What regulations govern digital ID use in the United States and EU (2024)?
Executive summary
The European Union now governs digital ID through a reinforced eIDAS framework (Regulation (EU) 2024/1183) that establishes a mandatory, interoperable European Digital Identity Wallet and associated implementing acts; member states must provide at least one wallet to citizens and residents under tight technical and certification rules [1] [2] [3]. The United States, according to available reporting, has not enacted a single federal digital‑ID law equivalent to eIDAS; instead U.S. authorities (notably NIST) are coordinating standards and a transatlantic mapping exercise with the EU, leaving implementation to agencies and states while the U.S.–EU dialogue continues [4].
1. The EU’s new legal backbone: eIDAS 2.0 and Regulation (EU) 2024/1183
The European Parliament and Council adopted Regulation (EU) 2024/1183 to amend the 2014 eIDAS regime and formally create a European Digital Identity Framework that entered into force in May 2024, giving the EU legal authority to require interoperable digital identity wallets across Member States [2] [3] [5]. The Regulation spells out that capable wallets must be available to any EU citizen, resident, or business that requests one and that the core rules and technical specifications are set out in implementing acts and an Architecture and Reference Framework to guarantee interoperability across borders [6] [7] [2].
2. What the Wallet must do and when — timelines and certification
Under eIDAS 2.0, Member States are required to make at least one EU Digital Identity Wallet available within defined deadlines: implementing acts published in late 2024 set timelines that effectively require national wallets to be offered to users within 24 months of those acts (i.e., by the end of 2026 for the first wave), with the Commission providing core specifications and testing guidance [3] [2] [8]. Before deployment, wallets must meet cybersecurity certification under the EU Cybersecurity Act and data‑protection certification consistent with the GDPR, and the Commission adopted implementing rules in late 2024 to govern registers, interfaces and core functions [1] [7].
3. Privacy, pseudonymity and technical safeguards written into the law
The Regulation and attendant commentary position privacy and user control as central: wallets are intended to let users share selected attributes (for example proving age without revealing a birthdate), implement cryptographic, device‑based protections, and enable revocation and redress if relying parties misuse data; the text also preserves a right to pseudonymity and requires alignment with GDPR data‑protection norms [3] [1] [9]. EU sources emphasize certification, mandatory technical standards and end‑to‑end security measures—multi‑factor authentication, encryption and liveness checks are cited in industry and Commission briefings as expected controls [3] [2].
4. Where the wallets must be accepted — public and specified private uses
The EU framework requires acceptance of EUDI Wallets by digital public services across the Union and envisages mandatory recognition by certain private relying parties—especially where high‑assurance identification is needed such as financial services or very large online platforms—creating legal obligations for both government and designated private actors to accept wallet‑based authentication [1] [10].
5. The U.S. picture: standards, mapping exercises, and a patchwork implementation space
U.S. reporting provided here does not show a single federal digital‑ID law comparable to eIDAS; instead, the National Institute of Standards and Technology has been involved in a transatlantic mapping exercise and solicited feedback on draft documents that compare U.S. approaches with EU rules, reflecting an emphasis on standards harmonization rather than a unilateral U.S. mandate [4]. The available sources describe dialogue and technical alignment efforts between the U.S. and EU, not a unified federal requirement in the United States; limits in the reporting prevent definitive statements about individual state laws or agency programs without further source material [4].
6. Stakes, tensions and what to watch next
The EU’s approach ties legal obligations, cross‑border interoperability and privacy safeguards into a single regulatory package that mandates wallets and certification, while the United States, per the mapping work reported, is focused on standardization and cooperation rather than an immediate EU‑style mandate. That divergence raises near‑term interoperability and policy questions for transatlantic services and platforms; ongoing Commission implementing acts, national rollouts through 2026 and NIST’s final mapping outputs are the concrete milestones to monitor [7] [3] [4].