
eIDAS 2.0: readiness, regulation and the race to 2026


Søren Eller Thomsen and Mark Medum Bundgaard at Partisia describe the progress that the EU is making towards a universal digital identity system

 

The clock is ticking. By November 2026, every EU Member State must make at least one certified EU Digital Identity Wallet (EUDI Wallet) available to its citizens. The deadline is more than a compliance milestone; it is a forcing function that is already reshaping investment roadmaps for banks, telecoms, healthcare providers and wallet vendors across the continent.

 

In practical terms, it means that 2025 is the final full development year. Anyone who has not started building or testing, or is not in the process of being certified, by early next year will struggle to be compatible with, and pass the conformance requirements for, the new ID ecosystem.

 

Regulation

The Architecture and Reference Framework (ARF) is the technical foundation of eIDAS 2.0. Rather than being a fixed standard, it behaves like a continuously updated technical blueprint: every few weeks, feedback from member states’ experts and lessons learned from the EU’s four Large‑Scale Pilot consortia flow back into revised drafts. These pilots involve more than 350 public‑ and private‑sector organisations across 26 member states, testing everything from mobile driving licences to social security claims. As a result, the ARF is evolving with real‑world feedback, giving developers a practical path toward implementation.

 

That constant revision cycle is powerful but demanding: development plans must remain flexible while still converging towards harmonised attribute definitions and aligned credential schemas. The remaining challenges are increasingly organisational rather than technical, which in itself shows how far the infrastructure has matured.

 

International examples reinforce this point. Japan’s My Number card benefited from tight integration into mobile operating systems and even mild gamification to encourage uptake. Singapore’s SingPass proved how pre-filled forms and fine-grained consent mechanisms can drive citizen adoption. The broader lesson is that trust often follows usability, not just regulation.

 

Laying the digital groundwork for digital identities

Although eIDAS 2.0 does not mandate specific technologies, two technologies have the potential to become central in such ecosystems: blockchain for auditability and multi-party computation (MPC) for privacy. Blockchain can provide a decentralised, tamper-evident log of credential issuance and revocation events, ensuring integrity without reliance on a single authority. This supports use cases where transparency and traceability are essential, such as public‑sector credential registries or audit trails for consent.

 

MPC, meanwhile, allows data to be used for verification or computation without being fully revealed or reconstructed. This is particularly effective for wallet backup and key management.

 

In our work to support the eIDAS rollout, our expertise in cryptography has proven essential in building systems where privacy and security are preserved by default, even when credentials or biometric data are used in high‑assurance environments. One of Partisia’s co-founders, Professor Ivan Damgård, is recognised as a pioneer and co-creator of modern multi-party computation, and his foundational work continues to influence how privacy-preserving technologies are applied to digital identity today.

 

From readiness to implementation

Today, we are also applying these techniques in international real-life projects. For example, we are partnering with Trust Stamp on a solution that combines biometric tokenisation with Multi-Party Computation (MPC), linking facial or fingerprint data to wallet credentials without exposing raw biometric templates, supporting high‑assurance identity verification.

 

In Japan, under a proof‑of‑concept led by TOPPAN Edge, university employees and visitors at the Okinawa Institute of Science and Technology are using a mobile wallet for campus access, usage of technology monitoring and more via secure NFC, anchored in blockchain and MPC for privacy-preserving decentralised identity.

 

Biometric holder binding is essential for high-assurance use cases where the credential must be tied to the physical person, but it raises inherent privacy risks. Unlike passwords, biometric data cannot be reset and is, by default, considered personal data and therefore sensitive. This makes protection critical. Many current wallet models now keep biometrics entirely on-device, secured within trusted execution environments or secure enclaves.

 

However, trusting only the user’s device is unsatisfactory from a verifier’s perspective, as a liveness check must also be performed when an authentication takes place. This is where advanced cryptographic techniques, such as MPC, can help strike a workable balance between security and privacy compliance.

 

Emerging privacy-preserving technologies

Techniques like selective disclosure also support compliance with the GDPR’s principle of data minimisation. A verifier can learn only what is required, such as whether a user is over 18, without accessing their full date of birth. In more advanced configurations, modern cryptographic schemes based on zero-knowledge proofs like BBS+ signatures allow credentials to be presented in different contexts without being linkable back to the same holder. More recent work by Google researchers Frigo and Shelat demonstrates how zero-knowledge proofs can be made compatible with modern smartphone secure hardware, enabling both privacy and high assurance.
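The over-18 case above, as an added example that is not from the article: a minimal salted-hash selective disclosure flow, which is a simpler technique than the BBS+ or zero-knowledge schemes named in the paragraph. The claim names, the sample holder data and the use of an HMAC in place of the issuer's asymmetric signature are assumptions made so the sketch runs offline.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: an HMAC key stands in for the issuer's asymmetric signing key.
ISSUER_KEY = secrets.token_bytes(32)

def _digest(disclosure: str) -> str:
    return hashlib.sha256(disclosure.encode()).hexdigest()

def _sign(payload: str) -> str:
    return hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue(claims: dict):
    """Issuer: salt every claim and sign only the list of salted digests."""
    disclosures = {
        name: json.dumps([secrets.token_hex(16), name, value])
        for name, value in claims.items()
    }
    payload = json.dumps({"_sd": sorted(_digest(d) for d in disclosures.values())})
    return {"payload": payload, "sig": _sign(payload)}, disclosures

def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder: attach only the disclosures the verifier actually needs."""
    return {**credential, "disclosures": [disclosures[n] for n in reveal]}

def verify(presentation: dict) -> dict:
    """Verifier: check the issuer tag, then that each disclosure was signed."""
    if not hmac.compare_digest(_sign(presentation["payload"]), presentation["sig"]):
        raise ValueError("issuer signature check failed")
    signed = set(json.loads(presentation["payload"])["_sd"])
    claims = {}
    for disclosure in presentation["disclosures"]:
        if _digest(disclosure) not in signed:
            raise ValueError("disclosure not covered by the issuer signature")
        _salt, name, value = json.loads(disclosure)
        claims[name] = value
    return claims

# Constructed sample holder data, not a real identity.
SAMPLE_CLAIMS = {"given_name": "Alex", "birthdate": "1990-01-01", "age_over_18": True}
```

Because the same digests and issuer tag appear in every presentation, two verifiers can still link them to one credential; removing that linkability is what the BBS+-style schemes mentioned above are for.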

 

Credentials for non-human actors

Beyond human users, decentralised credentials are being tested in the IoT space, with connected devices like smart locks, vehicle keys and industrial equipment able to present verifiable credentials over Bluetooth or NFC. These credentials can prove the legitimacy of the device or service without exposing user data, creating potential for secure access control without centralised tracking.

 

Scalability is no longer theoretical. Estonia’s e-residency and e-notary services already demonstrate large-scale wallet-based digital identity in action, handling high volumes of authentications and digital signatures for both domestic and cross-border users. These systems show that the infrastructure can meet both public trust and real-world demand.

 

Certification remains one of the most complex aspects of implementation. Providers must simultaneously address wallet conformance testing, Qualified Trust Service Provider (QTSP) status, and national identity scheme integration, often while ARF guidance is still in flux. The most effective strategy is to stay tightly aligned with the regulatory working groups and pilot communities and to adopt privacy-first technologies that reduce future technical debt. Viewing certification as a one-time hurdle is a risk; continuous assurance will likely become the norm as requirements evolve.

 

The future with eIDAS 2.0

The outlook is that all European citizens will soon carry a wallet that works anywhere from Lisbon to Ljubljana. Yet the real transformation lies beyond technical compliance: it lies in handing back control of personal data to the citizens, enabling trust-based interactions that are privacy-respecting by design.

 

Whether through zero-knowledge proof-backed wallets, decentralised devices, or embedded biometrics, the next 18 months will define whether Europe sets a global precedent—or simply builds the rails for the next iteration of innovation.

 


 

Søren Eller Thomsen is a Cryptographic Engineer, and Mark Medum Bundgaard is CPO, at Partisia 

 


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543