What LisbonID 2026 Told Us About the State of Digital Identity in Europe

Two days. Dozens of conversations. One consistent theme: the distance between policy ambition and operational reality is still significant and the organisations closing that gap are the ones worth watching.

We arrived at LisbonID Conference 2026 with a clear question in mind: where does digital identity implementation in Europe actually stand? Not where the regulation says it should be. Not where the roadmaps promise it will be. Where is it right now , in the systems that organisations are building, the integrations that IT teams are managing and the decisions that technology leaders are making under real-world pressure? Two days of conversations gave us a more honest picture than any report could. Here is what stood out.

27 national identity frameworks — one continent, no common operating layer yet
Aware ≠ Ready Most organisations know eIDAS 2.0 is coming. Few have a concrete implementation plan.
The wallet is live before the architecture is Policy timelines and operational timelines are not the same thing.

The eIDAS 2.0 gap is real and most organisations know it

The European Digital Identity Wallet framework has been described as a turning point for how citizens interact with public and private services across Europe. And in principle, it is. The ambition is correct: a portable, interoperable, privacy-respecting identity layer that works across borders and sectors. The problem is that ambition and implementation are running on very different timelines. Most of the IT directors we spoke to at LisbonID are working with organisations that are nominally aware of eIDAS 2.0 requirements but haven’t yet translated that awareness into a concrete implementation plan. The regulation is understood as something coming. The operational implications are still being worked out. This isn’t negligence. It’s the normal rhythm of complex regulatory change, especially when the technical standards that underpin implementation are still being finalised at the European level. But it creates a window of real risk for organisations that wait too long to start building.

The teams that are ahead right now are not the ones who started after the full picture was clear. They are the ones who started building with what existed, stayed close to the evolving standards and built flexibility into their architecture from the beginning.

Interoperability is the actual hard problem

One of the most consistent themes across the two days was the gap between identity solutions that work in isolation and identity infrastructure that works across systems. A digital identity credential that is trusted by one public authority but not by a financial institution. An enterprise identity management system that works domestically but breaks at the border. A citizen-facing application that handles one identity document type but not another. 

What interoperable identity infrastructure actually has to do
Credential issued
By national authority, wallet, or enterprise IdP
Trust validated
Across authority types, sectors and borders
Standard bridged
Middleware translates between frameworks in flight
Legacy reached
Existing systems receive verified identity without rebuild
Service granted
Citizen or employee accesses what they need, seamlessly
The abstraction layer in the middle is the hard part. Interoperability is not a feature to add later — it is the architecture.

These are not edge cases. They are the everyday operational reality of digital identity in Europe — a continent with 27 different national frameworks, significant legacy infrastructure and genuine variation in how identity is legally defined and administratively managed. The most interesting conversations at LisbonID were about how organisations are approaching this. The answer, increasingly, is to stop treating interoperability as a future problem to be solved once everything else is in place and start treating it as a foundational design requirement. This shift in thinking has practical consequences. It means choosing middleware and integration layers that are built explicitly to handle variation across identity standards, rather than optimised for a single framework. It means investing in abstraction — the ability to sit between the credential that exists today and the wallet that will exist tomorrow, without rebuilding the integration every time something changes. It’s the kind of architectural thinking that doesn’t always get recognised at the feature level but makes an enormous difference to the long-term cost and resilience of identity infrastructure.

The procurement challenge nobody is talking about loudly enough

Alongside the technical conversation, there was a quieter but equally important thread running through LisbonID: procurement and vendor selection are not keeping pace with the speed of the identity standards landscape.
Many organisations are locked into contracts with vendors who made commitments about eIDAS 2.0 readiness that are proving difficult to honour. The standards moved. The vendor’s roadmap didn’t move fast enough. And the organisation is now in the uncomfortable position of having invested in infrastructure that may need significant rework before the European Digital Identity Wallet goes live.

This isn’t a criticism of any particular vendor. It’s a structural problem with how identity technology is being procured. Organisations are evaluating solutions against requirements that were written before the current version of the technical specifications existed. By the time a procurement cycle completes and a contract is signed, the specification may have changed again.

The organisations navigating this well are building vendor evaluation criteria that go beyond feature checklists. They are asking how closely a vendor is engaged with the standards bodies. They are asking for evidence of participation in pilot programmes and cross-border interoperability testing. They are treating proximity to the evolving policy conversation as a selection criterion in its own right, not just as a nice-to-have, but as a genuine indicator of whether a solution will remain fit for purpose in two years.

This is a meaningful shift in how identity infrastructure decisions get made. And it’s one we expect to see accelerate as the wallet rollout approaches and organisations realise that compliance is a moving target, not a fixed destination.

Vendor evaluation criterionTypical procurement checklistWhat LisbonID taught us to ask
eIDAS 2.0 compliance commitmentYes / No checkbox✓ Show evidence, not claims
Proximity to standards bodiesNot assessed✓ Active participation required
Cross-border interoperability testingNot assessed✓ Pilot results, not roadmap promises
Architecture flexibility as spec evolvesNot assessed✓ Selection criterion, not nice-to-have
Legacy system compatibilityChecked at feature level✓ Middleware + integration depth
Fit for purpose in 2 yearsAssumed✓ Stress-tested against evolving standards
Compliance is a moving target. The vendor that was ready for last year's draft may not be ready for the version that goes live.

Legacy systems are the real conversation nobody wants to have

If there was one topic that came up more in hallway conversations than in formal sessions, it was legacy. Most European organisations especially in the public sector and financial services, the two sectors where digital identity matters most are not starting from a greenfield environment. They have systems that have been running for ten, fifteen, twenty years. They have databases, authentication layers and document management workflows that were designed before digital identity was a policy priority and before the current generation of identity standards existed. Integrating with modern identity infrastructure doesn’t mean replacing those systems.

In most organisations, that isn’t realistic not in terms of budget, not in terms of risk, and not in terms of the operational continuity required of public services and regulated industries. What it does mean is building the right interface between what exists and what’s coming. The organisations getting this right are treating legacy not as a blocker but as a constraint to design around and investing in integration solutions that can bridge the gap without requiring a full modernisation programme as a prerequisite. This is where the practical value of purpose-built identity middleware becomes clearest. Not as a replacement for existing infrastructure, but as a translation layer — something that allows a legacy system to communicate with modern identity standards without being rebuilt from scratch.

Treat legacy as a constraint, not a blocker
The organisations getting this right are not trying to replace systems that have run reliably for fifteen years. They are designing around them — building the interface between what exists and what is coming, without requiring a full modernisation programme as a prerequisite.
Invest in the translation layer, not the replacement
Purpose-built identity middleware earns its value not by replacing existing infrastructure but by letting it communicate with modern standards. A legacy authentication system that can speak to an eIDAS 2.0 wallet without being rebuilt is operational continuity, not technical debt.
Build flexibility in from the start
The technical standards underpinning the European Digital Identity Wallet are still evolving. Architectures that are built tightly around a single specification version will need significant rework. The organisations ahead right now chose abstraction deliberately — so that when the specification changes, the integration does not have to.

The trust question is more important than the technology question

Perhaps the most important thing we heard at LisbonID had nothing to do with technical standards or regulatory timelines. It was a straightforward observation from an IT director working in the public sector: “The citizens don’t care what standard we use. They care whether they can trust that their identity is being handled correctly.” It sounds obvious. But it has real implications for how organisations approach digital identity implementation and how they communicate it internally. The technology decisions are important. But they are in service of a broader objective: building systems that citizens, employees and partners can rely on without having to understand the mechanics. The trust is the product. The infrastructure is what makes it possible.

What that also means, in practice, is that the user experience layer of digital identity deserves as much attention as the technical layer beneath it. Organisations that invest heavily in compliant, interoperable infrastructure but neglect the moment of interaction, the citizen opening a wallet application for the first time, the employee authenticating across a border, the customer verifying their identity to access a regulated service, risk undermining the trust they have worked hard to build. Seamless, transparent, and clearly communicated identity interactions are not a UX afterthought. They are part of what makes the infrastructure trustworthy.

At Caixa Mágica, this is how we think about eID Box. Not as a compliance tool or a technical integration layer though it is both of those things but as a way of making identity infrastructure that people can actually depend on. Reliable, interoperable, built to evolve as the standards evolve.

Audit evidence chain — built for DORA, Solvency II, PSD2
Requirement
Jira/ALM ID, version, owner
Generated test
Script + hash, model + prompt
Execution
Timestamp, env, operator
Result
Pass/fail, logs, traces
Archive
Signed, retention, on-demand
Designed against DORA Articles 6 & 9, Solvency II Pillar 2, and PSD2 Article 95. Your regulator-facing evidence is a query away.

Qualigentic also deploys where regulated data must live:

On-Premise
Your data centre
  • Open-source self-hosted models (Llama, Mistral)
  • PEFT / LoRA fine-tuning inside customer perimeter
  • No data egress under any condition
  • Audit chain on customer storage
Private Cloud
Your tenant
  • Azure AI Foundry, AWS, GCP — customer-owned
  • Bring-your-own model and keys
  • Region pinning (EU, US, JP)
SaaS
Caixa Mágica managed
  • Managed in the EU, fastest time-to-value
  • SOC 2-style controls, signed evidence chain
  • Anthropic / OpenAI / Azure OpenAI selectable
Tiering is by capability, not deployment. Regulated clients can start on-premise from day one.

What comes next

The conversations at LisbonID 2026 reinforced something we already believed but heard confirmed from multiple directions: the organisations that will be well-positioned as the European Digital Identity Wallet becomes operational are not waiting for clarity. They are building now, with the standards that exist, and staying close enough to the policy conversation to adapt. The gap between policy ambition and operational reality is real. But it’s also a gap that organisations can close if they treat digital identity as infrastructure rather than compliance, and start building with that mindset today.

For the teams navigating this: the questions worth asking are less about which regulation applies and more about what your identity architecture needs to be capable of in three years. Work backwards from that. Build flexibility in from the start. And find partners who are as close to the standards conversation as they are to your implementation challenges.

That is the work we are doing. And if LisbonID 2026 was any indication, it’s the work that matters most right now.

Caixa Mágica Software
Caixa Mágica Team
Caixa Mágica Software is a Portuguese software company with 20+ years of experience delivering custom software, AI solutions and nearshore development teams for European businesses.
eID Box · Caixa Mágica Software
See what identity infrastructure built for eIDAS 2.0 looks like in practice
Designed for public sector, financial services and regulated industries.
Built to evolve as the standards evolve.