The Aggregator Advantage: Why Smart Businesses Won't Get Their Own WRPAC
There's a quiet revolution happening in the eIDAS 2.0 compliance space. While some businesses are preparing to register as Relying Parties and manage their own WRPAC certificates, a smarter cohort is asking a different question: "Why should we build compliance infrastructure when someone else can handle it for us?"
The answer lies in Article 5b(10) of Regulation (EU) 2024/1183—a provision that explicitly allows intermediaries to act as Relying Parties on behalf of merchants. This isn't a workaround or a hack. It's a fundamental part of how the EUDI Wallet ecosystem is designed to work.
Let's explore why the aggregator model is becoming the default choice for businesses that want EUDI Wallet verification without the compliance overhead.
The Intermediary Model: Article 5b(10) Explained
Here's what Article 5b(10) actually says:
"A relying party may rely on a service provided by an intermediary for the purposes of requesting and validating attributes from European Digital Identity Wallets... The intermediary shall be registered in accordance with paragraph 1 and shall comply with the obligations set out in this Article."
In plain language: You can hire someone else to be the Relying Party for you.
This is intentional. The European Commission recognized that requiring every small business, every online shop, every age-gated website to individually register as a Relying Party would be an administrative nightmare. Aggregators solve this by providing compliance as a service.
How It Works Technically
When you use an aggregator like eIDAS Pro:
- The aggregator (eIDAS Pro) holds the WRPAC Access Certificate — This is the credential that allows technical communication with EUDI Wallets
- You (the merchant) get a Registration Certificate managed by the aggregator — This documents your specific use case and identity
- The user's wallet shows both identities — Transparency is maintained. The wallet displays: "eIDAS Pro acting for [Your Business Name]"
- You call an API — Your integration is a simple API call or JavaScript widget. No OpenID4VP protocol implementation, no trust list management, no certificate renewals
This isn't masking your identity or hiding behind someone else. The user sees exactly who's requesting their data and who's technically facilitating the request. Full transparency, zero compliance burden on your end.
The Current Landscape: February 2026
Before we dive into why aggregators are the smart choice, let's establish where we are right now:
What's Published
- ETSI TS 119 475 standard for WRPAC certificates (published October 2025)
- Article 5b regulatory framework in eIDAS Regulation (EU) 2024/1183
- December 2026 deadline for EUDI Wallet availability confirmed
- December 2027 deadline for mandatory compliance in regulated sectors
What's Not Yet Operational
- No RP registration infrastructure deployed by any member state (as of February 2026)
- No QTSPs issuing WRPAC certificates yet (can't issue without RP registrations)
- Expected timeline: Registration infrastructure mid-2026, production launch December 2026
The opportunity: Businesses that integrate aggregator services today in DEMO mode will be ready for production in December 2026 with zero registration scrambling. Those who wait to handle it themselves will face compliance chaos and technical integration simultaneously when the clock runs out.
How It Will Work When Production Launches (December 2026)
Let's walk through the technical architecture when aggregators go live with real WRPAC certificates:
The Aggregator's Side (eIDAS Pro)
eIDAS Pro will:
- Register as an intermediary RP in Luxembourg when infrastructure opens
- Obtain WRPAC Access Certificate from a qualified QTSP
- Integrate with trust lists from all 27 EU member states
- Implement OpenID4VP protocol for wallet communication
- Handle all 27+ national wallet implementations (each country has its own app)
- Manage certificate renewals and ongoing compliance
Luxembourg registration = valid across all 27 member states via passporting (Article 5b). One registration, EU-wide validity.
Your Side (The Merchant)
You:
- Call an API with the verification request (e.g., "verify age over 18")
- Receive the verification result (success/failure and disclosed attributes)
- Display the QR code to your user (or trigger the wallet via deep link on mobile)
- Handle the response in your application flow
That's it. No certificates to manage, no protocol implementation, no trust list integration, no compliance reporting.
The User's Experience
When a user scans your verification QR code with their EUDI Wallet app:
- Wallet displays: "eIDAS Pro acting for [Your Business Name]"
- User sees what attributes you're requesting (e.g., "Age over 18")
- User authorizes with biometrics or PIN
- Wallet sends response to eIDAS Pro
- eIDAS Pro forwards result to your system
Transparency maintained. Privacy preserved. Compliance handled.
What Merchants Skip by Using an Aggregator
Let's quantify what you're avoiding:
1. Relying Party Registration
DIY Approach:
- Navigate your national authority's registration portal (varies by country)
- Prepare legal documentation and intended use declarations
- Submit registration application and pay fees
- Wait for approval (timeline unknown)
- Manage updates whenever your use case changes
Aggregator Approach:
- None of the above. We handle registration. You provide us your business details and use case.
Time saved: 2-4 weeks of administrative work, ongoing compliance overhead
2. WRPAC Certificate Procurement
DIY Approach:
- Research and select a Qualified Trust Service Provider
- Complete QTSP identity verification and onboarding
- Purchase WRPAC Access Certificate (pricing not yet public, likely €500-5,000/year)
- Manage certificate lifecycle and renewals
- Handle certificate revocation and replacement if needed
Aggregator Approach:
- We hold the certificates. You pay for verification transactions, not certificates.
Cost saved: Certificate procurement and renewal fees, operational overhead
3. National Trust List Integration
This is where the complexity explodes.
DIY Approach:
- Integrate with 27+ national wallet implementations
- Each member state has its own wallet app (e.g., ID Austria, Smart-ID, BankID)
- Handle multiple credential formats: SD-JWT VC and mdoc (ISO/IEC 18013-5)
- Implement OpenID4VP protocol correctly
- Parse and validate selective disclosure credentials
- Monitor trust lists for issuer certificate updates
- Handle protocol updates and breaking changes
Aggregator Approach:
- We integrate once with all wallets. You integrate once with our API.
Development effort saved: 6-12 months of engineering work, ongoing maintenance
4. Ongoing Compliance Reporting
DIY Approach:
- Report changes to national authority when use case evolves
- Maintain registration accuracy
- Respond to regulatory inquiries or audits
- Stay current with implementing acts and technical standards
- Document compliance for internal and external audits
Aggregator Approach:
- We handle regulatory reporting. You focus on your business.
Operational overhead saved: Dedicated compliance staff or significant management time
The Passporting Advantage: One Registration, 27 Countries
Here's why Luxembourg-based aggregators are particularly attractive:
Under Article 5b of eIDAS 2.0, a Relying Party registration in one member state is valid across all 27 EU member states. This is the passporting principle.
What this means:
- eIDAS Pro registers in Luxembourg = valid for merchants from any EU country
- A German e-commerce shop can use eIDAS Pro without registering in Germany
- An Italian fintech can use eIDAS Pro without registering in Italy
- A Spanish marketplace can use eIDAS Pro without registering in Spain
One aggregator. One API. All of Europe.
This is fundamentally different from patchwork approaches where you'd need separate compliance arrangements per country. Passporting makes the EUDI ecosystem truly pan-European from day one.
Build Now, Ready for Production: The Strategic Timeline
Here's the timeline advantage of using an aggregator:
Today (February 2026) - DEMO Mode
You can integrate right now using DEMO mode:
- Test the full verification flow with auto-completion (3 seconds)
- Build your user interface and application logic
- Train your team on the new workflow
- Zero risk, zero cost during development
Mid-2026 - MOCK Mode Testing
When you're ready for realistic testing, MOCK mode lets you:
- Simulate real wallet interactions without real credentials
- Test success and failure scenarios
- Validate your error handling and edge cases
- Prepare for production with confidence
December 2026 - Production Launch
When EUDI Wallets go live:
- Flip a switch from DEMO/MOCK to production mode
- Start verifying real users with real EUDI Wallets
- Zero scrambling. Zero compliance panic. Zero downtime.
Compare this to the DIY approach:
- Waiting for registration infrastructure (mid-2026)
- Applying for RP registration (timeline unknown)
- Procuring WRPAC certificates (2-4 weeks)
- Building technical integration (6-12 months)
- All while trying to meet the December deadline
The aggregator advantage: Start building today. Be ready for production tomorrow.
Cost Comparison: DIY vs Aggregator
Let's do the math (conceptual—actual WRPAC pricing is not yet public):
DIY WRPAC (Estimated Annual Costs)
- WRPAC Access Certificate: €500-5,000/year (QTSP pricing TBD)
- RP Registration Fees: €100-1,000/year (varies by member state)
- Engineering resources: €100,000+ (6-12 months of development)
- Ongoing maintenance: €30,000-50,000/year (compliance staff, technical updates)
- Opportunity cost: Diverting engineering from your core product
Total Year 1 (estimated): €150,000-200,000+
Aggregator Model (Transaction-Based Pricing)
- No registration fees — We handle it
- No certificate procurement — We hold the WRPAC
- No development overhead — Simple API integration (1-2 days)
- Pay per verification transaction — Scales with usage, no fixed overhead
Total Year 1 (estimated): €1,000-20,000 depending on transaction volume
For most businesses, the aggregator model is 10-20x more cost-effective in Year 1, and continues to save 50-70% annually thereafter.
Data Handling: Stateless Processing and Compliance
A common concern: "If the aggregator handles my verifications, do they have access to my users' personal data?"
Short answer: No.
Aggregators operating under Article 5b(10) must comply with the same data minimization and privacy requirements as any Relying Party. Here's how it works:
How Aggregators Process Data
- User authorizes verification in their wallet app
- Wallet sends disclosed attributes to aggregator (eIDAS Pro)
- Aggregator validates cryptographic signatures and trust chains
- Aggregator forwards result to merchant (your system)
- Aggregator deletes personal data immediately (stateless processing)
eIDAS Pro retains:
- Audit log: verification occurred, timestamp, merchant ID, attribute types requested (not values)
- No storage of: names, birth dates, addresses, ID numbers, or any PII
This is mandatory under Article 5b. Aggregators can't hoard your users' data even if they wanted to—it would violate GDPR and eIDAS requirements.
Two Paths Forward: Aggregator vs DIY WRPAC
So when does it make sense to get your own WRPAC?
Choose an Aggregator If:
- You're a small to medium business without dedicated compliance staff
- Your verification volume is under 1 million transactions/year
- You want to get to market quickly (days, not months)
- You prefer operational simplicity over control
- You're integrating one use case (age, identity, credentials)
Bottom line: For 90% of businesses, this is the right choice.
Get Your Own WRPAC If:
- You're a large enterprise with in-house compliance and legal teams
- Your verification volume is multi-million transactions annually
- You require complete control over the technical stack for regulatory or strategic reasons
- You have complex, custom use cases that require deep integration
- You're willing to invest 6-12 months and €150K+ in Year 1
Bottom line: If you're a fintech, telecom, or major e-commerce platform with dedicated resources, DIY may make sense.
Path 3: Consulting Services
Don't want to choose? There's a middle path:
- Use consulting services (like eIDAS Pro's advisory offerings) to get documentation packages for your national RP registration
- Receive technical guidance on OpenID4VP, SD-JWT VC, mdoc, and trust list integration
- Maintain complete control while benefiting from expert guidance
This path: You register in your own country using provided documentation. You control the WRPAC. You get expert support without the full DIY burden.
Conclusion: The Aggregator Advantage
The aggregator model isn't a compromise. It's a strategic choice based on a simple reality:
Compliance infrastructure is undifferentiated heavy lifting.
Building your own WRPAC compliance system doesn't make your product better. It doesn't differentiate you from competitors. It doesn't delight customers. It's table stakes—necessary, but not strategic.
What is strategic:
- Getting to market fast
- Focusing your engineering resources on your core product
- Scaling verification without scaling compliance overhead
- Avoiding regulatory risk through proven, audited systems
The businesses that will win in the EUDI Wallet era aren't the ones that build the best compliance infrastructure. They're the ones that integrate fastest, iterate quickest, and focus relentlessly on their customers—while letting compliance specialists handle the regulatory complexity.
Article 5b(10) exists for a reason. Use it.
Ready to start building? eIDAS Pro is offering DEMO mode access to early adopters right now. Integrate today in DEMO mode, test in MOCK mode, and flip to production in December 2026—with zero registration burden.
Share this article
Help others learn about eIDAS verification