EUDI Wallet biometrics: what the regulatory split means for teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Conflicting interpretations of how biometric verification should be regulated are creating uncertainty for EUDI Wallet rollout, after Spain’s data protection authority said biometrics cannot be the sole authentication method in some cases, according to SumSub. The debate shows that digital identity programmes now need clearer assurance models, not just stronger identity checks.

NHIMG editorial — based on content published by SumSub: Industry groups warn biometric rules could complicate EUDI Wallet adoption

Questions worth separating out

Q: Why do biometric rules create problems for EUDI Wallet rollout?

A: Biometric rules create problems when they are treated as the only acceptable way to authenticate a wallet holder.

Q: How should teams design EUDI Wallet authentication if biometrics cannot be the sole factor?

A: Teams should design layered authentication, where biometrics bind the user to the wallet but do not carry the entire assurance burden alone.

Q: What breaks when cross-border identity assurance is not harmonised?

A: When assurance is not harmonised, each country ends up with its own acceptance rules, fallback methods, and evidence thresholds.

Practitioner guidance

  • Define assurance tiers before deployment: Map which authentication events require biometric binding, which require an additional factor, and which can accept lower assurance.
  • Separate proofing from authentication design: Treat identity proofing, wallet binding, and ongoing login assurance as distinct control layers so a change in biometric policy does not break the whole access model.
  • Build jurisdiction-specific fallback paths: Prepare alternative sign-in and recovery methods for countries that restrict sole-factor biometric use, including PIN, device possession, or re-proofing where justified.

What's in the full analysis

SumSub's full news piece covers the regulatory detail this post intentionally leaves for the source:

  • Spain’s data protection authority interpretation and why it affects sole-factor biometric use
  • The Age Verification Providers Association’s concerns about high-assurance identity verification
  • How EUDI Wallet rollout deadlines could interact with member-state policy fragmentation
  • The source article’s discussion of alternative factors such as PINs and device-based authentication

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 2799
 

Biometric-only authentication is too narrow a control model for cross-border identity wallets. The article shows that regulators are already questioning whether one biometric factor can carry the full burden of assurance in digital identity flows. That is not a usability issue alone; it is a governance limitation, because assurance must survive policy variation, device failure, and jurisdictional disagreement. Practitioners should treat sole-factor biometric design as structurally incomplete for EUDI-scale deployments.

A few things that frame the scale:

  • Under current rules, EU member states are expected to provide digital identity wallets to citizens by the end of 2026, according to the Ultimate Guide to NHIs.
  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.

A question worth separating out:

Q: Who is accountable when biometric authentication is not allowed as the only method?

A: Accountability sits with the programme owner and the relying party as much as with the regulator, because they must prove that identity assurance is still adequate. The control question is whether the wallet design can withstand local restrictions without losing trust, auditability, or recovery capability.
