eIDAS 1.0 aimed to harmonise identity assurance in the European Union. Through failing to designate levels of assurance for qualified certificate issuance and to define how to reach each level, it led to Member States creating their own patchwork of local identity verification frameworks. This imbalanced the qualified trust services competitive landscape because some carried a heavier regulatory burden than others.
eIDAS 2.0 solves this problem. It prescribes a level of assurance for qualified certificate issuance. Through an Implementing Act, it brings technical specifications for identity verification in the context of qualified certificate issuance. The Implementing Act is at the proposal stage at the time of writing and adoption is expected in the second half of May 2025. It will reshape qualified trust service businesses in several dimensions: revenue opportunity, operational costs, compliance, risk, and customer experience.
Among other things, the proposal requires NFC document chip verification in remote self-service qualified certificate issuance flows. Alternatively, it allows for human-in-the-loop video document presentation with stringent requirements on skilled people performing document security feature verification.
Once adopted, the new rules on identity verification will shape a new competitive landscape of qualified trust services. This paper examines the new dynamics through the lens of automated NFC document verification in the context of eIDAS 2.0. Qualified Trust Services Providers (QTSPs) that do not want to bring NFC into their portfolios should invest in people and processes to spot deepfakes and perform document verification by video stream. They must monitor state-of-the-art AI tools, tactics and procedures of attackers and invest in technologies that may or may not be able to spot new and evolving GenAI-powered threats to video-based verification.
QTSPs that have been legally constrained on using NFC, or relied on lenient assurance levels in member states’ jurisdictions will now have to catch up and implement NFC quickly to remain competitive.
QTSPs that already have mature NFC document verification that complies with ETSI TS 119 461 can focus on expanding market footprint into new territories that will remove legal barriers to using document chips.
This document explores the regulatory, technical and commercial aspects that change business requirements for QTSPs. It is not legal advice, and readers are encouraged to validate the research contained herein. Appendix A and Appendix B contain more details and links to resources.
eIDAS 1.0[1] created a framework for the cross-border provision of trust services, defining eSignatures, eSeals, and time stamps for the European market. One of its goals was to create a harmonised European trust services market where a qualified trust service “issued in one Member State [would] be recognised as a qualified electronic [trust service] in all other Member States”[2]. But the definition of trust services and the principle of their mutual recognition across Member States (MS) came without a common framework for a key component that underpins trust services: Identity Verification (IDV).
eIDAS 1.0 led to the creation of a patchwork of Member-State specific IDV aimed at solving this original weakness of the regulation. The diversity of IDV frameworks, combined with the principle of mutual recognition, led to a disharmonious European trust services market.
The differences between IDV standards meant that the QTSPs registered in one MS could rely on lenient identity verification standards, while the QTSPs of another MS had to comply with stricter standards.
The principle of mutual recognition meant that the QTSPs of all MS were treated equally and competed with one another whereas national eIDAS implementations meant they were providing services under varying cost structures, with varying levels of trust, security, and user experience. This established unfairness in how European QTSPs could compete with one another. It meant higher quality services were indistinguishable from lower priced “qualified” services. It led to opaque price and quality issues for buyers of QTSP services and undermined trust in qualified certificates across borders.
eIDAS 2.0[3] specifies a level of assurance (LoA) "high" must be used to issue qualified certificates (see details in Appendix A). The proposal for a new implementing act on IDV[4] under eIDAS is also set to harmonise the technical requirements for verifying identities under each LoA (see detailed research in Appendix B). The technical harmonisation of IDV relies on the technical specifications of a standard issued by the European Telecommunications Standards Institute (ETSI). The implementing act draft proposal adapts a small number of sections C3 of the Technical Specifications of ETSI 119 461 (the TS) but for the most part adopts it as is. If adopted, the proposal for an implementing act should lead to more fairness in competition in the trust services market.
QTSPs won’t be able to use lower standards of identity verification in lenient MS to compete on price. This could mean that certain QTSPs may soon have an opportunity to become competitive in markets that they once were priced out of. QTSPs that once were protected from competition because of a lower regulatory and cost burden may have to innovate or find new business models so as to remain competitive.
QTSPs that relied on a substantial LoA will have to upgrade to high LoA by May 21st, 2026. They will have several options: hybrid or self-service identity verification (more details in Annex B).
This increased competition is likely to benefit customers of QTSPs. The harmonisation of identity verification standards should increase transparency: it will be easier to know what you’re buying.
To service QTSPs, IPSPs need to offer a LoA High identity verification service or face losing market share. Those that already have a high LoA are likely to be at an advantage, with substantial LoA providers being blocked from the market until they upgrade.
eIDAS 2.0 will adopt the Technical Specification of ETSI 119 461 [5] that deal with several different aspects of IDV, from document verification to biometric verification, both in-person and remote.
There are two types of remote flows mentioned in ETSI 119 461 that can be used for qualified certificate issuance: fully self-service flows and hybrid flows.
In this remote IDV context, a candidate for a qualified certificate verifies their identity in self-service mode, using a fully automated IDV system. They aren’t assisted by an agent. In this context, the TS make the use of at least one digital identity document mandatory [6].
In other words, when remotely verifying their identity in a fully self-service flow to obtain a qualified certificate, a user may only rely on the NFC chip of an identity document. An optical verification of a document won't suffice in this scenario.
In Hybrid (human-in-the-loop) scenarios [7], where a user is remote and part of the verification is attended by a registration officer, document verification may not be done manually. [8] In this verification context, both digital documents and physical documents may be used and must be presented in a live video stream.
There are cost implications of training expert document verifiers to be on hand 24/7, user experience issues of performing correct presentation of documents to show optically varying devices, and still the ever-growing threat of deepfake-enabled attackers fooling even trained professionals.
At the time of writing, countries like France or Germany still restrict access to the chip in identity cards and passports. QTSPs registered in those countries may therefore not enable users from those countries to go through self-service flows. Unsurprisingly, ETSI opposes national laws that restrict access to the chip, calling such restriction a threat to secure IDV [9].
A recent court case[11] is adding pressure to change the laws restricting use of NFC. The CJEU ruled the Regulation 2019/1157 [10] on eID cards invalid. The Commission has until the end of 2026 to change the eID regulation. [12]
A draft proposal for reforming Regulation 2019/1157 was published on December 13th, 2024. The changes proposed include that access to “the facial image stored in the storage medium of identity cards and residence documents” be granted including to “private entities for the purposes of verifying the authenticity of the document and/or verifying the identity of the Holder”. [13] Such access by private entities will require the consent of the holder, [14] compliance with EU norms on data protection. [15]
When the proposal for a Reform of the 2019/1157 Regulation on eID cards will be adopted, QTSPs will be able to rely on self-service IDV flows to issue qualified certificates to any person holding a chipped identity document issued in the EU.
There are obvious cost savings linked to operating a self-service certificate issuance flow. Those, together with the high penetration of chipped documents in the EU[16] as well as the user experience benefits of using chip verification rather than document liveness, place QTSPs operating self-service qualified certificate issuance flows in a better position than their competitors relying on hybrid flows.
Hybrid identity verification will likely become a fall back to self-service IDV for citizens that cannot rely on a chipped identity document to use a self-service flow, or for QTSPs established and operating in countries that do not allow chip verification.
QTSPs solely relying on hybrid flows are likely to be at a disadvantage compared to their competitors delivering certificates in self-service flow because of the cost of operating an assisted flow and lower user experience.
QTSPs relying on hybrid flows are encouraged by the TS to rely on a chip verification[17]. They may still rely on optical verification of a physical document, but in this case the user journey involves many more steps than using chip verification. The TS require taking photos of front and rear of documents, live video presentation of two optically varying devices (holograms) and proving the legitimate document holder is presenting the document requires high data bandwidth and low latency (see Appendix B for the technical specifications on optical document verification).
QTSPs find themselves in different states of readiness for the reorgnisation of the market that eIDAS 2 and its integration of the TS are about to generate. Some will have more catching up to do that others.
TSPs from states that restricted chip access - Provided that those restrictions are lifted, QTSPs from states that restricted access to the chip of identity documents will need to catch up fast. They will compete with the QTSPs of states that have a long history of doing chip verification. Those will be ready to penetrate their market with cheaper, more user friendly self-service qualified certificate issuance services.
QTSPs from states that never restricted chip access - those will be advantaged, especially if they support most chipped identity documents. For those, coverage will become important. Support of multiple chipped documents will enable them to extend their market outreach beyond their national borders. Those that only support their national identity documents will need to catch up.
The QTSPs of States that required video-ident, such as Spain, will need to catch up with full self-service flows. They will compete with the QTSPs of Member States that did not require video-ident and allowed chip verification, such as the Netherlands.
The Implementing Act Draft Proposal should be adopted in the second half of May, 2025 [18]. It is expected to be adopted as is. QTSPs that submitted a conformity assessment before May 20th, 2024 will have until May 21st, 2026 to submit a new conformity assessment [19]. They will be assessed based on the TS of ETSI 119 461, as integrated in eIDAS 2.0, as opposed to being assessed on national frameworks like the PVID in France.
As for countries that restrict access to the chip in their digital identity documents, such as France and Germany, it’s expected that a reform of Regulation 2019/1157 on eID cards will force them to let private companies access the chip in identity cards.
QTSPs looking for NFC document verification to offer low-cost, high availability, fully automated IDV should allocate product marketing resources to assess building or buying the capability. QTSPs that have been legally constrained on using NFC, or relied on lenient assurance levels in member states’ jurisdictions will now have to catch up and implement NFC quickly to remain competitive.
QTSPs that already have mature NFC document verification that complies with ETSI TS 119 461 can focus on expanding market footprint into new territories that will remove legal barriers to using document chips.
Article 24 of eIDAS 1.0 established a list of methods for remote IDV in the context of remote qualified certificate issuance. Could be used for instance "electronic identification means, for which prior to the issuance of the qualified certificate, a physical presence of the natural person or of an authorised representative of the legal person was ensured and which meets the requirements set out in Article 8 with regard to the assurance levels ‘substantial’ or ‘high’". [20] This introduced the possibility to use either of a High Level of Assurance (LoA) or a Substantial LoA [21] IDV method to issue a qualified certificate.
But eIDAS 1.0 failed to provide clear, harmonized technical requirements to be met under each LoA. While an Implementation Act on "setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of [eIDAS 1.0]" [22] was indeed published in September 2015, much was left to the interpretation of individual MS. The Implementing act under eIDAS 1.0 on IDV failed to designate with precision what identity attributes should be verified in the context of eIDAS certificate issuance: "(5) Depending on the context in which an aspect of evidence of identity needs to be verified, authoritative sources can take many forms, such as registries, documents, bodies inter alia. Authoritative sources may be different in the various Member States even in a similar context”. [23]
The same implementing act makes the MS’s identity verification tradition the basis IDV in the context of eIDAS trust services provision. It sets out that in this context, IDV “should take into account different systems and practices, while ensuring sufficiently high assurance in order to establish the necessary trust. Therefore, acceptance of procedures used previously for a purpose other than the issuance of electronic identification means should be made conditional upon confirmation that those procedures fulfil the requirements foreseen for the corresponding assurance level". [24]
This left it up to the eIDAS supervisory body [25] of each Member State not only to determine what LoA should be used for issuing qualified certificates but also to create technical specifications for identity verification in the context of qualified certificate issuance.
This openness to interpretation meant some Member States went as far as creating entire national identity verification frameworks, creating a fragmented patchwork of local identity verification implementations by QTSPs. To illustrate this, France’s national identity verification framework under eIDAS (PVID) [26] contains 46 pages of requirements QTSPs must follow to verify identities. Romania’s equivalent [27] contains 16 pages of requirements.
Under eIDAS 1.0, a qualified certificate could be issued using a high or substantial LoA IDV [28]. The biggest change that IDAS 2.0 brings is only allowing High LoA IDV for issuing qualified certificates [29].
A substantial LoA will no longer be sufficient to issue a qualified trust certificate.
On April 15th 2025, the EU Commission published a Draft Proposal for an Implementing Act on “laying down rules for the application of [eIDAS 2.0] as regards reference standards for the verification of the identity and attributes of person to whom the qualified certificate or the qualified electronic attestation of attributes is to be issued” (the Implementing Act Draft Proposal). [30]
Its ambition is to “ensure legal certainty and trustworthiness of the result of the verification process” by creating a framework so that “verifications [are] be carried out in the same manner by all qualified trust service providers issuing a qualified certificate or a qualified electronic attestation of attributes”. [31]
The Implementing Act Draft Proposal designates the Technical Specification of ETSI TS 119 461 (the TS) as the new common framework for identity verification for QTSPs. The TS was published in February 2025 with the ambition to: “be applicable for reference from an implementing act according to Article 24.1c of the amended eIDAS regulation, setting out minimum technical specifications, standards and procedures with respect to the verification of identity and attributes in accordance with Articles 24.1, 24.1a, and 24.1b of the amended eIDAS regulation”.
Appendix B dives into how the TS define digital identity documents and what technical standards it sets for their verification.
The TS define a digital identity document as follows: “identity document that is issued in a machine-processable form, that is digitally signed by the issuer, and that is in purely digital form”. According to the notes under this definition, the candidate to a qualified certificate in this verification context may rely on “an electronic Machine Readable Travel Document (eMRTD) contained in a passport or national identity card”. The notes exclude “optical scanning of a physical identity document” from the definition of digital document.
When remotely verifying their identity in a fully self-service flow, a qualified certificate candidate may therefore only rely on the chip of an identity. This excludes candidates that do not have a chipped document from using self-services flows for qualified certificate application. Verifying a picture of an identity document using AI and computer vision, in this verification context, is no longer sufficient to issue a qualified certificate.
While users may only experience a chip scan, the TS mean that Identity Proofing Service Provider (IPSP), section 8.3.2 of the TS set out requirements on what happens behind the scenes to ensure that the chipped data is authentic and that the chip is not a copy of an original.
The verification must be done in an environment that is controlled by “the actor responsible for the identity proofing process in a manner that ensures authenticity, integrity, and confidentiality of the document content”. [33] For instance, the IPSP should not let users perform the verification of chipped data locally on a users’ untrusted phone. This should be done on a trusted server, where the IPSP has full control over the verification process.
A document may only be deemed valid when the “digital signature on the document is successfully validated”. [34] This may mean that “the cryptographic checks of the signature (including checks of hashes of individual data objects that have been signed indirectly) succeeded as well as all checks prescribed by the signature validation policy have been passed”. [35] For eMRTD documents following the ICAO 9303 part 10 [2] standard [36], the hashes of the chipped data need to be checked against the Country Signing Certificates.[37, 38]
When available, the IPSP should check document validity against a revoked, suspended, or reported as lost/stolen database. [39] This stops an authentic but invalid document being used for IDV. Note that only a handful of countries make such services available to IPSPs. There isn’t to this date an international service that IPSP may call to comply with this requirement.
The IPSP needs to ensure that the chip is not a copy of an original.[40, 41]
The face photo contained in the digital identity document must be extracted to enable binding to applicant. [42]
When a physical document is checked in this context, document verification implies several steps both for the user and behind the scenes. The quality requirements of the verification context, and the document security requirements may exclude some users.
Below are some of the key requirements for remote physical document verification.
The IPSP must check that:
The physical document verification must be done:
NOTES
[1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, referred to in this article as eIDAS 1.0
[2] Articles art. 25(3), 35(3) and 41(3) eIDAS 1
[3] Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework, referred to as eIDAS 2.0
[4] COMMISSION IMPLEMENTING REGULATION laying down rules for the application of [eIDAS] as regards reference standards for the verification of the identity and attributes of person to whom the qualified certificate or the qualified electronic attestation of attributes is to be issued, draft proposal
[5] ETSI TS 119 461 V2.1.1 (2025-02) "Electronic Signatures and Trust Infrastructures (ESI) - Policy and security requirements for trust service components providing identity proofing of trust service subjects",
[6] See USE-9.2.3.4-01X of ETSI TS 119 461 V2.1.1 (2025-02)
[7] Governed by sections 9.2.3.3 and 9.2.2.3 of ETSI TS 119 461 V2.1.1 (2025-02)
[8] see [CONDITIONAL] QTS-C.3.4-04 of ETSI TS 119 461 V2.1.1 (2025-02)
[9] see “Annex B (informative) - Threats to identity proofing”, of ETSI TS 119 461 V2.1.1 (2025-02)
[10] Proposal for a COUNCIL REGULATION on strengthening the security of identity cards of Union citizens and of residence documents, issued to Union citizens and their family members exercising their right of free movement, 13/12/2024
[11] See CJEU Case C-61/22 / Judgment, RL v Landeshauptstadt Wiesbaden
[12] "2. The effects of Regulation 2019/1157 are to be maintained until the entry into force, within a reasonable period which may not exceed two years from 1 January of the year following the date of delivery of the present judgment, of a new regulation based on Article 77(3) TFEU and intended to replace it" - CJEU Case C-61/22 / Judgment, RL v Landeshauptstadt Wiesbaden
[13] Preamble, subsection 20, Proposal for a COUNCIL REGULATION on strengthening the security of identity cards of Union citizens and of residence documents, issued to Union citizens and their family members exercising their right of free movement, 13/12/2024
[14] article 11(6) of Proposal for a COUNCIL REGULATION on strengthening the security of identity cards of Union citizens and of residence documents, issued to Union citizens and their family members exercising their right of free movement, 13/12/2024
[15] Art. 11(7) of Proposal for a COUNCIL REGULATION on strengthening the security of identity cards of Union citizens and of residence documents, issued to Union citizens and their family members exercising their right of free movement, 13/12/2024
[16] In Europe, all Member States are required to issue identity cards with chips since Regulation 2019/1157. Penetration of chipped identity documents within the European population is high and growing.
[17] "NOTE 2: A digital identity document will yield more reliable evidence validation than a physical identity document", [CONDITIONAL] USE-9.2.2.3-01X
[18] Track the progress of the reform on the Commission’s website
[19] Subsection 3 Proposal for an Implementing Act on “laying down rules for the application of [eIDAS] as regards reference standards for the verification of the identity and attributes of person to whom the qualified certificate or the qualified electronic attestation of attributes is to be issued”
[20] eIDAS 1.0, art. 24 (1)(d)
[21] Those are defined under eIDAS 1 under article 8(2)(b) and (c)
[22] COMMISSION IMPLEMENTING REGULATION (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market,
[23] COMMISSION IMPLEMENTING REGULATION (EU) 2015/1502 of 8 September 2015 (5)
[24] COMMISSION IMPLEMENTING REGULATION (EU) 2015/1502 of 8 September 2015 (6)
[25] eIDAS supervisory bodies are governed by section 2 of eIDAS. They are designated by their Member State. Their mission is to “supervise qualified trust service providers established in the territory of the designating Member State to ensure, (…) that those qualified trust service providers and the qualified trust services that they provide meet the requirements laid down in this Regulation”” Art. 17(3)(a) eIDAS 1.0
[26] Prestataire de Vérification d’Identité à Distance - https://cyber.gouv.fr/sites/default/files/document/PVID_referentiel-exigences_v1.1.pdf
[27] Norma din 2021 privind reglementarea, recunoaşterea, aprobarea sau acceptarea procedurii de identificare a persoanei la distanţă utilizând mijloace video - https://www.adr.gov.ro/identificare-la-distanta-prin-mijloace-video/
[28] Article 24(1)(b) eIDAS 1.0
[29] “Article 24 is amended as follows:
(a) paragraph 1 is replaced by the following:
‘1. When issuing a qualified certificate or a qualified electronic attestation of attributes, a qualified trust service provider shall verify the identity and, if applicable, any specific attributes of the natural or legal person to whom the qualified certificate or the qualified electronic attestation of attributes is to be issued.
1a. The verification of the identity referred to in paragraph 1 shall be performed, by appropriate means, by the qualified trust service provider, either directly or by means of a third party, on the basis of one of the following methods or, when needed, on a combination thereof in accordance with the implementing acts referred to in paragraph 1c:
(a) by means of the European Digital Identity Wallet or a notified electronic identification means which meets the requirements set out in Article 8 with regard to assurance level high;
(b) by means of a certificate of a qualified electronic signature or of a qualified electronic seal, issued in compliance with point (a), (c) or (d);
(c) by using other identification methods which ensure the identification of the person with a high level of confidence, the conformity of which shall be confirmed by a conformity assessment body;”, eIDAS 2.0
[31] Subsection 2 of the Recitals of the Proposal
[32] Section 1 Electronic Signatures and Trust Infrastructures (ESI); Policy and security requirements for trust service components, providing identity proofing of trust service subjects
[33] CONDITIONAL] VAL-8.3.2-01
[34] VAL-8.3.2-02
[35] VAL-8.3.2-02, referring to ETSI 319 102-1 - V1.1.1 - Electronic Signatures and Infrastructures (ESI);Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation, art. 5.1.1
[36] ICAO 9303 part 10 [2] is a standard which governs the chip inside identity documents
[37] VAL-8.3.2-02
[38] More on Country Signing Certificates and the role they play in digital document authenticity verification in this blog post: https://www.inverid.com/blog/authenticity-electronic-passports
[39] CONDITIONAL] VAL-8.3.2-03
[40] For more information on what clone detection is, check this blog article: https://www.inverid.com/blog/cloning-detection-epassports
[41] CONDITIONAL] VAL-8.3.2-04X
[42] VAL-8.3.2-06
[43] [CONDITIONAL] USE-9.2.3.3-03X referring to VAL-8.3.3-01
[44] [CONDITIONAL] USE-9.2.3.3-03X referring to [CONDITIONAL] VAL-8.3.3-02X
[45] [CONDITIONAL] VAL-8.3.3-12X
[46] [CONDITIONAL] VAL-8.3.3-07A – this implies that government-issued identity documents which contain too little security elements may not be used in this verification context.
[47] VAL-8.3.3-07B
[48] [CONDITIONAL] USE-9.2.3.3-03X referring to VAL-8.3.3-03
[49] [CONDITIONAL] USE-9.2.3.3-03X referring to [CONDITIONAL] VAL-8.3.3-04A and B
[50] [CONDITIONAL] VAL-8.3.3-04A
[51] [CONDITIONAL] VAL-8.3.3-05C
[52] [CONDITIONAL] USE-9.2.3.3-03X referring to [CONDITIONAL] VAL-8.3.3-05A and B