--- title: "eIDAS 2.0 and AI in EU Trust Services and Digital Identity (2026) | Impetora" description: "How Regulation (EU) 2024/1183 (eIDAS 2.0) governs AI used in qualified trust services and the EU Digital Identity Wallet, identity proofing, KYC overlap." url: https://impetora.com/answers/eidas-ai-trust-services-eu locale: en datePublished: 2026-04-28 dateModified: 2026-04-28 author: Impetora --- # eIDAS 2.0 and AI in EU trust services and digital identity > Regulation (EU) 2024/1183, which amends the original eIDAS Regulation 910/2014, was adopted on 11 April 2024 and is the legal basis for the European Digital Identity Wallet (EUDIW) plus a modernised qualified trust services regime. AI systems are increasingly deployed inside identity proofing, signature creation, document validation and KYC flows that interface with eIDAS-regulated services, and the regulation imposes specific obligations on the integrity and oversight of those automated components [1]. *Updated 2026-04-28. By Impetora.* ## What does eIDAS 2.0 cover and where does AI fit in? The original eIDAS Regulation (EU) 910/2014 created the EU framework for electronic identification and trust services: electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services, website authentication certificates and the legal recognition of electronic identification means notified by member states. Regulation (EU) 2024/1183 amends that framework to introduce the European Digital Identity Wallet, expand the catalogue of qualified trust services to include qualified electronic attestations of attributes (QEAAs), qualified electronic ledgers and qualified electronic archiving, and impose stricter security and interoperability requirements [1]. AI-driven components routinely sit inside the workflows that depend on eIDAS. Identity proofing in qualified trust service provider (QTSP) onboarding now typically uses AI for document authenticity checks, biometric liveness detection and selfie-to-document matching. KYC flows in financial services use AI for the same reason, often interfacing with eIDAS-notified electronic identification means or the EUDIW once it rolls out. Signature creation and validation services use AI for document understanding and compliance checks. Each of these touch points sits inside the eIDAS regulatory perimeter when the output is a qualified service or feeds an eIDAS-notified flow. The Implementing and Delegated Acts under eIDAS 2.0 - including the Implementing Regulations on the EUDIW architecture and the trust framework, adopted in 2024 and 2025 - flesh out the technical baseline, including identity-proofing levels and the cryptographic and operational requirements for QTSPs. ## What do QTSPs have to do when they use AI in identity proofing? Article 24 of eIDAS (as amended) sets out the requirements for qualified trust service providers when issuing qualified certificates. Identity verification of natural and legal persons must be carried out using one of: physical presence, electronic identification means at substantial or high level of assurance, qualified electronic signature/seal certificate previously issued, or "other identification methods which ensure the identification of the natural person with a level of assurance equivalent to physical presence" subject to confirmation by a conformity assessment body. That last route is where AI-driven remote identity verification (RIV) lives. The 2024 Implementing Regulation on remote identity proofing for trust services, drafted by ENISA and adopted by the Commission, sets the minimum security and reliability requirements: liveness detection, authenticity checks on the identity document, secure capture of biometric data, fraud-detection signals, and human review thresholds. AI components are explicitly permitted, but the QTSP must demonstrate to the supervisory body and the conformity assessment body that the AI component meets the equivalent-to-physical-presence threshold and that the overall process is auditable [2]. The supervisory body in each member state retains the power to inspect, audit and ultimately withdraw qualified status. ENISA publishes guidance on remote identity proofing and on the security framework for qualified trust services, including specific guidance on AI-based fraud-detection components. ## How does the EU Digital Identity Wallet affect AI workflows? The EUDIW is the flagship deliverable of eIDAS 2.0. Member states must offer at least one wallet to natural and legal persons by the end of 2026 (with the precise national rollout dates varying), and private-sector relying parties in defined sectors - banking, telecom, transport, energy, healthcare and large platforms - must accept the wallet for authentication where they currently require strong customer authentication. The wallet allows holders to store and selectively disclose identity attributes, qualified electronic attestations, mobile driving licences, payment credentials and education credentials. For AI workflows, the wallet changes two things. First, the authoritative identity payload is now presented through a standardised, cryptographically signed credential rather than being inferred from a photographed document. Identity proofing AI in many flows can be replaced or substantially augmented by a wallet presentation. Second, AI systems that consume wallet credentials must respect the selective-disclosure model and the data-minimisation principles in Article 5a of eIDAS 2.0 - asking for only the attributes that are necessary for the service. The Architecture Reference Framework (ARF), maintained by the eIDAS Expert Group and the Commission, is the operative technical specification. ARF version 1.5 (2025) is the current baseline for wallet implementations and integrating systems [3]. ## What is the EU Trusted List and how does AI fit into the supervision model? Each member state maintains a national trusted list of qualified trust service providers and the qualified trust services they offer. The Commission publishes the consolidated EU/EEA list. Inclusion on the trusted list is the legal effect of qualified status, and removal is the operative supervisory sanction available to national supervisory bodies. A QTSP that uses an AI-driven identity-proofing component and fails to meet the equivalent-to-physical-presence threshold can be removed from the list, which extinguishes the legal effect of all certificates it issues going forward. Conformity assessment bodies (CABs) audit QTSPs against ETSI standards (EN 319 401, EN 319 411-1/2 and the related technical specifications) every two years. The CABs are increasingly trained to audit AI components specifically: model performance metrics, false-acceptance and false-rejection rates, bias and demographic robustness, drift monitoring and human-review thresholds. The 2024 ENISA guidance on remote identity proofing is the operative cross-reference for what auditors expect to see. ## How does eIDAS 2.0 interact with the EU AI Act and GDPR? AI used for biometric identification at distance is high-risk under the EU AI Act (Regulation 2024/1689) Annex III, point 1, and remote-biometric-identification AI in identity-proofing flows is therefore subject to the full Article 9 risk management, Article 10 data governance, Article 14 human oversight and Article 15 accuracy/robustness/cybersecurity obligations on top of eIDAS. GDPR adds the lawful-basis question (special category data under Article 9 GDPR for biometric data when used for unique identification), retention limits and data-subject rights. For a QTSP that uses AI-driven identity proofing, the practical compliance stack is: eIDAS sets the trust-service-specific security and reliability requirements, the AI Act sets the AI system's lifecycle obligations as a high-risk system, GDPR governs the personal data dimension, and DORA (where the QTSP is in scope as a digital infrastructure entity under NIS2 or as a financial entity) governs the operational resilience layer. Mature QTSPs run a single integrated programme rather than four parallel ones. ## How does Impetora support eIDAS 2.0 AI engagements? Impetora's TRACE methodology was built around AI systems that have to survive supervisory and conformity-assessment review, and eIDAS QTSPs face exactly that shape of audit. Trust covers the policy, residency and audit-trail layer, including the identity-proofing process documentation that supervisory bodies and CABs review. Readiness covers the data and workflow audit on which the technical documentation, biometric data-protection assessment and ETSI conformance evidence depend. Architecture covers production-grade design with logging, monitoring and human-oversight integration that meets the equivalent-to-physical-presence threshold. Citations and Evidence covers the audit-trail layer that survives CAB review and AI Act post-market monitoring. The practical path for a QTSP or wallet-relying-party AI engagement: scope the system against the specific eIDAS service or wallet flow, document the identity-proofing process and human-review thresholds, integrate the ETSI conformance and AI Act technical documentation as one evidence base, and prepare for both the biennial CAB audit and the AI Act post-market monitoring rhythm. ## Frequently asked questions ### What is the legal status of eIDAS 2.0? Regulation (EU) 2024/1183 was adopted on 11 April 2024 and entered into force 20 days after publication in the Official Journal. It amends the original eIDAS Regulation 910/2014 rather than replacing it, so the consolidated text governs trust services and electronic identification across the EU. Implementing and Delegated Acts on the wallet architecture and trust framework have been adopted in waves through 2024 and 2025. ### Can AI-driven remote identity verification meet the eIDAS qualified-trust-service threshold? Yes, where the AI component is part of an overall process that the QTSP can demonstrate is equivalent to physical presence under Article 24, and where the process meets the security and reliability requirements set in the 2024 Implementing Regulation on remote identity proofing. The QTSP must satisfy the supervisory body and the conformity assessment body that liveness, document authenticity, biometric matching and fraud-detection components meet the threshold and that the overall process is auditable. ### Is biometric identity proofing AI a high-risk AI system under the EU AI Act? Yes. Annex III, point 1 of Regulation (EU) 2024/1689 classifies AI systems intended to be used for remote biometric identification of natural persons as high-risk. Identity-proofing AI in QTSP onboarding therefore inherits the full Article 9-15 obligations on risk management, data governance, technical documentation, transparency, human oversight and accuracy/robustness/cybersecurity in addition to the eIDAS-specific reliability requirements. ### When do member states have to roll out the EU Digital Identity Wallet? Member states must offer at least one wallet to natural and legal persons by 2026, with the precise national rollout dates set by national implementation plans. Several member states are running large-scale pilots through 2024-2025 under the EU Digital Identity Architecture and Reference Framework, and the first production rollouts are expected during 2026. Acceptance by private-sector relying parties in defined sectors becomes mandatory in stages following national rollout. ### Does eIDAS 2.0 apply to non-EU AI vendors? Through the contractual chain. A non-EU AI vendor providing remote identity verification services to an EU QTSP becomes part of the QTSP's regulated supply chain, and the vendor must support the security, audit and incident-cooperation obligations that eIDAS imposes on the QTSP. The supervisory body's power runs against the QTSP, but the QTSP's contract with the vendor must give the QTSP the rights it needs to comply. ### Where can I find the official eIDAS 2.0 text and ENISA guidance? The amending regulation is published as Regulation (EU) 2024/1183 on EUR-Lex; the consolidated eIDAS text incorporates 910/2014 and 2024/1183. The European Commission's Digital Strategy site maintains the policy landing page and the ARF for the wallet. ENISA publishes the technical guidance on remote identity proofing, qualified trust service security requirements and the threat landscape for trust services. ## Sources cited 1. Regulation (EU) 2024/1183 amending Regulation 910/2014 (eIDAS 2.0). European Union, Official Journal, 2024-04-11. https://eur-lex.europa.eu/eli/reg/2024/1183/oj 2. Guidance on remote identity proofing for trust services. ENISA - European Union Agency for Cybersecurity, 2024. https://www.enisa.europa.eu/topics/trust-services 3. EU Digital Identity Architecture and Reference Framework (ARF). European Commission - DG CONNECT, 2025. https://digital-strategy.ec.europa.eu/en/policies/eudi-wallet 4. Regulation (EU) 910/2014 (original eIDAS). European Union, Official Journal, 2014-07-23. https://eur-lex.europa.eu/eli/reg/910/2014/oj 5. Regulation (EU) 2024/1689 (Artificial Intelligence Act). European Union, Official Journal, 2024-07-12. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689 6. ETSI EN 319 401 - General policy requirements for trust service providers. ETSI, 2023. https://www.etsi.org/standards