eIDAS 2.0: The EU Digital Identity Wallet
eIDAS 2.0 mandates an EU Digital Identity Wallet by late 2026. How the EUDI Wallet transforms KYC, document verification, and identity workflows.
Summarize this article with
ChatGPT
Claude
Perplexity
Gemini
GrokA compliance officer at a mid-size German bank opens her inbox on a Monday morning. Three new corporate clients need onboarding this week. Each one requires certified copies of passports, utility bills, articles of incorporation, shareholder registers, and beneficial ownership declarations -- scanned, emailed, manually checked against databases, and filed in a folder that will sit untouched until the next audit. The process takes her team an average of four hours per client. By Thursday, she learns that one passport was expired, one utility bill was older than three months, and one shareholder register listed a beneficial owner who had been added to the EU sanctions list two days after submission. The week is lost. The risk is real.
This scenario -- repeated thousands of times daily across European financial institutions, law firms, real estate agencies, and insurance companies -- is precisely what the European Union intends to eliminate with eIDAS 2.0 and the European Digital Identity Wallet (EUDI Wallet). The regulation does not just digitize existing processes. It replaces the entire paradigm of document-based identity verification with real-time, cryptographically signed, user-controlled credential sharing.
What Is eIDAS 2.0?
eIDAS 2.0 refers to Regulation (EU) 2024/1183, signed on 11 April 2024 and published in the Official Journal of the European Union on 30 April 2024. It amends the original eIDAS Regulation (EU) No 910/2014, which established the first EU-wide framework for electronic identification and trust services.
The original eIDAS Regulation achieved significant results -- mutual recognition of national eIDs, legal validity for electronic signatures -- but adoption remained fragmented. Only 14% of public services across Member States accepted cross-border eIDs by 2023, and private-sector adoption was negligible. eIDAS 2.0 addresses these gaps by introducing one transformative element: the EUDI Wallet.
Key Legislative Changes
| Aspect | eIDAS 1.0 (2014) | eIDAS 2.0 (2024) |
|---|---|---|
| Scope | Public sector focus | Public and private sector |
| Wallet requirement | None | Mandatory: each Member State must offer at least one |
| Credential types | National eIDs | Verifiable credentials (diplomas, licenses, health data, corporate documents) |
| User control | Limited | Full user consent per attribute shared |
| Cross-border use | Theoretical | Mandatory mutual recognition |
| Private sector acceptance | Voluntary | Mandatory for specified industries by late 2027 |
| Security certification | National schemes | EU Cybersecurity Certification (ENISA) |
The regulation entered into force on 20 May 2024. The first set of implementing regulations was published on 4 December 2024 and entered into force 20 days later. This triggers a 24-month countdown: every Member State must provide at least one EUDI Wallet to its citizens, businesses, and residents by late 2026.
The EUDI Wallet: How It Works
The EUDI Wallet is a mobile application -- issued or endorsed by a Member State -- that stores verifiable credentials on the user's device. It is not a centralized database. The wallet holds cryptographic proofs of identity attributes (name, date of birth, nationality, address) as well as qualified electronic attestations of attributes (driving licenses, professional qualifications, company registration data, health certificates).
The Verification Flow
A typical EUDI Wallet interaction follows four steps:
- QR code scan. A relying party (bank, employer, landlord, online service) presents a QR code or deep link specifying which credentials it needs.
- Authentication. The wallet user authenticates locally -- biometrics, PIN, or device unlock -- to prove possession of the wallet.
- Data selection. The user reviews exactly which attributes will be shared and grants explicit consent. The wallet supports selective disclosure: if a service only needs to confirm that the user is over 18, only that boolean attribute is shared -- not the full date of birth, not the name, not the address.
- Instant sharing. The signed credential is transmitted directly to the relying party. The relying party can cryptographically verify its authenticity and integrity in real time -- no phone calls to issuing authorities, no waiting for database lookups.
This flow replaces the traditional model of photocopying documents, emailing scans, and manually verifying authenticity -- a process that is slow, error-prone, and fundamentally insecure.
What Credentials Can the Wallet Hold?
The regulation and its implementing acts define several categories of attestations:
- Person Identification Data (PID): name, date of birth, nationality, unique identifier
- Qualified Electronic Attestations of Attributes (QEAAs): driving licenses, educational diplomas, professional qualifications, health insurance cards
- Electronic Attestations of Attributes (EAAs): loyalty cards, membership credentials, employer attestations
- Corporate credentials: company registration data, power of representation, beneficial ownership structure
For businesses performing KYC due diligence, this means that a single wallet interaction can replace an entire stack of certified documents.
Implementation Timeline
The rollout follows a phased approach:
| Milestone | Target Date | Status |
|---|---|---|
| Regulation enters into force | 20 May 2024 | Complete |
| First implementing acts published | 4 December 2024 | Complete |
| Large-scale pilot programs (LSPs) conclude | Mid-2025 | Complete |
| Member States must offer at least one wallet | Late 2026 | In progress |
| Mandatory acceptance by specified private-sector relying parties | Late 2027 | Pending |
| EU Digital Decade target: 80% citizen adoption | 2030 | Target |
The European Commission's digital strategy page tracks progress across Member States. As of early 2026, implementation maturity varies significantly. Countries like France, Germany, and Estonia are well advanced in their pilot programs, while others -- including the Netherlands and Bulgaria -- have signaled that meeting the late 2026 deadline will be challenging.
The EU's Digital Decade Policy Programme sets an ambitious adoption target: 80% of EU citizens using a digital identity solution by 2030, with the EUDI Wallet as the primary instrument. Industry analysts consider this target aggressive, with some projecting that the 80% mark may not be reached until 2032.
Impact on KYC and Document Verification
The EUDI Wallet fundamentally changes how regulated entities perform identity verification. The shift from document-based KYC to credential-based KYC has implications across the entire compliance chain.
From Photocopies to Cryptographic Proofs
Under the current model, a customer submitting an identity document provides a copy -- a photograph or scan of a physical document. The regulated entity must then determine whether the copy is authentic, whether the document itself is valid, and whether the person presenting it is the legitimate holder. This process is inherently vulnerable to forgery, expiration, and human error.
With the EUDI Wallet, the credential is cryptographically signed by the issuing authority. The relying party receives a verifiable proof -- not a copy of a document, but a signed assertion from the government that the person's name is X, their date of birth is Y, and their nationality is Z. Forgery becomes computationally infeasible -- a decisive advantage as deepfakes and AI-generated synthetic documents make traditional document forgery easier than ever. Expiration is embedded in the credential metadata and checked automatically. The person's control over the wallet is verified through local biometric authentication.
For businesses already navigating the expanding scope of AMLD6 compliance, the EUDI Wallet offers a pathway to meet enhanced due diligence requirements with significantly lower friction and higher assurance.
Real-Time Verification vs. Batch Processing
Traditional document verification operates in batch mode: documents are collected, queued, reviewed by a compliance team, and results are communicated hours or days later. The EUDI Wallet enables real-time verification. A customer scanning a QR code at a bank branch or on a website receives instant confirmation -- or rejection -- within seconds.
This shift has direct consequences for onboarding conversion rates, customer experience, and operational costs. Financial institutions that currently spend 4-6 hours per corporate KYC file can expect to reduce verification time by 70-80% for the identity component.
Security Risks: When the Wallet Becomes the Target
The concentration of identity attributes in a single mobile application creates a high-value target for cybercriminals. A compromised EUDI Wallet does not just expose a single document -- it potentially grants access to a person's entire digital identity: name, address, financial credentials, health data, professional qualifications.
Threat Vectors
The principal risks include:
- Device compromise. Malware or physical theft of the device hosting the wallet.
- Social engineering. Phishing attacks that trick users into authenticating to malicious relying parties, sharing credentials they did not intend to share.
- Oversharing through dark patterns. Relying parties designing consent flows that nudge users into sharing more data than necessary -- a concern raised by privacy researchers at the European Identity Conference.
- Supply chain attacks. Compromised wallet implementations or trust service providers.
The regulation mandates that wallet solutions be certified under the EU Cybersecurity Act framework, with ENISA defining the certification requirements. However, the definition of "full user control" remains ambiguous across Member States, creating potential disparities in security assurance levels.
Mitigation Requirements
Regulated entities accepting EUDI Wallet credentials must implement their own controls: verifying the certification status of the wallet, checking credential revocation lists, and logging all verification events for audit purposes. The DORA regulation imposes additional ICT risk management obligations on financial entities, including for systems that process digital identity credentials.
GDPR Alignment: Data Minimization by Design
The EUDI Wallet's architecture is explicitly designed to align with GDPR principles. Several features directly implement core data protection requirements:
Selective disclosure. The wallet allows users to share only the specific attributes required for a transaction. A car rental company needs to confirm a valid driving license and minimum age -- not the customer's home address or date of birth. The wallet can share a boolean ("is over 25: yes") without revealing the underlying data.
No central database. Credentials are stored on the user's device, not in a government-operated central repository. This eliminates the single-point-of-failure risk inherent in centralized identity databases.
Right to erasure. Users can delete credentials from their wallet at any time. The regulation also requires that relying parties not retain more data than necessary and respect data minimization principles.
Consent per transaction. Every data share requires explicit user consent, with a clear presentation of which attributes will be transmitted to which party for which purpose.
Unlinkability. The architecture aims to prevent relying parties from correlating a user's transactions across different services -- though the practical implementation of this principle remains a subject of active technical debate.
For organizations processing identity documents under GDPR, the wallet model reduces the compliance burden significantly. Instead of storing copies of passports and utility bills -- with all the associated data protection obligations for secure storage, access control, retention periods, and breach notification -- the organization stores only the verification result and a cryptographic proof of the transaction.
How CheckFile Integrates EUDI Wallet Verification
The transition from document-based verification to credential-based verification will not happen overnight. For the foreseeable future, businesses will operate in a hybrid environment: some customers presenting EUDI Wallet credentials, others submitting traditional documents (scanned passports, utility bills, corporate filings).
CheckFile is designed for exactly this hybrid reality. The platform already automates the validation of traditional documents -- checking authenticity, extracting data, cross-referencing against databases, and flagging anomalies. As EUDI Wallet adoption scales across Member States, CheckFile will extend its verification workflows to accept and validate wallet-issued credentials alongside traditional document submissions.
This means a single integration point for compliance teams: whether a customer shares a cryptographically signed credential from their EUDI Wallet or uploads a scanned copy of their passport, CheckFile processes both through the same workflow, applies the same compliance rules, and produces a unified audit trail.
The result is continuity. Organizations do not need to build and maintain two separate verification systems during the transition period. They do not need to retrain compliance teams on entirely new tools. They get a single platform that evolves with the regulatory landscape.
FAQ
When will the EUDI Wallet be available in my country?
Each EU Member State must provide at least one EUDI Wallet by late 2026, following the 24-month implementation period triggered by the December 2024 implementing acts. However, readiness varies significantly. Countries like France -- where France Identite's single-use identity proofs already prefigure the EUDI Wallet experience -- Germany, and Estonia are advanced in their pilots. Others, including the Netherlands, have indicated they may not meet the deadline. Check your national digital identity authority for country-specific timelines.
Will the EUDI Wallet replace physical identity documents?
Not immediately. The EUDI Wallet is designed to complement physical documents, not replace them. For the foreseeable future, citizens will carry both. However, as private-sector acceptance becomes mandatory (expected by late 2027 for specified industries), the wallet will increasingly become the preferred -- and in some cases required -- method of identity verification for online and in-person transactions.
How does the EUDI Wallet affect my existing KYC processes?
The wallet introduces a new verification channel alongside traditional document submission. Regulated entities will need to update their onboarding workflows to accept wallet-issued credentials, verify their cryptographic signatures, and log the verification events. Existing document verification processes remain necessary for customers who do not yet have a wallet. Platforms like CheckFile enable both channels through a single integration.
Is the EUDI Wallet safe from fraud?
The wallet provides significantly stronger anti-fraud guarantees than traditional document verification. Credentials are cryptographically signed by issuing authorities and cannot be forged without breaking the underlying cryptographic algorithms. However, risks remain at the user level (device theft, social engineering) and at the implementation level (variations in security certification across Member States). Organizations should implement defense-in-depth strategies that combine wallet verification with additional fraud detection measures.
The regulatory landscape for identity verification in Europe is shifting from documents to credentials, from batch processing to real-time verification, and from centralized databases to user-controlled wallets. Whether your organization is preparing for eIDAS 2.0 compliance or optimizing existing KYC workflows, CheckFile provides the document validation infrastructure to handle both traditional and credential-based verification in a single platform. Explore our pricing plans to find the right fit for your compliance needs.