Data Portability: Ensuring EUDI Wallet Users Can Move Their Digital Identity

The right to data portability, established by Article 20 of the General Data Protection Regulation (GDPR), grants individuals the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance. In the EUDI Wallet ecosystem, data portability is a foundational principle that prevents vendor lock-in, ensures genuine user control over digital identity, and enables competitive wallet markets across all EU Member States. Users must be able to move their digital credentials and identity data between wallet providers as freely as they can switch mobile phone carriers.

Without data portability, digital identity systems risk creating walled gardens where users become dependent on a single wallet provider. If switching wallets meant losing all credentials and having to re-verify identity with every issuer, users would effectively be locked into their initial wallet choice regardless of service quality, privacy practices, or cost.

The eIDAS 2.0 regulation explicitly addresses this concern. Each Member State must ensure that at least one EUDI Wallet is available to its citizens, but users may also choose from certified private-sector wallet providers. For this market to function, switching costs must be low. Data portability ensures that a user who starts with their government-issued wallet can later migrate to a private-sector wallet (or vice versa) without losing their digital identity infrastructure.

This principle also supports the broader EU digital single market goals. If a citizen moves from Germany to France, they should be able to port their wallet data to a French provider if desired, or continue using their German wallet with full cross-border functionality. Portability eliminates geographic and commercial barriers to digital identity management.

Implementing data portability for cryptographic credentials is more complex than porting a contact list or email archive. EUDI Wallet credentials are digitally signed by issuers and bound to specific cryptographic keys stored in the device's secure element. A simple file export would not produce functional credentials because the private keys cannot (and should not) be extracted from the secure hardware.

The EUDI Wallet portability mechanism therefore works through a re-issuance model:

• •Export manifest: The source wallet generates a structured manifest listing all held credentials, their issuers, credential types, issuance dates, and expiry dates. This manifest is signed by the source wallet and provided to the user.
• •Key generation: The destination wallet generates new cryptographic key pairs in its own secure element. These keys will be bound to re-issued credentials.
• •Automated re-issuance: Using the export manifest, the destination wallet contacts each credential issuer through OpenID4VCI and requests re-issuance. The user authenticates to prove their identity, and the issuer issues a fresh credential bound to the new wallet's keys.
• •Transaction history export: Consent logs, presentation history, and user settings are exported in a standardized JSON format that any EUDI-compliant wallet can import directly.

This approach preserves security (private keys never leave secure hardware) while enabling practical portability (the user ends up with equivalent credentials in the new wallet, typically within minutes).

The EU envisions a competitive marketplace of EUDI Wallet providers. Government wallets, bank-issued wallets, telecom wallets, and independent providers may all offer EUDI-compliant wallets with different user experiences, additional features, and privacy guarantees. Data portability is the mechanism that prevents any single provider from capturing users through data lock-in.

Consider the analogies from other regulated markets: mobile number portability transformed the telecom industry by eliminating switching barriers, and PSD2 open banking enabled financial data portability. Similarly, EUDI Wallet portability is expected to drive innovation as providers compete on quality rather than switching costs.

The certification framework for EUDI Wallets includes portability requirements. A wallet that makes it difficult for users to export their data or that uses proprietary formats incompatible with the standard export mechanisms would not receive or maintain its eIDAS 2.0 certification. This regulatory enforcement ensures portability is not just a theoretical right but a practical capability available to all EUDI Wallet users.