How eIDAS 2.0 Will Reshape Identity Verification Across the EU
- 01 How eIDAS 2.0 Will Reshape Identity Verification Across the EU
- 02 What is eIDAS 2.0 Regulation?
- 03 eIDAS Journey from a proposal to implementation
- 04 How eIDAS 2.0 enables EU-wide identity verification
- 05 How eIDAS 2.0 differs from eIDAS 1.0
- 06 How do firms benefit from the eIDAS 2.0 Regulation?
- 07 How to prepare your business for the eIDAS ecosystem?
- 08 How Shufti helps businesses in a shifting IDV environment
How eIDAS 2.0 Will Reshape Identity Verification Across the EU
The countdown has already started. eIDAS 2.0 entered into force on 20 May 2024, and the core Wallet implementing regulations took effect in December 2024. By December 2027, many private services that already use strong user authentication, and all very large online platforms, must accept Wallet logins at the user’s request. For compliance, product, and risk teams, this is not optional change management. It’s a new operating baseline for onboarding, authentication, and e-signatures across borders.
What is eIDAS 2.0 Regulation?
eIDAS is short for electronic Identification, Authentication, and Trust Services. The eIDAS 2.0 Regulation was introduced to address interoperability issues linked to eIDs issued under the earlier eIDAS Regulation. This new regulation seeks to harmonize the technical standards applicable in the issuance, use, and authentication of eIDs and innovative trust services.
The updated eIDAS Regulation sets the framework for digital interactions between users and businesses to ensure that these business transactions remain safer, faster, and convenient not only within the domestic borders but also across other EU member states.
The eIDAS regulation sets rules for two pillars. First is electronic identification (eID), which is how users prove who they are online. And, second is trust services that include e-signatures, electronic seals, electronic time stamps, electronic registered delivery services, and qualified website authentication certificates.
It is the regulation that promotes interoperability of eIDs and trust services in the European Union. This means notified eIDs issued in one EU country will be valid in all 27 EU states. Similarly, the regulation ensures that trust services offered under this framework have legal weight in the courts across the EU.
eIDAS Journey from a proposal to implementation
eIDAS regulations that were proposed in 2012 have gone through several updates and transformations. This is a result of a continuous process of discussions, reviews, and piloting, which aims to achieve the goals of the EU’s policy “Path to Digital Decade” and declaration on “Digital Rights & Principles”. Path to digital decade targets that 80% of the EU citizens use a Digital ID by 2030, and 100% of the citizens have access to it. Here are some notable moments in eIDAS regulations:
These milestones have made “eIDAS regulation” a global leader, influencing digital trust discussions far beyond European borders.
How eIDAS 2.0 enables EU-wide identity verification
Before eIDAS, trust services and eIDs were fragmented across the EU, resulting in slowing down and hindering the cross-border provision of services. Because of the lack of unified standards for electronic identification, it was hard to reuse outside a home country. A common framework was needed to harmonize the issuance, use, and acceptance of identification and trust services across the digital borders of the EU. Realizing its necessity and utility, the EU Commission proposed a legal framework in 2012 that later became the eIDAS Regulation in 2016.
How eIDAS 2.0 differs from eIDAS 1.0
eIDAS 2.0 brings some major changes that matter to compliance and product teams.
Mandatory EU Digital Identity (EUDI) Wallets: Every Member State must provide at least one certified wallet by the end of 2026. Member States must disclose the Wallet app’s user-facing software components under an open-source licence, with limited exceptions for public security. Issuance and use of EU Digital Identity Wallets must be free for natural persons.
Enhanced User Control: The eIDAS 2.0 allows users to control their data by choosing between attributes that can be disclosed to requesting parties (for example, verifying above 18 without disclosing date of birth and other identity details). Wallet providers are restricted from combining wallet data with other services unless the user asks.
New and Expanded Trust Services: The list now includes electronic attestations of attributes. It adds qualified electronic archiving and recognises electronic ledgers. It clarifies the qualified trust service for managing remote qualified signature or seal creation devices. These expand lawful digital interactions beyond signatures alone.
Mandatory Acceptance of EUDI Wallet for Public & Private Services: Public services must accept notified eIDs and the EUDI Wallet. In the private sector, all but micro/small enterprises that already use strong user authentication, including banking, energy, health, education, and telecoms, must also accept the Wallet upon a user’s request within 36 months of the Wallet implementing acts (i.e., by December 2027). Very large online platforms must support Wallet login on the same basis.
New obligations for relying parties: If your service already uses strong customer authentication, you should plan to register as a wallet relying party. You will need to identify your legal entity, intended data use, and technical contact details. You must also support pseudonyms of wallet users where identification is not legally required.
Security and Supervision: The update aligns with wider EU cyber rules and adds specific breach handling for wallets. It tightens certification and supervision of trust service providers. Wallet software and ecosystems must meet technical standards defined through implementing acts and certification schemes.
How do firms benefit from the eIDAS 2.0 Regulation?
The financial sector, healthcare, professional services, and e-commerce all rely on trustworthy digital identity more than ever before. People in compliance, technical, or business roles know that regulations can make or break operational efficiency. So, how does eIDAS actually affect businesses?
Cross-border onboarding becomes simpler
Firms can now authenticate customers with notified eIDs and wallet credentials. That supports faster due diligence while reducing manual review of identity documents. This means a financial services provider in Germany can remotely onboard a potential customer from the Netherlands without any friction.
Qualified e-signatures carry full legal weight
A qualified electronic signature has the same legal effect as a handwritten signature across the EU. That gives legal certainty for remote agreements.
Data minimisation by design
Wallets let users present only the attributes required. For example, wallet holders can choose to disclose selective attributes like age over 18, residency, or a professional licence. For firms, this reduces data collection and lowers breach exposure. However, this depends on the technology used by a firm’s IDV suite, if it supports selective disclosures.
How to prepare your business for the eIDAS ecosystem?
Organizations that stay ahead of eIDAS regulation are better placed to adapt to digital trends and deliver seamless, secure, and compliant services across finance, health, government, and beyond. Here are some of the following paragraphs, we’ll enlist some practical steps to ensure your organization stays ready to embrace the impact of eIDAS regulations.
While small firms have the option whether to opt for EUDI wallets or not, larger firms are obliged to accept them if their customer requests them. If a firm decides to rely on any user credentials under the eIDAS ecosystem, it’s called a “relying party,” and it must complete the relying party registration process.
In order to complete registration as a relying party, firms will need to provide details like legal entity type, Tax ID, VAT, or company registration numbers, including why and what customer attributes (age, name, address, etc) they plan to access/collect. For this, firms will need to map every authentication and onboarding flow where strong authentication is required by law or contract.
The next step is planning for electronic attestations of attributes. Decide which attributes you will accept and how you will verify them. For example, if you’re an e-commerce business selling goods restricted by age, in this case, the attribute you need to attest is age. Review your signature strategy and how you would accept qualified signatures for contracts that need high legal assurance.
The next step is to align IDV vendor and integration requirements to operationalize acceptance of wallet and trust services. EUDI Wallet Architecture and Reference Framework states that relying parties need to maintain an interface with the EUDI Wallet to request attestations (such as age, address, name, etc to establish the identity of a person, with mutual authentication. The framework clearly mentions that every such instance/request must be authenticated by the relying party. This will further require having an interface for the required authentication methods.
If you’re a relying party who needs to verify the identity of a customer, you need to review certain things beforehand:
- What are your current identity verification requirements/obligations, which depend on:
- Business needs and legal obligations
- geographic footprint of your current/potential client base
- needs/preferences of your clients to use different verification methods
- Is your current IDV suite adaptable enough to cater to diverse verification methods like biometrics, document verification, NFC reads, and Wallet APIs?
- KYC & AML controls should work concurrently. A comprehensive IDV solution can cleanly connect wallet-based onboarding to sanctions, PEP, and adverse media screening and ongoing monitoring.
eIDAS 2.0 moves digital identity from domestically bound eIDs to a harmonised European framework. Compliance and product teams that prepare now will deliver faster onboarding, lower fraud risk, and stronger legal assurance across the EU.
How Shufti helps businesses in a shifting IDV environment
Prepare your onboarding for eIDAS 2.0, without the rebuild.
Shufti helps compliance and product teams operationalise Wallet-ready identity flows with powerful authentication via liveness detection. Solution also offers comprehensive AML screening (PEP, sanctions, adverse media) to streamline compliance workflows in a single interface.
If your business falls in the eIDAS ecosystem, map user journeys, register as a relying party, and connect selective-disclosure attributes to your existing Know Your Customer and ongoing monitoring, so you minimize data, reduce fraud risk, and meet deadlines ahead of 2026/2027.
Talk to Shufti’s EU compliance specialists to see a Wallet-ready demo.
Learn more about Shufti’s digital identity solutions and how we’re helping businesses prepare for the future of trust and compliance.
