Brussels, 1 July 2026 – In the negotiating position the Council of the EU adopted on 9 June 2026 on the European Business Wallet, the cybersecurity section was tightened considerably. The key change: national supervisory authorities will now have up to 60 days, instead of the initially proposed 30, to review an authorisation application from a would-be provider. The European Business Wallet authorisation process is becoming both more thorough and stricter than the European Commission originally proposed in November 2025.
Why the Council extended the deadline
Providers of European Business Wallets take on a sensitive role: they manage the digital identity businesses use to identify themselves across borders, sign documents and share data. A rushed or superficial review of an authorisation application could undermine trust in the entire system. By extending the review period to 60 days, supervisory authorities gain more room to thoroughly examine a provider’s technical, organisational and security setup before granting approval.
Alongside the longer deadline, the Council also specified that the European Commission must adopt implementing acts detailing exactly what documentation aspiring providers need to submit. This is meant to prevent member states from applying inconsistent evidentiary standards, supporting harmonisation across the EU. In cases of systemic non-compliance by a provider, national supervisory authorities also gain a stronger role to intervene.
Who becomes the supervisory authority?
Under the Commission’s proposal, the bodies already designated as supervisory authorities under the broader eIDAS2 digital identity framework also become responsible for overseeing European Business Wallets. They monitor compliance, review notifications and complaints, verify termination plans when a provider ceases operations, ensure providers remedy any shortcomings, and inform competent authorities of major security breaches. They can also impose effective, proportionate and dissuasive penalties.
Cooperation between member states
The existing European digital identity cooperation group, established under the eIDAS2 regulation, gains an expanded role under the Council’s position: it will also facilitate the implementation and functioning of the European Business Wallet. This is meant to prevent 27 national supervisory authorities from each developing their own interpretation of the authorisation requirements, and to ensure that providers operating across multiple member states face a consistent set of demands.
What this means for the provider market
For parties considering certification as a European Business Wallet provider, the longer authorisation window means a more thorough, but also more predictable, process. Providers must demonstrate that they are established in the EU, have their principal place of business and main operations in the EU, and do not pose a security risk to the Union. They must ensure the confidentiality, integrity, authenticity, interoperability and availability of the wallet, working according to a security-by-design principle.
For Peppol Service Providers weighing whether to take on this role, or trying to understand how the broader supervisory framework relates to existing Peppol certification, this is a process worth following. The tightened cybersecurity requirements fit a broader European trend towards stricter oversight of digital identity and invoicing infrastructure. Existing certification routes within the Peppol network run through OpenPeppol and national Peppol authorities, and remain separate from the authorisation procedure for European Business Wallets. Still, it is realistic to expect the two frameworks to intersect over time, especially now that the European Business Wallet and Peppol infrastructure are already being brought together in projects such as WE BUILD.
- Council of the EU: European business wallets: Council adopts negotiating position (9 June 2026)
- Council of the EU: General approach, ST-7659-2026-INIT
- EUR-Lex: Proposal for a regulation on the establishment of European Business Wallets, COM(2025) 838
- European Parliament: Legislative Train Schedule, European business wallets






