NoorSada
Photo: EmDee / Wikimedia Commons (CC BY-SA 4.0)

The Identity Paradox: How Europe's Online ID Mandate Became a Fraudster's Business Plan

Brussels wanted to make the internet safer with mandatory ID verification. The early evidence suggests it has done the opposite.

Sophie Marchand
· 3 min read

The most uncomfortable headline of the week did not come from the Berlaymont. It came from a Dutch newspaper reporting, via Telegraaf, that online ID scans are now driving a sharp rise in fraud cases.

For those of us who watched the eIDAS 2.0 framework and the broader EU digital identity architecture move through co-decision, this is not a surprise. It is a prophecy fulfilled on schedule.

Let me explain what happened, because the policy chain matters.

Over the past three years, Brussels stitched together a quietly enormous regime. The Digital Services Act demanded age verification for sensitive content. The AI Act required identity assurance for certain high-risk deployments. National implementations of anti-money-laundering rules pushed platforms toward document scans for ever smaller transactions.

Each measure, in isolation, was defensible. Together, they created something no impact assessment captured: a continent in which the average citizen now uploads a photograph of their passport or national ID card to a private company several times a month.

Which is, of course, exactly the dataset a competent fraudster would design if given a blank cheque.

"We legislated the haystack into existence and are now astonished that needles are being stolen from it."

The Dutch reporting is the canary. The Netherlands has one of the most digitally literate populations in the Union and one of the better-resourced fraud authorities. If the signal is visible there first, it is because the instruments are sharper, not because the problem is smaller elsewhere.

The mechanics are depressingly simple. A consumer scans their ID to verify age on a gambling site, to open a neobank account, to rent a scooter, to access an adult platform, to sign up for a crypto exchange operating under MiCA. The scan travels through verification vendors, sub-processors, and cloud storage in jurisdictions the consumer cannot name.

One breach, anywhere in that chain, and the document is for sale. Unlike a password, you cannot rotate your face.

Now, who benefits?

The verification industry itself, first. A small constellation of identity-tech vendors — most headquartered in London, Amsterdam, and Tallinn — has become indispensable infrastructure. Industry estimates suggest the European KYC and identity verification market has roughly doubled in the past four years. Every new directive is a revenue line.

Large platforms benefit too, though they will not say so. Mandatory ID verification is a compliance moat. A start-up cannot afford the vendor stack that Meta or Booking.com integrates as a rounding error. Regulation written in the name of consumer protection has, once again, raised the drawbridge around the incumbents.

And the fraudsters benefit most of all. They did not need to build the database. We built it for them, then mandated that citizens keep filling it.

The losers are the obvious ones: the citizen whose stolen ID is used to open accounts they will spend two years disputing, and the smaller merchants who absorb the chargebacks while the verification vendor invoices upward.

There is a second-order consequence Brussels has not yet absorbed. The European Digital Identity Wallet — the EUDI Wallet — was designed precisely to solve this problem. Selective disclosure, zero-knowledge proofs, citizen-held credentials. In theory, you prove you are over eighteen without surrendering your birth date, address, and document number.

In practice, the wallet's rollout has lagged the verification mandates by years. Member states are at radically different stages. Private platforms, facing immediate DSA and AML deadlines, did not wait. They built the document-scan economy because the wallet was not ready.

This is the recurring pathology of EU digital policy: the obligation arrives on time, the infrastructure that would make the obligation safe does not.

What happens now depends on whether the Commission treats the Dutch numbers as an aberration or a warning. The honest read is that every Member State will produce similar figures within twelve to eighteen months, because the underlying architecture is identical.

A serious response would mean three things. Pausing new ID-scan mandates until the EUDI Wallet reaches functional parity across Member States. Imposing strict data-minimisation audits on verification vendors, with real fines, not the PostNL kind that get called "disproportionate." And acknowledging, in writing, that document-image storage is now a category of critical infrastructure.

None of this is in the current work programme.

So the question I would put to the relevant Commissioner, were the microphone open: how many breaches will it take before Brussels admits that the cure, deployed in the wrong order, has become a vector?