eIDAS 2.0 Digital Identity Wallet: Proof at the AML Perimeter

Every EU Member State has to provide at least one European Digital Identity Wallet to its citizens by end-2026, and a compliance team that has spent years evaluating uploaded documents could assume the wallet is a faster way to receive document copies. It is not. The eIDAS 2.0 Digital Identity Wallet does not deliver a copy of a citizen's documents — it delivers a selectively disclosed, cryptographically signed attestation drawn from the Person Identification Data and (Qualified) Electronic Attestation of Attributes framework, and operators preparing for the December 2026 rollout must redesign their AML perimeter to evaluate a proof rather than re-screen a document. For Europeans onboarding to a service in another Member State, the wallet shares only what the relying party requires.

What eIDAS 2.0 actually mandates

Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework is the statutory anchor. (1)(2) With regard to the legislative process, members of the European Parliament adopted the text in February 2024; the Official Journal published it on 30 April 2024. The original eIDAS built mutual recognition of national digital identities and trust services across the EU internal market; the years since 2014 exposed cross border limits. The amendment adds the wallet as a personal-control instrument Europeans use across Europe, stretches trust services to cover Qualified Electronic Attestation of Attributes, and turns voluntary cross border recognition into Member States' obligation. With regard to entry into force, the European Commission adopted five implementing regulations on 28 November 2024, entering force on 24 December 2024. (1)(6) Members of the eIDAS Expert Group developed the technical baseline establishing common standards every wallet provider codes against, enabling Europeans to prove identity through a digital ID layer Member States provide.

From eIDAS 1.0 to eIDAS 2.0

The amended regulation adds the wallet, the (Q)EAA framework letting a QTSP attest to attributes beyond identity, and the obligation to provide a digital ID solution to EU citizens. (2)(14) The European Commission proposed the regulation in June 2021; members of the EU co-legislators converged on the final text three years later. Member States provide the wallet free through years of national-eID infrastructure already deployed, and Europeans use it across borders.

The December 2026 deadline

Article 5a(1) requires each Member State to provide at least one wallet within 24 months of the implementing acts' entry into force — the clock runs to 6 December 2026. (1)(12) A separate 36-month private sector window — to 6 December 2027 — obliges Very Large Online Platforms, public-body services, and regulated relying parties across sectors including financial services, gambling, and adult media to accept wallet attestations. (12)(1) Approximately 449 million Europeans are the primary beneficiaries; each Member State must provide citizens secure access via a designated public sector body responsible.

The Architecture and Reference Framework

The Architecture and Reference Framework (ARF), at version 2.9.0 published 21 May 2026, specifies the technical standards, protocols, and formats every wallet, issuer, and relying party must implement. (3) The European Commission developed the reference standards and technical specifications the ARF cites; the Digital Building Blocks portal complements the regime for digital services Europeans use across the EU. (4)

What the wallet presents at the AML perimeter

The wallet does not transfer document copies. It presents a structured payload — Person Identification Data plus one or more (Q)EAA payloads — with a verifier-readable signature chain resolving into the EU trust-services regime. The relying party evaluates the signature, the issuer's qualified status, and the disclosed attributes; documents stay with the Member State authentic source. Europeans share only what the relying party needs.

The Person Identification Data (PID) block

The PID is the wallet's core identity payload — a structured set of identity data attributes derived from the citizen's authoritative source, typically the Member State's notified eID scheme. Family name, given name, date of birth, place of birth, and a unique personal identifier are common PID fields, along with the country code anchoring the scheme. (3)(6) Member States notify the wallet provider so the issuer signature resolves, and Europeans use the same identity data across the EU.

Electronic Attestation of Attributes (EAA) and Qualified EAA

An EAA is a separate attestation about an attribute not in the PID — driving licence, professional qualification, payment-account status, age assertion, education certificates. A QEAA carries the seal of a Qualified Trust Service Provider under Article 21. EAAs from authentic-source electronic registers reach QEAA status automatically; others only when checked by a QTSP. (10)(3) The wallet hands the relying party PID plus (Q)EAA payloads carrying qualified electronic signatures or qualified electronic seals, with secure storage on the device. Qualified certificates aggregated in the trust-list resolution let Europeans share verifiable digital documents without re-uploading documents.

Where the trust services chain ends and the operator's evaluation begins

The relying party verifies the issuer's signature against the EU trust-services regime. The chain ends at the Member State's list of qualified trust service providers, aggregated at EU level by the List of Trusted Lists. (2)(3) The wallet relying parties the AMLD treats as obliged entities — banks, payment institutions, crypto-asset service providers, insurers — still owe a risk-based judgement on whether the attribute is adequate for the customer due diligence context. Statutory acceptance under eIDAS 2.0 does not settle the CDD call: Europeans presenting wallet evidence are recognised under Article 5b but assessed under AML rules.

Selective disclosure: the primitive that changes the work

Selective disclosure separates the wallet from a document scanner. The holder controls which attributes are disclosed. Two mechanisms operate across the wallet ecosystem: attribute hiding (omission of fields from the payload) and Zero-Knowledge proofs that verify a predicate over an attribute without revealing the value. The relying party receives a verifiable claim without unnecessarily sharing personal data — minimisation that supports data protection under GDPR. Europeans share only what they consent to: the wallet shares the proof, not the document.

Attribute hiding versus Zero-Knowledge proofs

Attribute hiding works when the relying party needs a specific value — the country code, a date of birth driving a sanctions assertion. The wallet omits the other PID fields. Zero-Knowledge proofs work when the relying party only needs to verify a predicate — this person is over 18 — without learning the value. ETSI developed TR 119 476-1 to analyse the cryptographic primitives the reference framework cites: SD-JWT, BBS+ signatures, BBS#, and zk-SNARK schemes. (7)(3) The ETSI standards anchor the wire-format choice and the reference standards the ARF cites.

What the relying party cryptographically verifies

The relying party verifies four things on a wallet presentation. First, the issuer signature against the trust-services chain resolving into the Member State's qualified trust services list. Second, the binding of the credential to the holder — the wallet stores a device-resident key. Third, freshness via a cryptographic timestamp. Fourth, the selective disclosure check confirming disclosed values match the signed credential. The W3C Verifiable Credentials data model is the upstream open standard the reference framework implements via SD-JWT VC and ISO/IEC 18013-5. (9)(3)(7) Europeans share digital documents through the wallet without exposing the value, and the verification process between citizens and relying parties is recognised across QTSPs.

The legal effect of receiving a wallet-delivered attestation

A wallet attestation is not legally equivalent to seeing the underlying document. It is a different category of evidence with its own statutory weight. Under Article 5b of Regulation (EU) 2024/1183, Member States and relying parties must accept the wallet for identification and authentication in the contexts specified. With regard to AML rules, the obliged entity still owes a risk-based judgement, and the verification process is sequential.

Recognition under eIDAS 2.0 versus adequacy under AML rules

Wallet evidence is recognised under eIDAS 2.0 and obliges the relying party to accept it as an electronic identification means for natural and legal persons. The legal validity is settled; what remains is the AML judgement. FATF's 2020 Guidance on Digital Identity points to the risk-based approach. (8)(1) Whether the attributes are adequate for the customer due diligence context — occasional transaction, business relationship, cross border payment — is the obliged entity's call under EU laws. Europeans presenting wallet evidence remain subject to the procedures recognised under Article 24, and online onboarding flows route the result into the operator's stack.

What the operator records in the audit trail

Operators preparing for December 2026 need an evidence-record schema capturing issuer identity and qualified-trust-service status, chain validation result, attributes disclosed, verification result, and timestamp. This coexists with the document-OCR record current KYC stacks generate. The same discipline applies to verifier-private beneficial-ownership attestations under AMLR. (8)

How the relying party operationally verifies the attestation

The wallet on the citizen's smartphone presents a payload to the relying party, which parses it against the ARF technical specifications, validates the signature chain, runs the selective disclosure check, and applies the downstream AML logic. The EUDI Wallet Reference Implementation in the Commission's GitHub repository is the authoritative reference code. (3)(5) Europeans use the wallet across the EU; members of the LSP consortia coordinate the common specifications wallet providers code against, and QTSPs provide the trust-services chain through trust-list resolution. With regard to the verification process, every step is a discrete check the operator's stack must support.

The wire-format choice — SD-JWT VC and ISO/IEC 18013-5

The European Digital Identity Regulation mandates two credential formats. SD-JWT VC carries general (Q)EAA payloads. ISO/IEC 18013-5, the mobile driving licence standard, carries document credentials such as the digital driving licence and other digital documents. (3) Operators must support both: a wallet may present a driving licence as an 18013-5 mDL credential and an over-18 age assertion as an SD-JWT VC proof in the same flow. The wire-format standards form the interoperable digital signatures layer so wallets issued in one Member State present credentials a relying party in another verifies on the same basis.

Trust-list resolution and revocation checks

Each Member State publishes a qualified trust services list. (2)(3) Operators verify the issuer against the national list and check revocation before treating it as live. The List of Trusted Lists, aggregated by the European Commission, links every Member State list into one tree, letting the relying party validate the QTSP signing certificate at presentation time. The eIDAS 2.0 trust services category also covers electronic archiving alongside qualified electronic signatures and qualified electronic seals. Qualified certificates issued by each QTSP underpin the wallet's secure access pattern, and trust-list management covers online identification flows.

Integrating the verification result into the existing KYC stack

The KYC stack expects a document image and an OCR pipeline. The wallet hands it a structured set of identity data attributes and a verification result. Most production stacks expose an attribute-level interface — OCR fields fed into screening engines — and the wallet flow plugs in upstream, replacing the OCR step. The digital identification primitive shifts; the AML logic stays. Online identification becomes wire-format integration, and online services route the wallet payload through the same engines, enabling users to authenticate without resubmitting documents. (8)(5)

Where Verifyo fits — verifier-private attestations alongside the wallet rollout

The shift the regime codifies at the trust-services layer rhymes with the architecture we built into Verifyo. The proof-not-document primitive is not new — the wallet operationalises it at the citizen-credential layer for Europeans; we operationalise it at the identity-evidence layer for crypto and financial services.

The architectural rhyme: present a proof, not a document

The wallet's trust services chain operationalises the same primitive Verifyo's reusable Zero-Knowledge KYC attestations operationalise on the identity-verification side: the relying party receives a verifiable attestation, not a copy of the underlying document. Traditional KYC vendors transfer the document image to every client platform — Sumsub, Onfido, Jumio, Veriff, Persona, Socure, Trulioo all share that pattern. Verifyo's attestation shares a verifier-private proof; Europeans share neither documents nor identifiers beyond the predicate. The difference between traditional KYC vs Zero-Knowledge KYC architectures maps onto document-screening versus wallet evaluation, and users of platforms integrating Verifyo receive the equivalent private proof.

Where Verifyo's coverage maps onto the wallet's attestation universe — and where it does not

A scope-honest framing matters. The wallet's (Q)EAA channel can carry residence-address, qualification, employment, payment-account, and other attestation payloads — Verifyo does not issue those today. With regard to scope, Verifyo offers a Level 1 attestation covering identity-document verification, age (over-18 and over-21 booleans from the verified document), wallet ownership binding, and AML screening (sanctions, PEP, criminal, barred, military, adverse-media). Europeans on integrating platforms receive only the identity-evidence subset from Verifyo.

Where Verifyo's coverage maps onto the wallet's universe — the identity-evidence subset — the primitive is the same: present a verifier-private proof, never transfer the underlying document. Verifyo's reusable Zero-Knowledge KYC attestations are complementary, not a replacement. For categories Verifyo does not cover, organisations receive those from the wallet's trust-services chain via the QTSP. EU citizens use the wallet at the citizen-credential layer; users of platforms integrating Verifyo receive a verifier-private flow for the identity-evidence subset, and citizens and businesses benefit from both.

Implementation status across Member States as of W21

Implementation varies across the 27 EU Member States. Many operate digital identity infrastructures already, and the Large Scale Pilots stress-test wallet flows before the deadline. The Commission's toolbox of common standards and specifications sets the floor for cross border interoperability — approximately 449 million European citizens, businesses, and members of the public form the user base. With regard to readiness, leading Member States are years ahead; Europeans there already use a national digital identity app.

Large Scale Pilots and the four consortia

Four consortia — POTENTIAL, NOBID, DC4EU, EWC — cover over 550 companies and public authorities across 26 EU Member States plus Norway, Iceland, and Ukraine. Members of the LSP consortia test wallet flows across sectors — financial services, gambling, government services, healthcare, travel — developing common guidelines and reference standards wallet providers code against. (5)

Leading Member-State implementations

The strongest predictor of Member-State readiness is a live national digital identity app that can be upgraded rather than invented. France (France Identité), Italy (CIE and SPID, 41 million registered users), Poland (mObywatel, 10 million users), and Denmark (AltID, staged rollout under the Danish Agency for Digital Government) operate wallet-capable systems today. (13)(11) Years of pre-2024 national-eID work compound into a reliable wallet Europeans already use; citizens of those Member States will be the first to present wallet attestations.

What operators should expect first

Operators with EU-wide customer bases should expect wallet attestations from leading Member States first. The 36-month private sector window extends to 6 December 2027. (12)(1) An EU citizen resident in another Member State opening a bank account at a leading-Member-State bank in early 2027 may present a wallet attestation; the same onboarding at a late-implementer in mid-2027 may not. Cross border digital services the wallet enables — private services across the EU regulated under Article 5a(2) — roll out unevenly, and Europeans without coverage route to the existing flow.

What to do between now and December 2026

The wallet integration is three lanes of work in parallel; the compliance team finishing the build by end-2026 is making the architectural decisions today, and members of the compliance team should agree audit-trail procedures before the first leading-Member-State wallet hits production. Europeans across regulated platforms will use the wallet from December 2026 on, and the secure design carries through to citizens of every Member State.

The integration checklist

• Technical lane — support SD-JWT VC and ISO/IEC 18013-5. Build trust-list resolution against the Member States' qualified trust services lists and the EU List of Trusted Lists. Test against the EUDI Wallet Reference Implementation before any leading-Member-State wallet hits general availability.
• Legal-evaluation lane — map which (Q)EAA payloads the institution will accept for which customer due diligence contexts. Decide the adequacy regime once — by attestation type, by Member State, by customer category — and document the judgement.
• Audit-trail lane — design the evidence-record schema capturing the wallet verification result alongside the existing document-OCR record: issuer identity, chain validation status, attributes disclosed, verification result, wallet binding, and timestamp.

Closing verdict

The wallet is not faster document collection. It is a different category of evidence — and the compliance team that recognises it as such by December 2026 will integrate cleanly. Teams treating the wallet as a faster scanner will find it hands them no document, just a cryptographic attestation their existing stack does not know how to validate. The shift codified at the EU trust-services layer rhymes with the shift Verifyo built into the identity-evidence side: present a verifiable proof, not a document copy. The wallet Europeans use across the Internal Market shares the proof, not the document — citizens and regulated organisations both benefit.

Sources

(1) Council of the European Union and European Parliament. Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework. 30 April 2024. https://eur-lex.europa.eu/eli/reg/2024/1183/oj/eng

(2) Council of the European Union and European Parliament. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation). 28 August 2014. https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng

(3) European Commission, Digital Identity Wallet GitHub Project. EUDI Wallet Architecture and Reference Framework (ARF) — v2.9.0. Released 21 May 2026. https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework

(4) European Commission, Digital Building Blocks portal. EU Digital Identity Wallet Home. Live as of 2026-05-26. https://ec.europa.eu/digital-building-blocks/sites/spaces/EUDIGITALIDENTITYWALLET/pages/694487738/EU+Digital+Identity+Wallet+Home

(5) European Commission, Digital Strategy. EU Digital Identity Wallet Pilot Implementation. Live as of 2026-05-26. https://digital-strategy.ec.europa.eu/en/policies/eudi-wallet-implementation

(6) European Commission, Digital Strategy. Implementing Regulation for European Digital Identity Wallets. Adopted 28 November 2024; entry into force 24 December 2024. https://digital-strategy.ec.europa.eu/en/library/implementing-regulation-european-digital-identity-wallets

(7) European Telecommunications Standards Institute (ETSI). ETSI TR 119 476-1 V1.3.1 — Electronic Signatures and Infrastructures (ESI); Analysis of selective disclosure and zero-knowledge proofs applied to Electronic Attestation of Attributes. August 2025. https://www.etsi.org/deliver/etsi_tr/119400_119499/11947601/01.03.01_60/tr_11947601v010301p.pdf

(8) Financial Action Task Force (FATF). Guidance on Digital Identity. March 2020. https://www.fatf-gafi.org/en/publications/Financialinclusionandnpoissues/Digital-identity-guidance.html

(9) World Wide Web Consortium (W3C). Verifiable Credentials Data Model v2.0. W3C Recommendation, 15 May 2025. https://www.w3.org/TR/vc-data-model-2.0/

(10) Bundesdruckerei Gruppe GmbH. QEAA Put Simply: Importance of Qualified Electronic Attestation of Attributes for the EUid Wallet. 28 November 2023. https://www.bundesdruckerei.de/en/innovation-hub/qeaa-put-simply

(11) Danish Agency for Digital Government (Digitaliseringsstyrelsen). eIDAS2 and the Digital Identity Wallet. Live as of 2026-05-26. https://en.digst.dk/systems/eid-and-single-digital-gateway/eidas2-and-the-digital-identity-wallet

(12) Baker McKenzie. European Union: EUDI Wallet Harmonizes Identification and Age-Gating. 27 March 2026. https://www.bakermckenzie.com/en/insight/publications/2026/03/european-union-eudi-wallet-harmonizes-identification-and-age-gating

(13) Namirial. EUDI Wallet: how prepared are the various EU countries? 9 April 2026. https://www.namirial.com/en/blog/stories/status-check-eudi-wallet/

(14) InfoCert S.p.A. (Tinexta Group). eIDAS — what is it and what changes with eIDAS 2.0. Live as of 2026-05-26. https://infocert.digital/blog/eidas