One-click identity verification with ID wallets

An opinion piece by Gataca on the European Commission's reference age verification implementation, why it matters for EUDI Wallet adoption, and where the public and private roles should have been drawn.

Key takeaways

• On 15 April 2026, the European Commission released the source code of an "EU Age Verification App", a white-label reference implementation, not a finished consumer product.
• The same day, security researcher Paul Moore bypassed PIN and biometric controls in under two minutes by editing a plain-text configuration file.
• The premise of the project (privacy-preserving, wallet-based age verification) is correct and supports EUDI Wallet adoption.
• The delivery — an open-source codebase contracted out to consultancies, shipped without the security maturity it required — fell short of what a launch of this profile demanded.
• A compliant private market for age verification with digital identity wallets already exists in Europe today. Gataca's view is that the Commission's most valuable contribution is clear, evenly-enforced regulation, not a parallel public implementation.

What happened

On 15 April 2026, European Commission President Ursula von der Leyen unveiled what was widely communicated as the "EU Age Verification App."

In practice, what was released was open-source code, a white-label reference implementation pushed to a public GitHub repository, rather than a production-ready, hardened, end-user product.

The distinction matters. Within days, security consultant Paul Moore picked up that publicly available code and demonstrated a bypass in under two minutes.

By editing a plain-text XML configuration file, he was able to reset the user PIN, disable biometric authentication via a single boolean flag, and retain access to stored credentials. An Italian researcher subsequently reproduced his findings and documented five additional vulnerabilities. Multiple outlets have since reported that the project's own GitHub repository flagged the build as unfit for production before the Commission held its press conference.

The Commission has clarified that the released version is a demo, and that the code will continue to evolve.

What is the EU Age Verification App?

The EU Age Verification App is the European Commission's reference implementation of wallet-based proof of age.

The idea is straightforward: instead of handing your passport, name, address and document number to every adult website, social network or online gambling platform required to check your age under the Digital Services Act (DSA), you prove a single fact — "I am over 18" — from a credential stored in a digital wallet, without sharing additional personal data.

Key facts:

• Released: 15 April 2026 as an open-source reference implementation.
• Pilot Member States: France, Denmark, Greece, Italy, Spain, Cyprus and Ireland.
• Public availability: expected by summer 2026.
• Architecture: selective disclosure, verifiable credentials, wallet-held keys.
• Interoperability: designed to align with the upcoming European Digital Identity (EUDI) Wallet.

This is the direction Europe should be moving in, and at Gataca we have been building privacy-first age verification on this model for years. We want this initiative to succeed and that is precisely why the issues with this rollout matter.

Why the idea is right and why it matters for the EUDI Wallet

The premise of the Commission's app — that you should be able to prove you're over 18 without exposing your name, birthdate, address, document number and selfie to a third party — is the right premise. It is the only premise that respects child safety and user privacy at the same time.

The Commission's investment in this use case is also good news for the EUDI Wallet itself.

The real challenge for the EUDI Wallet has never been the technology. It is adoption. A wallet sitting dormant on a smartphone is useless: you need verifiers with a reason to integrate, and users with a reason to keep it on their phone.

Age verification delivers both:

• For verifiers: a clean compliance path under the DSA and national rules.
• For users: a simple, low-friction way to access services without oversharing.

Most digital ecosystems start with one strong use case and grow from there. Age verification could be exactly that starting point for European digital identity.

By legitimising the wallet-based model, the Commission is signalling to relying parties (adult content sites, social networks, online gambling, dating, gaming) that wallets are the way forward, which can meaningfully accelerate adoption.

That is why we believe the idea behind the EU Age Verification App is right. The challenge lies in how it has been delivered.

What went wrong

Why "open source contracted out" is not the same as "secure"

Open source can be incredibly secure but only after years of adversarial pressure, dedicated maintainers, professional security audits, bug bounty programs, and the feedback loop of real-world exploitation.

The vulnerabilities Moore found are not subtle. They are not obscure side-channel attacks. They are the kind of issues a competent penetration test would surface in an afternoon.

By most accounts the project carried a price tag of around €4M of European public funds, which makes a security and deployment outcome of this kind a particularly disappointing one.

The deeper issue is incentives. Consulting firms are paid to deliver code; they are not paid to operate it for a decade, to absorb the reputational hit when a flaw goes viral, or to hold the bag when a Member State re-skins the codebase and a teenager bypasses it on YouTube.

Private companies whose entire business is digital identity have the opposite incentive structure as their revenue, their certifications, their reputation and their next contract all depend on getting security and privacy right, every day.

The market the Commission's approach overlooked

This would be less concerning if European age verification were starting from scratch. It is not.

A market of digital identity and age verification providers — including Gataca — has spent years building solutions that are independently audited, penetration-tested, privacy-by-design, and aligned with eIDAS 2.0 and EUDI Wallet specifications.

These solutions are already in production: under AGCOM's framework for adult content in Italy, in Germany's age-verification regime, and across social media and gaming platforms.

A government-built reference implementation arrives in that market not as a complement, but as an alternative, and when that alternative ships with the kinds of issues described above, it sets the entire category back.

The timing

Even setting security aside, the timing is hard to reconcile. The Commission released this code only months before Member States' own deadlines to deliver their EUDI Wallets, which by design are perfectly capable of performing age verification, alongside many other use cases.

Why duplicate the effort? Why pour budget, political attention and public credibility into a parallel, single-purpose artefact that risks being obsolete the moment the wallets it is meant to integrate with go live?

Our take: where the European Commission can have the most impact

The European Commission is at its strongest when it regulates markets and helps them thrive sustainably, rather than executing what the market is already responsible for delivering, particularly when a compliant market already exists.

In our view, the current rollout has had three unintended consequences:

1. It has put pressure on trust in the EUDI Wallet before it has even rolled out. Headlines that say "EU age verification app hacked" are read by many citizens as "EU digital wallet hacked." The technical distinction is lost in public perception.
2. It has crowded out compliant private solutions with a free, government-endorsed alternative that then exhibited serious security issues, leaving Member States and platforms more hesitant to adopt anything, including audited solutions that already work.
3. It has handed unnecessary ammunition to critics of government-built identity, when the underlying European digital identity project deserves a much stronger first impression.

We strongly support the Commission's intent. Our suggestion is that public funds and political capital are likely to have more impact when directed toward setting clear rules and enforcing them consistently across the board while letting the market do what it does best: build, harden, audit and operate the production-grade products that citizens actually use.

The two roles are complementary, and they are most effective when each side stays in its lane.

What "good" looks like and how Gataca can help

At Gataca, we’ve built privacy-first age verification that’s already live with relying parties across Europe, proving that a seamless experience and strong compliance can go hand in hand.

Our approach is simple:

• Facial Age Estimation Users take a quick selfie. Our AI estimates age and confirms liveness in seconds—no ID uploads, no stored images, no personal data retained.
• Gataca App (ID Wallet) Users complete a one-time ID verification to receive a reusable proof of age in their digital wallet. From there, they can share it in one click to access your service or any platform that accepts digital ID wallets.

Crucially, this model aligns with the Digital Services Act and anticipates the rollout of the European Digital Identity Wallet, expected by the end of 2026.

If you’re navigating DSA compliance and want to do it without compromising user experience, let’s talk.

FAQ

• What was actually released on 15 April 2026? A reference, white-label open-source implementation of an age verification wallet — code, not a finished consumer app — published to a public GitHub repository.
• Was the EU Age Verification App really hacked? A demonstrator version of the app was bypassed by editing a local plain-text configuration file. Security researcher Paul Moore demonstrated PIN reset and biometric bypass in under two minutes; an Italian researcher reproduced the findings and identified additional vulnerabilities.
• Is the EU Age Verification App the same as the EUDI Wallet? No. The age verification app is a single-purpose reference implementation. The EUDI Wallet is the broader European Digital Identity Wallet, expected from Member States and capable of age verification among many other use cases.
• Does this mean the EUDI Wallet is insecure? No. The two are technically related but distinct. However, the public perception risk is real: incidents like this can be read by citizens as a generalised failure of European digital identity, which is precisely what makes the rollout so consequential.

eIDAS 2.0 (Regulation EU 2024/1183) entered into force on 20 May 2024. Member States must provide EUDI Wallets within 24 months of the Implementing Acts being adopted making the practical mandatory deadline late 2026. Large online platforms and organisations in regulated sectors must then accept the wallet as an authentication method within one additional year.

What is eIDAS 2.0?

eIDAS 2.0 is the updated European framework for electronic identification and trust services. Officially known as Regulation (EU) 2024/1183, it replaces the original eIDAS Regulation (No 910/2014) and introduces the European Digital Identity (EUDI) Wallet as its flagship component — a standardised, government-issued digital identity app available to every EU citizen, resident, and business.

Member States can offer a wallet directly themselves, mandate an external party to create a wallet, or recognise a wallet created by the private sector.

For a full breakdown of the regulation's scope, compliance obligations, and business benefits, see our dedicated guide → eIDAS 2.0 Explained: Steps to Ensure Compliance

eIDAS 2.0 Full Timeline: From Proposal to Mandatory Rollout

The following milestones chart the regulation from its origins to the dates that matter for your organisation:

• June 2021 — European Commission publishes proposal to update eIDAS. The revision signals a shift toward a unified digital identity infrastructure across the EU.
• November 2023 — EU Parliament and Council reach political agreement on the final text of the regulation.
• February 2024 — European Parliament formally adopts Regulation (EU) 2024/1183.
• 20 May 2024 — Regulation enters into force. The legal clock starts. This is the baseline date for all subsequent deadlines.
• Late 2024 — Initial core Implementing Acts adopted. These contain the technical specifications, security standards, and interoperability rules for the EUDI Wallet. Member State deadline is ~24 months after key acts enter into force.
• Late 2026 — Member States must provide at least one certified EUDI Wallet to citizens and businesses. This is the first major hard deadline.
• Late 2027 — Obligated private-sector organisations, including banking, healthcare, telecoms, and large online platforms, must accept the EUDI Wallet as an authentication method.
• 2030 (target) — EU objective: 80% of European citizens equipped with a functional digital identity wallet.

Current Status of eIDAS 2.0: What's Happening in 2026

Last reviewed: March 2026

• Several Member States have launched national EUDI Wallet implementations ahead of the formal deadline, including France (France Identité), Austria (eAusweise), and Italy (IT-Wallet), and many others have announced their development. For a snapshot of the EUDI Wallet initiatives, see our dedicated article → A Global Snapshot of ID Wallets
• Implementing Acts are in advanced stages of review. Although the first core implementing acts were adopted in late 2024, additional rounds followed in 2025, covering areas like relying parties, trust services and attestations so the framework is well underway and usable for pilots and early builds. However, some implementing acts are still under development or consultation and will come throughout 2026 (e.g. certification schemes).
• Large Scale Pilots are testing the EUDI Wallet and providing real-world feedback shaping the final ARF specifications. Two Large Scale Pilots are currently active, with four having concluded their work. Gataca participates currently in the WE BUILD Consortium and has previously been part of the DC4EU and VECTOR consortia.
• The ARF (now in version 2.8) is a collaboratively developed “toolbox” document that guides how to implement the wallet in practice with architectural plans & best practices. It is continuously refined via member State input, large scale pilots and industry feedback. One of the most important debates currently ongoing in the ARF is about privacy vs traceability (and architecture choices) as some concerns remain about potential linkability.
• Private-sector organisations are advised to begin integration planning now to prepare for the 2027 deadline and avoid operational disruption and compliance exposure.

FAQs About the eIDAS 2.0 Timeline

Is eIDAS 2.0 already in force?

Yes. Regulation (EU) 2024/1183 entered into force on 20 May 2024. However, the practical obligations for Member States begin in late 2026, and for private-sector organisations in late 2027.

When must Member States provide the EUDI Wallet?

Member States must provide at least one certified EUDI Wallet in late 2026. They can offer a wallet directly themselves, mandate an external party to create a wallet, or recognise a wallet created by the private sector.

When must organisations accept the EUDI Wallet?

Obligated organisations have an additional 12 months after Member States launch their wallets. Based on current estimates, this means late 2027. The obligation applies to regulated sectors (banking, healthcare, telecoms, energy, transport, education) and very large online platforms with over 45 million EU users.

What is Regulation (EU) 2024/1183?

Regulation (EU) 2024/1183 is the official legal identifier for eIDAS 2.0, the amendment to the original eIDAS Regulation (No 910/2014). It establishes the legal basis for the European Digital Identity Framework, including the EUDI Wallet, new categories of trust services, and the mandatory acceptance requirements.

Does eIDAS 2.0 apply outside the EU?

The regulation applies to EU Member States and organisations operating within the EU. Non-EU organisations serving EU users, particularly very large online platforms, may fall within scope. Additionally, several non-EU countries are exploring interoperability arrangements with the EUDI Wallet framework.

How to Prepare for the eIDAS 2.0 Deadline: A Practical Checklist

Organisations should not wait for the mandatory deadlines. Here are the steps to take now:

1. Assess your scope: Determine whether your organisation falls under the mandatory acceptance obligation — check the sector list (banking, healthcare, telecoms, energy, transport, education) or whether you operate a platform with 45M+ EU users.
2. Review the ARF: Familiarise your technical teams with the EUDI Wallet Architecture and Reference Framework (ARF). This document defines the standards your systems will need to support, including W3C Verifiable Credentials and ISO/IEC 18013-5.
3. Audit your current identity stack: Map your existing identity verification and authentication workflows against the EUDI Wallet acceptance requirements. Identify integration points and gaps.
4. Engage a certified wallet provider: Choose an identity platform already aligned with eIDAS 2.0 specifications to avoid rebuilding from scratch. Gataca platform aligns with eIDAS 2.0 and supports EUDI Wallet integration for relying parties to ensure compliance.
5. Run a pilot: Test EUDI Wallet acceptance in a non-production environment before the deadline. Organisations in the large-scale pilot programmes have a significant head start.

Getting ready for eIDAS 2.0?

Gataca is already aligned with the EUDI Wallet ARF specifications. Whether you need to accept the EUDI Wallet as a relying party or issue verifiable credentials as a trusted issuer, Gataca can accelerate your path to compliance.

Trust is everything online. Every account created, every transaction approved, every digital interaction assumes that we know who’s on the other side.

For years, identity verification has carried that responsibility. And ID wallets have made that process dramatically better by providing more convenience and give users control

But the environment has changed. Fraud no longer operates in isolated moments. It moves across accounts, devices, and platforms. At the same time, users expect seamless experiences. They want security but without friction and constant interruptions.

This creates a gap. The question is no longer just “Is this person real?” but “What does this identity mean in context?”.

That’s where a new layer becomes essential. Not instead of wallets or verification but on top of them. A layer that connects signals and turns verified data into actionable insight.

This is identity intelligence.

Why is Identity Intelligence important now?

Fraud today doesn’t look like it did a few years ago.

We’re now seeing AI-generated identities that pass basic checks. Deepfake-enabled KYC attempts that convincingly mimic real users. Even AI agents acting autonomously on behalf of bad actors.

Meanwhile, users expect faster, frictionless digital experiences without compromising their privacy or security.

In this environment, organizations are often forced into a false choice: strengthen security or protect the user experience. The result is repetitive checks, added friction for everyone and higher drop-offs.

ID Wallets already provide a simple and fast way to verify identity, in just one click. But we need an approach that is as dynamic as the world we operate in, and for this on top of them, we need additional context, and this is done through identity intelligence.

What is Identity Intelligence?

Identity intelligence goes beyond checking whether a credential is valid.

Instead of focusing on a single proof at a single moment, it adds a layer that connects signals — across behavior, transactions, devices, and time — to build a clearer picture of risk.

It’s the difference between verifying a document and understanding an identity.

By analyzing patterns and context, identity intelligence helps organizations detect anomalies, uncover coordinated activity, and assess intent, not just authenticity.

At its core, identity intelligence turns fragmented identity data into actionable insight.

And that’s what allows organizations to strengthen fraud protection without adding unnecessary friction.

How Gataca applies Identity Intelligence on top of ID Wallets

Gataca builds on the foundation of ID wallets and adds intelligence where it matters.

Instead of applying the same static process to every interaction, we combine wallet-based verification with AI-driven analysis, cross-transaction risk assessment, and machine learning models that continuously evaluate behavior over time.

The result is dynamic trust scoring that evaluate each situation and adjusts accordingly, tightening security when threat levels are high and allowing one-click verification when the risk is low.

Organizations can configure risk scenarios specific to their operations, adapting controls to their threat models, compliance requirements, and customer journeys.

Additionally, Gataca generates behavioral and market-level insights derived from identity interactions.

And it’s all built on a privacy-first architecture. Every insight is powered by explicit user consent and anonymized data. That means businesses gain meaningful intelligence without compromising user privacy.

What are the benefits of using Identity Intelligence?

Identity intelligence is often viewed purely as a fraud defense tool but it’s much more than that as it can also unlock growth, efficiency, and better user experiences.

Because when you understand identity in context, you can make smarter decisions.

Smarter User Segmentation

With verified attributes and behavioral signals combined, organizations can segment users based on real trust indicators, not assumptions.

This enables:

• User segmentation based on verified attributes
• Trust tiering aligned with risk profiles
• Clear differentiation between new, unknown, and established users

Not every user should go through the same journey. Identity intelligence makes that possible.

Risk-Based UX and Adaptive Friction

Trusted users don’t want to be treated like suspects.

When organizations can confidently identify low-risk behavior, they can reduce unnecessary checks, making verification simple and fast without lowering security standards.

Automated Compliance

With continuous monitoring and compliance signals, organizations can automate verification processes based on regulatory requirements and automatically adapt to regulatory changes.

Fewer compliance headaches. Greater audit readiness.

Identity Intelligence is the new standard

In a world where fraud is adaptive and AI accelerates both opportunity and risk, trust cannot rely on isolated checks. It must be contextual and intelligent.

Wallets give us trusted data. Identity intelligence turns that data into actionable insights.

Together, they create a new standard for digital trust: one where security and user experience don’t compete, where fraud prevention and growth reinforce each other, and where identity becomes not just verified but understood.