Fake EUDI Wallet (eIDAS 2) onboarding incomplete-enrollment lure — "EUDI Wallet enrollment incomplete — verify with your BankID / itsme / SPID / CIE / MitID national eID within 48 hours" harvesting member-state IDP credentials and qualified electronic signature material from EU citizens enrolling in the European Digital Identity Wallet pilot. Real EUDI Wallet enrollment goes through the member-state IDP UI (bankid.se, itsme.be, spid.gov.it, cie.gov.it, mitid.dk) and ec.europa.eu, never via inbound email link demanding a fresh national-eID handshake. Compromised national-eID credentials enable government-portal impersonation, qualified-signature forgery, and bank-account takeover. Source: GC1 R7 multiagent council (S3 EU-reg specialist).

Fake EUDI Wallet (eIDAS 2.0 European Digital Identity) onboarding incomplete-enrollment lure targeting EU citizens enrolling in the European Digital Identity Wallet pilot. The phish narrative arrives as: "Your EUDI Wallet enrollment is incomplete — verify with your BankID / itsme / SPID / CIE / MitID national eID within 48 hours to activate your qualified electronic signature," or "eIDAS 2 onboarding requires you to verify your national eID — action required to enroll and activate." The EUDI Wallet pilots ran across EU member states through 2025-2026 with member-state IDP integrations (Sweden BankID, Belgium itsme, Italy SPID and CIE, Denmark MitID, Norway BankID, Poland gov.pl, etc.); citizens have been primed to expect "your national eID can now be linked to your EUDI Wallet" reminders, which gives the lure cover. Lookalike portals harvest the corresponding member-state IDP credentials (the most valuable identity material in Europe — gateways into bank account access, government portals, qualified electronic signature, healthcare records, tax filings) plus QSealC and QWAC handshake material. Real EUDI Wallet enrollment is delivered through ec.europa.eu and the member-state IDP UI directly (bankid.se, itsme.be, spid.gov.it, cie.gov.it, mitid.dk); the Commission and IDPs never demand a national-eID handshake via inbound email link, never set 48-hour deadlines, and provide regular formal correspondence channels for late-enrollment reminders. Compromised national-eID credentials enable government-portal impersonation, qualified-signature forgery on legal documents, full bank-account takeover, healthcare-record exfiltration, and downstream synthetic-identity creation. Distinct from generic credential-harvest phish — this signal is specifically the eIDAS 2 / EUDI / national-eID regulatory framing with member-state IDP allowlist. Fires when body references EUDI Wallet / European Digital Identity / eIDAS 2 / qualified electronic / QSealC / QWAC / national eID AND contains enroll / onboard / verify / activate / enrollment-incomplete / action-required urgency. Excludes ec.europa.eu, digital-strategy.ec.europa.eu, bankid.se, bankid.no, mitid.dk, itsme.be, spid.gov.it, cie.gov.it, gov.pl, and the broader .europa.eu / .gov umbrellas. Auto-classified as danger via the `-lure` suffix. Source: GC1 R7 multi-agent council (S3 EU-reg specialist).