Across the European Union, eIDAS (electronic Identification, Authentication and Trust Services) is one of the key regulations that defines how citizens, businesses, and authorities have to interact with each other in the digital environment. Adopted in 2016, eIDAS sets standards for electronic identification and so-called trust services – for instance, electronic signatures and time stamps, which confirm the date and time of a digital action. These standards apply in all EU member states and create legal certainty for digital interactions throughout the Union.
The updated version (eIDAS 2.0) brought several crucial features to the original eIDAS framework. First of all, it introduced the European Digital Identity Wallet that each EU member state must make available to its citizens by the end of 2026. The wallet is meant to simplify digital interactions across borders even further as it allows people to identify themselves, store, and share verified data, as well as access both public and private services. At the same time, as digital identity becomes easier to use at scale, the question of how personal data is processed becomes even more important.
Taken together, eIDAS and eIDAS 2.0 play a major role in creating a unified identity verification ecosystem across Europe. However, as digital onboarding becomes more standardized, businesses need to think not only about compliance, but also about how their verification systems are built. What really matters is whether sensitive user data can be processed without ever leaving the secure perimeter within on-premise or on-device architecture. For businesses, this means that aligning KYC workflows with the new framework is only part of the task. Equally important is choosing technologies that support compliance without storing and transmitting sensitive data anywhere.
The original article was published by Unite.AI, a global AI news and research platform.
Key eIDAS and eIDAS 2.0 Concepts
Before looking in more detail at what eIDAS regulates and which standards it sets, it is worth clarifying a few key concepts:
Trust Services. These are electronic services that make digital interactions legally and technically reliable. Under eIDAS, they include services such as electronic signatures, electronic seals, time stamps, website authentication certificates, and more. Providers of these services are called Trust Service Providers (TSP), and if they are in the EU Trusted Lists they are considered qualified (QTSP).
Personal Identification Data (PID). It is a basic set of personal data that is sufficient to identify the user. This set includes full name, date of birth, passport number, etc.
Attribute. An attribute is a specific fact about a person. It can be something like age, address, a university degree, or driving privileges and restrictions. One of the main ideas behind eIDAS is that digital services do not always need to request raw identity document copies – in many cases, they only need one verified attribute, such as proof that a user is over 18.
Electronic Attestation of Attributes (EAA). An electronic form of the document that proves one or more attributes. EAAs can be both qualified and non-qualified – whether they were issued by Qualified Trust Service Providers or not. A non-qualified EAA can be, for example, your electronic fitness club card (unless, of course, your fitness club is in the EU Trusted Lists). Qualified EAAs have the same legal effect as lawfully issued paper attestations and can be stored in and shared through EU Digital Identity Wallets.
EU Digital Identity Wallet (EUDI Wallet). In most cases, it is a mobile app where users can store and manage their PID as well as electronic attestations of attributes. Activation of this wallet is completely optional for the users, however, each EU member state is required to provide at least one official EUDI Wallet for its citizens and residents by the end of 2026. This wallet, in fact, is something similar to government super apps used by numerous Asian countries as it lets people identify themselves online and keep their ID documents, diplomas, and medical records all together in electronic form. When using the EUDI Wallet for registration, the services get only the attributes they require – not raw document copies.
Provider of Person Identification Data. This is the official term for the party (frequently mentioned as the “issuer”) responsible for issuing, verifying, and revoking PID. Providers cryptographically bind this data to people’s wallet units – in other words, they fill the wallets with the core identity data. In practice, these providers are typically public authorities. Other verified credentials stored in the wallet may come from a much wider range of organizations, including universities and healthcare providers.
Relying Party. It is the organization that relies on electronic identification, the wallet, or a trust service during KYC, client onboarding, and other workflows. In simple terms, this is the service provider that asks the user for identity data or attributes before granting access to its products.
Levels of Assurance (LoA). eIDAS uses three assurance levels for electronic identification: low, substantial, and high. The higher the level, the higher the confidence that the person is really who they claim to be. The level is determined through compliance with various standards covering areas such as enrollment, identity proofing and verification, authentication, and management of the identification means.
What eIDAS and eIDAS 2.0 Each Bring to Identity Verification
The first version of eIDAS made digital identity and trust services usable on a European scale. Its rules standardized how electronic identification means must be issued and used, which made onboarding in digital services seamless for customers regardless of which EU country they come from. eIDAS also created a common legal framework for trust services such as electronic signatures, electronic seals, time stamps, electronic registered delivery services, and website authentication certificates.
Most importantly, eIDAS defines three Levels of Assurance (LoA) – each containing a set of standards for electronic identification. These standards are exactly what KYC providers and identity verification vendors need to align with if they want to present themselves as eIDAS-compliant.
“Low” level offers a basic degree of certainty about a claimed identity, “substantial” calls for more rigorous checks with fewer chances of misuse, and “high” is intended to deliver maximum assurance, backed by the strongest protections against identity fraud. Companies choose the level they need based on their risk exposure, the sensitivity of the data they handle, and any other regulatory obligations that apply to their services.
The second version of eIDAS expanded the framework in two major ways: it introduced the EU Digital Identity Wallet and added several new trust services, one of the most important being Electronic Attestation of Attributes. Simply put, EAAs are what make the wallet model work, because they allow trusted, verified attributes to be issued and stored in the wallet for later use.
Wallet units are meant to be legally accepted throughout the Union, which gives users a way to rely on the same digital identity tools in different member states. As the wallet is built around selective data sharing, the user can share only the attribute a service actually needs. For instance, if a social media platform only needs proof that a user is over 18, the wallet can provide that age-related attribute without disclosing the user’s ID image or other personal data.
Both eIDAS generations helped to solve the same fundamental problem: the lack of a common trusted framework for digital interactions between EU member states. Before eIDAS, national rules for electronic identification and trust services differed, and the technologies used in different countries were often not interoperable. That made cross-border digital transactions harder, less predictable, and in many cases not worth the legal or technical risk.
The Main Strength and Weakness of eIDAS Identity Verification Standards
One of the main strengths of eIDAS identity verification standards is that they create a common framework for the entire European Union. Instead of forcing companies to navigate completely different identity rules in every market, eIDAS sets shared principles for electronic identification and various trust services. In practical terms, this means that an identity verification approach designed to align with eIDAS can serve as a strong foundation for operating in different EU member states, rather than being rebuilt from scratch for each country. That legal and technical consistency is one of the biggest advantages the regulation brings to the European digital economy.
The main weakness of eIDAS identity verification standards, in our opinion, is that they do not actively support the development of on-premise / on-device verification technologies – the ones that truly protect citizens’ personal data from breaches and ensure frictionless identity verification workflows. Frameworks that regulate storage and transmission may reduce risk, but they do not remove the risk surface itself. Every time identity data is collected or transferred, it creates a new opportunity for leakage, and regulatory compliance alone cannot fully remove that vulnerability.
It may seem that eIDAS is building a unified and secure identity verification ecosystem across Europe. In many ways, it is certainly creating a more consistent and convenient one. But does this really mean security? At OCR Studio, we believe that true protection can only be delivered by technologies that do not require personal data to be stored or transmitted in the first place. In identity verification, the safest architecture is not the one that manages sensitive data more carefully, but the one that removes the need to handle it at all.
How to Build a Secure and Compliant Identity Verification
Since each eIDAS assurance level is largely built around the principle of minimizing the storage and transfer of personal data, on-premise / on-device technologies are the most effective way to build an identity verification system that is both compliant and genuinely secure. From a technological point of view, such systems outperform architectures that rely on cloud infrastructure or external servers, as they are not vulnerable to third-party outages and can operate even without a stable internet connection.
Below, we look at the key eIDAS identity verification standards and show why modern on-device technologies align with them in full:
“Electronic communication channels used to exchange personal or sensitive information are protected against eavesdropping, manipulation and replay”
In some on-device systems, lightweight neural networks make it possible to perform ID scanning directly on the user’s smartphone, tablet, or desktop in real time. This removes the need to “exchange” that data with external servers. Personal information never enters a communication channel, which greatly reduces the possibility of “eavesdropping, manipulation, and replay” during transmission.
“All media containing personal, cryptographic or other sensitive information are stored, transported and disposed of in a safe and secure manner”
Because on-device systems process data locally, they reduce the need to store or transmit sensitive information beyond the user’s device. This applies both to the data extracted from identity documents and to ID images – at no point are they sent to external servers for processing.
“Collect the relevant identity data required for identity proofing and verification”
Some on-device systems are able not just to extract textual data, but also to determine which document fields contain the relevant information. If the service requires the user’s age, the on-device system will find the “date of birth” field and automatically determine whether the user is old enough. It may seem like a simple task for today’s OCR technologies, but performing age checks without data storage and transmission is far beyond the capabilities of many solutions on the market.
“The person can be assumed to be in possession of evidence recognised by the Member State in which the application for the electronic identity means is being made and representing the claimed identity”
In order to verify that the user is the legitimate document holder, verification systems usually conduct selfie-to-ID checks by comparing the presenter’s selfie with the ID photo. On-device systems perform the same checks with the same accuracy while not transmitting sensitive biometric data anywhere. Some on-device systems are additionally able to detect presentation attacks when fraudsters use screen recaptures and photocopies – this ensures that the user is genuinely present.
“The evidence can be assumed to be genuine, or to exist according to an authoritative source and the evidence appears to be valid”
To meet this requirement, an identity verification system you choose must be able to assess whether the document presented by the user appears genuine and valid. Some on-device solutions do this by combining ID recognition with document forensics technologies. Based on a single document photo, they can detect substituted fields and photos, masked data blocks, composited image fragments, injected foreign elements, as well as deepfakes, AI-generated, and morphed IDs. They can also check validity periods and cross-validate data from the VIZ, MRZ, and NFC to identify inconsistencies that may indicate tampering or fraud.
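The two checks described above (finding the date-of-birth field and deciding “old enough” without exposing the date, and cross-validating MRZ data against the printed VIZ fields) can both be done on the device with no network call. The following is an added example, not OCR Studio’s code: it parses a TD3 passport MRZ, validates every ICAO 9303 check digit (weights 7, 3, 1, modulo 10), compares the result with a VIZ record, checks the validity period, and answers only the “over 18” question. The input is the fictional specimen MRZ from ICAO Doc 9303 (issuing state “UTO”) together with a constructed VIZ record; the field names, the century-expansion rule for YYMMDD dates, and the result layout of `verify()` are this example’s own assumptions.

```python
"""
On-device MRZ parsing, ICAO 9303 check-digit validation, MRZ-vs-VIZ
cross-check and an age-threshold decision.
Added example, not OCR Studio's code. Input: the fictional ICAO Doc 9303
specimen MRZ (issuing state "UTO") and a constructed VIZ record.
"""
from datetime import date

# ICAO Doc 9303 specimen MRZ (TD3: two lines of 44 characters, fictional person).
MRZ_LINE1 = "P<UTOERIKSSON<<ANNA<MARIA".ljust(44, "<")
MRZ_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"

# Constructed VIZ values, as an OCR step might read them from the printed page.
SAMPLE_VIZ = {
    "surname": "Eriksson",
    "given_names": "Anna Maria",
    "document_number": "L898902C3",
    "date_of_birth": "1974-08-12",
    "expiry": "2012-04-15",
}


def _char_value(c: str) -> int:
    """ICAO character values: '<' = 0, digits = face value, A-Z = 10..35."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> int:
    """Weighted sum with weights 7, 3, 1 repeating, modulo 10."""
    weights = (7, 3, 1)
    return sum(_char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def _cd_ok(field: str, cd: str) -> bool:
    return cd.isdigit() and check_digit(field) == int(cd)


def _yymmdd(field: str, reference: date, is_expiry: bool) -> date:
    """Expand a YYMMDD field. Assumption: expiry dates are 20YY; a birth
    year is 19YY when 20YY would lie after the reference date."""
    yy, mm, dd = int(field[:2]), int(field[2:4]), int(field[4:6])
    if is_expiry or 2000 + yy <= reference.year:
        return date(2000 + yy, mm, dd)
    return date(1900 + yy, mm, dd)


def parse_td3(line1: str, line2: str, reference_date: str) -> dict:
    """Split a TD3 MRZ into fields and validate every check digit."""
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be 44 characters each")
    reference = date.fromisoformat(reference_date)
    surname, _, given = line1[5:].partition("<<")
    doc_no, doc_cd = line2[0:9], line2[9]
    dob, dob_cd = line2[13:19], line2[19]
    exp, exp_cd = line2[21:27], line2[27]
    opt, opt_cd = line2[28:42], line2[42]
    # The composite digit covers document number, birth date, expiry and
    # optional data, each together with its own check digit.
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    checks = {
        "document_number": _cd_ok(doc_no, doc_cd),
        "date_of_birth": _cd_ok(dob, dob_cd),
        "expiry": _cd_ok(exp, exp_cd),
        # An empty optional field may carry '<' instead of a check digit.
        "optional": (opt_cd == "<" and not opt.strip("<")) or _cd_ok(opt, opt_cd),
        "composite": _cd_ok(composite, line2[43]),
    }
    return {
        "document_type": line1[0],
        "issuing_state": line1[2:5],
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
        "document_number": doc_no.rstrip("<"),
        "nationality": line2[10:13],
        "date_of_birth": _yymmdd(dob, reference, is_expiry=False),
        "sex": line2[20],
        "expiry": _yymmdd(exp, reference, is_expiry=True),
        "checks": checks,
    }


def verify(line1: str, line2: str, viz: dict, reference_date: str) -> dict:
    """Cross-validate MRZ against VIZ, check the validity period, and answer
    the 'over 18' question without returning the raw birth date."""
    reference = date.fromisoformat(reference_date)
    mrz = parse_td3(line1, line2, reference_date)
    expected = {
        "surname": viz["surname"].upper(),
        "given_names": viz["given_names"].upper(),
        "document_number": viz["document_number"].upper(),
        "date_of_birth": date.fromisoformat(viz["date_of_birth"]),
        "expiry": date.fromisoformat(viz["expiry"]),
    }
    mismatches = [k for k, v in expected.items() if mrz[k] != v]
    dob = mrz["date_of_birth"]
    age = reference.year - dob.year - ((reference.month, reference.day) < (dob.month, dob.day))
    return {
        "check_digits_ok": all(mrz["checks"].values()),
        "failed_checks": [k for k, ok in mrz["checks"].items() if not ok],
        "mismatches": mismatches,
        "expired": mrz["expiry"] < reference,
        "over_18": age >= 18,
    }


if __name__ == "__main__":
    print(verify(MRZ_LINE1, MRZ_LINE2, SAMPLE_VIZ, "2010-06-01"))
```

A single altered digit in the MRZ breaks both the field’s own check digit and the composite digit, and a VIZ value that disagrees with the MRZ shows up as a named mismatch, which is the kind of inconsistency the text describes as a tampering indicator. Note that `verify()` returns only the boolean `over_18`, never the birth date itself.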
“Providers comply with any legal requirements incumbent on them in connection with operation and delivery of the service, including the types of information that may be sought, how identity proofing is conducted, what information may be retained and for how long”
On-device architecture, because it does not require data storage or transmission, helps businesses comply with the most stringent data protection requirements. Such systems are compatible not only with EU regulations like eIDAS or GDPR but also with any Asian, MENA, Latin American, and other data privacy frameworks.
“Retain, as far as it is permitted by national law or other national administrative arrangement, and protect records for as long as they are required for the purpose of auditing and investigation of security breaches, and retention, after which the records shall be securely destroyed”
This requirement is not about storing all personal data by default, but about keeping the system auditable. The real challenge is architectural: how can identity data be processed locally while traceability is preserved? In our view, data should not be transferred for processing, but only for strictly limited and secure audit purposes. Future approaches may include selective logging, encrypted audit records, or mechanisms that preserve auditability without exposing raw personal data. This is not a limitation of the on-device model, but a broader challenge for the next generation of identity verification systems.
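One way to keep a verification auditable without retaining raw personal data, as an added illustration of the “encrypted audit records” idea above and not OCR Studio’s code or an eIDAS-mandated format: each record stores only the outcome flags, a timestamp, a keyed commitment to the identity data (HMAC over the canonical PID with a random per-record nonce), and a hash chain link to the previous record. The assumptions are this example’s own: the nonce is handed back to the user (for instance to their wallet) and is not kept with the log, so the log alone reveals nothing about the person, while an auditor who later receives the document and the nonce with the user’s consent can confirm that a given record was about that document. The PID field names are constructed.

```python
"""
Hash-chained audit records with keyed PID commitments.
Added illustration, not OCR Studio's code and not an eIDAS-mandated format.
Assumption: the per-record nonce stays with the user, not with the log.
"""
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64


def _canonical(obj) -> bytes:
    """Stable JSON serialization so equal content always hashes equally."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def commit_pid(pid: dict, nonce: bytes) -> str:
    """Keyed commitment: without the nonce, low-entropy fields such as a
    birth date or surname cannot be brute-forced from the record."""
    return hmac.new(nonce, _canonical(pid), hashlib.sha256).hexdigest()


def append_record(log: list, pid: dict, outcome: dict, timestamp: str, nonce: bytes = None) -> bytes:
    """Append one record. `outcome` must contain only decision flags, never PID.
    Returns the nonce, which goes to the user's wallet rather than the log."""
    nonce = nonce or secrets.token_bytes(32)
    body = {
        "ts": timestamp,
        "outcome": outcome,
        "commitment": commit_pid(pid, nonce),
        "prev": log[-1]["chain"] if log else GENESIS,
    }
    body["chain"] = hashlib.sha256(_canonical(body)).hexdigest()
    log.append(body)
    return nonce


def verify_chain(log: list) -> bool:
    """Tamper-evidence check: every record must hash to its chain value and
    point at the previous record's chain value."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "chain"}
        if rec["prev"] != prev or rec["chain"] != hashlib.sha256(_canonical(body)).hexdigest():
            return False
        prev = rec["chain"]
    return True


def record_matches(rec: dict, pid: dict, nonce: bytes) -> bool:
    """Auditor-side check, given the document data and nonce with user consent."""
    return hmac.compare_digest(rec["commitment"], commit_pid(pid, nonce))


def serialize_log(log: list) -> str:
    """What actually leaves the device for audit purposes."""
    return json.dumps(log, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample PID; the log below never contains these values.
    sample_pid = {"surname": "ERIKSSON", "given_names": "ANNA MARIA",
                  "document_number": "L898902C3", "date_of_birth": "1974-08-12"}
    audit_log = []
    user_nonce = append_record(audit_log, sample_pid,
                               {"over_18": True, "checks_ok": True}, "2025-01-01T10:00:00Z")
    print(serialize_log(audit_log))
    print("chain ok:", verify_chain(audit_log),
          "record matches:", record_matches(audit_log[0], sample_pid, user_nonce))
```

Modifying any stored outcome flag invalidates the chain from that record onward, and a record can be linked back to a specific document only by someone holding both the document data and the nonce.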
As you can see, on-premise technologies fully meet the key eIDAS requirements while avoiding the framework’s main weakness. Because they do not require data storage or transmission, they provide much stronger protection against personal data leaks than alternative approaches. Such technologies can support identity verification workflows at any required assurance level, from “low” to “high”.
Meeting eIDAS requirements is essential for any company operating in the EU. However, compliance alone is not enough to guarantee real protection of customer data. To build a truly secure KYC, businesses need to look beyond formal compliance and pay close attention to the technical characteristics of the identity verification solutions they use. In our view, the safest choice is not a vendor that merely minimizes personal data collection, but one that removes the need for collecting and transmitting that data at every stage.
About OCR Studio
OCR Studio, a developer of optical character recognition technologies, offers a wide range of on-premise ID scanning and verification solutions for the fintech, retail, and travel industries. All processing is performed on the end user’s device or within your company’s secure perimeter, with no data transmitted to external services. This helps businesses keep sensitive ID data under control and support compliance with major European data protection frameworks.
Konstantin Bulatov is a scientist and Chief Technology Officer of OCR Studio, where he has led the development and implementation of advanced OCR technologies. He has designed a method for optimizing object recognition in video streams, which has improved the accuracy and efficiency of real-time OCR systems. Under his direction, OCR Studio develops secure on-device programming solutions that address diverse industry needs and contribute to advancements in the field.
Konstantin is an IEEE Senior Member; he has authored multiple patent applications and published his research in prominent academic conferences and journals. His work emphasizes innovative approaches to developing high-performance recognition systems, reinforcing OCR Studio’s position as a significant contributor to the global technology landscape.