This article further develops the concept of algorithmic vulnerability. The analysis is built on empirical evidence from the Chinese Health Code System (HCS), compared to similar plans for the “COVID-19 Certificate” in the European Union (EU). Implementing the HCS has shown two-sided regulatory implications: improving social protection (a national strategy, a common mutual-recognition standard, scaled-up public–private cooperation) and increasing risks of social exclusion (non-digital and digital forms of vulnerability). This article argues that, in the context of COVID-19 vaccination, algorithmic vulnerability is caused by mismatches between biased databases, unfairly pre-designed algorithms and risk groups that change dynamically in reality. It contributes a framework for deploying plans for digital certificates in the EU with a view to minimising the social risks associated with algorithmic vulnerability. The framework consists of (1) the reinforcement of existing vulnerability inherited from non-digital society (eg caused by intersectional factors of race/ethnicity, gender, age and health) and (2) the introduction of new forms of vulnerability generated by algorithm design and implementation (eg excluding the risk groups of individuals who are un/mis/overrepresented in the databases, such as those defined by nationality plus COVID-19 status).