eIDAS 2.0 requirements
If you plan to verify credentials from EU Digital Identity Wallets (EUDI Wallets), you need to understand the legal framework that governs the ecosystem. The eIDAS 2.0 Regulation (EU) 2024/1183 establishes the rules for digital identity across the European Union, defining how wallets work, what Relying Parties must do, and how user privacy is protected.
The Truvity EUDIW Connector implements the technical requirements derived from eIDAS 2.0, so you can focus on your business logic while the connector handles protocol compliance.
What eIDAS 2.0 introduces
The regulation builds on the original 2014 eIDAS framework to create a unified architecture for digital identity. Key elements include:
- EUDI Wallets: Personal apps that allow users to store and present digital credentials
- Personal Identification Data (PID): The digital equivalent of a national ID card, containing core identity attributes
- Electronic Attestations of Attributes (EAA): Verified credentials from trusted sources (for example, driving licenses, diplomas, or bank account proofs)
- Relying Parties (RPs): Organizations that request and verify these credentials
Core principles
- User control: Users must explicitly consent to share data and can choose exactly which attributes to disclose
- Data minimization: You must request only the data strictly necessary for your specific service
- Privacy by design: The architecture prevents tracking user behavior across different services
- Cross-border interoperability: A credential issued in one member state must be accepted by Relying Parties in all other member states
Key regulations
Regulation (EU) 2024/1183 is the core eIDAS 2.0 regulation. It defines the EUDI Wallet, trust services, and the obligations for all ecosystem participants.
The Commission has adopted Implementing Regulations that define the technical specifications for the framework:
| Regulation | Type | Scope |
|---|---|---|
| (EU) 2024/1183 | Core regulation | The eIDAS 2.0 regulation defining the EUDI Wallet and trust services |
| (EU) 2024/2977 | Implementing Regulation | Person identification data and electronic attestations of attributes |
| (EU) 2024/2979 | Implementing Regulation | Integrity and core functionalities of EUDI Wallets |
| (EU) 2024/2980 | Implementing Regulation | Notifications to the Commission concerning the EUDI Wallet ecosystem |
| (EU) 2024/2982 | Implementing Regulation | Protocols and interfaces for the EUDI Framework |
| (EU) 2025/848 | Implementing Regulation | Registration of wallet-relying parties |
Requirements for Relying Parties
Any organization that verifies credentials from an EUDI Wallet must comply with Article 6b and related provisions.
Registration and authentication
To verify credentials, you must register with the relevant member state authority. This involves:
- Declaring intended use: You specify exactly why you need the data (for example, "age verification for restricted goods")
- Identity verification: You are identified by valid X.509 certificates
  - Access certificates authenticate you to the wallet during a transaction
  - Registration certificates prove your authorization to request specific data types
For details on certificate types and management, see certificates.
Transparency and consent
When you request data, the EUDI Wallet displays a consent screen to the user:
- Identity display: The user sees your authenticated name, verified through your X.509 certificate
- Purpose display: The wallet shows the specific reason for the request
- Explicit consent: The user must actively approve the transaction
Data protection
As a Relying Party, you act as a Data Controller under GDPR. Key obligations include:
- Lawful basis: Establishing a legal basis for processing the requested attributes
- Storage limitation: Data must not be kept longer than necessary for the service
- Unlinkability: You should not collude with other parties to track users across contexts
The intermediary role
The eIDAS 2.0 regulation and the Architecture Reference Framework (ARF) define the role of an intermediary—a party that acts on behalf of Relying Parties to interact with EUDI Wallets. This documentation uses the term Relying Party Intermediary (RPI) as a shorthand for this role.
An intermediary performs all tasks assigned to a Relying Party on behalf of the intermediated RP. This includes registration, wallet authentication, trust evaluation, revocation checking, and all other RP obligations defined in the ARF—not just the technical verification step.
When you register with a Registrar, the registration process also records whether you intend to use an intermediary, and if so, which one.
The data storage restriction
Article 5b(10) of eIDAS 2.0 establishes a binding restriction on intermediaries:
"Intermediaries acting on behalf of relying parties shall be deemed to be relying parties and shall not store data about the content of the transaction."
This provision has two effects. First, intermediaries bear the same legal obligations as Relying Parties. Second, intermediaries must not retain data about the content of the transaction. To comply, an intermediary must operate using an ephemeral data model:
- Receive the encrypted presentation from the wallet
- Decrypt and verify the data in memory using ephemeral keys
- Forward the verified data to the Relying Party through a callback
- Delete the personal data from its system after forwarding
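The four steps above, sketched as an added example (not the connector's own code): an in-memory handler whose per-transaction key is single use and is wiped whether verification succeeds, fails, or the callback raises. The names `start_transaction`, `handle_presentation`, `PENDING` and `TTL_SECONDS` are assumptions, the hash-based cipher is a stand-in for the real response decryption, and the sample attributes in use are constructed.

```python
import hashlib, hmac, json, secrets, time

TTL_SECONDS = 300   # assumed lifetime of a pending transaction
PENDING = {}        # transaction id -> (ephemeral key, expiry); process memory only

def keystream_xor(key, data):
    # Stand-in cipher so the example runs offline; not the real response encryption.
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return out

def seal(key, attributes):
    """Wallet side of the stand-in: encrypt, then append an HMAC-SHA256 tag."""
    body = bytes(keystream_xor(key, json.dumps(attributes).encode()))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def start_transaction():
    """Create a per-transaction key that is never written to disk."""
    tx_id, key = secrets.token_hex(8), bytearray(secrets.token_bytes(32))
    PENDING[tx_id] = (key, time.monotonic() + TTL_SECONDS)
    return tx_id, key

def handle_presentation(tx_id, sealed, callback):
    """Decrypt in memory, forward once through the callback, retain nothing."""
    entry = PENDING.pop(tx_id, None)   # single use: a replay finds no key
    if entry is None:
        return False
    key, expiry = entry
    plaintext = bytearray()
    try:
        body, tag = sealed[:-32], sealed[-32:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if time.monotonic() > expiry or not hmac.compare_digest(tag, expected):
            return False
        plaintext = keystream_xor(key, body)
        callback(tx_id, json.loads(plaintext))   # deliver; no queue, no log line
        return True
    finally:
        # Runs on success, rejection and callback failure alike. Best effort in
        # Python: the parsed dict handed to the callback is outside our control.
        for buf in (key, plaintext):
            buf[:] = bytes(len(buf))
```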
Implications for integration
The Article 5b(10) data storage restriction shapes how verification systems deliver results. Because an intermediary cannot store transactional data, integrations use callbacks to receive results rather than polling for past records. The connector implements this pattern through the Presented Credentials Event, delivering verified attributes to your system after verification completes.
Further reading
- Architecture Reference Framework—the technical blueprint derived from eIDAS 2.0
- Ephemeral data model—how the connector handles data without persistence
- OID4VP protocol—the verification protocol mandated by eIDAS 2.0