EU-AMLR, eIDAS 2.0 & EUDI Wallet

What is the EU AMLR timeline?

Regulation (EU) 2024/1624 (EU AMLR) has been in force since July 9, 2024; the key obligations are directly applicable as of July 10, 2027. By then, obligated entities should have adapted their governance, processes, data quality, control systems, and identification/onboarding procedures to meet the new requirements.

What is Changing for Obligated Entities with the EU-AMLR?

The EU AMLR (Anti-Money Laundering Regulation, Regulation (EU) 2024/1624) is the EU regulation on combating money laundering and terrorist financing that entered into force on July 9, 2024.

It establishes a more uniform set of rules across the EU for obligated entities. In particular, it strengthens risk-based due diligence obligations, transparency requirements, ongoing monitoring, documented risk management, and a more harmonized supervisory framework.

Obligated entities should view these requirements as a transition to an EU-wide harmonized AML/CFT operational model, not merely as an adjustment of individual KYC forms. The focus is on the following aspects and uniform, strengthened AML/CFT obligations:

In addition, there is an obligation to use digital tools (e.g., for transaction monitoring, AI monitoring). Requirements such as enhanced risk management and transaction monitoring must be ensured by the obligated entities.

Which Entities Must Comply with EU-AMLR in the Future?

The regulation applies to “obliged entities” in the financial and non-financial sectors, including in particular credit institutions, payment and e-money institutions, crypto-asset service providers, certain insurance and securities firms, as well as traditional DNFBPs such as notaries, lawyers, tax advisors, real estate agents, and dealers in high-value goods.

Newly added entities that will also be subject to the EU-AMLR in the future include crowdfunding platforms, (professional) soccer clubs, and consumer credit intermediaries (including the branches and subsidiaries of obliged entities), for which, however, different deadlines apply.

What is the Difference Between EU-AMLR, AMLD6, and the AMLA?

EU AMLR, AMLD6, and the AMLA are components of the EU AML package for a unified anti-money laundering framework. In short: The AMLR is the directly applicable regulation governing substantive obligations; AMLD6 supplements the framework where national implementation is still required; and the AMLA is the EU supervisory authority that will gradually assume direct supervision of selected institutions starting in 2028.

• AMLR: Regulation (EU) 2024/1624: Uniform “Single Rulebook”:
  Direct rules for KYC, KYB, CDD, and risk management for obligated entities across the EU (starting in 2027).
• AMLD6: Directive
  Supplementary national implementation: penalties, FIU cooperation, supervision; must be transposed into national law (e.g., GwG).
• AMLA: EU Authority (Frankfurt) Supervision & Enforcement: Direct monitoring of high-risk firms, coordination of national authorities, sanctions.

What Role Does the AMLA Play Within the EU-AMLR Framework?

The AMLA (Anti-Money Laundering Authority), based in Frankfurt, coordinates European AML/CFT supervision and develops technical standards. Starting January 1, 2028, it will assume direct supervision of the selected 40 most complex cross-border financial groups.

What due diligence obligations must companies ensure to comply with EU-AMLR requirements?

Under the EU-AMLR, obligated firms must fulfill clearly defined, risk-based due diligence obligations toward their customers.

Core obligations (Art. 20 EU-AMLR):

• Establish and verify identity
• Identify beneficial owners, verify their identity, and understand the ownership structure
• Understand the purpose and nature of the business relationship or transaction
• Conduct sanctions screening for customers, owners, and controlling persons
• Assess business activity/occupation
• Continuously monitor the relationship and transactions (including the source of funds)
• Check PEP status (PEP = politically exposed persons)
• Identify and verify third parties (such as beneficiaries or authorized representatives).

Risk Levels

Obligated entities must take additional measures in cases of increased risk. This applies, for example, to politically exposed persons or individuals and entities based in high-risk countries, for whom identity verification and re-evaluation must be conducted annually and documented in an audit-proof manner.

What Changes Will the EU-AMLR Bring to KYC?

With the EU-AMLR, Know-Your-Customer processes will become more harmonized across the EU, more risk-based, and more documentation-intensive. The focus is on reliable identification, ongoing updates, clear risk classification, and technically robust evidence.

• Standardized Data Set:
  More mandatory information (such as place of birth, tax ID, residence, and all nationalities) must be recorded.
• KYC Cycles:
  Under the EU-AMLR, KYC cycles must be conducted in a more risk-based manner, for example in connection with PEPs and high-risk countries. Certain events also require a trigger-based review (such as a change of address).
• Digital focus:
  eIDAS-compliant procedures are prioritized (eID, EUDI wallet, video identification procedures with QES) . Other legally permissible procedures, such as video identification procedures without QES, remain relevant, although the final design depends on technical and regulatory details.
• Enhanced CDD:
  Stricter checks for high-risk cases (such as HNWIs, geographic risks) and ongoing monitoring.

The Regulatory Technical Standards (RTS) for Customer Due Diligence (CDD) in the financial sector are still in the consultation phase and are scheduled to be adopted in July 2026. WebID is monitoring this closely and will make the necessary adjustments to the relevant identification procedures as soon as the RTS/CDD requirements are finalized.

What Changes Will the EU-AMLR Bring for KYB?

The EU AMLR will also standardize Know-Your-Business (KYB) requirements, focusing more strongly on beneficial owners, control structures, traceability, and data quality. Robust documentation, plausibility checks, and the ability to map complex ownership structures in an audit-proof manner remain particularly important. For companies, this primarily means: greater transparency regarding beneficial owners, shorter review cycles, and less room for national interpretation.

• Uniform EU processes and rules:
  In the future, KYB will be assessed EU-wide according to a “single rulebook.”
• More data on UBOs:
  More information on beneficial owners must be collected, documented in an audit-proof manner, and validated, such as identity and residence data.
• Greater focus on ownership and control structures:
  Even complex chains of ownership and other forms of control must be clearly traced.
• Greater digitalization and standardization:
  Digital processes and eIDAS-compliant solutions are becoming more important, especially for remote onboarding.

How Are EU-AMLR, eIDAS 2.0, and the EUDI-Wallet Related?

• The EU-AMLR defines the AML/CFT obligations that all implementation measures in all EU member states must comply with.
• eIDAS 2.0 (Electronic Identification, Authentication and Trust Services) provides the legal framework within the EU for electronic identification and trust services and defines the technical standards according to which these requirements must be implemented.
• The EUDI Wallet is the future European identity and attribute wallet within this framework and thus ultimately a potential building block for fulfilling identification and authentication requirements. At the functional level, it enables the selective sharing of attributes and cross-border use for administrative and onboarding processes.

What Are the Advantages and Disadvantages of the EUD-Wallet?

Pro’s

Con’s

Increased Efficiency & Cost Reduction: Fast, automated identity verification (“KYC in seconds”) and the reduction of manual checks can save time and money during onboarding and contract signing.· Legally binding signatures: EU-wide valid signatures for contracts and documents can accelerate processes and minimize fraud. Security & compliance: Cryptographically secured attributes and automated checks for AMLR/PSD3 meet EU requirements (mandatory acceptance in regulated industries starting in 2027) and strengthen trust. Interoperability & Competitive Advantage: Due to its EU-wide and cross-border applications, the EUDI Wallet is particularly attractive for SMEs and FinTechs that operate across Europe.

High implementation costs: Adapting IT systems, obtaining required certifications, and conducting integration tests entail significant initial expenses for APIs and training, posing a major burden for SMEs without large IT departments. Security & Data Protection Risks: The wallet could become a target for identity theft and/or social engineering attacks, necessitating additional measures (such as DORA controls), including addressing potential liability issues in the event of a breach. Mandatory acceptance & dependency: Regulated industries, such as banking & insurance, e-commerce, and others, must accept the EUDI wallet and operate with parallel systems during a transition phase, which may come at the expense of flexibility and customer experience.