed by the wallet, the appraisal by the certification, and the whole file holds.

Or the opening of a fiduciary account at a bank. The customer identifies with the wallet and provides the company documents as verified attributes. During the handover of assets or valuables, a report with photographs and a short video call are captured and authenticated. The wallet covers identity and powers, certification at source covers the handover report, and together they produce a file that is defensible on both planes.

TrueScreen certified digital signing of documents and contracts

Use case

Digital signing of documents and contracts with legal validity

See how TrueScreen certifies the attachments and evidence that travel with a signed contract or mandate, so the whole file holds alongside the identity from the wallet.

Discover more →

2026 integration roadmap for CIOs, DPOs and Compliance leads

Preparing for the EUDI Wallet does not mean only enabling wallet acceptance, but mapping where verified identity is enough and where the content has to be certified too. The checklist below helps CIOs, DPOs and Compliance leads set up the integration across 2026, ahead of wallet availability and in view of the 24 December 2027 acceptance obligation.

  1. Map the flows that use digital identity. Onboarding, contract signing, privileged access, delegations: identify every point where an identity is verified today and where the EUDI Wallet will replace or sit beside it.
  2. Separate identity from content in each flow. For every process, split what the wallet certifies (who presents) from what stays uncovered (photos, video, screenshots, documents, video calls captured during the process).
  3. Check wallet acceptance in regulated sectors. If the company operates in banking, insurance, telecommunications, energy or healthcare, plan EUDI Wallet acceptance in view of the 24 December 2027 obligation.
  4. Assess the Business Wallet for B2B relationships. Decide where it matters to present and receive company identity with signing powers verified by official sources.
  5. Define where certification at source is needed. Identify the attachments and evidence that must hold up as evidence and introduce the QTSP seal and the eIDAS timestamp on the content, not only on the identity.
  6. Align retention and evidentiary archiving. Make sure certified evidence is kept with its timestamp and demonstrable integrity over time, consistently with GDPR requirements on data processing.
  7. Involve the DPO on minimisation. Use the wallet's selective disclosure to reduce the data collected, documenting the legal basis for each attribute requested.
  8. Plan technical integration via API. Insert certification at source into existing systems through APIs, avoiding flow redesign and reducing the impact on the user experience.

One principle should guide every choice: the EUDI Wallet business case and certification at source do not replace each other, they complete each other. Whoever sets up the two layers together reaches 2027 with processes in which both the identity of who acts and the authenticity of what is produced stay guaranteed and defensible.

FAQ: EUDI Wallet and certification at source for businesses

Does the EUDI Wallet certify document authenticity?
No. The EUDI Wallet certifies the identity of whoever presents a document and the authenticity of the attributes held in the wallet (such as personal data or signing powers), but it does not attest that a photo, a screenshot or an uploaded document is intact or matches reality. Content authenticity comes from certification at source, which applies a qualified electronic seal from a third-party QTSP and an eIDAS timestamp at the moment of capture.
Is the wallet enough for evidentiary archiving?
No. The wallet attests the identity of whoever hands over a document, but it leaves no verifiable integrity guarantee on the individual file over time. Evidentiary archiving needs a seal applied to the content, together with an eIDAS timestamp, so the evidence stays defensible and traceable to the moment of its capture even years later. That is what certification at source provides, complementary to the identity verified by the wallet.
What is the Business Wallet?
The Business Wallet is the version of the EUDI Wallet designed for legal persons. It lets a company present, in a verifiable way, its identity as a legal entity, the signing powers of whoever acts on its behalf, and data from official sources such as the business register. It is foreseen by the eIDAS 2.0 framework and built for B2B relationships where you need to know not only who the person is, but whether they can legally bind the company.
When will the EUDI Wallet be available?
Under the European roadmap, Member States must make at least one EUDI Wallet available within 24 months of the adoption of the implementing acts, with availability expected by the end of 2026. As a national example, Italy's IT-Wallet was launched in 2024-2025 inside the IO app, part of a national rollout set to converge towards the European EUDI Wallet standard.
When does the EUDI Wallet obligation start for companies?
From 24 December 2027 regulated sectors, including banking, insurance, telecommunications, energy and healthcare, will have to accept the EUDI Wallet as a means of identification. Wallet availability is expected earlier, by the end of 2026: the intervening period is the window to adapt onboarding, signing and document management flows.

Certify what is true at the moment of capture

Verified identity is only half the picture. With TrueScreen you seal the integrity and provenance of photos, video, screenshots and documents at the exact moment of capture, complementing the EUDI Wallet across onboarding, signing and evidentiary archiving.

mockup app