A Guide to eIDAS Implementing Acts: Wallet Rules & ID Proofing

Key Takeaways:

Implementing Acts make eIDAS 2.0 operational: Implementing Acts define how the EU Digital Identity Wallet works in practice, covering security, data models, interoperability, certification, and conformance.

Identity proofing is directly impacted: The Acts reference established technical standards used in identity verification, making wallet-based onboarding predictable, auditable, and scalable for regulated services.

ETSI v2 is the practical backbone: ETSI TS 119 461 v2 and EN 319 401 define baseline vs. extended identity proofing and trust service controls – which are critical for meeting high assurance in remote onboarding.

Convergence by 2027: The EU AML Regulation (AMLR) applies from July 10,  2027, dovetailing with mandatory EUDI Wallet acceptance for defined use cases and ETSI v2 identity proofing standards to reduce national divergence and increase legal certainty for CDD.

An Implementing Act is an EU legal instrument that translates high-level regulation into detailed, enforceable rules. Under eIDAS 2.0, implementing acts define the technical and operational requirements for the EU Digital Identity Wallet (EUDI Wallet) including security architecture, data formats, interoperability protocols, and certification.

In short, eIDAS 2.0 sets the vision for a wallet-based and harmonized digital identity framework; the implementing acts make the vision actionable across the Member States.

With eIDAS 2.0, the European Commission adopted a suite of implementing acts, rolled out in successive batches between 2024 and 2025, that define how wallets, Person Identification Data (PID), and electronic attestations of attributes (EAAs) must function. These rules specify integrity controls, lifecycle management, interoperability requirements, ecosystem notifications, and certification schemes. In other words, these acts translate the wallet vision into concrete, testable requirements that public agencies, Qualified Trust Service Providers (QTSPs), and private parties can build against.

Two key impacts for identity programs:

• Cross-border consistency: Relying parties can integrate once and rely on the same wallet trust model across the EU, rather than managing country-specific exceptions.
• Higher assurance with less friction: Wallet credentials and qualified attestations are designed for selective disclosure, integrity, and auditability, improving trust while reducing user friction.

Wallet specifications, certification, issuance, and acceptance obligations are deliberately staggered between 2024 and 2027 to allow ecosystems to adapt.

While the requirements are spread across multiple implementing acts adopted between 2024 and 2025, five themes matter most to identity and onboarding teams:

• Security architecture and core functions: Requirements for wallet integrity, secure key management, consent logging, revocation handling, portability, and event recording, ensuring PID and attributes remain trustworthy and traceable.
• PID and attestations (issuance/lifecycle): Rules governing issuance, validation, updating, and revocation of PID and EAAs, including issuer eligibility, binding to the wallet holder, and freshness checks for relying parties.
• Protocols and interfaces interoperability): Standardized APIs and protocol suites enabling interoperability between wallets, issuers, and relying parties across borders. The Acts reference established standards such as W3C Verifiable Credentials and ISO mobile driver’s license profiles to avoid tailored, country-specific integrations.
• Notifications and governance: Mechanisms for Member States and ecosystem participants to notify the Commission, supporting transparency, market oversight, and corrective action.
• Certification and conformance: A scheme to certify wallets and components against the Acts’ requirements, giving relying parties and supervisors a clear basis for acceptance and audit.

A wallet is only as strong as the identity proofing behind it. This is where standards from ETSI play a central role.

ETSI TS 119 461 v2 (from February 2025) defines policy and security requirements for identity proofing components used by trust services. This includes clarifying attended vs. unattended remote flows, liveness and injection-attack defenses, evidence handling, operator oversight, and decision logging. The standard introduces two Levels of Identity Proofing (LoIP):

• Baseline: Suitable for standard AML/KYC use cases and allows for fully automated checks.
• Extended: Comparable (and considered equivalent) to physical presence, requiring hybrid verification with human-in-the-loop and typically used for higher-risk onboarding and qualified services.

Together, the eIDAS Implementing Acts and the corresponding ETSI v2 standards close the loop: Wallets are specified in detail, and identity proofing expectations are clearly defined. This will enable identity evidence to be trusted, reused, and audited across borders – exactly what financial services need to reduce onboarding discrepancies and regulatory uncertainty.

For financial institutions and other regulated firms, the implementing acts reduce ambiguity about how wallets operate and how attributes are issued, disclosed, and verified. This delivers tangible benefits:

• Lower integration risk: Clear technical specifications reduce uncertainty during implementation.
• Higher assurance: Certified wallets combined with ETSI-aligned proofing increase supervisory confidence.
• Less duplication: Reusable PID and verified attributes reduce repeated document uploads and manual checks.
• Cross-border scale: A single onboarding model can serve all 27 Member States with fewer local exceptions.

Organizations can start preparing now by aligning identity and onboarding programs with the emerging EU framework. The following priorities will help future-proof your identity and compliance strategy:

• Baseline to ETSI v2 + EN 319 401: Ensure your IDV flows satisfy Baseline LoIP today and can step up to Extended when risk or regulation requires it, with clear evidence logging and audit trails.
• Plan for wallet acceptance: Identify journeys that already require strong authentication or higher-risk onboarding and prepare for mandatory wallet acceptance for defined use cases from 2027, following Member State wallet issuance by the end of 2026.
• Align with EBA Remote Onboarding Guidelines: Confirm that risk-sensitive policies, outsourcing controls, and security measures remain aligned.
• Prepare for AMLR: With unified customer due diligence applying from July 10,  2027, use this transition period to prepare for retiring country-specific flows and move toward a single rulebook approach.