The 2026 Identity Stack: How EUDI, My Number 2.0, and NIST 800-63-4 Are Rewiring the Trust Layer

For two decades, “digital identity” has been a phrase that meant whatever the speaker needed it to mean: a login, a KYC check, a national ID card with a chip nobody used. In 2026 that ambiguity collapses. Three jurisdictions — the European Union, Japan, and the United States — are each shipping concrete identity infrastructure within months of each other, and the technical standards they have converged on are close enough that a credential issued in one will, by design, be verifiable in another.

That changes the conversation. Identity stops being a compliance checkbox and starts being the substrate that ESG disclosure audits, AI-output provenance, cross-border service delivery, and supply chain attestations will all sit on top of. Boards that treated digital identity as an IT-procurement question are about to discover it is a strategic one.

The EU’s deadline forces the issue

The European Digital Identity Framework — Regulation (EU) 2024/1183 — entered into force in 2024 and gives every Member State a hard deadline: by the end of December 2026, each must offer at least one EU Digital Identity (EUDI) Wallet to its citizens, free of charge. The first set of implementing regulations was published on 4 December 2024, anchoring the 24-month national-availability clock.

The EUDI Wallet is not a redesigned login. It is a mobile container that holds verifiable attestations — your residency, your professional licence, your educational degree, your tax status — and lets you present any subset of them, selectively, to any verifier in the EU. Use of the wallet is voluntary for citizens but, per the regulation, mandatory for acceptance by specified private-sector relying parties — banks, telcos, healthcare providers — and by Very Large Online Platforms by late December 2027.

Readiness varies widely. Some Member States are on track; the Netherlands has signalled limited functionality at launch; Bulgaria, per public reporting, has barely started. But the legal deadline is the legal deadline. By the close of 2027, any platform offering authenticated services to EU residents will need to accept an EUDI Wallet presentation. That single regulatory fact will reshape every consumer-facing onboarding flow in Europe, and — because the EU represents roughly a fifth of the global digital economy — most multinational platforms will build wallet acceptance once and turn it on everywhere.

Japan turns the card into a platform

Japan’s My Number Card is older than the EUDI Wallet — issuance began in 2016 — and quieter. But the architectural shift coming in fiscal 2026 is at least as consequential.

By January 2026, roughly 80 percent of Japan’s population held a My Number Card, with more than 100 million issued. Penetration of that depth in a major economy is rare; only a handful of countries — Estonia, Singapore, India in different ways — operate at comparable scale. What Japan did not have, until now, was a way for that card to serve as anything other than a government-issued credential.

The Digital Agency is changing that on several axes at once. Starting in fiscal 2026 (which begins 1 April 2026), a redesigned My Number Card ships with the gender field removed from the surface and stored only in the chip, with added furigana, Romanized names, and Gregorian-calendar standardised birthdates aligned to international identity norms. The card moves onto Android in 2026 after a 2025 iOS launch, paired with a new “Myna App” that the Digital Agency plans to use as the consumer-facing surface for tax filing, healthcare credentials, and administrative procedures.

The bigger architectural move is the authorisation of Toshiba Digital Engineering to install applications into the unused IC chip space on the card itself. The government notice opens the door for regulated private-sector apps to run on My Number, transforming the card from a single-purpose government credential into a platform for issuing attestations: employment credentials, professional licences, healthcare proofs, eventually anything an accredited issuer can sign.

This is the same architectural pattern the EUDI Wallet has chosen. The form factor differs — a smart card with chip-resident apps versus a smartphone wallet — but the conceptual model is identical: the citizen holds a portable container, and accredited issuers and verifiers transact attestations across it. Japan’s healthcare DX timeline pairs neatly with this: the card is already being used as a health insurance credential, and the 2026 push expands that into nursing care and broader medical records access.

NIST blesses the new vocabulary

In July 2025 the National Institute of Standards and Technology published the final version of SP 800-63 Revision 4, the canonical reference for digital identity assurance in the United States. The revision is the product of an almost four-year process, two public drafts, and nearly 6,000 individual comments.

Two changes matter most for the global picture.

First, NIST formally acknowledges mobile driver’s licences (mDLs) and verifiable credentials as valid forms of identity evidence. That is the regulatory bridge that lets US federal agencies, banks, and any organisation that benchmarks against NIST treat an ISO/IEC 18013-5 mDL or a W3C-format verifiable credential the same way they treat a passport scan or an in-person identity proofing event. It is the move that pulls the new credential formats out of pilots and into compliance footprints.

Second, the document shifts from a checklist regime to a risk-based Digital Identity Risk Management framework, and steers organisations away from one-time passwords toward passkeys and hardware-bound credentials with phishing resistance built in. The practical consequence: by the time CISO teams finish their 2026 budget cycles, “SMS OTP” will be a documented liability rather than a default.

The mDL adoption curve underneath the standard is moving fast. As of early 2026, 21 US states plus Puerto Rico have mobile driver’s licences accepted by the Transportation Security Administration at airport checkpoints; 41 percent of Americans live in states where mDLs are already active; 76 percent live in states with programmes live or in development. ISO/IEC 18013-5 has become the de facto international standard, with parallel adoption in Australia, New Zealand, South Korea, and the Gulf states.

Why the C-suite should read this as infrastructure, not IT

The reason these three threads matter together, rather than as three separate national stories, is what sits on top of them.

ESG and sustainability disclosure. The next phase of CSRD compliance, ISSB IFRS S1/S2 reporting, and SSBJ disclosure in Japan all converge on a shared problem: every emissions figure, every supplier attestation, every renewable-energy certificate needs a verifiable provenance chain. Verifiable credentials are the cleanest technical answer. When a Tier 3 supplier presents a Scope 3 attestation to a Tier 1, the auditable artefact that satisfies both an EU CSRD assurance review and an SSBJ disclosure note is, structurally, a signed verifiable credential. The companies that build that machinery now will look like sustainability leaders by 2028; the ones that don’t will look like spreadsheet-era stragglers.

AI provenance. As regulators in Tokyo, Brussels, Seoul, and Washington tighten requirements around AI output labelling — see our coverage of the forked Asian AI rulebook — the cryptographic substrate that proves a piece of media was produced by a human, by a specific AI model, or under a specific licence is, again, a verifiable credential. C2PA content credentials and EUDI Wallet attestations are converging vocabularies.

Cross-border services. The EUDI Wallet’s mandatory-acceptance scope reaches every platform offering services in the EU. Japanese companies operating in Europe will need to accept EUDI presentations by 2027; European companies onboarding Japanese executives will need to accept My Number-issued attestations. The cost of not having a wallet-acceptance strategy compounds quickly.

Supply chain and trade finance. Bills of lading, letters of credit, certificates of origin, customs declarations — every paper-based artefact in cross-border trade is a candidate for replacement by a verifiable credential. The same standards stack that powers identity will power the documents that move goods.

The question for executive boards

Digital identity in 2026 is less a feature decision than a posture decision. The infrastructure exists. The standards are converging. The deadlines are real. The question executives need to answer this year is not whether to engage but how aggressively — as a wait-and-see adopter, a fast follower, or a leader that helps define the credential schemas in its sector.

That posture decision is exactly the kind of question Tech for Impact Summit 2027 will surface. As digital identity weaves into privacy as a public good, collaborative-technology models of democratic governance, and the broader Japan policy stack, the leaders who treat identity as infrastructure — not as an IT line item — will hold a structural advantage in every adjacent market.

T4IS2027 will gather the executives, policymakers, and technologists building that layer. If your organisation is making bets on what the trust layer looks like in 2028 and beyond, that is the room to be in.