Compliance Officers
Navigate new regulatory obligations and mandatory acceptance requirements
Regulatory Landscape Changes
eIDAS 2.0 (Regulation (EU) 2024/1183) fundamentally expands the regulatory perimeter for digital identity in Europe. Unlike the original 2014 regulation, which primarily addressed trust services and voluntary eID scheme notification, eIDAS 2.0 creates binding obligations for private sector organizations. If your organization falls into a mandatory acceptance category, compliance is not optional. The regulation intersects with multiple existing regulatory frameworks, including GDPR, the Digital Services Act (DSA), PSD2, and anti-money laundering directives.
For compliance officers, this means a new layer of obligations that must be mapped against your existing compliance program. You must assess whether your organization qualifies as a mandatory relying party, understand the data protection implications of wallet-based identity verification, and establish processes for relying party registration, attribute request management, and regulatory reporting.
Mandatory Acceptance Rules
eIDAS 2.0 defines specific categories of organizations that must accept the European Digital Identity Wallet when users choose to present it. Very large online platforms, as defined under the Digital Services Act, must accept the wallet for user authentication. Financial institutions performing customer due diligence under anti-money laundering regulations must accept it for identity verification. Healthcare providers must accept it when EU or national law requires patient identity verification. Public sector bodies must accept it for access to digital public services.
Non-compliance carries consequences. Member States must establish penalty frameworks for organizations that fail to meet their acceptance obligations. The specific penalties will vary by Member State, but the regulation requires them to be effective, proportionate, and dissuasive. Compliance officers must monitor national transposition measures to understand the specific enforcement landscape in each jurisdiction where their organization operates.
Data Protection Alignment
The intersection of eIDAS 2.0 and GDPR is one of the most critical areas for compliance officers. Every wallet-based identity transaction involves personal data processing, and GDPR obligations apply in full. The good news is that eIDAS 2.0 was designed with GDPR alignment in mind. Selective disclosure enables data minimization by allowing users to share only the specific attributes a relying party needs. The regulation explicitly requires relying parties to request only attributes that are strictly necessary for the service.
However, new complexities arise. You must establish a valid legal basis for processing wallet-derived personal data, whether that is contractual necessity, legal obligation, or legitimate interest. Privacy impact assessments should be conducted for wallet integration projects. The user consent mechanism built into the wallet (where users approve each attribute request) complements but does not replace your GDPR obligations. Your privacy notices must be updated to cover wallet-based data collection, and your data retention policies must account for credential verification records.
Reporting and Audit Requirements
eIDAS 2.0 introduces specific audit and reporting obligations for relying parties. Organizations must maintain records of their wallet-based identity verification transactions, including what attributes were requested, when, and for what purpose. These records must be available for inspection by the national supervisory body. If your organization also operates as a trust service provider or attribute provider, additional audit requirements apply, including regular conformity assessments by accredited bodies.
You should establish internal audit procedures for wallet-based identity processes. Track compliance metrics such as the ratio of attribute requests to actual service requirements (to verify data minimization), response times for supervisory body inquiries, and incident reporting completeness. Build a compliance calendar that accounts for the phased implementation timeline, with particular attention to the deadlines set in implementing acts for your sector and jurisdiction.
Relying Party Registration Process
Before your organization can access EUDIW data, you must register as a relying party with the supervisory body in the Member State where you are established. The registration requires you to declare which attributes you intend to request from wallet holders and the specific purposes for which you need them. This declaration is a binding commitment: requesting attributes beyond what you have registered is a compliance violation.
The registration process serves as a privacy safeguard and an accountability mechanism. Supervisory bodies will review registrations to ensure that attribute requests are proportionate to the stated service purpose. Compliance officers should prepare by mapping every service touchpoint where wallet identity will be used, documenting the minimum necessary attributes for each use case, and drafting the registration declaration. Organizations operating across multiple Member States may need to register in each jurisdiction, depending on national transposition approaches.
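The binding nature of the registration declaration and the transaction records required for supervisory inspection both suggest a concrete control: gate every attribute request against the registered declaration before it reaches the wallet, and log the outcome. The script below is an added example, not code from this page or from any eIDAS wallet or relying-party implementation; the declaration, the service purposes and the attribute names in it are constructed placeholders rather than identifiers from the regulation. It also computes the data-minimization ratio mentioned under the audit requirements (attributes requested divided by attributes the declared purpose requires).

```python
"""Relying-party attribute-request gate and audit metric (added illustration).

Assumes a constructed registration declaration: each service purpose maps to the
attribute set declared to the supervisory body as strictly necessary. All
purposes and attribute names here are placeholders, not regulatory identifiers.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed declaration: purpose -> attributes declared as strictly necessary.
REGISTERED_DECLARATION: Dict[str, FrozenSet[str]] = {
    "account_opening_cdd": frozenset({"family_name", "given_name", "birth_date", "nationality"}),
    "age_gated_checkout": frozenset({"age_over_18"}),
}


@dataclass(frozen=True)
class AuditRecord:
    """One verification transaction with the fields the page says must be kept:
    which attributes were requested, when, for what purpose, and the outcome."""
    timestamp: str
    purpose: str
    requested: Tuple[str, ...]
    permitted: bool
    reason: str


def check_request(purpose: str, requested: List[str], audit_log: List[AuditRecord],
                  declaration: Dict[str, FrozenSet[str]] = REGISTERED_DECLARATION,
                  now: Optional[datetime] = None) -> AuditRecord:
    """Gate a presentation request against the declaration and append the audit record.

    A request is permitted only if its purpose is registered and every attribute
    lies inside the set declared for that purpose. Denied requests are logged too:
    a blocked over-request is itself evidence a supervisory body may ask about.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    wanted = tuple(sorted(set(requested)))
    declared = declaration.get(purpose)
    if declared is None:
        record = AuditRecord(ts, purpose, wanted, False, "purpose not registered")
    else:
        excess = sorted(set(wanted) - declared)
        if excess:
            record = AuditRecord(ts, purpose, wanted, False,
                                 "attributes outside registration: " + ", ".join(excess))
        else:
            record = AuditRecord(ts, purpose, wanted, True, "within registered declaration")
    audit_log.append(record)
    return record


def minimization_ratio(audit_log: List[AuditRecord],
                       declaration: Dict[str, FrozenSet[str]] = REGISTERED_DECLARATION) -> float:
    """Attributes requested divided by attributes the declared purpose requires.

    Exactly 1.0 means every request asked for the declared minimum. Above 1.0
    flags over-requesting; below 1.0 suggests the declaration itself is broader
    than the service needs and should be narrowed at the next registration update.
    Requests for unregistered purposes are excluded (no requirement to compare to).
    """
    in_scope = [r for r in audit_log if r.purpose in declaration]
    requested = sum(len(r.requested) for r in in_scope)
    required = sum(len(declaration[r.purpose]) for r in in_scope)
    return requested / required if required else 0.0


def denied_count(audit_log: List[AuditRecord]) -> int:
    """Number of transactions the gate refused; a non-zero value is an incident signal."""
    return sum(1 for r in audit_log if not r.permitted)


if __name__ == "__main__":
    log: List[AuditRecord] = []
    check_request("age_gated_checkout", ["age_over_18"], log)
    check_request("age_gated_checkout", ["age_over_18", "birth_date"], log)  # over-request
    check_request("loyalty_signup", ["given_name"], log)  # purpose never registered
    for rec in log:
        print(rec)
    print("minimization ratio:", minimization_ratio(log))
    print("denied:", denied_count(log))
```

The ratio is computed over audit records rather than live requests so the same function can be run against the retained verification records during an internal audit; the denial count doubles as an input to incident-reporting completeness.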
Cross-Border Compliance
One of the core principles of eIDAS 2.0 is cross-border recognition: a wallet issued in any Member State must be accepted across all Member States. For compliance officers at multinational organizations, this simplifies some aspects of identity verification (one wallet standard replaces 27 national approaches) but introduces coordination challenges. National transposition of the regulation will vary, penalty frameworks will differ, and supervisory body expectations may diverge.
Build a jurisdictional compliance map that tracks implementation timelines, penalty frameworks, and supervisory body requirements for each Member State where your organization operates. Establish relationships with legal counsel in key jurisdictions and participate in industry working groups that monitor national transposition. The phased rollout of implementing acts means that compliance requirements will emerge incrementally through 2026 and 2027, requiring continuous monitoring and adaptation of your compliance program.
Key Responsibilities
Compliance Action Plan
Complete a regulatory impact assessment to classify your organization under eIDAS 2.0 categories
Map all service touchpoints requiring identity verification and define minimum attribute sets for each
Update privacy notices, data processing records, and retention policies for wallet-based data
Prepare and submit relying party registration declarations to relevant supervisory bodies
Build a cross-jurisdictional compliance calendar tracking implementation deadlines and milestones
Establish internal audit procedures and compliance metrics for wallet-based identity processes