Abstract
This dissertation presents a comparative legal analysis of digital identity frameworks in the United Kingdom and European Union member states, examining the divergent regulatory philosophies, institutional arrangements, and technological architectures that characterise each jurisdiction’s approach. Through a comprehensive literature synthesis, the study investigates how the UK’s market-led, federated model—exemplified by the Gov.UK Verify programme and subsequent trust framework initiatives—contrasts with the EU’s harmonised, public-law regime established under the eIDAS Regulation and its successor, eIDAS 2.0. The analysis reveals fundamental differences in the role of state versus private actors, legal bases for data processing, cross-border interoperability mechanisms, and the extent to which digital identity serves domestic service delivery versus supranational integration objectives. Particular attention is given to the implications of Brexit for UK participation in mutual recognition arrangements and the recently abandoned Labour government proposals for expanded digital identity systems. The findings demonstrate that whilst both jurisdictions pursue digital identity solutions to enhance service accessibility and security, their approaches reflect distinct constitutional traditions, privacy expectations, and political sensitivities. The research concludes by identifying pathways for potential regulatory convergence and areas requiring further scholarly attention.
Introduction
Digital identity has emerged as a foundational element of contemporary governance, enabling citizens to access public services, engage in commercial transactions, and exercise civic rights in an increasingly digitalised society. The verification of identity in online environments presents complex legal, technical, and political challenges that jurisdictions worldwide have addressed through markedly different regulatory strategies. Within the European context, the contrast between the United Kingdom’s approach and that of European Union member states offers a particularly instructive case study in comparative law, illuminating how constitutional traditions, political sensitivities, and institutional arrangements shape regulatory outcomes in the digital sphere.
The United Kingdom has historically demonstrated pronounced resistance to centralised identity documentation, most notably evidenced by the abandonment of the Identity Cards Act 2006 and the destruction of the National Identity Register in 2010 (Naghmouchi et al., 2023). This political context fundamentally shaped the subsequent development of Gov.UK Verify, a federated system relying upon private identity providers rather than state-issued credentials. In contrast, numerous EU member states have long-established traditions of mandatory national identity cards, providing a foundation upon which digital identity schemes could be constructed with comparatively less political controversy (Kubicek, 2010).
The significance of this comparative analysis extends beyond academic interest. Digital identity frameworks directly affect citizens’ fundamental rights, including privacy, data protection, and access to services. They also have profound implications for cross-border commerce, freedom of movement, and the functioning of the digital single market. Following Brexit, the UK’s departure from the eIDAS mutual recognition framework has created new barriers to cross-border identity verification, whilst simultaneously providing opportunities for regulatory innovation unconstrained by EU harmonisation requirements. The Labour government’s recent proposals for expanded digital identity systems, subsequently abandoned amid political and civil liberties concerns, demonstrate that these issues remain contested and evolving.
This dissertation examines the legal and structural differences between UK and EU digital identity models, situating these differences within their broader constitutional, political, and historical contexts. It contributes to comparative law scholarship by systematically analysing how two closely related legal systems have diverged in their approaches to a common technological and governance challenge.
Aim and objectives
The primary aim of this dissertation is to conduct a comprehensive comparative legal analysis of the United Kingdom’s approach to digital identity and the models adopted by European Union member states under the eIDAS regulatory framework.
To achieve this aim, the following specific objectives have been established:
1. To trace the historical development of digital identity policy in the United Kingdom, from the rejection of identity cards through the Gov.UK Verify programme to the current trust framework model and recent policy proposals.
2. To examine the legal architecture of the EU’s eIDAS Regulation and its successor, eIDAS 2.0, including the mutual recognition framework and the European Digital Identity Wallet initiative.
3. To analyse the respective roles of public authorities and private sector actors in UK and EU digital identity ecosystems, identifying the regulatory philosophies underpinning each approach.
4. To evaluate the data protection implications of both models, with particular reference to GDPR compliance, legal bases for processing, and the allocation of controllership responsibilities.
5. To assess the cross-border implications of Brexit for UK digital identity schemes and the potential pathways for future regulatory cooperation or equivalence arrangements.
6. To identify areas of potential convergence and divergence in UK and EU approaches, drawing conclusions regarding the optimal design of digital identity frameworks.
Methodology
This dissertation employs a doctrinal legal research methodology combined with comparative analysis, synthesising existing scholarly literature, primary legal sources, and policy documents to examine digital identity frameworks across jurisdictions. The approach is qualitative rather than empirical, focusing on the interpretation and analysis of legal texts, regulatory instruments, and academic commentary.
The literature synthesis draws upon peer-reviewed journal articles, conference proceedings, and working papers published between 2010 and 2025, covering the evolution of digital identity policy from early eIDAS implementation through to the current wallet-based initiatives. Sources were selected based on their relevance to the comparative legal questions under examination, their methodological rigour, and their publication in reputable academic venues.
Primary legal sources include the eIDAS Regulation (EU) No 910/2014, the proposed eIDAS 2.0 amendments, the UK’s Data Protection and Digital Information Act provisions relating to digital verification services, and policy documents from the Office for Digital Identities and Attributes. Government publications, parliamentary materials, and official guidance documents supplement these primary sources.
The comparative methodology follows established approaches in comparative law scholarship, examining functional equivalents across jurisdictions rather than assuming direct correspondence between legal concepts. This approach recognises that different legal systems may achieve similar regulatory objectives through structurally distinct mechanisms, and that superficial similarities may obscure fundamental differences in legal effect or constitutional significance.
The analysis is structured around thematic dimensions identified as significant in the literature: the core identity instrument and its legal status; the institutional role of public and private actors; cross-border recognition and interoperability mechanisms; and data protection compliance frameworks. This thematic approach facilitates systematic comparison whilst accommodating the complexity and heterogeneity of national implementations within the EU framework.
Literature review
Historical foundations of digital identity policy
The development of digital identity frameworks in Europe reflects deeply embedded constitutional and political traditions regarding the relationship between the state and the citizen. Kubicek’s foundational comparative study of national eID management systems identified significant variations in the conceptual frameworks underpinning different national approaches, noting that the introduction of electronic identity in certain jurisdictions represented a “radical change in citizenship” whilst in others it constituted a technical enhancement of existing documentation practices (Kubicek, 2010). This observation proves particularly pertinent to understanding the UK’s distinctive trajectory.
The United Kingdom’s rejection of identity cards under the Identity Cards Act 2006, culminating in the destruction of the National Identity Register in 2010, established a political context fundamentally different from that prevailing in continental Europe. Naghmouchi and colleagues observe that this political history profoundly shaped the architecture of Gov.UK Verify, which deliberately avoided creating any form of national identification document or centralised identity database (Naghmouchi et al., 2023). The federated model, employing private identity providers operating under commercial contracts, emerged as a politically acceptable alternative to state-issued credentials.
In contrast, numerous EU member states possess long-established civil registration systems and mandatory national identity cards, providing institutional infrastructure upon which digital identity schemes could be constructed. Ruiu, Saiu and Grosso note that these states have progressively enhanced physical identity cards with electronic capabilities, including chip-based storage of biometric data, creating a foundation for high-assurance digital identity verification (Ruiu, Saiu and Grosso, 2024). This path-dependent development explains much of the structural variation observed across EU implementations.
The UK’s evolving digital identity architecture
The Gov.UK Verify programme represented the United Kingdom’s primary attempt to establish digital identity infrastructure for public service access. Launched in 2016, the system employed a federated architecture in which citizens selected from multiple certified private identity providers, who would verify their identity against various data sources before issuing credentials accepted by government services. Tsakalakis, O’Hara and Stalla-Bourdillon provide detailed technical and legal analysis of this architecture, noting that the central hub operated by the Government Digital Service received pseudonymised assertions from identity providers, which were then matched to service-specific identifiers (Tsakalakis, O’Hara and Stalla-Bourdillon, 2016).
This federated model raised significant questions regarding compliance with both the eIDAS Regulation and the General Data Protection Regulation. Stalla-Bourdillon, Pearce and Tsakalakis conducted a comprehensive analysis of Gov.UK Verify’s data protection implications, identifying substantial concerns regarding the legal basis for processing, the allocation of controller and processor responsibilities across the multiple parties involved, and the adequacy of transparency mechanisms (Stalla-Bourdillon, Pearce and Tsakalakis, 2018). They characterised the GDPR as a “game changer” for electronic identification schemes, suggesting that Verify’s architecture required fundamental reconsideration in light of enhanced data protection requirements.
The joint controllership question proved particularly problematic. Tsakalakis, Stalla-Bourdillon and O’Hara demonstrated that the complex data flows between identity providers, the central hub, and relying party services created ambiguity regarding which entity bore responsibility for which processing operations, potentially undermining individuals’ ability to exercise their data subject rights effectively (Tsakalakis, Stalla-Bourdillon and O’Hara, 2017). The UK government’s reliance on contractual arrangements rather than clear statutory provisions exacerbated these difficulties.
Gov.UK Verify was notified under the eIDAS Regulation shortly before Brexit, representing the UK’s sole notified national eID scheme. However, the UK’s departure from the European Union meant that this notification ceased to have legal effect, removing UK eIDs from the mutual recognition framework and creating barriers to cross-border service access for UK citizens (Stalla-Bourdillon, Pearce and Tsakalakis, 2018). The programme was subsequently wound down, with the UK government pivoting toward a new trust framework model under the auspices of the Office for Digital Identities and Attributes.
The current UK approach, embodied in the digital verification services provisions of the Data Protection and Digital Information Act and the GOV.UK One Login initiative, maintains the market-led philosophy whilst introducing stronger regulatory oversight. Naghmouchi and colleagues describe this framework as creating a certification regime for identity and attribute providers, establishing technical and governance standards without mandating any particular architectural approach or creating state-issued credentials (Naghmouchi et al., 2023). Seifert situates these developments within broader trends toward self-sovereign identity and blockchain-based credentialing, suggesting that the UK framework offers potential for innovation unconstrained by eIDAS harmonisation requirements (Seifert, 2020).
Recent political developments have demonstrated the continuing sensitivity of digital identity policy in the UK. The Starmer-led Labour government initially signalled intentions to expand digital identity requirements, particularly for age verification and access to certain services. However, these proposals were subsequently withdrawn following significant opposition from civil liberties organisations and parliamentarians concerned about surveillance implications and the potential for function creep. This episode illustrates that the political constraints which shaped Gov.UK Verify’s architecture remain operative, limiting the scope for more comprehensive identity infrastructure regardless of technical capabilities.
The EU eIDAS framework and mutual recognition
The eIDAS Regulation (EU) No 910/2014 established a legal framework for electronic identification and trust services across the European Union, creating the first supranational mutual recognition regime for digital identity. Under this framework, member states voluntarily notify their national eID schemes to the European Commission, whereupon other member states must recognise those schemes for access to public services requiring electronic identification at the same or lower level of assurance (Tsakalakis, Stalla-Bourdillon and O’Hara, 2017).
The regulation distinguishes three levels of assurance—low, substantial, and high—corresponding to different degrees of confidence in the claimed identity. Sharif and colleagues explain that the level of assurance depends upon the identity proofing and verification processes employed during enrolment, the authentication mechanisms used during service access, and the overall management and security of the identity scheme (Sharif et al., 2022). Only schemes notified at substantial or high assurance benefit from mandatory mutual recognition, creating incentives for member states to implement robust identity verification processes.
Implementation across member states has, however, remained heterogeneous. Ruiu, Saiu and Grosso observe that whilst some states base their notified schemes on chip-based national identity cards incorporating biometric data, others support multiple schemes at different assurance levels, and still others have been slow to notify any schemes (Ruiu, Saiu and Grosso, 2024). This variation creates interoperability challenges and fragments the user experience, limiting the practical benefits of mutual recognition for citizens seeking cross-border service access.
Wagner, Mannino and Lauer identify technical interoperability as a persistent challenge, noting that the eIDAS framework specifies requirements for notified schemes but does not mandate particular technical implementations, resulting in diverse architectures that must be bridged through dedicated interoperability nodes (Wagner, Mannino and Lauer, 2021). The eIDAS interoperability framework addresses these challenges at the protocol level, but variations in identity attributes, naming conventions, and data semantics continue to create friction.
The evolution toward wallet-based identity under eIDAS 2.0
The revision of the eIDAS framework through the eIDAS 2.0 Regulation represents a fundamental shift in the EU’s approach to digital identity, moving from a model based on notified national schemes toward a harmonised European Digital Identity Wallet (EUDIW) that all member states must offer to their citizens. Weigl and Reysner analyse this transition through the lens of institutional mimesis, observing that the wallet model explicitly draws upon GDPR principles of data minimisation and user control, effectively transplanting regulatory concepts from data protection law into identity management (Weigl and Reysner, 2025).
The EUDIW embodies principles associated with self-sovereign identity, enabling citizens to hold their identity credentials and attributes in a personal wallet application and selectively disclose only those elements necessary for particular transactions. Kudra and colleagues provide a comprehensive guide to this model, explaining that the wallet architecture decouples the issuance of credentials from their use, allowing citizens to obtain attested attributes from various public and private issuers and present them to relying parties without the issuer’s involvement or knowledge (Kudra et al., 2025). This design aims to enhance privacy by preventing the aggregation of transaction data by identity providers.
Sharif and colleagues situate the wallet model within broader technological trends, including distributed ledger technologies, verifiable credentials, and decentralised identifiers, noting that these developments enable new forms of identity verification that were not technically feasible when the original eIDAS Regulation was adopted (Sharif et al., 2022). However, they caution that the integration of these technologies with existing member state identity infrastructure presents significant technical and organisational challenges.
The relationship between eIDAS 2.0 and GDPR compliance has been central to the design of the wallet framework. Weigl and Reysner demonstrate that the regulation explicitly incorporates GDPR concepts and terminology, requiring that processing of personal data within the wallet ecosystem complies with data protection principles and that supervisory authorities with data protection competence oversee relevant operations (Weigl and Reysner, 2025). This alignment addresses criticisms levelled at the original eIDAS framework regarding insufficient attention to privacy implications.
Sedlmeir and colleagues examine the broader context of verifiable credentials and digital identity, noting that the wallet model enables attribute-based identity verification that can minimise disclosure of personal information whilst maintaining high assurance of specific claims (Sedlmeir et al., 2021). For example, a citizen might prove they are over eighteen years of age without revealing their precise date of birth, or demonstrate possession of a professional qualification without disclosing their full educational history. This selective disclosure capability represents a significant privacy enhancement compared to traditional identity documents.
Governance and institutional arrangements
A fundamental distinction between UK and EU approaches concerns the respective roles of public authorities and private sector actors in the digital identity ecosystem. The UK model, from Gov.UK Verify through to the current trust framework, assigns substantial responsibility to certified private identity providers, with the state acting primarily as a regulator and standards-setter rather than a direct service provider (Tsakalakis, O’Hara and Stalla-Bourdillon, 2016). This reflects broader UK preferences for market-based delivery of public services and scepticism regarding centralised government databases.
In contrast, EU member state implementations predominantly feature public authorities as the primary issuers and managers of identity credentials, reflecting traditions of administrative law that conceive identity verification as an inherently governmental function. Weigl and Reysner note that whilst the EUDIW framework accommodates private sector involvement in attribute provision, the core identity credentials remain anchored in state-issued documentation verified through public registries (Weigl and Reysner, 2025).
The institutional arrangements for oversight and supervision also differ significantly. The UK’s Office for Digital Identities and Attributes operates as a domestic regulator, establishing standards and certifying providers within a national framework that does not engage with EU-level coordination mechanisms (Naghmouchi et al., 2023). EU supervisory bodies, whilst nationally constituted, operate within a harmonised framework that includes mechanisms for cross-border cooperation and consistent application of standards.
Leese examines the governance of biometric identity systems within the EU, highlighting the role of interoperability frameworks in connecting previously separate databases and enabling automated identity verification across different administrative systems (Leese, 2020). This integration raises significant questions regarding the scope of state surveillance and the potential for function creep, concerns that have been prominent in UK debates regarding digital identity expansion.
Cross-border implications and the Brussels effect
The implications of regulatory divergence between the UK and EU extend beyond the immediate practical consequences of lost mutual recognition. Sullivan and Van Den Meerssche analyse the continuing influence of EU law on UK digital infrastructure, identifying an “infrastructural Brussels effect” whereby technical systems designed for EU compliance continue to shape UK practice even after formal withdrawal (Sullivan and Van Den Meerssche, 2024). This suggests that complete regulatory divergence may be neither feasible nor desirable, particularly for businesses operating across both jurisdictions.
The question of equivalence or adequacy arrangements, analogous to those existing in data protection, has been raised as a potential mechanism for restoring some degree of cross-border interoperability. However, the eIDAS framework does not currently include robust provisions for third-country recognition, and the technical and governance requirements for equivalence remain undefined (Tsakalakis, Stalla-Bourdillon and O’Hara, 2017). The UK’s ability to secure recognition for its digital identity schemes would depend upon its willingness to align with EU standards, potentially constraining the regulatory autonomy that Brexit was intended to restore.
Ivic and Troitiño analyse digital sovereignty as a dimension of European integration, suggesting that the EU’s digital identity initiatives serve not merely functional objectives of service accessibility but also contribute to the construction of a common European identity and the assertion of EU regulatory authority in the digital sphere (Ivic and Troitiño, 2022). From this perspective, the UK’s exclusion from eIDAS mutual recognition has symbolic significance beyond its practical effects.
Privacy, data protection, and fundamental rights
The relationship between digital identity systems and fundamental rights, particularly privacy and data protection, represents a critical dimension of comparative analysis. The GDPR establishes baseline requirements applicable across both UK and EU jurisdictions, though the UK has signalled intentions to diverge from EU data protection standards through provisions in the Data Protection and Digital Information Act.
Stalla-Bourdillon, Pearce and Tsakalakis demonstrate that Gov.UK Verify’s architecture raised substantial questions regarding GDPR compliance, particularly concerning the legal basis for processing, transparency obligations, and the exercise of data subject rights across the federated system (Stalla-Bourdillon, Pearce and Tsakalakis, 2018). The reliance upon contractual necessity and legitimate interests as legal bases was criticised as inadequately specified and potentially insufficient to justify processing of identity data.
Bulgakova and Bulgakova examine facial processing for identity verification in France, illustrating how member states navigate the intersection of eIDAS requirements and GDPR provisions regarding biometric data (Bulgakova and Bulgakova, 2023). Their analysis demonstrates that high-assurance identity verification increasingly requires biometric processing, engaging the enhanced protections afforded to special category data under Article 9 GDPR.
The EUDIW framework explicitly addresses these concerns through its design principles. Weigl and Reysner explain that the wallet architecture incorporates privacy by design, requiring that implementations minimise data collection, enable selective disclosure, and prevent the aggregation of transaction data by issuers or relying parties (Weigl and Reysner, 2025). Whether these design principles will be effectively implemented across the diverse technological and administrative contexts of EU member states remains to be seen.
Discussion
The comparative analysis reveals fundamental structural and philosophical differences between UK and EU approaches to digital identity, differences that reflect deeper constitutional and political divergences regarding the relationship between state, market, and citizen. These differences manifest across multiple dimensions: the role of state versus private actors; the legal basis and institutional arrangements for oversight; the extent of cross-border integration; and the mechanisms for ensuring data protection compliance.
The role of state versus market
The UK’s market-led approach, delegating identity verification to certified private providers, reflects a distinctive regulatory philosophy that conceives the state’s role as establishing standards and certifying compliance rather than directly providing identity services. This approach offers advantages in terms of innovation, allowing multiple providers to compete and develop diverse solutions, and in terms of political acceptability, avoiding the creation of centralised government databases that have historically provoked opposition. However, it also creates challenges regarding accountability, interoperability, and the consistent application of standards across different providers.
The joint controllership issues identified in Gov.UK Verify illustrate the complexity of allocating responsibilities across a federated system involving multiple private actors and government agencies. When identity verification fails or data breaches occur, the distribution of liability and the pathways for redress become unclear. The current trust framework model, whilst maintaining the market-led philosophy, attempts to address these concerns through stronger regulatory oversight and clearer certification requirements.
The EU model, whilst accommodating private sector involvement in attribute provision, maintains public authority leadership over core identity credentials. This reflects administrative law traditions that conceive identity verification as an inherently governmental function, closely connected to citizenship and the exercise of fundamental rights. The public authority role provides clearer lines of accountability but may limit innovation and create dependencies on government capacity and priorities.
The eIDAS 2.0 wallet model represents a hybrid approach, maintaining public authority responsibility for foundational identity credentials whilst enabling citizens to aggregate and present attributes from multiple sources. This architecture attempts to combine the accountability advantages of public provision with the flexibility and innovation potential of decentralised credentialing. Whether this hybrid model can be effectively implemented across twenty-seven member states with diverse administrative traditions remains uncertain.
Legal basis and data protection compliance
Both UK and EU frameworks must navigate the requirements of data protection law, but they do so through different mechanisms and with different degrees of success. The criticisms directed at Gov.UK Verify regarding inadequate specification of legal bases and unclear controllership arrangements highlight the challenges of designing federated identity systems that comply with GDPR requirements. The reliance upon contractual necessity and legitimate interests, rather than statutory provisions clearly specifying processing purposes and responsibilities, created legal uncertainty and potential vulnerability to challenge.
The eIDAS 2.0 framework explicitly incorporates GDPR principles, attempting to align identity regulation with data protection requirements from the outset. The institutional mimesis identified by Weigl and Reysner suggests that the wallet model draws legitimacy from its association with GDPR principles of user control and data minimisation. However, the translation of these principles into technical implementations across diverse national contexts presents significant challenges, and the gap between regulatory aspirations and practical outcomes may prove substantial.
The UK’s potential divergence from EU data protection standards creates additional complexity for cross-border scenarios. If UK data protection law diverges significantly from GDPR, the basis for data transfers between UK and EU identity systems would be undermined, further complicating any future equivalence arrangements.
Cross-border integration and regulatory divergence
Brexit has created a fundamental rupture in the cross-border dimension of digital identity. The UK’s notification of Gov.UK Verify under eIDAS, achieved shortly before withdrawal, provided only temporary access to mutual recognition, and UK eIDs are no longer recognised for access to EU public services. This exclusion affects both UK citizens seeking services abroad and EU citizens resident in the UK whose EU-issued credentials may not be recognised by UK service providers.
The absence of robust third-country provisions in the eIDAS framework limits the potential for restoring interoperability through equivalence arrangements. Unlike the adequacy mechanism in data protection, which provides a clear pathway for third countries to secure recognition for their data protection frameworks, eIDAS does not establish comparable procedures. Any future arrangement would require either bilateral agreements or amendment of the EU framework to accommodate third-country participation.
The “infrastructural Brussels effect” identified by Sullivan and Van Den Meerssche suggests that UK systems may continue to be shaped by EU standards regardless of formal regulatory divergence, particularly where businesses operate across both jurisdictions and find alignment more efficient than maintaining separate compliance regimes. This dynamic may constrain the scope for genuine regulatory innovation whilst preserving informal interoperability.
Political constraints and future trajectories
The abandonment of the Labour government’s digital identity proposals illustrates that the political constraints which shaped Gov.UK Verify remain operative. Civil liberties concerns regarding surveillance, function creep, and the potential for exclusion continue to limit the scope for comprehensive identity infrastructure in the UK. This political context distinguishes the UK from many EU member states where mandatory identity documentation is accepted as a normal feature of administrative practice.
These political constraints may ultimately prove more significant than technical or legal considerations in determining the trajectory of UK digital identity policy. The trust framework model, with its emphasis on certification of private providers rather than state provision, represents an accommodation of these constraints, but may limit the UK’s ability to achieve the coherent, high-assurance identity infrastructure that supports broader digital transformation objectives.
The EU’s trajectory toward wallet-based identity under eIDAS 2.0 represents an ambitious attempt to harmonise digital identity across member states whilst enhancing privacy and user control. The success of this initiative will depend upon effective implementation across diverse national contexts, significant technical coordination, and sustained political commitment. The challenges are substantial, but the potential benefits for cross-border service access and digital single market integration provide strong incentives for perseverance.
Conclusions
This dissertation has achieved its aim of conducting a comprehensive comparative legal analysis of UK and EU digital identity frameworks, examining the divergent regulatory philosophies, institutional arrangements, and technological architectures that characterise each jurisdiction’s approach.
The analysis demonstrates that the UK’s market-led, domestically focused model and the EU’s public-law, cross-border mutual recognition regime represent fundamentally different responses to the common challenge of digital identity verification. These differences reflect deeper constitutional and political divergences regarding the role of the state, the acceptable scope of identity documentation, and the relationship between domestic and supranational governance.
The UK approach, shaped by historic resistance to identity cards and preference for market-based service delivery, has produced a federated system relying upon certified private providers operating within a domestic trust framework. This model offers flexibility and innovation potential but creates challenges regarding accountability, interoperability, and GDPR compliance. The abandonment of recent Labour government proposals for expanded digital identity demonstrates that political constraints continue to limit the scope for comprehensive identity infrastructure.
The EU model, anchored in the eIDAS framework and evolving toward wallet-based identity under eIDAS 2.0, prioritises cross-border interoperability and public authority leadership whilst increasingly incorporating privacy-by-design principles drawn from GDPR. The heterogeneity of member state implementations and the technical complexity of the wallet architecture present significant implementation challenges, but the framework provides a coherent vision for European digital identity.
Brexit has created a fundamental rupture in cross-border digital identity recognition, excluding UK schemes from the eIDAS mutual recognition framework without establishing clear pathways for future cooperation. The absence of robust third-country provisions and the UK’s potential divergence from EU data protection standards may render formal equivalence arrangements difficult to achieve.
For comparative law scholarship, the UK-EU digital identity divergence offers valuable insights into how closely related legal systems respond to common technological challenges. The case demonstrates that regulatory outcomes in the digital sphere reflect not merely technical considerations but deeply embedded constitutional traditions, political sensitivities, and institutional arrangements.
Future research should examine the practical implementation of eIDAS 2.0 across EU member states, assessing whether the ambitious harmonisation objectives can be achieved given existing heterogeneity. Further attention to potential mechanisms for UK-EU cooperation, whether through formal equivalence or informal alignment, would address questions of considerable practical significance. Finally, comparative analysis extending beyond Europe to examine digital identity developments in other jurisdictions would enrich understanding of the range of regulatory possibilities and their respective advantages and limitations.
References
Balani, H., 2025. Securing the future of the EU Digital Identity Wallet: Why we need corporate digital identity standards now. *Journal of Financial Compliance*. https://doi.org/10.69554/snbz8506
Bulgakova, D. and Bulgakova, V., 2023. The Compliance of Facial Processing in France with the Article 9 Paragraph 2 (a) (g) of (EU) General Data Protection Regulation. *NaUKMA Research Papers. Law*. https://doi.org/10.18523/2617-2607.2023.11.64-76
Hofmann, H., 2025. New Regulatory Approaches under the EU’s Legislation on Digitalisation: Introduction to the Special Edition of the EJRR “Charting the Landscape of Automation of Regulatory Decision-Making”. *European Journal of Risk Regulation*. https://doi.org/10.1017/err.2024.86
Ivic, S. and Troitiño, D., 2022. Digital Sovereignty and Identity in the European Union: A Challenge for Building Europe. *European Studies*, 9, pp. 80-109. https://doi.org/10.2478/eustu-2022-0015
Kubicek, H., 2010. Introduction: conceptual framework and research design for a comparative analysis of national eID Management Systems in selected European countries. *Identity in the Information Society*, 3, pp. 5-26. https://doi.org/10.1007/s12394-010-0052-0
Kudra, A., Rieger, A., Sedlmeir, J., Roth, T., Fridgen, G. and Young, A., 2025. Digital Identity Wallets: A Guide to the EU’s New Identity Model. *Information Systems Journal*. https://doi.org/10.1111/isj.70009
Leese, M., 2020. Fixing State Vision: Interoperability, Biometrics, and Identity Management in the EU. *Geopolitics*, 27, pp. 113-133. https://doi.org/10.1080/14650045.2020.1830764
Lips, S., Vinogradova, N., Krimmer, R. and Draheim, D., 2022. Re-Shaping the EU Digital Identity Framework. *Proceedings of the 23rd Annual International Conference on Digital Government Research*. https://doi.org/10.1145/3543434.3543652
Naghmouchi, M., Laurent-Maknavicius, M., Levallois-Barth, C. and Kaaniche, N., 2023. Comparative Analysis of Technical and Legal Frameworks of Various National Digital Identity Solutions. *ArXiv*, abs/2310.01006. https://doi.org/10.48550/arxiv.2310.01006
Ruiu, P., Saiu, S. and Grosso, E., 2024. Digital Identity in the EU: Promoting eIDAS Solutions Based on Biometrics. *Future Internet*, 16, pp. 228. https://doi.org/10.3390/fi16070228
Sedlmeir, J., Smethurst, R., Rieger, A. and Fridgen, G., 2021. Digital Identities and Verifiable Credentials. *Business & Information Systems Engineering*, 63, pp. 603-613. https://doi.org/10.1007/s12599-021-00722-y
Seifert, R., 2020. Digital identities – self-sovereignty and blockchain are the keys to success. *Network Security*, 2020, pp. 17-19. https://doi.org/10.1016/s1353-4858(20)30131-8
Sharif, A., Ranzi, M., Carbone, R., Sciarretta, G., Marino, F. and Ranise, S., 2022. The eIDAS Regulation: A Survey of Technological Trends for European Electronic Identity Schemes. *Applied Sciences*. https://doi.org/10.3390/app122412679
Stalla-Bourdillon, S., Pearce, H. and Tsakalakis, N., 2018. The GDPR: A game changer for electronic identification schemes? The case study of Gov.UK Verify. *Computer Law & Security Review*, 34, pp. 784-805. https://doi.org/10.1016/j.clsr.2018.05.012
Sullivan, G. and Van Den Meerssche, D., 2024. An Infrastructural Brussels Effect: The translation of EU Law into the UK’s digital borders. *Computer Law & Security Review*, 55, pp. 106057. https://doi.org/10.1016/j.clsr.2024.106057
Tsakalakis, N., O’Hara, K. and Stalla-Bourdillon, S., 2016. Identity assurance in the UK: technical implementation and legal implications under the eIDAS regulation. *Proceedings of the 8th ACM Conference on Web Science*. https://doi.org/10.1145/2908131.2908152
Tsakalakis, N., Stalla-Bourdillon, S. and O’Hara, K., 2017. Identity Assurance in the UK: technical implementation and legal implications under eIDAS. *Journal of Web Science*, 3, pp. 32-46. https://doi.org/10.1561/106.00000010
Vinay, S., 2025. A Comparative Analysis of Cybersecurity Models and Issues: India, United States, and European Union. *Global Journal of Cyber Security*. https://doi.org/10.34218/gjcs_03_01_002
Wagner, E., Mannino, M. and Lauer, O., 2021. Towards European electronic identity: A blueprint for a secure pan-European digital identity. *Journal of Financial Compliance*. https://doi.org/10.69554/wjaw5900
Weigl, L. and Reysner, M., 2025. The Governance of the European Digital Identity Framework Through the Lens of Institutional Mimesis. *Regulation & Governance*. https://doi.org/10.1111/rego.70032
