“Any organization that needs to maintain the highest level of trust, particularly government agencies and official data providers, will effectively need to become a Qualified Trust Service Provider (QTSP). While there’s some uncertainty about whether all these organizations need formal certification, the regulation is clear: they must operate at the same standards as a QTSP and prove their compliance through independent verification,” explains Dick Dekkers, independent digital identity expert and advisor.
With the eIDAS 2.0 legislation coming into force in 2026 and the European Commission’s ambitious target of 80% adoption by 2030, we spoke with Dick about the upcoming European digital identity regulation, its tight implementation timeline, and the significant challenges organizations face as they scramble to prepare. Drawing on his extensive background working on major government initiatives like Digi-D (Dutch Digital ID system) and GovUK Verify, Dick offers valuable insights into how this regulation will rapidly transform digital identity across the EU and why organizations need to act now before it’s too late.
How do you explain eIDAS 2.0 to someone at a birthday party?
eIDAS 2.0 is a European Union regulation that requires all member states to provide their citizens with a digital identity. This digital identity will function like a wallet app on your phone, similar to Apple Wallet or Google Wallet. The wallet will contain various credentials that prove who you are online – whether a full digital driving license or simply verification that you’re over 18 and eligible to buy alcohol. By 2026, every EU citizen should have access to this digital wallet, allowing them to verify their identity for online services securely.
The law states that by 2026, all European countries must comply with this regulation and provide a wallet to their citizens. What’s the current status?
The readiness for eIDAS 2.0 varies depending on the type of organization. Based on my conversations with governments, potential providers, and other stakeholders in the ecosystem, I see different levels of maturity. National governments generally understand what they need to do, but the situation becomes more challenging at lower levels. Government departments tasked with digitalization often have only a vague concept of their responsibilities without a clear understanding of the specific actions required.
Service providers are actively developing solutions to comply with the regulation. However, there’s another critical group – the relying parties who must trust identities provided through these wallets. Take banks, for example. When a customer proves their identity online through a digital wallet, the bank must accept and trust that verification. This requires significant changes to their infrastructure, compliance procedures, and terms and conditions. Most of these organizations don’t yet fully grasp the complexity of these adjustments or the scope of changes needed to their systems and processes.
What tips do you have for organizations still investigating?
My advice is simple: start talking to providers now. While initiating these conversations might not seem logical at first glance, engaging with experts who have a clear understanding of the requirements is essential—whether through public or private partnerships. These discussions aren’t commitments; you don’t need to decide immediately who you’ll work with exclusively. The goal is to understand what preparation steps you need to take. This early engagement is critical because the implementation timeframes for eIDAS 2.0 are extremely short, leaving little room for delay or indecision.
Providers of trust services must become recognized QTSPs. Can you explain this concept?
QTSP stands for Qualified Trust Service Provider. This is an organization that provides information you can inherently trust, with “qualified” indicating it meets the highest possible standards. Think of a QTSP as a digital notary – an officially designated trusted source that verifies information as genuine and authentic. When you receive data from a QTSP, you can rely on it being trustworthy throughout your entire process. While achieving this status carries tremendous operational implications and requirements, the core concept is straightforward: if an organization is a certified QTSP, there’s no reason to doubt the validity of the information they provide.
Which organizations need to become QTSPs?
Any organization that needs to maintain the highest level of trust will need to become a QTSP. This primarily applies to government entities and official data providers – they effectively all need to meet QTSP standards. While there’s some ambiguity about whether formal certification is required in every case, the regulation is clear on the expectations: these organizations must operate at the same rigorous standards as a certified QTSP and demonstrate compliance through independent verification. So even without explicit certification requirements, they essentially need to function as QTSPs in practice.
What challenges do these organizations face in becoming QTSPs?
The main challenge in becoming a QTSP is the sheer complexity involved. This process impacts organizations on multiple levels. First, you must comply with an extensive and complicated set of standards and requirements. Second, there are significant legal implications regarding liability. Third, you must meet very strict infrastructure and security requirements.
Beyond the initial certification, it becomes an ongoing operational burden. You’ll need annual recertification, which means maintaining comprehensive documentation and ensuring that your actual operations perfectly match your documented processes. This continuous auditing creates a significant administrative overhead.
Perhaps most importantly, you assume liability for the authenticity of the data you provide. For example, if I certify that a person is who they claim to be, I take legal responsibility for that verification. This combination of legal risk and operational demands creates a substantial burden for organizations seeking QTSP status.
Can you explain the certification process?
The QTSP certification process typically involves three distinct stages. In the preliminary assessment, an independent auditor evaluates your readiness by examining your operations and infrastructure, then identifies areas needing attention. The first formal stage focuses on reviewing your documentation. The second stage compares your actual operations against your documented processes to ensure they match.
This certification process is time-consuming, but what makes it particularly challenging is the limited number of qualified auditors available. Even if your organization is fully prepared, securing certification will take considerable time if you don’t book auditors well in advance. This is a critical consideration because demand for these auditors will be extremely high – not just from wallet providers, but also from official data providers, government entities at various levels, and verifying organizations. Everyone involved in the eIDAS 2.0 ecosystem will need these auditors’ services, creating a significant bottleneck with only a handful of qualified professionals available.
What is the European Union’s role in this process?
The European Commission plays the central role in establishing both the eIDAS 2.0 regulation and all the associated standards. They define the comprehensive set of rules that organizations must comply with, typically covering operational security, infrastructure requirements, and legal documentation. Once these standards are established, independent auditors step in to evaluate organizations against each specific requirement, determining whether they meet the necessary compliance levels. This creates a clear separation between the rule-making function of the Commission and the assessment function of external auditors.
What benefits does QTSP status offer to customers or individuals?
The primary benefit of working with a QTSP, regardless of your role in the ecosystem, is the exceptional level of trust it provides. When a QTSP shares information about an identity or attribute, you can be completely confident in its authenticity. It’s comparable to working with a notary – no one questions the legality, impartiality, or trustworthiness of information verified by a notary. QTSPs bring that same level of unquestionable trust to the digital identity space.
Does becoming a QTSP offer competitive advantages?
Becoming a QTSP is mandatory in some instances, but it also offers clear competitive advantages in others. After all, who wouldn’t prefer working with a provider or source that has proven itself to be secure, operationally sound, and fully compliant? Organizations with QTSP status demonstrate that they have end-to-end operations that are thoroughly vetted and trusted, making them more attractive partners in the digital identity ecosystem.
Looking ahead five years, what do you expect?
The official timeline for eIDAS 2.0 establishes that by October-November 2026, all EU member states must provide at least one digital wallet to their citizens. Following that, within 12 months, designated relying parties including government entities, banks, telecom providers, healthcare organizations, and several other key sectors must be prepared to accept these wallets as valid identification methods.
The European Commission has set an ambitious target of 80% adoption by 2030. This means that within approximately five years, digital identity wallets should become a common everyday tool for most Europeans. The vision is that these wallets will become as routine as mobile payment systems like Apple Pay or Google Pay – you’ll simply take out your phone to access your digital driving license or other credentials. This represents a fundamental shift in how identity verification will work across the European Union.
