Mila’s Regulatory Radar: March 2026.

Your monthly guide to EU digital identity & compliance by Liudmyla (Mila) Rabchynska, Director of Global Regulatory & Government Affairs at IDnow.

🇪🇺 EU: The Multi-Regulatory Complexity Is Now Unavoidable

EDPB and EDPS issue two joint opinions in March – both matter for identity verification

• What: AI Act / GDPR / Cybersecurity / Certification
• Who’s affected: Compliance, Legal / Product & Security
• Action: One to act on

What happened: The EDPB and EDPS published two joint opinions in March. The first (12 March) addresses AI and health data, focusing on controller accountability, legal basis for AI training, and the role of Data Protection Authorities in AI Act enforcement. The second (19 March) covers certification and cybersecurity, which is relevant to anyone at the intersection of NIS2, eIDAS 2.0, and GDPR, particularly digital identity providers and QTSPs.

My take: March 2026 sits in what I call the AI Act enforcement gap: the window between the prohibition phase (February 2026) and the high-risk system obligations phase (August 2026). These opinions make one thing clear: DPAs are not waiting for the AI Office to shape the enforcement landscape. They are stepping in early, especially where biometric or health data is involved which is precisely the category most relevant to identity verification. The 19 March opinion adds another layer: providers must now navigate three frameworks at once: AI Act, NIS2, and eIDAS 2.0. There is also ongoing debate about whether biometric AI used for remote identity verification qualifies as high-risk under Annex III. Most legal experts say yes, but the conformity assessment path remains partially unclear pending Q2 2026 AI Office guidance. My strong advice: do not wait for that guidance before beginning your compliance readiness assessment.

AMLA’s first public hearing: The EU AML architecture is finding its footing

• What: AML/CFT / AMLA / Regulatory Technical Standards
• Who’s affected: Compliance & Legal / Sales & CS
• Action: One to watch

What happened: On 24 March 2026, AMLA held its first public hearing on draft Regulatory Technical Standards (RTS) under Article 28(1) AMLR. Rather than splitting standards by sector, AMLA is adopting a horizontal approach – one RTS covering both financial and non-financial sectors, with sector-specific measures only where necessary. It builds on the EBA baseline with targeted amendments, ensuring continuity while reflecting AMLA’s broader mandate.

My take: This milestone deserves more attention than it has received. AMLA moving from institution-building to regulatory output marks a genuine transition in how EU AML supervision will function. The decision to go horizontal with one cross-sector RTS rather than separate ones is the right call, and not the obvious one given how differently risk profiles look across financial and non-financial obliged entities. The practical implication for identity verification providers is that AMLA standards will set a common floor, while flexibility provisions within the RTS will determine the operational latitude obliged entities retain in choosing their verification methods. That is exactly where implementation detail will be decisive – and where I will be watching the final RTS text very carefully.

Dutch Supreme Court asks CJEU whether an ID photo is special category data & the implications go far beyond AML

• What: GDPR / AML / Special Category Data
• Who’s affected: Compliance & Legal
• Action: One to watch

What happened: The Dutch Supreme Court has referred to the Court of Justice of the EU (CJEU) a set of questions arising from an AML identity verification case. A woman was asked by her credit card company to upload a copy of her ID document to re-verify her identity under Article 40(1) AML Directive. The core questions referred: Does AML law require retention of the full ID document? If so, does that require retaining the photo? And – most significantly – must an ID photo be treated as special category personal data revealing racial or ethnic origin under Article 9(1) GDPR? A further question asks whether the purpose of the processing affects that classification.

My take: This is one of the most consequential CJEU referrals in the digital identity space in years – not because it will resolve quickly (it won’t), but because the answer to the third question could reshape data protection compliance for virtually every organisation that stores identity document copies. The Dutch Supreme Court itself answered “yes” to the photo-as-special-category-data question back in 2010. If the CJEU concurs – and does so without the “discriminatory purpose” limitation that Dutch courts have since applied to narrow it – the impact would be significant. Banks, employers, customer portals, identity verification archives – anyone storing ID photos would need to revisit their legal basis. This case also highlights an unresolved tension between AML data retention obligations and the GDPR data minimisation principle – a tension that neither legislator has resolved, and which practitioners are left to navigate in the meantime.

The December 2026 EUDI Wallet deadline: Ambitious by design, slipping by reality

• What: EUDI Wallet / National Implementation
• Who’s affected: Everyone
• Action: One to watch

What happened: Multiple Member States have publicly signalled that their EUDI Wallet production environments will not be ready by December 2026. The picture as of March:

• 🇨🇿 Czechia – trial operation in 2026, full certified production planned for early 2027
• 🇩🇪 Germany – phased rollout, first real-state wallet stage expected early 2027
• 🇳🇱 Netherlands – first wallet release expected in 2027, not meeting all EUDI requirements on day one
• 🇫🇷 France – public-private MoU targeting a 2027 launch
• 🇪🇸 Spain – Cartera Digital in pilot today, early 2027 for broader rollout.
• Separately, Switzerland has postponed its national e-ID to December 2026 after a federal audit identified unfinished work on encryption design, identity issuance processes, and verifier oversight.

My take: The December 2026 deadline is working as a coordination mechanism more than a hard delivery date – which is probably the most honest way to put it. The regulation requires wallet availability, but it does not specify what availability looks like when five of the EU’s largest Member States are in pilot or transition mode. What this tells us: the market for EUDI Wallet-integrated services won’t be at scale in 2026, it will begin to emerge through 2027. For technology providers, that is a planning input, not a reason for wait. The infrastructure decisions being made now – architecture, certification pathways, integration standards – will determine who is positioned to win when scale arrives. The timeline has been described as “ambitious”, which, in regulatory parlance, is a polite way of saying “optimistic to the point of courageous.”

EUDI Wallet technical infrastructure taking shape: WE BUILD blueprint, ENISA scheme, ETSI standard

• What: EUDI Wallet / Standards / Certification
• Who’s affected: Product & Security / Compliance & Legal
• Action: One to watch

What happened: Three significant technical publications landed in March. The WE BUILD Large Scale Pilot published its Blueprint for the high-level architecture of the EUDI Wallet ecosystem. ENISA published the EUDIW certification candidate scheme, opening it for review by EU Member States and ENISA experts. ETSI published standard TS 119 472-3 — “Profiles for issuance of EAA or PID” — an EUDI Wallet profile of OpenID4VCI.

My take: Together, these three publications represent the technical backbone of the EUDI Wallet ecosystem taking shape – even as national deployment timelines slip. The ETSI TS 119 472-3 standard is particularly significant: it defines how Person Identification Data and Electronic Attestations of Attributes are issued using OpenID4VCI, which is the protocol the ecosystem is converging on. The ENISA certification candidate scheme, now open for expert review, is the precursor to the formal certification scheme that wallet providers will need to certify against.

AI omnibus enters trilogue; European business wallet still awaiting parliament’s position

• What: AI Act / European Business Wallet / EU Inc.
• Who’s affected: Compliance & Legal, Sales & CS
• Action: One to watch

What happened: On 26 March 2026, the European Parliament adopted its first-reading position on the AI Omnibus. Interinstitutional trilogue negotiations began the same day, with a target for final agreement at the second trilogue on 28 April. The European Business Wallet (EBW) – part of the broader Digital Omnibus – was not included in the voting package; Parliament’s internal handling is still being set up. The Commission’s EBW stakeholder consultation runs until 6 May 2026. On 18 March, the Commission also presented the EU Inc. proposal – an optional EU-wide corporate framework that relies on the EBW for digital-first interactions with public authorities across the Union.

My take: The AI Omnibus moving into trilogue is good news for legal certainty. The faster a final text is agreed, the sooner implementing guidance can follow and the enforcement gap can begin to close. The absence of the European Business Wallet from the Parliament’s voting package is the more notable gap: EBW is the enterprise counterpart to the consumer EUDI Wallet, and the EU Inc. proposal is already building on it as a foundational assumption. The Commission has set an ambitious legislative agenda; Parliament needs to catch up on the EBW file. For organisations that interact frequently with EU public authorities or plan to operate under the EU Inc. framework, getting your response into the stakeholder consultation before 6 May is worthwhile.

🇩🇪 Germany: Framework-Building Season

Germany’s TKG amendment formally recognises the EUDI Wallet for telco identification

• What: Telecommunications / eID / eIDAS 2.0
• Who’s affected: Sales & CS, Product & Security
• Action: One to watch

What happened: The Federal Ministry for Digital and Transport (BMDS) published the draft Telecommunications Act Amendment Bill 2026 (TKG-Änderungsgesetz 2026). The key change for our space is a complete rewrite of §172 Abs. 2, which now lists ten accepted identification methods, including, explicitly, other eIDAS-notified eIDs at Level of Assurance “high” and the EUDI Wallet under Article 3(42) eIDAS 2.0. A new §172 Abs. 2a consolidates provisions on alternative methods. Notably, BNetzA also receives a new general power to set detailed requirements for the standard verification methods, motivated by a documented increase in violations in in-store verification processes.

My take: This is, as far as I am aware, one of the first instances of a national legislator writing the EUDI Wallet into a sectoral compliance obligation by name. §172 TKG governs how telecoms operators must verify subscriber identities, a market where IDnow is an active provider, so the explicit statutory inclusion of the EUDI Wallet as an accepted method is a direct product-planning signal. The BNetzA power to set detailed requirements for standard methods is also worth watching: it responds to real-world enforcement problems and signals that the regulator intends to use its new toolbox actively. This draft will now go through consultation; I will be tracking its progress closely.

Germany’s DIdG: A national EUDI Wallet law with a provision on minors

• What: eIDAS 2.0 / EUDI Wallet / National Implementation
• Who’s affected: Product & Security, Compliance & Legal
• Action: One to watch

What happened: The German federal government published the draft Digital Identity Act (Digitales-Identitäten-Gesetz / DIdG), establishing the legal basis for Germany’s national EUDI Wallet implementation. Among its provisions, the draft expressly permits the experimental issuance of person identification data to natural people from age 12, but only where a prior risk assessment confirms that no overriding risks to the reliability and integrity of the identification infrastructure arise. This is a tightly conditioned testing power, not a decision to make the wallet routinely available to minors.

My take: The DIdG is the legislative foundation Germany needed to move from EUDI Wallet pilots toward a regulated production environment. The provision on minors is drafted with commendable caution – risk-assessment-gated experimental issuance is a far cry from a blanket policy to deploy digital identity to under-18s, and the distinction matters for how implementers should read it. More broadly, Germany is, characteristically, building the legislative framework before the wallet infrastructure is ready, which is the right sequencing but confirms that a production-grade German EUDI Wallet will not appear before early 2027, consistent with what we are hearing across major Member States.

Germany submits AI Act implementation law to Bundestag

• What: AI Act / Market Surveillance / Regulatory Sandboxes
• Who’s affected: Compliance & Legal, Product & Security
• Action: One to watch

What happened: The German Cabinet has submitted the AI Market Surveillance and Innovation Promotion Act (KI-Marktüberwachungs- und Innovationsförderungsgesetz) to the Bundestag. BNetzA is designated as the national AI Act market surveillance authority; BaFin covers the financial sector. BNetzA will also operate Germany’s AI regulatory sandbox (KI-Reallabor), building on a completed pilot project run jointly with the Hessian Ministry for Digitalisation and the Federal Data Protection Commissioner. The EU deadline for establishing at least one national AI sandbox is 2 August 2026.

My take: The designation of BNetzA as Germany’s primary AI Act authority, combined with its new powers under the TKG amendment, makes it an increasingly central counterpart for any organisation providing AI-assisted identity verification in Germany. The KI-Reallabor is genuinely interesting as a mechanism: a supervised environment where companies, particularly SMEs and start-ups, can develop and validate AI systems under regulatory oversight before market entry. For identity verification providers navigating the AI Act high-risk classification and conformity assessment requirements, this is a pathway worth understanding now rather than in August.

🇬🇧 UK: The moment DVS became real

The UK Digital Identity Trust Framework reaches v1.0

• What: Digital Identity / Trust Framework
• Who’s affected: Everyone
• Action: One to act on

What happened: On 3 March 2026, the UK’s Office for Digital Identities and Attributes (ODIA) published DIATF version 1.0 – the first release to carry a “1.0” designation and the first to introduce version-controlled supporting documents. Beta (0.3) certifications expired definitively on 31 March. Gamma-certified providers can undertake a step-up assessment rather than a full re-assessment. All new certifications from this point must be against v1.0. On 26 March 2026, the UK Government published a draft statutory instrument, together with an explanatory memorandum, proposing amendments to the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs). The draft has been submitted for parliamentary approval and formally enables DVS-certified providers to satisfy statutory identity checks under the MLRs, connecting the trust framework directly to a binding legal AML obligation.

My take: This is UK digital identity infrastructure moving from pilot plumbing into real regulatory architecture, and the significance is easy to understate if you have been tracking the framework since its beta drafts. What changed is not just a version number – it is that the framework is now statutory (post-Data (Use and Access) Act), version-controlled, and tied to a concrete compliance obligation in AML law. The DVS-to-AML confirmation is the commercial unlock the market has been waiting for: for the first time, a UK regulated business can satisfy an AML identity check requirement by pointing to a certified digital verification service. That is a structural shift. The 31 March Beta certification expiry was the hard stop that forced the market to decide, and that kind of deadline discipline is, frankly, something EU regulators could learn from.

Also worth your attention this month:

• 🇫🇷 France: French airports will accept the France Identité digital ID from Summer 2026 — a real-world deployment milestone that shows national eID working in high-friction physical use cases.
  
• 🇸🇪 Sweden: DIGG (Swedish Digitalisation Agency) has published the official timeline for the Swedish EUDI Wallet — one of the clearer, more detailed national roadmaps currently available publicly.
  
• 🇧🇬 Bulgaria: Bulgaria has published a draft digital ID law but is widely expected to miss the EUDI Wallet December 2026 deadline — adding to the growing list of Member States where implementation timelines are under pressure.
  
• 🌐 US-EU Biometrics: The United States and the European Union have entered formal negotiations over a biometric data-sharing arrangement that would grant DHS access to fingerprint and biometric records held by EU Member States. Given the current state of transatlantic data relations and the sensitivities around Article 9 GDPR data, this one deserves careful watching.

By

Liudmyla (Mila) Rabchynska
Director of Global Regulatory & Government Affairs at IDnow
Connect with Mila on LinkedIn