The awaited eIDAS Regulation (EU) 1183/2024, known as eIDAS2.0, introduces new comprehensive rules aimed at facilitating a secure and seamless Europe-wide digital identity framework by amending the first eIDAS Regulation (EU) 910/2014. As the most notable change, eIDAS2.0 introduces a new EU Digital Identity Wallet (EUDI Wallet), meaning an electronic authentication application that must be interoperable throughout the EU. In function, the application will be similar to ordinary wallets, especially when looking at what types of data are stored in it. The Regulation entered into force on 20 May 2024 and the European Commission is due to adopt technical implementing acts in November 2024, after which the Member States have 24 months to implement at least one EUDI Wallet.
Goals of eIDAS2.0 in a nutshell
The EU has set itself several ambitious goals in its EU Digital Compass. These include:
- a European Union where 100% of essential public services are accessible online, and
- 80% of European citizens having a digital ID by 2030.
The eIDAS2.0 Regulation is a key step towards achieving these goals and aims to update the European digital identity framework and introduce a new European Digital Identity Wallet (EUDI Wallet). There is much to be done as only about half of EU countries currently have any form of digital identity system in place and even they are often limited to the public sector and are not interoperable across national borders.
For Fintechs and other eID solution providers, the eIDAS2.0 presents huge business opportunities by encouraging private sector partners to develop digital wallets on the Member States’ behalf. In addition, when implemented, an EU-wide eID solution will also enable Fintechs and other actors providing solutions that require or leverage authentication to have better business opportunities through an interoperable EU-wide authentication ecosystem. The European Commission estimates that eIDAS2.0 solutions will generate annual savings of €11 billion at the EU level.
For businesses and individuals, the eIDAS2.0 means upgrades to data processing and security. Firstly, the EU aims to minimise the processing of personal data and improve privacy and security (reducing identity theft and security breaches in the context of authentication) through eIDAS2.0. To add to this, one of the main uses of the EUDI Wallet is the know-your-customer (‘KYC’) process, as the wallet is intended to facilitate the business processes of financial institutions (and other bodies with a duty of knowing their customers) by providing reliable identification through an electronic and EU-wide interoperable identification solution.
As with all legislative changes, the revision of the eIDAS Regulation has also received its fair share of critique. Among the challenges facing the Regulation are its ambiguity and unclear wording, not to mention the strong emphasis on the Commission’s implementing acts as the chosen legislative approach. In addition, while cybersecurity and personal data protection are said to be at the heart of the Regulation, securing them is likely to be a challenge – or will at least raise many questions on interpretation. In particular, the digital identity wallet will contain sensitive personal data, which will require innovative technological solutions in order to secure it. eIDAS2.0 will also not operate in a vacuum, and one of the challenges will be to reconcile it – in addition to the GDPR – with legislation such as the DMA, PSD2 and cybersecurity legislation.
Scope of eIDAS2.0 and the most remarkable changes
eIDAS2.0 will introduce the following regulatory dimensions:
- European Digital Identity Wallets (Section 1)
- Electronic Identification Schemes (Section 2)
- Electronic Attestation of Attributes (Section 9)
- Electronic Archiving Services (Section 10)
- Electronic Ledgers (Section 11)
The first of these, the EUDI Wallet, is deemed the most significant innovation of the eIDAS2.0. The purpose of the digital identity wallet is to serve both as an identity document and as a place where users can store various digital attribution certificates. The digital identity wallet will allow users to choose what information they want to share about themselves in each transaction. In addition, the wallet can be used, for example, to give consent under the EU GDPR. The wallet is intended to be suitable for transactions with both the public and private sectors, and its use is voluntary and free of charge for private individuals.
Technology will naturally play a significant role in bringing the Regulation “to life”. While the Regulation does answer some questions related to “how”, “by whom” and “when” the technology should be in place, it is ultimately technology neutral and does not directly address the technologies used. What we do know is, for example, that the source code for the software components of the EUDI Wallet applications must be open source licensed. The Member States can, however, provide that, for duly justified reasons, the source code for specific components other than those installed on user devices will not be disclosed. The European Commission’s implementing legislation of November 2024 and national implementations will further clarify the Regulation with technical requirements and other details.
The renewed eIDAS Regulation sets out the requirements for the wallet applications that providers wish to certify as European identity wallets, whereas the pre-reform eIDAS Regulation was enacted mainly for implementing strong electronic identification. Of the strong electronic identification tools in use in Finland today, only the Citizen Certificate (‘Kansalaisvarmenne’) has been notified as an identification tool compliant with the first eIDAS Regulation. After the eIDAS reform, other identification instruments (such as bank identifiers and mobile authentication) can still be used in e-services. Also, different wallet applications that have not been notified to authorities under the eIDAS Regulation can still be offered after the eIDAS reform.
eIDAS2.0 also contains its own procedural requirements, including notification requirements. Under eIDAS2.0, Member States will have to register and notify the Commission of so-called Qualified Trust Service Providers. Qualified Trust Service Providers are responsible for issuing and certifying digital identifiers used in digital wallets, ensuring their legal validity and compliance with European standards. eIDAS2.0 will require Qualified Trust Service Provider schemes approved in one Member State to be approved in all EU Member States. If a qualified or non-qualified trust service provider breaches the Regulation, they will be subject to an administrative fine under the Regulation, with a maximum of at least €5 million if the trust service provider is a natural person and €5 million or 1% of the company’s total annual worldwide turnover in the preceding financial year if it is a legal person.
Member States must designate a body to oversee both the digital identity wallet framework and the trust service providers. The Commission has also set up a European Digital Identity Cooperation Group to support and facilitate cooperation between Member States.
What next?
eIDAS2.0 entered into force on 20 May 2024. Although we now have the final text of the Regulation itself, the transitional period for the Regulation is ambitious and multi-staged. To start off, Member States must submit at least one EUDI Wallet within 24 months of the entry into force of the Commission’s (still pending) implementing acts. For the private sector, the implementation period is 36 months from the entry into force of these implementing acts. The implementing acts are intended to provide technical specifications and procedures for the EUDI Wallet and for qualified certificates for website authentication. The Commission is required to adopt the former by November 2024 and the latter by May 2025.
To add to this, the Finnish Ministry of Finance has already set up a project to implement eIDAS2.0 and amend national legislation, where necessary. Most of the changes focus on the Act on Strong Electronic Identification and Electronic Trust Services 617/2009 (in Finnish ‘tunnistus- ja luottamuspalvelulaki’). The main elements of national implementing legislation are the assignment of tasks to public authorities and the use of national regulatory discretion. By the end of the transitional period, in addition to having decided to what extent it will use the leeway provided to it in relation to, for example, source code, Finland will have had to provide at least one EUDI Wallet, implement an identity linking service to public e-services, register the services where an EUDI Wallet can be used, designate a supervisory authority and a single point of contact, and enable administrative fines for trust services.
A market study earlier this year shows that the Digital and Population Data Services Agency (in Finnish ‘Digi- ja väestötietovirasto’ or ‘DVV’) is expected to have a leading role in creating the EUDI Wallet for Finland. Of course, this does not prevent other actors from launching their own EUDI Wallets too.
What does EUDI Wallet mean for Finland, your business and everyone using the Trust Network (‘Luottamusverkosto’)?
eIDAS2.0 will most certainly affect how business is done in Finland and throughout the EU. As mentioned above, one of the most notable changes will have to do with EUDI Wallets. Although providing such EUDI Wallets will likely bring about its own challenges and involve many private sector players, an even larger number of service providers will be required to accept the use of EUDI Wallets. According to eIDAS2.0, where private sector service providers, with the exception of microenterprises and small enterprises, are (i) required by EU or national law to use strong user authentication for online identification or (ii) where strong user authentication for online identification is required by contractual obligation (including in the areas of transport, energy, banking, financial services, social security, health, drinking water, postal services, digital infrastructure, education or telecommunications) those private sector service providers must, no later than 36 months from the date of entry into force of the Commission’s implementing acts and only upon the voluntary request of the user, also accept EUDI Wallets that are provided in accordance with the eIDAS Regulation.
In its briefing on the upcoming national draft legislation on 13 June 2024, the Ministry of Finance stated that it is not yet known how the EUDI Wallet will relate to the existing national trust network (in Finnish ‘Luottamusverkosto’). This will be addressed over the course of the implementation project, and the solution will eventually be documented in a government proposal. However, existing authentication solutions will not be phased out as a matter of principle. It is worth noting that the trust network is based on purely national legislation that is to remain in force as such, but the project will discuss how to bridge the two worlds. Similarly, the possibility of exploiting the deployment process of the electronic Citizen Certificate, which has not been widely used in Finland, will be explored as part of the introduction of the EUDI Wallet. National legislation will also address whether minors can use the EUDI Wallet, as this is not addressed in the current regulation.
For now, mark your calendars as the consultation round on the drafting of the implementing legislation will be held in March-April 2025, with the aim of the new laws coming into force in early 2026. If the European Commission adopts the eIDAS2.0 implementing legislation on schedule, Finland (and other EU countries) should have an EUDI Wallet ready in November 2026.
Both EU-based companies and international companies with EU customers should start to take steps to review and adapt their internal policies and business processes to be compliant with and take advantage of eIDAS2.0.