eIDAS 2.0 and the EUDI Wallet

TL;DR — the changes and deadlines that matter

WhatWhenWhy it mattersRegulation (EU) 2024/1183 entered into force20 May 2024The amended eIDAS framework is now law across the EUTechnical implementing acts finalised21 November 2024 (initial wave)Set the 24-month rollout clockMember states must provide at least one EUDI Wallet24 December 2026The "availability" milestoneMandatory acceptance by designated relying parties6 December 2027The "acceptance" milestone — banks, large platforms, regulated servicesAML Regulation (AMLR) applies10 July 2027Wallet-based KYC becomes a unified EU baselineNew: EUDI Wallet—A phone-based digital wallet with government-verified identity and credentialsNew: Qualified Electronic Attestations of Attributes (QEAA)—Cryptographically verifiable, qualified-tier attribute credentialsNew: Free wallet for citizens—Issuance, use, revocation must be free for natural personsNew: Selective disclosure as a design requirement—Privacy-preserving by mandate, not by choiceNew: Browser obligation for QWACs—Major browsers must recognise qualified website authentication certificatesNew: Electronic ledgers as a trust service—Blockchain-style trust services formally recognised

The two foundational changes from the 2014 framework: the EUDI Wallet itself (which didn't exist before) and the harmonised cross-border wallet acceptance regime (replacing a fragmented set of national eID schemes).

From eIDAS 1.0 to eIDAS 2.0: what actually changed

The original eIDAS Regulation (EU) 910/2014 established the foundational framework for electronic identification and trust services in the EU when it entered into force in July 2014. It created the legal categories of Simple, Advanced, and Qualified Electronic Signatures (SES / AdES / QES); the framework for Qualified Trust Service Providers (QTSPs); and the technical baseline for cross-border recognition of electronic identification schemes notified by member states.

eIDAS 1.0 had three structural weaknesses that the 2024 amendment addresses.

Voluntary national eID schemes. Member states could choose to notify electronic identification schemes for cross-border recognition. Many did not, and the schemes that were notified varied substantially in user experience, security level, and adoption. The result was that even by 2023, an EU citizen travelling between member states for routine digital interactions often couldn't use their home country's digital identity in the destination country's services.

No common user-facing layer. There was no concept of a "wallet" or single user interface across member states. Each notified eID scheme had its own app, login flow, and operating model.

Limited credential types. Beyond signatures, seals, and timestamps, the framework didn't have a robust mechanism for everyday credential exchange — proving you hold a driving licence, a professional qualification, a healthcare entitlement, or an age claim — in a privacy-preserving way.

eIDAS 2.0 addresses each:

Mandatory wallet availability. Every member state must provide at least one EUDI Wallet by 24 December 2026 — there's no opt-out. The wallet is the harmonised user-facing layer across all 27 member states.

Common technical specification. The Architectural Reference Framework (ARF), maintained by the European Commission and currently at version 2.8, sets out the technical requirements that all wallets must meet for cross-border interoperability. Implementations may vary at the UX level but must conform to the technical specification.

Rich credential types. eIDAS 2.0 introduces Electronic Attestations of Attributes (EAAs) and their qualified variant (QEAAs) as the formal credential type for everyday attributes — much broader than the signature-and-seal focus of the original framework.

For the underlying legal and conceptual continuity with the US framework, see our ESIGN Act vs UETA overview and electronic signature vs digital signature for the terminological foundation.

The EUDI Wallet: what it actually is

The European Digital Identity Wallet is, at its most concrete level, a smartphone application — provided by or on behalf of each EU member state — that allows citizens, residents, and businesses to store, manage, and selectively present digital credentials. At the regulatory level, it's the central new infrastructure introduced by eIDAS 2.0 and the mechanism through which most of the framework's operational obligations are realised.

The wallet has four functional layers:

Identity. A government-issued Person Identification Data (PID) credential establishes the holder's verified identity. The PID is issued by the member state and contains the core identity attributes (name, date of birth, nationality, document number, etc.) that meet the assurance level required for the wallet.

Attribute credentials. Beyond the PID, the wallet holds Electronic Attestations of Attributes — verifiable claims issued by trusted parties (universities, employers, healthcare providers, professional bodies, governments) about specific attributes of the holder. A diploma from a university, a driving licence from a national authority, a professional certification, a healthcare insurance entitlement — each is an EAA stored in the wallet.

Presentation. The wallet can present credentials to verifiers — websites, apps, in-person services — typically via QR code (online and offline) or NFC tap. The presentation flow supports selective disclosure: the holder reveals only the specific attributes a verifier needs, not the entire credential.

Authentication. The wallet provides Strong Customer Authentication (SCA) for online services, replacing or supplementing existing methods (passwords, SMS codes, hardware tokens) in regulated workflows including banking, healthcare, and public services.

Three ways wallets are provided. Member states can provide wallets directly (operating them as a government service), delegate to a body on the state's behalf, or accept wallets from private parties that comply with the technical standards. The regulatory framework was deliberately left open to enable both public and private wallet ecosystems. As of mid-2026, multiple member states have publicly committed to multi-wallet ecosystems where state-operated wallets coexist with private ones meeting the same technical standards.

Voluntary use, mandatory availability. Citizens cannot be required to use the wallet — alternative authentication and credential presentation methods must remain available. But the wallet must be available to every citizen who wants one, and for designated services, must be accepted when presented.

Free at the point of use. Issuance, use, and revocation of the EUDI Wallet must be free of charge for natural persons. This is a structural commitment that distinguishes the framework from private-sector digital identity products.

The new credential types

eIDAS 2.0 introduces and formalises a credential taxonomy that didn't exist in the 2014 framework. Three types matter most.

Person Identification Data (PID). The foundational identity credential issued by the member state to the wallet holder. Contains the government-verified attributes that establish identity at the appropriate assurance level (typically Level of Assurance "High" under the eIDAS assurance levels). The PID is the trust anchor for the rest of the wallet's contents.

Electronic Attestations of Attributes (EAAs). Non-qualified attribute credentials issued by entities that hold authoritative information about the attribute being attested. A university issuing an EAA confirming a degree; an employer issuing an EAA confirming employment; a sports federation issuing an EAA confirming a coaching certification. EAAs use the same cryptographic standards as qualified credentials but don't carry the qualified-tier legal effects.

Qualified Electronic Attestations of Attributes (QEAAs). EAAs issued by Qualified Trust Service Providers (QTSPs), inheriting the qualified-tier legal effects of other qualified trust services — including cross-border legal equivalence to physical credentials, formal presumption of authenticity, and the right to be relied upon by relying parties across the EU.

Public EAAs (PubEAAs). A specific subcategory of EAAs issued by public authorities (member state government bodies and certain EU institutions) that carry trust grounded in their public-sector origin rather than QTSP qualification.

The taxonomy maps naturally to the W3C Verifiable Credentials Data Model 2.0, which reached W3C Recommendation status in May 2025 and is the dominant international standard for verifiable credentials. The European Commission is formally assessing VC 2.0 for eIDAS recognition, with the assessment expected to complete in 2026. The practical alignment is already underway in most production wallet implementations.

For a deeper look at how credential-style verifiable issuance works in practice across both regulated and unregulated contexts, see our QR code certificate verification guide.

What changed for existing trust services

eIDAS 2.0 retains the existing trust service framework — electronic signatures, electronic seals, time stamps, qualified website authentication certificates, electronic registered delivery — and adds new categories while strengthening obligations on existing ones.

Electronic signatures (SES, AdES, QES). The three-tier model from eIDAS 1.0 is preserved: Simple, Advanced, and Qualified. QES retains its automatic cross-border equivalence to handwritten signatures. The new wallet creates a streamlined path for citizens to use QES via the wallet-bound qualified certificate — the wallet becomes the qualified signature creation device for many citizens, simplifying what was previously a more cumbersome hardware-token workflow. For the full QES picture and how it sits in the verifiable-signature spectrum, see our verifiable e-signature flagship guide.

Electronic seals. The corporate equivalent of electronic signatures (for legal persons rather than natural persons) is preserved with the same three-tier structure.

Time stamps. Qualified time stamps from qualified TSAs remain a foundational building block for long-term validation. PAdES-LTV and equivalent long-term validation profiles depend on them. See QR code signature validation for how qualified time stamps anchor decade-horizon verification.

Qualified Website Authentication Certificates (QWACs). eIDAS 2.0 introduces a controversial new obligation: major web browsers operating in the EU must recognise QWACs as part of their trust stores. The intent is to give EU citizens stronger guarantees about the identity of websites they visit; the implementation has been contentious because browsers historically maintained their own root stores based on their own security criteria. The technical compromise involves displaying QWAC information in a specific UX layer alongside (rather than replacing) existing TLS trust indicators.

Electronic registered delivery services. Updated with new interoperability standards via Commission Implementing Regulation (EU) 2025/1944, published 29 September 2025, which sets reference standards for sending and receiving data in qualified electronic registered delivery.

New: Electronic archiving. Qualified electronic archiving is added as a formal trust service, providing legal certainty for long-term retention of electronic documents in qualified-tier archives.

New: Electronic ledgers. Distributed-ledger-based trust services are formally recognised. This is the eIDAS 2.0 response to the rise of blockchain-anchored credentials and tokens — providing a regulated framework rather than a free-form acceptance of any blockchain claim.

The implementing acts cascade (2024–2026)

The regulation itself sets the framework; the implementing acts make it operational. Commission Implementing Regulations have been published in successive batches from late 2024 through 2026, defining the detailed technical and operational requirements. As of May 2026, 31 implementing acts have been published, with several more expected before the December 2026 deadline.

Key implementing acts to know:

Commission Implementing Regulation (EU) 2024/2977 — sets the rules for PID and EAA issuance to EUDI Wallets. Published late 2024.

Commission Implementing Regulation (EU) 2025/1944 — interoperability standards for qualified electronic registered delivery services. Published 29 September 2025.

Commission Implementing Regulation (EU) 2025/2160 — risk policies for non-qualified trust services. Published November 2025.

Commission Implementing Regulation (EU) 2025/2162 — accreditation of conformity assessment bodies for QTSPs. Published November 2025.

Commission Implementing Regulation (EU) 2026/798 — wallet enrolment rules. Published 8 April 2026; the most recent key piece as of writing.

The implementing acts cover topics including the technical architecture of the wallet, the data formats for credentials, the cryptographic algorithms required, the interoperability protocols between wallets and relying parties, the certification and conformity assessment regime for wallets and credential issuers, the security requirements, the privacy controls including selective disclosure mechanisms, the cross-border recognition framework, and the rules for trust service providers.

Each implementing act goes through a structured process: Commission draft, inter-service consultation, public feedback period (typically a month), comitology with member state representatives, and formal adoption. The Architectural Reference Framework (ARF), the technical specification, is updated in parallel — version 2.8 is current as of May 2026.

The deadlines that organisations need to track:

20 May 2024. Regulation (EU) 2024/1183 entered into force.

21 November 2024. Initial wave of implementing acts adopted, starting the 24-month clock for wallet availability.

Throughout 2025. Implementing acts cascade continues. Large-scale pilots across all 27 member states. Trust services align with new standards.

Through 2026. Additional implementing acts published. Member states finalise national wallet implementations. Conformity assessment bodies accredited. Trust service providers update systems.

24 December 2026. Every EU member state must make at least one EUDI Wallet available to its citizens. (Some member states will likely miss this deadline, per the Commission's own assessment in early 2026.)

Qualified Trust Service Providers issuing qualified electronic signatures

Private parties legally required to use strong user authentication (banks under PSD2, healthcare providers, telecoms in some contexts)

Public services using electronic identification

10 July 2027. EU Anti-Money Laundering Regulation (AMLR) applies, with wallet-based KYC as a unified baseline across the EU. Financial institutions will need to align customer due diligence flows with wallet acceptance.

2027–2030. Continuing rollout, certification, and the EU's 80% wallet adoption target by 2030.

The state of rollout in 2026

The reality on the ground is more mixed than the headline deadlines suggest. As of mid-2026:

Strongest progress has come from France, Italy, Spain, Estonia, and Poland — each with active wallet development, public timelines, and material progress on technical implementation. France's France Identité programme has been particularly visible. Poland's mObywatel ecosystem has nearly 10 million users on the version 2.0 baseline, transitioning to a version 3.0 that incorporates EUDI Wallet compliance by end of 2026.

Strong second tier includes Austria (combining ID Austria and eAusweise into a wallet-compliant programme), Belgium (BOSA's MyGov.be), Greece, Portugal, Sweden, and Denmark (with the explicit AltID staged implementation).

Slower but committed are Germany (which announced a January 2027 launch date for its state-driven wallet, before opening to private wallet operators), and several others where political and technical complexity have produced realistic-but-late timelines.

At risk of materially missing the December 2026 deadline are member states with thin public evidence of operational rollout plans — though these are increasingly the minority.

The Commission acknowledged in early 2026 that fewer than one quarter of member states had EUDI Wallet-enabled applications in active testing, raising legitimate questions about full-deadline compliance. The result is likely to be a staggered rollout rather than a synchronised December 2026 launch — some member states delivering on time, others operating in compliance gaps for some months.

For organisations relying on the framework, this has a practical implication: the 6 December 2027 acceptance deadline applies regardless of any particular member state's availability delay. Relying parties cannot use a member state's late rollout as a reason to delay their own acceptance preparation.

What organisations need to do now

The right preparation varies substantially by sector and role.

Trust service providers and would-be QTSPs. Update conformity to the latest implementing acts. Pursue qualification for new credential types (QEAAs, electronic ledgers, qualified electronic archiving). Prepare for browser-level QWAC recognition rollout. The window for becoming a QTSP for new credential types is narrowing — early entrants benefit from establishing market position before the broader ecosystem standardises.

Banks, financial services, and PSPs. Plan for EUDI Wallet acceptance for SCA by 6 December 2027. Align customer due diligence flows with AMLR's July 2027 applicability date — wallet-based KYC will become an expected baseline. Decide whether to operate as an attribute issuer (issuing EAAs about customer attributes for use elsewhere). PSD2's existing SCA framework will increasingly intersect with wallet-based authentication.

Healthcare providers and insurers. Plan for issuance of EAAs covering healthcare entitlements, insurance status, prescription rights, and immunisation records. The wallet model is the natural evolution of the COVID Digital Certificate infrastructure. See our healthcare records guide for the issuance-side perspective.

Universities and educational institutions. Plan for issuance of EAAs and QEAAs covering degrees, transcripts, and professional certifications. Open Badges 3.0, which is built on W3C VC 2.0, is the de facto current standard and is increasingly EUDI Wallet-compatible.

Employers and HR teams. Plan for issuance of employment-related credentials (employment status, role, salary, professional credentials) as EAAs alongside or instead of traditional PDF letters. Our verifiable employment verification letters guide covers the dual-format pattern.

Government and public sector. Plan for both issuance (member-state services becoming credential issuers) and acceptance (services accepting wallet-presented credentials for identification). See our permits and licences guide.

Very Large Online Platforms (VLOPs). The acceptance obligation is direct. Plan for wallet-based identification flows in user onboarding and age verification. Most large platforms are now in active implementation.

Non-EU organisations operating with EU users or customers. The framework's extraterritorial reach is real where you have EU users — wallet acceptance, age verification, and KYC obligations may apply to your services even if your primary jurisdiction is elsewhere. UK organisations post-Brexit, US platforms with EU users, and Asia-Pacific firms operating in the EU all need to plan for EUDI Wallet integration on the same timeline as EU-domiciled organisations.

For organisations under formal information security frameworks (SOC 2, ISO 27001), eIDAS 2.0 alignment is increasingly being incorporated as a control. Our CISO's guide to document trust covers the framework integration.

Cross-border and global implications

eIDAS 2.0 is an EU regulation but its effects extend beyond EU borders in several ways.

UK and post-Brexit relationship. The UK is no longer in eIDAS but has chosen a similar regulatory trajectory with its own digital identity programme. UK organisations operating with EU partners and customers will need to handle EUDI Wallet credentials whether or not the UK adopts a fully aligned framework. The UK's own trust framework and the eIDAS framework will need bridging — likely through bilateral recognition arrangements that are still being negotiated.

US-EU bridging. The US has no equivalent federal digital identity framework. State-level mobile driving licence programmes (built on ISO/IEC 18013-5, the same standard underlying parts of the EUDI Wallet) are the closest analogue. US organisations issuing credentials that will be presented in the EU will increasingly find it efficient to use W3C VC 2.0 (which aligns to eIDAS 2.0 directions) as a common standard. See our pillar guide on scan-to-verify documents for the global pattern.

Cross-border credential recognition within the EU. This is the framework's central promise: a credential issued in one member state must be recognisable in every other. The technical interoperability is being tested through cross-member-state pilots; the regulatory framework requires mutual recognition; the operational reality is that 2027-2028 will see substantial real-world cross-border use.

Norway, Iceland, and Liechtenstein. Members of the European Economic Area participate in the framework even though not EU member states.

Ukraine. Participates in some pilot work as part of the EU's pre-accession engagement.

Common misconceptions and pitfalls

A handful of misunderstandings show up frequently enough to be worth flagging.

"The EUDI Wallet is mandatory for citizens." It isn't. Citizens have a right to a wallet but no obligation to use one. Member states must offer alternative identification and credential presentation methods.

"The 2026 deadline only matters for EU organisations." Not so. Non-EU organisations with EU users or customers face acceptance obligations on the same timeline for the services they offer in the EU.

"Once we accept QES, we're compliant." Wallet acceptance is broader than just QES. The mandatory acceptance regime for designated relying parties applies to wallet-presented identification and credentials, not just qualified signatures.

"eIDAS 2.0 replaces ESIGN and UETA for US-EU business." It doesn't. US e-signature law and EU e-signature law continue to govern their respective jurisdictions. The frameworks have always been compatible at the bottom (a signature valid under one is generally enforceable in the other) and remain so. eIDAS 2.0 adds new obligations for EU-side use of wallet-based credentials; it doesn't extend US law or replace it.

"The wallet is just for identification." It's much more. Identification (PID) is the foundation, but the substantive value is in the credentials the wallet carries — diplomas, licences, insurance, employment, health records — and the selective-disclosure mechanism for sharing them.

"All wallets will look the same." Not at the UX level. The Architectural Reference Framework specifies technical interoperability, not user experience. Different member states' wallets and private-sector wallets will compete on UX even while remaining interoperable at the protocol level.

"Blockchain will be at the centre of all this." The framework recognises electronic ledgers as a trust service but doesn't mandate blockchain for anything else. Most production wallet implementations use traditional PKI-based cryptography for the substantive credential operations, with blockchain reserved for specific use cases where it adds value.

Is eIDAS 2.0 actually in force right now?

Yes. Regulation (EU) 2024/1183 entered into force on 20 May 2024 and is currently effective EU law. The operational deadlines — wallet availability December 2026, mandatory acceptance December 2027 — are upcoming, but the legal framework is already in place and being progressively activated through implementing acts.

Will EUDI Wallets work outside the EU?

Wallet credentials issued in the EU can be presented to verifiers anywhere — the underlying cryptographic standards are international (W3C VC 2.0, ISO/IEC 18013-5). Whether a non-EU verifier recognises the credential is a function of that verifier's trust framework, not the wallet's technical capability.

Do all 27 member states need to launch their wallets on the same day?

Not technically. The deadline of 24 December 2026 requires availability by that date, but the rollout is being staggered in practice. Some member states will launch ahead, others may miss the deadline. The 6 December 2027 acceptance deadline applies regardless of any member state's timing slips.

What's the difference between an EAA and a QEAA?

Both are Electronic Attestations of Attributes — verifiable claims about specific attributes of the holder. A QEAA is issued by a Qualified Trust Service Provider and carries qualified-tier legal effects including formal cross-border recognition and presumption of authenticity. An EAA is non-qualified but still cryptographically secure and verifiable; it just doesn't carry the qualified-tier legal presumptions.

Does eIDAS 2.0 require blockchain for credentials?

No. Electronic ledgers are recognised as a trust service category, providing a regulated path for organisations that want to use distributed ledger technology, but the framework is technology-neutral. Most credential issuance uses traditional PKI-based cryptography.

How does eIDAS 2.0 affect existing PAdES-signed PDFs?

PAdES remains the relevant standard for PDF signatures under eIDAS 2.0. Existing PAdES-signed documents retain their legal status. The wallet creates a new path for citizens to generate PAdES (and other format) signatures via the qualified-certificate-on-wallet mechanism, but doesn't supersede the existing format.

Can a US company become a QTSP under eIDAS 2.0?

A non-EU entity can pursue qualified status for trust services it offers in the EU through the conformity assessment framework, but this involves substantial regulatory engagement and typically a presence in an EU member state. Most non-EU organisations operate at the AdES rather than QES tier when serving EU customers.

What happens to existing notified eID schemes (Italy SPID, Germany ID Card, etc.)?

They continue to operate alongside the EUDI Wallet during a transition period. Some member states are evolving their existing schemes into the wallet model; others are deploying parallel wallets. By the late 2020s, the wallet is expected to be the dominant cross-border identification mechanism, with existing national schemes either being absorbed or operating in parallel for domestic-only contexts.

Will GDPR conflict with the EUDI Wallet's data flows?

GDPR and eIDAS 2.0 are designed to be complementary. The wallet's selective disclosure capability is, in fact, a GDPR-positive feature — it allows holders to share only the minimum data necessary for a given verification. The framework explicitly incorporates GDPR's data minimisation principle as a design requirement.

How does this affect Strong Customer Authentication under PSD2?

The EUDI Wallet provides a method that satisfies PSD2's SCA requirements, simplifying the user experience for banking transactions. Banks must be ready to accept wallet-based SCA by the 6 December 2027 deadline. PSD2's existing SCA framework continues to operate; the wallet adds a new authentication path rather than replacing alternatives.

What's the practical first step for an organisation that's not sure where to start?

Audit your current identification, authentication, and credential workflows for EU touchpoints. Identify which workflows will be subject to mandatory wallet acceptance by 6 December 2027 (typically SCA-required, regulated-sector, or VLOP-equivalent flows). Engage with at least one EUDI Wallet integration partner or QTSP to understand the technical integration. For most organisations, the work is meaningful but bounded — a multi-quarter engineering project, not a multi-year rebuild.

VerifyDoc.ai supports issuance of W3C Verifiable Credentials and PAdES-compliant signed PDFs aligned with eIDAS 2.0 directions, including the dual-format issuance pattern that bridges PDF workflows and wallet-based presentation. For the broader category architecture, see our scan-to-verify documents pillar guide; for the cryptographic foundations, QR code signature validation.