eIDAS 2.0 Explained: Steps to Ensure Compliance

Regulation (EU) 2024/1183, known as eIDAS 2.0 (“electronic IDentification, Authentication, and Trust Services”) is the update to Regulation (EU) No 910/2014.

It entered into force on May 20, 2024, establishing a European Digital Identity Framework and making cross-border electronic identification a reality.

This article serves as your comprehensive guide to understanding the implications of this eIDAS Regulation revision and outlines the essential steps your company must take to be compliant.

What is eIDAS 2.0?

In June 2021, the European Commission unveiled a proposal to update the existing eIDAS Regulation (No 910/2014).

This proposed update, commonly referred to as eIDAS 2.0, stands as a response to the ever-evolving technological landscape and the dynamic needs of the EU digital market and seeks to improve the security and reliability of electronic identification and trust services.

To accomplish this, the main shift in the regulation is the creation of a unified European Digital Identity with a Digital Identity Wallet as a key component.

While we'll delve deeper into this concept shortly, it's essential to recognize that the new eIDAS regulation encompasses more than just the EU Digital Identity Wallet.

eIDAS 2.0 expands the regulation's scope to include more types of electronic trust services, including electronic registered delivery services, electronic certificates for authentication, and electronic seals for digital documents. This means it regulates new services like attestation of attributes and electronic ledgers, among others.

Moreover, eIDAS 2.0 places a strong emphasis on interoperability and security, which are areas to be improved within the current eIDAS regulation. It achieves this by offering technical standards and specifications to reduce fragmentation and by imposing new security requirements for cryptographic algorithms and key management while increasing the focus on data protection.

Understanding the European Digital Identity (EUDI) Wallet

The EUDI Wallet is a mobile application that the Member States will provide free of charge to their citizens, residents, and businesses to store and manage digital credentials and control their digital identity by deciding first-hand who can access their data.

Essentially, the EUDI Wallet offers a secure and standardized means for citizens to demonstrate their identity and personal information across the European Union and to authenticate when accessing different online services, including government services, e-commerce, and other internet platforms.

To put it in perspective, think of the EUDI Wallet as similar to the digital payment card wallets we already have on our smartphones, like Apple Pay, Google Pay, or Samsung Pay, but with a broader range of credentials, including national IDs, driver's licenses, academic diplomas, health records or employee cards.

Public and private authorities cryptographically sign these digital credentials, enabling automatic identity verification. This is a novel form of identification, and as an organization, you must prepare to embrace it.

It is important to note that the EUDI Wallet is not intended to replace the current digital and physical documents, as its usage is optional. Instead, it provides a portable and convenient digital version of these documents.

Moreover, beyond convenience, the goal of the EUDI Wallet is to boost digital trust and security while giving users full control over what data they share with third parties and the ability to monitor such sharing.

Who is impacted by eIDAS 2.0?

The eIDAS 2.0 regulation is set to significantly impact the European Union, with repercussions and opportunities extending to governments, businesses, and citizens alike.

The regulation stipulates that all Member States must introduce at least one European Digital Identity Wallet built on common technical standards aligned with the Architecture and Reference Framework (ARF) and follow compulsory certification to ensure the utmost levels of security and interoperability.

The Gataca Wallet adheres to the EUDI Wallet specifications and reference implementations to ensure compliance.

However, the reach of the European Digital Identity Wallet is not confined solely to the public sector. Private service providers required to use strong user authentication for online identification, including those in transportation, energy, banking and finance, social security, healthcare, telecommunications, and education, must accept European Digital Identity Wallets as an authentication method.

Additionally, very large online platforms (with more than 45 million users), which require user authentication for accessing their services, are also obligated to accept and facilitate the use of European Digital Identity Wallets.

It's essential to stress that for users, the use of the wallet is optional. However, the objective is to equip over 80% of the European population by 2030 with a digital wallet that will allow them to prove their identity and authenticate themselves when accessing online services.

In fact, the Europe Decentralized Identity Market is projected to experience substantial growth, with a forecasted CAGR of 77.8% during the period from 2022 to 2028.

When is eIDAS 2.0 mandatory?

eIDAS 2.0 entered into force on May 2024. We are currently waiting for the Implementing Acts' approval with the technical specifications for the EU Digital Identity Wallets, which may take 6 to 12 months.

Once approved, Member States will have to provide Digital Identity Wallets within 24 months after the adoption of the Implementing Acts, and impacted organizations will have to accept them as an authentication method in the following year.

However, we are already seeing different countries and organizations rolling out their EUDI Wallet implementations.

Why is eIDAS 2.0 an opportunity for organizations?

The introduction of eIDAS 2.0 and the EUDI Wallet presents a mix of challenges and opportunities for citizens, governments, and both public and private sector service providers.

For organizations, the initial challenges, such as investing in technology integration and navigating new regulations, are apparent. However, the anticipated benefits far outweigh these hurdles, which can be effectively addressed with solutions like Gataca’s.

The adoption of the EUDI Wallet offers several advantages that benefit both organizations and citizens:

• Increased Security: With EUDI Wallets, data is less susceptible to large-scale breaches by using biometrics, strong encryption, and distributed storage. This ensures data integrity and reduces the likelihood of identity theft.
• Enhanced User Experience: Managing multiple digital identities has become a considerable burden for users, who are often asked to create a digital identity for each service they want to access. With an ID Wallet, users have passwordless access to online services by simply scanning a QR code to share their credentials, reducing onboarding abandonment rates and increasing retention.

According to the Baymard Institute, in the eCommerce sector, 28% of users mentioned as the second most important reason for dropping out the fact that the site requests them to use a specific account.

• Cut Costs: One of the advantages is the potential for efficiency gains, achieved through reduced operational expenses related to customer identity verification processes, decreased expenditures on fraud prevention, and lowered storage costs for attributes and attestations.

According to the European Commission impact assessment study, the estimated savings from more efficient onboarding procedures for financial services in the EU would range between $860 million and $1.7 billion per year and the estimated savings from reduced fraud could range between €1.1 billion and €4.3 billion.

• Reduced Identity Fraud: Credentials are issued and cryptographically signed by trusted authorities, facilitating automatic identity verification. This ensures that only verified individuals access your organization's services, mitigating losses from fraud, errors, and fines linked to inaccurate customer identification and verification of transactions.
• Enhanced Privacy and Control: Individuals gain greater control over their personal information using an ID Wallet. They can choose what data to share and with whom, increasing data protection and reducing the risk of privacy breaches.
• Cross-border Interoperability: The EUDI Wallet is designed to work seamlessly across different industries and countries, not limited to the European Union.

The European Digital Identity Wallet and its benefits are currently being assessed through the Large Scale Pilots (LSPs) initiative. These pilot projects, led by the EU, feature the participation of over 250 early adopters from private and public organizations across nearly every Member State and aim to evaluate the EUDI Wallet in real-world scenarios like opening bank accounts, applying for university admissions, or requesting a SIM card.

To learn more about use cases, check out our blog on 35 use cases of decentralized identities.

How to prepare for eIDAS 2.0 Regulation: Step-by-Step Checklist

Preparing for eIDAS 2.0 and implementing authentication through digital identity wallets is a multifaceted process that requires a holistic approach to address data privacy, security, and user experience. To ensure a successful implementation and ongoing compliance, it's crucial to involve legal, IT, and product teams.

Here's a step-by-step checklist to guide you through this process:

Step 1: Understanding eIDAS 2.0 Requirements

Start by gaining a solid understanding of the eIDAS 2.0 regulation and its specific requirements for your organization. These key resources are a good starting point:

• Examine the 'EU Legislation in Progress' briefing and the Legislative Train Schedule for updates on legislative milestones and concise summaries.
• Take a deeper dive into the legal text.
• Familiarize with the technical specifications your chosen technology must comply with by reading the Architecture and Reference Framework (ARF).

Step 2: Building a Pilot

Conduct a pilot project to assess the feasibility and gather insights before implementing decentralized identity technology organization-wide to ensure compliance with eIDAS 2.0. Here's what you should do:

a. Assess Current Systems and Processes:

• Processes: Evaluate your organization's existing identity verification and authentication processes.
• Data: Identify which customer data you are collecting and their sources of trust (who issues/attests to the veracity of the information)
• Systems: identify which systems are used in customer onboarding, authentication and data storage processes.

b. Define Specific Use Cases:

• List several use cases and evaluate complexity, necessary stakeholders, generated impact, and capability to scale.
• Choose one that allows you to demonstrate the benefits and that can be expanded gradually to a larger customer base as you gain experience.
• Beyond identity verification and authentication processes, explore the possibility to issue credentials to your users
• Create user stories and journey maps to visualize how users interact with the ID Wallet in the selected use case.
• Estimate volumes for active users and issued credentials

c. Identify and Engage Stakeholders:

• Engage and get commitment from all impacted stakeholders, including internal teams, decision-makers, customers, national authorities, regulators, and partners.
• Do not underestimate the need to liaise with them, as their support is key to aligning with eIDAS 2.0 requirements.

d. Choose the Right Technology Partner:

• Select a decentralized identity technology solution that complies with the EUDI Wallet and eIDAS 2.0 standards and requirements.
• Consider factors like a strong track record and expertise in decentralized identity technology, deployment options (on-premise versus cloud strategies), industry expertise, implementation times, scalability, customization, user-friendliness, and support quality.

e. Plan and Design:

• Create a high level plan with prerequisites, architecture, technical specifications, and integration requirements.
• Set clear deadlines, milestones, and service levels for pilot users.

f. Execute the Pilot and Gather Results:

• Assess how the implementation of ID Wallets aligns with eIDAS 2.0 and gather user feedback.
• Refine user experience and address any issues before full-scale implementation.

Step 3: Incremental Scaling

A successful pilot serves as a foundation for incremental scaling. Here's what to do in this phase:

• Expand the use of decentralized identity technology to different and more complex use cases or to a larger user base as you gain confidence and as the organization's or regulatory needs evolve.
• Educate employees, especially the IT department, to ensure compliance and understanding of the new solution.
• Promote and educate your user base on using digital identity wallets for authentication and facilitate customer support if needed.
• Establish ongoing monitoring and auditing procedures to ensure continuous compliance with eIDAS 2.0.

This process can be time-intensive from start to finish, so now that eIDAS 2.0 has been adopted and you must be compliant in the next two years, we recommend to start a pilot to test and refine your systems before it takes full effect.

How can Gataca help?

Gataca stands ready to assist governments and organizations in achieving trusted digital identities that comply with eIDAS.

As a domain expert in decentralized digital identity, we've deployed our technology across governments, banks, universities, and different organizations with successful implementations of our solutions.

Moreover, both Gataca Studio and Gataca Wallet are aligned with eIDAS 2.0 and EUDI Wallet specifications, ensuring compliance with the regulation.

Speak to Gataca to explore how our solutions can cater to your organization's specific compliance needs, or get started with our solutions here.