eIDAS 2.0 Explained: What the EU Digital Identity Wallet Means for Compliance Teams

Key Takeaways

• eIDAS 2.0, formally Regulation (EU) 2024/1183, entered into force on May 20, 2024. All 27 EU Member States must provide citizens with a certified EUDI Wallet by late 2026, with private sector acceptance obligations following in late 2027.
• The regulation introduces the European Digital Identity Wallet, enabling EU citizens and businesses to store and share verified credentials across borders without repeated identity checks.
• Organizations in regulated sectors including banking, healthcare, telecommunications, and digital commerce need to assess their readiness now, not after the deadline.
• Selective disclosure is a core principle: users share only the attributes a transaction requires, reducing data exposure for both individuals and organizations.
• Identity verification providers operating in Europe need to align with eIDAS 2.0 standards, including ETSI TS 119 461, to remain competitive and compliant in the European market.

There’s a new regulation in town. The eIDAS 2.0 will officially come into effect in 2027, and businesses operating in the regulated sectors must get themselves ready now. Without it, they stand to lose not only their compliance, but also their competitive edge.

What is eIDAS 2.0?

eIDAS stands for electronic Identification, Authentication, and Trust Services. A mouthful, we know. The original eIDAS regulation, established in 2014, created a framework for electronic transactions across the European Single Market. It was a significant step, but it had clear limitations: digital identification systems offered by EU governments before Regulation (EU) 2024/1183 were not available to the whole population, were often limited to online public services, and did not allow for seamless access across borders.

eIDAS 2.0 is the update that addresses those gaps. Adopted on March 26, 2024, published in the EU Official Journal on April 30, 2024, and entering into force on May 20, 2024, it amends and expands the 2014 eIDAS regulation without fully repealing it.

The headline innovation is the EU Digital Identity Wallet. Every EU Member State must make available to its citizens, residents, and businesses at least one digital identity wallet by the end of December 2026. In practice, the EUDI Wallet is a mobile application enabling users to store and present certified digital credentials including identity documents, diplomas, professional qualifications, driving licenses, and health data, all under the user’s exclusive control, who decides precisely which information to share and with whom.

For organizations providing identity verification and trust services, eIDAS 2.0 is not a distant regulatory concern. It establishes technical standards, security requirements, and audit frameworks that will define the next decade of digital trust infrastructure across Europe and beyond.

Who Does eIDAS 2.0 Apply To?

eIDAS 2.0 creates different obligations for different types of organizations, and the scope is broader than many compliance teams initially assume.

The obligation to accept EUDI Wallets applies to regulated sectors including banking, healthcare, telecommunications, energy, transport, and education, as well as very large online platforms with over 45 million EU users.

More specifically:

• Financial institutions must accept EUDI Wallets as a method of strong customer authentication for KYC and AML processes
• Telecommunications companies and Very Large Online Platforms must accept wallet credentials for customer verification and service provisioning
• Healthcare organizations handling patient data across borders require eIDAS-compliant processes for cross-border records and directives
• Qualified Trust Service Providers issuing qualified signatures must integrate wallet authentication for certificate issuance
• Identity verification providers operating in Europe or serving European customers must align their platforms with eIDAS 2.0 technical standards and assurance levels

With 450 million EU citizens gaining access to digital identity wallets, and penalties reaching €5 million or 1% of global turnover for non-compliance, the stakes for organizations that delay are significant.

For a deeper understanding of how KYC obligations intersect with these requirements, our articles on what KYC regulations require and the key components of KYC provide useful context.

What are Key Requirements Under eIDAS 2.0?

For compliance teams working through what eIDAS 2.0 actually demands, the requirements break down across several dimensions.

The EUDI Wallet

The Digital Identity Wallet enables users to store government-verified credentials including identity documents, professional qualifications, and educational certificates, and selectively share them with trusted services. Unlike current authentication methods requiring repeated identity verification, the wallet provides instant, government-assured identity proof across borders.

Selective disclosure

Wallets let users present only the attributes required. For example, wallet holders can choose to disclose selective attributes like age over 18, residency, or a professional license. For firms, this reduces data collection and lowers breach exposure. Institutions must be able to request only the attributes a given transaction actually requires. Requesting a full identity record when only age verification is needed is not compliant.

Technical standards

The EUDI Wallet uses ISO/IEC 18013-5, W3C Verifiable Credentials, and EUDI-specific ARF specifications. Relying party systems must support them. For identity proofing, compliance with ETSI TS 119 461 is required for Qualified Trust Service Providers. AU10TIX

Cross-border interoperability

A core objective of eIDAS 2.0 is ensuring that credentials verified in one Member State are recognized across all 27. This means identity verification processes that work in Germany must be equally valid when used by a customer onboarding from the Netherlands or Spain.

Data protection alignment

eIDAS 2.0 operates alongside GDPR. Personal data must be protected at all times, and financial institutions must ensure they follow GDPR data protection principles including data minimization, purpose limitation, and accurate recording of data processing activities.

Are You eIDAS Ready?

The timeline for eIDAS compliance is structured in two waves, and understanding the distinction matters for planning purposes.

By late 2026, all 27 Member States must provide at least one certified EUDI Wallet to citizens and businesses. This is the first major hard deadline. By late 2027, obligated private sector organizations including banking, healthcare, telecoms, and large online platforms must accept the EUDI Wallet as an authentication method. Morningstar

For compliance teams, this means:

• Now through 2026: Assess which user journeys and authentication flows will be affected. Register as a relying party where applicable. Begin integration planning with wallet-compatible infrastructure.
• By December 2026: Governments must have wallets deployed and available to citizens. Organizations should have their acceptance infrastructure ready for testing.
• By late 2027: Mandatory acceptance for regulated private sector organizations goes live. This is the legal, not aspirational, deadline for financial institutions under Strong Customer Authentication requirements.

Differences in national implementation speed and technical infrastructure could create uneven access for customers and varying levels of integration complexity across markets. Organizations operating across multiple EU Member States should not assume uniform rollout timelines. Biometric Update

The clearest advice from the regulatory environment is consistent: organizations that begin preparation now will be in a materially better position than those that wait for final implementing acts to be fully settled.

What eIDAS 2.0 Means for Identity Verification Providers

For identity verification providers, eIDAS 2.0 is both a compliance obligation and a signal about the direction of digital identity globally. Understanding what identity verification is and how it is evolving is essential context for any organization evaluating their provider partnerships.

The regulation creates clear expectations around identity assurance levels, data protection practices, and cross-border interoperability. Providers that align with these standards demonstrate technical maturity and long-term regulatory readiness. Those that do not risk becoming a liability for the enterprises that depend on them.

At AU10TIX, we treat regulatory compliance as a continuous commitment rather than a periodic checkpoint. We are currently in the process of validating compliance with eIDAS 2.0, working with TÜV Austria, an EU-accredited Conformity Assessment Body, to evaluate our identity verification technologies, security infrastructure, data handling practices, and operational procedures against eIDAS 2.0 and ETSI TS 119 461 standards.

This builds on our existing certifications including SOC 2, ISO 27001, and NIST 800-63A. For our customers, this initiative means:

• Regulatory alignment: We are investing in meeting European digital identity standards, reducing future integration risk as the ecosystem matures
• Transparency: We communicate clearly about our compliance status without overclaiming or creating false expectations
• Long-term partnership: As eIDAS 2.0 implementation progresses, we will continue adapting our capabilities to support our customers’ evolving European operations
• Global standards lift: The rigor of eIDAS 2.0 validation benefits customers globally, not just in Europe

For enterprises operating in Europe or serving European customers, partnering with identity verification providers who understand and align with eIDAS compliance requirements is not optional. It is a core part of due diligence.

FAQ