eIDAS 2.0 Implementation Guide: What Organizations Need to Do Before December 2026

The deadline of 31 December 2026 tends to appear in discussions about eIDAS 2.0 as a future obligation — something on a roadmap, noted and deferred. It's worth being precise about what it actually is. Regulation (EU) 2024/1183 entered into force on 20 May 2024. Every EU member state is legally required to make at least one certified European Digital Identity Wallet available to citizens and businesses by the end of this year. That's not a policy aspiration. It's a binding obligation with implementing acts already published and interoperability testing already completed between multiple member states.

For organizations in regulated sectors — banking, insurance, healthcare, telecommunications, energy — the practical implications arrive one year later. By late 2027, those sectors must accept the EUDI Wallet as an authentication method. But the preparation for acceptance doesn't start in 2027. It starts now, because the integration work, the conformity assessment, and the identity verification workflow redesign required to accept a wallet-based credential take time that organizations in catch-up mode won't have.

We've been building digital identity middleware for over twenty years. The Portuguese Citizen Card middleware, which Caixa Mágica developed and has maintained since the early 2000s, runs on every computer in Portugal that handles Citizen Card authentication — a deployment that eventually reached the entire adult population. That experience shapes how we read eIDAS 2.0: not as a regulatory compliance project, but as an infrastructure transition with specific technical and institutional requirements that determine whether it works in practice for the people who depend on it.

May 2024
eIDAS 2.0 (Regulation EU 2024/1183) enters into force
April 2026
Commission publishes Implementing Regulation (EU) 2026/798 on wallet enrolment
31 Dec 2026
All 27 member states must provide at least one certified EUDI Wallet
Late 2027
Regulated sectors (banking, healthcare, telecoms, energy) must accept the wallet

What eIDAS 2.0 changes, and what it doesn't

The original eIDAS regulation of 2014 established a legal framework for electronic identification and trust services across the EU. It succeeded in harmonising qualified electronic signatures and cross-border recognition of national eIDs, but it had structural limitations: coverage was uneven across member states, adoption by the private sector was voluntary, and the system wasn't designed for mobile-first use. For organizations trying to implement cross-border digital identity in practice, the eIDAS 1.0 landscape meant navigating a patchwork of national systems with different technical architectures and different levels of assurance.

eIDAS 2.0 changes this in three ways that matter operationally. First, it mandates universal availability — every citizen and resident in the EU will have access to a wallet, not just those in member states that chose to implement a strong national eID scheme. Second, it mandates private-sector acceptance — the voluntary nature of eIDAS 1.0 private-sector participation is replaced by an obligation for regulated sectors and very large online platforms. Third, it introduces selective disclosure at the architecture level — citizens can prove specific attributes (age, professional qualification, address) without revealing unrelated personal data, which changes the design requirements for identity verification workflows significantly.

What eIDAS 2.0 doesn't change

eIDAS 2.0 doesn't just extend eIDAS 1.0. It replaces the assumption that digital identity is optional for the private sector with a legal requirement to accept it.

What it doesn't change is the fundamental engineering challenge of digital identity: making a system work reliably for people who need it, in the conditions in which they actually use it, across the institutional and legal frameworks of multiple jurisdictions. The Cabo Verde middleware project — where we built an offline-first digital identity system for a ten-island archipelago — is a reminder that the hardest problems in digital identity aren't in the specification. They're in the gap between specification and deployment at scale.

Who needs to do what, and by when

The obligations under eIDAS 2.0 fall on different actors at different times. It's worth mapping them precisely, because the common framing — "the deadline is 2026" — obscures the fact that different organizations face different obligations on different timelines.

Deadline: 31 December 2026
Member States
Must provide at least one certified EUDI Wallet to citizens and businesses. The wallet must support the Architecture Reference Framework (ARF), pass conformity assessment, and be interoperable with wallets issued by other member states. Early-mover states (Germany, Netherlands, Italy) are in final delivery phases. Readiness varies significantly across the 27.
Deadline: Late 2027
Regulated Sectors
Banks, insurers, telecoms, healthcare providers, energy companies, and very large online platforms (45M+ EU users) must accept the EUDI Wallet for identity verification. Acceptance requires registration as a relying party with national authorities and support for ISO/IEC 18013-5 and W3C Verifiable Credentials.
Immediate preparation
ICT Providers
Organizations developing middleware, authentication systems, or identity verification workflows for regulated sectors need to assess compatibility with the EUDI ARF now. Integration work takes months. Organizations waiting for wallet rollout to begin integration will find themselves behind the acceptance deadline.
Ongoing from 2026
Trust Service Providers
Qualified Trust Service Providers (QTSPs) must update certifications and integrate wallet authentication. The transition affects electronic signature workflows, KYC processes, and any service that currently relies on national eID schemes for identity verification.
Non-EU organizations providing services to EU users that fall within regulated sectors or operate as very large online platforms are also in scope.

The technical layer that most eIDAS 2.0 implementation discussions skip

Most of the public conversation about eIDAS 2.0 focuses on the policy framework: which sectors are obligated, what the deadlines are, how cross-border recognition will work. The technical layer receives less attention, which is where most implementation projects encounter the problems that delay them.

The EUDI Wallet ecosystem is built on three technical specifications that every relying party needs to support: ISO/IEC 18013-5 (the standard for mobile document presentation, originally designed for mobile driving licences), W3C Verifiable Credentials (the data model for selective disclosure of identity attributes), and the EUDI Architecture Reference Framework, which specifies how these interact with national wallet implementations, trust registries, and interoperability across member states.

For organizations whose authentication systems were built for eIDAS 1.0 — which used different data formats, different assurance levels, and different interaction models — this isn't an update. It's a redesign of the identity verification flow. The middleware layer that sits between the wallet and the application needs to handle credential presentation from different member state wallets, validate against the relevant trust registry, enforce selective disclosure so only the required attributes are accessed, and produce an audit record of the verification.

What a wallet-based verification flow requires
Wallet presentation
Citizen presents credential from EUDI Wallet via ISO/IEC 18013-5
Trust validation
Middleware validates credential against national trust registry and ARF specifications
Selective disclosure
Only the attributes required for this transaction are accessed — age, not date of birth; professional status, not full identity
Audit record
Verification logged for regulatory purposes, with no central storage of citizen data
The middleware layer must handle credentials from all 27 member state wallets — each with potentially different implementation details within the ARF specifications.

What the Portuguese Citizen Card experience says about eIDAS 2.0

The Portuguese Citizen Card middleware has been in production for over twenty years. It's been through multiple card generations, operating system changes, browser updates, and regulatory evolutions. The most consistent lesson from that experience isn't technical — it's institutional. Digital identity infrastructure that works reliably at national scale requires sustained alignment between the bodies responsible for the legal framework, the document itself, and the software. When any of those three changes without coordination, the middleware breaks in ways that affect every citizen who tries to use their card.

eIDAS 2.0 adds a fourth dimension that the Citizen Card never had to manage: interoperability across 27 independent national implementations, each built to the same ARF specification but with implementation choices that will differ in practice. The ARF is detailed and technically rigorous. What it can't fully specify is the real-world behaviour of 27 wallet implementations at the moment they go into production simultaneously, with millions of users attempting cross-border verification for the first time.

The specification is not the implementation. The gap between them is where the real engineering work of digital identity lives — and where experience with national-scale deployments matters most.

This is not an argument against eIDAS 2.0. It's an argument for approaching the implementation with the seriousness it deserves, rather than treating it as a software update that will be handled closer to the deadline. Organizations that have started the integration work now — building against the ARF, testing against available wallet implementations, and establishing the institutional relationships required for relying party registration — are in a materially better position than those treating late 2027 as the real deadline.

The data sovereignty question that the policy discussion understates

One of the most consequential architectural choices in eIDAS 2.0 is one that tends to get described in terms of privacy: selective disclosure. A citizen can prove they are over 18 without sharing their date of birth. They can prove professional qualification without sharing their full identity. This is described as a privacy feature, which it is. But it has a structural implication for how identity verification systems need to be designed that goes beyond privacy.

Systems built for eIDAS 1.0 and pre-eIDAS identity verification typically requested and stored a defined set of identity attributes — name, date of birth, identification number — and retained them as part of the user record. Selective disclosure under eIDAS 2.0 means that the attribute presented during verification may not be the same as the attribute stored, and in many cases the application should not be storing personal data at all — only a confirmation that the verification occurred. This requires a redesign of data models, storage architectures, and audit trails that is not a minor update to existing systems.

eIDAS 2.0 implementation: what organizations should be doing now

The practical preparation for eIDAS 2.0 acceptance isn't a single project. It's a sequence of decisions that build on each other, and the earlier in the sequence an organization is, the more time it has to course-correct before the acceptance obligation arrives.

Map your current identity verification flows against eIDAS 2.0 requirements. Identify which flows involve attributes that will be presented via wallet, and what changes are required to accept selective disclosure credentials.
Assess middleware compatibility with ISO/IEC 18013-5 and W3C Verifiable Credentials. If your authentication infrastructure was built for eIDAS 1.0 or national eID schemes, this is the most time-consuming part of the preparation.
Register as a relying party with your national authority. This is a prerequisite for accepting wallet credentials and requires time — both for the registration process and for the technical integration it unlocks.
Redesign data storage and audit models for selective disclosure. The assumption that you will receive and store a fixed set of identity attributes needs to be revisited for every verification flow that will accept wallet credentials.
Test against available wallet implementations before the December 2026 deadline. Early-mover member states have wallet implementations in late beta. Testing now identifies interoperability issues before they affect production users.

What eIDAS 2.0 doesn't resolve on its own

It's worth being honest about what the regulation can and can't deliver. eIDAS 2.0 establishes a legal framework that, when fully operational, will give every EU citizen access to a portable, interoperable digital identity. That's a significant achievement in the context of Europe's fragmented pre-2024 landscape. What it doesn't guarantee is that the 27 wallet implementations will all be functionally complete by 31 December 2026, that relying party registration will be straightforward in every member state, or that the user experience of wallet-based authentication will be smooth enough for widespread voluntary adoption.

An independent assessment published in April 2026 found that three countries appear almost certain to meet the December deadline with full functionality, five are very likely, eight are likely, and the remaining eleven face varying degrees of risk. The launch will be real but uneven. For organizations planning their eIDAS 2.0 integration, this means the testing environment will not be uniform, and the assumption that wallet availability in one member state implies the same functionality in another needs to be verified rather than assumed.

None of this is an argument for waiting. It's an argument for building the integration with enough lead time to absorb the variability that a parallel rollout across 27 member states will inevitably produce. The organizations that treat the late 2027 acceptance deadline as the start of their preparation will discover that their competitors, who started in 2025 and 2026, are already through the hard part.

Caixa Mágica Software
Caixa Mágica Team
Caixa Mágica Software is a Portuguese software company with 20+ years of experience delivering custom software, AI solutions and nearshore development teams for European businesses.
eID Box · Caixa Mágica Software
Digital identity middleware built on 20 years of national-scale deployment
From Portugal's Citizen Card to Cabo Verde's offline-first eID system. eID Box integrates smart card and wallet-based authentication for applications that need to work in the real world.