Skip to content

AI-generated content: Responses are generated by AI, automatically assembled and may contain errors. Conformi is a research tool and does not replace legal advice or case-by-case legal review. All responses should be verified using the linked original sources.

Conformi/Knowledge Base/eIDAS/eIDAS 2.0
🪪Digital identity

European Digital Identity Framework (eIDAS 2) — Regulation (EU) 2024/1183

Analysis from 12 May 20263 sourcesOriginal version of Regulation (EU) 2024/1183; application of acceptance and provisioning obligations is contingent on entry into force of the implementing acts.EUR-Lex Original

What duties does eIDAS-2 place on my company — accepting the EUDI Wallet, registering as a relying party, or penalty risk as a trust service provider?

eIDAS-2 distinguishes three addressee groups: trust service providers face EU-level minimum maximum administrative fines of EUR 5 million or 1 % of worldwide annual turnover [Art. 16(2)]; private relying parties in twelve regulated sectors (e.g. banking, health, telecom) must accept the EUDI Wallet within 36 months of entry into force of the implementing acts, only upon voluntary user request [Art. 5f(2)]; relying parties register in their Member State of establishment [Art. 5b].

Short Answer

Regulation (EU) 2024/1183 amends the eIDAS Regulation 910/2014 and introduces the European Digital Identity Wallet (EUDI Wallet). Three duty tracks must be distinguished: (1) Member States provide at least one EUDI Wallet within 24 months of entry into force of the implementing acts [Art. 5a]. (2) Any party that intends to rely on the wallet — a Relying Party — registers in the Member State of establishment with intended use and data categories [Art. 5b]; private relying parties (other than micro and small enterprises) in twelve regulated sectors and providers of very large online platforms must accept the wallet upon voluntary user request [Art. 5f(2) and (3)]. (3) Qualified and non-qualified trust service providers are subject to the specific EU minimum maximum fines under Art. 16(2) and supervisory action under Art. 20.

Who is affected

Three clearly delineated addressee groups: (a) Member States — wallet provision [Art. 5a]. (b) Relying parties — registration in the Member State of establishment [Art. 5b]; acceptance obligation (i) for public sector bodies that require electronic identification [Art. 5f(1)], (ii) for private relying parties (other than micro and small enterprises) in the twelve sectors transport, energy, banking, financial services, social security, health, drinking water, postal services, digital infrastructure, education and telecommunications, where strong user authentication is required by law or contract [Art. 5f(2)], and (iii) for providers of very large online platforms within the meaning of Art. 33 DSA [Art. 5f(3)]. (c) Qualified and non-qualified trust service providers — specific sanction regime with EU minimum maximum fines [Art. 16(2)].

Deadline

The principal acceptance deadline for private relying parties in the twelve regulated sectors runs for 36 months from entry into force of the implementing acts referred to in Art. 5a(23) and Art. 5c(6) [Art. 5f(2)]; Member States provide the wallet within 24 months of entry into force of the same implementing acts [Art. 5a]. The Regulation has been in force since 20 days after publication; the application date of the acceptance and provisioning obligations is contingent on entry into force of the implementing acts still to be adopted.

Risk

Sanctions differ by addressee group. For qualified and non-qualified trust service providers, Art. 16(2) sets EU minimum maximum administrative fines: for natural persons, at least EUR 5 million; for legal persons, at least EUR 5 million or 1 % of the total worldwide annual turnover of the undertaking to which the trust service provider belonged in the financial year preceding the infringement, whichever is higher. Qualified trust service providers may lose qualified status following a supervisory audit [Art. 20]. For all other addressees of the Regulation — in particular private relying parties and providers of very large online platforms — the general sanctions clause of Art. 16(1) applies: Member States lay down sanctions that are effective, proportionate and dissuasive, complemented by sector-specific enforcement (e.g. under the DSA, national telecoms or banking supervision). The Regulation does not set EU-wide minimum amounts for these addressees.

Proof

Legal status

  • In force
  • as of 2026-05-12
  • Original version of Regulation (EU) 2024/1183; application of acceptance and provisioning obligations is contingent on entry into force of the implementing acts.

Primary sources

What to do now

Legal / DPO

  • Determine whether your organisation qualifies as a relying party under Art. 5b(1) by mapping your services against the regulated sectors in Annex I (banking, health, transport, energy, education, telecom, public services) and register with the competent authority as required [Art. 5b(2)].
  • Review and update all contracts with trust service providers to ensure alignment with the strengthened requirements for qualified trust service providers, including the obligation to use certified qualified electronic signature creation devices [Art. 24, Art. 29].
  • Assess whether any attestation of attributes your organisation issues (e.g., professional licences, company registrations) requires qualified status under Art. 45a and, if so, initiate the conformity assessment process with a recognised body [Art. 20a].

Compliance

  • Establish an internal governance framework for accepting and processing EUDI Wallet-based identity presentations, including data minimisation procedures and purpose-limitation controls as required by Art. 5a(4) and Art. 5a(16).
  • Prepare a gap analysis of existing electronic identification and trust service processes against the new requirements — particularly the obligation to validate electronic attestations of attributes and check their revocation status [Art. 5d].
  • Ensure your conformity assessment documentation and supervisory audit trail are ready for the updated oversight regime, which now includes regular audits at least every 24 months for qualified trust service providers [Art. 20(1)].

IT / Security

  • Design and implement technical infrastructure for EUDI Wallet integration, ensuring support for privacy-preserving selective disclosure and unlinkability techniques as mandated by Art. 5a(16)(a) and Art. 5a(16)(b).
  • Upgrade cryptographic validation systems to handle qualified electronic signatures, qualified electronic seals, and qualified electronic attestations of attributes across all supported assurance levels [Art. 29, Art. 35, Art. 45a].
  • Conduct a security assessment of all qualified signature and seal creation devices used or planned, ensuring they meet the updated certification requirements under Art. 30 and Annex II.

Product / Engineering

  • Build user-facing authentication and consent flows that support EUDI Wallet selective attribute disclosure, ensuring the user retains full control over which data points are shared [Art. 5a(4)(c)].
  • Integrate qualified web authentication certificate (QWAC) recognition into your web services or platforms to ensure transparent presentation of verified website identity to end users [Art. 45(2)].
  • Implement electronic archiving or electronic ledger features where your product handles qualified trust service outputs, aligning with the newly introduced trust service categories under Art. 45d and Art. 45g.

Key Terms

European Digital Identity Wallet
An electronic product issued under the authority of a Member State that stores identity data and electronic attestations of attributes for authentication and cross-border transactions [Art. 5a(1)].
Relying party
A natural or legal person that relies on electronic identification, a trust service, or an electronic attestation of attributes for the purpose of providing a service [Art. 3(6)].
Qualified trust service provider
A trust service provider that has been granted qualified status by a supervisory body after successfully completing a conformity assessment [Art. 3(20)]. Its services carry a legal presumption of compliance.
Electronic attestation of attributes
An electronic attestation that allows the authentication of specific attributes of a person, such as professional qualifications or organisational affiliations [Art. 3(45a)].
Qualified web authentication certificate (QWAC)
A certificate for website authentication issued by a qualified trust service provider that links a website to the legal or natural person to whom it was issued [Art. 3(38)].
Selective disclosure
The capability of a wallet user to share only specific attributes or data elements from a broader attestation, rather than revealing the full dataset, ensuring data minimisation [Art. 5a(4)(c)].
Electronic ledger
A tamper-proof electronic record of data providing the authenticity and integrity of the data it contains, the accuracy of the date and time, and the sequential chronological ordering [Art. 3(53a)]. A new trust service category introduced by this Regulation.
?

Frequently Asked Questions

What is the European Digital Identity Wallet (EUDI Wallet)?
The EUDI Wallet is a product issued by or on behalf of a Member State that allows natural and legal persons to securely store, manage, and present identity data and electronic attestations of attributes for the purpose of authentication and electronic transactions [Art. 5a(1)]. It must be free of charge for natural persons and offer selective disclosure of attributes [Art. 5a(4)].
Which organisations must accept the EUDI Wallet?
Relying parties in sectors listed in Annex I — including banking and financial services, healthcare, transport, energy, education, telecom, water supply, and digital public services — are obliged to accept EUDI Wallet presentations when a user requests it [Art. 5b(1)]. The obligation takes effect once Member States have made wallets available.
Does the Regulation set specific fines for non-compliance?
No. Unlike the GDPR or the AI Act, this Regulation does not prescribe EU-wide fine ceilings. Instead, Art. 48 requires each Member State to establish its own penalty regime, which must be effective, proportionate, and dissuasive. The most significant risk for trust service providers is losing their qualified status [Art. 20(2)].
What is an 'electronic attestation of attributes'?
An electronic attestation of attributes is an attestation in electronic form that allows the authentication of attributes such as professional qualifications, educational diplomas, or company data [Art. 3(45a)]. When issued by a qualified trust service provider, it carries a legal presumption of accuracy and authenticity across the EU [Art. 45a].
How does the Regulation affect web browsers?
Web browsers must recognise qualified certificates for website authentication (QWACs) and display the identity information contained in them, without altering the browser's own web security and privacy mechanisms [Art. 45(2)]. This provision was one of the most debated aspects of the Regulation.
When exactly must Member States offer EUDI Wallets?
Member States must make at least one EUDI Wallet available to citizens within 24 months after the relevant implementing acts (specifying wallet standards and protocols) enter into force [Art. 5a(5)]. The Commission was required to adopt these implementing acts in staggered batches between May 2025 and May 2026 [Art. 5a(23)].
What is the relationship between this Regulation and the original eIDAS?
Regulation (EU) 2024/1183 does not replace eIDAS but amends it. It modifies Regulation (EU) No 910/2014 by inserting the EUDI Wallet provisions (Art. 5a-5f), expanding the trust services framework, and updating cross-border recognition rules [Art. 1]. The amended Regulation is informally known as 'eIDAS 2'.
3

Assessment Factors & Checklist

Premium
Start 7-day free trial
4

Questions for Your Lawyer

Premium
Start 7-day free trial
5

Conclusion & Summary

Premium
Start 7-day free trial

Detailed analysis with source links.

Schalten Sie die KI-Analyse frei — mit markierten Fundstellen und direkten Links zu EUR-Lex. 7 Tage kostenlos testen.

Start 7-day free trial

Keine Kreditkarte heute. Kündigung jederzeit.