Your Bank's First 3 Steps to eIDAS 2.0 Compliance

TL;DR

• By December 2027, all EU banks will be legally mandated to accept the European Digital Identity (EUDI) Wallet for any process requiring Strong Customer Authentication (SCA).
• The EUDI Wallet replaces manual verification by storing government-verified Person Identification Data (PID), trusted attributes (EAAs), and Qualified Electronic Signatures (QES).
• Banks must immediately map all customer journeys requiring SCA, such as KYC onboarding and login, to determine exactly where wallet data will replace current friction and unlock high-value workflows.
• Legacy banking systems are architecturally mismatched with the new decentralized model, making direct integration risky and expensive.
• The best practice is to implement a specialized "translation layer" that bridges complex wallet cryptography with stable internal systems without requiring a core overhaul.
• Planning must begin during the 2026 budget cycle to align resources and technology roadmaps with the non-negotiable 2027 deadline.

eIDAS 2.0 is more than a new regulation – it's the blueprint for the next decade of trusted digital banking in Europe. While the future possibilities are endless, the starting point is a legal certainty: in 2027, all EU banks will be legally required to accept the new European Digital Identity (EUDI) Wallet for any process requiring Strong Customer Authentication (SCA). This is a non-negotiable compliance deadline.

This immediate challenge is all about how you will ‘Comply’. It means integrating the wallet into the core of your digital experiences, from a customer logging into their account to the identity verification step of a new KYC onboarding.

But compliance is just the beginning. Once this foundation is in place, you can leverage it to ‘Compete’ in the new digital identity ecosystem. This is where the true strategic value lies, allowing you to move beyond just accepting data to issuing your own trusted information or enabling entirely new, secure digital workflows.

This article breaks down the path to compliance into three clear steps, mentioning the legal obligations, the practical user journeys, and the architectural concepts.

Step 1: Understand the Legal Obligations & The Core Technology

Before you can plan a project, every stakeholder needs a shared understanding of the core requirements. This section provides that foundational briefing, covering the non-negotiable legal and technical facts that will shape your entire strategy.

The "Why": The Legal Mandate for Banks (SCA)

The core legal driver for banks is straightforward. Regulations you already follow, such as the Payment Services Directive (PSD2), require Strong Customer Authentication to secure transactions and account access. The new eIDAS 2.0 regulation now adds the EUDI Wallet as a mandatory, recognized method for performing this authentication.

The legislation is direct and unambiguous.

‘Where private relying parties … are required by Union or national law to use strong user authentication for online identification or where strong user authentication for online identification is required by contractual obligation … also accept European Digital Identity Wallets that are provided in accordance with this Regulation.'
– eIDAS 2.0, Article 5f(2)

This means the choice is not if you will accept the wallet, but how you will implement it into your existing digital platforms.

The "What": The EUDI Wallet

So, what is the EUDI Wallet? In simple terms, it's a secure, government-backed mobile app that puts users in complete control of their identity data. It allows them to store and share verified information with explicit consent, replacing the need for physical documents or manual data entry.

The wallet holds three key types of data:

• Person Identification Data (PID): This is the essential, government-verified data about a person, such as their name and date of birth. Think of this as the digital equivalent of showing a passport, anchored in the legal authority of an EU Member State.
• Electronic Attestations of Attributes (EAAs): These are verified claims from other trusted sources. Think of them as digital, verifiable proofs of a university degree, a professional license, or even a statement of account ownership from another bank.
• Create Qualified Electronic Signatures (QES): The wallet gives users the ability to create digital signatures with the same legal force as a handwritten signature, valid across the entire EU.

The "Who": Key Actors in the Ecosystem

The EUDI Wallet ecosystem is built on a foundation of trust between several key actors. Understanding their distinct roles is crucial for any project planning.

• User (Wallet Holder): The citizen who controls the wallet and must consent to all data sharing.
• Wallet Provider: The government-approved entity that issues and maintains the wallet app itself.
• Relying Party: The organization requesting and relying on the user's data to provide a service, such as your bank.‍
• PID/(Q)EAA Provider: The authoritative sources (e.g., a government civil registry, a university, or even another bank) that issue trusted data into the wallet.

Step 2: Map Your Wallet Integration Points

Before you can build, you need a blueprint. This step involves analyzing your existing processes to determine exactly where the EUDI Wallet will integrate. This is a practical task for your product, compliance, and business analysis teams to collaborate on.

The first task is to identify every single customer journey that currently requires Strong Customer Authentication. Common examples include initial customer onboarding (KYC), logging in, authorizing high-value transfers, and changing personal details. Once you have this list, the next step is to specify the exact data attributes you need from the wallet to serve the customer in each journey. For a KYC check, this might be a full name and address; for a transfer, it might simply be an authentication confirmation. Finally, it's crucial to document these new, wallet-enabled workflows. These "to-be" process diagrams become the official source of truth for your product and IT teams.

Use Case in Action: New Customer Onboarding (KYC)

Now, let’s make this very practical. Think about the friction in your current digital onboarding flow: the manual data entry, the requests for scanned IDs, time spent waiting for verification, and the customers who drop off out of frustration.

Here is what that same process looks like with the EUDI Wallet:

• Request: Your bank's website or app initiates a request for the specific data needed for KYC, then displays a secure QR code or a link.
• Scan & Review: The user interacts with the prompt, which opens their EUDI Wallet. The app clearly shows them, "Bank ABC is asking for your Full Name, Date of Birth, and Address. Do you approve?”
• Consent: The user approves the request using their phone's biometrics or a PIN, giving explicit, secure, and fully logged consent.
• Transfer: The wallet sends the cryptographically signed, government-verified data directly to your bank's system.
• Verification: Your system automatically verifies the data's authenticity. The KYC check is complete, and the account is opened.

The entire process takes seconds. It dramatically reduces the risk of identity fraud and provides an excellent customer experience.

Step 3: Plan Your Integration and Bridge the Gap

With your requirements understood and your integration points mapped, the final step is to build an actionable roadmap. This begins by confronting the core technical challenge: connecting a brand-new identity paradigm to the reality of your existing infrastructure.

Why Wallet Integration is More Complex Than a Standard API

To a decision-maker, this might sound like a standard software project. Why can’t the wallet just connect to your systems via an API like any other service? The answer lies in a fundamental shift in how identity data is managed.

• A New Paradigm: Your current systems – from your core banking platform to your CRM – were built for a centralized world where the bank is the primary holder of customer data. The EUDI Wallet operates on a decentralized model where the user is in control. This is an architectural mismatch. Legacy systems aren't designed to "ask" a user's device for cryptographically signed proof; they are designed to look up data in their own trusted database.
• Specialized Cryptography: This isn't about standard web security. Verifying data from a wallet requires your systems to handle advanced public-key cryptography and check complex digital signatures. These Self-Sovereign Identity (SSI) principles require a specialized skill set that is not typically found in most enterprise IT teams.
• Formal Trust Frameworks: Connecting to a service like SharePoint is an internal IT matter. Connecting to the EUDI Wallet ecosystem requires your bank to formally enroll and register as a trusted Relying Party. This is a significant compliance and governance effort that goes far beyond simply getting an API key.

Download your free whitepaper on eIDAS 2.0 and the European Digital Identity Wallet

• A business guide to prepare for eIDAS 2.0
• Learn how to future-proof your data
• Stay competitive with secure, market-ready tools
• Explore the available technologies and use cases
  

Best Practice: Don't Rework Your Core, Build a Bridge

Given this complexity, attempting to rewrite your existing banking systems to handle wallets directly is extremely risky, expensive, and slow. The established best practice is to isolate the complexity.

This involves creating a dedicated "translation layer" or "adapter." This modern service acts as a secure bridge between the complex new wallet ecosystem and your stable legacy systems. It does the hard work: it communicates with the different types of wallets, handles all the advanced cryptography, and verifies the data according to the new open standards. Once the data is proven authentic, this layer then passes simple, verified information ("Yes, this person's identity is valid") to your internal systems in a format they can easily understand and use.

This approach identifies the key stakeholders for the project: it requires a leader who can coordinate the CISO (who owns security), the Head of Digital Onboarding (who owns the customer experience), and the IT Manager or CTO (who owns the legacy connection).

Building this translation layer is where a specialized platform can de-risk the entire project. Platforms like Truvity are designed specifically to act as this secure bridge, handling the complex cryptography and wallet protocols on your behalf. This allows you to meet the compliance deadline by connecting the new world to the old, without undertaking a costly and risky overhaul of your core infrastructure.

Planning for Strategic Opportunity

Once you have a plan to bridge the technical gap for compliance, you can focus on the strategic roadmap. This is where you leverage your new infrastructure to compete. The two main opportunities are becoming a trusted data issuer by providing attributes like 'proof of funds', and leveraging Qualified Electronic Signatures (QES) to fully digitize high-value workflows like mortgage applications. Both require a clear business case and a plan to navigate the certification processes, but they unlock significant new value.

Conclusion & Your Next Move

Getting ready for eIDAS 2.0 doesn't have to be an overwhelming process. By breaking it down into a clear, achievable project, you can move forward with confidence. The three-step framework of Understand, Map, and Plan provides a repeatable methodology for any bank. By first tackling the mandatory "Comply" work tied to the 2027 deadline, you build the foundation to unlock the powerful "Compete" opportunities of tomorrow – becoming a trusted data issuer and a provider of seamless, digitally signed agreements.

With the 2026 budget cycle well underway, now is the critical time to start this planning. Ensuring your organization's roadmap and resources are aligned for this shift is essential for staying ahead of the regulatory curve and positioning your bank to win in the new era of digital trust.

To help you get started, we invite you to book a complimentary 30-minute eIDAS 2.0 strategy session with our experts. We can help you navigate the complexities and build a clear, actionable plan for your organization.