Cash-like privacy for the digital euro has emerged as one of the project’s most acute political dilemmas, balancing citizen privacy against regulatory oversight and financial stability. The issue has moved to the forefront following technical preparation completed in October 2025 and an EU Council endorsement of an online/offline architecture in December 2025.
The debate matters for product design, compliance, and bank funding models because the degree of anonymity will shape AML/CFT controls, holding limits, and the role of intermediaries. How policymakers resolve anonymity will directly determine the operating model that banks, payment providers, and users must adopt.
Online/offline blueprint and data minimization
The current blueprint separates an offline mode designed to mimic cash for low-value peer-to-peer payments from an online mode that preserves supervisory access. In the offline configuration, transaction details are intended to remain on the payer’s and payee’s certified devices, with intermediaries recording only top-ups and defunding events. The core design objective is to minimize data collection in a way that approximates the privacy characteristics of physical cash.
Cash-like privacy for the digital euro has become a political flashpoint precisely because it exposes the core contradiction of many CBDC proposals: promising “cash-like” freedom while engineering a system built for oversight. From the outset, the design tension signals that a CBDC can drift from public benefit toward institutional control.
The issue intensified after technical preparation completed in October 2025 and an EU Council endorsement of an online/offline architecture in December 2025, but those milestones do not resolve the underlying legitimacy problem. Progress on timelines does not reduce the reality that privacy is being negotiated down to fit compliance and stability priorities.
A “cash-like” promise that is structurally constrained
The blueprint separates an offline mode intended to mimic cash for low-value peer-to-peer payments from an online mode that preserves supervisory access. In the offline configuration, transaction details are intended to remain on certified devices, with intermediaries recording only top-ups and defunding events as the system pursues data minimization. Even in its most privacy-oriented mode, the model still depends on controlled devices and monitored entry and exit points.
That architecture carries operational and security caveats that undermine the reassurance of “cash-like” behavior. Regulators and privacy experts have acknowledged the difficulty of enforcing true physical proximity in a digital environment, and relay attacks could weaken proximity guarantees. A privacy claim that relies on proximity controls the system struggles to guarantee is not a durable foundation for public trust.
For online payments, the Eurosystem would receive only pseudonymized data, while banks and payment service providers would access information required to meet EU anti-money-laundering and counter-terrorism financing rules. In practice, the online mode embeds traceability expectations into everyday payments, reframing “privacy” as a managed and conditional privilege.
ECB Executive Board member Piero Cipollone said in November 2025 that the digital euro “will never be programmable money,” positioned as a safeguard for user freedom. But even with that boundary, the project still foregrounds oversight through design choices like monitoring points and differentiated data access. Non-programmability may limit one category of control, yet it does not remove the broader governance and visibility architecture.
Compliance-first incentives and the erosion of cash anonymity
The debate is fundamentally political: privacy advocates press for untraceable transactions, while policymakers prioritize system integrity and crime prevention, with one observer calling this among the hardest tradeoffs. When the central argument becomes how much anonymity regulators will tolerate, the direction of travel is away from cash-like privacy, not toward it.
Stakeholder positions reinforce that negative trajectory. Privacy advocates warn against surveillance risks and call for wider debate, regulators emphasize AML/CFT and stability, and commercial banks worry about deposit outflows and lending capacity, pushing for holding limits and constraints. A CBDC shaped by surveillance concerns on one side and balance-sheet defensiveness on the other is unlikely to deliver a user-centric outcome.
Concrete tools under consideration include holding limits, AML checks tied to wallet top-ups, and differentiated treatment between offline and online flows. Each introduces visibility into parts of the payment lifecycle and reduces full cash anonymity. The emerging toolkit operationalizes compromise by building monitoring and restriction into the payment rails.
Traceability rules must be precise, controls must be auditable, and offline modes must be hardened against proximity and relay-style attacks. This is a high-governance, high-assurance build that risks prioritizing control frameworks over a frictionless user experience.
Market participants are watching a programme positioned toward a possible 2029 launch, following milestones in October and December 2025. Yet the central risk remains that the project’s compromises will satisfy neither privacy expectations nor stability concerns once deployed at scale. A 2029 launch would not be a finish line so much as the moment the CBDC’s legitimacy and risk tradeoffs become unavoidable.