The App Store Is Not the Argument

A Threads post went quietly viral this week. It claimed that the EU’s new digital identity wallet, despite being promoted as fully independent, still requires users to have an Apple or Google account on their phone. The implication: the EU’s ambition to build sovereign digital infrastructure is undermined before it starts.

It is a good-looking critique. It does not hold up.

The delivery problem

The EU Digital Identity Wallet is a smartphone app. Like every smartphone app, it arrives on your device through an app store: the App Store on iOS, Google Play on Android. Both require an account. That account belongs to Apple or Google, not to the EU.

So the observation is factually correct. But the conclusion drawn from it is circular.

To criticise the wallet for this, you first have to argue that people should be able to use their smartphones without an Apple or Google account. That is a legitimate debate. It touches platform monopoly, the Digital Markets Act, the degree to which mobile operating systems function as gatekeepers. But it is a debate about the phone, not about the wallet. The wallet inherits whatever dependency the device already carries. It did not create it.

The analogy is awkward but exact: complaining that a Dutch government website requires internet access.

Citizens, not consumers

There is a more fundamental confusion in the critique, and it goes beyond circular reasoning.

The App Store and Google Play are commercial environments. They exist to distribute software to consumers and businesses. The EUDI Wallet is civic infrastructure. It is the digital equivalent of a passport or a national ID card. The state issuing you a passport is not making a statement about the postal service, even if the envelope arrived by post.

The wallet’s sovereignty claim is about the credential, not the device. The EU is asserting that a citizen’s identity, qualifications, health data, and legal documents should be portable, state-backed, and not dependent on any commercial party for their validity. That is a claim about the relationship between citizen and state. Apple and Google are simply not the relevant actors in that frame.

This is a classical European institutional move: carve out a domain where citizens interact with public institutions and insist it operates under public law, not commercial logic. That the app happens to be distributed through the App Store is about as relevant as the fact that tax forms used to be printed by private printing companies. The printer is not the point.

What is actually at stake

There is a real sovereignty question buried here, and it deserves more than a Threads post. Some national implementations of the EUDI Wallet, notably Italy and France, have built in a dependency on Google’s Play Integrity API. This means the app contacts Google at runtime to verify its own integrity before it will function. That is a structural dependency on US infrastructure baked into the security model of a European identity system, and critics inside the project’s own GitHub repository have called it out forcefully.

That critique lands. It is the difference between platform dependency as supply chain risk and platform dependency as deliberate architectural choice. One is the condition of operating in the current mobile ecosystem. The other is a decision that could have been made differently.

The app store requirement is unavoidable given the devices most citizens actually use. The Play Integrity integration is not. One is a precondition; the other is a choice. Conflating them obscures both.

The framing problem

European digital policy initiatives attract a particular kind of criticism that holds them to a standard no single instrument could possibly meet. The wallet is not designed to solve Apple and Google’s grip on mobile distribution. It is designed to give citizens a portable, privacy-preserving credential layer that works across all 27 member states without requiring each service to build its own identity system.

The sovereignty question in Europe is real and unresolved. The EuroStack ambition, the push for European cloud alternatives, the tension between regulation and building capacity: these are the coordinates of a genuine structural challenge. A critique that reduces it to “you still need an Apple account” does not advance that conversation. It performs scepticism without earning it.

The wallet lands on your phone through Apple or Google because that is where your phone lives. What it does after that, and who controls the trust chain inside it, is the question worth asking.

A note on Play Integrity

Some readers may wonder why this concern applies primarily to Android. The answer lies in the structure of the ecosystem itself.

Apple's iOS platform is already vertically integrated. Apple controls the hardware, operating system, app distribution, and security model. An identity wallet running on iPhone inevitably operates within that framework.

Android is different. A wallet can be distributed through Google Play, Samsung Galaxy Store, enterprise channels, alternative app stores, or direct installation. Google's Play Integrity API effectively introduces Google as a trust anchor inside that more diverse ecosystem by allowing apps to ask Google whether a device and app installation should be considered trustworthy.

The controversy is therefore not that Google provides a security service. It is that a European public identity system may come to depend on Google's judgement about what constitutes a legitimate Android device. For critics concerned with digital sovereignty, that is a different question from simply downloading an app through Google Play.