1
Fragmented national implementations
eIDAS gave rise to diverse national implementations, making cross-border adoption complex and challenging. Interoperability between member states remained limited.
eIDAS2: The EU digital
identity regulation
Understand what it is, who is affected and when compliance is required
- EUDI wallets by end of 2026
- Wallet acceptance by end of 2027
The Regulation
What is eIDAS2?
The eIDAS2 regulation (EU 2024/1183) introduces European Digital Identity (EUDI) wallets for every EU citizen, enabling them to securely store and share digital credentials — such as their national ID, driving licence, or professional qualifications — across borders, industries, and applications. The regulation was adopted by the European Parliament on 29 February 2024 and entered into force in May 2024. Governments and businesses across the EU have until 2026–2027 to comply.
Official Law
In Force since May 2024
Regulation (EU) 2024/1183, adopted by the European Parliament on 29 February 2024.
Government Deadline
EUDI wallets by end of 2026
Every EU member state must offer at least one eIDAS2-compliant EUDI wallet for citizens.
Business Deadline
Accept wallets by end of 2027
Businesses in the EU must be able to accept wallets for user auth and identification.
Background
Why eIDAS2 was created
The original eIDAS (2016) regulation left three fundamental problems unsolved.
2
Limited to electronic signatures
eIDAS focused on electronic signatures and did not provide a framework for holistic digital identities — covering education, work, financial, insurance or health data.
3
Relied on physical presence
eIDAS strongly relied on physical presence for identity proofing, which conflicted with digital-first services and proved untenable during the COVID-19 pandemic.
What it introduces
The main goals of eIDAS2
Secure, private, user-controlled digital identities for trusted cross-border interactions.
Digital identity wallets for citizens
Every EU citizen receives a digital identity wallet to collect, store, manage and share verified credentials with third parties.
Governments must issue credentials
Member states must provide EUDI wallets and issue government-attested credentials (e.g. PID ) to citizens.
Businesses must accept credentials
Businesses and public services must accept EUDI wallet credentials for user authentication, onboarding and identity verification.
Privacy and security by design
High levels of security and privacy are required. Wallets must support selective disclosure so users share only the minimum data required.
Deadlines
The eIDAS2 compliance timeline
Key dates every government and business needs to know.
- May 2024
Regulation in force
Regulation (EU) 2024/1183 entered into force. Member states and businesses began preparation and implementation.
- End of 2026
Governments & large platforms
Member states must launch at least one EUDI wallet. Very Large Online Platforms (≥ 45 M EU users) must accept them for user authentication.
- End of 2027
Large private-sector businesses
Private-sector businesses requiring strong user authentication (banking, energy, transport…) that are not micro or small enterprises must enable EUDI wallet usage.
Source: Regulation (EU) 2024/1183 and eIDAS2 Implementing Acts
Glossary
Key terms explained
Concepts, credential types, and technical standards you need to know.
The Framework
ARF
Architecture & reference framework
The ARF is the technical companion to eIDAS2 describing how the “law” could be implemented. It defines the high-level requirements for each actor (Issuers, Verifiers and Wallet Providers), how actors must interact, and the common trust infrastructure needed for the ecosystem to function.
LSPs
Large-scale pilots
EU-funded cross-border projects implementing the ARF in real services across Member States — validating protocols, data formats, and wallet components end-to-end. Four pilots (POTENTIAL, EWC, NOBID, DC4EU) have concluded; two (APTITUDE, WE BUILD) launched in 2025 and are currently active.
EU Law
Implementing acts
The implementing acts turn the high-level eIDAS2 regulation into concrete rules and laws, building on the ARF and LSP results. They cover core functionality, protocols, credential data handling, certification registers — everything needed for ID wallets to become a reality across member states.
Credential types
eIDAS2 defines four credential categories in descending order of assurance and legal weight.
PID
Person identification data
The core "digital ID" including attributes like name, date of birth, place of birth and nationality. It is issued by appointed institutions (PID Providers) in each member state and must be held by every certified eIDAS2 wallet to be valid.
PuB-EAA
Public body electronic attestation of attributes
Official government documents issued in digital form by public-sector bodies such as civil registries, tax authorities, and immigration authorities. Documents can include birth certificates, residence permits, and tax IDs. PuB-EAAs carry the same legal weight as their paper originals.
QEAA
Qualified electronic attestation of attributes
Digital credentials based on verified data sets from public authorities, e.g. a company formation document sourced from an official companies register. They are issued by Qualified Trust Service Providers (QTSPs) and carry the same legal weight as their paper equivalents.
EAA
Electronic attestation of attributes
Everyday credentials like boarding passes, online learning badges, membership cards and gym passes. EAAs can be issued by any business (Non-Qualified EAA Provider) to streamline operations, reduce costs, and improve the user experience.
Protocols & standards
eIDAS2 mandates specific exchange protocols and credential formats across all ecosystem actors.
Protocol
OID4VCI & OID4VP + HAIP
OID4VCI (OpenID for Verifiable Credential Issuance) and OID4VP (OpenID for Verifiable Presentations) are the protocols enabling credential exchange — credential delivery from Issuer to wallet, and presentation from wallet to Verifier. Both must be implemented with the HAIP profile.
Credential Format
SD-JWT VC (IETF)
SD-JWT VC (IETF) is the credential format next to ISO/IEC 18013-5 (mDL/mdoc) which is mandated for PIDs, PuB-EAAs and QEAAs. SD-JWT VCs provide selective disclosure, meaning holders can share individual attributes — such as age — without revealing the full credential.
Credential Format
ISO/IEC 18013-5 (mDL / mdoc)
The ISO mobile driving licence standard (mDL/mdoc) is the credential format next to SD-JWT VC (IETF) which is mandated for PIDs, PuB-EAAs and QEAAs. Compared to SD-JWT VCs and W3C VCs that only support online verification, mDL/mdoc supports both online verification (via ISO/IEC 18013-7) and offline proximity checks. It also supports selective disclosure.
Credential Format
W3C verifiable credentials
The W3C VC (VCDM v2.0) credential format is the only optional format under eIDAS2. It can only be used for non-qualified Electronic Attestations of Attributes (EAAs) compared to SD-JWT VC and mDL / mdoc which can be used for all credential types including EAAs. W3C VCs compared to SD-JWT VCs and mDL/mdoc don't support selective disclosure.
The starting point
Roles under eIDAS2
Every government or business affected by eIDAS2 plays one or more of these three roles.
Issuer
Issuers are governments and businesses that attest claims about a user or legal entity in the form of a digital credential. They must be registered in the trust infrastructure and issue credentials in the formats and via the protocols defined by eIDAS2 while maintaining the lifecycle of the credential.
- Issue credentials in the defined formats: SD-JWT VC (IETF), ISO/IEC 18013-5 (mDL/mdoc), W3C VC (VCDM v2.0)
- Get registered in the eIDAS2 Trusted Lists and maintain presence
- Implement OID4VCI for credential delivery to EUDI wallets
- Manage credential lifecycle: issuance, updates, suspension and revocation
Verifier (Relying Party)
Verifiers are governments and businesses that request and verify claims about a user — for example, checking that a user is over 18, or that their income meets a threshold. Under eIDAS2, verifiers must be registered in the ecosystem and support the required protocols and formats.
- Register as a verifier and state which attributes you will request
- Support OID4VP / ISO-18013-7 for online verification
- Support ISO/IEC 18013-5 for offline (proximity) verification
- Support credential formats: ISO/IEC 18013-5 (mDL/mdoc), SD-JWT VC (IETF), W3C VC (VCDM v2.0)
Wallet Provider
Wallet providers provision wallets for users and ensure they comply with all security and privacy requirements. Under eIDAS2, wallet providers can be either member states or certified organisations. There is also a market for non-certified wallets for everyday use cases where certification is not required.
- Issue Wallet Unit Attestations (WUAs) to establish trust within the ecosystem
- Support all required credential formats: ISO/IEC 18013-5 (mDL/mdoc), SD-JWT VC (IETF), W3C VC (VCDM v2.0)
- Support the OID4VCI and OID4VP protocols for credential exchange
- Manage the full wallet lifecycle: activation, management, and revocation
Implementation
Build vs. buy: the three options
Most organizations choose to build apps while buying or owning the underlying infrastructure.
Build apps, buy infra
Only build UI and applications. Outsource the technical complexity to a proven, standards-compliant provider. Maximum speed to market with minimum technical risk.
Build apps, own infra
Use open-source infrastructure. Own the full stack and retain maximum control, while offloading the protocol implementation to a proven open-source solution.
Build Everything
Implement the full stack in-house: credential standards, exchange protocols, key management, and revocation. High complexity and significant ongoing maintenance cost.
walt.id & eIDAS2
The infrastructure layer for eIDAS2 compliance
EU trusted. Standard & regulatory compliant. Gov & enterprise proven.
- Issuer, Verifier and Wallet infrastructure
- A complete stack covering credential issuance, wallet infrastructure, and verification — with self-managed on-premise Community and Enterprise editions.
- All required credential & protocol standards
- ISO/IEC 18013-5, SD-JWT VC (IETF) and W3C VCs. OID4VCI and OID4VP.
- Trusted European Solution
- We were involved in the creation of EU ID standards; our solutions are used across EU large-scale pilots and work with the EUDI Wallet reference implementation.
- Works with your infrastructure
- Integrates with any KMS/HSM, database, cloud provider, or IAM system — including AWS, Azure, GCP, Kubernetes, Keycloak, and more. No lock-in, full data control.
- Fully regulatory compliant
- Fully aligned with eIDAS2, the ARF and Implementing Acts. GDPR compliance and data sovereignty via self-managed infrastructure.
- Build or Buy
- Build for free with the open-source Community Stack or launch and scale quickly with the Enterprise Stack.
Used by +35.000 developers and organisations
Open Source
Community Stack
The easiest way to get started and build. Own infrastructure and develop your platform based on the leading open source stack.
Enterprise
Enterprise Stack
Everything you need to roll-out and scale. The fast and worry-free way to build ID platforms, ship complex use cases and ensure compliance.
Trusted by leading organizations
FAQs
Frequently asked questions about eIDAS2
Clear answers to the most common questions about the EU digital identity regulation.
What is eIDAS2?
eIDAS2 (Regulation (EU) 2024/1183) is the EU's revised electronic identification and trust services regulation. It introduces European Digital Identity (EUDI) wallets for every EU citizen, enabling them to store and share verified digital credentials — such as their national ID, driving licence or professional qualifications — across borders and applications. It was adopted by the European Parliament on 29 February 2024 and entered into force in May 2024.
Who must comply with eIDAS2?
Three groups are directly affected. First, EU member state governments, which must launch at least one EUDI wallet per member state by the end of 2026. Second, Very Large Online Platforms (≥ 45 million average monthly EU users), which must accept EUDI wallets. Third, businesses that require strong user authentication (banking, energy, transport…) and are not micro or small enterprises — they must enable EUDI wallet usage by the end of 2027.
What is the EUDIW?
The EU Digital Identity Wallet (EUDIW) is the digital wallet every EU citizen receives under eIDAS2. It stores government-issued credentials (PID) and other electronic attestations, allowing users to securely share verified information with any service provider across the EU. Users control exactly what is shared through selective disclosure, ensuring only the minimum necessary data is revealed.
What is a PID under eIDAS2?
The Person Identification Data (PID) is the core digital credential that every eIDAS2 wallet must hold. It is issued by appointed institutions in each member state and contains mandatory attributes including family name, given name, date of birth, place of birth and nationality. It acts as the user's digital ID, recognised across all member states, and is required to activate and use an eIDAS2-certified wallet.
What is the Architecture and Reference Framework (ARF)?
The ARF is the technical companion to the eIDAS2 regulation. It defines the high-level requirements for each ecosystem actor (Issuers, Verifiers and Wallet Providers), how those parties must interact to ensure security, privacy and EU-wide interoperability, and the common trust infrastructure (issuer catalogues, trusted lists) needed for the ecosystem to function. The ARF is published and maintained on the EUDI Wallet Dev Hub on GitHub.
What are the Large-Scale Pilots (LSPs)?
The Large-Scale Pilots are EU-funded, cross-border projects that implement the ARF in real services. Four pilots have successfully concluded — POTENTIAL (government, banking, telecom, mDL, signatures, health), EWC (Digital Travel Credentials), NOBID (payments), and DC4EU (education and social security). Two further pilots started in 2025 and are currently active: APTITUDE and WE BUILD. Their findings feed back into refining the ARF and the implementing acts.
What credential formats and protocols does eIDAS2 mandate?
eIDAS2 mandates support for ISO/IEC 18013-5 (mDL/mdoc) and SD-JWT VC (IETF) as the primary credential formats, with W3C VC VCDM v2.0 also supported for EAAs. For issuance, OpenID for Verifiable Credential Issuance (OID4VCI) with the HAIP profile is required, together with ISO/IEC 18013-7 for remote mdoc flows. For verification, OpenID for Verifiable Presentations (OID4VP) and ISO/IEC 18013-5 (offline) are required.
How does walt.id help with eIDAS2 compliance?
walt.id provides an all-in-one solution for eIDAS2 compliance enabling issuance, verification and wallets.