Chapter 4: eIDAS 2.0 — The EU's Digital Identity Mandate
What you'll learn:
- What eIDAS 1.0 was, and why it fell short
- What eIDAS 2.0 actually requires — in practical terms, not legal language
- The Architecture and Reference Framework: the technical blueprint
- The rollout timeline and what it means for builders
- Who is affected and what they must do
Where we came from: eIDAS 1.0
In 2014, the EU passed the original eIDAS regulation — Electronic Identification, Authentication and Trust Services. Its goal was to let Europeans use their national eID schemes across EU borders. A German citizen should be able to use their German digital identity to access services in France, and vice versa.
The ambition was right. The execution was limited.
eIDAS 1.0 created a framework for cross-border recognition of national eID schemes — but left everything else to individual member states. Each country could design its own eID system however it liked. Germany built the Online-Ausweisfunktion (ePA). Austria built A-Trust. France built FranceConnect. Belgium built itsme. These systems were technically incompatible. Most citizens never used them. And critically, none of them worked for private services — eIDAS 1.0 applied only to public sector interactions.
The result was a decade of low adoption and continued dependence on private identity providers — email addresses, social logins, and third-party KYC vendors — for anything that actually mattered commercially.
What eIDAS 2.0 changes
In 2021, the European Commission proposed a comprehensive revision. After two years of legislative negotiation, eIDAS 2.0 was formally adopted in April 2024. It makes five decisions that the original regulation did not.
1. Every EU citizen gets a wallet
Every EU member state must offer a European Digital Identity (EUDI) wallet to every citizen and resident who wants one. This is not optional. The wallet is a mobile application (or equivalent) that can receive, store, and present digital credentials.
2. The wallet must use specific standards
Rather than leaving the technical choice to member states — which produced the fragmentation of eIDAS 1.0 — eIDAS 2.0 mandates specific protocols and formats. The technical specification is the Architecture and Reference Framework (ARF), maintained by the EU Commission and updated regularly. The mandated standards are:
| Layer | Standard | Purpose |
|---|---|---|
| Credential format | SD-JWT | Signed credentials with selective disclosure |
| Credential format | ISO/IEC 18013-5 mdoc | Mobile driving licence format |
| Issuance protocol | OID4VCI | Delivering credentials into the wallet |
| Presentation protocol | OID4VP | Presenting credentials to verifiers |
| Trust anchor | did:web + X.509 | Verifying issuer identity |
3. Private companies must accept the wallet
This is the most commercially significant change. Banks, financial services firms, telecoms operators, transport providers, and large online platforms operating in the EU are required to accept the EUDI wallet for identity verification. The regulation names specific sectors. For regulated industries — banking (KYC/AML), telecoms (SIM registration), healthcare — this is mandatory. For large platforms with more than 45 million monthly active users in the EU, acceptance is also compulsory.
4. Users cannot be forced to use it
The wallet is a right, not a requirement. Citizens who do not want a digital identity wallet cannot be denied services — member states must maintain alternatives. Privacy is architecturally enforced: the specification requires that verifiers cannot correlate presentations from different interactions, and that the wallet does not log what the user does with it.
5. The wallet must work across the EU
A wallet issued by one member state must be accepted by services in all other member states. This is the original eIDAS 1.0 promise — but now backed by mandatory technical standards that make it achievable.
The Architecture and Reference Framework
The ARF is the document that turns regulation into technical specification. It is not a law — it is the blueprint that issuers, wallet providers, and verifiers must implement to be compliant. The European Commission publishes it openly and updates it as the standards mature.
The ARF defines:
- Trust model — which entities can issue credentials, how issuers are registered, how verifiers are authorised
- Wallet attestation — how a wallet proves to an issuer that it is a genuine, certified EUDI wallet (using a wallet attestation credential, itself issued via OID4VCI)
- Credential schemas — the standard fields for common credential types (person identification data, driving licence, vehicle registration, diplomas)
- Privacy requirements — unlinkability between presentations, no contact with the issuer during verification, user consent for every presentation
Developer note: The ARF is freely available at architecture-and-reference-framework. The specification changes frequently as the working groups resolve open questions. If you are building for EUDI compliance, track the ARF version you are implementing against.
The trust model
One of the most practically important decisions in eIDAS 2.0 is how trust is established between issuers, wallets, and verifiers. Rather than relying on a single EU-wide database, the model uses a hierarchy of trust anchors.
A verifier receiving a credential from a German wallet can validate:
- The credential's cryptographic signature (using the issuer's public key)
- That the issuer is registered in Germany's trust anchor
- That Germany's trust anchor is on the EU's trusted member state list
This chain-of-trust model works without any live connection to the issuer. The verification is done against published, static documents.
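The three checks above as a small Go program, added here as an illustration and not taken from the ARF or any EUDI reference implementation. The Registration format, the Ed25519 keys, and every name and sample value are assumptions constructed for the example. The checks run from the EU list downwards, so the issuer key is authenticated before it is used to verify the credential.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Registration is one entry of a member state's published issuer list, signed by that state's trust anchor (hypothetical format).
type Registration struct {
	Issuer    string
	IssuerKey ed25519.PublicKey
	AnchorSig []byte
}

// Credential is a constructed stand-in for a signed credential, not a real SD-JWT.
type Credential struct {
	Issuer, MemberState string
	Payload, Sig        []byte
}

func regBytes(issuer string, key ed25519.PublicKey) []byte { return append([]byte(issuer+"\x00"), key...) }

// VerifyChain needs only static data: euList maps a member state code to its trust anchor key.
func VerifyChain(c Credential, reg Registration, euList map[string]ed25519.PublicKey) error {
	anchor, ok := euList[c.MemberState] // is the member state's anchor on the EU list?
	if !ok {
		return errors.New("member state anchor not on EU trusted list")
	}
	if reg.Issuer != c.Issuer || !ed25519.Verify(anchor, regBytes(reg.Issuer, reg.IssuerKey), reg.AnchorSig) {
		return errors.New("issuer not registered under member state anchor")
	}
	if !ed25519.Verify(reg.IssuerKey, c.Payload, c.Sig) { // key is now authenticated
		return errors.New("credential signature invalid")
	}
	return nil
}

// Sample returns constructed keys and documents for the German wallet case.
func Sample() (Credential, Registration, map[string]ed25519.PublicKey) {
	anchorPub, anchorPriv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	issPub, issPriv, _ := ed25519.GenerateKey(nil)
	reg := Registration{"pid-issuer.example", issPub, ed25519.Sign(anchorPriv, regBytes("pid-issuer.example", issPub))}
	payload := []byte(`{"family_name":"Mustermann"}`)
	return Credential{"pid-issuer.example", "DE", payload, ed25519.Sign(issPriv, payload)}, reg, map[string]ed25519.PublicKey{"DE": anchorPub}
}

func main() {
	fmt.Println("valid chain:", VerifyChain(Sample()) == nil)
}
```

A failure at any level rejects the credential: a tampered payload, an issuer entry signed by a different anchor, or a member state missing from the EU list each return a distinct error.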
The rollout timeline
eIDAS 2.0 is not a future aspiration — it is an active implementation programme. The key milestones:
| Date | Milestone |
|---|---|
| April 2024 | eIDAS 2.0 regulation formally adopted |
| 2024–2025 | Implementing acts and technical specifications finalised |
| 2025 | Large-scale pilots (LSPs) conclude — four EU pilot programmes testing real EUDI wallets |
| Mid-2026 | Member states must offer EUDI wallets to citizens |
| Mid-2026 | Regulated private sectors must begin accepting wallets |
| 2027 | Full rollout across all mandated sectors |
The four large-scale pilot programmes — POTENTIAL, EWC (European Wallet Consortium), DC4EU, and NOBID — ran real trials in 2023–2025, testing everything from age verification at online shops to cross-border benefit applications. Their findings fed directly into the ARF.
Business significance: Mid-2026 is not distant. Any organisation building identity verification infrastructure for the European market in 2024 or 2025 needs to be planning for EUDI wallet compatibility now. Building a proprietary KYC integration today without an OID4VP migration path is building technical debt.
What eIDAS 2.0 means for different audiences
If you work in a regulated financial institution: Your KYC processes will need to accept credentials from EUDI wallets presented via OID4VP. The credential you receive will be an SD-JWT containing person identification data signed by a member state authority. Your verification service needs to implement OID4VP and the eIDAS trust chain resolution.
If you are building a wallet: You must implement both OID4VCI (to receive credentials from issuers) and OID4VP (to present them to verifiers). Your wallet must also obtain a wallet attestation — a credential proving your wallet is a certified EUDI wallet — before issuers will issue real credentials to you.
If you are a public sector issuer: You must implement OID4VCI to issue the mandated credential types (person identification data at minimum) to EUDI wallets. Your credentials must be signed SD-JWTs. Your issuer must be registered in your member state's trust anchor.
If you are a private sector issuer (bank, employer, university): You are not required to issue credentials, but you may. Banks issuing "account holder" credentials, employers issuing employment certificates, and universities issuing degree credentials are all supported by the framework.
Summary
eIDAS 1.0 created the idea of cross-border digital identity in the EU. eIDAS 2.0 makes it real. It mandates a specific technical stack (OID4VCI, OID4VP, SD-JWT, did:web), requires every member state to issue wallets, and compels regulated private sectors to accept them. The Architecture and Reference Framework provides the technical blueprint.
| Feature | eIDAS 1.0 (2014) | eIDAS 2.0 (2024) |
|---|---|---|
| National eID schemes | Each state chooses | Standardised on ARF |
| Credential format | Varies | SD-JWT + mdoc |
| Private sector | Not covered | Mandatory for regulated sectors |
| Wallet | No requirement | Every citizen by 2026 |
| Interoperability | Limited, in practice | Technical standard mandated |
The next chapter looks at the generation of technology that attempted to build this ecosystem before eIDAS 2.0 existed — and why it proved so difficult.