A Guide to the eIDAS Implementing Acts
As the digital economy grows, trust in online identities, transactions, and communications has never been more essential. Within the European Union, that trust is governed by the eIDAS Regulation — a legal framework that standardizes electronic identification and trust services across all member states.
Now, with the introduction of eIDAS 2 and its accompanying Implementing Acts, the EU is taking a bold step forward to ensure secure, seamless digital interactions across borders.
In this article, we’ll break down what eIDAS is, what’s changing under the 2024/1183 regulation, and how the upcoming Implementing Act will shape the future of digital identity in Europe.
What Is eIDAS?
eIDAS stands for electronic identification, authentication, and trust services. It's an EU regulation (910/2014) that creates a framework for secure digital interactions across EU member states. It acts as the digital trust infrastructure for the European Union, ensuring that when someone signs a document, logs into a system, or proves their identity online, it’s legally recognized and trustworthy across borders.
At a high level, the eIDAS regulation:
- Allows businesses, citizens, and governments to interact online securely.
- Mandates that a digital signature or ID issued in one EU country must be recognized across all others.
eIDAS laid the foundation for the qualified trust service provider model, which enables electronic transactions with a legal effect equivalent to paper-based signatures. Over time, the eIDAS framework has also helped harmonize electronic identification standards across member state systems, improving access to public services, cross-border commerce, and digital onboarding experiences.
Who Must Comply With eIDAS?
The eIDAS regulation applies to all public sector bodies within EU member states, as well as private sector organizations that offer services relying on electronic identification or trust services. This includes banks, insurance companies, healthcare providers, educational institutions, and any business conducting cross-border electronic transactions.
Critically, even non-EU organizations that interact with EU citizens — such as global SaaS platforms or e-commerce providers — may fall under eIDAS obligations if they need to recognize EU-issued credentials or trust services.
eIDAS 2: What Changed and Why It Matters
eIDAS 2 is an update to the original regulation, officially called Regulation (EU) 2024/1183, adopted in early 2024. It strengthens the original law and addresses limitations, especially around digital identity.
Since its implementation, the original eIDAS regulation has been instrumental in standardizing trust services and digital signatures across the EU. However, it faced criticism for its limited uptake in the area of electronic identification. Many member states developed siloed solutions, and adoption by private sector players lagged due to a lack of clear interoperability requirements and flexible implementation guidance.
Citizens also had little access to convenient cross-border digital identity tools. For example, someone from Germany moving to France would often find that their national eID was not accepted for public or private services abroad. eIDAS 2 aims to fix that with a more robust and user-friendly system, particularly through the introduction of the European Digital Identity Wallet (EUDI Wallet).
Key Changes in eIDAS 2
The new EU regulation introduced several notable adjustments and requirements:
- European Digital Identity Wallet: Citizens and residents will have a government-issued digital identity wallet on their phone, letting them prove their identity or qualifications (e.g., driver’s license, diploma) across the EU. The wallet also supports use cases like logging into online services, submitting official documents, or accessing eHealth records.
- Private sector participation: Not just government portals — private companies like banks, telecoms, or airlines may have to accept EUDI Wallets. This expansion ensures that digital identity becomes a part of everyday commercial life, not just public administration.
- Expanded trust services: New types of trust services are recognized, such as electronic archiving, electronic ledgers, and electronic attestation of attributes. This expansion widens the scope of legally regulated services under eIDAS, accommodating newer technologies and business models.
- Interoperability standards: The EU wants seamless use across borders, which requires strict technical specifications and procedural standards. These will be defined in accompanying Implementing Acts and ensure that member state systems and private entities follow consistent protocols for electronic identification and electronic transactions.
May 2025 is a key milestone for eIDAS 2 — it’s when the first eIDAS Implementing Act for the EUDI Wallet takes effect.
Understanding the eIDAS Implementing Acts
EU laws like eIDAS 2 often need specific rules to be enforceable. That's where Implementing Acts come in — they define the technical specifications, processes, and standards countries need to apply the law. In this case, the eIDAS 2 Implementing Acts will:
- Define how the EUDI Wallet should function in terms of user experience, data privacy, security, accessibility, etc.
- Set certification requirements for identity and trust service providers.
- Clarify how private entities need to integrate and accept digital IDs.
- Outline interoperability framework rules for systems across different countries.
A major Implementing Act is expected to take effect in 2025, and it's central to how the European Digital Identity Wallet will be deployed. Early guidance indicates this act will cover:
- Wallet architecture and specifications: Including device-level security controls, cryptographic key usage, and data format requirements.
- UX requirements: Standardized user experience expectations for consent prompts, accessibility, and cross-border user flows.
- Technical standards: Conformance with European reference standards, and interfaces that support interoperability with trust services and existing infrastructures.
- Private-sector rules: Responsibilities and liability for service providers that accept the wallet for electronic form or transaction-based use cases.
- Security and compliance protocols: Risk mitigation strategies for authentication, signing, and attribute exchange.
Complying With eIDAS 2
Organizations that want to continue operating in or expanding into EU markets must proactively prepare for eIDAS 2 and its associated Implementing Acts. Here’s how:
1. Audit Your Current Digital Identity and KYC Processes
Evaluate how your organization verifies identity today. Does it rely on local standards, or is it ready to recognize qualified certificate formats and eIDs from EU member states? Assess whether your current processes can accommodate EUDI Wallet credentials for authentication or onboarding.
2. Identify Gaps in Interoperability With EU-Issued Credentials
Check whether your systems can accept inputs from foreign identity schemes, especially those based on eIDAS requirements. Cross-reference your platforms against the EU Trusted List of notified eID schemes and look for inconsistencies in identity assurance level or trust model compatibility.
3. Evaluate Your Trust Service Providers for Certification Readiness
If you rely on third parties for electronic signature or electronic seal services, confirm their qualified status and whether they are preparing for changes under eIDAS 2. Qualified trust service providers will need to meet new technical and compliance criteria outlined in future Commission Implementing Decision updates.
4. Integrate Wallet Compatibility Into Future Product/Service Planning
Any service that involves identity, attributes, or signatures may need to be wallet-compatible. Ensure your development roadmap includes wallet API support, token formats, and secure document handling, particularly for electronic registered delivery service or secure archiving use cases.
5. Monitor EU Guidance and Final Implementing Acts Closely
The landscape is still evolving. Keep a close eye on updates from the European Commission, the eIDAS Committee, and official publications in the Official Journal of the EU. These sources will provide legally binding clarifications on scope, obligations, and enforcement timelines.
6. Coordinate With Legal and IT Teams To Assess Risk Exposure
Legal teams must assess what eIDAS 2 means for contractual relationships and liabilities, especially around identity assurance or cross-border electronic transactions. Meanwhile, IT teams need to determine whether their cryptographic infrastructure meets future audit and compliance requirements.
Examples of Previous Implementing Acts
Below are key examples of such Implementing Acts, including their publication dates and official references:
1. Commission Implementing Decision (EU) 2015/1505
- Title: On the publication of the list of trusted lists of certification service providers
- Date: 8 September 2015
- Purpose: Establishes the format and procedures for publishing and accessing trusted lists of qualified trust service providers.
- Reference: EUR-Lex 2015/1505
2. Commission Implementing Regulation (EU) 2015/806
- Title: On establishing specifications relating to formats of advanced electronic signatures and advanced seals
- Date: 22 May 2015
- Purpose: Defines acceptable formats for advanced electronic signatures and seals to ensure interoperability.
- Reference: EUR-Lex 2015/806
3. Commission Implementing Decision (EU) 2016/650
- Title: On the procedural arrangements for cooperation between Member States on electronic identification
- Date: 25 April 2016
- Purpose: Lays out how member states should cooperate and notify each other about national eID schemes.
- Reference: EUR-Lex 2016/650
4. Commission Implementing Regulation (EU) 2016/1376
- Title: On laying down specifications relating to the form of the EU trust mark for qualified trust services
- Date: 11 August 2016
- Purpose: Defines the visual design and usage rules for the EU trust mark.
- Reference: EUR-Lex 2016/1376
5. Upcoming: Implementing Act for the European Digital Identity Wallet (EUDI Wallet)
- Expected Date: 2025
- Purpose: Will define architecture, security, and interoperability standards for the EUDI Wallet under eIDAS 2.
- Reference: Not yet published in final form.
Prepare Your Business for eIDAS Compliance
Entrust offers a robust, standards-based approach to eIDAS 2 compliance through its suite of cryptographic solutions, including hardware security modules (HSMs).
For organizations that need to issue or manage qualified electronic signatures, Entrust provides a complete solution: the nShield HSM combined with the Entrust Signature Activation Module (SAM) — together forming a qualified signature creation device (QSCD) as defined under eIDAS.
This solution ensures that private keys used to create digital signatures are securely generated, stored, and activated in compliance with strict EU requirements. The architecture supports remote signing, scalable deployment, and alignment with current and upcoming mandates.
Whether you’re modernizing your identity infrastructure, preparing for digital wallet integration, or enabling cross-border electronic identification and trust services, Entrust delivers the cryptographic foundation you need to move forward with confidence.
Ready to meet the demands of eIDAS 2? Connect with our team to learn how Entrust’s solutions can help you stay compliant and competitive.