Compliance and regulations
Integrating with EU Digital Identity Wallets requires compliance with multiple regulations and technical standards. This page explains what you need to know about eIDAS 2.0, the Architecture Reference Framework (ARF), and how Truvity EUDIW Connector addresses these requirements so you can focus on your business logic.
This documentation provides technical guidance on compliance requirements. For legal interpretation of regulations, consult your legal counsel.
eIDAS 2.0
The eIDAS 2.0 Regulation (Regulation (EU) 2024/1183) establishes the legal framework for European Digital Identity Wallets across the EU. It defines:
- Attestation providers: Member states issue Personal Identification Data (PID), while qualified and non-qualified attestation providers issue Electronic Attestations of Attributes (EAA).
- Relying Parties: Relying Parties and Relying Party Intermediaries (RPIs) registered with member state authorities can verify credentials.
- Protection: The regulation mandates protection of user privacy, data minimization, and secure credential exchange.
- Trust establishment: Trust is established through digital certificates, trusted lists (registries of authorized entities), and revocation mechanisms.
A key principle is that users control their digital identity. Organizations can request but never force sharing of credentials.
The ARF enforces data minimization through two mechanisms. First, Relying Parties must register which attributes they intend to request, and Wallet Units can verify that a request does not exceed this registration. Second, selective disclosure allows Relying Parties to request only specific attributes within an attestation rather than the entire attestation.
User approval to present attributes from a Wallet Unit is not the same as GDPR consent for data processing. You must independently ensure you have a lawful basis under GDPR Article 6 for processing the personal data you receive. The ARF also enables users to request data deletion from Relying Parties through their Wallet Unit dashboard, in accordance with GDPR Article 17. Ensure you have procedures in place to handle such requests.
Effective dates:
- December 31, 2026: All EU member states must offer EUDI Wallets to citizens.
- December 31, 2027: All businesses and online platforms must accept EUDI Wallets.
For a detailed explanation of the eIDAS 2.0 legal framework and RPI obligations, see eIDAS 2.0 requirements.
Commission Implementing Regulations (Implementing Acts)
eIDAS 2.0 is supported by several Implementing Regulations that provide technical details. Some of the most important include:
Commission Implementing Regulation (EU) 2024/2977 covers person identification data and electronic attestations of attributes requirements. It specifies mandatory and optional attributes for PID and EAA, as well as issuance requirements.
Commission Implementing Regulation (EU) 2024/2979 addresses wallet integrity and core functionalities, detailing security features, cryptographic requirements, and user interface standards. This regulation is primarily relevant to wallet providers rather than Relying Parties.
Commission Implementing Regulation (EU) 2024/2980 establishes requirements for Member State notifications to the Commission about trusted entities in the EUDI Wallet ecosystem, including wallet providers, PID providers, and registrars.
Commission Implementing Regulation (EU) 2024/2982 defines the protocols and interfaces for the EUDI Framework, covering credential issuance, attribute presentation to Relying Parties, data erasure requests, and Relying Party reporting to supervisory authorities.
Commission Implementing Regulation (EU) 2025/848 establishes rules for the registration of wallet-relying parties, including requirements for national registers, the information that Relying Parties must provide during registration, access certificates, and registration certificates.
For a summary table of all Implementing Regulations, see eIDAS 2.0 requirements.
Architecture Reference Framework (ARF)
The Architecture Reference Framework (ARF) is the technical blueprint that defines how EUDI Wallets, attestation providers, and Relying Parties interact. It translates eIDAS 2.0 legal requirements into specific technical specifications.
High-level requirements
The ARF defines hundreds of requirements organized by topic. Key categories relevant to Relying Parties include:
| Category | Description | Examples |
|---|---|---|
| RP Registration | Requirements for registering as a Relying Party | Certificate issuance, intended use declaration |
| Presentation Protocol | How to request and receive credentials | Authorization Request structure, response handling |
| Trust Evaluation | Verifying credential authenticity | Signature validation, revocation checking |
| Privacy Protection | User data handling requirements | Selective disclosure, data minimization |
| RPI Operations | Requirements for intermediaries | No data storage, transparent operation |
For the detailed ARF structure, requirement categories, and how the ARF translates eIDAS 2.0 into technical specifications, see Architecture Reference Framework (ARF).
High Assurance Interoperability Profile (HAIP)
The High Assurance Interoperability Profile (HAIP) ensures:
- Cross-border interoperability: Wallets and RPs from different member states work together seamlessly.
- High assurance level: Cryptographic strength suitable for government and financial services.
- Consistent implementation: All parties follow the same security requirements.
The EUDIW Connector follows HAIP specifications to ensure compatibility with official EUDI Wallets across all EU member states.
For detailed HAIP specifications, cryptographic requirements, and how the connector implements the profile, see High Assurance Interoperability Profile (HAIP).
Ephemeral data model
The connector uses an ephemeral data model as a security architecture choice that minimizes the attack surface. Credential data is processed in memory, verified, delivered to your callback, and then deleted. No user attributes persist in the connector. This design reduces the risk of data breaches by ensuring sensitive identity data does not accumulate in storage.
Certificate requirements
The EUDI ecosystem uses two types of certificates for Relying Parties:
Access certificates authenticate the Relying Party to EUDI Wallets during credential requests. They function like digital ID cards, proving that a request comes from a legitimate, registered party. The ARF distinguishes between a Relying Party (the legal entity) and a Relying Party Instance (the technical system that interacts with Wallet Units). Each Relying Party Instance requires its own access certificate.
Registration certificates describe the Relying Party's registered intended uses and the attributes it has registered to request. These contain your organization's declared purposes (for example, "KYC for bank account opening") and the specific credential types and attributes you intend to request. Registration certificates are optional—not all member states issue them. When a registration certificate is not available, the Wallet Unit retrieves the same information from the Registrar's online service.
To obtain these certificates, you first register with a Registrar in your member state. After successful registration, an Access Certificate Authority issues your access certificates, and a Provider of Registration Certificates may issue registration certificates if the member state supports them. You then configure these certificates in the connector. For detailed information on certificate lifecycle and trust chain validation, see Certificates in EUDI.
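The two checks described above, a Wallet Unit validating an RP Instance's access certificate against a trusted list (with expiry and a revocation lookup) and confirming that a request does not exceed the attributes the Relying Party registered (the first data-minimization mechanism described in the eIDAS 2.0 section), are sketched below as an added Go example. It is not the connector's code and not an excerpt of any ARF specification: it uses Go's standard-library X.509 verification rather than the trusted-list and Registrar formats the ARF defines, and the Access CA, the untrusted CA, the RP Instance certificates, the serial-number revocation set, the credential type "PID" and the attribute names are all constructed inline for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Attributes maps a credential type to attribute names. The same shape serves for what a
// Relying Party registered with the Registrar and for what an RP Instance requests.
type Attributes map[string][]string

// CheckRequestWithinRegistration is the first ARF data-minimization check: every requested
// attribute must be registered. It returns the excess as "type.attribute", or nil if none.
func CheckRequestWithinRegistration(registered, requested Attributes) []string {
	var excess []string
	for credType, attrs := range requested {
		allowed := make(map[string]bool)
		for _, a := range registered[credType] {
			allowed[a] = true
		}
		for _, a := range attrs {
			if !allowed[a] {
				excess = append(excess, credType+"."+a)
			}
		}
	}
	return excess
}

// VerifyAccessCertificate checks that an access certificate chains to an Access Certificate
// Authority on the trusted list, is valid at now, and is not in the revocation set (keyed by
// serial number; a constructed stand-in for a real revocation mechanism).
func VerifyAccessCertificate(leaf *x509.Certificate, trusted *x509.CertPool, revoked map[string]bool, now time.Time) error {
	if revoked[leaf.SerialNumber.String()] {
		return fmt.Errorf("access certificate serial %s is revoked", leaf.SerialNumber)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: trusted, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Fixture holds constructed material: the trusted list (one Access CA), an access
// certificate it issued (Good) and one issued by a CA that is not on the list (Rogue).
type Fixture struct {
	Trusted     *x509.CertPool
	Good, Rogue *x509.Certificate
	Now         time.Time
}

// BuildFixture generates the constructed CAs and access certificates in memory.
func BuildFixture() (*Fixture, error) {
	now := time.Date(2026, 6, 1, 12, 0, 0, 0, time.UTC)
	// newCert generates a P-256 key and a certificate for cn; a nil parent yields a self-signed CA.
	newCert := func(serial int64, cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, nil, err
		}
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
		if parent == nil { // self-signed Access CA: the new key signs its own certificate
			t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
			parent, signer = t, key
		}
		der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
		if err != nil {
			return nil, nil, err
		}
		cert, err := x509.ParseCertificate(der)
		return cert, key, err
	}
	trustedCA, trustedKey, e1 := newCert(1, "Example Access CA (constructed)", nil, nil)
	rogueCA, rogueKey, e2 := newCert(1, "Untrusted CA (constructed)", nil, nil)
	if err := errors.Join(e1, e2); err != nil {
		return nil, err
	}
	good, _, e3 := newCert(2, "RP Instance A (constructed)", trustedCA, trustedKey)
	rogue, _, e4 := newCert(3, "RP Instance B (constructed)", rogueCA, rogueKey)
	if err := errors.Join(e3, e4); err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	return &Fixture{Trusted: pool, Good: good, Rogue: rogue, Now: now}, nil
}

func main() {
	f, err := BuildFixture()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusted RP instance:", VerifyAccessCertificate(f.Good, f.Trusted, nil, f.Now))
	fmt.Println("untrusted RP instance:", VerifyAccessCertificate(f.Rogue, f.Trusted, nil, f.Now))
	registered := Attributes{"PID": {"family_name", "age_over_18"}} // constructed registration
	fmt.Println("beyond registration:", CheckRequestWithinRegistration(registered, Attributes{"PID": {"family_name", "birth_date"}}))
}
```

The order of the checks matters: the registration comparison is only meaningful once the access certificate has proven which registered Relying Party is asking, so a production Wallet Unit rejects the request on a failed chain, validity or revocation check before looking at the requested attributes at all.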
Further reading
- What is the EUDIW Connector?—product introduction and deployment
- EUDI Wallet ecosystem context—roles, terminology, and architecture
- Use cases—real-world implementation scenarios