European Digital Identity Wallets and the Risk of US Tech Duopoly

The Dependency on US Tech Giants

The implementation of the European Digital Identity (EUDI) wallet framework risks cementing a systemic dependency on Google and Apple, potentially undermining European digital sovereignty. By relying on proprietary mobile operating systems and their respective attestation services, the EU is effectively outsourcing the verification of citizen identities to two US-based corporations.

This dependency manifests primarily through the requirement for hardware attestation to ensure device integrity. When digital ID apps rely on services like Google Play Integrity or Apple's equivalent, the ability of a citizen to access their legal identity becomes contingent on the approval and operational status of a private company's proprietary API.

Technical Barriers and the GrapheneOS Conflict

Proprietary attestation requirements create significant barriers for users of privacy-focused or open-source operating systems.

Exclusion of De-Googled Devices

Certain national implementations of the EUDI wallet have been criticized for strictly requiring Google Play Services. For example, users have reported that Italy's IO app—which handles wallets, documents, and age verification—does not support GrapheneOS, a privacy-hardened version of Android. This forces users either to accept Google's ecosystem or to lose access to essential digital government services.

The Risks of Remote Attestation

Beyond the requirements of individual apps, the use of remote attestation APIs is viewed by some as an attack on digital autonomy. Remote attestation lets a government or service provider decide which operating systems count as "acceptable." This creates a mechanism through which the state could pressure OS developers to install backdoors, or ban any OS that does not meet centrally managed security criteria.

Systemic Risks to Citizen Access

Integrating national identity into a proprietary app ecosystem introduces several non-technical risks that could impact citizen rights.

Account Deplatforming

If a citizen's identity is tied to a device that requires a proprietary account (e.g., a Google account), a ban or suspension of that account could theoretically lead to a loss of access to the digital ID. This creates a scenario where a private company's terms of service could inadvertently or intentionally strip a citizen of their primary means of interacting with the state.

Digital Exclusion

Requiring a smartphone for identity verification risks marginalizing populations who cannot afford such devices or choose not to own them. While EU regulations theoretically forbid member states from making smartphones mandatory for public services, the practical push toward "wallet" apps creates a high-friction environment for those relying on traditional physical IDs.

Proposed Alternatives for Digital Sovereignty

Critics and technical experts suggest several paths to decouple European identity from US tech monopolies:

  • Hardware Tokens: The EU could provide specialized, free hardware tokens with cryptographic primitives and device-bound keys, allowing citizens to verify their identity without a smartphone.
  • Physical Card Attestation: Utilizing existing physical EU ID cards as the attestation source. Users would tap their physical card against a phone for critical operations, moving the "root of trust" from the OS/Google/Apple to the physical government-issued card.
  • Local-First Open Standards: Rebuilding the EUDI (OpenID4VP) framework as a local-first open standard. In this model, the government issues a certificate that the user loads into any supported client app (open-source or proprietary), allowing selective data sharing via an open protocol without a static subject public key that could be used for tracking.
  • Web-Based Identity: Implementing web-based identity solutions to reduce dependency on the "safety" services provided by mobile app stores.
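As an added illustration, not code from the EUDI framework, OpenID4VP or any national wallet, the Go program below models the local-first design described in the third bullet and contrasts it with the attestation-gated model discussed under "The Risks of Remote Attestation". The issuer signs salted digests of each claim (the selective-disclosure idea that SD-JWT also uses) together with a holder public key; the wallet obtains several such copies under fresh Ed25519 keys, so no static subject key is ever presented twice; and the relying party's Verify checks only the issuer signature, the holder's proof of possession and a fresh nonce, never an OS or app-store verdict. All key material and claim values are generated or constructed inline, and the type and function names are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// Credential is the issuer-signed payload: salted claim digests (so the holder
// can disclose a subset) plus the holder key bound to this particular copy.
// (Hypothetical structure for this example, not an EUDI/OpenID4VP format.)
type Credential struct {
	Digests   []string
	HolderKey []byte
}

type Disclosure struct{ Salt, Name, Value string }
type SignedCredential struct{ Payload, IssuerSig []byte }

// Presentation is what the wallet sends to one relying party.
type Presentation struct {
	Cred        SignedCredential
	Disclosures []Disclosure
	Nonce       string
	HolderSig   []byte
}

func digest(d Disclosure) string {
	h := sha256.Sum256([]byte(d.Salt + "|" + d.Name + "|" + d.Value))
	return hex.EncodeToString(h[:])
}

// signedMessage binds nonce, issuer payload and disclosed claims under the holder key.
func signedMessage(p Presentation) []byte {
	m, _ := json.Marshal([]interface{}{p.Nonce, p.Cred.Payload, p.Disclosures})
	return m
}

// Issue signs one credential copy bound to holderPub; a wallet asks for several
// copies under fresh keys so that no single public key follows the citizen around.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, claims map[string]string) (SignedCredential, []Disclosure, error) {
	var discs []Disclosure
	var digs []string
	for name, value := range claims {
		salt := make([]byte, 16) // fresh salt per claim per copy: digests never repeat
		if _, err := rand.Read(salt); err != nil {
			return SignedCredential{}, nil, err
		}
		d := Disclosure{hex.EncodeToString(salt), name, value}
		discs = append(discs, d)
		digs = append(digs, digest(d))
	}
	payload, _ := json.Marshal(Credential{Digests: digs, HolderKey: holderPub})
	return SignedCredential{payload, ed25519.Sign(issuerPriv, payload)}, discs, nil
}

// Present reveals only the claims named in reveal and proves possession of the copy's key.
func Present(holderPriv ed25519.PrivateKey, cred SignedCredential, discs []Disclosure, nonce string, reveal map[string]bool) Presentation {
	p := Presentation{Cred: cred, Nonce: nonce}
	for _, d := range discs {
		if reveal[d.Name] {
			p.Disclosures = append(p.Disclosures, d)
		}
	}
	p.HolderSig = ed25519.Sign(holderPriv, signedMessage(p))
	return p
}

// Verify checks the issuer signature, the holder's proof of possession and the
// nonce, then returns the disclosed claims. Trust is rooted in the issuer key
// alone: no OS vendor or app-store verdict is consulted, so the client OS is
// irrelevant to the decision.
func Verify(issuerPub ed25519.PublicKey, p Presentation, expectedNonce string) (map[string]string, error) {
	if p.Nonce != expectedNonce {
		return nil, errors.New("nonce mismatch: possible replay")
	}
	if !ed25519.Verify(issuerPub, p.Cred.Payload, p.Cred.IssuerSig) {
		return nil, errors.New("issuer signature invalid")
	}
	var cred Credential
	if err := json.Unmarshal(p.Cred.Payload, &cred); err != nil {
		return nil, err
	}
	if len(cred.HolderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(cred.HolderKey), signedMessage(p), p.HolderSig) {
		return nil, errors.New("holder signature invalid")
	}
	known := map[string]bool{}
	for _, d := range cred.Digests {
		known[d] = true
	}
	claims := map[string]string{}
	for _, d := range p.Disclosures {
		if !known[digest(d)] {
			return nil, errors.New("disclosure not covered by issuer signature: " + d.Name)
		}
		claims[d.Name] = d.Value
	}
	return claims, nil
}
```

Discarding a copy after one use is what gives unlinkability across verifiers: two relying parties see different holder keys and different digests for the same citizen. The holder key could equally live on a physical ID card, as the second bullet proposes, since Verify only needs a signature from it. A real deployment would also need revocation and a trust list of issuer keys, which this sketch omits.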

The Regulatory Paradox

There is a broader concern that regulations intended to curb the power of tech giants may actually reinforce their monopolies. Because large corporations can afford the high cost of implementing complex new regulations—whereas smaller competitors cannot—regulatory burdens can inadvertently clear the market of smaller players, leaving only the largest entities capable of compliance.
