Relying Party: Relying Party (Verifier)

Organization or service that accepts and verifies EUDI Wallet credentials. Examples: airlines for boarding, banks for account opening, hotels for check-in, government services for authentication.

In the EUDI Wallet ecosystem, a relying party is any entity that requests and verifies credentials from a wallet holder. The term "relying party" comes from the fact that these entities "rely" on the identity information provided by the wallet and the trust established by the credential issuers.

Government services: Public administration bodies that need to verify citizen identity for accessing online government services, filing taxes, applying for permits, accessing healthcare services, or registering for social benefits. Under eIDAS 2.0, all public sector bodies in the EU must accept the EUDI Wallet for authentication, making them the largest category of relying parties.

Financial institutions: Banks, payment service providers, insurance companies, and investment platforms that need identity verification for KYC and anti-money laundering compliance. These entities are mandated to accept the EUDI Wallet within 36 months of implementing acts (approximately late 2027).

Very Large Online Platforms (VLOPs): Platforms designated under the Digital Services Act, including companies like Amazon, Google, Meta, Apple, and others with over 45 million monthly active users in the EU. VLOPs must accept the EUDI Wallet for user authentication within their services.

Travel and hospitality: Airlines verifying passenger identity for boarding, car rental companies confirming driving licence validity, hotels verifying guest identity for check-in, and border control authorities processing digital travel documents.

Healthcare providers: Hospitals, doctors, and pharmacies verifying patient identity and health insurance coverage. Digital health credentials in the wallet can streamline cross-border healthcare access under the EU Cross-Border Healthcare Directive.

Education and employment: Universities verifying student identity for enrollment, employers verifying professional qualifications, and recruitment platforms verifying credential authenticity. Retailers and age-restricted services verifying customer age for online purchases of alcohol, tobacco, or adult content.

Unlike traditional identity verification where anyone can ask to see your ID card, the EUDI Wallet ecosystem imposes registration requirements on relying parties. This protects citizens from fraudulent or unauthorized credential requests.

Mandatory registration: Before a relying party can request credentials from EUDI Wallets, it must register with the relevant authority in its member state. The registration must include the relying party's legal identity and establishment (name, registration number, address), the specific credential types and attributes it intends to request, the legal basis and purpose for which the data will be processed, and the member states in which it intends to operate as a relying party.

Relying party authentication certificate: Upon registration, the relying party receives a cryptographic certificate that it must present to the wallet during each credential request. This certificate allows the wallet to verify that the relying party is legitimately registered and authorized to request the specific credential types it is asking for. The wallet displays the relying party's verified identity to the user, so the user can make an informed decision about whether to share their data.

Ongoing compliance: Registration is not a one-time event. Relying parties must maintain their registration, report changes to their data processing activities, and comply with supervisory oversight. If a relying party is found to request excessive data, misuse received data, or violate its stated purposes, its registration can be suspended or revoked, immediately preventing it from requesting credentials from any EUDI Wallet across the EU.

eIDAS 2.0 creates a tiered system of mandatory and voluntary EUDI Wallet acceptance, depending on the type of relying party and the use case.

Mandatory acceptance (public sector): All public sector bodies across the 27 EU member states must accept the EUDI Wallet for electronic identification when they currently require electronic identification at assurance level "substantial" or "high" for accessing their online services. This covers a vast range of government services from tax filing to social security applications.

Mandatory acceptance (regulated private sector): Certain private sector entities are required by sector-specific legislation to verify customer identity. When such legislation requires identification at assurance level "high," these entities must accept the EUDI Wallet. This primarily affects banks and financial institutions (under AML regulation), telecommunications providers (under SIM registration requirements), healthcare providers (under healthcare regulations), and Very Large Online Platforms (under the Digital Services Act).

Voluntary acceptance: Any other business or organization can voluntarily register as a relying party and accept EUDI Wallet credentials. This includes online retailers for age verification, event organizers for ticket verification, employers for credential checking, car-sharing platforms for licence verification, and any service that benefits from verified identity or attributes. The voluntary nature of acceptance for most private sector entities ensures the ecosystem grows organically based on genuine business value.

A important security feature of the EUDI Wallet is that authentication is bidirectional: not only does the relying party verify the wallet's credentials, but the wallet also verifies the relying party's identity and authorization. This prevents phishing attacks where a malicious entity impersonates a legitimate service to steal credentials.

Relying party certificate verification: When a relying party initiates a credential request, it presents its registration certificate to the wallet. The wallet verifies the certificate against the trusted registries maintained by member state authorities. This confirms that the relying party is who it claims to be, that it is registered and authorized to request the specific credential types, that its registration has not been suspended or revoked, and that the requested attributes fall within the scope of its registration.

User transparency: The wallet displays the verified relying party information to the user, including its legal name, the purpose of the data request, and exactly which attributes are being requested. This allows the user to make an informed decision. If the wallet cannot verify the relying party's certificate (because it is expired, revoked, or not issued by a recognized authority), the wallet warns the user or blocks the request entirely.

Protection against over-asking: The relying party's registration specifies which credential types and attributes it is authorized to request. If a relying party attempts to request attributes outside its registered scope (for example, a bar registered for age verification attempting to request a user's home address), the wallet can detect this mismatch and warn the user. This technical enforcement mechanism supplements the GDPR's data minimization principle with actual technical controls.

Relying parties do not verify credentials in isolation. They participate in a broader trust framework that ensures end-to-end trust across the entire EUDI Wallet ecosystem.

Trusted lists: The European Commission and member states maintain trusted lists that catalogue all authorized actors in the ecosystem: PID Providers, qualified trust service providers (who issue electronic attestations of attributes), wallet providers, and registered relying parties. When a relying party verifies a credential, it checks the issuer's identifier against these trusted lists to confirm the issuer is authorized to issue that type of credential.

Revocation checking: Relying parties must check whether a presented credential has been revoked before accepting it. The ARF specifies mechanisms for revocation checking, including status lists that can be queried without revealing which specific credential is being checked (to protect user privacy).

Wallet attestation verification: Relying parties can verify that the wallet presenting credentials is a genuine, certified EUDI Wallet (not a modified or fraudulent application). This is done through wallet attestation, a mechanism where the wallet proves its authenticity using a certificate issued during the wallet's certification process.

Cross-border trust: The trust framework is designed to work smoothly across borders. A relying party in Italy can verify a PID issued by the Finnish PID Provider because both participate in the same EU-wide trust framework. The Italian relying party does not need a bilateral agreement with Finland; the EU trusted lists provide the necessary trust anchors.

• •Lufthansa (airline)
• •ING Bank (banking)
• •Marriott (hotels)
• •Government tax portals (public services)
• •Amazon, Google, Meta (VLOPs)