VLOPs Must Accept EUDI Wallets by December 2027 - Mandatory Compliance Deadline

eIDAS 2.0 requires Very Large Online Platforms (45M+ monthly users) to accept EUDI Wallet credentials by December 2027.

The Legal Framework Behind the VLOP Mandate

The mandatory acceptance requirement for Very Large Online Platforms is rooted in Article 6a of the revised eIDAS regulation (eIDAS 2.0), which was adopted as part of the European Digital Identity framework. This article requires that relying parties designated as VLOPs under the Digital Services Act must accept EUDI Wallet credentials for user authentication by the date specified in the regulation. The convergence of two major EU digital regulations, eIDAS 2.0 and the DSA, creates a powerful legal framework for digital identity adoption.

The VLOP designation is based on the Digital Services Act's definition of very large online platforms as services reaching more than 45 million monthly active users within the EU, approximately 10 percent of the EU population. The European Commission periodically reviews and updates the list of designated VLOPs based on user data reported by platforms. As of the latest designation, 19 platforms are classified as VLOPs, covering social media, search engines, e-commerce, travel booking, and app distribution services.

The regulation also extends the acceptance requirement to Very Large Online Search Engines (VLOSEs), including Google Search and Bing, which must accept wallet credentials for services that require user authentication. Additionally, all public sector bodies in EU member states must accept EUDI Wallet credentials, and the financial sector must accept them for customer identification under anti-money laundering regulations. The VLOP mandate is thus part of a broader acceptance framework that encompasses the most important online and offline services in European life.

Which Platforms Are Affected and What Must They Do

The designated VLOPs span the full range of major online services that EU citizens use daily. Social media platforms including Facebook, Instagram, TikTok, Twitter/X, LinkedIn, Snapchat, and Pinterest must offer EUDI Wallet login for account creation and authentication. E-commerce platforms including Amazon and Zalando must accept wallet credentials for identity verification during purchases, particularly for age-restricted products and high-value transactions.

Google faces the broadest compliance requirement due to the number of its services designated as VLOPs or VLOSEs, including Google Search, Google Maps, Google Play, Google Shopping, and YouTube. Each service must independently support EUDI Wallet authentication, though Google can implement a unified wallet integration across its service ecosystem. Apple must support wallet authentication in the App Store, which has implications for app-level age verification and parental controls.

Travel platforms including Booking.com and Airbnb must accept wallet credentials for guest identity verification, which is already required by local regulations in many EU countries. The wallet integration replaces the current practice of uploading passport scans or ID document photos, providing stronger identity assurance while better protecting travelers' personal data. These platforms are among the most enthusiastic adopters, as the wallet reduces their liability for data breaches involving stored identity documents.

Privacy Benefits for Platform Users

One of the most significant benefits of the VLOP mandate for consumers is enhanced privacy when interacting with major online platforms. Currently, platforms collect extensive personal information during account creation and ongoing use, often far beyond what is necessary for the service provided. The EUDI Wallet's selective disclosure capability enables users to share only the minimum information needed, fundamentally shifting the data collection dynamics between platforms and users.

For age verification, which platforms increasingly require under the Digital Services Act's child protection provisions, the privacy improvement is dramatic. Instead of uploading government ID documents that expose full name, date of birth, address, and document numbers, users can prove they meet the minimum age requirement through a single yes/no verification from their wallet. The platform learns only that the user is over 18, with no additional personal data disclosed, stored, or at risk of breach.

The wallet also enables pseudonymous authentication where appropriate. Users can prove they are a unique, real person without revealing their actual identity, useful for platforms where anonymity is valued but bot prevention is necessary. The wallet can issue a unique, unlinkable token for each platform, confirming human uniqueness without creating a persistent identifier that could be used for cross-platform tracking. This capability directly addresses concerns about surveillance capitalism while meeting platforms' legitimate needs for user verification.

Platform Compliance Preparations

Major platforms are in various stages of preparation for the December 2027 deadline. Meta (Facebook, Instagram) has established a European Digital Identity team working on wallet integration across its services. Google has published preliminary technical specifications for EUDI Wallet support in its identity services infrastructure. Amazon's European operations team is developing wallet-based identity verification for marketplace purchases, particularly for age-restricted and high-value items.

Industry groups including the Computer and Communications Industry Association (CCIA) and DigitalEurope have engaged with the European Commission on the technical implementation details. Key discussion points include the specific credential formats that platforms must support, the user interface requirements for wallet login options, the handling of existing accounts that predate wallet integration, and the obligations regarding data retention after wallet-based authentication.

Some platforms have gone beyond the minimum requirements, announcing plans to offer users incentives for wallet-based authentication such as enhanced privacy controls, reduced advertising targeting, and priority customer support. These platforms view wallet integration not just as a compliance obligation but as a competitive advantage, offering users a demonstrably more private and secure authentication experience. Early adopters hope to differentiate themselves in a market where data privacy is increasingly valued by consumers.

Enforcement Mechanisms and Timeline

Enforcement of the VLOP acceptance mandate falls to national Digital Services Coordinators (DSCs), the authorities designated by each member state to oversee DSA compliance. DSCs have the power to conduct investigations, request information from platforms, and impose penalties for non-compliance. The European Commission retains the authority to act directly against VLOPs in cases involving multiple member states or systemic failures.

The penalty framework for non-compliance is designed to be proportionate and dissuasive. Fines of up to 6 percent of global annual turnover can be imposed for persistent non-compliance, with periodic penalty payments of up to 5 percent of average daily turnover for ongoing violations. These penalty levels mirror the GDPR enforcement framework and are calibrated to ensure that even the largest platforms cannot treat non-compliance as a cost of doing business.

The December 2027 deadline provides platforms with approximately three and a half years from the regulation's entry into force to implement wallet acceptance. The European Commission has published a detailed compliance timeline with intermediate milestones, including technical readiness demonstrations by mid-2027 and user testing phases in the second half of 2027. Platforms that demonstrate good faith efforts toward compliance but encounter genuine technical difficulties may receive limited extensions, though the Commission has signaled that these will be granted sparingly.