What is eIDAS?
eIDAS stands for Electronic Identification, Authentication and Trust Services. It is European Union law — originally enacted in 2014 (eIDAS 1.0) and substantially revised in 2024 (eIDAS 2.0, formally Regulation 2024/1183) — that creates a legal framework for digital identity across all 27 EU member states.
The core ambition is straightforward: a citizen in Portugal should be able to use their national digital identity credential to authenticate with a German bank, a French hospital, or a Dutch government portal — and that credential should carry legal standing equivalent to a physical ID card.
eIDAS 2.0 goes further. It mandates that every EU member state must offer at least one European Digital Identity (EUDI) Wallet — a mobile application in which citizens store and selectively disclose certified attributes: their national eID, driving license, professional qualifications, and eventually bank account credentials or KYC attestations.
Key Dates
| Date | Milestone |
|---|---|
| July 2014 | eIDAS 1.0 enters into force — cross-border recognition of national eIDs for public sector services |
| September 2018 | eIDAS 1.0 becomes fully applicable; member states begin notifying national eID schemes |
| June 2021 | European Commission proposes eIDAS 2.0 revision |
| May 2024 | eIDAS 2.0 (Regulation 2024/1183) formally published — EUDI Wallet mandate enters into force |
| November 2024 | EU Commission adopts first implementing acts (technical standards and certification requirements for EUDI Wallets) |
| Late 2026 | Member states required to issue EUDI Wallets (pilot programmes underway across 4 large-scale pilots: POTENTIAL, EWC, NOBID, DC4EU) |
| December 2027 | Banks and regulated financial institutions subject to Strong Customer Authentication (SCA) under PSD3/PSR must support EUDI Wallets as relying parties |
The December 2027 deadline is the one the payments industry is watching. It does not force banks to onboard customers exclusively via wallet presentation — but it does require them to accept it.
The Pre-eIDAS Reality: BankID Proved the Model
Before the EU mandated anything, several Nordic and Baltic countries built functioning national digital identity systems through commercial constructs between banks — not government fiat.
BankID in Norway is the clearest proof of concept. Launched in 2004 through deliberate multi-decade collaboration between Norway’s financial sector and government authorities — formalized through Bits AS (the industry’s infrastructure company) — BankID became the de facto national identity layer. Today it handles authentication for banking, tax, healthcare, and government services. Its success was not the result of a regulatory mandate. It was the result of aligned incentives: banks agreed to share infrastructure costs because universal adoption created a larger, more trusted ecosystem that benefited all participants.
Similar bank-led consortia delivered MitID in Denmark, BankID in Sweden (now processing over 8 billion authentications annually), Smart-ID in Estonia and Lithuania, and itsme in Belgium. Finland’s digital identity is largely delivered through bank-provided credentials accepted across the public and private sectors.
The lesson these systems taught Europe — and that eIDAS 2.0 attempts to codify at scale — is that cross-domain trust requires either a commercial construct or a government mandate. The Nordic countries achieved it through the former. The EU is now attempting the latter across 27 jurisdictions with divergent legal traditions, languages, and existing infrastructure.
What eIDAS Does (and Does Not) Cover in Payments
This is where the gap between legal ambition and operational reality becomes acute.
What eIDAS covers:
EU law explicitly recognizes eIDAS-compliant credentials as valid for Strong Customer Authentication (SCA). Under PSD2 today, and PSD3/PSR going forward, SCA requires two of three factors: something you know, something you have, something you are. A certified EUDI Wallet credential — cryptographically bound to a device, backed by a notified eID scheme — satisfies this requirement.
This is meaningful. It means a bank cannot arbitrarily reject a wallet-based authentication event during a payment flow. It creates a floor of interoperability.
What eIDAS actually is — and what it does not solve for banking:
The broader eIDAS vision goes well beyond authentication. eIDAS 2.0 is grounded in W3C Verifiable Credentials — a standard for cryptographically signed attestations that can be issued by any authoritative party and selectively disclosed by the holder.
The EUDI Wallet is a consumer-controlled container for these credentials. Your university could issue your diploma as a verifiable credential; you could then prove graduation to an employer by presenting just the diploma and your name — without ever asking your university to confirm it. The credential is portable, privacy-preserving (selective disclosure), and independently verifiable. This is not authentication in the narrow sense. It is a framework for trusted, decentralised assertions about identity, qualifications, and status.
However, for banking specifically, there is a gap. EU financial services regulation — the Fourth and Fifth Anti-Money Laundering Directives — imposes obligations on banks that eIDAS credentials do not automatically satisfy. A verifiable credential proves what it says (this person holds this diploma, this person has this national eID). It does not prove what the bank needs to know for AML compliance: source of funds, beneficial ownership, risk profile, sanctions screening.
The result is that eIDAS credentials:
- Do satisfy Strong Customer Authentication (SCA) requirements — a bank cannot reject a wallet-based authentication during a payment flow
- Do not automatically satisfy KYC (Know Your Customer) requirements for account opening
- Do not replace AML compliance obligations — banks retain full responsibility for customer risk assessment
- Do not override national supervisors — AML authorities in each member state can still impose enhanced due diligence for higher-risk customers
Many regulators and industry participants interpret the December 2027 relying party obligation as creating a de facto obligation to support wallet-based onboarding flows. The practical reality is more nuanced:
- A bank will not be forced to onboard every customer solely based on wallet presentation
- For higher-risk customers, banks may request additional documentation beyond what the wallet holds
- National AML supervisors retain the authority to require enhanced checks regardless of what the wallet attests
The gap between “authentication accepted” and “onboarding complete” is where the strategic tension lives.
Geographic Progress: Uneven by Design
The EU is 27 member states with 27 different starting points. The picture at mid-2026:
Countries already permitting fully digital bank onboarding via national eID:
- Estonia — eID and Smart-ID are widely used for account opening; Estonia is the benchmark
- Denmark — MitID is broadly accepted for onboarding across major banks
- Sweden — BankID dominates digital account opening; highest adoption per capita in Europe
- Belgium — itsme accepted by major retail banks; strong uptake since 2020
- Finland — bank-provided digital IDs broadly used across public and private sector onboarding
Countries with partial or emerging capability:
Germany, France, Spain, Italy, and the Netherlands are all participants in the large-scale EUDI Wallet pilots but have not yet achieved the clean, consumer-grade onboarding flows that the Nordic countries deliver. The gap is partly legal (different interpretations of AML obligations), partly commercial (incumbent identity infrastructure from national post offices, telecoms, and government portals), and partly technical (wallet certification is still being completed).
The mandate creates a floor, not a ceiling. Every member state must have at least one authorized EUDI Wallet by the compliance deadline. What “authorized” looks like in practice — how easy it is to use, how broadly it is accepted, how compelling the consumer experience is — varies enormously.
The Wallet Custody Problem: Apple, Google, and the Secure Element
Google and Apple are both pursuing EUDI Wallet certification. Their ambition is clear: if the EUDI Wallet becomes the primary identity layer for European citizens, whoever operates that wallet sits at the centre of authentication, onboarding, and eventually payments. That is a position of extraordinary leverage.
The technical problem is credential storage. Where does a certified identity credential actually live on a device? Apple’s Secure Enclave is the most secure available location on an iPhone — a dedicated hardware security module isolated from the main processor, used today for Face ID templates and payment credentials. Storing an identity credential there would provide the highest assurance level that eIDAS certification demands. (Note Android is developing its own Android Credential Manager ACM with dedicated silicon in the Titan M2 and the Android Ready Alliance.
The obstacle: Apple controls access to the Secure Enclave via an entitlement system — a fee-bearing permission that Apple grants selectively. The EU Commission’s position, reinforced by ongoing litigation and Digital Markets Act (DMA) proceedings, is that this gatekeeping is anticompetitive. Apple’s response has been incremental and contested. The result is that identity credentials for EUDI Wallets on iOS will, in the near term, be stored in less secure areas of the device — software-based secure storage backed by biometric unlock (Face ID or fingerprint), rather than hardware-anchored root of trust.
This creates a certification problem. EUDI Wallets require a defined Level of Assurance (LoA) — the EU uses three levels (Low, Substantial, High). High assurance requires hardware-bound credentials. If Apple’s entitlement structure prevents hardware binding, iOS-based EUDI Wallets may only achieve Substantial assurance — good enough for most banking authentication, but potentially insufficient for the highest-risk transactions or cross-border use cases where regulators require High LoA.
On Android, Google’s approach via the Android Keystore and StrongBox (Titan chip on Pixel, equivalent hardware on Samsung flagships) is more tractable — but Google is simultaneously pursuing its own wallet certification, creating a conflict of interest as both infrastructure provider and wallet operator.
The Strategic Question for Banks
The unresolved question is not whether banks will use EUDI Wallets for authentication and eventually onboarding. They will. The regulatory trajectory is clear.
The real strategic question is:
Will banks merely consume government-issued identity credentials, or will they become credential issuers themselves?
The European banking sector has the raw material to do the latter. Banks already hold the most verified, most legally robust identity data in the economy: KYC records, AML checks, account ownership proof, income verification and credit history. Packaging these as verifiable credentials — cryptographically signed attestations that a customer can carry in their wallet and present to third parties — would allow banks to become the identity infrastructure layer, not just consumers of a government-issued eID.
This is the model that Estonian banks have pioneered. It is the model that Norway’s BankID embodies. It is also what the European Banking Federation (EBF) and the European Credit Sector Associations are actively lobbying for — as evidenced by their 2024 call for clarity on SCA obligations under eIDAS, specifically pushing for bank-issued credentials to be recognised as valid EUDI Wallet attributes.
Many European banks see becoming a credential issuer as essential to preserving their role in the digital identity ecosystem. If they do not, the wallet becomes a government or Big Tech utility — and the bank is reduced to a regulated balance sheet with no differentiation at the customer interface.
The India Proof Point
The best working model for government-mandated, population-scale digital identity linked to payments is India/UIDAI — specifically the combination of Aadhaar (biometric identity enrolled by the government for 1.4 billion residents) and UPI (the payment rails that leverage that identity layer).
India proves the thesis: for trust to expand beyond a single domain, you need either a commercial construct or a government mandate. India used the latter at an extraordinary scale, deploying Aadhaar with both government authority and private sector buy-in across banking, telecoms, and government services simultaneously. The result is that UPI handles over 14 billion transactions per month — largely because identity verification at onboarding is fast, cheap, and universally recognized.
Europe’s challenge is that eIDAS covers authentication more than it covers true identity in the KYC sense. India’s Aadhaar is biometric, population-enrolled, and government-anchored. The EUDI Wallet is a container for credentials — some government-issued, some bank-issued, some private — with no equivalent central enrolment authority. The analogy is instructive, but the path is different. Europe is attempting to build the India Stack outcome through federation rather than centralization.
That is harder. Whether it works depends on whether the commercial construct emerges alongside the mandate — specifically, whether banks find sufficient economic incentive to invest in credential issuance, acceptance infrastructure, and consumer onboarding, and whether Big Tech platforms support rather than compete with the framework.
Will It Succeed?
We do not know yet.
The honest answer is that eIDAS 2.0 has the right architecture and the wrong timeline for most of Europe. The countries that had working commercial constructs before the mandate (Sweden, Norway, Denmark, Estonia, Belgium) will integrate the EUDI Wallet as a layer on top of existing infrastructure and largely succeed. The countries that relied on eIDAS to create a digital identity ecosystem from scratch face a harder road.
The December 2027 banking compliance deadline is real but incomplete. It mandates acceptance of wallet credentials for SCA. It does not mandate wallet-based KYC. It does not mandate bank credential issuance. It does not resolve the Apple secure element dispute. It does not specify how AML supervisors in each member state should treat wallet-attested identity for higher-risk onboarding.
What eIDAS 2.0 has done — and this is not trivial — is create a legal floor. For the first time, every EU bank has a date by which it must be able to accept a standardized digital identity credential. That shifts the conversation from “if” to “when” and “how.” It also creates pressure on Big Tech: Google and Apple cannot simply ignore a legal framework that covers 450 million people and their banking relationships.
The open question is not whether the wallet exists. It is whether the wallet matters whether it carries credentials worth presenting, whether banks accept them for the transactions that actually count, and whether the commercial incentives for credential issuance emerge before the mandate deadline creates a compliance-first, experience-last implementation.
The Nordic countries show what a successful outcome looks like. Europe has fifteen months to figure out whether it can replicate it at continental scale (see my blog on Bank ID)
Related Reading
- Why eIDAS Will Fail in Banking — December 2025
- Europe’s Siege — Digital Sovereignty Strategy — December 2025
- BankID Norway — Evolution and Success — February 2026
- Wallets and Privacy — February 2025
- Identity Driving Payments — April 2023
- Payments and Identity — UPI Continues to Lead the World — July 2023
- Separating Payment and Identity — July 2023
- Trust Assertions — Identity Will Define the Future of Payment Networks — May 2022
- Digital Wallets — Core Functions and Competitive Strategies — November 2024