The impact of eIDAS 2.0 on privacy, anti-money laundering

Europe’s digital future: eIDAS 2.0’s impact on privacy, anti-money laundering

Overview


The European Union’s European Digital Identity Framework Regulation (eIDAS 2.0) introduces a standardised framework for digital identity and trust services across all EU Member States, massively benefiting anti-money laundering efforts while still protecting individuals’ personal data.

In Depth


eIDAS 2.0, which came into effect at the end of 2024, complements the regulatory requirements of the Second Payment Services Directive (PSD2), particularly in implementing Strong Customer Authentication, which is a key requirement of PSD2. One of the primary uses of eIDAS 2.0 will be digital Know-Your-Customer (KYC) identification in compliance with relevant Anti-Money Laundering (AML) laws. One of the key benefits, therefore, is streamlined and secure customer onboarding, particularly in the financial sector.

As a direct result, eIDAS 2.0 facilitates the implementation of EUDI-Wallets, which are expected to come into effect from 2027 and will make all online financial services requiring customer identification easier and more reliable, even across borders. This will reduce friction and improve the user experience by allowing for easy and safe online authentication and verification across the entire European Union, covering services such as bank account opening, qualified electronic signatures, and mobile driving licences. The introduction of EUDI-Wallets under eIDAS 2.0 aims to provide a unified and secure way for individuals to store and manage their electronic identification data. EUDI-Wallets will enable users to selectively disclose their data, ensuring that only the necessary information is shared with the respective service providers. This selective disclosure mechanism is crucial for maintaining privacy while easily accessing various digital services.
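The selective disclosure described above can be illustrated with a small salted-digest scheme, modelled on the approach used by SD-JWT: the issuer signs only per-claim digests, the wallet hands over just the claims the service provider actually needs, and the relying party checks those claims against the signed digests. This is an added example, not code from the article, from the EUDI-Wallet reference implementation or from the Architecture and Reference Framework; the claim names, the sample holder and the shared issuer key are constructed for the demo, and an HMAC stands in for the issuer's digital signature so that the block runs with the standard library only.

```python
"""Salted-digest selective disclosure, issuer -> wallet -> relying party.

Added illustration only: the claim set, the holder "Alice" and ISSUER_KEY are
constructed; a real issuer signs with a private key and the relying party
verifies with the matching public key instead of the HMAC used here.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

ISSUER_KEY = b"constructed-issuer-key-for-demo-only"  # stand-in for a signing key

# Constructed sample attributes; a bank opening an account may need all of
# them, an age-restricted web shop needs only age_over_18.
SAMPLE_CLAIMS = {
    "given_name": "Alice",
    "family_name": "Example",
    "birth_date": "1990-01-01",
    "age_over_18": True,
}


def _digest(salt: str, name: str, value) -> str:
    # One digest per claim. The random salt stops a relying party from
    # brute-forcing low-entropy values (a birth year, a boolean) of claims
    # the user chose NOT to disclose.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue(claims: dict):
    """Issuer: return (credential, disclosures).

    The credential carries only digests plus the issuer's MAC; the cleartext
    claims live in the disclosures, which stay in the holder's wallet."""
    disclosures, digests = [], []
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        disclosures.append({"salt": salt, "name": name, "value": value})
        digests.append(_digest(salt, name, value))
    digests.sort()  # sorted order reveals nothing about which claim is which
    body = {"digests": digests}
    mac = hmac.new(ISSUER_KEY, json.dumps(body, sort_keys=True).encode(), "sha256").hexdigest()
    return {"body": body, "mac": mac}, disclosures


def present(credential: dict, disclosures: list, reveal: set) -> dict:
    """Wallet: forward the signed credential plus only the chosen disclosures."""
    return {
        "credential": credential,
        "disclosures": [d for d in disclosures if d["name"] in reveal],
    }


def verify(presentation: dict) -> Optional[dict]:
    """Relying party: check the issuer MAC, then match every revealed claim
    against the signed digests. Returns the verified claims, or None."""
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, json.dumps(cred["body"], sort_keys=True).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, cred["mac"]):
        return None  # credential not from the issuer, or digests altered
    verified = {}
    for d in presentation["disclosures"]:
        if _digest(d["salt"], d["name"], d["value"]) not in cred["body"]["digests"]:
            return None  # disclosure altered or taken from another credential
        verified[d["name"]] = d["value"]
    return verified


def demo():
    """Run the three roles once; returns (accepted claims, result for a
    tampered disclosure, whether the name leaked into the credential)."""
    credential, disclosures = issue(SAMPLE_CLAIMS)
    shown = present(credential, disclosures, {"age_over_18"})
    accepted = verify(shown)
    tampered = present(credential, disclosures, {"age_over_18"})
    tampered["disclosures"][0] = dict(tampered["disclosures"][0], value=False)
    rejected = verify(tampered)
    leaked = "Alice" in json.dumps(credential)
    return accepted, rejected, leaked


if __name__ == "__main__":
    print(demo())  # ({'age_over_18': True}, None, False)
```

The relying party ends up with exactly one verified attribute and never sees the digests' preimages for the undisclosed name and birth date, which is the data-minimisation property the article attributes to the wallet; the per-claim salt is what makes the undisclosed digests unguessable.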

eIDAS 2.0 will have a material impact on the digitalisation of EU markets and, accordingly, provide for various innovative business opportunities. Digital businesses can develop new services, such as identity-verified digital wallets, automated contract execution, and seamless cross-border payments. The harmonised legal framework will also reduce compliance complexity and operational costs.

Electronic Identification and Trust Services

The primary goals of eIDAS 2.0 are to:

  • Create harmonised conditions under which EU Member States can acknowledge electronic identification to provide for and recognise EUDI-Wallets. eIDAS 2.0 also provides that EUDI-Wallets must be open-source licensed. The rationale is to ensure general transparency so that the software can be scrutinised properly for potential security vulnerabilities, thereby protecting user data from potential breaches. Member States may, however, restrict the disclosure of specific components for justified reasons, balancing transparency with security.
  • Establish rules for trust services, in particular for electronic transactions, to ensure that electronic documents and transactions are tamper-proof and legally binding.
  • Create a legal framework for electronic signatures, seals, time stamps, documents, registered delivery services, archiving, and ledgers, amongst others.

eIDAS 2.0 promotes interoperability and the standardisation of electronic identification and trust services across the European Union. This ensures that technical as well as privacy and data protection standards are consistently applied, regardless of the Member State in which the services are used. Standardisation in this context is also expected to facilitate the development of secure and privacy-enhancing technologies that can be widely adopted.

Given the value of the information that will be stored digitally as a result of eIDAS 2.0, it is crucial to examine its privacy and data protection implications.

Data Protection Under eIDAS 2.0

eIDAS 2.0 is designed to ensure that users of electronic identification means and trust services have full control over their personal data. Accordingly, service providers must ensure the confidentiality, integrity, and authenticity of the data processed.

Under the General Data Protection Regulation ((EU) 2016/679, GDPR), data subjects have the right to access, rectify, and fully erase their data. The GDPR takes precedence over eIDAS 2.0, empowering individuals to securely manage their digital identities.

In addition, eIDAS 2.0 emphasises the importance of user consent and transparency in the processing of personal data. Service providers are – in line with and subject to GDPR – required to obtain explicit consent from users before processing their data, and must provide clear and transparent information about how the data will be used. This ensures that users are fully informed and can make confident decisions about their data.

Trust services under eIDAS 2.0, such as electronic signatures and seals, are designed with data minimisation principles in mind. These services ensure that only the necessary data is processed for the intended purpose, reducing the risk of unnecessary and unwanted data exposure. eIDAS 2.0 facilitates cross-border data transfers by establishing a harmonised framework for electronic identification and trust services across the entire European Union. This is particularly relevant for ensuring that data protection standards are maintained when personal data is transferred between EU Member States and will help reduce the risks associated with cross-border data transfers.

In the event of a security breach, eIDAS 2.0 requires service providers to notify the relevant supervisory bodies and affected users without undue delay. This prompt notification helps mitigate the impact of breaches on user privacy and ensures that protective and corrective measures are taken swiftly. eIDAS 2.0 also outlines the responsibilities of supervisory bodies in investigating and addressing such breaches. Insofar as this regards financial services, eIDAS 2.0 must be read in conjunction with the Digital Operational Resilience Act (Regulation (EU) 2022/2554, DORA).

In addition, eIDAS 2.0 explicitly promotes the use of pseudonyms, allowing users to engage in certain transactions without revealing their true identities, thereby additionally enhancing privacy. The exception is where the identification of the user is required by EU or national law, as would be the case in most financial services transactions, where stricter rules require a complete set of clear personal data for KYC purposes.

How eIDAS 2.0 Affects the Future of the EU AML Regime

The new Regulation on the Prevention of the Use of the Financial System for the Purposes of Money Laundering or Terrorist Financing (Regulation (EU) 2024/1624, Anti-Money Laundering Regulation, AMLR) emphasises the high importance of customer due diligence in preventing money laundering and terrorist financing. eIDAS 2.0 is expected to play a significant role in this context as money laundering and terrorist financing often involve a high number of cross-border transactions involving multiple jurisdictions. The interoperability of electronic identification processes under eIDAS 2.0 enables financial institutions and other entities to verify the identity of customers from different EU Member States seamlessly. This EU-wide standardisation will also likely simplify spotting suspicious customers or activities across borders.

The AMLR advocates a risk-based approach to managing financial transactions and the AML risks associated with them. eIDAS 2.0 provides the necessary tools for implementing this approach smoothly and cost-effectively by using secure electronic identification and trust services. These tools also enable obliged entities to know their clients and to assess and effectively mitigate the risks associated with their customers and transactions.

The Cornerstone of a Trustworthy Digital Environment

The provisions of eIDAS 2.0 for electronic identification and trust services empower users to control their personal data and engage in secure electronic transactions. By aligning with the GDPR and promoting transparency, user control, and data minimisation, eIDAS 2.0 ensures that privacy and data protection standards are still upheld in this new digital landscape.

Furthermore, the integration of eIDAS 2.0 with the new AMLR enhances the effectiveness of anti-money laundering measures by providing reliable electronic identification means and facilitating cross-border co-operation, while upgrading and simplifying the customer experience of KYC.

As the reliance on secure digital services continues to grow, the robust privacy, data protection, and AML framework established by and around eIDAS 2.0 will be crucial in maintaining user trust and safeguarding personal data in the European Union’s digital future.