A deep dive into the most significant regulatory developments shaping identity verification, the EUDI Wallet rollout, AI Act compliance, and AML reform curated by Liudmyla (Mila) Rabchynska, Director of Global Regulatory & Government Affairs at IDnow.

April 2026 was not a quiet month in the European regulatory landscape. If you follow digital identity, compliance, or AI governance, the developments that landed this month deserve your full attention – not just the headlines, but the detail beneath them.

At IDnow, we track these changes closely because they directly shape the future of identity verification across Europe. This article breaks down the key developments, explains what they mean in practice, and highlights what compliance teams, product leaders, and business decision-makers need to do next.

Two themes dominated the month: first, the legal infrastructure of the EUDI Wallet is being assembled piece by piece, faster than many expected. Second, the political architecture around AI is fracturing in ways that create real, immediate compliance risks.

EUDI Wallet & eIDAS 2.0: The Infrastructure Becomes Real

After years of policy debate and pilot programmes, the European Digital Identity Wallet is now acquiring legal bones. April 2026 saw three landmark developments in rapid succession.

1. CIR (EU) 2026/798: Remote Onboarding Is Now Law

On 7 April 2026, the European Commission adopted CIR (EU) 2026/798 under Article 5a(24) of eIDAS 2.0 (Regulation (EU) 2024/1183). Published in the Official Journal on 8 April, this implementing regulation establishes the legally mandated standard for remote onboarding of EUDI Wallet users across all EU and EEA Member States.

The standard in question is ETSI TS 119 461 V2.1.1 (2025-02), the European technical standard for identity proofing policy and security requirements. Every national wallet issuance process must now conform to it.

💡Why it matters for identity verification providers: This is the moment identity proofing for EUDI Wallet issuance moves from expectation to legal obligation. ETSI TS 119 461 creates an immediate, procurement-level demand signal for compliant identity proofing solutions across all Member States. If you operate in this space as a provider or as a procurer, this standard is now your compliance floor.

2. TLv6 Migration: The Trusted List Gets Its eIDAS 2.0 Upgrade

On 29 April, the eIDAS Trusted List ecosystem completed its migration from TLv5 to TLv6 format. A new LOTL notice (C/2026/1944) was published in the Official Journal, formally retiring TLv5 from the ecosystem.

TLv6 enables Member States to officially list the new categories of qualified trust services introduced by eIDAS 2.0: Qualified Electronic Attestations of Attributes (QEAAs), qualified archiving, electronic ledgers, and remote management of qualified signing devices.

💡One to watch: This is infrastructure plumbing the kind of milestone that gets underreported because it is not a political moment. But without TLv6, the new trust services created by eIDAS 2.0 cannot be officially recognised across Member States. This migration is, quietly, one of the most significant technical milestones of 2026.

3. EHDS Draft CIRs: The First Mandate to Issue Wallet Attributes at Scale

The European Commission published two draft implementing regulations under the European Health Data Space (EHDS) Regulation (2025/327). The Identity Management CIR (Ares(2026)3673210) is particularly significant: it is the first EU instrument to mandate that Member States issue sector-specific Electronic Attestations of Attributes (EAAs) to citizens’ EUDI Wallets at scale.

Every Member State must issue healthcare professional attributes as EAAs, and healthcare providers must accept them. Identity assurance requirements will progressively rise to Level of Assurance High.

💡The distinction that matters: The AMLR already mandated acceptance of EUDI Wallets – that was eIDAS 2.0’s first sectoral application. The EHDS CIR goes further: it mandates issuance of wallet credentials at mass-market scale. This makes healthcare the most concrete, legally mandated EUDI Wallet use case in existence. The public feedback period is still open.

4. ENISA Certification Scheme: Public Review Closes, Working Group Launches

30 April was the deadline for feedback on ENISA’s Draft Candidate EUDIW Cybersecurity Certification Scheme (v0.4.614), which includes the first draft of security requirements for Wallet-Related Service Providers. ENISA also formally launched an ad-hoc working group on standardisation.

💡 IDnow perspective: The certification scheme will define the security baseline for every provider in the EUDI Wallet ecosystem, including identity proofing and trust service providers. Engaging now is how organisations shape requirements rather than simply receive them.

5. EUDI Wallet Launchpad Report: Interoperability Is Real, Scale Is Not

The report from the EUDI Wallets Launchpad Event confirmed genuine progress on interoperability, the technical foundations are holding. However, trust frameworks, cross-Member-State coordination, and real-world adoption remain the unsolved problems. For organisations building wallet-based onboarding roadmaps, this report is essential reading.

National Spotlight: Digital Identity Goes Live

🇪🇸 Spain: MiDNI – Your Phone Is Now Your ID

Since 2 April 2026, Spain’s digital ID is officially available via the MiDNI app. Banks, hotels, public administrations, and businesses must now accept it for in-person processes. Citizens verify instantly with a dynamic QR code, no physical card required.

Current limitations include no support for online procedures, e-signatures, or travel documents, and an internet connection is required. Spain has entered Phase 2, adding banking, travel, and age verification use cases.

💡Why this matters beyond Spain: Spain has made digital ID real for ordinary citizens overnight, with mandatory acceptance across key sectors. The MiDNI launch is a proof of concept for the entire European digital identity project. When politicians argue that EUDI Wallets are too complex or too distant, Spain’s 2 April moment is the counter-evidence.

🇩🇪 Germany: 70% of Citizens Have Never Heard of the EUDI Wallet

A Bitkom survey of 1,004 Germans found that 52% have never heard of the EUDI Wallet, and 18% more know the term but cannot explain it. Only 5% say they can explain it well yet the German EUDI Wallet is set to launch for all citizens in early 2027.

The German EUDI Wallet Hackathon takes place fully online on 4–5 June 2026, open to developers, designers, product managers, and public sector participants, with top teams presenting at the EUDI Wallet Community Event in Berlin on 25 June.

💡The adoption risk: Technology readiness and public readiness are not the same thing. The awareness gap is a real variable for businesses building wallet-based onboarding roadmaps. Factor it into your timeline projections for Germany.

🇨🇭Switzerland & Ireland: Momentum Across the Continent

The Swiss Supreme Court ruled that the referendum result endorsing a national digital ID cannot be overturned, removing the last legal obstacle to implementation. Public beta testing of the Swiyu digital wallet is already open. Switzerland is now moving faster than several EU Member States, offering a valuable comparative benchmark.

In Ireland, active transposition of the EU Digital Identity Regulation continues, with citizen registration open for future wallet testing. Ireland has confirmed preference for its own national solutions for specific use cases like age verification, a pragmatic approach that reflects the layered reality of EUDI Wallet implementation.

AI Act: A Deadline That Refuses to Move

AI Act Omnibus Negotiations Collapse: August 2026 Deadline Stands

After twelve hours of negotiations on 29 April, EU Member States and the European Parliament failed to reach agreement on proposed amendments to the AI Act under the Digital Omnibus package. The core sticking point: whether industries already subject to sectoral regulation should be exempt from AI Act obligations.

The Cyprus Presidency confirmed no deal was reached. Talks are expected to resume in mid-May. Until a new deal is struck, the original August 2026 compliance deadline for high-risk AI systems, including biometric identification systems, remains in force. If the Omnibus amendments are eventually adopted, this deadline would be extended by 16 months.

Biometrics note: The Council’s proposal would allow authorities to ban biometric use based on data minimisation grounds if a less intrusive alternative exists. This provision has significant implications for organisations offering biometric verification. Additionally, whether AI-powered facial recognition and liveness detection systems fall within the ‘high-risk’ category remains unresolved.

💡IDnow recommendation: Plan your compliance programme against August 2026. Hope for a May deal. Do not bet your roadmap on it.

EU Age Verification App: ‘Technically Ready’: Until It Wasn’t

The EU’s official age verification app had a difficult April. Security researcher Paul Moore publicly demonstrated he could bypass its PIN protection in under two minutes, with other experts confirming the findings. The Commission initially declared the app ‘technically ready’ before walking the claim back, clarifying it was ‘still a demo version.’

Eight Member States including Germany, France, Ireland, and Poland have expressed reluctance to adopt it, preferring national solutions. For identity solution providers, the fragmentation this creates is also a market opportunity: demand for interoperable, standards-based, security-audited alternatives does not disappear because a Commission app exists.

EDPS AI Regulatory Sandbox: A New Mode of Engagement

The European Data Protection Supervisor has launched a pilot project for an AI regulatory sandbox, a controlled environment where organisations can test AI systems under regulatory supervision, with data protection compliance assessed in real time rather than retrospectively.

For any organisation developing AI products that process personal data, including biometric and identity data, this is the kind of regulatory engagement that can significantly reduce downstream legal risk. Monitor eligibility criteria as the pilot develops.

AML & Payments: The Compliance Architecture Tightens

AMLA Opens Two New Consultations

The Anti-Money Laundering Authority (AMLA) opened two additional public consultations in April:

A Draft RTS on group-wide AML/CFT requirements under Articles 16(4) and 17(3) of Regulation (EU) 2024/1624 – setting minimum standards for consolidated risk management across groups, including cross-border structures and third-country operations.
Draft Guidelines on business-wide risk assessment under Article 10(4) – defining expectations for identifying and managing ML/TF risks at entity level.

Together with the CDD RTS already under consultation, these instruments are shaping the full compliance framework that banking and financial services customers will operate under. The group-wide RTS is particularly significant for international financial groups.

PSD3/PSR: Strong Anti-Fraud Framework Incoming

The EU is replacing PSD2 with a two-instrument package: a directly applicable Payment Services Regulation (PSR) and a complementary Payment Services Directive (PSD3). The final compromise texts (Council documents ST-8221/26 and ST-8222/26) have been confirmed with no delegation objections and are heading for formal second-reading agreement at ECOFIN.

The shift to a directly applicable regulation means no more transposition variability across Member States. For identity verification providers, the strengthened anti-fraud provisions create a clear regulatory basis for stronger identity assurance requirements in payment contexts.

Digital Sovereignty: From Political Rhetoric to Procurement Reality

EU Business Wallet: The Sovereignty Debate Gets Uncomfortable

The proposed EU Business Wallet regulation is generating significant pushback around Article 7(2), which could exclude European QTSPs from the EBW ecosystem based on shareholder structure, even where those providers are fully operationally European.

IDnow has formally submitted feedback arguing that the restriction should focus on operational control rather than capital origin. The current drafting risks unjustified exclusion of EU-supervised QTSPs, artificial market concentration, higher costs for SMEs, and a chilling effect on international investment in European deep tech. Applying ownership tests rather than operational control tests would exclude some of Europe’s most capable trust service providers from the very infrastructure the EU is trying to build.

France, Germany & the Commission: A Pattern of Digital Sovereignty

Three significant developments reinforced Europe’s sovereignty shift this month:

France: Prime Minister Sébastien Lecornu signed the implementing decree for Article 31 of the SREN law, making ‘cloud de confiance’ a hard procurement filter for public administrations, not a soft preference.
EU Commission: A €180 million cloud procurement contract was awarded to four European providers, signalling that European provenance is becoming a procurement criterion, not just a political aspiration.
Germany: Digital Minister Karsten Wildberger announced plans to reduce dependence on US software, explicitly naming Microsoft, and shift towards open source solutions in public administration.

For European technology companies, including identity and trust service providers, this convergence is a structural tailwind worth taking seriously.

Netherlands: Data Sovereignty in Digital Identity Contracts

The Netherlands is examining data sovereignty implications in a digital identity contract with Solvinity, reflecting the broader EU trend of applying sovereignty criteria to identity and trust service procurement decisions. For European-headquartered, EU-supervised providers, this is an additional structural tailwind.

Data Protection: Rights, Tools & Tensions

Germany Proposes Police Facial Recognition on Public Social Media Images

German federal lawmakers are proposing an amendment to the Code of Criminal Procedure (Strafprozessordnung) that would allow law enforcement to run biometric searches against publicly accessible online images, including social media profiles.

This proposal sits at the intersection of the AI Act’s biometric identification provisions, GDPR’s restrictions on biometric data, and the EU’s Law Enforcement Directive. If adopted, it would almost certainly face immediate legal challenge. For identity and biometric technology providers, this is a reminder that the regulatory environment for facial recognition in law enforcement contexts remains deeply contested.

EDPB Publishes New DPIA Template: Immediately Useful

The European Data Protection Board has released a new standardised Data Protection Impact Assessment (DPIA) template. For organisations processing biometric and identity data, DPIAs are a legal requirement. A standardised template reduces compliance burden and improves consistency across jurisdictions.

Practical action: If your team has been working with a legacy internal DPIA template, now is a good moment to review it against the EDPB’s updated version, particularly if you operate in multiple Member States.

Key Takeaways for Identity & Compliance Teams

April 2026 demonstrated how rapidly the European regulatory landscape is moving. Here is what matters most:

CIR (EU) 2026/798 is law. ETSI TS 119 461 is now the compliance floor for EUDI Wallet identity proofing. Act accordingly.
The August 2026 AI Act deadline has not moved. Plan your biometric AI compliance against it – do not wait for the Omnibus outcome.
The EHDS Identity Management CIR will make healthcare the most legally mandated EUDI Wallet use case when adopted. Track it through 2026.
Digital sovereignty is becoming a procurement criterion across France, Germany, the Netherlands, and EU institutions. European identity providers have a structural advantage.
PSD3/PSR and AMLA consultations are tightening the compliance architecture for banking and payments customers. Engage with the consultations now.

How IDnow Can Help

IDnow is a European identity verification leader headquartered in Munich, with deep expertise in eIDAS 2.0 compliance, ETSI TS 119 461 conformance, AML/KYC solutions, and AI-powered identity proofing. Our Trust Platform is built for the regulatory environment described in this article, today and for what comes next.

Whether you are navigating EUDI Wallet readiness, AI Act compliance, or AML reform obligations, our team is ready to help you turn regulatory complexity into competitive advantage.