This piece has been co-authored by Renate Prinz, partner, and Dr. Cornelius Hille, associate, at McDermott, Will & Emery.
The European Union’s European Digital Identity Framework Regulation (eIDAS 2.0) introduces a standardised framework for digital identity and trust services across all EU Member States, massively benefiting anti-money laundering efforts while still protecting
individuals’ personal data.
eIDAS 2.0, which came into effect at the end of 2024, complements the regulatory requirements of the Second Payment Services Directive (PSD2), particularly in implementing Strong Customer Authentication, which is a key requirement of PSD2. One of the primary
uses of eIDAS 2.0 will be digital Know-Your-Customer (KYC) identification in compliance with relevant anti-money laundering (AML) laws. One of the key benefits of the framework is streamlined and secure customer onboarding, particularly in the financial sector.
The regulation facilitates the implementation of EUDI-Wallets, which are expected to come into effect from 2027, and will make all online financial services requiring customer identification easier and more reliable, even across borders. This will reduce friction and improve the user experience by allowing for easy and safe online authentication and verification across the entire European Union, covering services such as bank account opening, qualified electronic signatures, and mobile driving licences.
The introduction of EUDI-Wallets aims to provide a unified and secure way for individuals to store and manage their electronic identification data. EUDI-Wallets will enable users to selectively disclose their data, ensuring that only the necessary information is shared with the respective service providers. This selective disclosure mechanism is crucial for maintaining privacy while easily accessing various digital services.
The regulation will have a material impact on the digitalisation of EU markets and, accordingly, provide for various innovative business opportunities. Digital businesses can develop new services, such as identity-verified digital wallets, automated contract
execution, and seamless cross-border payments. The harmonised legal framework will also reduce compliance complexity and operational costs.
Electronic identification and trust services
The primary goals of eIDAS 2.0 are to:
- Create harmonised conditions under which EU Member States recognise electronic identification means, and provide for and recognise EUDI-Wallets. EUDI-Wallets must be open-source licensed to ensure general transparency, so that the software can be scrutinised properly for potential security vulnerabilities, thereby protecting user data from potential breaches. Member States may, however, restrict the disclosure of specific components for justified reasons, balancing transparency with security.
- Establish rules for trust services, in particular for electronic transactions, to ensure that electronic documents and transactions are tamper-proof and legally binding.
- Create a legal framework for electronic signatures, seals, time stamps, documents, registered delivery services, archiving, and ledgers, amongst others.
eIDAS 2.0 promotes interoperability and the standardisation of electronic identification and trust services across the EU. This ensures that technical as well as privacy and data protection standards are consistently applied, regardless of the Member State
in which the services are used. Standardisation in this context is also expected to facilitate the development of secure and privacy-enhancing technologies that can be widely adopted.
Given the value of the information that will be stored digitally as a result of eIDAS 2.0, it is crucial to examine its privacy and data protection implications.
Data protection under eIDAS 2.0
eIDAS 2.0 is designed to ensure that users of electronic identification means and trust services have full control over their personal data. Accordingly, service providers must ensure the confidentiality, integrity, and authenticity of the data processed.
Under the General Data Protection Regulation (GDPR), data subjects have the right to access, rectify, and fully erase their data. The GDPR takes precedence over eIDAS 2.0, empowering individuals to securely manage their digital identities.
In addition, eIDAS 2.0 emphasises the importance of user consent and transparency in the processing of personal data. Service providers are—in line with and subject to GDPR—required to obtain explicit consent from users before processing their data, and
must provide clear and transparent information about how the data will be used. This ensures that users are fully informed and can make confident decisions about their data.
Trust services under eIDAS 2.0, such as electronic signatures and seals, are designed with data minimisation principles in mind. These services ensure that only the necessary data is processed for the intended purpose, reducing the risk of unnecessary and
unwanted data exposure.
In the event of a security breach, eIDAS 2.0 requires service providers to notify the relevant supervisory bodies and affected users without undue delay. This prompt notification helps mitigate the impact of breaches on user privacy and ensures that protective
and corrective measures are taken swiftly. The regulation also outlines the responsibilities of supervisory bodies in investigating and addressing such breaches. Insofar as this regards financial services, eIDAS 2.0 must be read in conjunction with the Digital Operational Resilience Act (DORA).
In addition, the regulation explicitly promotes the use of pseudonyms, allowing users to engage in certain transactions without revealing their true identities, thereby additionally enhancing privacy. The exception is where the identification of the user
is required by EU or national law, as would be the case in most financial services transactions, where stricter rules require a complete set of clear personal data for KYC purposes.
The relevance of eIDAS 2.0 to the future of the EU AML regime
The new Regulation on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing (Anti-Money Laundering Regulation, AMLR) emphasises the high importance of customer due diligence in preventing money laundering
and terrorist financing.
eIDAS 2.0 is expected to play a significant role in this context as money laundering and terrorist financing often involve a high number of cross-border transactions involving multiple jurisdictions. The interoperability of electronic identification processes
under eIDAS 2.0 enables financial institutions and other entities to verify the identity of customers from different EU Member States seamlessly. This EU-wide standardisation will also likely simplify spotting suspicious customers or activities across borders.
The AMLR advocates a risk-based approach to managing financial transactions and the AML risks associated with them. eIDAS 2.0 provides the necessary tools for implementing this approach smoothly and cost-effectively by using secure electronic identification and trust services. These tools also enable obliged entities to know their clients and to assess and effectively mitigate the risks associated with their customers and transactions.
The cornerstone of a trustworthy digital environment
The provisions of eIDAS 2.0 for electronic identification and trust services empower users to control their personal data and engage in secure electronic transactions. By aligning with the GDPR and promoting transparency, user control, and data minimisation,
eIDAS 2.0 ensures that privacy and data protection standards are still upheld in this new digital landscape.
Furthermore, the integration of eIDAS 2.0 with the new AMLR enhances the effectiveness of anti-money laundering measures by providing reliable electronic identification means and facilitating cross-border co-operation, while upgrading and simplifying the
customer experience of KYC.
As the reliance on secure digital services continues to grow, the robust privacy, data protection, and AML framework established by and around eIDAS 2.0 will be crucial in maintaining user trust and safeguarding personal data in the European Union’s digital
future.