Ireland's Government Digital Wallet Pilot Launches With Confirmed Security Gaps


How Government Digital Wallets Handle Identity Credential Storage


Ireland launched its government digital wallet pilot in mid-2025 storing driving licences, birth certificates, and passports without confirmed hardware binding. That's the exact fraud-prevention control the EU Architecture and Reference Framework explicitly requires for High assurance credentials under eIDAS 2.0. For US developers building on the same ISO/IEC 18013-5 standard, the real question is how a state-managed credential store reaches public deployment when the policy layer, hardware security guarantees, consent framework, and Data Protection Impact Assessment are all unresolved at launch.



  • ISO/IEC 18013-5 defines the mdoc format used for mobile driving licence presentation over NFC or QR code proximity protocols
  • SD-JWT (Selective Disclosure JSON Web Token) lets holders reveal only specific claims from a credential without exposing the full token payload
  • eIDAS 2.0, adopted by the EU in 2024, mandates that wallets meet High assurance level under ENISA's identity proofing framework
  • Wallet attestation verifies a device's software integrity before credential issuance and is required under the Architecture and Reference Framework (ARF) published by the European Commission
  • Hardware-level fraud prevention typically relies on a device's Secure Enclave or Trusted Execution Environment (TEE) binding the credential to one specific physical device. Without that, the credential is mobile in ways that create real impersonation risk.

The security model for these wallets lives or dies on binding strength: how tightly a credential is locked to a single authenticated device. Skip confirmed hardware binding, and credentials become portable in ways that enable impersonation and fraud. The gap between the theoretical architecture and what actually ships in a pilot is precisely where Ireland's implementation has drawn criticism. A deployment that bypasses confirmed hardware binding is shipping a credential store with a weaker threat model than the EU ARF requires, full stop.



Ireland's Digital Wallet Pilot and the Security Concerns Driving US Tech Attention


The Irish Government's public services digital wallet pilot launched in mid-2025 without confirmed hardware binding, no published Data Protection Impact Assessment, and a consent framework that the Irish Council for Civil Liberties (ICCL) and Digital Rights Ireland (DRI) argue is invalid under GDPR. The Irish Independent reported that the wallet would not include additional security measures specifically designed to prevent fraudsters from accessing or replicating stored credentials, which directly contradicts the assurance level requirements in eIDAS 2.0. The broader rollout is expected around 2026, with the wallet designed to store driving licences, birth certificates, and passports in a single state-managed application, though the precise timeline has not been formally confirmed.



  • ICCL and DRI identified missing legal basis documentation for processing sensitive identity data within the wallet infrastructure
  • The Irish Independent reported the wallet has been described internally as "mandatory but not compulsory," a framing that raises coercion concerns under GDPR Article 7 on freely given consent
  • No hardware-binding requirement was confirmed for the pilot, meaning credentials may not be locked to a single Secure Enclave or TEE as the EU ARF recommends
  • The Irish Times confirmed the wallet scope includes a driving licence, birth certificate, and passport: three of the highest-value identity documents a state can issue
  • Governance transparency was flagged as deficient by ICCL and DRI, with no published Data Protection Impact Assessment (DPIA) available at the time of their review

The phrase "mandatory but not compulsory" has become the sharpest point of controversy. It describes a system where refusing to use the wallet may result in reduced access to public services, even if participation is technically voluntary on paper. Under GDPR, consent used as a legal basis for processing is invalid if refusal carries a penalty. That means the Irish Government likely needs to rely on a different lawful basis entirely, probably a statutory obligation, but that basis has not been clearly articulated in any public documentation.



US developers and security researchers should pay attention, because several American states are actively piloting mobile driver's licences using the same ISO/IEC 18013-5 standard that underpins Ireland's credential format. The TSA began accepting mDLs at select airport checkpoints in the early-to-mid 2020s, and states including Arizona, Colorado, and Maryland have had active deployments, though the precise dates and current status of those programmes are worth verifying independently. What the Ireland pilot illustrates is what happens when the policy layer, the DPIA, the consent framework, the fraud-prevention controls, lags behind the technical deployment timeline. A wallet storing a passport and birth certificate without confirmed hardware binding is not a convenience feature with manageable risks. It is a high-value credential store with an unclear threat model. The ICCL and DRI critique arrives at a moment when the US identity community is watching European eIDAS 2.0 implementations closely to calibrate its own governance decisions, and Ireland has now handed everyone a concrete case study in what not to ship before the legal architecture catches up with the technical one.