eIDAS 2.0 Levels of Assurance: A Guide for Digital Identity
eIDAS 2.0 is revolutionizing digital identity in the EU, introducing a framework for secure and interoperable electronic identification. Understanding its Levels of Assurance (LoA) is crucial for businesses and individuals.

Standardized Trust: eIDAS 2.0 establishes a unified framework for digital identity across the EU, ensuring interoperability and mutual recognition of electronic identification schemes.
Three Levels of Assurance: The regulation defines 'low,' 'substantial,' and 'high' LoAs, each with specific requirements for identity proofing, authentication, and security measures, corresponding to the risk associated with the transaction.
Impact on Businesses: Companies operating in the EU must understand and implement appropriate LoAs for their services, influencing their identity verification processes, fraud prevention strategies, and compliance efforts.
Reusable KYC and Didit: Didit's eIDAS2-compatible Reusable KYC module aligns perfectly with the goals of eIDAS 2.0, enabling users to verify once and securely share their identity across multiple platforms, enhancing efficiency and user experience.
The digital world is constantly evolving, and with it, the need for robust and reliable ways to prove identity online. In the European Union, the eIDAS Regulation (electronic IDentification, Authentication and trust Services) has been the cornerstone of digital trust since 2014. Now, eIDAS 2.0 is set to usher in a new era, with a particular focus on enhancing the security and interoperability of digital identity across member states.
A central pillar of eIDAS 2.0, and indeed the original regulation, is the concept of 'Levels of Assurance' (LoA). These levels define the degree of confidence in the identity asserted by a person, providing a standardized way to assess the reliability of electronic identification. For any business or individual operating within the EU's digital single market, understanding these LoAs is not just beneficial but essential.
What are eIDAS Levels of Assurance?
eIDAS 2.0 defines three distinct Levels of Assurance for electronic identification means: Low, Substantial, and High. These levels are not arbitrary; they are meticulously defined based on the confidence that can be placed in a person's identity claim, considering the rigor of the identity proofing process, the security of the credential, and the robustness of the authentication mechanism.
- Low: This level provides a limited degree of confidence in the asserted identity. It typically involves basic identification methods where the risk of identity theft or misuse is considered low. For example, accessing a public library's online catalog might only require a 'low' LoA, relying on a username and password with minimal identity verification during registration.
- Substantial: This level provides a substantial degree of confidence in the asserted identity. It requires more stringent identity proofing and authentication processes, suitable for transactions where the risk of identity theft or misuse is moderate. A common example would be online banking access, where users might need to authenticate with a two-factor method after an initial, more thorough registration process involving ID document verification.
- High: This level provides a high degree of confidence in the asserted identity. It demands the most rigorous identity proofing and authentication methods, designed for transactions with significant risks, such as high-value financial transfers, sensitive government services, or accessing critical infrastructure. This often involves face-to-face verification, biometric checks, and cryptographic security measures, like those provided by NFC document reading for e-passports.
Each LoA dictates specific technical and organizational requirements, from the type of data collected during identity verification to the cryptographic strength of the authentication methods used. The goal is to ensure that the level of trust in a digital identity is commensurate with the potential risks of the transaction being performed.
The Implications of eIDAS 2.0 for Businesses
eIDAS 2.0, with its emphasis on the European Digital Identity Wallet (EUDIW) and strengthened LoAs, will have profound implications for businesses across the EU. Companies will need to:
- Adapt Identity Verification Processes: Businesses will need to assess their current identity verification workflows to ensure they meet the appropriate LoA for their services. For instance, a fintech company offering micro-loans might need to move from 'low' to 'substantial' or even 'high' LoA for their onboarding process, requiring more advanced ID verification and biometric checks.
- Enhance Fraud Detection: Higher LoAs inherently lead to better fraud prevention. By requiring more robust identity proofing, businesses can significantly reduce the risk of synthetic identity fraud, account takeovers, and other malicious activities. For example, a gaming platform that previously only asked for email verification might now implement 'substantial' LoA for withdrawals, using ID verification and liveness detection to prevent fraud and comply with AML regulations.
- Ensure Compliance: Operating within the EU means adhering to eIDAS 2.0. Non-compliance can lead to significant penalties and reputational damage. This includes not only the technical implementation of LoAs but also ensuring data privacy and security in line with GDPR.
- Leverage Interoperability: The mutual recognition of eIDAS-compliant electronic identification means across member states will simplify cross-border transactions. A Spanish citizen, having verified their identity to a 'high' LoA in their home country, could use that same verified identity to access services in Germany without needing to re-verify from scratch.
The shift towards eIDAS 2.0 is not just a regulatory burden; it's an opportunity for businesses to build stronger trust with their customers, streamline onboarding, and expand their reach across the European digital landscape.
Practical Examples of LoA in Action
To better understand how LoAs apply in real-world scenarios, let's consider a few examples:
- Online Retailer (Low LoA): A customer wants to browse products and make a small purchase (e.g., under €50). A 'low' LoA might be sufficient, requiring only an email address and password for account creation. The risk of fraud for such a small transaction is minimal, and the identity proofing is basic.
- Digital Bank Account Opening (Substantial/High LoA): For opening a new bank account or applying for a significant loan, a 'substantial' or 'high' LoA is crucial. This would involve robust ID document verification (e.g., scanning a passport or ID card), liveness detection to prevent deepfake attacks, and potentially a face match against the document photo. Some high-value accounts might even require NFC document reading for cryptographic assurance.
- E-Health Services (Substantial/High LoA): Accessing sensitive medical records or engaging in teleconsultations typically requires a 'substantial' or 'high' LoA. This ensures that only the authorized patient or healthcare professional can access sensitive health data, often involving multi-factor authentication linked to a government-issued ID.
- Age Verification for Restricted Content (Substantial LoA): Platforms offering age-restricted content (e.g., gambling, adult content, alcohol sales) need to reliably verify user age. An 'Age Estimation' module that triggers full ID verification if the estimate is near the threshold, combined with liveness detection, would constitute a 'substantial' LoA, preventing minors from accessing inappropriate content.
How Didit Helps: Aligning with eIDAS 2.0 and Reusable KYC
Didit is at the forefront of digital identity, offering an all-in-one platform that directly addresses the challenges and opportunities presented by eIDAS 2.0. Our comprehensive suite of identity verification, biometrics, fraud detection, and compliance tools is designed to help businesses meet the varying Levels of Assurance with ease and efficiency.
Didit's modular architecture allows businesses to construct custom identity workflows that align precisely with the required LoA for any given transaction. For a 'low' LoA, a simple email verification and IP analysis might suffice. For 'substantial' or 'high' LoAs, Didit offers:
- ID Document Verification: Supports 14,000+ document types across 220+ countries, providing robust identity proofing.
- NFC Document Reading: For government-grade identity assurance, aligning with the highest LoA requirements.
- Passive and Active Liveness Detection: To combat spoofing and deepfakes, ensuring the user is a real, live person.
- Face Match 1:1: Biometrically confirms the user is the legitimate document owner.
- AML Screening: Real-time checks against global watchlists for compliance.
Crucially, Didit’s Reusable KYC module is specifically designed to be eIDAS2-compatible. This allows users to verify their identity once to a high LoA and then securely reuse their credentials across multiple platforms with biometric re-authentication. This not only significantly enhances user experience by reducing friction but also aligns perfectly with the EUDIW's vision of a portable and trusted digital identity.
By leveraging Didit, businesses can ensure they are compliant with eIDAS 2.0, optimize their identity verification costs, and provide a seamless, secure, and trustworthy experience for their users, all while maintaining the appropriate Level of Assurance for every digital interaction.
Ready to Get Started?
Navigating the complexities of eIDAS 2.0 and its Levels of Assurance doesn't have to be daunting. With Didit, you gain a powerful partner to build robust, compliant, and user-friendly digital identity solutions. Explore our platform today and see how easy it is to implement the right LoA for your business needs.