The European Digital Identity Framework, or eIDAS 2.0, represents a significant evolution in how digital identity, authentication, and trust services operate across the European Union. Unlike its predecessor, eIDAS 2.0 introduces a phased implementation approach that acknowledges the varying complexities across different sectors.
Understanding this timeline is crucial for organizations to prepare adequately and avoid compliance issues, says Jon Shamah, European eID and digital transformation expert. “eIDAS 2.0 is a phased implementation. The technical aspects are being worked on now, and the implementing acts are designed to be a living, evolving entity.” This evolving nature makes it essential for organizations to stay informed about their specific compliance deadlines.
Understanding the architectural foundation
Before examining the sector-specific deadlines, it’s important to understand the architectural framework that underpins eIDAS 2.0. The Architectural Reference Framework (ARF) serves as the technical blueprint for implementation. The ARF defines the structure, components, interfaces, and interactions of the European Digital Identity Wallet ecosystem, providing technical specifications for how wallets, issuers, and relying parties should work together. It covers everything from security requirements and data models to communication protocols and user interfaces.
The ARF is moving fast, notes Jon, reflecting the complexity of establishing a comprehensive digital identity framework across the EU, as well as the consultative approach taken in its development.
The implementing acts, which arethe technical details of the legislation, continue to evolve alongside the ARF. This creates a situation where organizations must prepare for compliance while the exact technical specifications are still being refined. As Shamah explains, “the implementing acts are the extension of the framework: they explain how to put eIDAS 2.0 into action.”
Compliance deadlines
Priority sectors
eIDAS 2.0 has selected several priority sectors, which includes the public sector, parts of the financial sector, telecommunications, the legal sector, general healthcare, and country-level transport systems, as well as large online platforms.
These priority sectors were selected due to their fundamental role in society and the economy. Government agencies and administrations, being directly under EU member state control, are expected to lead by example. The inclusion of education, healthcare, finance, large online service providers, and telecommunications reflects the essential nature of these services and the high volume of sensitive identity transactions they process. Organisations in these sectors are required to comply only if they are mandated responsibility by a government body or publicly regulated .
The first major compliance deadline for eIDAS 2 falls at the end of 2026, targeting these high-priority sectors that form the backbone of public services and critical infrastructure.
For organizations in these sectors, preparations should already be underway. This includes evaluating current identity management systems, understanding the requirements for interacting with EU Digital Identity Wallets, and potentially engaging with Qualified Trust Service Providers (QTSPs) to facilitate compliance.
Extended sectors
The second phase of implementation extends to 2027, encompassing a broader range of sectors.
According to Jon, “this deadline grants additional time to specific sectors such as private health care, universities and student institutions, small and medium enterprises, NGOs, and local transport.”
This extension acknowledges the resource constraints that smaller organizations and non-governmental entities often face. By providing an additional year, the framework aims to ensure that compliance does not create undue hardship while still maintaining the ultimate goal of a comprehensive digital identity ecosystem.
Small and medium enterprises (SMEs) in particular benefit from this extended timeline, though it’s worth noting that not all SMEs are covered by the extension: some larger SMEs fall under the 2026 deadline,Jon points out.
Exemptions and special considerations
While eIDAS 2.0 aims to be comprehensive, there are exemptions for certain types of organizations, particularly the smallest businesses.
“The very small companies don’t need to comply,” Jon notes, “but most companies will need to be able to accept wallets.” This creates an interesting dynamic where even organizations exempt from active compliance may find it beneficial to adapt to the framework to meet customer expectations and remain competitive.
It’s also worth noting that eIDAS 2.0 operates at Level of Assurance 3 (LoA3), which is the highest level outside of defense and security applications. This means that all implementations, regardless of sector or deadline, must meet stringent security and verification standards.
Preparing for compliance: The role of QTSPs
A key consideration for organizations preparing for eIDAS 2.0 compliance is whether to become a Qualified Trust Service Provider (QTSP) or to work with existing ones. For most organizations, the latter option will be more practical.
QTSPs play a central role in the eIDAS framework: they are the certified entities that can issue qualified electronic signatures, seals, timestamps, and provide other trust services that carry the highest legal standing. Under eIDAS 2.0, QTSPs are authorized to issue qualified attestations of attributes: the verifiable credentials that populate users’ digital wallets. They serve as the trust anchor of the entire system, undergoing rigorous certification and regular audits to ensure their security and reliability. By operating under strict regulatory oversight, QTSPs provide the assurance that digital identities and signatures are as legally binding as their physical counterparts.
However, the QTSP services are usually not an organization’s core focus. “Being a QTSP is really laborious. It’s a hassle,” Jon emphasizes. “f I’m a university, do I want the hassle of being certified and issuing a diploma with certification? I’m not a QTSP. My primary job is being a university.”
This perspective applies across sectors. Organizations in healthcare, transport, telecommunications, and other areas typically want to focus on their core business, not on the backend infrastructure of digital identity. By working with established QTSPs, they can achieve compliance without diverting significant resources from their primary operations.
Technical implementation challenges
Regardless of which deadline applies, organizations face several common technical challenges in complying to eIDAS 2.0.
One of the most significant is ensuring resilience. As Jon points out, “If as an administration you are issuing credentials, and these credentials are critical, what happens if your system is out of action for a week? You can’t issue verifiable credentials, some people may not get jobs, and then you can get sued. There’s a liability impact.”
Cloud-based solutions, often provided by QTSPs, can help address these resilience concerns by reducing single points of failure. Another challenge is adapting to the wallet-centric approach of eIDAS 2.0. Organizations need to develop or modify their systems to interact with users’ digital wallets, which represents a fundamental shift from traditional identity verification methods.
Cross-border considerations
The cross-border nature of eIDAS 2.0 adds another layer of complexity to the implementation timeline. Organizations operating in multiple EU member states need to ensure compliance across all jurisdictions, which may involve navigating slightly different national interpretations of the framework.
“The whole idea of making everything cross-border – wallets, transactions, and businesses – means that an interaction in the Netherlands is, by law, still recognizable in another country,” says Jon. While this is ultimately beneficial for a unified digital market, it requires careful planning during the implementation phase.
He adds that for multinational organizations, it may be prudent to align all operations with the earliest applicable deadline, rather than trying to manage different compliance timelines in different countries. This approach can simplify planning and reduce the risk of oversights.
Looking beyond the deadlines: a continuous evolution
It’s important to recognize that compliance with eIDAS 2.0 is not a one-time effort. The framework continues to evolve, and organizations need to stay informed about changes that could affect their implementation.
“The implementing acts are designed to be a living, evolving document,” Jon notes. “The architectural reference framework keeps being updated.” This means that even after meeting the initial compliance deadlines, organizations will need to monitor developments and potentially make adjustments to their systems and processes.
This continuous evolution reflects the rapid pace of change in digital technology and the framework’s goal of remaining relevant and secure in the face of emerging threats and opportunities. Organizations that view eIDAS 2.0 compliance as an ongoing journey rather than a destination will be better positioned to adapt to future changes.
Conclusion
The implementation timeline for eIDAS 2.0 provides a structured approach to building a comprehensive digital identity framework across the European Union. With major deadlines in 2026 and 2027, organizations have time to prepare – but that preparation should begin now.
For priority sectors facing the 2026 deadline, such asgovernment agencies, education, certain financial services, telecommunications, legal, healthcare, and national transport, the urgency is particularly high. Those with the 2027 deadline, includingprivate healthcare, universities, SMEs, NGOs, and local transport, have a bit more breathing room but should still be actively planning their approach.
Regardless of the applicable deadline, most organizations will benefit from partnering with established QTSPs rather than attempting to become one themselves. This allows them to focus on their core business while ensuring compliance with the technical and certification requirements of eIDAS 2.0.
As Jon succinctly puts it, the evolution to eIDAS 2.0 is “an enabling legislation to go digital in a big way.” Organizations that embrace this perspective and prepare thoughtfully for their compliance deadlines will not just meet regulatory requirements but position themselves to thrive in Europe’s increasingly digital economy.
