European Digital Identity Wallet (EUDI Wallet): The Uncomfortable Truth Behind the Innovation
By Giannis Konstantinidis*
Note: This is the English translation of the original article which was written in Greek.
A critical look at the EU’s new “wallet” and the hidden risks it poses to personal data protection and privacy in the digital age.
What are digital identities?
Digital identities are the set of information (e.g. name, professional status, address, telephone number, password) that characterise us when we use digital services on the Internet. In simple words, they are our “digital selves” when we connect to social networking platforms, e-government services, e-banking systems, etc. In practice, digital identities contain personal data which in many cases are also sensitive (e.g. in the case of e-health services). Therefore, digital identities must enable fast and trouble-free access to digital services and meanwhile be accompanied by strict safeguards regarding information security and data protection.
How have digital identities evolved?
There are three main models for organising digital identities (Figure 1). In the centralised model, an organisation maintains a central database with the digital identities of all users. A key disadvantage of the centralised model is that users must maintain a separate account for each digital service they use. In contrast, in the federated model, organisations cooperate with each other and exchange digital identity information using a common protocol. For example, if a user has an account with a central provider (e.g. Facebook, Google, Microsoft or gov.gr), then they can log in to another compatible digital service with the same information. Therefore, the federated model is quite easy to use, although the overall management of digital identities and their attributes is carried out by a few providers (who might be aware of the users’ activities).
Figure 1: In the centralised model, users have separate accounts (and passwords) for each service they use. In contrast, in the federated model, there are a few providers that act as single “gateways” to services. Finally, in the decentralised model, users use their digital wallets and ideally choose the specific information they want to share with service providers. (Creator Giannis Konstantinidis)
Therefore, in both the centralised and the federated model, a major concern is the concentration of a large amount of data in central locations that are considered attractive to malicious attackers (see massive data breaches). As an “antidote”, the decentralised model has been proposed, which is often associated with the concept of “self-sovereign identity” (SSI). In this model, the user controls all the identity elements that are to be used by the services. Instead of relying upon a few providers, each user holds a set of “credentials”, which have been issued by trusted entities, and maintains them in an application called a digital wallet or digital identity wallet. When the user needs to prove something (e.g. their age), the digital credential is directly presented (signed beforehand by a trusted organisation that serves as the issuer). Ideally, the presentation of that digital credential reflects the minimum amount of the required data and does not reveal the entire personal data of the user.
Figure 2: In the decentralised model, the issuer generates and delivers a credential to the user (holder) who stores it in the digital wallet. The user then presents the credential to a verifier, i.e. an organisation that requests confirmation of the user’s identity and/or status. The validity of the credential is verified based on the information found in a registry. (Creator Giannis Konstantinidis)
What is happening in the EU with digital identities?
With the revision of the eIDAS Regulation (2024/1183), the European Commission has established that each EU Member State must offer its citizens a digital identity wallet. This will be an application for mobile devices in which each user will be able to store documents in digital form (e.g. ID cards, driving licenses, educational qualifications, social security documents and other travel documents). The user's interaction with the respective services will be done through the wallet, i.e. the user will select the credentials they wish to share. As mentioned earlier, users do not send the entire documents, but a selected presentation of certain data in combination with the appropriate digital evidence that cryptographically proves the validity of those documents. Admittedly, the original vision of a “sovereign identity” seems to be significantly limited in the current design of the EUDI Wallet. In particular, the draft architecture (i.e. Architecture and Reference Framework - ARF) foresees the use of a traditional Public Key Infrastructure (PKI). Simply put, instead of leveraging a fully decentralised system, the European Commission chooses to leverage existing infrastructures that collect digital identity data. As such, it is more of a cross-border federated model in which users are responsible for managing and sharing their credentials on their own, rather than a fully decentralised model.
Is the protection of privacy and personal data enhanced or undermined?
Based on current developments, several risks related to data protection and privacy arise. First, the wallet can generate unique identifiers for each user (although theoretically this is necessary to identify the user when accessing cross-border services in the EU) and several experts express fear that these identifiers will allow for the continuous monitoring and correlation of all user activities.
In particular, according to the position of a group of distinguished academics (specialists in cryptography), the proposed architecture does not include sufficient technical measures to limit the “observability” and prevent the “linkability” of user activities. This means that even if user activities are carried out through the use of pseudonyms, there is no special care to prevent service providers from collecting usage patterns and correlating them with each other. So, in practice, this gap allows the tracing of user activities. The latest version of the architecture (ARF 2.3.0) recognises these risks; however, the integration of appropriate mechanisms remains at the level of discussion and has not yet been implemented (due to complexity and certain technical limitations). The European Telecommunications Standards Institute (ETSI) recognises the importance of technical measures, such as zero-knowledge proofs (ZKPs), but it is shown that (for the time being) the complete elimination of tracking is not feasible due to the technical complexity and lack of interoperability.
Regarding the overall “flexibility” and accountability of the ecosystem, there are also several negative comments. For example, if a service decides to request more data than necessary, there is no mechanism for prevention or even control. At the same time, it is considered that a huge share of responsibility will be shifted to users, because they will be constantly asked to approve the credentials that will be shared with service providers. In fact, if something goes wrong (e.g. in the event of theft of the user’s device or electronic fraud), there are no sufficient protection measures and therefore the user bears a large share of the responsibilities. Moreover, there is no provision (so far) for any kind of recovery or restoration process.
Finally, an additional concern relates to the expansion of the wallet's functionalities, as it is going to gradually collect all kinds of electronic documents and certificates (e.g. even travel credentials and electronic payment details). Thus, the risk of a "surveillance dossier" emerges, where a malicious analyst or attacker could discover an extensive set of information about a person through a single medium.
Towards a cautious acceptance or questioning of the framework?
Although the EUDI Wallet is an important step in the development of modern digital services on the Internet, it comes with several challenges. If citizens are to trust such a technological solution, they must do so with full awareness of the advantages as well as the potential risks involved. At the same time, experts must further develop and document the mechanisms that contribute to security and privacy, otherwise we risk moving from a “wallet that empowers users to protect their data” to a “wallet that exposes data arbitrarily”. Finally, the contribution of experts and civil society organisations is extremely important, as gaps and possible omissions can be identified and corrected before the final implementation.
*Giannis Konstantinidis (CISSP, CIPM, CIPP/E, ISO/IEC 27001 & 27701 Lead Implementer) is a cybersecurity consultant and member of Homo Digitalis since 2019.
Schools in Messinia at the Heart of Digital Awareness
From March 31 to May 7, the NGO Homo Digitalis visited 11 primary and secondary schools across Messinia, bringing education and awareness on internet safety closer to students.
During the workshops held in Arfara, Dorio, Eva, Thouria, Kalamata, Kyparissia, Pylos, Filiatra, Finikounda, and Chora, a total of 554 students engaged with key issues of the digital world, such as: cyberbullying, online safety, recognition and understanding of deepfakes, and responsible use of social media.
Raising awareness and informing both children and adults is a vital step toward a safe and healthy experience in the digital space.
The initiative was supported by the “Captain Vassilis and Carmen Constantakopoulos” Foundation and it will continue with new sessions from September to December 2025.
If your school is located in Messinia and would like to host these free educational sessions, please contact the Homo Digitalis team at info@homodigitalis.gr.
Article 77 of the AI Act: 6 months after the designation of the Fundamental Rights Authorities
The first official deadline set by the Artificial Intelligence Regulation (AI Act) required member states to appoint, by November 2, 2024, one or more authorities in accordance with Article 77 for the protection of fundamental rights.
Today, May 2, 2025 — six months after the deadline — 25 out of the 27 European countries have appointed a total of 210 authorities, a number that seems staggering and at the same time sends a strong message about how seriously these countries take the issue of fundamental rights. But does it reflect reality?
With this brief study, we aim to provide answers to the following questions:
- What is the purpose of Article 77 of the AI Regulation?
- Which authorities have been appointed by the member states to date?
- What powers does the AI Regulation actually grant to these regulatory authorities, and what obligations arise from Article 78 of the AI Regulation regarding the confidentiality of information?
- Who are the four national authorities that have taken on this role, and what are their existing and new powers under the AI Regulation?
Through a case study, our Director on Fundamental Rights and AI, Lamprini Gyftokosta, attempts to explore how these authorities will cooperate, while also raising some questions that will undoubtedly concern us over time.
You can read our study here (EL).
We publish our 4th Study on the AI ACT – Comparative overview of the provisions on the rights of affected individuals
Today, April 11, 2025, Homo Digitalis publishes its fourth study on the provisions of Regulation 2024/1689 on Artificial Intelligence (AI), widely known as the AI Act.
This study focuses on the right to explanation and the right of individuals not to be subject to automated decision-making.
Specifically, the use of artificial intelligence systems for making automated decisions is continuously expanding in both the public and private sectors, with significant impacts on the individuals subjected to them.
Therefore, this study examines the legal remedies available to individuals affected by decisions made through the use of AI. The analysis focuses on the right to an explanation of individual decision-making as provided in Article 86 of Regulation 2024/1689. However, since the protection of affected individuals is not limited solely to these provisions, the analysis extends to the right to contest individual decision-making, which—under appropriate interpretation—is based on Article 22 of Regulation 2016/679, known as the GDPR.
The study’s authors are two distinguished legal professionals and volunteer members of Homo Digitalis: Maria-Evangelia Konstantopoulou and Stratygia-Danai Skevi (listed alphabetically).
You can read our 4th study here.
We remind you that we have published three previous studies on Regulation 2024/1689 and its transposition into the Greek legal order: in October (impact assessment on fundamental rights), November (AI governance and competent supervisory authorities), and December (prohibited practices) of 2024, respectively.
This intensive effort aims to contribute constructively to the public dialogue in Greece and at the EU level in the field of artificial intelligence, and it is the result of significant support from the European Artificial Intelligence & Society Fund.
Successful Awareness-Raising Activities in Larissa during February – March
A series of important awareness-raising activities were successfully carried out in Larissa during the February–March period. Our member, Tasos Arampatzis, represented Homo Digitalis with great success by voluntarily leading several awareness and educational initiatives in the region.
In particular, in collaboration with Frosso Ktistaki — PhD holder and piano professor — they delivered an educational presentation on the theme Cybersecurity, Music, and Human Emotions. Within this context, they discussed the human factor in cybersecurity, the impact of personal data breaches, and how music can serve as a helpful tool. The event took place at Pyrgetos High School on February 24.
Additionally, at the end of March, Tasos represented Homo Digitalis in presentations to 5th and 6th grade students of two co-located primary schools in Larissa — the 15th and 43rd Primary Schools. The topic of the presentations was cyberbullying.
We Sponsor and Speak at the 15th InfoCom Security 2025!
We are excited to announce that Homo Digitalis is once again offering its sponsorship to the 15th InfoCom Security 2025! This special anniversary edition will take place on April 2 & 3 at the Athens Conservatory.
Our Board Member, Konstantinos Kakavoulis, will proudly represent us at the event and deliver the opening keynote speech on the second day of the conference!
Registrations are open and free!
You can secure your spot and explore the full two-day agenda here.
A huge thank you to the organizing team (SmartPress S.A., IT Security Pro) for the excellent collaboration in making this event possible!
Registration for the 2nd AI Summit of Cleon Conferences, under the auspices of Homo Digitalis, is now open
CLEON Conferences & Communications is organizing the 2nd AI SUMMIT under the auspices of the Ministry of Digital Governance, SEKEE, ISACA, Homo Digitalis, and Rythmisis.
The conference will be moderated by lawyer and journalist Antonis Papagiannidis, while a speech will also be given by Stefanos Vitoratos, co-founder of Homo Digitalis and lawyer.
The conference will take place on Tuesday, April 29, at the Divani Caravel Hotel in Athens.
Don’t miss the opportunity to stay informed about the latest developments and trends in AI!
You can register here.
Homo Digitalis Event on the AI Act and opportunities for synergies for Civil Society Organizations
On Thursday, February 27, Homo Digitalis organized the first-ever workshop on the AI Act for Civil Society Organizations in Greece at its offices in ViOS Coworking Space!
More than 20 organizations participated, coming from diverse backgrounds but sharing a common interest: collaborating on the challenges and opportunities arising from the AI Act.
Event Highlights
During the event, we presented our three thematic studies on the AI Act:
-Fundamental Rights Impact Assessments (FRIAs)
-Supervisory Authorities & AI Governance Ecosystem
-Prohibited Practices
We also hosted thematic discussion groups on four key topics:
-Environment & Artificial Intelligence
-Business Practices & Algorithmic Transparency
-AI in Policing & Migration
-AI Systems, Democracy & the Information Society
A Huge Thank You!
We extend our heartfelt thanks to all the organizations that participated, bringing their energy, trust, and spirit of collaboration!
A special thanks to the Homo Digitalis team for organizing the event and presenting our studies: Sofia Antonopoulou, Niki Georgakopoulou, Lamprini Gyftokosta, Tania Skrapaliori, Eleftherios Chelioudakis, and Stavroula Chousou.
Proudly Supported by:
This event was made possible with funding from the European AI & Society Fund and European Digital Rights—we are incredibly proud of their support!
Join Us!
Want to be part of this collaborative effort? Fill out the contact form on our website!
Participating Organizations:
ActionAid Hellas, KEAN – Cell of Alternative Youth Activities, Greenpeace Greece, WWF Greece, inside story., Reporters United, Solomon, Eteron Institute, KnowledgeRights21, EKPIZO, Greek Council for Refugees, Open Lab Athens, Vouliwatch, Amnesty International – Greece, Transparency International Greece, I Have Rights., HIAS Greece, Open Technologies Organization, CopWatchGR, Hellenic League for Human Rights, omniatv, Diversity Charter Greece, Generation 2.0 for Rights, Equality and Diversity.
We are co-organizing an event on Cybersecurity and Personal Data Protection at the JOIST Innovation Park in Larissa!
On March 20, 2025, from 18:00 to 20:30, Homo Digitalis is delighted to co-organize and participate in the event “Cybersecurity and Personal Data Protection: Resilience, Compliance, Innovation” at the JOIST Innovation Park in Larissa!
The event aims to raise awareness and empower businesses of all industries and sizes so they can become resilient and innovate safely while respecting citizens’ rights.
Speakers at the event include:
- Michail Bletsas, Head of the National Cybersecurity Authority
- Panagiotis Soulos, Member of ISC2 Hellenic Chapter, Information Security GRC Senior Manager at STEELMET Corporate Services
- Lamprini Gyftokosta, Director of Human Rights & Artificial Intelligence at Homo Digitalis
- Giannis Koukouras, Member of ISC2 Hellenic Chapter, Managing Director at TwelveSec
- Karina Iskandarova, Founder of CharismaWorks
The event will be moderated by Anastassios Arabatzis from Bora – Cybersecurity Marketing and Homo Digitalis.
Register for free here.