What Is eIDAS 2.0?

eIDAS 2.0 is the European Union's updated regulation governing electronic identification and trust services, requiring every EU member state to offer citizens a European Digital Identity Wallet by 2026. Building on the original 2014 eIDAS framework, the updated regulation represents the world's most comprehensive legal framework for digital identity, mandating privacy protections, cross-border interoperability, and acceptance across public and private sectors.

The original eIDAS framework

The original eIDAS Regulation (Electronic Identification, Authentication and Trust Services), adopted in 2014 and implemented in 2016, established a unified legal framework for electronic identification and trust services across all EU member states. It enabled citizens and businesses to use recognized digital identities to access public services across borders, eliminating the need for multiple logins and separate credentials for each country.

The regulation also defined legal standards for electronic signatures, seals, time stamps, and electronic delivery services. Qualified electronic signatures were granted the same legal standing as handwritten signatures, creating a foundation for trusted digital transactions across the European Single Market.

What eIDAS 2.0 changes

eIDAS 2.0 significantly expands the original framework by requiring member states to issue European Digital Identity Wallets to all citizens who want them. These wallets will allow users to securely store and present identity credentials, payment information, and other verified attributes across a wide range of public and private services.

The regulation mandates acceptance across public services and major private sectors, including banks, telecommunications providers, and large online platforms. This means the wallet won't just be helpful for government services, it will work for opening bank accounts, signing up for mobile phone plans, and accessing services from major online platforms.

Privacy protections

eIDAS 2.0 incorporates robust privacy protections into its framework. Wallets must be voluntary and free for citizens; no one can be required to use them, and there should be no cost to obtain one. The regulation requires support for selective disclosure, allowing users to share only the specific attributes needed for a transaction rather than their complete identity.

The framework accommodates both offline and online verification models. The specific transport mechanisms used in practice, such as QR codes or NFC, are defined by technical specifications and implementation profiles rather than prescribed at the policy level.

The Architecture and Reference Framework

The eIDAS Architecture and Reference Framework (ARF) provides technical guidance for implementing the regulation. It outlines a technology-neutral architecture built around key principles: user-centricity, security, privacy, and interoperability. The ARF defines functional, legal, and technical requirements for compliant systems and assigns clear roles to identity providers, attribute providers, trust service providers, and relying parties.

The framework is structured into three layers: the application layer (supporting identity and trust services), the service layer (including authentication and validation services), and the infrastructure layer (comprising technical components, such as certificate authorities). This layered approach ensures that implementations across member states can interoperate while allowing flexibility in specific technical choices.

Cross-border interoperability

A key objective of eIDAS 2.0 is to facilitate seamless cross-border identity verification. A German citizen should be able to use their digital wallet to access services in France, open a bank account in Spain, or prove their qualifications to an employer in Italy. The regulation ensures mutual recognition of digital identities across all member states.

This interoperability extends to the private sector. When a European business accepts the digital wallet for identity verification, they can trust that the credential meets consistent standards regardless of which member state issued it.

Lessons for other jurisdictions

eIDAS 2.0 represents a coordinated regulatory approach to digital identity that other jurisdictions are studying carefully. The framework illustrates how privacy protections can be mandated by law, how acceptance can be mandated across sectors, and how interoperability can be achieved through the use of common standards.

However, the European approach also illustrates implementation challenges. Years of investment have yielded slower-than-expected adoption, and repeated delays have pushed back the timeline. States and countries looking at eIDAS 2.0 as a model can learn from both its privacy-first principles and its implementation experiences, drawing on its research while potentially avoiding its pitfalls by leading with market alignment rather than granular regulation.