The eIDAS Regulation 2.0 in the Context of the EU-AMLR

The amended eIDAS Regulation 2.0 (Electronic Identification, Authentication, and Trust Services) establishes uniform and binding technological standards for digital identification and authentication across Europe. All 28 EU member states committed, as part of the adoption of the eIDAS 2.0 Regulation on March 26, 2024, to provide their citizens and all legal entities with at least one standardized, interoperable EUDI-Wallet solution by the end of 2026. According to the German Minister for Digital Affairs, Dr. Karsten Wildberger, the German EUDI-Wallet is expected to be available in early 2027.

Interaction between the EU-AMLR and eIDAS 2.0

Article 22 of the EU-AMLR stipulates that obligated entities must use only certain reliable methods of remote identification approved in the eIDAS Regulation. Article 24 of the eIDAS Regulation, on the other hand, outlines how qualified trust service providers must verify the identities of natural and legal persons for whom they issue certificates (such as for the issuance of a QES).

The aim is to enable interoperable, cross-border verifications while reducing redundancies and improving the resilience of the European economic and financial area.

eIDAS 2.0 Permissible Identification Methods

Strictly speaking, Art. 22(6)(b) AMLR lists two types of methods: electronic identification means with a “substantial” or “high” assurance level under the eIDAS Regulation, as well as qualified trust services. The former includes, for example, state-notified methods such as the eID or the EUDI-Wallet. The second category primarily includes the qualified electronic signature (QES). Although the text of the law itself does not explicitly state that these methods generally take precedence over other procedures, Recital 66 suggests that they are of particular importance compared to the QES, though not necessarily in relation to other methods such as established video identification procedures.

Strictly speaking, as of December 24, 2027, exactly 36 months after the implementing acts enter into force, companies subject to regulatory obligations must accept the EUDI-Wallet as a means of identification and authentication pursuant to the two regulations (Article 5a(23) and Article 5c(6) of the eIDAS Regulation).

The amended eIDAS Regulation aims to harmonize trust services and permits the following identity solutions:

• National notified solutions (eID)
• the EUDI-Wallet
• Solutions certified by a conformity assessment body (such as TÜV NORD CERT) that are used in the context of issuing a qualified electronic signature. The WebID Identity Hub, for example, includes various established, GwG/AML-compliant, as well as certified and thus eIDAS-compliant identity procedures that can also be used after the EU-AMLR comes into force.

What does the eIDAS Regulation 2.0 Mean for Businesses?

A key requirement is certainly that obligated businesses must provide the EUDI-Wallet as an identification method in accordance with the EU Implementing Act by January 1, 2028, at the latest.

If other identification methods are offered, they must meet the criteria mentioned above.

However, gatekeepers such as search engines, app stores, or messengers—that is, platforms offering predefined digital services (“core platform services”)—must also integrate the EUDI-Wallet as a login option in the future, in accordance with the Digital Markets Act (DMA).

How Companies Can Get Ready for eIDAS 2.0

Even though the widespread rollout of the EUDI-Wallet in accordance with eIDAS requirements will still take some time, companies should already be assessing the extent to which their strategies, processes, and systems comply with the updated eIDAS Regulation 2.0.

1. Assess technical integration
   Affected companies should evaluate early on how they can integrate the EUDI Wallet into their existing authentication and onboarding processes and how they can update their existing identity verification procedures to be eIDAS-compliant in order to also meet future AMLR requirements.
2. Analyze compliance requirements
   Financial institutions, telecommunications providers, and other obligated entities must adapt their KYC/KYB and AMLR processes and verify whether their existing identity procedures meet eIDAS requirements.
3. Optimize security architecture
   The implementation of eIDAS 2.0 standards should be integrated into existing IAM (Identity & Access Management) systems.
4. Offer freedom of choice
   Wallets generally represent a low-barrier, user-friendly solution that can simplify digital onboarding. However, regulated companies can better expand their competitive advantage by redesigning the customer journey accordingly and allowing their customers to choose the identification method that best suits their individual needs.

With the WebID Identity Hub, for example, obligated companies benefit from an ID ecosystem that orchestrates the freedom of choice among identification solutions in an eIDAS-certified and AMLR-compliant manner. In this way, they lay the foundation for sustainable compliance, stable processes, and high user satisfaction.