The EU has eliminated restrictions on companies accessing the chip in identity cards imposed by member States like France and Germany. From 10/07/2025, companies across all EU Member States will be able to avoid costly, inefficient, document verification systems and rely on secure ID card chips instead. This comes because of the reform of Regulation (EU) 2019/1157[1].
Today’s identity fraud landscape is dominated by AI. It’s easier than ever to produce fake identity documents and deepfakes. With AI, attackers can cheat identity verification systems at scale, low cost, and no risk.
Companies will need more than AI to fight AI. The cryptography in ID card chips is the best defence against deepfakes. Attackers cannot defeat chip verification because deepfakes don’t have chips in their fake IDs.[2]
Today French and German companies can fight the persistent threat of deepfakes in the most secure way, now that access to the chip is possible.
In what may have seemed like a good idea at the time (August 2021), a number of States in the EU opposed private companies accessing chips in the newly issued eID cards. This was the case in France and Germany. In those States, only certain categories of civil servants could access the chip, such as border and police forces.
This forced companies to use unreliable document verification methods, although technically the ID card chips carried verifiable data, laws restricted access to the higher assurance capability.
In France, identity verification was governed by the PVID which required documents to be checked using Optical Character Recognition and document liveness. A human operator needed to manually check the document behind the scenes. Not only were the checks unreliable, but the impact of those requirements on speed, throughput, and costs were high.
These rules were put in place long before Deepfakes and Generative AI became mainstream technologies.
Regulation (EU) 2025/1208[3] replaced Regulation (EU) 2019/1157 following a dispute[4] on the legality of the latter.
Article 11(6) of Regulation 2025/1208 grants access to the portrait contained in the chip to private entities such as companies. Access is allowed for the purposes of verifying both the authenticity and the identity of the holder. The consent of the holder must be obtained to access the portrait inside the chip. Storage is limited to what is strictly necessary and the article points to EU data protection law.
The chip in eID cards contains the same information about the ID card holder as is printed, but with much higher quality and assurances. Why not see for yourself with this app?
The user’s high-resolution, full colour face-image is stored in the chip and can be read perfectly every time – no need for multiple attempts at taking the perfect photo of a plastic ID card with all its holograms, reflections and poor lighting conditions.
The extra data you don’t see printed, but is in the chip, are the data integrity and authenticity checks. Cryptography protects from a single pixel or character change and enables companies to verify that data is officially issued by the member state.
Regulation (EU) 2025/1208 forces EU Member States to lift the ban on accessing chipped data for private entities. The ban is lifted on accessing the portrait in the chip.
Countries like France and Germany will have to update their legislations to allow access to the portrait in the chip. This does not stop France and Germany making new legislation to ban access by private entities to the rest of the data groups in the chip. The ICAO technical standards place strong cryptographic protections on fingerprints and iris data, and these remain inaccessible to private companies.
Regulation (EU) 2019/1157 created common rules for identity cards in Europe. From its entry into force in August 2021, each new generation of an EU ID card had to have a chip compliant with the ICAO Doc 9303 standard (the same standard that governs passports).
[legend: With Regulation 2019/1157 all EU ID cards are the same size as a bank card and have a chip]
By harmonising rules on EU ID cards and strengthening their security, Regulation 2019/1157 aimed at reinforcing “the safety and security of the peoples of Europe”.[5] It would facilitate the verification of documents across Europe, and make identity fraud harder for criminals.
[legend – before Regulation 2019/1157, some documents were easier to forge than others]
[1] REGULATION (EU) 2019/1157 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement, recital (1)
[2] See this post on the conversation between one of the most “talented” fake document issuer and ethical hacker Jonathan Spedale: the chip is the only thing that cannot successfully be faked.
[3] Council Regulation (EU) 2025/1208 of 12 June 2025 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement
[4] CJEU Case C-61/22 / Judgment, RL v Landeshauptstadt Wiesbaden
[5] Regulation (EU) 2019/1157