Europe is entering a new era of digital identity. With the approval of eIDAS 2 and the rollout of the European Digital Identity Wallet, the foundations of how individuals and organisations authenticate, share data, and build trust online are being fundamentally redefined. This transformation goes far beyond regulatory compliance, reshaping Identity and Access Management, cybersecurity strategies, and user experience across the entire digital economy
In July 2014, the European Union laid the first stone of its digital stronghold with the approval of the eIDAS regulation. It was a pioneering move aimed at standardising electronic identification and creating a secure Digital Single Market. However, today’s technological landscape is unrecognisable compared to that of a decade ago. The explosion of remote work, the mass adoption of cloud services, and the increasing sophistication of modern cyber threats have exposed the limitations of that original framework.
This is where eIDAS 2 comes in. Approved in 2024, it is neither a simple patch nor a minor update; it represents a fundamental architectural shift. For Chief Information Officers (CIOs), Chief Information Security Officers (CISOs), and business leaders, eIDAS 2 marks the critical transition from fragmented identity silos to an interoperable, secure ecosystem that is, for the first time, truly user-centric.
The implications for Identity and Access Management (IAM) are profound. As the deadline approaches for Member States to provide these wallets by the end of 2026, organisations must prepare for a paradigm shift in how they verify, onboard, and interact with their users. Is your infrastructure ready for the biggest change in digital identity of the last decade?
The necessary evolution from eIDAS 2014
The original eIDAS achieved important milestones, such as establishing the legal recognition of electronic signatures across borders. However, it suffered from significant adoption and scope limitations. It relied heavily on national identification schemes that were often technically incompatible with one another.
Under the previous regime, a user could have a digital identity in Spain that was legally valid in Germany, but practically unusable due to the lack of real integration into everyday services. According to data from the European Commission, prior to this revision, only around 60 percent of EU citizens had access to a reliable, cross-border electronic identification system.
The paradigm shift: From the State to the User
eIDAS 2 addresses these gaps by shifting the centre of gravity of identity. The focus moves decisively from the issuer of the identity, the State or a large corporation, to the holder of the identity, the User.
This decentralised approach aligns with modern privacy expectations and with the technical principles of Self-Sovereign Identity (SSI).
The objective is to ensure that citizens and businesses can operate seamlessly in any Member State while retaining control over their data. It is no longer about a company “owning” your data, but about you “granting” access to it under your own conditions.
EUDI Wallet: The crown jewel of digital identity
At the heart of the eIDAS 2 regulation lies the European Digital Identity Wallet (EUDI Wallet). This is the technological vehicle that will drive mass adoption. By the end of 2026, all Member States are required to provide this digital wallet application to their citizens free of charge.
The EUDI Wallet is designed to be a comprehensive repository of the “digital self”. The wallet will store:
- Legal identity: Digital ID card or passport.
- Attributes and credentials: Driving licence, electronic medical prescriptions (ePrescriptions).
- Educational certifications: Verifiable university degrees.
- Financial data: Banking credentials or payment methods.
This transforms the mobile device into a universal tool for interacting with both the physical and digital worlds.
A crucial point is that eIDAS 2 expands the scope of entities required to accept the wallet. Large platforms designated as “gatekeepers” such as major technology companies like Google, Apple, Amazon, and leading banks will be legally obliged to accept the EUDI Wallet for strong user authentication.
eIDAS 2 and IAM: The Revolution of the European Digital Identity Wallet and the Future of Cybersecurity
Technical architecture: How eIDAS 2 works under the hood
To ensure that the EUDI Wallet functions seamlessly across 27 countries with disparate infrastructures, the EU has developed the Architecture Reference Framework (ARF). This technical blueprint ensures that a wallet issued in France “speaks the same language” as a service in Poland.
Radical transparency: Open source and GitHub
In an unprecedented move towards open source transparency, the European Commission maintains the versions and roadmap of the ARF publicly on GitHub. This allows the global technical community, including cybersecurity experts at Devoteam, to examine the code, suggest improvements, and ensure the framework is robust before mass deployment.
Key standards: OIDC and Verifiable Credentials
At the protocol level, we are seeing convergence towards modern standards such as OIDC4VP (OpenID Connect for Verifiable Presentations) and W3C Verifiable Credentials. For IT teams, this means future integrations will be based on open web standards, making it easier to connect with microservices architectures.
Privacy by design: The user takes control
eIDAS 2 enforces Privacy by Design and by Default, fundamentally altering the philosophy of data collection:
- Zero-Knowledge Proofs (ZKP): The regulation popularises selective disclosure. A user will be able to prove they are over 18 without revealing their exact date of birth. This benefits organisations by minimising compliance risks under the GDPR.
- Unobservability: To prevent mass profiling, infrastructure providers are prohibited from tracking user activity, and support for pseudonyms is required.
The seismic impact on Identity and Access Management (IAM)
For technology leaders, the intersection of eIDAS 2 and IAM is where the real transformation takes place. The regulation reinforces key concepts:
- Redefining the role of the Identity Provider (IdP): Companies will move from being custodians of identities to becoming Verifiers. The EUDI Wallet acts as a federated “super-IdP”.
- The end of passwords: The regulation pushes towards passwordless authentication, leveraging secure device biometrics such as Face ID and fingerprint recognition.
- Enterprises as issuers: Universities, insurers, and B2B companies will become issuers of verifiable credentials, integrating their IAM systems to “mint” certifications directly into users’ wallets.
Strategic business opportunities beyond compliance
Viewing eIDAS 2 purely as a regulatory obligation is a mistake. It offers a compelling business case:
- Instant KYC: The EUDI Wallet enables near-instant, legally binding Know Your Customer processes, eliminating friction in banking or telecommunications onboarding.
- QWACs against phishing: The regulation revitalises Qualified Web Authentication Certificates (QWACs), allowing companies to prove their real identity to users and combat impersonation.
Critical challenges on the roadmap to 2027
Despite the optimism, the path ahead includes obstacles that CIOs must map today:
- Technical debt: Adapting legacy IAM systems to support the new ARF protocols will require strategic audits and, in many cases, modernisation towards API-based platforms.
- Cybersecurity: By centralising identity attributes, the EUDI Wallet becomes a high-value target. Enterprise applications that rely on it must be reinforced against advanced social engineering attacks.
Leading the transition to digital trust
eIDAS 2 is the master blueprint for the next decade of the European digital economy. By mandating the EUDI Wallet, decentralising attributes, and enforcing strong authentication, the EU is building a coherent and secure ecosystem.
For the IAM sector, this creates a landscape full of opportunities. Organisations that view eIDAS 2 as a strategic enabler to improve customer experience and reduce fraud will lead the market in trust and operational efficiency.