September 2025: Europe Scales Up While the UK Breaks New Ground

An enterprise-focussed post to help keep up with key developments from September 2025 in EU and UK digital identity ecosystems.
Published on October 7, 2025

September 2025 marked a pivotal moment for digital identity in Europe and the UK. While the EU pushed forward with large-scale testing and cross-border coordination, the UK made its most significant digital identity policy announcement in decades. Both regions hit critical milestones, but both also exposed fundamental challenges that will shape implementation over the next 15 months.

For organisations building verification services and enterprises preparing to accept digital credentials, September revealed where the opportunities lie and where the risks remain.

Here's what happened and why it matters...

Europe: From Pilots to Production (With Growing Pains)

The WE BUILD Launch: Business Identity Gets Serious

On September 3-4, the WE BUILD consortium officially launched in Amsterdam, bringing together 197 organisations across 27 countries with a €25 million budget. This represents the first major focus on business and organisational identity within the EUDI Wallet framework, addressing a critical gap that previous pilots overlooked.

The consortium includes 20 wallet providers, 13 business register providers, 30 Qualified Trust Service Providers, and 25 public agencies. It will test 13 high-impact use cases including cross-border business verification, legal representation via power of attorney, signatory rights attestations, and Ultimate Beneficial Owner attestations.

Why this matters:
Most digital identity discussion focuses on individual consumers. WE BUILD recognises that businesses need verifiable organisational credentials too. For enterprises, consider the operational impact: when a company opens a bank account in another EU country, or when someone signs a contract on behalf of their organisation, verification requirements are complex and paper-heavy. Business wallets could streamline cross-border operations that currently require stacks of notarised documents and apostilles.

This opens new use cases beyond consumer onboarding. B2B relationships, supply chain verification, and regulatory compliance could all benefit from standardised organisational credentials.

Travel Testing: Proof It Actually Works

Amadeus and Lufthansa announced successful Phase 3 testing of the EUDI Wallet during summer 2025, with 160 frequent flyers completing one-click check-in, contactless self-service, automated bag-drop, and boarding gate validation. Of those, 153 completed successfully, representing a 96% success rate in real-world conditions.

Travellers tapped their phones at check-in desks, kiosks, bag-drop machines, and boarding gates instead of manually entering information or presenting physical documents. As Patrick Sgueglia from Lufthansa noted: "We don't want to recreate the wheel here. We want to use something people are used to, iOS, Apple wallet, this is exactly what that is."

Why this matters:
Travel represents one of the most complex cross-border use cases, involving multiple verification points, time pressure, and diverse user populations. Successful testing here validates the technical approach and provides confidence for broader adoption. However, challenges remain regarding alignment between ICAO Digital Travel Credentials standards and EUDI Wallet specifications. Different standards bodies working in parallel create integration complexity that will need resolution before widespread deployment.

The Certification Crisis That Won't Go Away

September crystallised a problem that's been building: the certification scheme won't be ready when Member States need it. ENISA is not expected to deliver the EU-wide certification scheme until after the December 2026 rollout deadline, with the first draft expected in 2026 and the European scheme published as an Implementing Act by end of 2026.

Igor Ljubi from Croatia's Ministry of Digital Transformation put it bluntly: "I'm worried about certification. If there's no scheme, there is no wallet."

Until then, Member States must rely on transitional national certification schemes, creating a risk of fragmentation across 27 jurisdictions. Certification is further complicated by the number of components involved: the Wallet Secure Cryptographic Device (WSCD), the Wallet Secure Cryptographic Application (WSCA), smartphone operating systems, and applications all require separate certification under Common Criteria Composite Evaluation.

Why this matters:
Without harmonised certification by December 2026, the ecosystem risks severe fragmentation and reduced cross-border trust. A credential certified in France might not be trusted in Germany if certification standards differ. This undermines the entire value proposition of a European digital identity system. Organisations building verification services need to prepare for a period of uncertainty around which credentials to accept and which certification schemes to trust.

Member State Readiness: A Mixed Picture

Assessment data from May 2025 (relevant through September) shows concerning disparities:

  • Production Wallets (9 countries): Austria, Belgium, Cyprus, Czech Republic, France, Hungary, Italy, Poland, Portugal
  • Under Development (13 countries): Denmark, Estonia, Finland, Germany, Greece, Iceland, Ireland, Latvia, Netherlands, Slovakia, Slovenia, Spain, Sweden
  • No Initiative Started (4 EU Member States): Bulgaria, Croatia, Malta, Romania

Italy continues to lead with over 4 million activated wallets and 7 million digital documents issued by September 2025. However, Latvia faces awareness challenges, with a Norstat survey showing 69% of Latvians know nothing about the digital identity wallet.

Why this matters:
The four Member States that hadn't started implementation by mid-2025 face extreme time pressure to meet the December 2026 deadline. Even countries in development phases may struggle to complete development, testing, certification, and deployment in the remaining timeframe. This creates a risk of non-uniform deployment across the EU, potentially undermining cross-border interoperability.

For enterprises operating across Europe, this means you may need to support multiple verification approaches depending on which countries your customers come from, at least initially.

Technical Progress: ARF 2.4.0 and Standards Evolution

The European Commission published Architecture Reference Framework version 2.4.0 on September 17, incorporating five initial implementing regulations and subsequent Commission Implementing Regulations from 2025. The update provides stable technical specifications for Member States and wallet providers.

Key technical elements include support for ISO/IEC 18013-5 and ISO/IEC 23220-2 formats, SD-JWT VC (SD-JWT-based Verifiable Credentials, where SD-JWT is Selective Disclosure for JSON Web Tokens), W3C Verifiable Credentials Data Model v2.0, OpenID4VP and OpenID4VCI protocols, and W3C Digital Credentials API integration.

The W3C Credentials Community Group also published Verifiable Credential Rendering Methods v0.9 on September 8, addressing standardised rendering of verifiable credentials across different wallet implementations.

Why this matters:
These specifications provide the foundation for interoperable implementations. The incorporation of multiple standards (W3C, ISO, IETF) reflects the reality that different regions and use cases have adopted different technical approaches. Supporting this diversity is essential but adds complexity for verification services.

At Vidos, we've built our verification stack to support these multiple credential formats precisely because we anticipated this standards diversity. Our Verifier handles W3C Verifiable Credentials, JWT, JSON-LD, and ISO 18013-5 mDocs through a single API, so enterprises don't need separate integrations for each format.

UK: Bold Policy Meets Implementation Reality

The Mandatory Digital ID Bombshell

On September 26, Prime Minister Keir Starmer announced a mandatory digital ID scheme for all UK citizens and legal residents, with digital ID becoming mandatory for Right to Work checks by the end of Parliament (potentially August 2029).

The free digital ID will be stored on smartphones containing name, date of birth, nationality or residency status, and photo for biometric security. The government emphasised that police cannot demand to see digital ID, maintaining current UK precedent against routine identity checks, and the ID will not be required for accessing NHS services or benefits except when seeking employment.

Prime Minister Starmer positioned the scheme as addressing illegal working while streamlining access to driving licences, childcare, welfare, and tax records. The security architecture features state-of-the-art encryption with credentials stored directly on devices rather than centralised databases, enabling immediate revocation if phones are lost or stolen.

Why this matters:
This represents the most significant UK digital identity policy development in decades, reviving concepts from Tony Blair's failed biometric ID card attempt 20 years ago. Political opposition emerged immediately, with Conservative leader Kemi Badenoch stating "We won't back any system that makes ID mandatory for British citizens," and Liberal Democrats opposing forcing people to "turn over their private data." Over 2 million signatures appeared on petitions opposing the scheme within weeks.

The controversy illustrates that technical infrastructure readiness does not guarantee public acceptance of mandatory identity systems. For organisations building in this space, the political dimension matters as much as the technical one. It's worth remembering that significant initiatives were already underway through the UK Digital Identity and Attributes Trust Framework (DIATF), and the industry hopes these existing standards and certification processes will align with any new BritID scheme if introduced.

Strategic Sector Adoption: Where the Real Work Happens

On September 18, OfDIA published strategic guidance outlining priority sectors for digital verification adoption: employment, age-restricted products, financial services, property, and travel.

In employment, millions of secure digital Right to Work and DBS checks already occur monthly, reducing processing time from days to minutes. For age-restricted products, the Home Office announced legislative changes allowing digital verification for alcohol purchases in England and Wales, with changes expected by end of 2025. The changes will extend to tobacco, vapes, fireworks, and gambling.

In financial services, the government committed to produce bespoke GOV.UK guidance on using digital verification services for Money Laundering Regulations identity verification checks, addressing the current lack of clarity for financial institutions on KYC requirements.

Why this matters:
This reveals the government's methodical approach to expanding digital identity from employment screening into consumer-facing transactions and financial services. Each sector has different regulatory requirements, risk profiles, and user expectations. The focused approach allows for learning and refinement before broader rollout.

For verification service providers, this creates clear market opportunities with regulatory support. Organisations can prioritise development roadmaps around these specific use cases knowing the regulatory framework will support adoption.

Governance Tensions Emerge

In September, the Age Check Certification Scheme filed a formal complaint with European Accreditation alleging that the UK DIATF "is not fit for accreditation" due to transparency issues with certification scheme rules from DSIT.

The complaint identified five technical issues, including that Good Practice Guides 44 and 45 are not normative documents and provide ambiguous requirements without measurable outcomes, making it "technically impossible" for Conformity Assessment Bodies to meet ISO/IEC 17065 accreditation requirements. Most significantly, ACCS raised concerns about DSIT both operating the governance mechanism and providing the technology being governed (GOV.UK One Login), creating potential conflicts of interest.

Why this matters:
The complaint reveals tensions within the digital identity industry about accreditation transparency and governance as the framework transitions from pilot to formal implementation. While the technical standards may be sound, questions about governance processes could undermine trust in the certification scheme.

For organisations seeking certification, this creates uncertainty about long-term stability of certification requirements. The outcome of this complaint could reshape how UK digital identity governance operates.

The UK Goes It Alone

Research across UK government sources, EU official sources, and international digital identity news from September found no evidence of UK-EU cooperation, bilateral agreements, or interoperability initiatives specifically related to eIDAS 2.0. The UK's mandatory digital ID announcement referenced international examples from Australia, Estonia, Denmark, and India but made no mention of EU cooperation or eIDAS 2.0 interoperability.

While UK eIDAS allows the legal effect of EU qualified trust services to continue being recognised in the UK, no reciprocal agreement exists. The Information Commissioner's Office confirms that UK qualified trust services are not automatically recognised as equivalent in the EU.

Why this matters:
The structural separation indicates the UK is pursuing digital identity development independently from EU eIDAS 2.0, with international learning from multiple jurisdictions but no formal UK-EU digital identity interoperability arrangements. For enterprises operating in both regions, this means supporting two separate systems with different technical standards, governance frameworks, and certification requirements.

The question remains whether the GOV.UK Wallet will achieve international interoperability comparable to the EU Digital Identity Wallet. Legal analysis noted: "It remains to be seen whether the UK government has similar ambitions for the GOV.UK Wallet to be more than a domestic form of electronic ID and to receive mutual recognition outside the UK."

What This Means for the Industry

September 2025 demonstrated both the progress and challenges facing digital identity implementation:

The shift from pilots to production is underway. WE BUILD's launch with 197 organisations, Amadeus and Lufthansa's successful travel testing, and the UK's mandatory ID announcement all signal that digital identity has moved beyond experimental phases. Enterprises need to prepare for integration.

Certification and standards remain the critical path. Both regions face certification challenges, though of different types. The EU lacks a harmonised scheme before the December 2026 deadline, while the UK faces governance questions about its certification process. Standards diversity (W3C, ISO, IETF, OpenID) creates interoperability complexity that verification services must navigate.

Political and social acceptance matters as much as technical capability. The UK's mandatory ID announcement sparked immediate backlash, demonstrating that technical infrastructure readiness does not guarantee public adoption. The EU's multi-national coordination challenges show the difficulty of harmonising digital identity across diverse political and cultural contexts.

The UK and EU are pursuing independent paths. Organisations operating in both regions must support separate systems with different requirements. This increases complexity but also creates opportunities for verification services that can bridge both ecosystems.

The Vidos Perspective

At Vidos, we're tracking all these developments to ensure our verification infrastructure supports these emerging ecosystems. UK DIATF certification positions us as a trusted partner in the UK market, while our support for W3C Verifiable Credentials, ISO 18013-5 mDocs, SD-JWT VC, and other formats ensures compatibility with EU requirements.

We've built our service architecture specifically to handle this standards diversity. For example, the Vidos Verifier cryptographically validates credentials across formats without requiring separate integrations for each. The Vidos Universal Resolver supports multiple DID methods (did:web, did:ethr, did:key, did:webvh) through a single API. This standards-agnostic approach reflects the reality that different regions, use cases, and industries have adopted different technical paths.

September confirmed what we've been building toward: enterprises need verification services that work across jurisdictions and standards without forcing them to become digital identity experts. As both regions move from pilots to production, the organisations that succeed will be those that can verify credentials reliably regardless of which wallet issued them or which standard they follow.

Looking Ahead

Key questions for the coming months:

Will the EU resolve its certification crisis before December 2026?
The current timeline suggests Member States will deploy wallets before harmonised certification exists, creating fragmentation risks.

Can the UK government build public support for mandatory digital ID?
The political opposition suggests significant challenges ahead, potentially delaying or modifying implementation plans.

How will the four Member States with no wallet initiatives meet the deadline?
Bulgaria, Croatia, Malta, and Romania face extreme time pressure, raising questions about enforcement of the December 2026 requirement.

What happens when biometric security standards remain incomplete at deployment?
The EU's admission that critical security standards won't be ready suggests potential vulnerabilities or expensive post-deployment retrofitting.

Will UK-EU interoperability ever materialise?
The complete absence of cooperation discussions in September suggests divergent paths, with implications for international businesses and cross-border services.

We continue tracking these developments and updating our infrastructure to support whatever emerges. For organisations preparing to accept digital credentials, the message from September is clear: start preparing now, build for flexibility across standards, and expect continued evolution in both regulatory requirements and technical specifications.

The digital identity future is arriving faster than many expected. The question is no longer whether it will happen, but how quickly organisations can adapt to support it.

Preparing your digital identity implementation?

Whether you need to understand how these changes affect your organisation or would like hands-on training in digital credential verification, we can help.

Explore our training programs to build your team's expertise, or contact us to discuss how Vidos can support your digital verification requirements across UK and EU ecosystems.
