
Role and Obligations of Intermediaries in the EUDI Wallet Ecosystem


Note: For the sake of technical accuracy, this content is available only in the original English version.

In the ongoing discourse about the European Digital Identity Wallet (EUDI Wallet), the role of intermediaries has sparked legitimate questions — and, at times, misconceptions. This article seeks to clarify the legal and technical responsibilities of intermediaries and explain their place within the EUDI Wallet ecosystem. It further outlines the strict requirements they must meet and places their use in context — especially as the ecosystem transitions from early deployment to broader adoption.


Intermediaries Must Meet the Same Requirements as Relying Parties

The eIDAS Regulation, under Article 5b(10), clearly states: “Intermediaries acting on behalf of relying parties shall be deemed to be relying parties and shall not store data about the content of the transaction.” This means they must not store personal data, including verifiable credentials or metadata such as IP addresses.

Additionally, this means intermediaries must adhere to the same privacy, security, and transparency obligations as any direct relying party:

  • They are required to process data strictly for the purpose of forwarding requests or handling protocol complexity.
  • All data sharing must be preceded by explicit user consent.
  • All requests may include a registration certificate that declares the intended use of the data. If none is provided, it shall be accessible via the registrar.

Whether the relying party interacts directly with the wallet or via an intermediary, the legal and technical accountability remains the same.


Registration Certificates: Ensuring Transparency Regardless of the Actor

A common concern is whether intermediaries can "bypass" the registration certificate requirement and silently request user data without declaring the intended use. This is not possible under the current legal framework and technical design. While the registration certificate itself is not mandatory, the declaration of intended use is. This declared purpose must be registered with the registrar and is always retrievable by the wallet at runtime—ensuring transparency for the end user. In a typical setup, every data request — whether initiated directly by a relying party or facilitated by an intermediary — must provide:

  • Identification of the end relying party (the entity ultimately receiving the data),
  • The declared intended use of the data (e.g. “HR onboarding”),
  • A binding between the declared use and the access request — either through a registration certificate or a lookup via the registrar.

For example, the wallet may display a message like: “Example GmbH, via Wallet-Con, requests your PID for HR onboarding.” If an intermediary initiates a request without any declared purpose, the wallet will detect this. Depending on the wallet implementation, it may issue a warning or block the request entirely. While the respective Implementing Act does not prescribe the exact behavior, the absence of a declared use is considered a policy violation and surfaces visibly to the user. Bottom line: The intended use must always be declared and accessible — even in cases where no registration certificate is provided.


Misuse is Possible — but Illegal and Detectable

Like any product provided as a service, misuse is theoretically possible. An intermediary could try to re-use a registration certificate intended for one relying party to request data for another. But this would:

  • be a violation of the contract between the intermediary and the relying party,
  • breach GDPR and eIDAS obligations, and
  • be detectable through audit trails and cryptographic proofs.

This scenario is no different than a mail server administrator forging emails on behalf of users: it’s technically possible but clearly illegal, and strongly discouraged by design, governance, and enforcement.
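The wallet-side check described in the two sections above (the declared intended use must be retrievable at runtime, and a registration certificate is bound to one relying party and cannot be reused for another) as an added Python example. This is not code from this article or from any EUDI Wallet implementation: the registrar records, the identifiers `example-gmbh` and `wallet-con`, the field names and the `undeclared_use_policy` switch are constructed for illustration, and verification of the certificate's signature is assumed to have already succeeded before this check runs.

```python
"""Wallet-side policy check for presentation requests (constructed illustration).

The wallet verifies that every request names the end relying party, carries a
declared intended use, and binds that use to the relying party either through
a registration certificate or through a registrar lookup.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RegistrationCertificate:
    relying_party_id: str   # relying party the registrar issued the certificate to
    intended_use: str       # declared purpose bound by the registrar


@dataclass(frozen=True)
class PresentationRequest:
    requester_id: str        # entity transmitting the request (relying party or intermediary)
    relying_party_id: str    # end relying party, the entity ultimately receiving the data
    requested_data: str      # e.g. "PID"
    intended_use: Optional[str] = None
    certificate: Optional[RegistrationCertificate] = None


@dataclass(frozen=True)
class Decision:
    action: str      # "prompt" (ask the user for consent), "warn" or "block"
    message: str     # text surfaced to the user


# Constructed registrar records; a real wallet queries the registrar at runtime.
REGISTRAR = {
    "example-gmbh": {"name": "Example GmbH", "intended_uses": {"HR onboarding"}},
    "wallet-con":   {"name": "Wallet-Con",   "intended_uses": set()},
}


def evaluate_request(req: PresentationRequest, registrar=REGISTRAR,
                     undeclared_use_policy: str = "warn") -> Decision:
    """Return the wallet's decision for one request.

    undeclared_use_policy models the wallet-specific behaviour for a request
    without a declared use: "warn" surfaces it, "block" refuses it.
    """
    if undeclared_use_policy not in ("warn", "block"):
        raise ValueError("undeclared_use_policy must be 'warn' or 'block'")

    rp = registrar.get(req.relying_party_id)
    if rp is None:
        return Decision("block", f"Unknown relying party '{req.relying_party_id}'.")

    # An intermediary is deemed a relying party and must itself be registered;
    # the consent prompt names it so the user sees who is in the data flow.
    via = ""
    if req.requester_id != req.relying_party_id:
        intermediary = registrar.get(req.requester_id)
        if intermediary is None:
            return Decision("block", f"Unregistered intermediary '{req.requester_id}'.")
        via = f", via {intermediary['name']},"

    cert = req.certificate
    if cert is not None:
        # The certificate must have been issued to the end relying party named in
        # the request; a certificate reused for a different party is rejected.
        if cert.relying_party_id != req.relying_party_id:
            return Decision(
                "block",
                f"Registration certificate issued to '{cert.relying_party_id}' "
                f"presented for '{req.relying_party_id}'.",
            )
        use = cert.intended_use
    else:
        # No certificate: the declared use must be registered with the registrar.
        use = req.intended_use
        if use is None or use not in rp["intended_uses"]:
            return Decision(
                undeclared_use_policy,
                f"{rp['name']}{via} requests your {req.requested_data} "
                f"without a registered intended use.",
            )

    return Decision("prompt",
                    f"{rp['name']}{via} requests your {req.requested_data} for {use}.")


if __name__ == "__main__":
    cert = RegistrationCertificate("example-gmbh", "HR onboarding")
    for r in (
        PresentationRequest("wallet-con", "example-gmbh", "PID", certificate=cert),
        PresentationRequest("wallet-con", "example-gmbh", "PID"),
        PresentationRequest("wallet-con", "wallet-con", "PID", certificate=cert),
    ):
        d = evaluate_request(r)
        print(f"{d.action:6} {d.message}")
```

The three cases run at the bottom correspond to the article's examples: a properly bound request via an intermediary produces the consent prompt, a request with no declared use surfaces a warning (or is blocked, depending on the wallet's policy), and a certificate issued to Example GmbH but presented for another party is refused outright.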


The Role of Intermediaries: Transitional Support, Not a Default Model

Intermediaries may serve a useful function in the early stages of the EUDI Wallet rollout, particularly by allowing existing services to act as multipliers for relying parties that lack the capacity to integrate directly. For example, service providers can act as intermediaries to simplify onboarding and reduce implementation friction. That said, a direct integration of a relying party with the EUDI Wallet remains the most privacy-preserving and transparent approach. It enables peer-to-peer interactions without introducing additional processors into the data flow and unlocks the full capabilities of the wallet ecosystem.


Final Thoughts

The EUDI Wallet ecosystem is built with strong privacy and data protection safeguards, grounded in GDPR and reinforced by the Implementing Acts. Intermediaries are permitted — but not exempt. They are subject to the same rules and responsibilities as any other relying party. Their role is optional, not essential. Importantly, users will also have the ability to report misuse or violations directly from within the wallet. This ensures that any unlawful behavior, such as undeclared data use or impersonation, can be detected and escalated easily. Combined with legal obligations and auditability, this creates a significant risk for actors attempting to bypass the rules. Let’s continue to build a system that scales responsibly, empowers users, and upholds the principles of privacy-by-design at every layer.

Published on: 08.08.2025

Last update: August 13, 2025