All about eIDAS 2: Dates, approach, news and EUDI wallet

    The eIDAS 2 Regulation is a reality. After years of debate about its scope and arduous negotiations by EU member states and parliamentary groups in the European Parliament, eIDAS 2.0 has been approved with a large majority of the chamber's support. How does it affect you?

    Next, we will review the latest news on the new standard, look at the latest changes surrounding its approval and analyze how both citizens and companies can make use of all the advantages offered by eIDAS2.

    Latest news about eIDAS 2

    In November 2023, negotiations for the proposal and draft update of eIDAS (electronic IDentification, Authentication and trust Services) Regulation were finalized. After that, a final text was drafted, which was approved by all member states during the Spanish presidency of the Council of the European Union. 

    eIDAS 2 is the legal framework we must turn to in order to understand e-services and citizen identification in the European Union. From now on, European countries have a deadline to implement a series of changes that will transform the way in which citizens, companies and institutions interact with each other. New, more agile, simpler and, above all, more secure ways of doing business.

    With 335 votes in favor, eIDAS 2 finally saw the light of day on February 29, 2024. In our previous article we already went over all the differences and substantial changes between eIDAS and eIDAS 2, but let's make a summary:

    What is eIDAS 2

    eIDAS 2 is a revision of Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the European internal market. The revision is intended to go much further, with the intention of providing European companies, organizations and citizens with digital tools with which to identify themselves, share information and perform sensitive transactions with total data security.

    • It reinforces security of electronic identification and trust services, providing new methods of identification (new digital identification document within EUDI Wallet) and authentication, as well as expanding the number of trust services to address use cases that were ambiguously resolved by the previous standard.
    • New types of credentials are introduced, such as verifiable credentials. These allow users to demonstrate and share their chosen attributes (age, qualifications, permissions, credit score, etc.) without revealing unnecessary personal information.
    • Promotion of digital self-sovereign identity, where users have greater control over their personal data, based on an official digital ID from EU and each state.
    • Facilitates cross-border interoperability of trust services.
    • It extends the scope of eIDAS to new sectors, such as healthcare, mobility and education. It also expands the obligations of FinTech and other BFSIs to identify their clients.
    • New security levels have been defined: A fourth "very high" security level has been introduced for high-risk transactions.

    Thus, by amending the previous standard, we have a new framework for a European Digital Identity (COM(2021)0281 - C9-0200/2021 - 2021/0136(COD)) or eIDAS 2 Regulation. Its publication in the OJ-EU (European Union’s Official Journal) is imminent. It is important to highlight that eIDAS2 will coexist and must be related to other important rules such as PSD3, AML6, DORA Regulation, NIS2, GDPR and the associated regulations in each member state as well as the mandates of sector regulators (such as SEPBLAC and ENS in markets such as Spain).

    Digital identity in eIDAS 2 Regulation

    From now on, all EU citizens, as well as residents, will have the ability to easily manage their identity data and, if they wish, offer it in a segmented way to companies, administrations and other citizens. This involves actions to request, select, combine, store, delete, share and submit data related to their identity in a secure manner (in accordance with the GDPR).

    The main objective of eIDAS 2 is to provide users with a European digital identity wallet that is fully portable, secure and easy to use for the purposes we have described above. As a transitional measure, until unalterable certified solutions are implemented, such as protection measures within users' devices, European digital identity wallets can use certified external protection measures to protect cryptographic and other sensitive data. This Regulation also recognizes national conditions related to the issuance and use of certified external protection measures.

    The new understanding of digital identity in eIDAS 2.0 is expected to promote economic value creation by facilitating access to goods and services, as well as reducing the costs for businesses associated with electronic identification and authentication procedures, thanks to even more agile and powerful RegTech solutions. This includes reducing the costs of onboarding, KYC, Due Diligence and other processes.

    The renewed eIDAS regulation is also expected to expand the mitigation of cybercrime risks such as identity theft, data theft and online fraud. In addition, it seeks to boost the efficiency and secure digital transformation of small and medium-sized enterprises (SMEs) in the EU.

    In EU Official Proposal COM/2021/281 final (specifically in point one of the memorandum) we can see the key objectives of eIDAS 2, which focus on facilitating the cross-border use of highly secure and trusted electronic identity solutions.

    In addition, it is intended that both individuals and legal entities can use these digital identity solutions effectively. These solutions must be equipped to share specific identity data according to the needs of each service. It also seeks to ensure equal acceptance of qualified trust services in the European Union. To achieve these objectives, eIDAS 2 proposes an "EUDI e-wallet" system that enables the electronic identification of individuals while they maintain full control over their personal data.

    EUDI and eIDAS 2: New ID wallet for everyone

    EUDI (European Union Digital Identity) is the system proposed by eIDAS 2 to build a digital identification documentation model for Europe's citizens, residents and businesses. The new regulation introduces the "European Digital Identity Wallet" (EUDI Wallet) as a secure means for EU citizens to store and manage their identification data, attributes and credentials. This tool will allow users to:

    • Identify and authenticate themselves online.
    • Securely sign electronic documents with a qualified electronic signature directly from the EUDI Wallet.
    • Generate pseudonyms to protect their privacy when accessing online services (showing that they are a real person without revealing their identity).
    • Securely access public and private services.

    Their use will be voluntary, without discrimination against those who choose not to use them. EU member states are obliged by eIDAS 2.0 to provide at least one wallet within the next twenty-four months. It is a public product and service to identify EU citizens both face-to-face and online. These wallets will incorporate privacy protection technologies, such as zero-knowledge proofs, to ensure user privacy. The source code of the applications must be transparent and open source.

    Wallets will be offered directly on the initiative of member state entities, under mandate of the member states, or independently with state recognition (private organizations or qualified trust service providers (QTSPs) developing their own digital wallet).

    European digital identity wallets will be provided free of charge and can be used to access public and private services across the European Union. They should connect with organizations that require user data in order to interact with users (to make them customers, partners or suppliers, recruit new employees, etc.).

    Key dates, eIDAS 2.0 and EUDI Wallet in every state

    EU member countries will have 24 months to provide at least one EUDI to their citizens (as required by eIDAS 2 Article 5a(1)). The European Commission will provide guidelines and tools to facilitate implementation throughout the adaptation period.

    With the new updates and the latest developments, eIDAS 2 roadmap currently looks as follows:

    1. June 2021: The European Commission presents a proposal for a Regulation to update eIDAS based on EUDI Wallet pilot projects of different consortia (analyzed in our article on EUDI).
    2. February 2022: First outline and framework for the development of Europe's EUDI digital identity architecture.
    3. October 2022: Official publication of new trust services and technical architecture of new digital citizen identity.
    4. June 2023: The European Commission publishes a guide for the implementation of eIDAS2.
    5. November 2023: Preparation of the final text and completion of details.
    6. February 2024: Vote and approval of the standard.
    7. H1 2024: Implementing acts with technical specifications and processes for the EUDI Wallet, according to the results of pilot projects.
    8. September 2024: Deadline for Member States to transpose eIDAS 2 into national legislation.
    9. Q4 2024 and H1 2025: QTSP work that will implement EUDI Wallet in member states, with processes and technical development.
    10. September 2026: Deadline for trusted service providers to adapt to new eIDAS2 requirements and EU member states to deliver their EUDI Wallet.
    11. 2025-2026: First years of development, improvements and monitoring by the European Commission. Adaptation period for citizens, companies and institutions. Verification of attributes of authentication systems within 24 months of approval (Article 45e of eIDAS 2).
    12. 2025-2027: Specification and development of requirements for SCA (Strong Customer Authentication) in online identification (Article 5f(2)) with EUDI Wallet. Definition of requirements for large online platforms (Article 5f(3)) and acceptance by all public administrations of EUDI Wallet as a means of authentication (Article 5f(1)).
    13. 2030: Target of 80% of EU citizens and companies actively using EUDI Wallet under the eIDAS 2.0 standards adapted by organizations, companies and institutions.

    In the meantime, the use of certified external protection measures will be allowed on a transitional basis (current eIDAS 1 qualified trust services). This approach will be implemented without interfering with national regulations on issuance and use of certified external protection measures related to the new eIDAS2 Regulation. Other identification methods can coexist with EUDI and eIDAS 2 (being optional, secondary and non-preferable) so that users who do not voluntarily choose to use EUDI Wallet can identify themselves and share data with companies and other organizations (also subject to the GDPR).

    How to adapt to new eIDAS2 standards? 

    This new landscape for digital identity management challenges companies to adapt to its requirements in order to continue operating securely and efficiently. RegTech technology companies play a key role in this process by offering innovative solutions that enable companies to meet eIDAS 2 requirements efficiently and effectively. These solutions may include digital identification platforms, identity management systems, electronic authentication services and digital signature tools, among others.

    In addition to providing specific tools and technologies, consulting and advice is offered to help companies understand and comply with eIDAS 2 regulatory requirements. This may include conducting risk assessments, implementing compliance policies and procedures, and training staff on the proper use of new technologies and processes.

    1. Familiarize yourself with the regulations: It is essential to understand the technical, legal and operational requirements of eIDAS 2. The European Commission and QTSPs in each country provide information and resources to facilitate this process.
    2. Assess the impact on the company: It is necessary to analyze which processes and systems are affected by eIDAS 2 and what measures are needed to adapt them.
    3. Select a suitable technological solution: Choose a RegTech company that offers reliable solutions adapted to the specific needs of each company.
    4. Implement the technology solution: Integrate the new technology seamlessly, securely and efficiently into the company's existing systems.
    5. Train staff: Train employees in the use of new tools and procedures for digital identity management.
    6. Monitor and update: It is important to continuously monitor compliance and update technology solutions as needed.

    Adaptation to eIDAS 2 is a necessary process and one that will bring great economic growth and cost savings for companies looking to take advantage of the benefits of secure digital identity in European markets. RegTech companies become strategic partners to facilitate this process and provide reliable and efficient technological solutions. EUDI has the potential to:

      • Reduce the administrative burden for citizens and businesses.
      • Encourage mobility and cross-border sales within the EU.
      • Develop new interoperable digital services.
      • Facilitate access to public and private services in a safe and comfortable way.

    The implementation of eIDAS 2 will have a substantial impact on the digital operations of any company, especially those involved in electronic transactions of a moderate risk level such as BFSIs, telcos or utilities. It is essential to carefully assess how these new regulations will influence the internal processes of each organization and especially those related to the customer, in order to take the relevant measures to ensure compliance with the requirements established by eIDAS 2.

    As a RegTech company and QTSP officially recognized by the European Union, we thoroughly understand these changes and help our clients deal with the transition through easy integration of simple and affordable solutions. To comply with these emerging regulations, we must ensure the security and reliability of all our electronic transactions in any operation.

    eIDAS 2: Use cases for citizens and companies

    Use cases for the eIDAS2 EUDI Wallet can be found in almost all areas of life and the economy, and in any sector or industry. Below is an ordered list of use cases, the most comprehensive you can find on the web to date.

    EAA stands for Electronic Authentication Attribute and QEAA for Qualified Electronic Authentication Attribute, as established in various EUDI Wallet pilots. ODIs refer to the use of an organization identity and PDs to those based on data protocols. Frequency of use is an estimate based on surveys of European citizens as users in different industries.

    Public transportation and mobility:

    • Public transportation passes (EAA, 1200 times/year)
    • Single tickets (EAA, 25 times/year)
    • Student cards (EAA, 50 times/year)
    • Vehicle leasing (PID, QEAA, 5 times/year)
    • Carsharing and motosharing (PID, QEAA, 15 times/year)
    • Merchant Ship Master's Permit (QEAA, ODI, 5 times/year)
    • Driving license documentation of all types (QEAA, PD, 40 times/year)

    Education:

    • Student identification cards (EAA, 25 times/year)
    • Scholarship/Internship Identification Cards (EAA, 25 times/year)
    • Online Learning Certificates (EAA, 5 times/year)
    • Library cards (EAA, 10 times/year)

    Public administration:

    • Citizen Municipal Card (QEAA, 120 times/year)
    • Municipal service subscriptions (EAA, 20 times/year)
    • Social passes (EAA, 20 times/year)
    • Leisure passes (EAA, 120 times/year)
    • Street Musician Permit (QEAA, 50 times/year)
    • Fishing permit and license (QEAA, 30 times/year)
    • Street Trading Permit (QEAA, 50 times/year)
    • Food handler's permit (QEAA, 40 times/year)
    • Infection protection inspections permit (QEAA, 5 times/year)
    • Permit to trade or peddling (QEAA, 5 times/year)
    • Volunteer card (QEAA, 10 times/year)
    • Electronic voting (ODI, QEAA, EAA, PID, 0.5 times/year)

    Leisure and culture:

    • Event tickets (EAA, 20 times/year)
    • Participation/start-up fee (EAA, 20 times/year)
    • Membership card (EAA, 50 times/year)
    • Access management (EAA, 50 times/year)
    • Recreational Craft Driving License (QEAA, 5 times/year)

    Identification and authentication:

    • Employee Identification Document (EAA, 200 times/year)
    • Access management (EAA, 400 times/year)
    • Login without password (EAA, 1000 times/year)
    • Password reset (EAA, 3 times/year)
    • Call Center Authentication (EAA, 100 times/year)
    • Similar use cases in social networks (EAA, 100 times/year)
    • Qualified electronic signature of all types of documentation (QEAA, 25 times/year)
    • Data modification (QEAA, 5 times/year)

    Banking, Insurance, Finance (BFSI):

    • Payments (QEAA, 100 times/year)
    • Strong SCA customer authentication (EAA, 100 times/year)
    • Know Your Customer Processes (EAA, 10 times/year)
    • Proof of insurance (QEAA, 5 times/year)
    • Authentication from the call center (EAA, 15 times/year)
    • Contracting of new services (QEAA, 5 times/year)
    • Credit scoring, risk assessment and CDD controls (QEAA, 5 times/year)

    Telecommunications sector:

    • SIM card request (PID, QEAA, 0.3 times/year)
    • SIM card replacement (PID, QEAA, 0.3 times/year)
    • Contracting of new services (QEAA, 1x/year)

    Retail trade and services:

    • Customer card (EAA, 50 times/year)
    • Discount coupon (EAA, 110 times/year)
    • Cash on hand/payments (QEAA, 100 times/year)
    • Customer registration/deregistration (10 times/year)
    • Age verification (QEAA, 5 times/year)
    • Product warranty (EAA, 10 times/year)
    • Login without password (EAA, 300 times/year)
    • Customer registration (PD, QEAA, 10 times/year)

    Travel and hospitality:

    • Turnover (PD, QEAA, 5 times/year)
    • Cure and guest card (QEAA, 15 times/year)
    • Hotel card/room (EAA, 114 times/year)
    • Customer card (EAA, 5 times/year)
    • Travel voucher (EAA, 3 times/year)
    • Authentication for self-check-in (EAA, 15 times/year)

    Companies:

    • Organizational identity (ODI, QEAA, 50 times/year)
    • Master data management (ODI, QEAA, EAA, 50 times/year)
    • Supplier registration (QEAA, EAA, 50 times/year)
    • CO2 Test - Supply Chain/Logistics (EAA, 20 times/year)
    • Product pass (EAA, 1400 times/year)
    • Authentication for office and tool access (EAA, 300 times/year)
    • Bookings, control of schedules, working days, etc. (EAA, 300 times/year)
    • Powers of attorney and internal company compliance (ODI, QEAA, 50 times/year)
    • Sign NDAs (EAA, 10 times/year)

    Health and socio-health:

    • Electronic prescriptions (QEAA, 10 times/year)
    • Informed consents (EAA, 5 times/year)
    • Data collection/history (EAA, 5 times/year)
    • Appointment management (QEAA, 15 times/year)

    These are just a few examples of EUDI Wallet use cases. As eIDAS 2 technologies and tools develop and become more widely adopted, new and innovative use cases are likely to emerge.
