eIDAS 2.0 Regulation Officially Approved - EU Digital Identity Framework Established

European Parliament approves eIDAS 2.0 (EU 2024/1183) establishing legal framework for EUDI Wallets across all 27 member states.

Timeline of eIDAS 2.0: From Proposal to Adoption

The journey toward eIDAS 2.0 began in June 2021 when European Commission President Ursula von der Leyen announced the European Digital Identity framework as part of the Commission's digital strategy. The formal legislative proposal was presented on June 3, 2021, initiating one of the most significant digital policy initiatives in European history. The proposal recognized that the original eIDAS regulation from 2014, while pioneering in establishing mutual recognition of electronic identification, had fallen short of creating a truly unified European digital identity ecosystem.

The legislative process followed the EU's ordinary legislative procedure, involving extensive negotiations between the European Parliament, the Council of the EU, and the European Commission in what are known as trilogue negotiations. These discussions spanned nearly three years, reflecting the complexity and political sensitivity of creating a mandatory digital identity framework that affects the daily lives of over 450 million EU citizens. Key debates centered on the balance between convenience and privacy, the role of the private sector, and the technical architecture that would underpin the system.

A political agreement was reached in November 2023, with the European Parliament voting overwhelmingly in favor on February 29, 2024, with 335 votes in favor, 190 against, and 31 abstentions. The Council formally adopted the regulation on March 26, 2024, and it was published in the Official Journal of the European Union on April 30, 2024, entering into force on May 20, 2024. This timeline places eIDAS 2.0 among the fastest-processed major digital regulations in EU history, reflecting the political priority attached to digital identity by EU institutions.

Key Articles and Provisions of eIDAS 2.0

Article 5a establishes the obligation for each member state to issue at least one European Digital Identity Wallet within 24 months of the implementing acts being adopted. The wallet must be free of charge to natural persons for basic functionality, technically interoperable across all member states, and available on mobile devices with secure element access. Member states may develop their own wallet solutions or adopt solutions from other member states, creating a competitive marketplace for wallet implementations while ensuring pan-European interoperability.

Article 5b defines the relying party framework, specifying which entities must accept EUDI Wallets and under what conditions. Very Large Online Platforms as defined under the Digital Services Act (platforms with over 45 million monthly active users in the EU) must accept EUDI Wallets for user authentication when login services are offered. Financial services institutions must accept wallets for KYC purposes. Government digital services must accept wallets for citizen authentication. This tiered approach creates a phased adoption that begins with government services in 2026 and expands to the private sector in 2027.

Articles 45a through 45g introduce the concept of Qualified Electronic Attestations of Attributes (QEAAs), which are verifiable credentials issued by qualified trust service providers. These attestations can represent a wide range of identity attributes beyond basic identification, including professional qualifications, educational diplomas, health insurance credentials, and driving licenses. QEAAs must be accepted across borders with the same legal validity as their paper equivalents, creating a truly portable system of verifiable credentials.

The regulation also significantly strengthens privacy protections through Article 6a, which establishes the principle that wallet users must have full control over their personal data. Relying parties cannot require more data than strictly necessary for the service being accessed, and wallet providers are prohibited from tracking user behavior or correlating transactions across different relying parties. The regulation mandates the use of privacy-enhancing technologies such as selective disclosure and unlinkability, ensuring that the wallet cannot become a surveillance tool.

What Changed from eIDAS 1.0 to eIDAS 2.0

The original eIDAS regulation, adopted in 2014 and fully applicable from September 2018, established mutual recognition of notified electronic identification schemes between member states. However, notification remained voluntary, and by 2021, only 14 of the then 27 member states had notified eID schemes under the framework. Cross-border usage remained negligible, with the European Commission estimating that only 14% of key public services across the EU accepted cross-border eID. The voluntary approach had clearly failed to create the unified digital identity ecosystem that the EU envisioned.

eIDAS 2.0 addresses these shortcomings through several fundamental changes. First, it shifts from a voluntary notification model to a mandatory wallet provision model: every member state must now provide a digital identity wallet, eliminating the patchy coverage that undermined eIDAS 1.0. Second, it expands the scope from government-to-government recognition to include the private sector, requiring acceptance by major platforms and financial services. Third, it introduces the concept of attestations of attributes, moving beyond simple identity verification to a complete verifiable credentials ecosystem.

The trust services framework also received significant updates. eIDAS 2.0 introduces new categories of qualified trust services, including electronic ledgers (relevant for blockchain-based services), electronic attestations of attributes, and management of remote electronic signature creation devices. The regulation also updates existing trust service provisions to align with modern cryptographic standards and emerging technologies. Qualified website authentication certificates (QWACs), which were controversial under eIDAS 1.0 due to browser implementation concerns, received clarified provisions intended to resolve the standoff between EU regulators and browser vendors.

Perhaps the most significant philosophical shift between eIDAS 1.0 and 2.0 is the move from a government-centric model to a citizen-centric model. Under eIDAS 1.0, the focus was on enabling governments to recognize each other's identity systems. Under eIDAS 2.0, the focus is on putting citizens in control of their own digital identity through a personal wallet that they carry on their smartphone. This shift reflects broader trends in digital identity thinking, influenced by self-sovereign identity principles and the recognition that citizens, not institutions, should be at the center of the identity ecosystem.

Implementation Deadlines and Member State Obligations

The eIDAS 2.0 regulation establishes a carefully sequenced timeline of deadlines that member states and the European Commission must meet. Within 6 months of entry into force (by November 2024), the Commission must publish the first set of implementing acts covering the technical specifications for wallet interoperability. Within 12 months (by May 2025), additional implementing acts must cover the certification framework, trust infrastructure, and the detailed technical protocols for credential issuance and presentation.

Member states have 24 months from the adoption of the relevant implementing acts to deploy their EUDI Wallets. Given the expected timeline for implementing acts, this places the practical wallet deployment deadline around December 2026 for most provisions. Each member state must designate a national wallet provider (which may be a government agency or a certified private entity), establish the necessary trust infrastructure including qualified trust service providers, and ensure that all government digital services are updated to accept wallet credentials.

The regulation also establishes a governance framework through the European Digital Identity Cooperation Group, consisting of representatives from all member states and chaired by the Commission. This group oversees the implementation process, resolves interoperability issues, maintains the trusted list of wallet providers and trust service providers, and ensures consistent application of the regulation across the EU. The cooperation group builds on the existing eIDAS expert group but with significantly expanded responsibilities and decision-making authority.

For businesses, the timeline creates a clear preparation path. Financial institutions and Very Large Online Platforms should begin technical preparation immediately, as the December 2027 deadline allows approximately three years for integration. However, given that government services must be ready by December 2026, businesses serving government contracts or public sector clients may face earlier practical deadlines. Industry associations including the European Banking Federation and DigitalEurope have called on members to begin integration planning no later than early 2025 to ensure readiness.

Technical Standards and the Architecture Reference Framework

The technical backbone of eIDAS 2.0 implementation is the Architecture Reference Framework (ARF), developed by the European Commission in collaboration with member state experts and industry stakeholders. The ARF defines the technical architecture, protocols, and data formats that EUDI Wallets must support to ensure pan-European interoperability. As of its latest version, the ARF specifies two primary credential formats: SD-JWT VC (Selective Disclosure JSON Web Token Verifiable Credentials) for most attestations, and ISO mdoc (mobile document) format based on ISO 18013-5 for mobile driving licenses and similar documents.

The protocol stack defined in the ARF relies on OpenID4VCI (OpenID for Verifiable Credential Issuance) for the process by which credentials are issued to wallets, and OpenID4VP (OpenID for Verifiable Presentations) for the process by which wallet holders present credentials to relying parties. These protocols were chosen for their maturity, broad industry support, and alignment with existing web standards. The ARF also specifies the use of device-bound keys stored in secure hardware elements on the user's smartphone, ensuring that credentials cannot be copied or used on unauthorized devices.

The trust infrastructure specified in the ARF includes a hierarchical system of trusted lists maintained at both national and EU level. These lists identify authorized wallet providers, qualified trust service providers, and authorized relying parties. The trust model ensures that a wallet issued in France can verify a credential issued in Germany against a trust anchor maintained by the German government, all without requiring bilateral agreements between member states. This multilateral trust framework is a significant advancement over the bilateral notification model of eIDAS 1.0.

EU Large-Scale Pilot Programs

To validate the technical architecture and identify implementation challenges before the mandatory deadlines, the European Commission funded four Large-Scale Pilot (LSP) programs under the Digital Europe Programme, collectively receiving approximately 46 million euros in EU funding. These pilots, launched in 2023, involve over 250 organizations across all EU member states and test EUDI Wallet functionality in real-world scenarios.

The EU Digital Identity Wallet Consortium (EWC) focuses on travel and organizational identity use cases, testing scenarios such as digital travel credentials at airports and professional qualification verification. The POTENTIAL consortium addresses government services, banking, and telecommunications, testing wallet-based onboarding at major European banks and mobile operators. The NOBID consortium concentrates on payment and transaction use cases in the Nordic and Baltic regions. The DC4EU consortium focuses on educational credentials and social security, testing cross-border diploma recognition and healthcare credential exchange.

Early results from these pilots have been broadly positive but have also identified significant challenges. Interoperability between different wallet implementations remains a work in progress, with pilots revealing inconsistencies in how different member states implement the ARF specifications. User experience testing has highlighted the need for simpler, more intuitive credential sharing flows, as participants often struggled with the concept of selective disclosure. The pilots have also uncovered gaps in the trust infrastructure, particularly around the process for revoking compromised credentials in real-time across borders.

The feedback from these pilot programs is actively shaping the final implementing acts and ARF updates. The Commission has committed to incorporating pilot findings into the technical specifications before the mandatory deadlines take effect, creating an iterative development process that aims to ensure the production EUDI Wallet ecosystem benefits from extensive real-world testing. This approach distinguishes eIDAS 2.0 implementation from many previous EU digital initiatives, which were often deployed based on theoretical specifications without comparable pre-launch validation.