In this series, we are exploring different countries' relationship to EUDI developments. In this article: Türkiye, a candidate EU-member. Do you have a unique point of view of a country's progress, triumphs, and/or obstacles? Reach out to ana@animo.id to share your insights. Alongside desk research, this article draws on an interview we conducted with an anonymous experienced digital identity practitioner from Türkiye.
Türkiye sits in an unusual position in the European digital-identity debate, as they are not an EU Member State but a candidate country. The European Council granted candidate status in 1999 and accession negotiations opened in 2005. In practice, those negotiations have been at a standstill since 2018, with the European Commission citing continued backsliding in democratic standards, respect for fundamental rights, and the independence of the judiciary. The European Parliament had already urged a temporary freeze in 2016 amid concerns about “disproportionate repressive measures” under the state of emergency in Türkiye.
That political stalemate has not stopped Türkiye from aligning with the EU in certain domains. Through the EU-Türkiye Customs Union, Turkey has harmonised significant parts of the acquis that are directly relevant to industrial goods and technical barriers to trade. In other words: formal alignment with EU rules, like eIDAS 2.0 / the EUDI Wallet, matters in principle, while political and institutional concerns remain a structural constraint in practice.
It is also a country that has already built and scaled a national digital government gateway. Something that seems in adoption and use cases to be very similar to the goals set by the EUDI Wallet ecosystem. Türkiye’s e‑Government Gateway (e‑Devlet) reports 66,753,526 registered users and 4.23 billion accesses in 2024, with 9,170 services available on the platform in December 2025. In the UN E‑Government Development Index (EGDI), which presents the state of E-Government Development of the United Nations Member States, Türkiye ranks 27th globally in 2024 (and was ranked 48th in 2022), reflecting a rapid rise in measured digital government maturity. In 2024, 1,080 institutions offered services via the gateway, including 127 private institutions. The most-used services include social security service records, tax debt inquiry and payment, land registry information inquiry, and Ministry of Justice case file inquiry, which are familiar use cases to anyone working on eIDAS 2.0 digital identity, and which illustrate how closely the platform sits to everyday administrative life. The platform comes with a user facing app in which Turkish citizens can manage their interactions with these services. For many Turkish citizens, actively managing their digital identity through a mobile app, similar to the aim of EUDI, is not an abstract future goal, but the way routine administrative life works.
To reduce friction, e-Devlet supports multiple authentication methods, including logging in via a user’s bank (internet banking authentication), as well as e-signature, mobile signature, and national ID card options.
The breadth of services is what turns identity into everyday infrastructure. Public descriptions of e‑Devlet emphasise a one-stop entry point for administrative life, while connected systems extend into sensitive domains such as health. Türkiye’s national personal health record system (e‑Nabız) explicitly includes diagnoses, tests, prescriptions, and medical images submitted by healthcare providers, and it is presented to citizens through digital channels. This shows the EUDI Wallet ecosystem an important lesson: if a wallet is to become accepted by the general population, it must be reliable, convenient, and integrated into real workflows.
However, although both the widespread integration and adoption of digital identity services seem to match EUDI goals great on paper, Türkiye significantly deviates in the underlying infrastructure design. One centralized access portal might be convenient for user experience, but it poses issues when you dive into the underlying infrastructure. Where does authoritative identity data live, and how are attestations retrieved? Türkiye civil registration infrastructure (MERNIS) is described as a centrally administered registry, and public bodies access identity information via government sharing mechanisms (such as KPS), with defined access protocols and logging. In other words, the default pattern is server‑centric: citizens authenticate to view or transact against records that remain in government-operated systems.
This is precisely where Türkiye diverges from the direction Europe is trying to set with eIDAS 2.0 and the EUDI Wallet. The EUDI Wallet Architecture and Reference Framework describes wallets as user-controlled applications intended to let people receive, store, and present personal identity data and attestations under their sole control. The European Commission frames EU Digital Identity Wallets similarly: enabling people to store and share identity and attribute proofs (e.g., diplomas, licences, bank account attributes) across the EU. The point is not only user experience, it is power distribution. When credentials can be held and presented from a user-controlled environment, verification does not require a transaction-by-transaction lookup into a central identity database.
Still, in an EUDI Wallet ecosystem, issuer and relying party databases do not disappear. The difference is not that data stops existing server-side, but that the system is designed to reduce unnecessary centralised observation and data copying. Credentials can be presented directly from the user’s device, with data minimisation and selective disclosure, so fewer attributes need to be replicated across systems and fewer transactions require a central lookup.
This difference materially changes the risk that comes with a national ID system, especially in a context where the EU itself documents serious rule-of-law and rights concerns. The European Commission’s 2024 Türkiye Report states that the country remains at an early stage on rule of law and fundamental rights, that undue pressure on judges and prosecutors continues to negatively affect judicial independence, and that the High Council of Judges and Prosecutors lacks independence from the executive. The same report notes that Türkiye’s data protection framework (including the 2016 Personal Data Protection Act) is not in line with the EU acquis and that safeguards around law-enforcement processing are not aligned with EU standards. In a centralized identity-and-attestations model, weak oversight and misaligned safeguards translate into systemic risk, because the technical architecture concentrates visibility and control.
The risks of the large-scale effects of central databases are well illustrated by past incidents. A few examples: In 2016, Reuters reported on a leak of personal details associated with roughly 49.6 million Turkish citizens. In June 2023, reports emerged that the personal data of 85 million citizens and residents, which is effectively the entire population, had been stolen. The leaked information included ID numbers, phone numbers, and family details and is being sold on the internet. And there are more examples of (alleged) big data leaks from the e-Devlet ecosystem.
Furthermore, Türkiye’s Cybersecurity Law No. 7545 (in force since March 2025) centralises the government’s control over digital infrastructure. It created a new cybersecurity authority, the Cybersecurity Board (chaired by President Erdoğan), and gives it wide powers to inspect systems and request data from both public bodies and private companies, with heavy penalties for refusing. The law adds safeguards on paper, such as requiring a court order for certain searches, but it also allows “urgent” access to start with a prosecutor’s order, with a judge reviewing it afterwards. Critics argue this still leaves a lot of room for broad access, especially in a context where the EU has long raised concerns about rule of law and judicial independence. Additionally, the Cybersecurity Law No. 7545 has been criticized by press-freedom organisations for criminalising certain forms of reporting about alleged cybersecurity-related data leaks.
This is relevant for digital identity, because in Türkiye, identity data and many records sit on government-controlled systems, so access ultimately depends on institutional checks. The EUDI Wallet model under eIDAS 2.0 aims to reduce that risk through privacy by design, by keeping PID and attestations stored on users’ secure devices and only shared when the user presents them.
What Europe can learn from Türkiye
For the EUDI Wallet community, Türkiye offers two lessons at once. First, adoption accelerates when services are unified and the experience is smooth and predictable. Second, once a server-centric identity infrastructure becomes the default, it is difficult to retrofit user control, minimisation, and unlinkability. Europe’s challenge is therefore to match the usability of highly integrated systems without inheriting their structural risks. That requires privacy by design and by default: enforceable minimisation, strong separation of roles, and verification flows that do not create unnecessary central observation points. Türkiye shows what identity-as-infrastructure can look like at scale. The EUDI Wallet could deliver similar convenience, while keeping control closer to the citizen and governance safeguards strong enough to deserve trust.
What Türkiye can learn from Europe
If Türkiye ever decided to pivot toward eIDAS 2.0–style compliance and a user-controlled wallet model, it could learn a lot from EU countries that already had mature national eID systems but are now adapting them for cross-border interoperability and “privacy by design.” Portugal is a good example of building on what already exists: its Chave Móvel Digital (Digital Mobile Key) is a mobile eID scheme at high assurance under eIDAS, showing how you can modernise access without rebuilding the whole state stack.
Estonia shows how to operationalise a strong eID ecosystem with a shared, central authentication layer (TARA) that supports national eIDs and EU-notified eIDs, which is useful when you need consistent onboarding and interoperability across many services. The Netherlands (DigiD) and Belgium (Belgian eID) demonstrate how to run widely used, eIDAS-notified identity schemes that can be recognised cross-border, while still evolving user experiences over time. Austria is especially relevant for the wallet transition: its ID Austria ecosystem is eIDAS-notified and it already supports loading certain IDs/credentials into a smartphone app (“eAusweise”), illustrating the step from “log in to a central portal” toward “carry and present credentials from your own device.” And Italy’s SPID is a useful governance pattern: multiple identity providers under one framework, which can help avoid locking the entire ecosystem to a single operator while still keeping nationwide reach. Taken together, these countries illustrate a practical path Türkiye could copy: keep authoritative registries for issuance, but move toward citizen-held credentials and interoperable trust frameworks, exactly the direction the EU is driving through the EUDI Wallet implementation work.
