NEWVenvera speaks your language: the full platform, in English, German, Spanish and Bulgarian.See what’s new →
The eIDAS 2.0 Deadline: What Happens by 24 December 2027
Learn

The eIDAS 2.0 Deadline: What Happens by 24 December 2027

·Alexander Sverdlov

The single eIDAS 2.0 date that binds private organisations is 24 December 2027. On that day, private relying parties that are required - by EU or national law, or by contract - to use strong user authentication for online identification must also accept the EU Digital Identity Wallet, whenever a user voluntarily chooses to present one. The duty sits in Article 5f of the amended eIDAS Regulation. It does not fall on every company: microenterprises and small enterprises are carved out, and the trigger is the strong-authentication requirement, not the industry label you file your accounts under. This guide sets out what happens by 24 December 2027, who it binds, how the date was fixed, and what to do in 2026 and 2027 to be ready.

Regulation (EU) 2024/1183 amends the original eIDAS Regulation (Regulation (EU) No 910/2014) and entered into force on 20 May 2024. From there the framework runs on a sequence of fixed milestones rather than one switch-on date. First, the facts at a glance.

Governing lawRegulation (EU) 2024/1183, amending Regulation (EU) No 910/2014 (the eIDAS Regulation), establishing the European Digital Identity Framework and the EU Digital Identity Wallet.
Entered into force20 May 2024
Wallet technical rules in forceThe first implementing regulations were published in the Official Journal on 4 December 2024 and entered into force on 24 December 2024. This is the date that starts the transition clock.
Member States provide a wallet24 December 2026 - at least one EU Digital Identity Wallet per Member State, 24 months after the implementing acts (the Commission frames this as "by the end of 2026").
Relying-party acceptance deadline24 December 2027 - 36 months after the implementing acts entered into force, under Article 5f.
Who is boundPrivate relying parties legally or contractually required to use strong user authentication for online identification, with the exception of microenterprises and small enterprises.
Sectors named in Article 5fTransport, energy, banking, financial services, social security, health, drinking water, postal services, digital infrastructure, education and telecommunications - listed as examples ("including in the areas of"), not a closed gating list.
eIDAS 2.0 timeline from entry into force on 20 May 2024 to the relying party wallet acceptance deadline on 24 December 2027

Who the 24 December 2027 deadline actually binds

The acceptance duty lives in Article 5f of the amended Regulation, and its wording matters. It applies to private relying parties that "are required by Union or national law to use strong user authentication for online identification or where strong user authentication for online identification is required by contractual obligation". Those parties must, no later than 36 months from the entry into force of the wallet implementing acts and only upon the voluntary request of the user, also accept European Digital Identity Wallets provided under the Regulation.

Two points are commonly misread. First, the trigger is the strong-authentication requirement, not your sector. Article 5f names transport, energy, banking, financial services, social security, health, drinking water, postal services, digital infrastructure, education and telecommunications, but it introduces them with the words "including in the areas of". That phrase makes the list illustrative. If you are legally or contractually required to use strong user authentication and you are not exempt, the duty can reach you even if your activity is not on that list; equally, being in a named sector does not by itself create the duty if no strong-authentication requirement applies to you. Second, microenterprises and small enterprises, as defined in Commission Recommendation 2003/361/EC, are excepted, so the acceptance obligation targets larger relying parties.

Calculation showing 24 December 2024 implementing acts entry into force plus 36 months equals the 24 December 2027 relying party deadline

Where the 24 December 2027 date comes from

The deadline is not a round-number guess. Article 5f pegs the acceptance duty to "36 months from the date of entry into force of the implementing acts" that set the wallet's technical rules. Those first implementing regulations were published in the Official Journal on 4 December 2024 and, twenty days later, entered into force on 24 December 2024. Add 36 months and you land on 24 December 2027.

The same anchor sets the earlier milestone. Member States must provide at least one European Digital Identity Wallet within 24 months of the implementing acts, which puts wallet availability at 24 December 2026 - the Commission describes this as making wallets available to citizens by the end of 2026. The ordering is deliberate: wallets have to exist before anyone can be required to accept them, so the 2026 provision milestone sits a year ahead of the 2027 acceptance deadline, giving relying parties real wallets to test against during the run-up.

What a relying party must actually do

Accepting the wallet is the headline duty, but it is not the only one. Under Article 5b, a relying party that intends to rely on European Digital Identity Wallets must register in the Member State where it is established, declare the attributes it intends to request, and then not request data beyond what it registered. In practice that means three things: register in your home Member State, design your identity flow to ask only for the attributes you genuinely need, and build the technical capability to accept and validate a wallet presentation. The acceptance obligation only bites "upon the voluntary request of the user", so the wallet is an option you must support, not a credential you can force on everyone.

This is the relying-party track. It runs in parallel with a separate, continuous track for trust service providers, and the two should not be confused.

Split of eIDAS 2.0 obligations between relying parties with the 2027 acceptance deadline and trust service providers with 24 month reassessment and 24 hour incident reporting

If you operate qualified trust services, your duties do not turn on the 2027 date at all. Under Article 20, qualified trust service providers must be audited at their own expense at least every 24 months by a conformity assessment body. Under Article 19, both qualified and non-qualified trust service providers must notify the supervisory body of any security breach or loss of integrity with a significant impact "without undue delay but in any event within 24 hours after having become aware of it". These are ongoing rhythms, not one-off deadlines, and they apply regardless of what happens in December 2027.

What to do in 2026

2026 is the year to prepare without pressure. Start by confirming scope: work through the Article 5f trigger - do you have a legal or contractual strong-authentication requirement, and do the microenterprise and small-enterprise thresholds exclude you - so you know whether the acceptance duty applies to you at all. Then run a gap assessment against the wallet requirements and map what is missing. As Member State wallets go live toward 24 December 2026, pilot wallet acceptance in a test flow so that the integration work is understood well before it becomes urgent.

eIDAS 2.0 readiness milestones by half year across 2026 and 2027, from scope confirmation to going live

What to do in 2027

2027 is delivery year. In the first half, integrate the wallet into your live identity and login journeys and test them in production conditions, not just in a demo. In the second half, complete your Article 5b registration in your home Member State and go live before 24 December 2027. Leaving integration and registration to the final weeks is the main avoidable risk, because acceptance has to work for real users on real wallets, and identity flows rarely behave the same in production as they do in a sandbox.

A practical readiness path

The window looks generous, but the work is real, and it breaks into six steps. Confirm scope against the Article 5f trigger. Inventory every identity and authentication flow that could accept the wallet. Run a gap assessment against the eIDAS wallet requirements. Reuse the security evidence you already hold from adjacent obligations. Plan the wallet integration and complete your Member State registration. Then test and go live before 24 December 2027.

Six step eIDAS 2.0 readiness path from confirming scope to going live before 24 December 2027

Frequently Asked Questions

What exactly happens on 24 December 2027?

Private relying parties that are legally or contractually required to use strong user authentication for online identification must, from that date, also accept the EU Digital Identity Wallet whenever a user voluntarily chooses to present one. The date is 36 months after the wallet implementing acts entered into force on 24 December 2024, and the obligation sits in Article 5f of the amended eIDAS Regulation.

Does the acceptance duty apply to my sector automatically?

No. Article 5f names sectors such as transport, energy, banking, financial services, health, education and telecommunications, but it introduces them with the words "including in the areas of", which makes the list illustrative rather than a closed gate. The actual trigger is a legal or contractual requirement to use strong user authentication. If that requirement applies to you and you are not exempt, the duty can reach you even outside the named sectors.

Are small companies exempt?

Yes, in part. Microenterprises and small enterprises, as defined in Commission Recommendation 2003/361/EC, are excepted from the Article 5f acceptance duty, so the obligation is aimed at larger relying parties. Check your headcount and turnover against that definition before assuming the duty applies.

When will the wallets actually exist?

Each Member State must provide at least one EU Digital Identity Wallet within 24 months of the implementing acts, which puts availability at 24 December 2026. The European Commission describes this as making wallets available to citizens by the end of 2026. That is why the acceptance deadline sits a year later: relying parties need real wallets to test against first.

Is eIDAS 2.0 a brand-new regulation?

No. Regulation (EU) 2024/1183 amends the original eIDAS Regulation, Regulation (EU) No 910/2014, rather than replacing it. Existing trust services carry forward, and the wallet framework and the relying-party acceptance duty are added on top. If you already run trust services, the Article 19 and Article 20 obligations you know continue to apply.

Getting eIDAS 2.0 ready with Venvera

Scope is the first thing to get right, because whether the Article 5f duty applies to you at all decides how much work sits ahead. The Venvera eIDAS 2.0 module turns the trigger test, the registration duties and the readiness path into a tracked gap assessment, so you can see where you stand rather than guess. Because the wallet requirements overlap with security controls you may already operate, the crosswalk engine lets you reuse evidence from adjacent frameworks such as NIS2 instead of rebuilding the same controls twice.

If you want a fast baseline before you plan the 2026 and 2027 work, run a free compliance check and use the scope questions above as your starting point. Because eIDAS 2.0 amends rather than replaces the original Regulation, your existing trust services carry forward while the wallet acceptance duty is layered on top.

Primary sources

This guide is drawn from the Regulation and official guidance: Regulation (EU) 2024/1183 (the amending Regulation, including Article 5b, Article 5f, Article 19 and Article 20); the European Commission's European Digital Identity (EUDI) Regulation pages; and the Commission's EU Digital Identity Wallet documentation on the implementing regulations and the end-of-2026 wallet milestone. Always confirm the current text before relying on a specific date or article.

Alexander Sverdlov

Alexander Sverdlov

CEO & Founder

Alexander is the founder of Venvera and a 20+ year veteran of European cybersecurity and compliance. He has led security and risk programmes for regulated financial institutions, fintechs and SaaS companies operating under DORA, NIS2, GDPR, ISO 27001 and the EU AI Act. Before Venvera, he founded Atlant Security, an offensive security consultancy that ran penetration tests, red-team exercises and ISO 27001 readiness programmes for clients across the EU and the Middle East. He writes on the cross-framework realities of running modern compliance: how to map one control to many obligations, where the spreadsheets fall apart, and what regulators are actually asking for once the auditor sits down.

More articles by Alexander

RELATED POSTS