Under EU Regulation 2024/1183 (eIDAS 2), Romania is required to make at least one European Digital Identity Wallet available to its citizens and residents by the end of 2026. This is a directly applicable obligation carrying fixed deadlines, as well as financial and reputational consequences, but, despite some recent progress, Romania does not yet have an operational wallet. Prime Minister's Decision No. 183/2026 established the RO EUDIW Committee, a consultative inter-institutional body chaired by one of the Deputy Prime Ministers, and in June 2026 the principal ecosystem roles were allocated: the Ministry of Economy, Digitalisation, Entrepreneurship and Tourism as the supervisory authority and single point of contact for cross-border cooperation; the Ministry of Internal Affairs as provider of the mobile application and backend, issuer of Person Identification Data, and provider of age-verification attestations; and the Special Telecommunications Service as the access-certificate, registration-certificate, registry, and attestation-scheme authority. In parallel, Romania has chosen Germany's open-source wallet as its technical base, announced the contours of a phased delivery plan beginning in 2026, signalled an eventual opening of the market to certified private providers, and, through the memorandum of understanding with Mastercard and subsequent announcements, indicated an openness to receive private-sector technical assistance.
Taken together, these decisions determine which institutions hold some of the roles from the Architecture Reference Framework provided by the European Commission, and thus partially settle the governance of the project. The wallet's success, however, depends on the development of internal delivery capacity, in both its technical and strategic dimensions. Romania's principal risk is organisational rather than technical, and the decisions taken so far, while necessary, do not mitigate it: reuse of the German open-source solution lowers the cost of initial development without reducing the in-house expertise required to integrate, operate, and maintain it. The recurring lesson of Romania's digital-government record is that competent institutions can each fulfil their bounded role and yet collectively fail to deliver the intended outcome or reach the targeted levels of adoption. Eurostat data shows that in 2025 just over 10% of Romanians used an eID solution for personal purposes and only 1.58% used one to access public-sector services.
This paper's core recommendation is the establishment of a dedicated EUDI Wallet taskforce at the centre of government, positioned close to the Deputy Prime Minister in charge of state modernisation, building on the RO EUDIW Committee already in place. The defining feature of the proposal is that technical delivery and strategic ownership are combined within one structure, under a single point of accountability, rather than inexistent or split across institutions. In the near term the taskforce assumes the Wallet Provider function directly, owning the technical build and the product roadmap; over time it evolves into a permanent digital delivery capability, taking on the oversight of other programmes before ultimately anchoring a reformed national digital authority. To that end, it must be resourced and organised to recruit and retain specialists outside the rigid salary scales that constrain standard public-sector employment, drawing on, besides staff seconded from the relevant institutions, newly recruited experts and targeted private-sector support.
The paper sets out the two halves of this capacity:
The technical team delivers and operates the wallet: leadership and architecture, backend and credential-issuance engineering, identity proofing and cryptographic hardware, mobile development, and a testing-and-certification function.
The strategic team drives take-up and secures the wallet's relevance: an ecosystem-and-integration function that builds the pipeline of relying parties and onboards ministries as attribute providers; a private-sector-cooperation function that integrates commercial actors as both relying parties and attestation providers; policy, legal, and data-protection expertise that tracks the evolving regulatory framework and manages relations with the European Commission and the national institutions, including the data-protection authority; and a communications-and-adoption function that translates usage data into roadmap decisions.
The argument is grounded both in the literature on policy delivery and coordination and in the comparative experience of France, Poland, and Sweden, where the strategic functions are housed in the same unit as technical delivery. The wallet Romania has to deliver can be built; whether it is adopted, trusted, sustainable and useful will be decided by the internal capacity the state chooses to build around it, both from a technical and strategic point of view.
Technical deliveryStrategic functionsHeadcounts are indicative FTE ranges
Introduction
Photo: Azopan Archive
Romania is legally required to make at least one European Digital Identity Wallet available to its citizens and residents by the end of 2026 and all public-sector institutions, along with part of private-sector actors, will be required to accept the wallet as a means for authentication.Note 1Regulation (EU) 2024/1183, Article 5f: „1. Where Member States require electronic identification and authentication to access an online service provided by a public sector body, they shall also accept European Digital Identity Wallets that are provided in accordance with this Regulation. 2. Where private relying parties that provide services, with the exception of microenterprises and small enterprises as defined in Article 2 of the Annex to Commission Recommendation 2003/361/EC, are required by Union or national law to use strong user authentication for online identification or where strong user authentication for online identification is required by contractual obligation, including in the areas of transport, energy, banking, financial services, social security, health, drinking water, postal services, digital infrastructure, education or telecommunications, those private relying parties shall, no later than 36 months from the date of entry into force of the implementing acts referred to in Article 5a(23) and Article 5c(6) and only upon the voluntary request of the user, also accept European Digital Identity Wallets that are provided in accordance with this Regulation.” This obligation is codified in Regulation (EU) 2024/1183Note 2Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework., and has directly applicable deadlines, with sanctions and reputational consequences attached. Regulation (EU) 2024/1183, hereinafter referred to as eIDAS 2, amends the 2014 eIDAS frameworkNote 3Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS)., which was a cross-border framework for trusted electronic identification and trust services, built on mutual recognition of nationally notified eID schemes. By the time the Commission evaluated it in 2020, the instrument had only partially delivered on its 2014 objectives: fourteen Member StatesNote 4Including the UK. had notified nineteen eID schemes, 59% of EU citizens were covered in principle, and only an estimated 14% of public service providers actually offered eIDAS authentication.Note 5European Commission, Evaluation study of the Regulation no. 910/2014 (eIDAS Regulation) SMART 2019/0046 — Final Report (2020). Take-up in the private sector, where the bulk of identity transactions occur, was negligible. The EPRS briefing of March 2022 summarised this diagnosis: limited scope, absence of incentives for Member States and private actors to join the cross-border infrastructure, diverging national interpretations in trust services, and a rigid approach to attributes that left most real-world use cases outside the Regulation.Note 6EPRS, Revision of the eIDAS Regulation: findings on its implementation and application — Briefing (2022).
Against that backdrop, the Commission’s June 2021 amending proposal (COM (2021) 281) introduced a structural shift: each Member State would be required to issue a European Digital Identity Wallet. After inter-institutional negotiations, the revised instrument was adopted and entered into force in May 2024. In addition to the regulatory framework, mechanisms meant to facilitate the deployment of the national solutions per se were put in place: the architecture and reference framework provided by the Commission, the testing carried out — and in some cases still ongoing — in large-scale pilots such as POTENTIAL, EWC, NOBID and DC4EU and, more recently, APTITUDE and WE BUILD.Note 7„What Are the Large Scale Pilot Projects — EU Digital Identity Wallet”, accessed 9 June 2026, ec.europa.eu/digital-building-blocks.
With the deadline approaching, Romania still has no operational wallet, despite important steps being made regarding the governance of this project. The scale of the task is sometimes misunderstood: the EUDI Wallet, far from being just a technical solution, is a sovereign infrastructure for digital identity: a Personal Identification Data (PID) scheme, a qualified electronic signature instrument, a potential container for mobile driving licences, diplomas, health credentials and dozens of other attestations, a certified cryptographic architecture, and an interoperable tool recognised across 27 Member States and the EEA. Developing and operating the wallet ecosystem requires the coordinated effort of nearly all Romanian public institutions and a significant share of private-sector actors, as well as a permanent capability, both technical — to oversee the development, to facilitate the issuance of attributes, the integration with the wallet — and strategic, to ensure mass adoption.
„[…] the modular nature of the wallets’ architectural paradigm inherently creates some complexity, given the complementary roles of various ecosystem participants, such as credential issuers, wallet providers, and trust service providers. Unlike traditional centralized digital identity models, in which all of these roles might have been played by a single entity, implementing a wallet ecosystem requires active orchestration among actors. Although there are many benefits to this orchestration, such as scalability and fewer duplicative investments, operationalizing such an ecosystem can introduce some initial setup complexities and an ongoing governance overhead.”
The teams and models for the EUDIW rollout in the different Member States vary: some countries have mature eID schemes (example: Denmark, Italy, Netherlands, Sweden), some already have a wallet-like solution (example: Greece, Poland, Spain) that they will use as a base for the EUDI wallet, while some countries lack eID schemes, or schemes that have large adoption (example: Germany, Slovenia). Regarding the implementation per se, there is no public information that one company solely develops the wallet for a Member State and the most common scenario is that they make use of a combined in-house team, external experts as consultants and open-source software but with in-house development and private contracting for specific blocks of the wallet infrastructure. Looking at what is needed from a wallet developing team, there is some clear guidance. The technology is, to some extent, quite new; IT resources are generally quite scarce and expensive. In some parts there is need for very specialised expertise, especially in correct use of cryptography. There is also a clear need for experts who can understand both the technology and the relevant regulations and standards. Understanding legacy systems is important, but that may differ depending on if the EUDI wallet is an upgrade or something new to the national context.
There are also a number of ways to approach wallet development and the choices that need to be made. These include how the Wallet Secure Cryptographic Device (WSCD) should be handled, whether it should be an MVP-wallet containing only the PID, whether there is need for issuer and verifier capabilities, whether the wallet should be only in smartphones, web wallet or both. But the Wallet Provider role, as defined in the ARF, is essentially a technical function: its focus is not on adoption, not on how government persuades citizens to install and use the wallet, how it brings hospitals, banks, universities, and transport operators into the relying party ecosystem, nor how it sequences the addition of new attributes over time to steadily increase the wallet’s utility.
This is why, besides the technical profiles, strategic internal capability is indispensable in a way that goes beyond filling ARF roles, as a country may have a plan for who will be the Wallet Provider and the PID Provider, but the success of a national wallet will depend on a plan for who will own the adoption strategy, manage the integration pipeline for relying parties, maintain a public-facing attribute roadmap, or make the ongoing investment decisions that keep the wallet competitive and relevant as user expectations evolve. All the previously mentioned functions require different profiles, profiles that combine product thinking, stakeholder engagement, data-driven iteration, and long-term strategic focus.
This paper argues that, to deliver a successful EUDI wallet and drive adoption, Romania needs a taskforce placed at the centre of the government equipped with technical and strategic capability for developing the wallet and driving adoption.
The paper opens by grounding the analysis in the national context: Romania’s digital-government track record and the current state of play on the RoEUDIW, from the governance committee and the allocation of institutional roles to the choice of technical solution (I). It then draws on an academic literature overview on the notion of delivering and policy coordination, which supports the idea that new policy priorities, such as the EUDIW, should not only benefit from strong political sponsorship but also be doubled by a development in the operational capability, a direction that an increasing number of countries adopt, acknowledging the importance of development of in-house expertise (II). Building on the Wallet Provider function from the architecture reference framework and the indispensable strategic dimension that accompanies it, we highlight the existence of this ambivalent capacity in other EU countries by exploring team structures from France, Poland and Sweden (III). Finally, we propose technical and strategic profiles to be considered by the Romanian Government for a successful implementation and adoption of the EUDIW (IV).
Chapter I
Romania: digital-government track record
and state of play on RoEUDIW
01
Photo: Azopan Archive
Romania has repeatedly ranked last in the EU on the e-government usage dimension of the Digital Decade indicator, with a score that remains roughly a third of the EU average in the 2025 assessment. There is a familiar pattern in digitalisation efforts in Romania: fragmented mandates across ministries and agencies, long procurement cycles, oversized tenders, parallel solutions that do not interoperate, lack of integration with existing technical solutions and low citizen adoption.
What makes this pattern particularly damning is that it is not new: as far back as 2016, the OECD Public Governance Scan examined digital government as one of five priority areas and identified the same structural weaknesses.Note 8OECD, OECD Public Governance Reviews: Romania Scan 2016, OECD Public Governance Reviews (OECD, 2016), doi.org/10.1787/d7fe89a4-en. The 2016 report called on Romania to overcome fragmented efforts across public administration by building a shared, system-thinking culture grounded in national key enablers such as eID, interoperability frameworks, and a government cloud strategy, stating that the country faced the challenge of developing more articulated, coherent and sustainable digital government policies. The report was clear that the real challenge lays ahead: putting in place the right policy processes and coordination mechanisms, and monitoring implementation and impact. Nearly a decade later, the 2023 OECD Digital Government ReviewNote 9OECD, Digital Government Review of Romania: Towards a Digitally Mature Government, OECD Digital Government Studies (OECD Publishing, 2023), doi.org/10.1787/68361e0d-en. and the 2025 Digital Nation report for Edge InstituteNote 10Digital Nation for Edge Institute, Digital Governance Framework for Romania (2025). found that challenge still unmet, with the same vocabulary reappearing almost verbatim: fragmentation, missing coordination, absent accountability.
A 2026 European Commission study on the EU’s critical digital capacities identifies, as structural weaknesses across Member States, a „siloed national approach to technology, particularly in the deployment of interoperability technologies”Note 11European Commission, Technopolis Group, Study on the EU’s critical digital capacities deployment beyond 2027 — Final report (Publications Office of the European Union, 2026), data.europa.eu/doi/10.2759/0673677, p. 174. and „fragmentation in the implementation of cross-border services despite regulations”. Romania’s digital-government record is therefore not an outlier, but it is one of the most acute expressions of a problem the Commission documents across the Union. That, however, makes it no less urgent to address; what it means is that without deliberate structural intervention, the result is predictable.
In other words, repeating this pattern with the EUDI Wallet is highly likely to produce the same outcome at a higher cost, both from financial and opportunity perspectives. It is important to acknowledge that a weakness can, in this case, become a strength, as Romania does not have the same legacy as many other first-mover countries and there is a great potential to leapfrog into the newest technologies and ways of digital interactions. The wallet infrastructure can be an important tool to make life easier for Romanians and lower costs for the public sector as they can focus on one solution for authentication and attribute presentation, rather than many disparate and outdated solutions.
Important steps have been made recently regarding the governance of the wallet. Decision No. 183/2026, issued by the Prime Minister on 12 May 2026, establishes the RO EUDIW Committee: a consultative inter-institutional body tasked with coordinating institutional, legal, and technical steps required to develop and implement Romania’s national ecosystem for the EUDIW. The Committee is chaired by one of Romania’s Deputy Prime Ministers and has two other permanent members: the Ministry of Economy, Digitalisation, Entrepreneurship and Tourism, and the Ministry of Internal Affairs, while the Special Telecommunications Service participates through a senior management representative. According to the decision, the Committee may establish thematic working groups drawing on experts from public and private entities. The RO EUDIW Committee is a soft instrument: a consultative space in which, at least theoretically, consensus is formed among the institutions. Its decisions are not binding, unless codified in legislation initiated by its members.
In June 2026, the Government set out the principal institutional roles for implementation via a Press Release that is soon to be codified in national legislation.Note 12Romanian Government, Guvernanță, roluri instituționale și deschidere către parteneriate strategice în implementarea Portofelului de Identitate Digitală (RoEUDIW), Press release, 26th of June 2026. Available at: gov.ro The Ministry of Economy, Digitalisation, Entrepreneurship and Tourism acts as the supervisory authority for the EUDIW ecosystem and as the single point of contact for cross-border cooperation, coordinating governance, the drafting of normative acts, the relationship with public and private actors, and the technical monitoring of the solutions deployed. The Ministry of Internal Affairs is the official provider of the mobile application (RO Wallet) and of the backend infrastructure; it issues Person Identification Data and provides attestations for age verification, hosting the solution in its online hub of services. The Special Telecommunications Service holds four roles: Access Certificate Authority, issuing access certificates to ecosystem participants; Provider of Registration Certificates for entities registered to offer services through the wallet; Registry Administrator for the centralised registry of relying parties; and Attestation Scheme Provider for the national schemes of qualified and non-qualified attestations, with the registry and attestation infrastructure hosted in the Government Private Cloud (the internal cloud component).
It must be underlined that the June 2026 allocation is, for now, a press release, not even a project in public consultation, therefore this form is not definitive, and it is to be hoped that it will not prove exhaustive either. For now, no role is foreseen for the Romanian Accreditation Association (RENAR)Note 13Regulation (EU) No. 910/2014, as amended by Regulation (EU) No. 2024/1183, Article 3, point (18): „»conformity assessment body« means a conformity assessment body as defined in Article 2, point 13, of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a qualified trust service provider and the qualified trust services it provides, or as competent to carry out certification of European Digital Identity Wallets or electronic identification means”, Romania’s single national accreditation body under Regulation (EC) No 765/2008; for the Romanian Digitalization Authority (ADR), which under the eIDAS framework remains the supervisory body for the qualified trust service providers that issue QEAAs into the walletNote 14The Ministry of Economy, Digitalisation, Entrepreneurship and Tourism is described as the supervisory authority for the EUDIW ecosystem and the single point of contact for cross-border cooperation. „Supervisory authority for the EUDIW ecosystem”, however, is a national umbrella label: eIDAS 2 speaks of a supervisory body for trust services and, separately, of the oversight of wallet providers. The trust-services supervisory function is precisely the competence that HG 89/2020 vested in ADR. Since ADR now sits under this ministry’s coordination, the natural reading is that its supervisory function continues inside the ministry, and the drafting should say so to avoid leaving an apparent gap.; for the National Cyber Security Directorate (DNSC), the natural author of the national certification scheme, whose absence means that, as currently configured, the Special Telecommunications Service (STS) and the Ministry of Internal Affairs (MAI) would each supervise their own cybersecurity; or for the National Supervisory Authority for Personal Data Processing (ANSPDCP), without whom there is no clear mechanism for assessing the proportionality of the data that relying parties request from citizens’ wallets.
On the technical strategy, Romania has decided to adopt and deploy the German EUDI Wallet solution, following an assessment of the solutions at various stages of implementation across other Member States and of their long-term ecosystem development strategies. The solution is developed as open source, which the Government presents as giving Romania free access to source code, certification schemes, and technical components that can be adapted to national needs, avoiding the cost of building a complex infrastructure from scratch and aligning Romania with a collaborative European approach. Government officials described the choice as the result of a „rigorous assessment of other solutions”, but no evaluation criteria or shortlisted alternatives have been published yet. How the solution will be adapted to Romania’s own identity infrastructure is yet to be defined.
Romania has a solid basis for implementation: in June 2025, it started the nationwide rollout of the electronic identity cards, with over 1.5 million cards issued in over a year.Note 15Publicly available data from the Ministry of Internal Affairs. Additionally, from December 2025, the Ministry of Internal Affairs launched eIDentity, the dematerialized version of the electronic identity card, which allows for selective disclosure and the sharing of the data via a generated QR code valid for 10 minutes. These two instruments that are already available, although highly underused because of lack of integration with public or private servicesNote 16On low adoption of eID in Romania: Melany Pașca, „Identitate electronică în România: Cauzele adopției scăzute și direcții de acțiune”, Edge Institute (2026), edgeinstitute.ro, will facilitate the task of building the national wallet.
Romanian electronic Identity Card and eIDentity
Delivery of the Romanian EUDI wallet is announced to be structured in successive phases. The first phase, running through 2026, will focus on implementing the first version of the RoEUDIW mobile application, issuing PID and developing the age-verification functionality, and finalising the regulatory framework.
On the market structure, the Government has indicated that it intends, in time, to open the market to private wallet providers, conditional on certification under the national scheme. The Government has also invited organisations and interested actors willing to provide technical assistance on the development of the wallet to submit a letter of intent to the Ministry of Economy, Digitalisation, Entrepreneurship and Tourism, expressing thereby its openness to sign memoranda of understanding similar with the one signed with Mastercard.Note 17Memorandum of understanding between the Government of Romania and Mastercard Europe S.A., available at: sgg.gov.ro
Taken together, these two pictures frame the task ahead. On one side is a digital-government record defined, across a decade of external assessments, by the same recurring weaknesses: fragmentation, missing coordination, and absent accountability. On the other is a set of decisions taken in the first half of 2026 that, for the first time, give the RoEUDIW project the basis of a governance structure that is yet to be codified in legislation, a technical choice in the form of the German open-source solution, and even a sort of head start, with the electronic identity card and eIDentity. Nonetheless, the question of human resource is still unaddressed. To technically adapt the German solution to the Romanian context, develop and maintain it over time, expertise in the field is required. It is important to keep in mind that the decision to adopt the German open-source solution, while sensible as a reuse-first strategy, does not reduce the internal capacity Romania needs: it certainly lowers the cost of the first build, but the state still has to integrate the solution with national registers and the PID issuance process, operate it at production scale, and maintain it over time.
Moreover, adoption is precisely the point at which Romania’s previous digital efforts have repeatedly stalled, strategic human resource is indispensable for the success of this project. The electronic identity card and eIDentity already demonstrate that Romania can deliver capable instruments and still see them go underused for want of integration with public and private services. The wallet risks the same fate unless the gap between responsibility, capability and actual adoption is owned by teams of experts with the mandate and capacity to close it, as responsibility assigned without being doubled by the development of capacity is, as we will show next, most likely to result in an implementation failure.
Chapter II
Delivering: an academic literature perspective
and the OECD case for internal capacity development
02
Photo: Azopan Archive
The academic literature on policy coordination captures the previously presented dynamic precisely. Peters shows that policy coordination is one of the oldest challenges for governments, and that the absence of explicit coordinating structures reliably produces fragmentation even when individual agencies are competent in the matter. Using the example of the Finnish government, which „developed a program management system that required a new government to select four or five priorities after its election […] (that) cut across existing departments and require the involvement of these departments”, Peters illustrates how governments can produce enhanced policy coordination.Note 18B. Guy Peters, „The Challenge of Policy Coordination”, Policy Design and Practice 1, no. 1 (2018): 7, doi.org/10.1080/25741292.2018.1437946.
The integrative capacity framework, as seen by Vince et al., identifies four conditions under which integration fails: weak coordination and coherence; unclear accountability; insufficient dedicated resources; and inadequate institutional architecture.Note 19Joanna Vince et al., „Understanding Policy Integration through an Integrative Capacity Framework”, Policy and Society 43, no. 3 (2024): 381–95, doi.org/10.1093/polsoc/puae027. Formulated positively in the paper: „Policy coordination and coherence; accountability, transparency, and legitimacy; resourcing and adequate institutional architecture were identified as conditions for integration.” Romania’s EUDI Wallet context is very likely to encounter all four. Knill, Steinebach and Zink, surveying the European literature on bureaucratic overload, show that when policies pile up in organisations without commensurate increases in dedicated capacity, the organisations develop „policy triage” behaviour, meaning that some tasks are quietly delayed or neglected in favour of others with more immediate visibilityNote 20Christoph Knill et al., „How Policy Growth Affects Policy Implementation: Bureaucratic Overload and Policy Triage”, Journal of European Public Policy 31, no. 2 (2024): 324–51, doi.org/10.1080/13501763.2022.2158208. and the EUDI Wallet is exactly the kind of politically abstract, technically demanding, long-horizon project that might be first to be triaged out of existence in an overloaded administration.
The implementation unit model draws on a well-documented body of academic and practitioner literature on centre-of-government delivery units. The canonical case is the UK Prime Minister’s Delivery Unit (PMDU), established by Tony Blair in 2001 under Sir Michael Barber, which developed the practice now known as „deliverology”. Clement’s work on the PMDU documents how a compact team of roughly 40 professionals, reporting directly to the Prime Minister through the Cabinet Secretary, with an annual budget around €2 million, was able to materially accelerate delivery across health, education, crime and transport priorities.Note 21Michelle Clement, The Art of Delivery: The Inside Story of How the Blair Government Transformed Britain’s Public Services (Biteback Publishing, 2024). Blair himself later described the approach as „quite revolutionary, more so than we realised at the time”Note 22King’s College London, „Blair’s »delivery revolution« Unveiled: New Book Reveals inside Story of Government Reform”, accessed 8 June 2026, kcl.ac.uk.. Research by the World BankNote 23World Bank, Driving Performance from the Centre: Malaysia’s Experience with PEMANDU (World Bank Group, 2017). and the Centre for Public ImpactNote 24Centre for Public Impact, „The Prime Minister’s Delivery Unit (PMDU) in the UK” (2016). has documented the spread of the delivery-unit model to different countries and the conceptual synthesis by WilliamsonNote 25Williamson T and others, Delivery Approaches to Improving Policy Implementation: A Conceptual Framework (Learning Generation Initiative, 2024). and colleagues identifies the core functions of effective delivery units, the main ones being: goal-setting and prioritisation; data-driven performance management; problem-solving and unblocking; stakeholder engagement; and capacity-building, all five being directly relevant to the EUDI Wallet context. The same literature flags the well-known pitfalls: delivery units that lose political sponsorship, become monitoring-only without delivery capability or grow beyond their effective size, which inform the unit’s design below.Note 26Ibid. On task forces specifically, the comparative literature by Nair and Garg distinguishes task forces that are purely advisory from those that are operationalNote 27Sreeja Nair and Akshat Garg, „How Do Governments Learn from Ad Hoc Groups during Crises? From SARS to COVID-19”, Policy & Politics 52, no. 4 (2024): 625–47, doi.org/10.1332/03055736Y2023D000000011. and this distinction matters because it determines skill mix and reporting line in part IV of this paper, which is oriented towards operationality.
Romania has itself experimented with structures of this type. In March 2014, with World Bank support, a Delivery Unit was established within the Prime Minister’s Chancellery, explicitly modelled on the UK PMDU: it concluded delivery agreements with line ministries specifying targets, metrics, and deadlines across four priority areas, and produced the Romanian Fiscal Authority (ANAF)’s Virtual Private Space, launched in September 2014. Yet the unit did not survive the political cycle, as it depended on the personal sponsorship of the sitting Prime Minister and on externally funded advisory support.
More recently, the NRRP institutional framework established under Emergency Ordinance No. 124/2021 required ministries responsible for reforms and investments to create dedicated implementation structures, staffed where necessary with fixed-term contractual personnel recruited outside the approved organisational chart. In the digital domain this produced two such units: the Task Force for the Implementation and Monitoring of Digital Transformation Reforms and Investments within the Ministry of Economy, Digitalisation, Entrepreneurship and Tourism, and the Unit for the Implementation of Digital Transformation Programmes within the Romanian Digitalisation Authority. Their limits are instructive and five design requirements, directly linked to the pitfalls identified in the academic literature, follow for any successor:
proximity to a strong political sponsor with clear ownership of the project;
basis in an act with the force of law, so that the unit’s existence and reporting lines are more likely to survive a change of government;
a stable multiannual budget line and focus on transfer of expertise to permanent internal resource rather than dependence on donor-funded advisers whose expertise leaves with the contract, where possible;
a mandate defined by outcome, through formal delivery milestones, published targets, so that authority derives from an institutionalised process, besides personal access to one office-holder;
deliberate continuity mechanisms via documented methods, with evolution into a permanent structure envisaged from the outset.
The OECD Digital Government Outlook 2026Note 28OECD, „Digital Government Outlook 2026: From Foundations to Transformational Impact”, OECD Publishing, 15 June 2026, doi.org/10.1787/0496b2bc-en., published in June 2026, provides guidance on why internal capacity matters, and why outsourcing alone cannot deliver the kind of digital infrastructure countries need to build. One of the report’s central arguments is that governments must retain sufficient internal expertise to govern, oversee, and adapt digital systems over time.
„Governments need the right balance between outsourcing and in-house capability to sustain transformation and preserve agency. External providers can bring skills and capacity that government does not have and accelerate delivery. But over-reliance hollows out the internal knowledge and judgement that governments need to define what they want, assess whether they are getting it, hold suppliers to account and adapt systems when circumstances change. Several OECD countries are actively rebuilding internal digital capability. The goal is not to bring everything in-house, but to ensure government retains the core expertise needed to govern digital transformation responsibly.”
OECD, Digital Government Outlook (2026) p. 74
The OECD is clear that the answer to „outsource or develop internally” is not binary. External providers play a legitimate and important role, particularly for specialised capabilities that are difficult to build internally at pace, but what the government must not outsource is the core judgement and oversight function. The report documents a clear direction among OECD countries, as the United Kingdom introduced controls on consultancy spending and is investing in permanent digital, data and technology roles across government, Canada is rebalancing spending away from external professional services, Australia is reducing labour-hire while reinvesting in internal data and digital capability, backed by a dedicated workforce plan through 2030 and France has strengthened central digital capacity through its Interministerial Digital Directorate, reducing fragmentation and dependence on outsourced delivery.Note 29Ibid, p. 79. The OECD also highlights the specific danger of poor internal capacity in procurement decisions. Without sufficient understanding of the technology being procured, governments cannot evaluate vendor proposals critically, cannot manage contracts actively, and cannot understand the long-term implications of their choices.Note 30Ibid, p. 75.
The recommendation of this paper should therefore not be read as a case to eliminate external contractors in building the national wallet, but to ensure the development of internal capability, organised as a governmental taskforce, that holds the institutional knowledge, technical oversight capability, and strategic judgement that no outsourcing arrangement can nor should substitute.
Chapter III
An overview of three European approaches
France, Poland and Sweden
03
Photo: Azopan Archive
The ARF defines fifteen distinct roles within the EUDIW ecosystem, spanning primary roles such as the Wallet Provider, PID Provider, and Relying Party. Each role carries well-defined responsibilities within the trust architecture, and most Member States, including Romania, have made reasonable progress in assigning these roles to existing institutions or planned organisational structures, as we have seen in part I.
The Wallet Provider role in particular is relatively well understood: it covers making the wallet solution available to users, providing Wallet Trust Evidence and Wallet Unit Attestation. How a Wallet Provider team is structured — its size, its composition, the balance between in-house and contracted expertise — directly shapes what the wallet can do and how fast it can evolve.
Three national implementations will be analysed — France, Poland, and Sweden — as case studies in the design of wallet delivery organisations, since each country has made distinct choices: France has built a government agency issuer-model with a developer-facing ecosystem strategy; Poland has sustained a large in-house Scrum team over nearly a decade and uses adoption data to drive product decisions, aiming to switch to an EUDI-compliant wallet in time; Sweden has articulated a layered four-tier governance model that explicitly separates strategic, coordination, product, and execution responsibilities. Together, these profiles illustrate that governance architecture is a first-order design decision and the comparison surfaces actionable patterns for other implementing authorities, procurement bodies, and policy teams grappling with the same organisational questions that eIDAS 2 poses across all 27 member states. The common denominator, besides the technical human resource allocated to the EUDI wallet project, is the focus on adoption, even at incipient stages.
1. France
France is among the more technically mature EU member states on eIDAS 2 implementation. France Identité already covers several mandatory wallet capabilities (PID issuance, proximity presentation, online presentation). The OpenID4VP endpoint positions France to meet the regulatory deadline. Open items as of early 2026 include: wallet certification, relying party registration, and passport-based onboarding. Launched in February 2024, the French wallet already has around 4 million users and around 800,000 LoA high users. The digital wallet project was formally incubated within ANTS (Agence Nationale des Titres Sécurisés) — the agency that also manages passports, driving licences, and vehicle registrations. ANTS operates under the Ministry of the Interior and is the designated eIDAS notified scheme operator for France.
France’s approach has been shaped by a deliberate choice to build on top of existing federated login infrastructure (France Connect) rather than replace it. France Connect, launched in 2016, already had tens of millions of users across e-government services. France Identité was designed as a higher-assurance complement: where France Connect supports LoA Low/Substantial for everyday public services, France Identité targets LoA Substantial and High, including legally sensitive and proximity use cases. France Identité is developed within ANTS and the team operates a continuous delivery model, based both on internal capacity and external contractors, with regular public releases through distinct build stages (development; alpha; beta; stable). A dedicated developer relations function supports the third-party ecosystem, including the public playground environment.
The organisational model places full accountability for the wallet at agency level, with the Ministry of the Interior setting policy parameters and ANTS retaining operational and technical autonomy, with an internal team of more than 100 people, with technical and strategic profiles.
ANTS has made a deliberate decision to act as credential issuer into third-party wallets as well as operator of its own wallet application — the „issuer-as-platform” model. The agency has built a dedicated developer playground environment featuring mock credentials (PID, age verification) that third-party developers and relying parties can use. Private ecosystem wallets can receive ANTS-signed Verifiable Credentials, enabling a model where the state acts as issuer into third-party wallets without requiring citizens to use the government wallet exclusively.
Governance
Delivery
Ecosystem
Ministry of Interior
Policy parameters
France Connect
Existing · LoA Low / Substantial
ANTS
Agence Nationale des Titres Sécurisés
~100 people
In-house + contractors · Full technical autonomy
France Identité
LoA Substantial · High
Issuer-as-platform model
Own wallet app
4M users · 800K LoA High
Third-party wallets
ANTS-signed Verifiable Credentials
Developer playground
Mock PID & age verification credentials
Release pipeline
Dev→Alpha→Beta→Stable
Overview: France Model
2. Poland
Poland’s digital wallet programme is one of the longest-running in the EU, dating back to 2017, nearly a decade before eIDAS 2 entered into force. mObywatel was conceived as a mobile platform to replace the physical booklet of citizen documents, beginning with the mLegitymacja (mobile student ID) and expanding progressively to cover a wide range of public documents and transactions.
The 2022 relaunch was transformative: a ground-up technical rebuild introduced a new architecture, a redesigned UX, and Mobile ID (mDowód), a digital national identity card with full legal equivalence to the physical document. Legal acceptance since 2022 has been the single most important policy enabler, unlocking use cases that require legally valid identity verification.
Poland’s Ministry of Digital Affairs has consistently positioned mObywatel as a citizen service platform first and identity infrastructure second. The design philosophy prioritises concrete, high-frequency, low-friction citizen problems over abstract architectural goals, a philosophy that has produced a very broad service scope for a government wallet. With around 11 million users and 2 million daily logins, mObywatel is currently supported by an in-house team of over 70 people, with five cross-functional Scrum teams that work at two-week sprint cadence.
This is perhaps the most intensive in-house delivery model among EU wallet programmes and is the direct enabler of the product’s rapid iteration pace. The team’s continuous development over nine years has also produced a rare depth of institutional knowledge about citizen adoption patterns and service integration complexity. Poland’s model is primarily characterised by delivery scale and cadence. The governance structure is integrated with product delivery, so product ownership, regulatory tracking, and technical execution are co-located within the same team structure. The deliberate architectural separation in the new mObywatel Europa (eIDAS 2 compliant), representing the isolation of the certified wallet core from the broader services layer, reflects a governance lesson learned: when regulatory certification cycles are slow and costly, architectural choices that protect delivery agility have significant organisational value.
Poland’s dominant organisational challenge is how to execute a migration from the non-certified wallet to an EUDI wallet that does not strand or frustrate the existing user base. The proposed two-track approach:
December 2026: Two apps appear simultaneously, mObywatel 2.0 (existing 40+ services intact) and mObywatel Europa (MVP: PID, driving licence, age verification)
2027–2028: Services gradually migrate from mObywatel 2.0 into mObywatel Europa
2028+: The two apps merge into a single full-featured application
The goal is to give users time for migration and new activation without blocking access in December 2026 to current features: This approach requires parallel maintenance of two codebases and carries a risk of user base fragmentation, but the Centrum Informatyki (Centre for Information Technology) from the Ministry of Digital Affairs considers these costs preferable to a hard cutover requiring 11 million users to immediately re-enrol at LoA High.
Governance
Team capacity
Ministry of Digital Affairs
eIDAS 2 policy oversight
11M+
active users
2M
daily logins
70+
team members
5 cross-functional Scrum teams · 2-week sprints
Centrum Informatyki
Centre for Information Technology
70+ people · 5 Scrum teams
Scrum Team
01
Scrum Team
02
Scrum Team
03
Scrum Team
04
Scrum Team
05
Migration roadmap
Dec 2026
2027 — 2028
2028+
mObywatel 2.0
40+ existing services intact
Launched 2017 · rebuilt 2022
Services migrate
Gradual transition to Europa
Parallel maintenance
mObywatel Europa
MVP: PID, driving licence, age verification
Services integrate
Growing service coverage
EUDI compliant
Unified wallet
Full-featured single app
11M+ users re-enrolled
LoA High · EUDI certified
Simultaneous launch — no hard cutover for 11M users
Overview: Poland Model
3. Sweden
Sweden presents a uniquely challenging context for a state digital identity wallet, as the country already has one of the world’s most mature private-sector digital identity ecosystems: BankID, operated by a consortium of major Swedish banks, is used by approximately 99.9% of the adult population for authentication across both public and private services. Swish, built on the same banking infrastructure, is the dominant person-to-person and point-of-sale payment identifier.
The Agency for Digital Government (DIGG) assumed responsibility for the national eID function taking over from a prior arrangement in which eID was managed by private-sector actors. The Swedish State Wallet is being developed in parallel with this institutional transition, compressing the timeline and increasing the organisational complexity of the programme.
Sweden offers perhaps the clearest example of governance-first design in the European wallet landscape. Rather than launching with ambition and building governance later, DIGG started the Swedish State Wallet with just two part-time staff in January 2025, deliberately building institutional capacity before scaling delivery. By early 2026 the team had grown to 36–40 people, with a projection of around 50 within a year, and the programme remains in sandbox and MVP testing, with only two to three use cases in scope. Contractors are sourced exclusively from three pre-whitelisted Swedish consultancy firms, maintaining a roughly even split between in-house and external capacity while preserving institutional control. Sweden is consciously sequencing its work, getting the legal framework, coordination architecture, and implementation infrastructure right before broadening scope.
DIGG’s organisational framework for the wallet programme is structured around three distinct input streams that feed into the Swedish Wallet System (det svenska plånbokssystemet):
Leading team: they coordinate the overall wallet delivery process and manage the European and external relations of the unit.
Business team / Expert team: Three internal working circles — Collaboration (Samverkan), WeBuild LSP participation, and Working Groups (Arbetsgrupper, covering e-signature, cybersecurity, and other domains). The Expert team separately develops and validates the Certification Framework (Certifieringsordning). These teams receive inputs from both the regulatory stream and from the business/certification community, and feed coordination outputs to the development team.
Development team (Utvecklingsteam): Delivers across six product areas. The Certification Framework flows directly from the Expert team into the Development team as a constraint on wallet architecture.
Longer horizonShorter horizon
DIGG leadership
Leading team
Product management
Team
DIGG leadership group
Given conditions to understand the overall process and budget. Makes strategic decisions.
Leading team
Coordinates delivery capacity. Manages EU coordination, risk, and external relations.
Product management
Responsible for delivery content within budget. Coordinates operational production.
Team
Does the work. Responsible for design, technical decisions, and day-to-day execution.
Overview: Swedish Team Structure
This three-stream model is significant because it makes explicit that regulatory interpretation, ecosystem coordination, and technical delivery are distinct organisational functions and conflating them, as some Member States have done by embedding regulatory tracking inside the development team without a dedicated intermediary layer, creates bottlenecks when implementing acts change or when ecosystem partners need coordinated onboarding.
The comparative analysis of France, Poland, and Sweden surfaces a consistent pattern: in all three cases, the strategic functions (ecosystem coordination, adoption strategy, regulatory tracking, and cross-institutional liaison) are housed within the same organisational unit as the technical delivery team. In each case the wallet is delivered by a dedicated unit that holds technical execution and strategic responsibility together, rather than distributing them across separate institutions; in each case adoption is treated as a first-order concern from the outset; and in each case the balance between in-house capacity and external contracting is managed so that the state retains ownership of the core expertise rather than ceding it to suppliers. Beneath the surface variety, these are three expressions of the same underlying choice: to build a single organisation capable of owning the outcome.
Two further lessons cut across the cases and bear directly on Romania. The first is that the unit’s design follows from the country’s context: the right structure must be derived from a country’s own institutional reality, the decisions it has already taken, and the assets it already has in hand. The second is that none of these countries treated the allocation of responsibility as sufficient but built dedicated delivery capacity on top of that allocation, and it is that capacity, not the role map, that explains the progress they have made, and it is precisely this gap that Romania must now close. The following section sets out a model for such a structure: a taskforce at the centre of government that combines technical delivery with strategic ownership of adoption, drawing on the patterns identified here and adapting them to Romania’s particular constraints and opportunities.
Chapter IV
RoEUDIW taskforce
proposal and profiles
04
Photo: Azopan Archive
Romania’s current institutional context offers a promising, if still embryonic, foundation for the kind of taskforce envisioned here, placed at the centre of the government. The RO EUDIW Committee is chaired by the Deputy Prime Minister, so the responsibility for political coordination has already been assigned, although it would benefit from codification in primary legislation. The critical question is whether the Deputy Prime Minister (and, therefore, the Committee) will be resourced with an executive arm empowered to act as a genuine delivery and strategy taskforce.
The taskforce should draw staff from relevant institutions, whether on a full-time basis or through a modest allocation of several hours per week, supplemented by newly recruited specialists and, where necessary, ad hoc support from private sector companies. To preserve competitiveness on remuneration, it should benefit from a clear and stable budgetary allocation, with remuneration that can be supplemented from EU funds. For example, within the framework of the 2021–2027 programming period, Romania has the possibility to amend the existing project financed under the Smart Growth, Digitalisation and Financial Instruments Operational Programme (POCIDIF) in order to extend its scope of intervention to encompass the development, piloting, and deployment of the wallet.
Proximity to the centre of government is, in our view, non-negotiable: it gives the taskforce the flexibility required for fast delivery, the political authority needed to coordinate across ministries and hold attribute providers to account, and a natural path towards its eventual absorption into a national digital authority that should likewise sit at the centre of government. Within the centre of government, two institutional homes are plausible: the working apparatus of the Deputy Prime Minister in charge of state reform, or the Prime Minister’s Chancellery. We recommend the former. The function of a Deputy Prime Minister without portfolio charged with coordinating state reform already has a legal basis in O.U.G. No. 32/2025 and disposes of its own working apparatus, even if the legislation governing it, both primary and secondary, remains underdeveloped. The relationship would also be mutually reinforcing: the taskforce gives the Deputy Prime Minister an instrument of execution, while the Deputy Prime Minister gives the taskforce political weight, strengthening both positions and creating a solid basis for the central coordination of digital transformation.
Like the Chancellery itself, the Deputy Prime Minister’s working apparatus is a structure without legal personality, financed through the budget of the General Secretariat of the Government. The objection that a unit anchored with the Deputy Prime Minister would lack administrative resources therefore applies with equal force to one anchored in the Chancellery: both depend on the General Secretariat of the Government for premises and expenditure, and both can be consolidated through the same legislative clarification. Nor does the Chancellery offer superior continuity, as in some governments it is absorbed into the Secretariat, just as nothing guarantees that a future government will include a Deputy Prime Minister for state modernisation or, for that matter, a ministerial portfolio for digitalisation. No host institution is, therefore, safe without clear legislative consecration of its mandate, budget, scope, and institutional levers, which is precisely why the taskforce’s mandate, reporting line, and resources must be fixed in the law implementing eIDAS 2.
The taskforce’s mandate should be understood in two phases. In the longer term, once a solid foundation for the EUDI Wallet has been established, the taskforce should evolve into a permanent digital delivery structure within the Romanian government, progressively expanding its capacity and taking on the oversight of other projects, before ultimately being absorbed into a reformed Authority for the Digitalisation of Romania, repositioned at the centre of government. In the near term, it should fulfil the Wallet Provider function, taking ownership of the technical build and product roadmap from the outset, departing on this point from what the Government has announced. Far from sidelining the Ministry of Internal Affairs, this would relieve some of the pressure on it: the Ministry is already responsible for Person Identification Data and is building the age-verification pipeline, and its limited resources would be better invested in the data it actually holds (driving licences, civil status documents, criminal record certificates and other special permits), which make excellent candidates for the first publicly issued attestations in the wallet.
Cross-ministerial coordination further reinforces the case for positioning this structure at the centre of government. Persuading the Ministry of Health to become an attribute provider, or the Ministry of Education to integrate as a relying party, despite the codified obligation under the eIDAS 2 Regulation, requires a level of authority that a line ministry or agency is unlikely to hold. Without seniority and an explicit political mandate, even a well-resourced institution would struggle to convene the actors it needs to convene. Assigning the Wallet Provider function, together with strategic oversight, to an existing institution may work in more digitally mature contexts. In Romania’s case, however, it carries substantial risk, given the country’s documented history of fragmented digital mandates which means that coordination failure is not a theoretical concern. Compounding this, the public sector’s rigid legislative framework on hiring, with pre-established salary scales that are not competitive, bureaucratic recruitment processes, and limited flexibility on working arrangements, would make it genuinely more difficult to attract and retain the specialists this work demands. This model is consistent with the most successful precedents identified in the delivery unit literature, where strategic capacity was deliberately placed at the centre of government rather than inside a line ministry, and it responds directly to the OECD’s repeated recommendation to build cross-cutting coordination capacity with real authority and internal capacity. Part of the Ministry of Internal Affairs’ staff could, moreover, contribute directly to the development of the wallet through the taskforce.
A similar rebalancing is warranted for the responsibilities announced for the Ministry of Economy, Digitalisation, Entrepreneurship and Tourism, which accumulates functions of different natures. The coordination of the relationship with public and private actors, the technical monitoring of the solutions deployed and, in practice, the working-level relationship with the European Commission are operational functions that presuppose daily proximity to the delivery work, and should be absorbed by the taskforce. MEDAT would retain, and be strengthened in its supervisory function, exercised in coordination with the trust-services supervision that, under the current legislative framework, belongs to the Authority for the Digitalisation of Romania.
The taskforce must combine technical delivery and strategic oversight within a single structure, as this ensures that adoption considerations are embedded into technical decisions from the start. It also creates a single point of accountability, simplifying governance and reporting while eliminating the risk of parallel entities developing conflicting priorities. The strategic dimension encompasses maintaining a citizen-facing and outcome-oriented perspective, managing Romania’s relationship with the European Commission and other Member States, tracking the evolution of the Architecture Reference Framework and relevant implementing acts, developing partnerships with private actors, and planning the wallet’s role as an authentication mechanism across both the public and private sectors. The technical dimension would be in charge of the development, while constantly mapping and coordinating public acquisitions for parts of the project, as needed. In the next part, we explore the profiles of this technical and strategic taskforce.
Technical deliveryStrategic functionsHeadcounts are indicative FTE ranges
Taskforce Leadership
1.1Programme Director
Expertise profile
The Programme Director holds overall accountability for the wallet programme across both its technical and strategic dimensions. This is the single person responsible for the programme's success in practice, managing upward to government leadership and the Deputy Prime Minister, outward to the European Commission and EU-level governance bodies, and laterally across the ministries whose cooperation the ecosystem depends on. The Programme Director is the primary coordination point between the teams, owns the national attribute roadmap at a strategic level, and maintains Romania's positioning within the evolving EU landscape.
Experience & background
Minimum 12–15 years in senior programme leadership spanning public sector digital transformation and regulatory or policy environments. Direct experience managing cross-institutional programmes with politically contested dependencies. Active participation in EU digital governance fora strongly preferred.
Technical Profiles
1.Technical Leadership
1.1Technical lead
Expertise profile
The Technical Lead is the senior technical authority across the entire Wallet Provider solution. This requires deep understanding of the eIDAS 2 ecosystem (the regulation, the ARF, and the associated standards) as well as direct experience with at least one full wallet implementation cycle.
Experience & background
Minimum 10+ years in identity and access management or digital identity systems. Deep understanding of PKI, trust frameworks, and credential ecosystems.
1.2Solution architect
Expertise profile
The Solution Architect designs and maintains the overall technical architecture, ensuring it meets ARF requirements and conformity assessment obligations.
Experience & background
Minimum 8+ years in distributed systems architecture with specific experience designing SDK and platform products. Understanding of the EUDI trust infrastructure — trusted lists, credential status mechanisms, issuer and verifier trust chains.
1.3Security architect
Expertise profile
The Security Architect designs the security posture across the entire solution — mobile platforms, backend services, cryptographic components, and development infrastructure — ensuring compliance with eIDAS 2 security requirements, NIS2, and the Cybersecurity Act.
Experience & background
Minimum 8+ years in information security for high-assurance systems with direct experience in identity or trust service platforms. CISSP, CISM, or equivalent. Experience with Common Criteria evaluations or eIDAS-related conformity assessments.
Technical Lead
10+ YRS
eIDAS 2.0 · PKI · Trust frameworks
Solution Architect
8+ YRS
Architecture · EUDI trust · SDK
Security Architect
8+ YRS
Security posture · NIS2 · CISSP
Summary: Technical Leadership
2.Wallet Provider Backend
2.1Senior backend engineers (2–3)
Expertise profile
These engineers build the wallet provider backend services: wallet unit activation, status management, key attestation verification, and integration with the EUDI trust infrastructure.
Experience & background
Minimum 5+ years building high-availability distributed backend systems. Direct experience with trust frameworks, and certificate and attestation verification. Experience designing systems that meet stringent availability SLAs with formal penalty structures.
2.2SRE / DevOps engineers (1–2)
Expertise profile
These engineers operate and monitor the wallet provider backend services in production, managing deployment pipelines, scheduled maintenance windows, and the monitoring infrastructure.
Experience & background
Minimum 3+ years in SRE or DevOps for production services with formal SLA requirements. Experience with EU cloud infrastructure providers and infrastructure as code.
These engineers implement the credential issuance infrastructure: OID4VCI protocol flows for QEAA and PID issuance, credential lifecycle management, status registries, and administrative interfaces. For PID issuance, they integrate with the Romanian PID issuer and implement identity verification at assurance level High.
Experience & background
Minimum 5+ years in backend systems with direct experience in credential or certificate issuance.
4.Relying-Party Solutions: Backend engineers — verification and trust infrastructure (2–3)
Expertise profile
These engineers build the relying-party capabilities: receiving and verifying attestations and PIDs presented from EUDI Wallets, validating cryptographic proofs, checking credential status, and resolving issuer trust chains.
Experience & background
Minimum 4+ years in backend development with experience in credential or certificate verification. Understanding of OID4VP, SD-JWT-VC verification, and mdoc verification.
5.WSCA/WSCD: Cryptography and secure hardware specialists (1–2)
Expertise profile
These specialists design and implement the Wallet Secure Cryptographic Application and Wallet Secure Cryptographic Device, working with secure elements, Trusted Execution Environments, and Hardware Security Modules, and making architectural decisions about local versus remote secure cryptographic execution.
Experience & background
Minimum 5+ years specifically in cryptography. Direct experience with Common Criteria evaluations at EAL4+ and understanding of GlobalPlatform specifications and FIDO2/WebAuthn attestation models would be an advantage.
6.Quality, Testing and Certification
6.1Test lead / QA manager
Expertise profile
The Test Lead designs the test strategy and ensures that test documentation is comprehensive, traceable from requirements through test cases to results, and suitable for direct use as certification materials.
Experience & background
Minimum 7+ years in test management for certified or regulated software products. Experience with formal acceptance testing in public-sector contexts and how test evidence feeds into conformity assessment.
6.2Test automation engineers (2–3)
Expertise profile
These engineers build and maintain automated test suites that are comprehensive, well-documented, and traceable to requirements for use as certification materials.
Experience & background
Minimum 3+ years in test automation for mobile and backend systems. Experience with CI/CD-integrated testing and device lab or cloud-based device testing infrastructure.
6.3Security test engineer
Expertise profile
This engineer validates SaaS component availability under expected and peak load and continuously tests the security posture of the entire solution, encompassing SAST, DAST, dependency vulnerability scanning, and penetration testing.
Experience & background
Minimum 4+ years spanning application security testing. Proficiency in SAST/DAST tooling, dependency scanning, and penetration testing methodologies.
6.4Interoperability test engineer (1–2)
Expertise profile
These engineers maintain test suites verifying interoperability with wallets and relying-party services across other Member States, participate in EU-wide interoperability testing events, and diagnose the origin of interoperability failures.
Experience & background
Minimum 3+ years in interoperability or integration testing for multi-party systems. Familiarity with the EUDI Wallet interoperability test suites and the Commission's reference implementation.
6.5Certification and compliance lead
Expertise profile
This role bridges engineering and formal conformity assessment, preparing all documentation required by the certification scheme — security targets, protection profiles, risk analyses, test reports, vulnerability analyses, and compliance matrices — and coordinating directly with the conformity assessment body.
Experience & background
Minimum 3+ years with involvement in eIDAS conformity assessments, Common Criteria evaluations, or ETSI EN 319 401 audits. Ability to map certification criteria to technical implementation requirements.
Test Lead / QA Manager
7+ YRS
Test strategy Traceability
Test Automation Engineers
3+ YRS2–3 FTE
Automated suites CI/CD testing
Security Test Engineer
4+ YRS
SAST/DAST Pen testing
Interoperability Test Engineer
3+ YRS1–2 FTE
Cross-border interop EU test suites
Certification & Compliance Lead
3+ YRS
Certification docs CAB liaison
Summary: Quality, Testing and Certification
7.Security and Operations
7.1Information security officer
Expertise profile
Manages the security and audit aspects of the project, ensuring compliance with NIS2 and the Cybersecurity Act and maintaining the programme's security posture across all components.
Experience & background
Minimum 7+ years in information security management. CISSP, CISM, or equivalent.
7.2Incident response / on-call engineers (4–5 in rotation, post-launch)
Expertise profile
These engineers staff the 24/7 on-call rotation for critical components, responding within 15 minutes to P1 incidents and producing structured incident notifications under the reporting requirements of the Cybersecurity Act and GDPR.
Experience & background
Minimum 3+ years in operational incident response for production services with formal incident classification and escalation procedures.
7.3DevOps / infrastructure engineers (2–3)
Expertise profile
These engineers manage repositories through which the wallet is delivered, maintaining tagged, versioned releases with release notes, and manage the underlying infrastructure.
Experience & background
Minimum 3+ years in DevOps or infrastructure engineering for regulated software products. Familiarity with infrastructure as code and reproducible deployments.
Information Security Officer
7+ YRS
Security & audit NIS2 / Cyber Act
Incident Response On-call Engineers
3+ YRS4–5 FTE
24/7 on-call Post-launch
DevOps / Infra Engineers
3+ YRS2–3 FTE
Release mgmt IaC
Dashed border = post-launch role
Summary: Security and Operations
8.Mobile Wallet Engineering
8.1Senior iOS engineers (2–3)
Expertise profile
These engineers implement the core wallet functionality on Apple's platform: wallet unit activation, credential storage and presentation using OID4VP and ISO 18013-5, cryptographic operations via Secure Enclave, and the full wallet unit lifecycle. They must have deep knowledge of iOS security APIs — CryptoKit, keychain services, App Attest, and LocalAuthentication — and implement both proximity and remote presentation flows.
Experience & background
Minimum 5+ years in native iOS development with a focus on security-sensitive applications. Direct experience with Secure Enclave key management and Apple's attestation frameworks.
8.2Mid-level iOS engineer
Expertise profile
Supports senior engineers on UI implementation, accessibility compliance, and testing across OS version matrices.
Experience & background
Minimum 3+ years in native iOS development. Solid understanding of UIKit/SwiftUI and iOS accessibility frameworks.
8.3Senior Android engineers (2–3)
Expertise profile
These engineers implement the wallet on Android, mastering the Android Keystore system, StrongBox, TEE integration, BiometricPrompt, Play Integrity API, and Host Card Emulation for NFC proximity presentation. They must design graceful degradation paths for the device fragmentation that characterises the Android ecosystem.
Experience & background
Minimum 5+ years in native Android development focused on security-sensitive applications. Direct experience with Android Keystore and hardware-backed key management.
8.4Mid-level Android engineer
Expertise profile
Supports senior engineers on UI implementation, accessibility compliance, and device compatibility testing across the Android device matrix.
Experience & background
Minimum 3+ years in native Android development with experience testing across diverse Android devices and OS versions.
iOS
Senior iOS Engineers
5+ YRS2–3 FTE
Secure Enclave OID4VP / ISO 18013-5
Mid-level iOS Engineer
3+ YRS
UI & accessibility OS version testing
Android
Senior Android Engineers
5+ YRS2–3 FTE
Keystore / StrongBox HCE / NFC
Mid-level Android Engineer
3+ YRS
UI & accessibility Device compatibility
Summary: Mobile Wallet Engineering
Strategic Profiles
1.Ecosystem and Integration
1.1Ecosystem and Integration Lead
Expertise profile
This role owns everything that makes the wallet useful beyond its technical compliance: the pipeline of relying parties across the public and private sectors, the onboarding of attribute providers from the ministries responsible for health, transport, education, and social services, the developer-facing documentation and sandbox that allow external parties to integrate, and the sequencing of new attributes to maximise citizen utility over time. It is simultaneously a business development role, a stakeholder management role, and a technical liaison function.
Experience & background
Minimum 7–10 years spanning partnership or ecosystem development, product management, and public sector stakeholder engagement. Sufficient technical depth to understand ARF credential flows and diagnose integration blockers. Experience in regulated or identity-adjacent sectors strongly preferred.
1.2Public Sector Integration Manager
Expertise profile
This role is responsible for the end-to-end onboarding of public sector relying parties and attribute providers, translating the national attribute roadmap into concrete integration agreements with the ministries and agencies that hold the underlying data. The Public Sector Integration Manager manages the institutional relationships that determine the wallet's practical utility for citizens: negotiating data-sharing arrangements, resolving the legal and technical blockers that arise when legacy systems meet ARF credential flows, and sequencing onboarding to ensure that the most impactful use cases come online first. Where ministries lack internal technical capacity, this role also coordinates the support needed to bring them to integration readiness.
Experience & background
Minimum 7–10 years in public sector programme delivery, interoperability, or digital transformation, with direct experience managing cross-institutional dependencies and data-sharing negotiations. Sufficient technical grounding to engage credibly with ministry IT teams and diagnose integration constraints. Familiarity with Romanian public administration and its institutional dynamics is essential.
1.3Private Sector Ecosystem Manager
Expertise profile
This role owns Romania's private sector wallet strategy, from defining the value proposition for commercial relying parties to managing the partnerships, commercial frameworks, and developer-facing tools that make private sector adoption viable. The Private Sector Ecosystem Manager identifies the sectors (banking, insurance, healthcare providers, telecoms etc.) where wallet-based authentication or attribute sharing can generate sufficient commercial value to drive adoption, and works to remove the barriers that would otherwise delay it. This role also maintains awareness of how private sector wallet implementations are developing across other Member States, ensuring Romania's approach remains compatible with emerging European market norms.
Experience & background
Minimum 7–10 years in business development, partnerships, or product strategy within technology, financial services, or identity-adjacent sectors. Experience engaging with developer communities and managing commercial frameworks in regulated environments. Sufficient technical literacy to understand credential flows and speak credibly with product and engineering counterparts.
1.4Cross-Border Interoperability Specialist
Expertise profile
This role ensures that Romanian wallet implementations remain technically and legally interoperable with those of other Member States, tracks the evolution of the Architecture Reference Framework and relevant implementing acts as they affect cross-border use cases, and represents Romania's technical interests in EU-level interoperability working groups. The Cross-Border Interoperability Specialist works closely with the Policy and Regulatory Affairs team on regulatory developments and with the Wallet Provider team on their technical implications, acting as the primary bridge between Romania's domestic implementation and the wider European ecosystem. As cross-border use cases mature, this role also manages the bilateral and multilateral technical relationships that make them operational in practice.
Experience & background
Minimum 5–7 years in digital identity, interoperability architecture, or EU-level technical standardisation. Direct experience with ARF specifications, OpenID4VC protocols, or comparable credential frameworks. Participation in EU technical working groups, whether through a Member State authority, a notified body, or a standards organisation, is strongly preferred.
Ecosystem & Integration Lead
7–10 YRS
Ecosystem strategy RP & attribute onboarding
Public Sector Integration Manager
7–10 YRS
Public sector onboarding Data-sharing agreements
Private Sector Ecosystem Manager
7–10 YRS
Private sector strategy Commercial partnerships
Cross-Border Interoperability Specialist
5–7 YRS
EU interoperability ARF / OpenID4VC
Summary: Ecosystem and Integration
2.Policy, Legal and Regulatory
2.1Policy and Regulatory Affairs Specialist
Expertise profile
This role monitors regulatory developments at EU level, translates their implications into actionable requirements for both the Wallet Provider team and the programme leadership, manages Romania's participation in EU working groups and governance bodies, and maintains the legal and policy framework within which the wallet operates domestically. The Policy Specialist is also the internal expert on what other Member States are doing, maintaining a comparative picture that informs Romania's own design decisions as the ecosystem matures.
Experience & background
Minimum 5–7 years in EU regulatory affairs or digital policy with direct experience in the eIDAS or electronic identity domain. Active participation in EU-level technical or policy working groups.
2.2Policy and Regulatory Affairs Analyst
Expertise profile
This role supports the Policy Specialist in tracking EU regulatory developments, preparing briefing notes and comparative analyses of Member State implementations, maintaining the programme's regulatory calendar, and coordinating Romania's contributions to EU working group consultations. The Policy Analyst monitors the official publication pipeline for implementing acts and delegated regulations, flags developments with material implications for the programme, and maintains the documentation repository through which regulatory requirements are translated into internal guidance.
Experience & background
Minimum 2–3 years in EU policy, regulatory affairs, or public administration. Familiarity with EU legislative processes and digital policy. Reading knowledge of EU institutional documentation and comfort synthesising regulatory texts into accessible summaries.
2.3Legal Counsel and Data Protection Specialist
Expertise profile
This role provides the legal foundation on which the entire programme operates. The Legal Counsel and Data Protection Specialist maintains the domestic legal framework governing the wallet's operation, advises the programme leadership and team leads on the legal implications of design and policy decisions, manages the programme's relationship with the National Supervisory Authority for Personal Data Processing, and ensures that every component of the wallet ecosystem, from attribute provisioning to relying party onboarding, operates in full compliance with GDPR, eIDAS 2, and applicable Romanian law. This role is also the primary internal authority on data minimisation architecture, purpose limitation, and the legal basis for each category of data processed within the ecosystem, and supports the policy team in tracking legislative developments that carry legal consequences for the programme.
Experience & background
Minimum 7 years in data protection, digital law, or regulatory compliance, with direct experience in identity, authentication, or public sector data governance. Deep working knowledge of GDPR and eIDAS 2 is essential; experience engaging with supervisory authorities or contributing to legislative processes is strongly preferred.
This role is responsible for building the public understanding and institutional trust on which wallet adoption depends. The Communications Specialist develops and executes the programme's external communications strategy across citizen-facing, stakeholder, and media channels, manages the narrative around key milestones and rollout phases, and ensures that the wallet's value proposition is translated into clear, accessible messaging for audiences with varying levels of digital literacy.
Experience & background
Minimum 7 years in strategic communications, or digital engagement, ideally in programmes with significant public-facing dimensions. Experience managing communications for complex, multi-stakeholder programmes. Familiarity with digital identity or data rights discourse is an advantage.
3.2Communications Analyst
Expertise profile
This role supports the Communications Specialist in producing and distributing content across the programme's communication channels, maintaining the editorial calendar, preparing materials for citizen-facing campaigns, and monitoring media and public discourse around digital identity topics. The Communications Analyst also assists with internal communications, including programme updates for government stakeholders, and manages the programme's social media presence where applicable.
Experience & background
Minimum 2–3 years in communications or content production. Strong written communication skills across different registers and audiences. Familiarity with digital channels and content management tools.
3.3Adoption Metrics and Data Specialist
Expertise profile
This role designs and maintains the measurement framework that tracks wallet issuance, activation, and active use across citizen segments and use cases, monitors relying party integration progress and transaction volumes, and produces the analytical outputs that allow programme leadership and team leads to identify where adoption is accelerating, where it is stalling, and why. Data collected through this function feeds directly into the product roadmap and the ecosystem sequencing decisions owned by the integration team.
Experience & background
Minimum 5–7 years in data analysis, product analytics, or programme performance measurement. Experience designing measurement frameworks for multi-sided platforms or public sector digital services. Familiarity with EU reporting requirements in the digital domain is an advantage.
Communications
Communications Specialist
7+ YRS
External comms strategy Stakeholder & media messaging
The current situation of Romania can be summed up as follows: a governance committee is in place, key institutional roles have been allocated, Germany’s open-source solution has been announced to be adopted as the technical base, and the electronic identity card provides a foundation that not all Member States had when eIDAS 2 was first proposed. This paper has argued, drawing on the academic literature on delivery units and on the comparative experience of France, Poland, and Sweden, that building and ensuring adoption of national wallets requires development of internal capacity. For Romania, adopting Germany’s solution reduces the load for building the wallet but does not imply that there is no need to assign experts on this task, as customising a foreign codebase to national infrastructure, tracking upstream changes as the ARF evolves, and managing a cross-border technical relationship all require a team with both technical depth and institutional authority, precisely what the proposed taskforce is designed to be.
The central recommendation of this paper is therefore the establishment of a taskforce for the EUDIW at the centre of the government. The main risk this paper identifies is that assignment of roles alone, without a proper allocation of human resource dedicated to the task via a mechanism that allows for flexible recruitment and deployment of the person-hours that experts from public institutions and private companies can contribute has repeatedly failed to produce a service that is actually used. The technical team builds and operates the wallet: a bounded, technical, compliance-oriented mandate that is well defined in the ARF and well understood by most Member States. The strategic team makes the wallet matter, through adoption, trust and compliance via legal, policy and regulatory expertise and communication.
Taken together, the profiles set out above imply a unit of roughly 40 to 50 full-time equivalents at full build; a leaner configuration of around 20 people is sufficient for the 2026 phase, in which the priority is the first release of the application, PID issuance and age verification, with the testing, incident-response and mobile-engineering functions scaling as the wallet moves into production.
Edge Institute will follow this paper with a dedicated piece that translates the governance proposal set out here into a phased implementation roadmap, covering the critical window from taskforce constitution through launch, the sprint toward certification and public availability, and the 2027 horizon when mandatory private sector acceptance obligations arrive.
While a phase-by-phase implementation roadmap is deliberately left to the follow-up work, as Romania is currently in a period of government transition, the sequence of first decisions is sufficiently independent of the eventual government configuration to state here.
The immediate priorities are six:
to select and legally constitute the taskforce vehicle and appoint a Programme Director with a clear mandate to recruit experts according to a pre-defined scheme;
to second an initial technical core from the Ministry of Internal Affairs, the Special Telecommunications Service, the Ministry of Economy, Digitalisation, Entrepreneurship and Tourism and other relevant public institutions so that work on integrating the German solution with the national registers and the PID issuance process begins without waiting for full recruitment;
to map the help that private companies can offer, keeping in mind that it should not undermine nor replace the development of internal capacity;
to identify the eventual components that need to be bought from the market and prepare the public tenders accordingly;
to confirm the funding route and secure the first tranche; and
to stand up the ecosystem function early, so that the pipeline of relying parties and attribute providers is being built in parallel with, not after, the technical work.
About and acknowledgements
This paper was written by Melany Pașca, Director of Public Policy and Legal Affairs at Edge Institute, with the support of the think tank’s team. Special thanks are due to David Magard, Director of Government and Regulatory Affairs at the SIROS Foundation, former coordinator of the EU Digital Wallet Consortium (EWC) and of the WE BUILD large-scale pilot, whose substantial contribution shaped the architecture and part of the comparative analysis of national delivery models. Warm thanks are also due to the technical experts of the SIROS Foundation’s team, whose input strengthened the technical dimensions of the analysis.
The overview of the French, Polish and Swedish approaches was informed by discussions with key members of the teams delivering the digital identity wallets in the three countries, whose openness in sharing their experience, organisational choices and lessons learned made the comparative chapter possible.
The sections on the Romanian national context benefited from the peer review of experts in digital policy and public administration reform. Although their view is that the taskforce should be placed within the Chancellery of the Prime Minister, aspect addressed directly in the paper, their feedback was very valuable.
The views expressed in this paper are the sole responsibility of the author. Any remaining errors are the author’s own.
Bibliography
Centre for Public Impact, „The Prime Minister’s Delivery Unit (PMDU) in the UK” (2016).
Clement, Michelle, The Art of Delivery: The Inside Story of How the Blair Government Transformed Britain’s Public Services (Biteback Publishing, 2024).
Digital Nation for Edge Institute, Digital Governance Framework for Romania (2025).
EPRS, Revision of the eIDAS Regulation: Findings on Its Implementation and Application — Briefing (2022).
European Commission, DESI: e-Government Users (2025).
European Commission, Evaluation Study of Regulation (EU) No 910/2014 (eIDAS Regulation), SMART 2019/0046 — Final Report (2020).
European Commission, „What Are the Large Scale Pilot Projects — EU Digital Identity Wallet”, accessed 9 June 2026, ec.europa.eu/digital-building-blocks.
European Commission and Technopolis Group, Study on the EU’s Critical Digital Capacities Deployment beyond 2027 — Final Report (Publications Office of the European Union, 2026), data.europa.eu/doi/10.2759/0673677.
European Digital Identity Wallet Architecture and Reference Framework (ARF), v1.4.0, eudi.dev/1.4.0/arf.
Government of Romania and Mastercard Europe S.A., Memorandum of Understanding (2026), sgg.gov.ro.
King’s College London, „Blair’s »Delivery Revolution« Unveiled: New Book Reveals Inside Story of Government Reform”, accessed 8 June 2026, kcl.ac.uk.
Knill, Christoph, et al., „How Policy Growth Affects Policy Implementation: Bureaucratic Overload and Policy Triage”, Journal of European Public Policy 31, no. 2 (2024), 324–51, doi.org/10.1080/13501763.2022.2158208.
Ministry of Internal Affairs (Romania), publicly available data on electronic identity card issuance.
Nair, Sreeja, and Akshat Garg, „How Do Governments Learn from Ad Hoc Groups during Crises? From SARS to COVID-19”, Policy & Politics 52, no. 4 (2024), 625–47, doi.org/10.1332/03055736Y2023D000000011.
OECD, Digital Government Outlook 2026: From Foundations to Transformational Impact (OECD Publishing, 2026), doi.org/10.1787/0496b2bc-en.
OECD, Digital Government Review of Romania: Towards a Digitally Mature Government, OECD Digital Government Studies (OECD Publishing, 2023), doi.org/10.1787/68361e0d-en.
OECD, Public Governance Reviews: Romania Scan 2016, OECD Public Governance Reviews (OECD Publishing, 2016), doi.org/10.1787/d7fe89a4-en.
Pașca, Melany, „Identitate electronică în România: Cauzele adopției scăzute și direcții de acțiune” (Edge Institute, 2026), edgeinstitute.ro.
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS).
Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework.
Romanian Government, „Guvernanță, roluri instituționale și deschidere către parteneriate strategice în implementarea Portofelului de Identitate Digitală (RoEUDIW)”, press release, 26 June 2026, gov.ro.
Vince, Joanna, et al., „Understanding Policy Integration through an Integrative Capacity Framework”, Policy and Society 43, no. 3 (2024), 381–95, doi.org/10.1093/polsoc/puae027.
Williamson, T., et al., Delivery Approaches to Improving Policy Implementation: A Conceptual Framework (Learning Generation Initiative, 2024).
World Bank, Digital Wallets: A New Paradigm (World Bank Group, 2026).
World Bank, Driving Performance from the Centre: Malaysia’s Experience with PEMANDU (World Bank Group, 2017).
What can you do?
Subscribe to Edge Institute's newsletter. All our reports and research reach subscribers' inboxes first, before being published anywhere else. The newsletter is our main distribution channel and the only way we guarantee that you receive every deliverable in its complete form. You can subscribe in 10 seconds at edgeinstitute.ro.
Share it forward. If you work in public administration, the private sector, civil society, the press, or academia, send this document to the people who make decisions or influence them. The 84% of Romanians who say the state is digitalising too slowly are only heard through the amplification of each individual voice.
Share this document
Edge Institute writes for everyone who wants a digitalised Romania. Without political preference. Without conditions. But we cannot do it alone.
If you have read this far, you are already part of the solution. The next step takes 10 seconds.
Edge Institute
Receive every report in your inbox, ahead of any publication.