European governments race toward a 2026 deadline to deliver digital identity wallets to citizens across the bloc. These tools promise to simplify access to public services, verify age online and store official documents in one place on a smartphone. Yet the architecture chosen by several member states creates an unexpected outcome. It ties critical public infrastructure directly to the security services of two American technology giants.
The European Digital Identity Wallet, born from updates to the eIDAS regulation, aims for interoperability and user control. Pilots wrapped up in 2025. Large-scale tests involving over 140 organizations from 19 member states validated uses in banking, health records and cross-border travel. Results looked promising on paper. Over 1,300 tests produced more than 1,000 successful transactions, including hundreds that crossed borders. But one detail undermines the sovereignty talk. Many national implementations depend on the Google Play Integrity API and Apple’s device attestation to confirm the wallet app runs on untampered hardware.
That dependency matters. A lot.
Danny Lämmerhirt at Waag laid out the risks in a detailed analysis published June 22, 2026. He argued that embedding these remote attestation services into public systems risks locking Europe into private corporate policies. Waag pointed to the Netherlands and Italy as examples where developers integrated Google’s API. Users running alternative Android builds such as GrapheneOS or /e/OS suddenly face blocks. They cannot prove device integrity without Google’s blessing.
Google’s Play Integrity API checks more than just tampering. It verifies whether the device runs a Google-licensed version of Android. It favors apps installed through the Play Store. It often requires a Google account sign-in. The service, offered free to developers to combat fraud and bots, doubles as a gatekeeper for the entire Android environment. Lämmerhirt called this “a clear violation of the Digital Markets Act.” The DMA seeks to curb exactly this sort of self-preferencing by gatekeepers.
But here’s the contradiction. European officials repeatedly pledge to reduce reliance on dominant technology firms. They speak of digital sovereignty and open standards. The Architecture Reference Framework for the wallets recommends but does not strictly require the Google and Apple services. Some countries took the recommendation as near-mandatory. Switzerland took a different path. It dropped Play Integrity over data protection and freedom-of-choice worries. It relies instead on Android’s Hardware Attestation API. That option performs security checks without enforcing Google’s ecosystem rules.
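The difference between the two approaches, as an added example that is not from the article or from any wallet project: a relying-party policy applied to attestation results that are assumed to be already signature-verified and parsed. Field and label names follow the public Play Integrity verdict and Android key attestation formats; the sample values, the boot-key placeholders and the `trusted_boot_keys` allowlist are constructed assumptions.

```python
# Added example. Inputs are assumed to be already signature-verified and parsed;
# only the policy decision is shown. All sample values below are constructed.

def play_integrity_accepts(verdict):
    """Strict policy over a decoded Play Integrity verdict."""
    labels = verdict.get("deviceIntegrity", {}).get("deviceRecognitionVerdict", [])
    app = verdict.get("appIntegrity", {}).get("appRecognitionVerdict")
    lic = verdict.get("accountDetails", {}).get("appLicensingVerdict")
    reasons = []
    if "MEETS_DEVICE_INTEGRITY" not in labels:
        reasons.append("device verdict lacks MEETS_DEVICE_INTEGRITY")
    if app != "PLAY_RECOGNIZED":
        reasons.append("app build not recognised by Google Play")
    if lic != "LICENSED":
        reasons.append("app not obtained through Google Play by this account")
    return (not reasons, reasons)

def hardware_attestation_accepts(root_of_trust, trusted_boot_keys):
    """Policy over the RootOfTrust fields of an Android key attestation.
    trusted_boot_keys is a hypothetical allowlist chosen by the relying party."""
    reasons = []
    if not root_of_trust.get("deviceLocked"):
        reasons.append("bootloader is unlocked")
    state = root_of_trust.get("verifiedBootState")
    key = root_of_trust.get("verifiedBootKey")
    if state == "SelfSigned" and key not in trusted_boot_keys:
        reasons.append("OS signed with a boot key the relying party does not trust")
    elif state not in ("Verified", "SelfSigned"):
        reasons.append(f"verified boot state is {state}")
    return (not reasons, reasons)

# Constructed samples: a stock certified phone and a locked alternative-OS phone.
STOCK_VERDICT = {"deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_DEVICE_INTEGRITY"]},
                 "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
                 "accountDetails": {"appLicensingVerdict": "LICENSED"}}
ALT_VERDICT = {"deviceIntegrity": {"deviceRecognitionVerdict": ["MEETS_BASIC_INTEGRITY"]},
               "appIntegrity": {"appRecognitionVerdict": "PLAY_RECOGNIZED"},
               "accountDetails": {"appLicensingVerdict": "UNLICENSED"}}
STOCK_ROT = {"verifiedBootState": "Verified", "deviceLocked": True,
             "verifiedBootKey": "<stock-key>"}
ALT_ROT = {"verifiedBootState": "SelfSigned", "deviceLocked": True,
           "verifiedBootKey": "<alt-os-key>"}

if __name__ == "__main__":
    for name, v, rot in (("stock", STOCK_VERDICT, STOCK_ROT), ("alt-os", ALT_VERDICT, ALT_ROT)):
        print(name, play_integrity_accepts(v), hardware_attestation_accepts(rot, {"<alt-os-key>"}))
```

With the allowlist in place, the locked alternative-OS sample passes the hardware policy while failing the Play Integrity policy on the device label and the licensing verdict.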
The split reveals fragmented governance. One EU framework. Multiple interpretations. Italy treats the recommendation like a requirement. The Netherlands follows suit. Such inconsistency weakens the claim that these wallets advance European independence. They risk turning national governments into enforcers of private platform rules.
Recent coverage reinforces the tension. A Follow the Money investigation, referenced in the Waag piece, detailed how the Dutch wallet cannot function without American tech. Android Authority reported on warnings that de-Googled devices trigger blocks in web-based services tied to similar attestation. Those articles date from before the June 2026 Waag publication but highlight persistent technical realities.
Meanwhile rollout preparations continue at pace. The European Commission adopted new implementing regulations in 2025. Member states must offer at least one certified wallet by the end of 2026. A study released in early 2026 asked what Europeans expect from these tools. Convenience ranked high. Privacy protections and ease of use mattered too. Yet the survey, hosted on the Commission’s digital-building-blocks site, did not address device-level dependencies on Big Tech.
Status reports from April 2026 show uneven progress. Some countries maintain they will meet the December deadline. Others lag in public sandbox availability and testing infrastructure. EID Easy tracked implementations and found many projects still opaque. Preparedness varies widely despite public commitments.
Technical pilots delivered proof of concept. The POTENTIAL project, concluded in late 2025, demonstrated cross-border interoperability in government services, bank account opening and mobile driver’s licenses. Coordinators stressed that success depends on common standards, governance and citizen trust. Florent Tournois, project coordinator, stated that “security is not just about technology — it requires governance, certification, and liability.” The pilot involved real transactions and reusable attestations. Its lessons now shape the reference implementation and upcoming rules. Yet none of the public summaries from that effort tackled the attestation layer dependency on commercial operating systems.
Critics inside the technical community have noticed. Discussions on public repositories in Germany and Switzerland show developers raising the same flags Lämmerhirt highlighted. These forums reach limited audiences. Broader public debate remains scarce. The wallets function as gateways to essential services. Health data. Tax filings. Age verification for online content. When access requires implicit approval from Google or Apple, the public nature of the infrastructure erodes.
Waag’s own work through the EU-funded Mobifree project adds evidence. Over two years researchers studied what drives users toward de-Googled mobile operating systems. Among 120 testers, compatibility with government identification and payment apps ranked as a top barrier to switching. Without those core services, alternative phones lose appeal. The finding underscores a practical lock-in effect even if users prefer more open software.
Alternatives exist. Android’s Hardware Attestation API offers hardware-based checks without the ecosystem enforcement. Open-source approaches could extend further. Yet the current reference framework tilts toward the convenient, proprietary options. Convenience for developers today may translate into structural dependence tomorrow.
Discussions on X reflect divided views. Some users see the EUDI system as an open ecosystem that could include wallets from banks, tech firms and even Google and Apple themselves. Others warn that distribution advantages and app store control still favor the giants. One thread from June 2026 noted that while the technical design avoids central databases and uses pseudonyms, installation outside app stores remains difficult. Apple and Google retain the ability to restrict distribution.
Industry voices express parallel concerns. Analyses from 2025 and 2026 note that off-the-shelf devices may need extra work to meet security standards. Wallet providers must cooperate with platform owners for access to secure elements. That cooperation carries risks of constrained innovation. One report observed that market concentration could favor companies with existing user bases and hardware control. The same names surface again and again.
Europe faces a genuine policy test. The wallets could deliver real gains in usability and cross-border functionality. They could reduce reliance on passwords and paper documents. They could give citizens better data control through selective disclosure features. All of that depends on implementation details that currently favor two companies whose business models rest on data collection, platform lock-in and app store revenue.
Public infrastructure demands public accountability. Design choices made in technical committees now shape daily digital life for hundreds of millions. If governments truly want technological sovereignty, they must revisit the attestation requirements. They could mandate hardware-based open mechanisms. They could fund development of attestation methods that do not report back to commercial gatekeepers. Switzerland shows one viable path. Others could follow.
Citizens running alternative operating systems already contact ministries to demand changes. Developers flag issues in open repositories. Journalists track the procurement and certification processes that will decide which solutions scale. The next few months matter. The 2026 launch window approaches. Decisions locked in now will prove hard to undo once millions of users download their national wallets.
The promise of digital identity that works everywhere in Europe collides with the reality of who controls the phones in our pockets. Resolving that collision requires more than pilot success metrics and regulatory deadlines. It demands consistent application of the principles Europe claims to champion: openness, interoperability and independence from any single vendor. Anything less hands the keys to the very firms regulators say they want to constrain.


WebProNews is an iEntry Publication