How does eIDAS 2.0 handle biometric data in identity wallets?

Fingertip hovering over a smartphone displaying a glowing fingerprint scan on a brushed-steel government desk, EU flag blurred in the background.

eIDAS 2.0 does not require biometric data to be stored inside the European Digital Identity Wallet itself. The regulation focuses on enabling secure identity verification and data sharing, but it does not mandate that biometric information such as fingerprints or facial images must live within the wallet. What eIDAS 2.0 does require is that any biometric data used in identity processes is handled in accordance with strict data protection rules, including the General Data Protection Regulation (GDPR). The sections below unpack the most common questions organizations have about biometrics, the EUDI Wallet, and what this means in practice.

Does eIDAS 2.0 require biometric data to be stored in the wallet?

No, eIDAS 2.0 does not require biometric data to be stored in the European Digital Identity Wallet. The EUDI Wallet is designed to hold verifiable credentials and digital documents, such as a driving license or an educational certificate, but the regulation deliberately avoids mandating the storage of sensitive biometric data within the wallet itself. Biometrics may be used during the identity proofing process that happens before a wallet is issued, but that is a separate step.

The distinction matters because many organizations assume that a digital identity wallet automatically implies a biometric database. In practice, the wallet stores attestations about a person’s identity, not raw biometric data. For example, a wallet might contain a credential confirming that a person’s identity was verified at a high assurance level, without storing the fingerprint or facial image that was used to reach that conclusion.

This design choice reflects a core principle of eIDAS 2.0: data minimization. Users should only share what is strictly necessary. Storing biometric data inside the wallet would create unnecessary risk and conflict with that principle.

How does eIDAS 2.0 protect biometric data under GDPR?

eIDAS 2.0 works alongside GDPR to protect biometric data. Because biometric data is classified as a special category of personal data under GDPR Article 9, any processing of it requires an explicit legal basis, such as explicit user consent or a specific legal obligation. eIDAS 2.0 reinforces this by requiring that identity wallets respect user privacy and apply data minimization principles throughout every interaction.

In practical terms, this means that organizations involved in identity verification or wallet issuance cannot collect or retain biometric data beyond what is strictly necessary for the purpose at hand. Once the identity proofing step is complete, the biometric data used during that process should not be retained unless there is a clear and lawful reason to do so.

The regulation also requires that wallet providers and relying parties implement appropriate technical and organizational security measures. This includes encryption, access controls, and audit trails. The combination of eIDAS 2.0 and GDPR creates a layered framework where biometric data is protected both at the regulatory level and through technical design.

What is the difference between biometric authentication and biometric verification in the EUDI Wallet?

Biometric authentication and biometric verification serve different purposes in the context of the EUDI Wallet. Biometric authentication happens on the user’s device and unlocks access to the wallet itself, for example using Face ID or a fingerprint sensor. Biometric verification refers to the process of confirming a person’s identity against a trusted reference, such as a passport photo, and typically happens during the initial onboarding or identity proofing stage.

This is an important distinction for organizations to understand because the two processes have very different data flows and compliance implications.

Biometric authentication: local and device-bound

When a user unlocks their EUDI Wallet using a fingerprint or facial scan, that biometric data never leaves the device. It is processed locally by the device’s secure element. No biometric data is transmitted to the wallet provider or any relying party. This approach is privacy-preserving by design and aligns with the data minimization principles embedded in eIDAS 2.0.

Biometric verification: identity proofing at onboarding

Biometric verification takes place when a person first enrolls and their identity is checked against a government-issued document. This process may involve a liveness check or a comparison between a selfie and a passport photo. This step happens before the wallet is issued and is governed by strict rules about data retention and purpose limitation. Once the identity has been confirmed and the wallet credential issued, the biometric data used in that process should not be stored indefinitely.

Who can access biometric data shared through an identity wallet?

In the EUDI Wallet model, biometric data is generally not shared through the wallet at all. What is shared are verifiable credentials that attest to a person’s identity or attributes, without exposing the underlying biometric data. The user remains in control of what they share and with whom. No relying party, such as a bank or government service, receives raw biometric data through a standard wallet interaction.

Access to any biometric data that was collected during the identity proofing process is strictly limited. Only the entity responsible for issuing the wallet credential, typically a government body or a certified trust service provider, would have access to that data, and only for the duration required by law.

eIDAS 2.0 is explicit about user control: individuals must be able to see what data is being shared, with whom, and for what purpose. This applies to all personal data exchanged through the wallet. Any attempt by a relying party to request more data than is necessary for the service they provide would be a violation of both eIDAS 2.0 and GDPR.

What biometric data can be included in verifiable credentials under eIDAS 2.0?

Certain digital documents that can be stored in the EUDI Wallet, such as a mobile driving license or a digital travel credential, may include a facial image as part of the credential’s data set. This is because these documents are digital representations of physical identity documents that already contain a photo. In that sense, a facial image can be part of a verifiable credential, but it is treated as an identity attribute rather than a biometric template.

The key difference is that a biometric template, such as a fingerprint map or a facial geometry model, is a processed representation used for matching. A facial image, such as the photo on a driving license, is an identity attribute that a human or system can compare visually. eIDAS 2.0 and the Architecture and Reference Framework for the EUDI Wallet allow facial images within specific credentials, but they do not introduce a general mechanism for storing or sharing biometric templates.

Organizations in sectors such as healthcare or financial services that handle identity verification should pay close attention to this distinction. Using a facial image from a wallet credential for automated biometric matching would constitute biometric data processing under GDPR and would require a specific legal basis.

How should organizations prepare for biometric data requirements in eIDAS 2.0 compliance?

Organizations should start by mapping out where biometric data currently enters their identity processes and what legal basis they rely on for processing it. eIDAS 2.0 compliance is not just a technical exercise. It requires a clear understanding of data flows, retention policies, and the distinction between what happens during identity proofing and what happens during ongoing authentication.

Here are the key steps organizations should take:

  1. Audit your current identity proofing process. Identify where biometric data is collected, how long it is retained, and whether your current practices align with GDPR’s data minimization and purpose limitation principles.
  2. Clarify the legal basis for biometric processing. Biometric data is a special category under GDPR. Make sure you have a lawful basis documented for every stage where biometrics are processed.
  3. Separate authentication from verification in your architecture. Design your systems so that device-level biometric authentication (unlocking the wallet) is clearly distinct from identity verification processes that may involve biometric checks.
  4. Review your data retention policies. Biometric data collected during onboarding should not be retained beyond what is legally required. Update your policies to reflect this.
  5. Prepare for wallet-based interactions. If your organization will act as a relying party accepting EUDI Wallet credentials, make sure your systems only request the attributes you genuinely need and never attempt to extract or reprocess biometric data from those credentials.

Organizations in government and regulated industries should also engage with the technical specifications being developed through the large-scale pilot programs, as these will shape the practical requirements for wallet issuance and credential formats going forward. Staying close to the latest developments in the Architecture and Reference Framework is essential for organizations building or adapting identity infrastructure.

How TrustTech helps with biometric data and eIDAS 2.0 compliance

Navigating the intersection of biometric data, GDPR, and eIDAS 2.0 is complex, especially for organizations that need to adapt existing identity infrastructure while staying compliant. TrustTech supports organizations across regulated sectors in building identity processes that are secure, privacy-respecting, and ready for the EUDI Wallet era.

Working with TrustTech means you get practical support across the areas that matter most:

  • Identity proofing and verification that meets eIDAS 2.0 assurance levels without unnecessary data collection
  • Reusable digital identity infrastructure so users verify once and share only what is needed, reducing repeated biometric checks
  • Wallet-ready architecture built on European digital identity standards, designed to integrate with the EUDI Wallet as it rolls out
  • Compliance guidance that bridges the technical and regulatory dimensions of biometric data processing under GDPR and eIDAS 2.0

Whether you are assessing your current compliance posture or actively building toward EUDI Wallet integration, TrustTech provides the expertise and technology to get there. Explore our identity solutions or get in touch to discuss what eIDAS 2.0 means for your organization.