What Is eIDAS 2? Everything You Need to Know

The European Union (EU) is one of the most complex and ambitious regulatory environments. With the entry into force of the second iteration of the Electronic Identification, Authentication, and Trust Services (eIDAS) Regulation, EU businesses must navigate changes and adapt to one of the region’s most significant shifts in digital identity, authentication, and trust infrastructure since 2016.

Together with the related technical standard, eIDAS 2 establishes a unified legal and technical foundation for how individuals authenticate, how identity data is shared, and how trust services operate across borders. It reshapes the European digital identity ecosystem into one that is more interoperable, more privacy-preserving, and more resilient against emerging fraud and security threats.

At the same time, these changes take place against the backdrop of global ID proofing convergence, as regulators worldwide strengthen security expectations, prioritize fraud prevention, and increasingly converge remote ID proofing and financial-services onboarding requirements. eIDAS 2 now forms part of a broader, international shift in high-assurance digital identity.

Below, we break down eIDAS 2 and deliver everything you need to know to achieve compliance with the regulation requirements. We will cover the following topics:

• What is eIDAS? 
• What is eIDAS 2? 
• Identity verification under eIDAS 2 and ETSI v2
• Who is a trust service provider?
• How to achieve eIDAS 2 compliance
• Simplify compliance with Entrust 

eIDAS – which stands for electronic Identification, Authentication, and Trust Services – is the comprehensive EU regulation that introduced the first harmonized legal framework for electronic identification and trust services across all EU Member States.

Before its adoption, the EU relied on a patchwork of national laws – Germany’s Signaturgesetz, France’s law on electronic signatures, Italy’s Codice dell’Amministrazione Digitale, Spain’s Law 59/2003, and others – each with distinct rules, security requirements, and formats. As a result, the approach to performing electronic identification and remote identity verification varied significantly from one Member State to another.

This fragmentation made cross-border digital interactions difficult. An electronic signature or identity credential valid in one Member State might not be recognized in another, forcing organizations to maintain parallel processes and undermining the trust in electronic transactions. The absence of a common framework also limited the expansion of secure online services and impeded the development of cross-border e-commerce.

The first eIDAS Regulation (EU No 910/2014) was an attempt at addressing these issues by establishing a harmonized EU-wide framework. Adopted in 2014 and fully enforced from 2016 onward, it anchored three key principles:

• Mutual recognition: All Member States were legally required to recognize each other’s notified national eID schemes.
• Interoperability: The Regulation ensured compatibility between different electronic identification solutions and trust services across the EU.
• Security: eIDAS introduced rigorous security requirements for electronic signatures, seals, timestamps, and certificates.

It also formalized the role of trust service providers (TSPs), who must be accredited and supervised before issuing qualified services.

Importantly, eIDAS applies not only to public-sector bodies but also to private-sector organizations that rely on electronic identification or trust services – including financial services, insurance, healthcare, and e-commerce. It therefore functions as a unified digital-trust infrastructure for all cross-border electronic interactions within the EU.

While the regulation significantly improved Europe’s digital-trust landscape, several limitations persisted. By 2021, the use of national eIDs across borders remained limited, private-sector adoption was uneven, and the scope of the framework no longer reflected how digital identity and trust services were being used. These gaps ultimately led to the development of an amendment to the Regulation: eIDAS 2. 

eIDAS 2 – formally the European Digital Identity Regulation (Regulation (EU) 2024/1183) – is the updated and expanded version of the original eIDAS framework. It was published in the Official Journal of the European Union in April 2024 and started a gradual entry into force on May 20, 2024.

The revision was driven by persistent limitations in the first regulation. By 2021, the use of national electronic identification schemes across borders remained low, adoption by private sector relying parties was inconsistent, and significant divergences existed between Member States in how remote identity assurance and trust services were implemented. These inconsistencies created friction for businesses operating in multiple jurisdictions, with  only 59% of EU residents able to use a trusted eID outside their home country.

eIDAS 2 represents a structural evolution of Europe’s digital identity and trust services framework. It addresses the limitations of the original framework, expands the list of regulated trust services, strengthens security and governance requirements, and – most notably – introduces the European Digital Identity (EUDI) Wallet as a mandatory component of national digital identity ecosystems.

Where the original regulation laid the foundation for cross-border trust, eIDAS 2 provides the blueprint for a more advanced, interoperable, high-assurance, and user-controlled digital identity model across the European Union.

An expanded regulatory scope

The original eIDAS Regulation (2016) laid the foundations for electronic identification and trust services in the EU, but its scope remained relatively limited; it did not anticipate the breadth of digital interactions that now rely on high-assurance identity and trust mechanisms. While the framework provided legal certainty for electronic signatures, seals, timestamps, and qualified certificates, it did not encompass several trust-service capabilities that have since become central to digital business models and cross-border interoperability.

eIDAS 2 expands this significantly. The updated regulation strengthens the role of qualified trust service providers (QTSPs) – entities certified to offer secure and reliable trust services – who must now comply with harmonized supervisory expectations aligned with EU cybersecurity law. This includes mandatory security baselines, regular audits, formalized incident reporting, and consistent requirements for key management and operational resilience across the Union.

Additionally, eIDAS 2 expanded the rule's scope to include four new qualified trust services:

1. Electronic archiving services: These services provide secure, long-term storage of electronic documents and data. These services ensure that archived data and documents remain authentic and unaltered throughout its retention period, thus preserving their integrity and legal value. This capability is essential for industries like healthcare, finance, and the public sector, where compliance requires reliable retention of sensitive data and documents with guaranteed integrity over time.
2. Electronic ledgers: This service provides a secure and immutable record of transactions and data. This ensures electronic data can be reliably tracked and verified, supporting various applications and use cases such as financial transactions, supply chain management, and more.
3. Management of remote electronic signature- and seal-creation devices (QSCD): This trust service enables e-signature vendors to manage signing and sealing processes remotely, while preserving the stringent security requirements associated with QSCDs. It enables secure cloud-based signing and sealing, supports remote work and cross-border transactions, and expands the usability of qualified signatures without compromising the signatory’s sole control over their signing keys.
4. Issuance of Qualified Electronic Attestation of Attributes: eIDAS 2 introduces Qualified Electronic Attestation of Attributes (QEAA), which allow trusted authorities to certify the accuracy of specific attributes relating to a person, organization, or device. These may include age, professional licenses, educational qualifications, or account identifiers. A QEAA takes the form of a digitally signed attestation that can be stored and used within an EU Digital Identity Wallet, facilitating privacy-preserving attribute sharing and enabling high-assurance identity-attribute exchange across the EU.

By expanding the trust-services catalog, the regulation strengthens the overall integrity, security, and interoperability of the EU’s digital-identity and trust ecosystem.

eIDAS 2 also introduces new obligations for certain private sector relying parties. Banks, telecommunications operators, and other high-value service providers will be required to accept the EU Digital Identity Wallet for defined use cases from 2027. The regulation embeds principles of sole user control and privacy-by-design, allowing individuals to disclose only the minimum set of attributes necessary for a given transaction.

Finally, this expansion resolves long-standing inconsistencies observed under eIDAS 1.0, where national supervisory authorities interpreted remote identity-verification requirements differently. Some Member States required QES-based onboarding (e.g. France), others relied on live video calls (e.g. Germany), while others accepted ETSI-conformant remote IDV (e.g., Italy and Romania). eIDAS 2 harmonizes these interpretations and provides a consistent, cross-border framework for high-assurance identity proofing and trust-service usage across the EU.

The European Digital Identity Wallet (EUDI Wallet)

Under the original eIDAS Regulation (2016), Member States could voluntarily notify their national electronic identification schemes, making those schemes legally recognizable across the EU. This voluntary model had a critical limitation: Countries without an existing eID system were under no obligation to create one. As a result, adoption rates varied significantly from state to state, and cross-border interoperability remained uneven.

eIDAS 2 replaces this approach with a mandatory and harmonized framework. By the end of 2026, every Member State must issue at least one EU Digital Identity Wallet (EUDI Wallet). This wallet will allow individuals and businesses to store and manage their national eIDs alongside verified attributes and credentials – such as driver’s licenses, diplomas, professional qualifications, or bank account information – and to share them securely and selectively. This creates a universal, portable digital identity across Europe.

The objective is to give Europeans full control over their digital identity when interacting online, enabling them to disclose only what is strictly necessary and reducing reliance on fragmented login systems or repeated identity checks. For defined public- and private-sector use cases, relying parties will be required to accept the wallet for authentication, ensuring a consistent, trusted experience across the EU.

The EUDI Wallet is built on three key pillars:

1. Security: The wallet aligns with existing EU data-protection and cybersecurity legislation, including the General Data Protection Regulation (GDPR) and the NIS2 Directive, embedding privacy-by-design principles and strong technical safeguards.
2. Convenience: The wallet makes it easier for citizens and residents to access public services, apply for jobs, open bank accounts, or conduct other cross-border activities. They can use this tool to share identity details with organizations for authentication purposes. It consolidates identity information into a single, reusable tool, removing the need for multiple logins or repeated verification steps.
3. Interoperability: The regulation establishes a common technical framework and harmonized standards to ensure that digital identity credentials stored in the wallet are accepted throughout the EU. By defining common specifications for wallets, service providers, and public authorities, it ensures interoperability between national systems. This harmonization promotes a unified, cross-border approach to digital identity, fostering trust and recognition of credentials for citizens and businesses alike.

Under eIDAS 2, every Member State must make at least one EUDI Wallet available to citizens and residents by December 2026, marking a major step toward a fully interoperable digital identity landscape in Europe. 

Taken together, these changes shift eIDAS from a fragmented digital identity framework to a harmonized, user-centric, and mandatory pan-European approach, with common rules for how digital identities and trust services are issued, verified, and accepted across the EU. 

How eIDAS 2 relates to ETSI

The European Telecommunications Standards Institute (ETSI) is an independent, non-profit standards body responsible for developing globally recognized specifications for information and communications technologies. Under eIDAS, ETSI plays a critical role: It translates the regulation’s high-level legal obligations into precise, auditable technical requirements. This work is reflected in standards such as ETSI TS 119 461 and the broader ETSI EN 319 series, which define how trust services and identity proofing must operate in practice. 

With eIDAS 2 introducing the EU Digital Identity Wallet and new qualified trust services such as QEAAs, ETSI has updated and expanded its standards to define the security, interoperability, and technical controls required for compliance. These standards serve as the technical backbone that ensures Member States and trust service providers implement eIDAS 2 consistently and securely. 

Remote identity verification is a central component of the eIDAS 2 ecosystem. To support uniformity across the EU, the regulation is paired with its dedicated operational standard, ETSI TS 119 461 v2.1.1.

The relationship between the two instruments is foundational:

• eIDAS 2 establishes the legal requirements for identity proofing.
• ETSI v2 defines how those requirements must be satisfied in practice, through specific, auditable technical controls.

The role of ETSI 119 461 v2: The technical backbone

ETSI v2 sets out the detailed requirements for remote and automated identity proofing, including:

• How identity documents must be validated and cross-checked, including MRZ and visible-zone consistency and verification of security features
• How biometric data must be captured, analyzed, and protected against spoofing, deepfakes, and presentation attacks
• How identity attributes and evidence must be matched across sources
• What evidence must be retained to support regulatory audits and supervisory oversight
• How higher-assurance onboarding must be performed under the Extended Level of Identity Proofing (LoIP)

It ensures that identity verification across the EU is not only uniform but also technically rigorous and resistant to modern fraud patterns. The eIDAS Regulation is already referenced by the European Banking Authority (EBA) guidelines for remote onboarding, AML directives, and the forthcoming AML regulation. It is also part of supervisory expectations and requirements under PSD2 and related financial-crime frameworks.

This regulatory alignment has significant implications. ETSI v2 has become the operational benchmark for remote identity verification across Europe, particularly in financial services. An identity-verification process designed in conformity with ETSI v2 will, in principle, satisfy eIDAS 2, AML/KYC obligations, and supervisory expectations simultaneously. For financial institutions, this convergence reduces fragmentation and provides a clear, harmonized framework for cross-border onboarding.

Impact on financial services

The EU is moving toward regulatory convergence between eIDAS 2 and Anti-Money Laundering (AML) frameworks, creating a unified approach to remote identity verification (IDV). This alignment makes ETSI-certified onboarding the gold standard, ensuring legal certainty and interoperability across all the EU Member States.

For financial institutions, such as banks, payment providers, and regulated financial institutions, the introduction of eIDAS 2 therefore means one harmonized framework for onboarding customers across borders. The convergence delivers:

• Lower compliance costs: A single ETSI-certified IDV process enables financial services providers to meet obligations originating from multiple regulatory frameworks (eIDAS, AMLD6, PSD2), reducing duplication and simplifying audits preparation.
• Cross-border interoperability: ETSI-compliant onboarding processes are recognized across all EU Member States, enabling consistent onboarding and streamlined expansion into new markets.
• Enhanced fraud prevention and security: ETSI v2 introduces rigorous biometric-integrity and anti-spoofing controls, mitigating risks associated with deepfakes and sophisticated presentation attacks –now critical in high-risk transaction environments.

In this wake, financial institutions need to prepare for phased compliance: 

A trust service provider (TSP) is a legal or natural person that provides one or more trust services under eIDAS and is supervised by a national authority. Their role is to ensure that digital interactions – from signing and sealing documents to timestamping data or transmitting sensitive information – are secure, authentic, and legally reliable. TSPs also uphold confidentiality and non-repudiation of information and enable the authentication of websites or signatories.

Their services provide the mechanisms to verify the authenticity and integrity of electronic documents, identities, and communications. They are a central component of the eIDAS 2 framework, ensuring that online and digital interactions achieve the same levels of assurance and legal effect as traditional paper-based processes. When a provider satisfies the most stringent requirements and is formally accredited, it becomes a Qualified Trust Service Provider (QTSP) and may provide qualified trust services that carry specific legal effects across the EU.

Under eIDAS 2, trust services include both those established under the original eIDAS Regulation and a range of new ones designed to address evolving digital identity needs. These include:

1. Electronic signatures for individuals

   An electronic signature allows individuals to sign documents digitally with integrity and authenticity guarantees, i.e. providing a secure and verifiable way to ensure the signer is who they claim to be and that the document has not been altered since the signature was applied. The regulation classifies these signatures into three levels: Simple electronic signature: Offers basic security suitable for low-risk use cases. Advanced electronic signature: Provides a higher level of security by linking the signature uniquely to the signer and allowing for the detection of any changes made to the signed data. Qualified electronic signature (QES): Issues the highest level of security and carries the same legal effect as a handwritten signature. It must be created using a qualified signature creation device (QSCD) and backed by a qualified certificate issued by a Qualified Trust Service Provider (QTSP). QSCDs typically rely on secure cryptographic hardware, such as a hardware security module (HSM), that has undergone an eIDAS certification process.

    

2. Electronic seals (ESeals)

   Electronic seals function similarly to signatures but are used by legal entities (e.g. companies) rather than individuals. They are widely used for invoices, official communications, and compliance documentation. Under eIDAS 2, seals confirm a document’s origin and integrity, verifying it was issued by a specific entity and has not been altered. Similar to electronic signatures, they can be simple, advanced, or qualified.

    

3. Electronic timestamps

   A timestamp proves that a specific electronic document or piece of data existed at a certain point in time and has not been altered since. It is a secure way to establish the origin of document creation, submission, or receipt, adding another layer of integrity and trust. eIDAS 2 strengthens timestamp requirements to support long-term and verifiable evidence that data existed at a specific moment, preserving its integrity. It is mainly used in sectors like finance, healthcare, and legal services. Electronic timestamps can either be qualified or non-qualified.

    

4. Qualified website authentication certificates (QWACs)

   In short, a QWAC is a file that proves the authenticity of a device, server, user, or entity using public key cryptography. It contains a copy of a public key from the certificate holder, which must be matched to a corresponding private key to verify its provenance. It is the European equivalent of a public TLS/SSL  certificate. Under eIDAS 2, QWACs remain critical for building trust between users and online services, especially financial institutions and government portals.

    

5. Qualified electronic registered delivery service (ERDS)

   An ERDS ensures secure electronic transmission of data with proof of sending and receipt, offering legal certainty similar to registered postal mail. It is crucial for sensitive communications such as contracts, regulatory filings, and official notices. eIDAS 2 enhances ERDS interoperability through ETSI standards, harmonizing regulatory approaches for cross-border secure messaging.

    

6. Qualified electronic attestation of attributes (QEAA)

   A QEAA allows trusted verification of personal or organizational attributes, such as name, age, professional qualifications, or licenses. This service supports identity verification and KYC processes without exposing unnecessary personal data, thanks to selective disclosure. It certifies identity attributes for wallet-based interactions and, as such, is a cornerstone for privacy-preserving digital identity in the EUDI Wallet ecosystem.

    

7. Electronic archiving of digital documents

   This service ensures long-term preservation of electronic documents with integrity and authenticity guarantees. It addresses the growing need for secure digital storage in compliance-heavy industries like healthcare, finance, and government. Archiving under eIDAS 2 requires relying on cryptographic methods to maintain trust over time.

    

8. Electronic ledger services

   Electronic ledgers provide immutable record-keeping using blockchain or similar technologies. They enable transparent, tamper-proof audit trails for financial transactions, supply chain management, and regulatory reporting. By introducing this service, eIDAS 2 supports decentralized trust models and future-proof compliance frameworks.

    

9. Remote management of QSCDs

   Remote QSCD management allows for secure remote control of signature creation devices, enabling qualified electronic signatures (QES) and seals without physical presence. This innovation supports remote work and digital transformation while maintaining the highest security standards. It is particularly relevant for cross-border business operations and cloud-based signing solutions. 

The introduction of eIDAS 2 marks a significant shift in how digital identity and trust services operate across the EU. By 2026, all Member States must support the EUDI Wallet, and organizations in regulated sectors – including financial services, telecom, and healthcare – will need to comply with new requirements for identity verification and trust services.

Compliance pathways vary depending on an organization's role in the digital-identity ecosystem. Requirements differ between relying parties – EU businesses that use identity verification and trust services – and trust service providers (TSPs), which issue those services under regulatory supervision.

EU businesses

For EU businesses that use identity verification as part of their onboarding or transaction flows, compliance will increasingly require aligning with ETSI TS 119 461 v2 and with the wallet-based authentication model introduced by eIDAS 2. In practice, this means:

• Implementing robust remote identity proofing processes with biometric integrity, spoofing resilience, and document-authenticity checks
• Integrating qualified electronic signatures or certificate  where legally required
• Preparing systems to accept EUDI Wallet–based authentication and Qualified Electronic Attestations of Attributes (QEAAs)

These changes ensure that relying parties support a consistent, high-confidence verification model across the EU.

Trust service providers

For trust service providers, compliance requires operating QSCDs, PKI infrastructures, and trust-service platforms in accordance with the technical and supervisory requirements defined under eIDAS and the relevant ETSI standards.

This includes:

• Secure generation and storage of signing keys within QSCDs
• Tightly controlled access to signing and sealing functionalities
• Reliable evidence logging, retention, and archiving
• An organizational and security framework capable of passing supervisory audits and meeting incident reporting obligations.

TSPs must use certified QSCDs to create qualified electronic signatures. These devices ensure the signature creation data – such as private keys – is generated, managed, and stored in a secure environment, preventing unauthorized access.

Service providers should also implement a robust public key infrastructure (PKI) to manage digital certificates and cryptographic keys. PKI underpins the secure issuance, distribution, and verification of digital certificates, ensuring trust in electronic signatures and other trust services. TSPs must therefore maintain compliant key-management practices, secure lifecycle controls, and alignment with all applicable eIDAS requirements.

Effective identity and access management (IAM) systems are equally critical for TSPs to manage user identities and control access to their services. These systems should incorporate strong authentication methods, such as multi-factor authentication (MFA), to verify users' identities. IAM solutions can also ensure that only authorized individuals and personnel can perform sensitive operations, such as issuing certificates or creating electronic signatures.

In both cases, the shift introduced by eIDAS 2 concerns not only the tools organizations use, but the way those tools are governed, tested, and demonstrated to regulators. Alignment with ETSI TS 119 461 v2 and the broader ETSI standards provides the clearest and most auditable pathway to demonstrating that identity verification and trust-service operations meet the new, harmonized assurance level expected across the EU. 

As a founding member of the Cloud Signature Consortium and a long-standing leader in PKI, trust infrastructure, and cybersecurity, Entrust helps organizations meet the evolving requirements of eIDAS 2.

Our solutions integrate seamlessly with KYC and AML onboarding workflows and support the robust, privacy-centric identity-verification practices expected under eIDAS 2 and financial-sector regulations.

Entrust provides ETSI-aligned identity verification that combines document verification, biometric checks, and device intelligence within an efficient, automated workflow. These capabilities help enable secure and reliable remote onboarding without video calls or manual processing, while maintaining alignment with GDPR and ETSI requirements. They also support cross-border interoperability, allowing organizations operate consistently across EU Member States.

In addition, Entrust’s leadership in PKI and trust infrastructure helps customers build and operate compliant digital-trust services on a secure and scalable foundation. Our technology supports organizations seeking to implement digital signing workflows or other trust-service architectures in ways that align with the technical expectations reflected in IDAS 2. With Entrust, organizations can move confidently into the eIDAS 2 era, supported by reliable, interoperable, and future-ready identity-verification and trust-infrastructure capabilities.