April 15, 2026
THE EUDI WALLET AND eIDAS 2.0: WHAT OBLIGED ENTITIES MUST ACCEPT FROM 2027
by: Identyum

Two deadlines are converging on the same calendar window.

Regulation (EU) 2024/1624 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLR) requires obliged entities to have AMLR-compliant Customer Due Diligence (CDD) processes in place by July 10, 2027. The EU Digital Identity framework requires financial institutions and other regulated relying parties to accept the EUDI Wallet for identity verification by December 2027. Both deadlines concern the same thing: how your organisation verifies who it is dealing with.

For compliance and procurement teams, the two frameworks are not parallel tracks. They are designed to work together. Understanding what the EUDI Wallet is, what it requires from your systems, and what level of assurance it provides is now a prerequisite for building a CDD process that is compliant on both dimensions.

From eIDAS to eIDAS 2.0

The original eIDAS Regulation (Regulation (EU) 910/2014) established a legal framework for electronic identification and trust services across the EU. It introduced three levels of identity assurance, created the category of Qualified Trust Service Providers (QTSP), and gave legal validity to electronic signatures. What it did not do was create a common digital identity instrument that citizens could use across borders and across sectors.

eIDAS 2.0, adopted in 2024, changes this in two material ways. First, it requires every EU Member State to make at least one EUDI Wallet available to all citizens and residents by December 2026. Second, it creates a mandatory acceptance obligation for defined categories of organisations, including financial institutions, that must accept EUDI Wallet credentials by December 2027.

The shift is from a framework that enabled digital identity to a framework that mandates it.

What is the EUDI Wallet?

The EUDI Wallet is a mobile application, issued or certified by a Member State, that allows citizens to store and present verified identity credentials, attributes, and documents digitally. It is not a login app or a two-factor authentication tool. It is a cryptographically secured identity container that can present verified attributes to any relying party, online or in person, with the user’s explicit consent.

At the technical level, the wallet operates on Verifiable Credentials standards. For remote presentation, it uses the OpenID for Verifiable Presentation protocol (OpenID4VP). For proximity-based use, presenting a credential in person, it uses ISO/IEC 18013-5, the same standard used for mobile driving licences. Credentials stored in the wallet are issued by trusted sources: Member State authorities, QTSPs, or other authorised issuers.

The wallet holds a Personal Identification Data (PID) set (name, date of birth, address, national identity number) verified against the issuing authority’s records. It can also hold Qualified Electronic Attestations of Attributes (QEAA): verified claims about a person’s attributes, such as professional qualifications, age, or financial status, issued by a QTSP.

The three levels of assurance and why the level matters for AML

eIDAS defines three levels of identity assurance: Low, Substantial, and High. The level reflects the robustness of the identity verification process used to establish the credential in the first place, and the strength of authentication required to present it.

  • Low assurance involves limited confidence in the claimed identity. It is appropriate for low-risk interactions where misidentification has minimal consequence.
  • Substantial assurance requires identity to have been established through a process that includes verification of the identity document and confirmation that the person presenting it is its legitimate holder. It supports most regulated verification requirements, including KYC under the AML framework.
  • High assurance requires the same as Substantial, plus verification that the authentication mechanism itself is bound to the specific individual and resistant to compromise. It is the appropriate standard for high-value transactions, access to sensitive data, and EDD scenarios under the AMLR.

For AML onboarding, only Substantial or High assurance is appropriate. The AMLR and the draft EBA Regulatory Technical Standards confirm this: verification via EUDI Wallet satisfies CDD requirements when the wallet credential was issued at the correct assurance level and the presentation uses a compliant authentication mechanism. A Low assurance credential does not meet the CDD standard.

This distinction matters directly for procurement. When evaluating identification providers, the relevant question is not “does this system use digital identity?” but “at which assurance level was the identity established, and can it be demonstrated on audit?”

Selective disclosure: Only what is required

One of the most compliance-relevant features of the EUDI Wallet is selective disclosure.

Under the legacy document-based approach, verifying a customer’s identity means receiving a copy of their full identity document (name, address, date of birth, document number, expiry date, photograph) regardless of how much of that information the verification actually requires. An age verification check, for example, does not require the person’s home address. A payment account verification does not require their document number.

The EUDI Wallet changes this through cryptographic selective disclosure. The wallet holder can present a subset of their verified attributes without revealing the rest. A relying party can receive a confirmed “over 18” response without receiving the date of birth. A KYC check can receive verified name and nationality without receiving the document number or expiry date.

For obliged entities, this has two direct implications. First, it aligns with the AMLR’s principle of proportionate data collection: you collect what your specific compliance obligation requires, and no more. Second, it reduces your data liability. Identity data you do not receive cannot be exposed in a breach, and cannot create a GDPR compliance burden for data you have no right to retain.

The technical mechanism behind this involves zero-knowledge proof cryptography: the wallet proves that statements such as “this person is over 18” or “this person’s name is X” are true, without exposing the underlying data point unless the relying party has a documented basis to receive it.

The mandatory acceptance obligation

The acceptance timeline is defined clearly in the implementing acts of the eIDAS 2.0 Regulation.

Organisations that are legally required to use strong user authentication, a category that explicitly includes banks and financial services providers, must accept EUDI Wallet credentials upon request within 36 months of the implementing acts entering into force. That deadline falls in December 2027, five months after the AMLR implementation date.

The obligation is not optional for covered organisations. It is not limited to customer-facing channels. And it is not satisfied by accepting other forms of digital identity. If a customer presents a valid EUDI Wallet credential for onboarding or re-verification, you must have a system capable of processing it.

Member States must issue wallets to citizens by December 2026. From that point, customers can begin presenting EUDI Wallet credentials for onboarding. Organisations that are not ready will face a compliance gap in the same period when AMLA is beginning direct supervision activities. Organisations that have not started gap analysis by mid-2026 are on a compressed timeline.

What QEAA means for CDD evidence

Qualified Electronic Attestations of Attributes (QEAA) are a specific credential type introduced by eIDAS 2.0 for verified claims about a person’s attributes, issued by a Qualified Trust Service Provider.

In the context of CDD, a QEAA can carry verified identity attributes (name, date of birth, nationality, tax identification number) with the same legal weight as an identity document, because they are issued by a trusted authority against verified source data. Under the AMLR and the EBA draft RTS, a QEAA issued at High or Substantial assurance satisfies the identity verification requirement for CDD, including for remote onboarding.

This is the mechanism by which the two frameworks interlock. The AMLR requires auditable, structured CDD data. The EUDI Wallet, through QEAA, delivers exactly that: a cryptographically verified attribute set, presented with user consent, at a defined assurance level, with a timestamped presentation event that the relying party can log as part of their CDD record.

What this means for your systems and procurement

The practical preparation for EUDI Wallet acceptance involves three workstreams.

  • Technical integration. Your onboarding and re-verification systems must be capable of processing OpenID4VP-based credential presentations from EUDI Wallet holders. This is an API and identity protocol integration, not a workflow adjustment. It requires technical scoping, vendor evaluation, and implementation lead time.
  • Assurance level validation. Your CDD policy must specify which assurance level is required for each customer category — Substantial for standard onboarding, High for EDD scenarios. Your systems must be capable of verifying and logging the assurance level of each credential received.
  • Data minimisation architecture. Your CDD workflows must be designed to request only the attributes required for the specific verification purpose. Requesting more than is needed violates both the AMLR proportionality principle and GDPR. This requires a review of which attributes are requested at each onboarding and re-verification step.
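The assurance-level and data-minimisation workstreams can be enforced in one policy gate, shown here as an added example that is not from the original article or any vendor's product. The purpose names, attribute names, and the `loa` and `attributes` fields are hypothetical, and the presentation is assumed to have already passed cryptographic verification.

```python
from datetime import datetime, timezone

LOA_RANK = {"low": 1, "substantial": 2, "high": 3}

# Hypothetical CDD policy: minimum assurance level and attribute allowlist per purpose
BASE = {"family_name", "given_name", "birth_date", "nationality"}
POLICY = {
    "standard_onboarding": {"min_loa": "substantial", "attributes": BASE},
    "edd": {"min_loa": "high", "attributes": BASE | {"tax_id"}},
    "age_check": {"min_loa": "substantial", "attributes": {"age_over_18"}},
}


def build_request(purpose):
    """Attributes to ask the wallet for: only what the policy for this purpose allows."""
    return sorted(POLICY[purpose]["attributes"])


def evaluate_presentation(purpose, presentation, now=None):
    """Apply the policy to a verified presentation and return the CDD audit record."""
    rule = POLICY[purpose]
    loa = presentation.get("loa", "")
    received = set(presentation.get("attributes", {}))
    reasons = []
    # An unknown or missing level ranks as 0 and therefore always fails.
    if LOA_RANK.get(loa, 0) < LOA_RANK[rule["min_loa"]]:
        reasons.append(f"assurance level {loa or 'missing'!r} is below {rule['min_loa']!r}")
    missing = rule["attributes"] - received
    if missing:
        reasons.append(f"required attributes missing: {sorted(missing)}")
    extra = received - rule["attributes"]
    if extra:
        reasons.append(f"unrequested attributes received: {sorted(extra)}")
    return {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "purpose": purpose,
        "loa": loa,
        "attribute_names": sorted(received),  # log names only, never the values
        "accepted": not reasons,
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed sample: a Low assurance credential offered for standard onboarding
    sample = {"loa": "low", "attributes": dict.fromkeys(BASE, "constructed")}
    print(evaluate_presentation("standard_onboarding", sample))
```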

The broader procurement question is whether your identification infrastructure, current or planned, is being built around the framework that will govern verification from 2027 onward, or around legacy document-based processes that are being superseded.

Where Identyum stands in this framework

Identyum’s ID Wallet received eIDAS 2.0 High Level of Assurance certification in 2025, meaning the identity establishment process, storage architecture, and authentication mechanisms meet the highest defined standard under the regulation.

Identyum has been a member of the EUDI Wallet Consortium (EWC), a part of the European Commission’s Large Scale Pilots programme, since December 2022. Participation in the Large Scale Pilots means that Identyum’s wallet architecture has been tested against the reference framework that defines how EUDI Wallets interoperate across Member States.

The storage architecture meets FIPS 140-2 Level 3, eIDAS EAL4+ and QSCD standards. Selective disclosure is supported natively: when a relying party requests identity verification through Identify, the scope of attributes delivered is defined by the requesting organisation’s compliance obligation, not by what the document contains.

For obliged entities evaluating their identification infrastructure ahead of the 2027 deadlines, the relevant question is whether their current or planned provider is operating within the eIDAS 2.0 framework at the correct assurance level, with the technical and legal capacity to deliver what both the AMLR and the EUDI Wallet obligation require.

Two deadlines, one decision

July 2027 and December 2027 are the same compliance decision presented with a five-month gap. Both require the same underlying infrastructure: a digital identity verification process that operates at High or Substantial assurance, produces an auditable record, and is capable of receiving and processing EUDI Wallet credentials.

Organisations that build their CDD infrastructure around this standard now will meet both deadlines without disruption. Organisations that defer the decision will find that the implementation timeline and the compliance deadline are moving toward each other.

To learn more about how Identyum supports eIDAS 2.0-compliant identification and AMLR-ready CDD, visit identyum.com/identity-verification.