eIDAS 2.0: The digital identity revolution reshaping financial services

This podcast episode is based on the Deloitte Luxembourg article below and includes content generated, assisted, or edited using artificial intelligence technology. It has been reviewed by a human prior to publication. The voices featured are synthetic. This podcast is provided for general information purposes only and does not constitute any kind of professional advice rendered by Deloitte Luxembourg. Deloitte Luxembourg accepts no liability for any loss or damage whatsoever sustained by any person who uses or relies on the content of this podcast. 

Introduction  

Imagine opening a bank account from your sofa. No paperwork, no branch visits, no waiting. You tap your phone, share your verified digital identity, and you're set up within minutes. This isn't science fiction, it's the practical reality eIDAS 2.0 is designed to enable by December 2027.

Europe's digital identity landscape is undergoing its most consequential shift since the early internet era began. Regulation (EU) 2024/1183, commonly known as eIDAS 2.0, expands trusted digital identification beyond public services and into the core of private-sector activity, especially financial services. For Luxembourg— home to over 120 banks, 3,500 investment funds, and a thriving fintech ecosystem—this marks both a compliance imperative and a strategic inflection point.

The timeline is tight and non-negotiable. Member States must roll out certified digital identity wallets by November 2026. Just thirteen months later, large companies in regulated sectors will be required to accept the EUDI Wallet for authentication. Simultaneously, the Anti-Money Laundering Regulation (AMLR) will enter full application in July 2027, reinforcing and complementing the new identity framework. According to the European Commission's Architecture and Reference Framework, the longer-term objective is even more ambitious: 80% wallet adoption among EU citizens by 2030.

For Luxembourg’s financial institutions, the real question is no longer whether this transformation will happen, but whether they will help shape it, or be forced to catch up.

Source: Deloitte, own analysis and elaboration.

Click here to enlarge

Source: Deloitte, own analysis and elaboration.

Click here to enlarge

eIDAS 2.0 and the EUDI Wallet: Beyond compliance

The original eIDAS Regulation, introduced in 2014, marked an important step forward for digital identity in Europe but fell short of critical mass. Only 14% of key public services across Member States enabled cross-border authentication with electronic IDs, and private-sector adoption remained limited. The root causes were structural: fragmented national implementations, no mandatory acceptance requirements, and the absence of harmonized technical standards.

eIDAS 2.0 directly addresses these shortcomings. Every Member State must now issue a European Digital Identity Wallets to any citizen or resident who requests one, ensuring universal availability. Large relying parties in regulated sectors face mandatory acceptance by December 2027. Crucially, detailed technical specifications defined in the EUDI Wallet Architecture and Reference Framework establishe a common foundation for true interoperability across all 27 Member States.

At its core, the wallet is designed to be simple to use. It functions as a secure digital container on a user’s mobile device that stores verified credentials. These credentials fall into three main categories:

• Person identification data (PID): Core identity attributes issued by Member States at the highest assurance level— functionally equivalent to presenting a government-issued passport.
• Qualified electronic attestations of attributes (QEAA): Certified credentials issued by qualified trust service providers, covering items such as educational qualifications, professional licenses and financial status.
• Qualified Electronic Signatures (QES): Legally binding digital signatures with the same legal effect as handwritten signatures.

The most significant innovation is selective disclosure. Instead of sharing full identity records, users can reveal only what is strictly necessary for a given transaction. For example, a bank verifying eligibility for an age-restricted investment product receives confirmation that the client is over 18, without access to the exact birth date or unrelated personal data. If address verification is required, only that attribute is shared. This privacy-by-design model, aligned with GDPR principles, fundamentally reshapes how personal data moves through financial services.

The wallet’s capabilities extend beyond online interactions. It can also operate offline via NFC and Bluetooth, supporting use cases such as airport controls, in-person onboarding, and retail age verification without continuous connectivity. For financial institutions running multi-channel models, this enables consistent identity verification across web platforms, mobile apps, and physical locations.

Luxembourg's role as a highly international financial center creates a distinct advantages. Deep experience with cross-border regulation, combined with strong digital infrastructure, positions the Grand Duchy to help define implementation best practices and influence emerging European standards, not just comply with them.

Convergence of eIDAS 2.0 and AMLR: The end of KYC fragmentation

Today’s cross-border financial landscape is defined by inconsistency, and it frustrates institutions and customers alike. Anti-Money Laundering Directives may be European in origin, but in practice they have been implemented twenty-seven different ways across twenty-seven Member States. Some jurisdictions allow video-based remote identification; while others still require in-person verification.

Some recognize certain identity documents; others do not. This regulatory patchwork increases compliance costs, and complicates operational design, and adds avoidable friction to  customer journeys. For Luxembourg-based institutions, the burden is particularly acute considering the pan-European client base and the sheer volume of counterparties to be handled for some specific financial products.

Industry analysis consistently shows how costly and cumbersome this fragmentation has become. Cross-border identity verification can take weeks, and often forces customers (and financial instritutions back-offices) through multiple, duplicative checks. The operational drag is significant, and so is the drop-off in customer experience.

In July 2027, the new Anti-Money Laundering Regulation will apply directly across all Member States, eliminating national variations and interpretive layers. This marks a structural shift from directive-based guidance to uniformly binding rules.

Under the new framework, only three digital identity verification methods will be permitted: national digital IDs notified under eIDAS, the European Digital Identity (EUDI) Wallet, and qualified trust services provided by trust service providers certified in accordance with eIDAS requirements.

Country-specific or locally approved identification schemes that are not notified or otherwise aligned with the eIDAS framework will no longer be valid after July 2027. In practical terms, identity verification shifts from a patchwork of national approaches toward a harmonized set of EU-recognized methods.

The operational benefits are transformative 

Customer onboarding that once required appointments, document collection, and days of manual verification can be reduced to a matter of minutes. Clients share verified identity attestations directly from their EUDI Wallet, eliminating repetitive checks and paperwork.  Tink's analysis of payments and financial services impact indicates that onboarding times in payments and financial services could fall by as much as 90%.

Cross-border operations stand to gain even more. A client verified in Germany can reuse the same trusted credentials to open a banking relationship in Luxembourg without undergoing redundant verification steps. The EUDI Wallet effectively becomes a portable, privacy-preserving repository of verified attributes, reusable across borders and institutions while maintaining strong security controls.

Qualified electronic signatures and qualified electronic attestations of attributes add a futher layer of legal certainty. They carry the same evidentiary weight as handwritten signatures and notarized documents, allowing financial institutions to rely on them without repeating underlying verification work. According to Research by Namirial, automating and standardizing KYC through these mechanisms can reduce related operational costs by 40–60%.

Oversight and implementation guidance will also become more centralized. The new Anti-Money Laundering Authority (AMLA), based in Frankfurt, will directly supervise selected high-risk financial institutions and issue Regulatory Technical Standards throughout 2026–2027, giving the market detailed, practical direction on how to operationalize the converged identity and AML framework.

Source: Deloitte, own analysis and elaboration.

Click here to enlarge

User experience and security challenges: The trust imperative

User control sits at the center of the model. Instead of oversharing personal information, individuals approve the release of specific, verified attributes. To qualify for a senior banking product, for example, the wallet can confirm the customer is over 65 without disclosing a birth date. For a mortgage application, it can provide certified income proof without exposing a full financial history. This selective disclosure approach strengthens trust while preserving privacy.

Consistency across channels is just as important as speed. Whether customers engage through a web portal, a mobile app, or in person using NFC-enabled verification, the identity experience remains the same. That uniformity reduces confusion, builds familiarity, and increases user confidence, all critical factors for large-scale adoption.

Real-world use cases already point to the scale of the opportunity. Banks can use wallet-based authentication to satisfy strong security and identity requirements with far less procedural complexity. Insurance providers can issue policies almost instantly using verified health or driving credentials. Lenders can accelerate credit decisions by relying on certified financial data and proof of employment delivered directly by the customer.

Important security questions remain 

The regulation includes a controversial element—Article 45.2—that has triggered sustained debate within the cybersecurity community. The provision would require web browsers to automatically trust certain digital certificates issued by government-approved providers. Browser makers like Mozilla, argue that this constraint could reduce their ability to respond quickly to emerging threats. If a certificate were issued in error or later compromised, browsers could be limited in their capacity to revoke trust unilaterally, potentially weakening user protection.

Privacy advocates have raised parallel concerns. Without strong technical and governance safeguards, a large-scale digital identity framework could enable cross-service tracking or correlation of user activity. Digital rights organizations initially warned of systemic surveillance risks, though later negotiation rounds introduced tighter privacy controls and clearer limits on data use and linkability.

Operational complexity presents another challenge. The framework depends on coordination among hundreds of trust service providers across 27 Member States, all expected to meet consistent assurance and security levels. Financial institutions will need to manage this moving landscape while also aligning with broader cybersecurity obligations such as NIS2 and DORA, adding another layer of governance, vendor oversight, and technical integration to their compliance programs.

Strong safeguards are built into the framework to balance innovation with user protection. The model is designed to align fully with GDPR principles, giving individuals clear control over their personal data, including rights to access, correct, and delete information where applicable. User consent and data minimization are not side features; they are structural requirements.

The debate reflects appropriate scrutiny of a system that will handle sensitive identity data for hundreds of millions of Europeans. Such examination is not a weakness but a necessary part of building a resilient and trustworthy framework.

Source: Deloitte, own analysis and elaboration. 

Click here to enlarge

Looking ahead: When AI agents need identity too 

Digital identity transformation is no longer limited to humans. As AI agents increasingly execute financial transactions autonomously—managing portfolios, initiating payments, and applying for credit—a new requirement emerges: verifying their authority and authenticity.

Know Your Agent is the natural extension of Know Your Customer (KYC) in an AI-driven environment. Financial institutions will need reliable mechanisms to authenticate not only clients, but also the AI agents acting on their behalf. The EUDI Wallet framework offers a practical path forward: government-issued digital identities can be extended to authorize specific AI agents, using the same cryptographic foundations that support trusted human verification.

This is not distant speculation. As AI agents become more capable and more autonomous, digital identity wallets can establish a verifiable chain of trust that distinguishes legitimate agents from malicious actors, strengthening defenses against AI-enabled fraud and synthetic identities.

Luxembourg's institutions investing in digital identity capabilities today are not only preparing for 2027 compliance—they are laying the groundwork for an AI-integrated financial ecosystem in which human and machine interactions operate within a shared frameworks of verified trust.

Conclusion: Act now to capture value 

The convergence of eIDAS 2.0 and the new anti-money laundering framework marks the most significant shift in digital identity and financial compliance in decades.

For Luxembourg's financial sector, success will depend on coordinated action across three distinct time horizons:

• Short term (2024–2026): Build the foundations.
  Assess current identity verification processes against upcoming requirements. Identify technology and organizational gaps. Participate in pilot programs and industry working groups to help shape emerging standards. Establish early partnerships with trust service providers before market demand tightens capacity.
• Medium term (2026–2027): Drive integration.
  Enable wallet acceptance across all customer channels—web, mobile, and branch environments. Train operational and compliance teams on updated procedures. Redesign onboarding journeys around instant verification to reduce friction and abandonment. Put robust controls in place for accepting digital signatures and electronic attestations.
• Long term (2027–2030): Capture value.
  Leverage cross-border identity portability to accelerate European expansion and convert compliance capability into competitive advantage. Launch new services built on verified digital identity. Position Luxembourg as a leading center for digital finance innovation. Explore new business models enabled by trusted digital credentials.

Market projections place the digital identity sector at $30 billion by 2030, with early movers best positioned to shape standards and capture disproportionate value. The strategic question is straightforward: will digital identity be treated primarily as a compliance obligation, or as a growth engine?

Luxembourg holds structural advantages: concentrated expertise, advanced infrastructure, and deep experience with cross-border regulation, all strong foundations for leadership in digital identity–enabled financial services.

Institutions that act decisively now—by building capabilities, redesigning processes, and rethinking customer experience—will help define the future of digital finance in Europe. The countdown to December 2027 is underway. The question is not whether to adapt, but how boldly to transform. Luxembourg’s financial sector can lead the next era of trusted digital finance, or follow it.