eIDAS 2.0: Electronic Identification, Authentication and Trust Services Regulation 2.0

EU regulation (EU 2024/1183) establishing legal framework for digital identity in Europe. Requires all member states to provide EUDI Wallets by December 2026 and mandates acceptance by Very Large Online Platforms (VLOPs) by December 2027.

The journey from the original eIDAS regulation to eIDAS 2.0 spans more than a decade of European digital policy development. Understanding this history helps explain why the regulation takes the form it does.

September 2014 - eIDAS 1.0 enacted: The original Regulation (EU) No 910/2014 on electronic identification and trust services entered into force. It established mutual recognition of electronic identification means and created a framework for trust services like electronic signatures, seals, and timestamps. However, it did not mandate national eID schemes, and adoption remained uneven across member states.

June 2021 - Commission proposal: On 3 June 2021, the European Commission published its proposal to amend the eIDAS Regulation. The proposal was motivated by the failures of eIDAS 1.0 to achieve widespread adoption (only 14% of EU citizens had access to cross-border eID by 2021), the COVID-19 pandemic which accelerated demand for digital services, and the need for a citizen-controlled digital identity wallet. The proposal was part of the broader Digital Decade initiative aiming for 80% of citizens using digital ID by 2030.

March 2023 - Parliament position: The European Parliament adopted its negotiating position, strengthening privacy safeguards, adding requirements for free qualified electronic signatures for natural persons, and expanding the scope of obligated relying parties.

November 2023 - Trilogue agreement: The European Parliament, Council of the EU, and European Commission reached a political agreement in trilogue negotiations. Key compromises included balancing privacy requirements with law enforcement needs, the scope of mandatory acceptance by private sector entities, and the timeline for implementation.

29 February 2024 - Parliament vote: The European Parliament formally adopted the revised regulation with an overwhelming majority of 335 votes in favour, 190 against, and 31 abstentions.

11 April 2024 - Council adoption: The Council of the European Union formally adopted the regulation, completing the legislative process. The regulation was published in the Official Journal on 30 April 2024 and entered into force on 20 May 2024.

The eIDAS 2.0 regulation is a substantial legal text. Below are the most important articles that shape the EUDI Wallet ecosystem.

Article 5a - European Digital Identity Wallets: The cornerstone article. It mandates that each member state shall issue at least one EUDI Wallet, free of charge to natural persons, within 24 months of implementing acts. The wallet must support selective disclosure, operate at assurance level "high," and be entirely voluntary for citizens.

Article 5b - Relying parties: Defines who must accept the wallet and under what conditions. Public sector bodies must accept EUDI Wallets for authentication. Certain private sector entities, including Very Large Online Platforms under the Digital Services Act, banks for customer due diligence, and healthcare providers, must also accept the wallet within specified timeframes.

Article 5c - Certification of wallets: Requires that wallets undergo mandatory certification against common standards before they can be offered to citizens. This ensures a consistent level of security across all member states.

Articles 45a-45g - Electronic attestations of attributes: Introduces a new trust service category for issuing verifiable credentials (attestations). Distinguishes between qualified electronic attestations (QEAAs), which carry the highest legal certainty, and non-qualified attestations (EAAs).

Article 6a - Cross-border identity matching: Addresses the challenge of linking a person's identity across different national registries. Establishes rules for unique identifiers that work across borders while respecting privacy principles.

The eIDAS 2.0 regulation establishes a phased timeline for implementation, with different deadlines for different actors.

20 May 2024: Regulation enters into force. The clock starts for all implementation deadlines.

Late 2025 (12 months after implementing acts): Commission must adopt implementing acts specifying technical standards, certification requirements, and protocols. These implementing acts are developed based on the Architecture Reference Framework (ARF).

Late 2026 (24 months after implementing acts): All member states must offer at least one EUDI Wallet to their citizens and residents. Public sector bodies must accept the wallet for authentication.

Late 2027 (36 months after implementing acts): Very Large Online Platforms (as defined by the Digital Services Act) must accept the EUDI Wallet. Banks must accept the wallet for KYC/customer due diligence purposes.

Ongoing: The Commission must review the regulation every four years and report to the European Parliament and Council on its effectiveness. Implementing acts and technical specifications will be updated regularly as technology evolves.

The original eIDAS regulation (910/2014) and eIDAS 2.0 (2024/1183) share the same goal of enabling cross-border digital identity and trust services, but they take fundamentally different approaches.

eIDAS 1.0 relied on voluntary participation. Member states could choose whether to notify their national eID scheme. By 2021, only 14 out of 27 member states had notified at least one scheme, and cross-border usage remained minimal. The notification process was slow, taking years for technical integration, and there was no common user interface or experience.

eIDAS 2.0 mandates participation. Every member state must provide at least one wallet. The common architecture defined in the ARF ensures interoperability from day one. Citizens get a consistent experience regardless of which country issued their wallet.

eIDAS 1.0 focused on authentication. The original regulation primarily addressed logging into government services. It did not provide a mechanism for sharing verified attributes or credentials beyond basic identity.

eIDAS 2.0 enables a full credential ecosystem. Through electronic attestations of attributes, the wallet can carry driving licences, diplomas, health insurance cards, professional qualifications, and much more. It also introduces free qualified electronic signatures for citizens, which were previously expensive and inaccessible.

Unlike eIDAS 1.0, which had limited enforcement teeth, eIDAS 2.0 establishes concrete mechanisms to ensure compliance.

National supervisory bodies: Each member state must designate one or more supervisory bodies responsible for overseeing the wallet ecosystem. These bodies supervise wallet providers, trust service providers, and relying parties within their jurisdiction.

Cooperation group: A new cooperation group, composed of representatives from member states and the Commission, coordinates cross-border enforcement and ensures consistent application of the regulation across the EU.

Sanctions: Member states must lay down rules on sanctions for infringements. While the regulation does not prescribe specific fine amounts (unlike GDPR), it requires that sanctions be effective, proportionate, and dissuasive.

Mandatory certification: Wallets cannot be offered to the public without passing certification. If a wallet is found to have security vulnerabilities after certification, the supervisory body can suspend or revoke its certification, effectively forcing it off the market until issues are resolved.