• Apr 07, 2026

The eIDAS 2.0 Power Grab: Who Controls Digital Identity in Europe

Explore who controls digital identity in Europe as eIDAS 2.0 reshapes KYC, onboarding, and cross-border trust for banks, fintechs, and telcos.

By the end of 2026, all EU member states must offer the new European Digital Identity (EUDI) Wallet to their citizens and official residents. The aim is to provide a highly secure means of digital identity verification, give people more control over sharing their personal data, and improve the security of cross-border transactions.

While this change promises many benefits for individuals and businesses that need to verify identities, it also raises questions about who will control Europeans’ digital identities and what impact the new technology will have on customer onboarding and compliance.

Let’s explore the power dynamics behind eIDAS 2.0, and what it means for KYC, onboarding, and cross-border trust.

What is eIDAS?

The eIDAS Regulation (Regulation (EU) 910/2014) is an EU law that creates a standardized legal framework for verifying digital identities and authenticating transactions across EU member states. 

Key eIDAS principles include mutual recognition of national electronic IDs (eIDs) between member states, as well as provision for highly secure electronic signatures and seals to authenticate transactions.

What is eIDAS 2.0?

eIDAS 2.0 (Regulation (EU) 2024/1183) amends and extends the previous eIDAS legislation by requiring all EU member states to offer their citizens and official residents at least one version of the EUDI Wallet. This Wallet is an app that allows people to store and share important electronic credentials, such as their electronic ID (eID) and driver’s license.

eIDAS 2.0 is also sometimes referred to as the European Digital Identity (EUDI) Regulation.

eIDAS 1.0 vs eIDAS 2.0: What actually changed

The first eIDAS Regulation (Regulation (EU) 910/2014) became applicable in July 2016 and is now sometimes referred to as ‘eIDAS 1.0’ to distinguish it from the later eIDAS 2.0 Regulation (Regulation (EU) 2024/1183) that was introduced in May 2024.

Both regulations focus on creating a standardized framework for verifying digital identities and securing electronic transactions within the EU, with the newer eIDAS 2.0 amending the original eIDAS Regulation to address concerns about the initial scheme.

Regulation (EU) No 910/2014 (eIDAS) established cross-border electronic identification (eID) recognition and a framework for trust services (e.g., e-signatures, seals, timestamps), while Regulation (EU) 2024/1183 (eIDAS 2.0) expands this into a broader European Digital Identity Framework.

The original eIDAS framework

Key principles of the original eIDAS regulation include:

  • Mutual recognition of EU member states’ eIDs. Electronic IDs issued in one member state must be accepted by entities in other member states, provided they meet regulatory requirements.
  • Interoperability of national eID schemes. A technology-neutral framework is required so electronic identification data can be seamlessly shared between entities, regardless of which member state’s eID scheme is used.
  • Legal validity of electronic documents, signatures, and seals. Entities operating within the EU must accept the validity of electronic documents, signatures, and seals that meet the regulatory criteria.
  • Standardization of trust services. A standardized market for trust services, e.g., electronic signature providers, was created to ensure they work seamlessly across borders and carry the same weight as traditional alternatives.

What eIDAS 2.0 adds to the equation

eIDAS 2.0 is intended to boost take-up of eIDs within the EU. It does this by ensuring that every citizen and permanent resident of an EU member state has the option of an EU Digital Identity Wallet that allows them to easily share digital identity credentials accepted across the EU. 

The Regulation also extends certain obligations to private sector relying parties, including entities in regulated sectors such as banking, requiring them to accept and interact with EU Digital Identity Wallets in specified circumstances, in particular where strong customer authentication or identification is required under Union or national law. These obligations are not linked to platform size or classifications such as Very Large Online Platforms under the Digital Services Act. The implementation of EU Digital Identity Wallet-related requirements will take place progressively, with key milestones expected by 2026–2027 following the adoption of relevant implementing acts.

The European Digital Identity Wallet explained

How the EUDI Wallet works

The European Digital Identity Wallet is a mobile app that can store electronic credentials and share them with public and private sector entities for authentication and verification.

Once users have downloaded the EU Digital Wallet app (EUDI Wallet), the security features of their mobile device can be used to ensure only they have access to the app and the credentials it stores. Users may connect the app to the systems of credentials providers, such as their national eID scheme, and then add a specific digital credential.

When the user needs to verify their identity or authenticate attributes or identity data stored in the EUDI Wallet, they can selectively share the relevant credential or data. For example, if a user needs to prove their age for a website or to receive an age-related discount on a purchase, they can choose to share only their authenticated date of birth through the app.

What can be stored in the EUDI Wallet?

An EU Digital Wallet can be used to store European digital identity credentials, such as:

  • Personal Identification Data (PID). For example, national eIDs and driver’s licenses.
  • Qualified Electronic Signatures (QES). Digital signatures carry the same legal effect as traditional handwritten signatures.
  • Qualified Electronic Attestations of Attributes (QEAA). Certified credentials (e.g., educational qualifications and professional licenses) issued by qualified trust service providers.

As covered above, any data stored in an eIDAS Digital Wallet can be shared selectively by the holder, meaning they only need to share exactly as much information as is required for a particular situation.

Who controls EU digital identity?

The EU Digital Identity Framework is based on the principle that “everyone should always control their digital identity”. While this suggests that digital identity in Europe should belong to individuals, in practice, multiple actors participate in the issuance, management, and reliance on European digital identity within the framework.

Banks and the digital identity advantage

Banks were one of the first adopters of digital identities. eIDs can simplify banks’ regulatory obligations to identify their customers and assess their risk of involvement in financial crime (referred to as ‘Know Your Customer’ or ‘KYC’) by providing a straightforward, robust means of identity verification.

Now, under eIDAS compliance obligations, service providers such as banks may be required to accept verified credentials shared through EUDI Wallets in specified use cases, following the application of implementing acts expected by 2026–2027. Under eIDAS, KYC should be easier due to a larger pool of customers with access to eIDs.

Fintechs and identity verification providers

Fintech identity verification providers play a key role in the new EU digital identity landscape. Digital identity verification solutions will need to securely collect, process, and store users’ personal data for remote identity verification purposes. This must be done in compliance with GDPR and the eIDAS regulations, so while verification service providers will have significant control of digital identity data, this will be within a strict compliance framework.

Telecom operators as identity gatekeepers

Because the EUDI Wallet is a mobile app, telecom operators that provide mobile devices will act as key gatekeepers to the new digital identity system in Europe. The system will only be as secure as the infrastructure of those telecom operators, and it will only be available to people who have access to the mobile devices they provide. This is an issue that regulators and national governments will need to grapple with to ensure the new technology is as widely available as possible.

Big Tech and the eIDAS 2.0 rulebook

Under the eIDAS 2.0 Regulation, businesses will need to be able to connect with the European Digital Identity (EUDI) Wallet app by the end of 2026. For many, the solution to achieving this will be to buy ‘access-as-a-service’ in the form of a ‘Wallet Connector’ from an intermediary.

For Big Tech firms, this presents an opportunity to “get in on the action”, as there is the potential for a huge Wallet Connector market. This may raise concerns about EU digital sovereignty, as part of the eIDAS project's aim was to prevent Big Tech firms from processing the data of EU citizens and official residents.

However, any Wallet Connector provider will have to comply with eIDAS 1.0, eIDAS 2.0, and GDPR rules, including meeting high security and data-handling standards. This should, hopefully, alleviate some of the worries around Big Tech's involvement in EU digital identity.

eIDAS 2.0 and KYC: Onboarding reimagined

eIDAS 2.0 is expected to have significant implications for the Know Your Customer (KYC) onboarding process that regulated businesses must go through when taking on new customers. KYC is a regulatory requirement for Anti-Money Laundering (AML) purposes and involves verifying customers’ identities and assessing their risk of involvement in financial crime.

eIDAS 2.0 will be particularly important for remote identity verification, which is usually required as part of digital KYC processes when opening accounts online. Strengthening online identity verification will have benefits for both consumers and businesses. At the end of the day, eIDAS 2.0 shifts verification toward reusable, trusted digital identities, making non-documentary (Non-Doc) verification methods more viable and increasingly accepted across the EU.

Remote identity verification under eIDAS 2.0

Digital onboarding processes typically involve online identity verification using eID or digital copies of traditional IDs, such as passports. Under eIDAS 2.0, KYC and remote identity verification will be much simpler as users with an EUDI Wallet can use verified credentials held in their Wallets to quickly and securely confirm their identity. This will make digital KYC much more straightforward for users and more robust for service providers.

Cross-border KYC compliance in the EU

Digital onboarding and KYC processes can experience challenges when a service provider signs up customers in a different jurisdiction. These KYC onboarding challenges can include verifying IDs in different formats and meeting regulatory requirements in different countries. 

Under the new EU AML Regulation and eIDAS 2.0, KYC issues like these should no longer be a concern for service providers in the EU. This is because every member state will apply the same rules, and key identity documents for EU citizens and official residents should be recognized by service providers across all member states.

Verified credentials, AML, and eIDAS 2.0

The EUDI Wallet scheme can benefit identity fraud prevention and Anti-Money Laundering (AML) in Europe. By putting verified credentials at the fingertips of EU citizens and official residents, it can also help obliged entities meet their obligations under the new EU AML Regulation.

Digital wallets and AML obligations

From July 2027, the EU’s new Anti-Money Laundering Regulation (EU AML Regulation) will apply to all member states. This will standardize approaches to AML in Europe, replacing the previous patchwork of different legislation in individual states. 

The new rules involve stricter due diligence requirements, including those for identifying the beneficial owners of businesses. EUDI Wallet users will be able to quickly and easily share verified credentials with different service providers, making it easier for obliged entities to discharge their AML obligations.

eIDAS 2.0 as a fraud prevention tool

eIDAS 2.0 should supercharge identity fraud prevention efforts by making it much harder for criminals to steal identities and bypass KYC checks. 

Verified credentials stored in the EUDI Wallet will be much more difficult for criminals to forge or steal, thanks to robust multi-factor authentication during digital identity verification.

Qualified Electronic Signatures (QES) that can be stored and shared with the EUDI Wallet should also simplify and secure transaction authentication, which further reduces the potential for fraud.

Trust, interoperability, and the EU Framework

Levels of assurance in eIDAS 2.0

eID schemes offered by individual EU member states are given a ‘level of assurance’ under the EU Digital Identity (EUDI) Framework. These levels of assurance indicate the degree of confidence a service provider can have that the bearer of one of these eIDs is who they claim to be.

The three eIDAS levels of assurance are: 

  • Low: for eID schemes that rely on self-registration with no identity verification.
  • Substantial: for eIDs where identity information has been verified online.
  • High: for eIDs that rely on in-person registration and authentication using a smart national ID card.

As part of their eIDAS compliance obligations, service providers must ensure they only accept an eID with the appropriate level of assurance for a given transaction.

Cross-border recognition: Challenges ahead

A key principle of both eIDAS regulations is that eIDs issued in one EU member state should be recognized by service providers in other member states. 

This cross-border, mutual recognition has been an eIDAS compliance requirement since September 2018 under the original eIDAS Regulation, while the European Digital Identity (EUDI) Wallet introduced by eIDAS 2.0 helps simplify this by providing a unified approach to sharing verified credentials.

Yet, while the eIDAS regulations have created a single EU digital identity framework, there are still challenges to contend with, including:

  • Slow adoption of eID in some EU member states and age groups (e.g., less than 15% of people use eID in Bulgaria, Germany, Romania, and Slovakia, compared to over 90% in Denmark, Estonia, Finland, and the Netherlands). 
  • Significant variation in levels of assurance between different member states’ eIDs, meaning some are more useful than others.
  • The potential for data breaches to be even more damaging if all of a citizen’s sensitive personal information is stored in a single system.

To address these concerns, EU member states will need to make efforts to boost eID adoption and ensure their individual national schemes can meet appropriate levels of assurance in a suitable timeframe. Data security must also be a top priority, with continuous threat assessment and proactive measures to keep EUDI systems secure.

EU digital sovereignty vs Big Tech dominance

Geopolitical stakes of European digital identity

EU digital sovereignty has been a growing concern within the bloc for several years. Specific worries include citizens’ loss of control over their data and the influence of non-EU technology companies. These foreign tech companies “do not always obey European rules and fundamental values” and often “put data appropriation and valuation at the heart of their strategy”, according to one EU Commission report.

In this context, digital sovereignty has been defined as “Europe's ability to act independently in the digital world”. Both eIDAS regulations have played a part in facilitating this concept, with eIDAS 1.0 aiming to create a European technical framework for secure cross-border transactions, and eIDAS 2.0 delivering a European digital identity solution that is not reliant on overseas Big Tech firms (in the form of the EUDI Wallet) and mutual recognition of member states’ eIDs.

eIDAS 2.0 and GDPR: Friends or rivals?

eIDAS 2.0 is intended to integrate effectively with the EU’s General Data Protection Regulation (GDPR). 

According to Recital 7 of GDPR: “Natural persons should have control of their own personal data”. The EUDI Wallet scheme makes this easier by allowing users to share only the minimum necessary personal information for a specific situation. For example, if someone needs to verify their nationality, they should be able to share only that information and keep any other sensitive information private.

The concept of EU digital sovereignty also means less reliance on overseas technology platforms that may not comply with GDPR rules when handling users’ data. Obliged entities operating within the EU will need to accept verified credentials issued via the EUDI Wallet as part of their eIDAS compliance obligations, giving EU citizens and official residents greater control over their data across a wide range of settings.

eIDAS 2.0: Business opportunities and compliance costs

New revenue streams for identity providers

eIDAS 2.0 and the EUDI Wallet scheme may boost the market for digital identity verification solutions and Trust Service Providers (TSPs). 

Fintech identity verification is likely to increasingly rely on technologies such as biometric verification, potentially boosting demand for these advanced tools. Because the new regulation places digital signatures on an equal footing with traditional paper signatures, TSPs that provide eSignature services could also see increased demand for their services.

What regulated industries must prepare for

Regulated industries must be ready to ensure their eIDAS compliance frameworks meet the new requirements of eIDAS 2.0 by the end of 2026. This is particularly important for digital onboarding and KYC processes.

KYC onboarding requirements under eIDAS 2.0 include:

  • The technical capacity to accept the EUDI Wallet for authentication purposes
  • Adoption of W3C Verifiable Credentials
  • Conforming to the technical specifications for eIDs set by EU member states

eIDAS 2.0 FAQ

  • What is eIDAS 2.0?

    eIDAS 2.0 is the commonly used name for the European Digital Identity Regulation (Regulation (EU) 2024/1183). It amends the previous eIDAS Regulation (Regulation (EU) 910/2014), establishing a requirement for EU member states to provide EU Digital Identity Wallets for their citizens.

  • When does eIDAS 2.0 take effect?

    eIDAS 2.0 came into force across the EU on May 20, 2024. Under this new eIDAS regulation, Member States are required, subject to the adoption of implementing acts, to provide at least one EU Digital Identity Wallet to citizens and residents within a defined implementation period (generally expected to be around 24 months following the adoption of the relevant technical framework).

  • How does eIDAS 2.0 affect KYC?

    eIDAS 2.0 should have a positive impact on Know Your Customer (KYC) onboarding processes, by enabling broader availability of high-assurance electronic identification means and electronic attestations of attributes that can be used to facilitate identity verification. One advantage of EU Digital Identity Wallets for digital KYC is that they allow the holder to selectively disclose the information contained within the Wallet, so users can reveal only what is required for a transaction, minimizing exposure of their personal data. So, the benefits of eIDAS for KYC include making it simpler and more secure for institutions, and more straightforward and less risky for consumers.

  • What is the European Digital Identity Wallet?

    The European Digital Identity Wallet (or ‘EU Digital Wallet’) is intended to be made available by Member States to citizens and residents in accordance with eIDAS 2.0. It allows them to store and share digital credentials, including their electronic ID and driver’s license. These wallets are also sometimes called ‘eIDAS Wallets’ after the eIDAS 2.0 regulation that established the requirement for EU member states to offer the technology, although the Regulation refers to “EU Digital Identity Wallets”.

  • Is eIDAS 2.0 compliance mandatory?

    eIDAS compliance is mandatory for entities providing qualified trust services, as well as for certain public and private sector relying parties in defined circumstances. Acceptance of EU Digital Identity Wallets may be required for certain services where identification or authentication is mandated under Union or national law; however, this obligation is not universally linked to Strong Customer Authentication (SCA) requirements under other Union legislation.