Confidentiality in the Digital Euro: Where are we?

26 May 2026

The draft regulation on digital euro is currently being voted on in the European Parliament, and the Eurosystem is preparing for its issuance by 2029. The CNIL and the German Federal Data Protection Authority (BfDI) discuss the issues at stake and the work being done to protect the privacy of Europeans.

The European data protection authorities have been advising the EU institutions on this topic from the outset and explain why a high level of privacy and data protection is a key condition for the success of the project and its benefits for EU citizens, so that the digital euro as proposed in the draft regulation improves the data protection situation of EU citizens compared to the current landscape dominated by private solutions, most of which are in the hands of non-EU companies.

Towards a Digital Euro

Noting the increasing digitisation of payment transactions and a relative decline in the use of cash in Europe, the European Central Bank (ECB) launched a public consultation in late 2020 on the possible issuance of a digital form of the euro, circulating on a digital infrastructure and made available to European citizens for their everyday payments. The ECB’s aim was not to replace cash, but to complement it with a more inclusive monetary instrument that does not require a bank account, and which benefits the same level of confidence as physical euro coins and banknotes – an asset with no counterparty risk, unlike other means of payment, as it constitutes a claim on the central bank.

As the public responded positively to this consultation, the Eurosystem launched a pilot project for the digital euro in the summer of 2021. It soon became clear, however, that the introduction of the digital euro would require EU-level legislation to define more precisely the key features of this new monetary instrument, the roles of the various stakeholders, and to grant it with legal tender status (it will be generally mandatory to accept it). The European Commission therefore published a draft regulation in the summer of 2023 to provide a legal basis for the issuance of the digital euro. This draft regulation is currently going through the European codecision procedure. The regulation is not expected to be adopted until next year. In parallel, the Eurosystem will launch a so-called ‘pilot’ phase in early 2027, with a view to being ready to issue the digital euro by 2029.

The policy objective of the digital euro is to serve as an equivalent of cash, issued and traded via a sovereign infrastructure. It should be free for citizens to use, with limits on the amounts used so as not to compete excessively with bank deposits, and should, in principle, offer the same level of confidentiality as cash. At this stage of the project, it is expected to be available in two forms : an ‘online’ mode based on a dedicated account, and an ‘offline’ mode based on an electronic wallet (smartphone or card) that does not require network connectivity to function. This second mode is particularly innovative and does not currently exist on the payments market.

A high level of privacy and data protection is a key condition for the success of the project and its benefits for EU citizens.

Monetary Sovereignty, Resilience and Sovereignty of Payments

In the first place, the digital euro aims at strengthening the monetary anchor of the eurozone by offering a dematerialized version of the public currency. Currently, cash is the only access to central bank money, considered a public good. In a rapidly digitizing economy, relying exclusively on physical banknotes to guarantee the public good status of money is questionable. It is worth remembering that bank deposits constitute private money, the value of which depends on the solvency of the financial institution. Private money only has value and stability if it can be converted into public money at any time, which is the objective of financial stability regulations sustaining the banking system's robustness.

On top of serving specific economic objectives such as financial inclusion and, for the offline modality, operational resilience in the absence of network connectivity, the digital euro is indeed a tool with a political purpose. One of its merits is to preserve European sovereignty in the area of payments. In fact, the European payment landscape is dominated by two foreign companies handling 61% of bank card payments in the Eurozone in 2022. The digital euro would be the first fully European payment architecture in this landscape, providing for a free, public tender monetary instrument. In this context, it makes total sense to align the digital euro design with the European values and a strong level of privacy and data protection.

The digital euro also seems justified by the increasing role of stablecoins in other jurisdictions. A majority of these stablecoins are currently issued in US dollars by non-European companies and could therefore weaken the international status of the euro in the digital world. Their market capitalization remains low today, but they could represent a competitor to traditional currency in the future and pose a risk to the effectiveness of monetary policy. Indeed, the ECB's main tool for controlling the money supply, and therefore inflation, is interest rates, but their transmission effect could be diminished if the adoption of stablecoins reduces the share of the money supply influenced by these interest rates and other monetary policy channels.

A strong political Request for Confidentiality

Following the initial guidance from the CNIL in 2022, and the joint opinion from the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) on the draft regulation in 2023, the European data protection authorities are entrusted to assess the technical and legal developments of the project with an objective of “privacy by design”.

As a reminder, the digital euro is intended to complement cash and not to replace it, aiming to be the digital monetary instrument that most closely replicates the characteristics of cash. For European citizens, the protection of personal data is a key factor as compared to digital payment means that already offer instant transactions. On top of the initial consultation of the European Central Bank (ECB), where privacy was considered as the most important feature, various opinion polls since then demonstrate Europeans' attachment to cash and the importance of confidentiality in payments.

In 2024, 62% of Europeans considered it important to be able to pay in cash, and 60% were concerned about protecting their privacy when using digital payments.

Source: SPACE study by the ECB

In 2025, 81% of adults surveyed expressed concern about privacy breaches or the misuse of personal data.

Source: 2025 study by the European Consumer Organisation (BEUC)

In this context, the creation of the digital euro, on top of its political dimension, raises technical questions intertwined with economic issues, data protection concerns and also security and sovereignty questions.

Some actors question the value added of the digital euro in regards to its development costs, especially in the context of a competitive and innovative private payment landscape, which already offers instant transactions. As cash transactions decline, some digital players leverage their market position to increase network fees and are able to massively exploit user data for commercial purposes. Against this background, the main interest of the digital euro project is to represent an alternative offer, respecting European values and based on a high level of data confidentiality.

In this perspective, the data protection authorities argue that the acceptability of the digital euro as a form of digital cash for citizens and the industry alike, would rely on its confidentiality: a key condition for the success of the project.

The technical Architecture of the Digital Euro and its Confidentiality Mechanisms

The proposed architecture of the digital euro is now more clearly defined. It favours, for its “online” mode, an account-based approach, similar to the electronic money model where a central authority oversees balances and fund transfers. Unlike token systems, where value resides in a digital object exchangeable peer-to-peer, this design records each transaction in a centralized electronic ledger managed by central banks and transparent to intermediaries. This is why, in order to improve the confidentiality profile of the account-based online mode, the EDPB recommended the adoption of a “privacy threshold” for low-value transactions, under which no monitoring of transactions by intermediaries should take place. Privacy-enhancing technologies and additional safeguards could play a role in that regard.

An “offline” mode, favoured by many stakeholders, will complement the online mode to guarantee a high level of confidentiality for these transactions. The EDPB had recommended a token-based system for both modes. It argued that only the token technology could structurally prevent the creation of payment histories, thus ensuring full confidentiality. Data protection authorities thus strongly support the proposed offline mode. An expert report published on the EDPB website in October 2025 explores, how this token-based solution can offer protection equivalent to cash, guaranteeing anonymity while mitigating the risk of double spending. This approach represents the most rigorous way to comply with the principle of privacy by design. The offline mode would be available for proximity payments below a certain cap, yet to be determined, with funds held "on their own" on a card or smartphone - and therefore unrecoverable in case of loss.

Data protection authorities strongly support the proposed offline mode, guaranteeing anonymity while mitigating the risk of double spending.

Moreover, the digital euro is defined as a non-programmable currency (unlike the digital yuan, for example), a fundamental characteristic aimed at preserving its status as legal tender and its monetary equivalence with banknotes. Non-programmability means that units of the digital euro cannot be subject to restrictions limiting their use to specific goods or services.

A Confidentiality Safeguard conferred by Data Pseudonymisation

The digital euro will be based on a partnership between the Eurosystem and payment service providers (PSPs). These PSPs include credit institutions (commercial banks), payment institutions, and electronic money institutions (neobanks, etc.). The Eurosystem launched a call for applications for PSPs in March 2026 to begin a one-year pilot phase in January 2027 and test the technical aspects of a beta version of the architecture.

PSPs will act as the sole managers of the customer relationship: they hold the users' real identities, run the Know-Your-Customer (KYC) procedures and manage accounts, allowing them to look into the identity of the transactors. Processors and controllers receive access on a strict need-to-know-basis: this was one of the key recommendations of the joint EDPB-EDPS opinion as regards the “single access point”. On the other hand, the ECB and national central banks manage the settlement infrastructure but will not be able to directly identify the transactors. In practice, when a user initiates a payment, the PSP knows their real identity. Before transmitting the payment order to the central infrastructure, this information is replaced by a technical identifier - also known as a pseudonym. The central bank then executes the transaction without knowing the users’ identity.

The joint opinion welcomes this pseudonymisation and calls on to make it a legal requirement, but questions remain open. The single access point would act as a communication hub to facilitate PSPs' access to the settlement system. While this facilitates interoperability, data matching enabling reidentification is theoretically possible. Therefore, this single access point could be subject to cyberattacks if state-of-the-art security and privacy-preserving measures are not implemented. From a legal perspective, this configuration imposes a "joint controllership" between the ECB and national central banks for the management of the common infrastructure, while the PSPs assume responsibility for the processing of their customers' personal data. Such clarifications, implying the competence of national data protection authorities on the subject matter, were supported by the joint opinion, which recommended technically robust pseudonymisation techniques.

Security and associated Risks of the Digital Euro

Security of the involved systems is one of the highest priorities of the project. In the proposed architecture, data is pseudonymised and segregated among central banks and financial actors. As mentioned above, only PSPs are able to identify their own customers, while the rest of the processes use pseudonyms, to mitigate the risk of data misuse.

These pseudonyms can come in the form of static identifiers. That means, that each user is assigned a unique, fixed internal ID. Without additional knowledge it shall be impossible to de-pseudonymise a user with just this identifier. However, the fact that these identifiers are planned to be static does not exclude the risk of being retroactively de-pseudonymised for example through reconciliation with other external data. This is why, data protection authorities suggest the use of dynamic identifiers (updated at regular intervals) in the digital euro design to eliminate this risk.

Another risk in the context of the digital euro comes to the monetary system itself, namely in the form of double spending. Double spending means spending a unit of digital currency more than once. The digital euro must have resilience against this and other kinds of illegal duplication of monetary values. This relates especially to the offline modality, because the online modality has a significantly lower risk to double spending due to its central settlement system. In the report on the Token-Based Offline-Modality by Tibor Jager, safeguards against doubles-spending were discussed in detail. The report comes to the conclusion, that an offline-modality that is both resistant to double spending and privacy-friendly seems feasible.

Data protection authorities suggest the use of dynamic identifiers (updated at regular intervals) in the digital euro design.

The Case for Payment Limits in the Interest of Users

The limits and caps to choose are also a point of design where confidentiality plays a role. In the draft regulation, holding limits will be defined (see Article 16), in order to protect financial stability, because of the possible transfer of bank deposits to the digital euro accounts. Moreover, a cap for offline transactions and holdings will also be adopted, with consultation of the EDPB (see Article 37).

A holding limit between €500 and €3,000 is currently being discussed. Recent analyses by the ECB show that a limit of €3,000 ensures a very limited impact on liquidity and bank profitability, with outflows in extreme situations of loss of confidence representing 8.2% of total demand deposits and 1.2% under normal circumstances. Against this background, in order to make the digital euro attractive for the consumer, limits shall not be tailored too low: this is one of the conditions of success for the project.

As regards the offline sublimit, the design of digital euro shall ensure that the maximum amount usable offline and that the privacy threshold for the online mode are sufficient to cover daily individual transactions. They could be defined with a reference of the face value of banknotes. Indeed, it is important that the user can rely on this substitute of cash with a very high level of confidentiality. With such an approach, it would make sense that the privacy threshold online proposed above follows the same sublimits.

In order to set these limits, it is worth remembering that cash payments are limited to €1,000 in France for example. If the digital euro is indeed intended to be a digital equivalent of cash, the ability of citizens to pay easily and anonymously at comparable levels would be key.