All About eIDAS 2.0: What Businesses Need To Know

The regulation on electronic identification, authentication, and trust services – better known as the eIDAS Regulation – came into force in 2014, with member states expected to comply by 2016. It formed part of the European Union’s mission to ensure a fair, open, and secure digital environment across the bloc.
However, after evaluating the impact of eIDAS in 2020, the European Commission determined that it had not met expectations and needed amending. The Commission announced eIDAS had "only partially achieved its objective of enabling cross-border access to public online services." It was also found that the regulation did not address the needs of sectors such as education, and that only 14 member states had adopted a government electronic identification (eID), with just 59% of citizens having access to a trusted eID.
The solution, the Commission decided, was to develop an amendment called a "framework for a European digital identity," which is better known as eIDAS 2.0.
This article explores the key elements of eIDAS 2.0 and demonstrates how it differs from the original legislation. You will also find the prospective timeline for implementing the new elements.
What is eIDAS 2.0?
eIDAS 2.0 is an extension of eIDAS, meant to reflect the increase in digitization across Europe and to address the shortcomings of the original regulation in ensuring that all citizens can participate in this digital future in a safe and secure manner.
It is the result of a review that was mandated in Article 49 of the original eIDAS Regulation, which stated "The Commission shall review the application of this Regulation and shall report to the European Parliament and to the Council no later than 1 July 2020."
This led to a European Commission proposal put forward in June 2021 to update the European digital identity framework, on which the European Parliament and European Council agreed in November 2023. On February 29, 2024, the proposal was approved.
eIDAS 2.0’s main objectives are to:
- Provide trusted, secure cross-border digital identification processes that meet modern demands
- Aid both public and private services to take advantage of cross-border digital ID solutions
- Give citizens total control of their personal data and keep their digital identification processes secure
- Create a level playing field for accepting EU-qualified trust services
How is eIDAS 2.0 different from eIDAS 1.0?
There are a number of differences between the original eIDAS and eIDAS 2.0. They include:
| Element | eIDAS 1.0 | eIDAS 2.0 |
|---|---|---|
| Digital IDs | No obligation for member states to develop and notify a national eID | Member states must provide citizens and legal entities with eID wallets |
| Qualified trust services | Primarily focused on electronic signatures, electronic seals, timestamps, electronic delivery services, and certificate services for website authentication | Includes additional trust services such as electronic ledgers and archiving services, and extends the framework to cover the validation of electronic signatures and seals in a broader context |
| Sector | Concentrated on cross-border access to public services | Broadens scope to better provide Europe-wide access to eIDs and authentication for private-sector organizations |
| Interoperability | No provision for interoperability between different member states’ eIDs | Promotes interoperability across member states’ eIDs |
| User control | Only allowed for a narrow range of IDs with limited user control | Mandates self-sovereign identity (SSI) to give citizens more control over their identifying information |
Key elements of eIDAS 2.0
European Digital Identity (EUDI) Wallet
One of the major developments in eIDAS 2.0 is the EUDI Wallet (sometimes referred to as the EDIW), a digital wallet for all citizens that helps them identify themselves and confirm personal information more easily, in a way that is recognized across the entire European Union. Currently, only 14% of key public-service providers across the European Union allow cross-border authentication with an eID system. eIDAS 2.0 hopes to change that.
People use apps on smartphones and other devices to identify themselves both online and offline. The wallet can be used to store and exchange government information, such as name, date of birth, and nationality, as well as store and exchange other public and private information that might be convenient to have close at hand.
Citizens can use the EUDI to prove their age, open bank accounts, access public services, check into hotels, and a range of other actions. The wallet includes the person’s eID, along with their electronic signature.
The idea is to create one central identity for citizens online, so that they no longer have to create new accounts for each platform they use or find the same pieces of corroborating information each time. This gives people more control.
Cross-border interoperability
The EUDI helps eIDAS 2.0 enact its mission for greater interoperability across the EU. It sets standards for EUDI and digital identities, in general, to ensure that they meet strict security and data protection requirements. By following the technical standard, each member state’s systems should be set up to better facilitate the acceptance and use of digital IDs across Europe and beyond.
This benefits citizens but also businesses. The ability to easily identify and verify customers across the continent helps create access to new markets in a seamless manner and without the red tape that can often slow the process or make it prohibitively expensive.
Trust services
eIDAS 2.0 will cover a greater range of trust services than its predecessor. Whereas the original eIDAS included electronic signatures and seals, timestamping, verification, and website authentication, the new legislation expands to include electronic archiving and ledgers. It also encompasses services such as seal creation devices and the management of electronic signatures made remotely to increase the security of these activities.
The eIDAS 2.0 toolbox, designed to help stakeholders get up to speed with the new regulations, will include measures to check a wider range of documentation, allowing a more in-depth verification process. This will help sectors such as education and travel. In these areas, the verification process requires more than simply identifying who someone is. For example, for car rentals, you need to prove both your identity for security purposes and the fact that you are eligible to drive by authenticating your driving license, too.
eIDAS 2.0 will achieve this through a Qualified Electronic Attestation of Attributes (QEAA). The trust service provider checks these additional documents, including licenses, permits, birth certificates, educational qualifications, and similar attributes. These can then be stored in the person’s EUDI Wallet.
When should eIDAS 2.0 come into force?
Now that eIDAS 2.0 has been passed by the European Parliament and European Council, it could enter into force relatively quickly. Of course, the requirements of the legislation will take a while to implement, but now that the regulation is confirmed, a timetable will be published soon to help stakeholders prepare.
Currently, the roadmap for eIDAS 2.0 looks like this:
- April 11, 2024 – Regulation text was published in the Official Journal of the European Union
- May 2024 – eIDAS 2.0 passes into law
- October 2026 – Member states must have EUDIs ready to use by citizens
Which countries and sectors will be affected by eIDAS 2.0?
eIDAS 2.0 affects all EU nations as well as those in the European Economic Area (EEA). Where people use digital identities, the new framework will be in place for those enacting the transaction and those who are the subject of the process.
This will affect all sectors that provide online services, require customer verification, or operate using online transactions. However, one of the reasons behind the EU updating the legislation is to help sectors that many critics of the original eIDAS felt were not served by that regulation. eIDAS 2.0 will provide a more substantial framework for all sectors.
In its proposal on eIDAS 2.0, the European Parliament provides examples of sectors that could particularly benefit from the new digital wallet system. It says:
"Private relying parties providing services such as in the areas of transport, energy, banking and financial services, social security, health, drinking water, postal services, digital infrastructure, telecommunications, or education should accept the use of EDIWs for the provision of services where strong user authentication for online identification is required by Union or national law."
How can organizations get ready for eIDAS 2.0?
Identify relevant changes
The first step toward eIDAS 2.0 compliance is understanding what changes you will have to make to your processes. One of the key changes will be that companies must accept the new EUDI when verifying and authenticating customers. This will change your onboarding processes.
Theoretically, it should streamline the procedure because customers simply connect with their wallet, rather than registering, verifying, applying, adding payment details, scanning, and uploading ID documents, and waiting for you to manually verify them. But you will need to have this new process tested and in place.
Keep an eye out for updates
With a new piece of legislation, there may be new information being released in the run-up to its implementation and the development of the technical standards. This means that you should set a reminder to check for any relevant updates on a regular basis. Check the industry press and set Google alerts so that you stay up to date with the latest on eIDAS 2.0.
Identify gaps and allocate resources
Look into your current systems and identify gaps that must be addressed before eIDAS 2.0 comes into force. Privacy and data protection are at the core of the new regulation, so ensure your current processes meet the requirements on data handling as specified in the General Data Protection Regulation (GDPR).
Once you have identified gaps, allocate resources to fill them in time to maintain compliance. You may have to redesign your systems and you will certainly need to train employees on the new obligations, so work this into your budget.
Collaborate
Work with your eID partners and trust service providers to discuss the upcoming changes and to consider what is required of you. Some of the work will be done by these third parties, but only by interacting with them can you truly understand what you need to do to prepare for compliance.
Prepare for new opportunities
Streamlined cross-border transactions becoming a reality under the new regulation provides opportunities for your business. Think about how you can capitalize on them. Have your website translated into other European languages, consider how you can deliver your products and services across the continent in a cost-effective manner, and put these changes into practice ready for the rollout of the EUDI.
FAQ
Will there be any changes to the EU Trusted Lists under eIDAS 2.0?
While specific changes to the EU Trusted Lists under eIDAS 2.0 are subject to the final regulatory text, it is anticipated that the list will continue to play a key role in providing a public record of qualified trust service providers (QTSPs) and their services. There may be updates to reflect new services or standards introduced by eIDAS 2.0, but that will become clear as the regulation progresses.
How does eIDAS 2.0 align with other EU regulations like GDPR?
eIDAS 2.0 is designed to complement and align with other EU regulations, including GDPR. It aims to ensure that electronic identification and trust services not only meet high-security standards but also respect privacy and data protection principles, providing a cohesive legal framework for digital transactions.
What challenges might organizations face in complying with eIDAS 2.0?
Organizations may face challenges such as the need for technological upgrades, alignment of internal policies with the new regulation, training staff on new procedures, and ensuring interoperability with EU-wide eID systems.
Additionally, staying informed about the evolving regulatory landscape and integrating with qualified trust services can be complex.
Conclusion
eIDAS 2.0 will require close attention from businesses across all sectors in all EU and EEA countries. It brings opportunities thanks to the ability to do business across borders and when streamlining digital transactions and onboarding, but it also requires entities to ensure they are working with compliant digital identification services that will help them take advantage.
Entrust Signhost provides a digital identification service to remotely onboard customers according to the market's highest standards with as little friction as possible, helping you improve customer experience. Sign up today to create a free account and find out how Entrust Signhost can help you.
*Disclaimer: This content does not constitute legal advice. The suitability, enforceability or admissibility of electronic documents will likely depend on many factors such as the country or state where you operate, the country or state where the electronic document will be distributed as well as the type of electronic document involved. Appropriate legal counsel should be consulted to analyze any potential legal implications and questions related to the use of electronic documents.