eIDAS 2.0: Key Implications for Financial Institutions in the Dutch Market

With eIDAS 2.0 having entered into force on 20 May 2024, and full implementation required by 24 December 2026 in each Member State, Europe's digital identity infrastructure is undergoing a fundamental transformation. Whilst the original eIDAS Regulation from 2014 established a framework for cross-border electronic identification and trust services, the revised regulation places the European Digital Identity Wallet (EUDI Wallet) at the centre of digital transactions. From December 2027, 'relying parties' that require strong online authentication, including banks, payment service providers (PSPs) and electronic money institutions that require strong online authentication must accept all recognised EUDI Wallets. This development will likely significantly impact operational processes, customer onboarding procedures and compliance frameworks. 

Background: From eIDAS 1.0 to eIDAS 2.0

The original eIDAS Regulation of 2014 created an EU-wide framework for electronic identification and electronic trust services, intended to allow citizens and businesses to use national digital identities across borders. However, its practical impact remained limited, due to several persistent shortcomings: many EU citizens lacked access to a secure digital identity, only a small number of national eID schemes were formally notified, cross-border use of eIDs was minimal, and Member States implemented the trust services framework inconsistently in the absence of harmonised technical requirements.

These shortcomings prompted a substantial revision. The revised eIDAS Regulation (eIDAS 2.0) introduces two major reforms: the European Digital Identity Wallet and a set of new trust services designed to modernise and expand the existing system. It is important to clarify that ‘trust services’ in the eIDAS context refers exclusively to electronic trust-enabling services (such as electronic signatures, seals, time stamps, and registered delivery services). 

The new framework aims to create a more coherent and future-proof system that supports a wider range of digital transactions across Member States, whilst addressing the fragmented user experience under eIDAS 1.0, strengthening cybersecurity requirements and giving users greater control over their personal data. Each Member State must ensure that at least one certified EUDI Wallet is made available to citizens and residents by December 2027.

The EUDI Wallet: Structure and Functionality

The EUDI Wallet is designed to contain two categories of data. First, it includes a minimum set of Personal Identification Data (PID) issued by a competent authority designated by the Member State. Mandatory attributes comprise current surname, first names, date of birth and unique identification, with optional attributes including surname at birth, place of birth, current address and gender.

Second, the Wallet may also contain Electronic Attestations of Attributes (EAAs), cryptographically verifiable proofs of specific characteristics or entitlements. Examples include proof of age, driving entitlements, professional qualifications or payment account details such as an IBAN. These attestations function as 'verifiable credentials' that enable selective disclosure of information.

Important safeguards protect user autonomy and accessibility: attributes may only be added with the user's explicit consent, and the user decides which information is shared with which service provider. The EUDI Wallet is voluntary, and service providers may not refuse access solely because a user does not present a EUDI Wallet. Member States must make the EUDI Wallet available free of charge to ensure broad accessibility.

Key Implementation Uncertainties

The Dutch Payment Association (Betaalvereniging Nederland) has noted that, although the legal text of eIDAS 2.0 and the first implementing acts have been finalised, the precise scope of the obligation to accept the EUDI Wallet in payment contexts remains unclear. 

eIDAS 2.0 relies on ‘strong user authentication’ (SUA) for accessing and using the EUDI Wallet, which in practice will often involve two-factor authentication (2FA). However, the revised Payment Services Directive (PSD2) requires compliance with ‘strong customer authentication’ (SCA), which not only includes 2FA but also imposes additional technical requirements, such as dynamic linking (the cryptographic linkage of transaction amount and payee to the authentication process). This creates a potential compliance challenge: payment service providers may be required under eIDAS 2.0 to accept the EUDI Wallet as a 2FA-based authentication tool, while under PSD2 they must comply with the full set of SCA requirements. This makes it unclear how PSPs are expected to comply with both frameworks simultaneously. Although eIDAS 2.0 may oblige PSPs to accept the EUDI Wallet as a 2FA-based authentication tool, it does not require PSPs to support payment initiation through the Wallet or to issue EEAs. As a result, the practical extent of PSPs’ acceptance obligations under eIDAS 2.0 remains uncertain. These uncertainties may be addressed by the forthcoming EU payments legislation (the proposed Payment Service Regulation (PSR) and the revised Payment Service Directive (PSD3)). However, it remains uncertain whether the relevant Regulatory Technical Standards will be adopted before the December 2027 mandatory acceptance deadline.

Beyond authentication and payment initiation requirements, the EUDI Wallet framework also raises questions about the regulatory classification of service providers in the payment services ecosystem. Under the proposed PSR, entities providing certain EUDI Wallet-related technical services to PSPs may fall within the definition of technical service providers (TSPs). In such cases, PSPs would be required to treat their reliance on these entities as an outsourcing arrangement, triggering the applicable oversight and contractual requirements.

Dutch Regulatory Perspective: AFM and DNB

The Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) has indicated that the EUDI Wallet is expected to influence several of its key supervisory themes. First, the wallet will play a role in the ongoing digitalisation of financial services by enabling more reliable and secure digital interactions. It is also expected to support developments in embedded finance, as the wallet can facilitate the sharing of consumer data and may encourage further innovation in integrated financial services. In addition, the AFM notes that the EUDI Wallet could contribute to greater internationalisation by improving the usability of financial services across EU borders and lowering barriers for cross-border transactions.

While the EUDI Wallet may simplify customer processes, the AFM also highlights several risks that require attention. As the EUDI Wallet reduces friction in accessing financial services, consumers may fail to adequately consider the long-term consequences before entering into financial agreements. Furthermore, cross-border products that may become available through the use of a EUDI Wallet may be subject to less effective supervision, and individuals with limited digital skills or without suitable mobile devices may encounter accessibility challenges.

The Dutch Central Bank (De Nederlandsche Bank, DNB) has clarified that institutions subject to the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en terrorismefinanciering, the Wwft) may verify a customer’s identity using electronic identification tools, provided these tools meet an assurance level of ‘substantial’ or ‘high’ under the eIDAS Regulation. This means that, once the EUDI Wallet is introduced and meets these standards, it can be used as a valid method for Wwft-compliant customer identification.

Dutch Implementation: The NL-Wallet

The Ministry of the Interior is developing a reference wallet, known as the NL-Wallet. This government-issued wallet is expected to become the first certified EUDI Wallet available to Dutch citizens and residents. The NL-Wallet offers the core functionalities required under the EUDI framework and will exist as a standalone public application. It provides a secure and reliable baseline that demonstrates how EUDI Wallets should function in practice.

Following the launch of the NL-Wallet, the Netherlands will adopt an open admission system that allows commercial providers to offer their own certified EUDI Wallets. These commercial wallets must meet the same legal and technical requirements as the NL-Wallet, but they may integrate additional services or be embedded directly into a company’s existing app. This means that organisations wishing to offer their services, including financial services, onboarding processes and identity verification, within a single application may choose to develop and certify their own EUDI-compliant wallet. In the Netherlands the Dutch Digital Infrastructure Inspectorate (Rijksinspectie Digitale Infrastructuur, RDI) is expected to issue EUDI Wallet certification, which already supervises electronic trust services under eIDAS 1.0.

Recommended Actions for Financial Institutions

Financial institutions operating in the Dutch market should commence preparation for the introduction of the EUDI Wallet, notwithstanding remaining regulatory uncertainties. Priority should be given to ensuring technical and operational readiness to accept the EUDI Wallet for strong customer authentication by December 2027. Institutions should further consider how wallet-based identification and authentication can be integrated into existing onboarding and customer due diligence processes whilst maintaining compliance with the Payment Services Directive (PSD2), the Wwft and related regulatory frameworks. Ongoing developments, including the WE BUILD Large Scale Pilot and forthcoming guidance from DNB, the AFM and the European Commission, will provide further clarity on practical implementation and the interaction between eIDAS 2.0, PSD2 SCA requirements and the emerging PSR/PSD3 framework.

At the same time, institutions should review their data governance and ethics frameworks, given that the EUDI Wallet may facilitate more extensive data sharing in an Open Finance environment. Ensuring accessibility also remains essential: the AFM has warned that the EUDI Wallet may pose challenges for customers with limited digital skills or inadequate mobile devices, requiring institutions to retain alternative identification methods and assess potential impact on digitally underserved segments. Institutions should evaluate how wallet acceptance affects their liability for identity verification, fraud prevention and data protection. Finally, if the proposed PSR is adopted in its current form, certain EUDI Wallet-related service providers may be classified as technical service providers, which would require payment service providers to treat their reliance on such parties as an outsourcing arrangement.

Conclusion

The eIDAS 2.0 Regulation marks a significant regulatory development for financial institutions operating in or serving the Dutch market. With the mandatory acceptance deadline of December 2027 approaching, institutions should assess how the introduction of the EUDI Wallet may affect their compliance obligations, onboarding processes and broader customer interaction flows.

Whilst the EUDI Wallet framework offers opportunities to improve processes and strengthen security, important questions remain about technical feasibility, the scope of acceptance obligations in relation to PSD2 and the impact on customer protection. Proactive engagement with industry initiatives, close monitoring of supervisory guidance and timely preparation of technical infrastructure will be essential for a compliant implementation.