Two days. Dozens of conversations. One consistent theme: the distance between policy ambition and operational reality is still significant and the organisations closing that gap are the ones worth watching.
We arrived at LisbonID Conference 2026 with a clear question in mind: where does digital identity implementation in Europe actually stand? Not where the regulation says it should be. Not where the roadmaps promise it will be. Where is it right now , in the systems that organisations are building, the integrations that IT teams are managing and the decisions that technology leaders are making under real-world pressure? Two days of conversations gave us a more honest picture than any report could. Here is what stood out.
The eIDAS 2.0 gap is real and most organisations know it
The European Digital Identity Wallet framework has been described as a turning point for how citizens interact with public and private services across Europe. And in principle, it is. The ambition is correct: a portable, interoperable, privacy-respecting identity layer that works across borders and sectors. The problem is that ambition and implementation are running on very different timelines. Most of the IT directors we spoke to at LisbonID are working with organisations that are nominally aware of eIDAS 2.0 requirements but haven’t yet translated that awareness into a concrete implementation plan. The regulation is understood as something coming. The operational implications are still being worked out. This isn’t negligence. It’s the normal rhythm of complex regulatory change, especially when the technical standards that underpin implementation are still being finalised at the European level. But it creates a window of real risk for organisations that wait too long to start building.
The teams that are ahead right now are not the ones who started after the full picture was clear. They are the ones who started building with what existed, stayed close to the evolving standards and built flexibility into their architecture from the beginning.
Interoperability is the actual hard problem
One of the most consistent themes across the two days was the gap between identity solutions that work in isolation and identity infrastructure that works across systems. A digital identity credential that is trusted by one public authority but not by a financial institution. An enterprise identity management system that works domestically but breaks at the border. A citizen-facing application that handles one identity document type but not another.
These are not edge cases. They are the everyday operational reality of digital identity in Europe — a continent with 27 different national frameworks, significant legacy infrastructure and genuine variation in how identity is legally defined and administratively managed. The most interesting conversations at LisbonID were about how organisations are approaching this. The answer, increasingly, is to stop treating interoperability as a future problem to be solved once everything else is in place and start treating it as a foundational design requirement. This shift in thinking has practical consequences. It means choosing middleware and integration layers that are built explicitly to handle variation across identity standards, rather than optimised for a single framework. It means investing in abstraction — the ability to sit between the credential that exists today and the wallet that will exist tomorrow, without rebuilding the integration every time something changes. It’s the kind of architectural thinking that doesn’t always get recognised at the feature level but makes an enormous difference to the long-term cost and resilience of identity infrastructure.
The procurement challenge nobody is talking about loudly enough
Alongside the technical conversation, there was a quieter but equally important thread running through LisbonID: procurement and vendor selection are not keeping pace with the speed of the identity standards landscape.
Many organisations are locked into contracts with vendors who made commitments about eIDAS 2.0 readiness that are proving difficult to honour. The standards moved. The vendor’s roadmap didn’t move fast enough. And the organisation is now in the uncomfortable position of having invested in infrastructure that may need significant rework before the European Digital Identity Wallet goes live.
This isn’t a criticism of any particular vendor. It’s a structural problem with how identity technology is being procured. Organisations are evaluating solutions against requirements that were written before the current version of the technical specifications existed. By the time a procurement cycle completes and a contract is signed, the specification may have changed again.
The organisations navigating this well are building vendor evaluation criteria that go beyond feature checklists. They are asking how closely a vendor is engaged with the standards bodies. They are asking for evidence of participation in pilot programmes and cross-border interoperability testing. They are treating proximity to the evolving policy conversation as a selection criterion in its own right, not just as a nice-to-have, but as a genuine indicator of whether a solution will remain fit for purpose in two years.
This is a meaningful shift in how identity infrastructure decisions get made. And it’s one we expect to see accelerate as the wallet rollout approaches and organisations realise that compliance is a moving target, not a fixed destination.
| Vendor evaluation criterion | Typical procurement checklist | What LisbonID taught us to ask |
|---|---|---|
| eIDAS 2.0 compliance commitment | Yes / No checkbox | ✓ Show evidence, not claims |
| Proximity to standards bodies | Not assessed | ✓ Active participation required |
| Cross-border interoperability testing | Not assessed | ✓ Pilot results, not roadmap promises |
| Architecture flexibility as spec evolves | Not assessed | ✓ Selection criterion, not nice-to-have |
| Legacy system compatibility | Checked at feature level | ✓ Middleware + integration depth |
| Fit for purpose in 2 years | Assumed | ✓ Stress-tested against evolving standards |
Legacy systems are the real conversation nobody wants to have
If there was one topic that came up more in hallway conversations than in formal sessions, it was legacy. Most European organisations especially in the public sector and financial services, the two sectors where digital identity matters most are not starting from a greenfield environment. They have systems that have been running for ten, fifteen, twenty years. They have databases, authentication layers and document management workflows that were designed before digital identity was a policy priority and before the current generation of identity standards existed. Integrating with modern identity infrastructure doesn’t mean replacing those systems.
In most organisations, that isn’t realistic not in terms of budget, not in terms of risk, and not in terms of the operational continuity required of public services and regulated industries. What it does mean is building the right interface between what exists and what’s coming. The organisations getting this right are treating legacy not as a blocker but as a constraint to design around and investing in integration solutions that can bridge the gap without requiring a full modernisation programme as a prerequisite. This is where the practical value of purpose-built identity middleware becomes clearest. Not as a replacement for existing infrastructure, but as a translation layer — something that allows a legacy system to communicate with modern identity standards without being rebuilt from scratch.
The trust question is more important than the technology question
Perhaps the most important thing we heard at LisbonID had nothing to do with technical standards or regulatory timelines. It was a straightforward observation from an IT director working in the public sector: “The citizens don’t care what standard we use. They care whether they can trust that their identity is being handled correctly.” It sounds obvious. But it has real implications for how organisations approach digital identity implementation and how they communicate it internally. The technology decisions are important. But they are in service of a broader objective: building systems that citizens, employees and partners can rely on without having to understand the mechanics. The trust is the product. The infrastructure is what makes it possible.
What that also means, in practice, is that the user experience layer of digital identity deserves as much attention as the technical layer beneath it. Organisations that invest heavily in compliant, interoperable infrastructure but neglect the moment of interaction, the citizen opening a wallet application for the first time, the employee authenticating across a border, the customer verifying their identity to access a regulated service, risk undermining the trust they have worked hard to build. Seamless, transparent, and clearly communicated identity interactions are not a UX afterthought. They are part of what makes the infrastructure trustworthy.
At Caixa Mágica, this is how we think about eID Box. Not as a compliance tool or a technical integration layer though it is both of those things but as a way of making identity infrastructure that people can actually depend on. Reliable, interoperable, built to evolve as the standards evolve.
Qualigentic also deploys where regulated data must live:
- Open-source self-hosted models (Llama, Mistral)
- PEFT / LoRA fine-tuning inside customer perimeter
- No data egress under any condition
- Audit chain on customer storage
- Azure AI Foundry, AWS, GCP — customer-owned
- Bring-your-own model and keys
- Region pinning (EU, US, JP)
- Managed in the EU, fastest time-to-value
- SOC 2-style controls, signed evidence chain
- Anthropic / OpenAI / Azure OpenAI selectable
What comes next
The conversations at LisbonID 2026 reinforced something we already believed but heard confirmed from multiple directions: the organisations that will be well-positioned as the European Digital Identity Wallet becomes operational are not waiting for clarity. They are building now, with the standards that exist, and staying close enough to the policy conversation to adapt. The gap between policy ambition and operational reality is real. But it’s also a gap that organisations can close if they treat digital identity as infrastructure rather than compliance, and start building with that mindset today.
For the teams navigating this: the questions worth asking are less about which regulation applies and more about what your identity architecture needs to be capable of in three years. Work backwards from that. Build flexibility in from the start. And find partners who are as close to the standards conversation as they are to your implementation challenges.
That is the work we are doing. And if LisbonID 2026 was any indication, it’s the work that matters most right now.
Built to evolve as the standards evolve.


