TL;DR: eIDAS2 and business wallets shift corporate identity from fragmented credentials toward reusable, attribute-based evidence that can support selective disclosure, audited access decisions, and regulated-sector compliance across NIS2, ENS, and GDPR, according to Vintegris. The governance challenge is no longer just authentication strength, but how organisations prove roles, authorisations, and access rights without multiplying identity silos.
NHIMG editorial — based on content published by Vintegris: eIDAS2 y Business Wallets and the future of corporate digital identity
By the numbers:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should organisations govern business wallets in regulated identity programmes?
A: They should treat business wallets as part of the identity governance stack, not a side channel.
Q: Why do business wallets matter for access governance in regulated sectors?
A: They matter because they let organisations verify specific attributes such as role, authority, or certification without repeatedly exposing full identity records.
Q: What breaks when identity evidence is spread across too many systems?
A: Governance breaks because no single team can reliably prove who approved what, which attributes were trusted, or whether revocation happened everywhere it needed to.
Practitioner guidance
- Inventory identity evidence sources Map where roles, authorisations, certifications, and delegation proofs are currently stored across directories, HR, PAM, and third-party systems.
- Define wallet-backed lifecycle controls Treat business wallet evidence as governed identity data with explicit issuance, validation, renewal, and revocation rules.
- Rework compliance evidence collection Replace ad hoc audit evidence gathering with a model that captures cryptographic proof of role, authority, and disclosure events.
What's in the full article
Vintegris's full article covers the operational detail this post intentionally leaves for the source:
- How business wallets are positioned for employees and suppliers in regulated workflows.
- The mechanics of qualified electronic attestations of attributes and selective disclosure.
- How eIDAS2 aligns with NIS2, ENS, and GDPR in corporate identity governance.
- The role of qualified trust service providers in issuing and validating evidence.
👉 Read Vintegris's analysis of eIDAS2 business wallets and corporate identity →
Business wallets and eIDAS2: what changes for IAM teams?
Explore further
Identity evidence, not just identity records, is becoming the real control point. eIDAS2 and business wallets shift the governance question from who is in the directory to what evidence can be trusted across systems. That matters because modern IAM estates are fragmented by design, while compliance obligations still expect coherent proof of role and authority. The implication is that access governance must increasingly treat attestations as first-class identity objects.
A few things that frame the scale:
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: Who is accountable when wallet-backed identity evidence is wrong or outdated?
A: Accountability should sit with the issuer of the attestation, the platform validating it, and the business owner using it for access decisions. If those responsibilities are not explicit, outdated attributes can be accepted as current evidence. Governance teams need a clear control owner for each trust decision path.
👉 Read our full editorial: eIDAS2 and business wallets reshape corporate identity governance