What is WRPAC and Why Every Online Business Will Need One by December 2026

The clock is ticking. In less than ten months, the EU Digital Identity Wallet (EUDI Wallet) infrastructure goes live across Europe. If your business verifies the identity or age of EU citizens, you need to understand WRPAC certificates—and you need to prepare now.

What is a WRPAC Certificate?

WRPAC stands for Wallet Relying Party Access Certificate. Think of it as your business's license to request identity information from EU citizens via their digital identity wallets.

Starting December 2026, when someone wants to prove their age to buy alcohol online, verify their identity for a financial service, or confirm their professional credentials, they'll do it through their national EUDI Wallet app—not by uploading photos of their driver's license or passport. And to request that verification, your business will need a valid WRPAC certificate.

Without WRPAC certification, you won't be able to verify EU citizens through the official EUDI Wallet system. It's that simple.

The Dual-Certificate Architecture

WRPAC isn't just one certificate—it's actually a dual-certificate system designed to balance security with transparency:

1. Access Certificate (WRPAC)

The Access Certificate is the cryptographic credential that allows your business to technically communicate with EUDI Wallets. It's issued by a Qualified Trust Service Provider (QTSP) and proves that you're an authorized relying party.

This certificate:

• Enables secure communication with wallet apps
• Authenticates your requests to users' wallets
• Must be renewed periodically (typically annually)
• Requires procurement from a qualified QTSP

2. Registration Certificate

The Registration Certificate is your registration record with your national supervisory authority. It's the legal foundation that makes you eligible to obtain an Access Certificate in the first place.

This registration:

• Documents your intended use cases and data requests
• Makes your identity and purpose publicly transparent
• Must be maintained in your home member state
• Requires updates whenever your use case changes

Important: You can't get an Access Certificate without first completing Registration. Both are mandatory under Article 5b of eIDAS Regulation (EU) 2024/1183.

Article 5b: What Every Relying Party Must Do

Article 5b of the eIDAS 2.0 regulation spells out exactly what's required to become a Relying Party. Here's what you're signing up for:

Registration Requirements

Your business must register with your home member state authority and declare:

1. Who you are: Legal establishment, registered address, and official identity
2. What you want: Specific attributes you'll request from users (age, identity, professional qualifications, etc.)
3. Why you need it: Your intended use cases and legal basis for requesting data

This registration is cost-effective and proportionate to risk—meaning authorities can't impose unreasonable financial or administrative burdens just to register.

Ongoing Obligations

Once registered, you have continuing responsibilities:

• Report changes without delay: If your use case changes or you want to request new attributes, you must notify your national authority
• Identify yourself to users: When a user's wallet shows your verification request, it must clearly display who you are and what you're requesting
• Accept pseudonyms where allowed: If your use case doesn't legally require full identification, you must accept pseudonymous credentials

Public Transparency

Your registration isn't secret. National authorities maintain public registries of Relying Parties, so users and regulators can verify that you're legitimately registered.

This transparency is intentional—it builds trust in the EUDI ecosystem and allows users to verify that the businesses requesting their data are legitimate and supervised.

Current Status: Where We Are in February 2026

Here's the landscape as of today:

What's Ready

• Standards are finalized: The ETSI TS 119 475 standard for WRPAC was published in October 2025, defining the technical specifications for Access Certificates
• Legal framework is in force: Regulation (EU) 2024/1183 (eIDAS 2.0) took effect in May 2024, with Article 5b fully applicable
• Timeline is set: December 2026 deadline for EUDI Wallet availability is confirmed

What's Not Ready Yet

• No operational registration infrastructure: As of February 2026, no EU member state has deployed a live Relying Party registration system
• QTSPs preparing: Qualified Trust Service Providers are gearing up to issue WRPAC certificates, but can't do so until RP registrations are live
• Expected timeline: Industry consensus suggests RP registration infrastructure will open mid-2026, giving businesses roughly 6 months to register before the December launch

The Compliance Burden: What DIY WRPAC Registration Involves

If you're considering getting your own WRPAC, here's what you're committing to:

1. Relying Party Registration Process

• Navigate your home country's registration portal (each member state has its own system)
• Prepare documentation proving legal establishment and intended use
• Submit declarations about data attributes you'll request
• Pay registration fees (amounts vary by country)
• Wait for authority approval (timelines TBD)

2. WRPAC Certificate Procurement

• Select a Qualified Trust Service Provider
• Provide Registration Certificate as proof of eligibility
• Complete QTSP's identity verification and onboarding
• Purchase and renew Access Certificates (pricing not yet public)
• Manage certificate lifecycle and renewal schedules

3. Trust List Integration

This is where it gets complex. You need to:

• Integrate with trust lists from all 27 EU member states
• Handle wallet implementations from 27+ national systems
• Build support for multiple credential formats (SD-JWT VC, mdoc)
• Implement OpenID4VP protocol correctly
• Maintain compatibility as standards evolve

4. Ongoing Compliance Maintenance

• Monitor changes in your use case and report to national authority
• Keep Registration Certificate current
• Renew Access Certificates on schedule
• Stay current with technical standard updates
• Respond to regulatory inquiries or audits

Estimated effort: Setting this up internally could require 6-12 months of development time, dedicated compliance staff, and ongoing operational overhead.

Who Needs This?

If your business does any of the following with EU citizens, you'll need WRPAC certification by December 2026:

• Age verification for alcohol, tobacco, gambling, adult content
• Identity verification for financial services (KYC/AML)
• Professional credential verification for hiring or licensing
• Address verification for shipping or legal compliance
• Educational credential verification for admissions or employment

Basically: If you verify EU citizens digitally, you need WRPAC compliance.

Why Prepare Now: The Case for Early Action

You might be thinking, "It's only February 2026. December is months away. Why rush?"

Here's why early preparation matters:

1. Registration Infrastructure Uncertainty

No one knows exactly when member state registration portals will open. If they launch in June and you wait until November, you may face:

• Processing delays
• Application backlogs
• Authority resource constraints
• Technical issues with new systems

2. Build and Test During Demo Mode

Smart businesses are integrating EUDI Wallet verification today in DEMO and MOCK modes. When December 2026 arrives, they'll simply flip a switch to production. Companies that wait will face both compliance scrambling and technical integration simultaneously—a recipe for missed deadlines.

3. Competitive Advantage

Being ready on day one means:

• No service interruption when EUDI wallets launch
• Marketing your compliance readiness to customers
• Capturing early adopters who prefer privacy-preserving verification
• Avoiding the "please use our old identity verification flow" workaround that erodes trust

The Alternative: Aggregator Services

Here's the reality many businesses are discovering: You don't have to get your own WRPAC.

Article 5b(10) of the eIDAS regulation explicitly allows intermediaries to act as Relying Parties on behalf of merchants. Services like eIDAS Pro handle:

• RP registration in Luxembourg (valid across all 27 EU member states via passporting)
• WRPAC certificate procurement and renewal
• Trust list integration with all national wallet systems
• Ongoing compliance and regulatory reporting
• Technical protocol implementation (OpenID4VP, SD-JWT VC, mdoc)

You call an API. They handle the compliance infrastructure. Users' wallets display both the aggregator's identity and yours, ensuring full transparency.

For most businesses, this is the smarter path. Save your development resources for your core product. Let compliance specialists handle the regulatory complexity.

Timeline to December 2026

Here's what the next 10 months look like:

Mid-2026 (Expected):

• RP registration infrastructure opens in member states
• QTSPs begin issuing WRPAC certificates to registered RPs
• Early adopters complete registration and receive certificates

December 2026:

• EUDI Wallets go live across the EU
• Wallet-based verification becomes available
• Production verifications begin for WRPAC-certified relying parties

December 2027:

• Mandatory compliance deadline for regulated sectors
• Traditional verification methods may face restrictions
• Full market maturity expected

Next Steps: Two Paths Forward

Path 1: Use an Aggregator (Most Businesses)

If you want to focus on your business, not compliance infrastructure:

1. Start integrating today in DEMO mode
2. Test your flows with MOCK mode
3. Be ready for production in December 2026 with zero registration effort

Path 2: Get Your Own WRPAC (Enterprises)

If you need complete control and in-house compliance:

1. Watch for registration infrastructure to open in your country (expected mid-2026)
2. Prepare documentation for RP registration now
3. Select a QTSP for certificate procurement
4. Build technical integration with wallet standards

Or consider Path 3: Consulting services that provide documentation packages and technical guidance to navigate your own WRPAC registration while you maintain control.

Conclusion

WRPAC isn't optional—it's mandatory for any business that wants to verify EU citizens via digital identity wallets starting December 2026. The compliance requirements under Article 5b are clear, and the deadline is fixed.

The question isn't whether you need WRPAC compliance. The question is how you'll achieve it: build it yourself, use an aggregator, or get consulting support.

What's certain is this: The time to prepare is now. Don't wait for December to start thinking about compliance. Start building and testing today so you're ready when the EUDI Wallet era begins.

---

Ready to get started? eIDAS Pro is currently offering DEMO mode access to early adopters. Build your integration today and be ready for production WRPAC verifications in December 2026—with zero registration burden on your team.

Start Building Now | Learn About Aggregator Model