The EU eIDAS 2.0 regulation
The regulation is in force. Acceptance obligations start December 2026.
eIDAS 2.0 changes what organisations are legally required to accept, what they may be required to issue, and how they must handle trusted digital proofs in existing processes.
This is not a regulation about wallets. It is a regulation about trust infrastructure: who can issue trusted credentials, under which conditions they must be accepted, and what evidence must be retained when a digital proof is used to make a decision.
The obligations vary by sector and role. But for most organisations in regulated industries, the question is no longer whether to prepare. It is how quickly the obligation reaches their specific processes.
Organisations that currently rely on manual document checks, uploaded PDFs, screen-scraped data or informal identity verification will need to replace those processes with standards-based credential acceptance.
eIDAS 2.0 does not add a new channel alongside existing ones: it defines the standard by which trusted digital proofs must be issued, accepted and verified going forward.
What this requires from your organisation.
eIDAS 2.0 creates obligations across six operational areas. The weight of each depends on whether your organisation acts as a relying party, an issuer, or both.
Relying-party acceptance
Public services requiring identity data must accept EUDI Wallet presentations by the end of 2026. Regulated private services requiring strong authentication follow within 36 months of the relevant Implementing Acts. Very Large Online Platforms are subject to mandatory acceptance under the DSA.
Acceptance is not optional once the obligation applies. It requires verified credential processing, trust registry lookups and a documented acceptance policy.
Issuer obligations
Public bodies, qualified trust service providers and private organisations issuing professional certificates, mandates or role-based credentials will need conformant issuance infrastructure.
Conformant issuance requires support for SD-JWT VC, mdoc or W3C VC formats, integration with trust registries, revocation infrastructure and audit-ready issuance records.
Trust frameworks
The eIDAS 2.0 Architecture and Reference Framework (ARF) defines the trust model. Credential types, issuer authorisations and wallet certifications are registered in national and European trust registries.
Relying parties must resolve trust at the point of verification: confirming the issuer is listed, the credential type is accepted, and the presenting wallet is certified.
Policy enforcement
Accepting a credential is not a binary act. Organisations must evaluate whether a presented proof meets specific requirements: the right credential type, issued by an authorised issuer, within a valid period, not revoked and sufficient for the specific process or access decision.
This requires a policy engine that evaluates these conditions in real time and returns a documented go/no-go decision.
Auditability
Every credential verification used to support a business decision must be traceable. Regulators, auditors and insurers require evidence that a specific proof was checked, that the issuer was trusted and that the policy applied was appropriate.
Immutable verification records, signed at the time of the decision, are the basis for demonstrating compliance and defending decisions after the fact.
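The checks listed under Policy enforcement and the signed record described under Auditability can be combined as follows. This is an added example, not Sphereon or VDX code. Every name and value in it is constructed, the in-memory issuer and revocation sets stand in for trust registry and status lookups, and an HMAC stands in for a real signature over the record.

```python
import hashlib, hmac, json
from datetime import datetime, timezone

# Constructed sample data; a real verifier resolves these from trust registries and status lists.
TRUSTED_ISSUERS = {"https://issuer.example": {"ProfessionalCertificate"}}
REVOKED_IDS = {"cred-002"}
AUDIT_KEY = b"demo-only-key"  # assumption: HMAC stands in for a managed signing key
POLICY = {"id": "onboarding-v1", "accepted_types": {"ProfessionalCertificate"},
          "required_claims": {"holder_name", "licence_number"}}
NOW = datetime(2027, 1, 15, tzinfo=timezone.utc)
CRED = {"id": "cred-001", "type": "ProfessionalCertificate",
        "issuer": "https://issuer.example",
        "valid_from": datetime(2026, 6, 1, tzinfo=timezone.utc),
        "valid_until": datetime(2028, 6, 1, tzinfo=timezone.utc),
        "claims": {"holder_name": "A. Example", "licence_number": "L-0001"}}

def evaluate(cred, policy, now):
    """Run every check (no short-circuit) so the record shows exactly which ones failed."""
    checks = {
        "type_accepted": cred["type"] in policy["accepted_types"],
        # An unknown issuer yields an empty set, so the check fails closed.
        "issuer_authorised": cred["type"] in TRUSTED_ISSUERS.get(cred["issuer"], set()),
        "within_validity": cred["valid_from"] <= now < cred["valid_until"],
        "not_revoked": cred["id"] not in REVOKED_IDS,
        "sufficient_for_process": policy["required_claims"] <= set(cred["claims"]),
    }
    return ("go" if all(checks.values()) else "no-go"), checks

def _canonical(body):
    # Stable serialisation so the MAC covers the same bytes at write and at audit time.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def audit_record(cred, policy, now):
    """Evaluate the credential and return a decision record sealed at decision time."""
    decision, checks = evaluate(cred, policy, now)
    record = {"credential_id": cred["id"], "issuer": cred["issuer"],
              "policy_id": policy["id"], "decided_at": now.isoformat(),
              "checks": checks, "decision": decision}
    record["mac"] = hmac.new(AUDIT_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return record

def verify_record(record):
    """Recompute the MAC over everything except the MAC itself; False means altered."""
    body = {k: v for k, v in record.items() if k != "mac"}
    expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["mac"])
```

The record stores the policy identifier and the outcome of each individual check, so a later review can see which policy was applied and why a presentation was rejected, not only that it was.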
Integration with IAM, ERP and GRC
eIDAS 2.0 does not replace existing systems. It adds a trust layer that must connect to identity and access management platforms, ERP procurement and invoicing workflows, and GRC compliance tracking.
Verification results must flow into the systems that act on them. Evidence must be retained in the systems that report on them.
What this requires in practice.
Each of the six areas above requires infrastructure: APIs for credential verification, trust registry connectors, policy configuration, revocation checking and signed audit records.
Most organisations will not build this infrastructure from scratch. They will integrate it into existing systems as a trust layer that handles credential operations and returns structured results to the systems already in place.
The integration points are well-defined. The standards are published. The missing piece for most organisations is a production-ready layer that implements those standards and connects to their stack.
Sphereon provides that layer. The VDX platform handles OID4VCI issuance, OID4VP verification, trust registry resolution, policy enforcement and audit evidence generation as a single, production-ready infrastructure component.
VDX connects to existing IAM, ERP and GRC systems without requiring organisations to rebuild their identity or compliance architecture.
Prepare your organisation for eIDAS 2.0.
Discuss your acceptance obligations, issuer requirements and integration approach with the Sphereon team.