Is eIDAS 2.0 keeping you up at night? The complexity can be overwhelming. We provide a clear path to implementation for EU member state authorities navigating eIDAS 2.0.
eIDAS 2.0 keeps us up at night. As a technology provider, we are faced with the challenge of defining how to implement the requirements in a way that is compliant, scalable, interoperable, privacy-preserving, secure, etc.
eIDAS 2.0 and its complexity
The regulation (EU) Nr. 910/2014, also known as eIDAS 2.0, can be challenging and overwhelming. The regulation itself is 74 pages long—without implementing acts, the Architecture Reference Framework (ARF), etc.—making it complex and difficult to navigate. In addition, most EU countries already have established eID schemes, serving hundreds of thousands or even millions of users, with integrated services. On top of that, each country has its own specific laws, regulations and requirements, adding another layer of complexity to the implementation process.
A structured approach is essential
Navigating this landscape requires a structured approach, balancing compliance, interoperability, and national constraints while ensuring implementation of eIDAS 2.0.
With the publication of the implementing acts in December 2024 and the implementation deadline set for the end of 2026, governments in the EU must act now and define an implementation and procurement strategy.

Requirements, some examples
The regulation, the implementing acts from December 2024, and the Architecture Reference Framework provide guidance. Additionally, two more implementing acts are expected in 2025, which will bring further clarity. However, they do not define everything in detail, leaving many critical decisions to be made.
Here are some examples:
Core Implementation Decisions
Core Implementation Decisions encompass critical areas where regulations provide clear guidance but require specific implementation choices. These include:
- Non-technical considerations, such as how the wallet will be provided—should it be issued directly by the country, managed by a third party under a mandate, or should independent wallets be allowed as long as they meet national recognition standards? Or, should we integrate the EUDI wallet in an existing eID/signature app or introduce a standalone EUDI wallet app?
- On the technical side, several critical choices must also be made. Which Credential/PID standard should be used—ISO 18013, IETF, or W3C? What signature scheme should be implemented? And how should holder and/or device binding be done?
Trust List
Trust is a cornerstone of eIDAS 2.0. Member states will be responsible for identifying and notifying trusted entities, while relying parties must be registered to interact with EUDI Wallets. This requires each member state to establish trust management and onboard relying parties accordingly. There are two key aspects to consider. The first is again non-technical, namely governance: who is responsible for managing and maintaining the Trust List? The second is technical: what mechanisms will be used to enforce and verify trust?
Wallet Unit Attestation
When a user installs an EUDI Wallet, it requires a Wallet Unit Attestation. This attestation serves as proof that the user is operating a valid EUDI Wallet. Different technical approaches are possible for implementing Wallet Unit Attestation, and choosing the right one will be crucial for privacy, scalability and user experience.
Level of Assurance (Onboarding, Management, Usage)
For a PID (Personal Identification Data) in the EUDI Wallet, a high level of assurance (LoA High) is required. The technical specifications for the complete lifecycle (onboarding, managing, and using) of PIDs to meet this standard are outlined in Regulation (EU) 2015/1502. However, while the regulation provides a structured framework, it does not prescribe a single implementation approach. LoA High can be achieved through different methods, allowing flexibility to align with local requirements and regulations. Each member state must determine the most suitable approach based on its national infrastructure, existing identity systems, and specific security considerations.
These decisions are far from easy, as every choice comes with its own set of advantages and disadvantages. In some cases, it may even lead to technical deadlocks.
Approach: Timeline and Roadmap
A successful eIDAS 2.0 implementation relies on timely decisions regarding governance and processes. However, the technical implementation is sometimes overlooked or underestimated.
It’s not uncommon to hear statements like, “The technical implementation is not the problem; that can be done quickly.”
In reality, technical implementation is a critical factor that requires careful planning. While some topics may seem straightforward at first, the complexity often lies in the detail, integration, interoperability, security, and scalability. Rushing or underestimating these aspects can lead to unforeseen challenges and delays.
To ensure a robust eIDAS 2.0 infrastructure, governance and process decisions must go hand in hand with the technical implementation.
We are convinced that both areas must be covered and must work together, as decisions in one area impact the other and cannot be seen independently.
Our approach is structured into two phases: BUILD I and BUILD II. Each phase is composed of two key areas—a non-technical area and a technical area. We are convinced that both areas must be addressed in parallel and work in close coordination. Decisions made in one area impact the other, meaning they cannot be treated as separate, isolated aspects. A well-balanced approach ensures that governance, regulatory, and strategic decisions align seamlessly with the technical implementation. This interdependence is crucial to achieving a smooth, scalable, and future-proof eIDAS 2.0 deployment.

BUILD I: Laying the foundation for success
In the BUILD I phase, technical development can be carried out with manageable resources. This phase provides an opportunity to test concepts and integrations, identify gaps in governance and processes, and uncover technical deadlocks caused by conflicting requirements, allowing them to be resolved early on.
The outcome of BUILD I is not a disposable MVP. It is a base for BUILD II and the final production environment. It serves as a critical learning phase, ensuring that decisions are well-informed and that the transition to full-scale implementation is smooth. Skipping BUILD I would mean entering BUILD II with unvalidated assumptions and untested technology, leading to compressed timelines, increased pressure, and higher costs. A structured implementation strategy significantly reduces risks and ensures a robust eIDAS 2.0 implementation.
BUILD II: Scaling up and integrating with existing systems
Ideally, by the time BUILD II begins, all major decisions have been made, and the technical concepts are well-defined. This allows the team to shift its focus towards scaling up, integrating with existing systems, establishing a support organization, and preparing for production. With a solid foundation from BUILD I, the BUILD II phase becomes an execution-focused phase rather than one filled with last-minute problem-solving. This structured approach ensures a smoother transition to production, minimizes risks, and allows for a more predictable and efficient implementation of eIDAS 2.0.
How Procivis helps you implement eIDAS 2.0
Two years ago, we started our development with the uncertainty of eIDAS 2.0 in mind. Back in 2022, many questions remained unanswered regarding technical standards and implementation. Given this uncertainty, we made a strategic decision:
We needed to develop a solution with flexibility built into both the architecture and the source code. This approach allowed us to adapt to evolving regulations, incorporate emerging standards, and ensure long-term viability.
With this flexibility, we positioned ourselves to respond swiftly to changes, making our solution future-proof while maintaining compliance with eIDAS 2.0 as it evolved.
Procivis One is the only technology provider that covers the following aspects:
- Fully supports all key eIDAS 2.0 standards, including ISO/IEC 18013-5 and W3C VCDM 1.1, as referenced in December 2024 in the first batch of the eIDAS 2.0 implementing acts.
- Offers its solution under an open source license model conforming to the eIDAS requirement.
- Provides possible solutions for advanced eIDAS 2.0 topics like trust list management.
- Provides integration with APIs and documentation.
- Is highly performant and scalable and enables seamless integration into existing IT landscapes, ensuring compliance while reducing complexity.
Beyond compliance, an efficient eIDAS 2.0 implementation can significantly reduce costs and operational complexity. By leveraging a highly scalable and interoperable solution, development costs can be minimized, deployment accelerated, and expensive system overhauls avoided. Learn more about the additional benefits of Procivis One or get in touch with us.