For decades, identity verification in financial institutions has rested on a simple premise: an official document, authentic and valid, is enough to establish a person's identity. That assumption shaped the entire KYC apparatus, defined onboarding processes, and framed the way organisations thought about trust. The eIDAS 2.0 regulation, which came into force in May 2024, calls that premise into question. It does so not by adding another layer of document control, but by changing the very object of the control: from the verification of isolated documents to the construction of a continuous, verifiable chain of trust.
The eIDAS 2.0 regulation (Regulation EU 2024/1183) is the European Union framework for electronic identification and trust services that came into force in May 2024. It amends the original 2014 eIDAS regulation and introduces the European Digital Identity Wallet, allowing citizens and businesses to prove their identity across the EU through cryptographically signed attestations rather than paper or PDF documents. For financial institutions, it sets the rules for how digital identity credentials can be accepted in KYC and authentication.
That single change carries a deeper consequence. It moves the point of trust away from the medium, the document, toward proof that is verifiable and cannot be reproduced. A document can be perfectly authentic and still be used fraudulently, whether stolen, misappropriated, or folded into a synthetic identity. An attestation issued under the eIDAS 2.0 regulation carries its own proof of origin, which is something a paper or PDF document never could.
The difference between the two regulations is architectural. eIDAS 1.0, adopted in 2014, was essentially passive. It created a framework for the cross-border recognition of electronic signatures, seals, and website authentication certificates, ensuring that a credential issued in one member state would be accepted in another. That secured transactions, but it never answered the harder question of digital identity, namely how to prove who you are online without repeating a document check at every interaction.
eIDAS 2.0 answers that question by issuing identity rather than merely recognising it. Instead of a document to be presented and re-verified, identity becomes a set of cryptographically signed attestations that the holder controls and shares selectively, through the European Digital Identity Wallet (EUDIW) that each member state must make available by late 2026. The regulation stops being a recognition layer and becomes an identity infrastructure.
The EUDIW should not be understood as a digital ID card in the traditional sense. It functions as a system that produces verifiable attestations, issued by Qualified Trust Service Providers (QTSPs) and covering various identity attributes: civil data, professional qualifications, driving licences, and diplomas.
The fundamental difference from a PDF document or a passport photo lies in the nature of the proof produced. An eIDAS attestation is cryptographically signed by the issuing authority, time-stamped, and can be verified without having to query the authority again. This architecture creates a certified anchor that generative AI, which today makes it possible to mass-produce visually flawless fake documents, cannot reproduce.
For financial institutions, this changes the nature of KYC control. Instead of collecting heterogeneous, unstructured document copies that may already be out of date by the time they are used, they receive attributes verified at source, machine-readable, whose validity is cryptographically proven. The EUDIW does not replace all controls. It shifts the point of trust from the manual verification of document authenticity to the automated validation of digital attestations whose integrity is guaranteed by cryptography.
The eIDAS 2.0 regulation sets out three levels of assurance: low, substantial, and high. This gradation operationally translates the principle of risk proportionality that the AMLR now imposes on financial institutions.
A wallet at a high level of assurance certifies that the identity was verified in physical presence, with a check of an authentic document and a biometric capture including liveness detection to prevent presentation attacks such as deepfakes, photos, and videos. For a financial institution accepting a high-assurance EUDIW credential, this means that most of the initial verification risk has already been borne by the qualified issuing authority.
Additional due diligence can then be lightened while the real level of trust actually increases, because the proof produced is cryptographic and non-reproducible. This equation, reduced document friction combined with increased evidentiary reliability, is exactly what the AMLR's risk-based due diligence framework calls for: demonstrating that the level of control is matched to the real risk, rather than applied indiscriminately. Conversely, a substantial level of assurance may suffice for lower-risk operations, enabling a differentiated approach rather than the current uniformity of controls.
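The Go sketch below is an added example, not code from the original article or from any EUDIW reference implementation. It shows a relying party accepting an attestation the way the passages above describe: the issuer signature is checked offline against a locally held key, then the validity window, then the assurance level required for the operation's risk. The JSON format, the field names, the `qtsp.example` issuer and the `Accept` and `Issue` helpers are assumptions made for illustration; real wallets use the formats defined in the Architecture and Reference Framework.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Attestation is a constructed, simplified format, not the EUDIW wire format.
type Attestation struct {
	Issuer    string `json:"iss"`
	LoA       string `json:"loa"` // low | substantial | high
	NotBefore int64  `json:"nbf"` // Unix seconds
	Expires   int64  `json:"exp"`
}
var loaRank = map[string]int{"low": 1, "substantial": 2, "high": 3}

// Accept verifies offline against a locally held issuer key, then applies policy.
func Accept(payload, sig []byte, trusted map[string]ed25519.PublicKey, minLoA string, now time.Time) error {
	var a Attestation
	if err := json.Unmarshal(payload, &a); err != nil {
		return fmt.Errorf("malformed attestation: %w", err)
	}
	key, ok := trusted[a.Issuer]
	if !ok || !ed25519.Verify(key, payload, sig) {
		return fmt.Errorf("untrusted issuer or invalid signature")
	}
	if t := now.Unix(); t < a.NotBefore || t >= a.Expires {
		return fmt.Errorf("outside validity window")
	}
	need, known := loaRank[minLoA]
	if !known || loaRank[a.LoA] < need { // an unknown level ranks 0 and fails
		return fmt.Errorf("assurance %q does not meet required %q", a.LoA, minLoA)
	}
	return nil
}

// Issue stands in for the issuing authority (hypothetical demo helper).
func Issue(priv ed25519.PrivateKey, a Attestation) (payload, sig []byte) {
	payload, _ = json.Marshal(a)
	return payload, ed25519.Sign(priv, payload)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	p, s := Issue(priv, Attestation{"qtsp.example", "substantial", 1700000000, 1800000000})
	trusted := map[string]ed25519.PublicKey{"qtsp.example": pub}
	fmt.Println(Accept(p, s, trusted, "high", time.Unix(1750000000, 0))) // refused: level too low
}
```

Revocation is deliberately left out of this sketch; the article notes further down that revocation mechanisms are still being specified.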
Two dates structure the implementation of the eIDAS 2.0 regulation for financial institutions. By September to December 2026, each member state must make a compliant wallet available. In December 2027, regulated-sector entities, including banks, payment institutions, and crypto-asset service providers, will have to accept eIDAS credentials as a means of strong authentication and identification.
This second deadline marks the shift toward a mandatory acceptance obligation that requires rethinking onboarding and authentication architectures. Institutions will have to adapt their strong authentication journeys, including Strong Customer Authentication (SCA), to accept EUDIW credentials. That entails changes to information systems, back-office processes, and risk policies.
For compliance officers and AML/KYC officers, the next 18 months are decisive. The task is not simply to add a new onboarding channel, but to prepare for the orchestrated coexistence of several means of identification: traditional documents for clients who are not equipped, EUDIW credentials for those who are, and the ability to correlate these sources into a coherent view of the identity being checked.
A confusion persists in most digital architectures, including in heavily regulated environments: the confusion between identity verification and authentication. The two notions are often used as synonyms, yet they cover radically different functions, and their poor articulation is today a major point of fragility in compliance systems.
Identity verification establishes, at a given moment, that the attributes presented, such as surname, first name, date of birth, and address, are consistent and correspond to a real identity. This is what happens during onboarding. But it proves nothing about the person who, three months later, logs into the account, changes contact details, or initiates a sensitive transfer. Authentication proves that the person interacting is indeed the one who was initially verified, throughout the entire lifecycle of the relationship. Without continuous, risk-appropriate authentication, the best initial verification becomes a blind spot for post-onboarding impersonation.
The eIDAS 2.0 regulation structures this continuous chain of trust. The wallet is not used only for onboarding. It can re-authenticate the client during sensitive operations, providing cryptographic proof that it is indeed the legitimate wallet holder who is acting. This continuity turns compliance from a one-off exercise, verify at entry, into a dynamic system that maintains trust over time.
The arrival of the EUDIW does not mean financial institutions will abandon traditional document verification overnight. The transition will be gradual, with an extended period of coexistence between classic document-based journeys and journeys based on EUDIW credentials.
The real challenge does not lie in adding a new channel, but in orchestration: the ability to correlate signals from heterogeneous sources, including EUDIW attestations, traditional documents, digital footprint, and observed behaviours, to build a coherent and evolving understanding of the identity. Adding up controls is no longer enough. What makes the difference is the ability to weigh those signals according to context and translate the analysis into explainable decisions.
Identity orchestration platforms for the eIDAS 2.0 era combine traditional document verification, biometrics with liveness detection, EUDIW attestation validation, and continuous strong authentication. This modular approach maintains inclusion, because not every client will hold a wallet immediately, while progressively building the capabilities needed for compliance that is native rather than imposed.
Although the eIDAS 2.0 regulatory framework has been adopted, many implementation questions remain open and will be addressed through technical specifications developed up to 2027. Institutions must track how these standards evolve, particularly around attestation revocation mechanisms, interoperability between national wallets, and standardised attribute schemes defined in the EUDI Wallet Architecture and Reference Framework.
The point is not to wait for everything to be finalised before acting, but to start now by building architectures flexible enough to absorb these developments. Organisations that treat the eIDAS 2.0 regulation as a mere technical compliance add-on will miss the essential opportunity: to rethink identity-risk management by moving from fragmented document verification to the orchestration of verifiable identity.
The eIDAS 2.0 regulation is not another document to file. It redefines what counts as proof of identity in the European Union and gives financial institutions a recognised way to trust digital credentials at substantial or high assurance. The institutions that prepare their onboarding, authentication, and orchestration capabilities before December 2027 will not only meet the obligation. They will turn it into a structural advantage in fraud prevention and client experience.
The eIDAS 2.0 regulation (Regulation EU 2024/1183) is the EU framework for electronic identification and trust services that came into force in May 2024. It amends the 2014 eIDAS regulation and introduces the European Digital Identity Wallet, letting people and businesses prove their identity across the EU through cryptographically signed attestations instead of documents.
eIDAS stands for electronic IDentification, Authentication and trust Services. It is the EU regulation that governs how electronic identities, signatures, seals, and trust services are recognised across member states. eIDAS 2.0 is the 2024 update that adds the EU Digital Identity Wallet.
Two dates matter. By late 2026, each member state must make a compliant EU Digital Identity Wallet available. By December 2027, regulated entities such as banks, payment institutions, and crypto-asset service providers must accept eIDAS credentials for strong authentication and identification.
The EU Digital Identity Wallet (EUDIW) is the central instrument of the eIDAS 2.0 regulation. It stores cryptographically signed identity attestations issued by qualified trust service providers, which users share selectively. For financial institutions, it provides attributes verified at source rather than self-supplied document copies.
Financial institutions should map their current identity verification and authentication methods, identify where journeys still rely purely on documents, and build orchestration able to combine wallet attestations with traditional controls. Starting before the 2027 deadline allows a gradual transition rather than a forced rebuild.