eIDAS 2.0 Levels of Assurance, Mapped to Didit's Checks
eIDAS 2.0 grades electronic identification at three levels of assurance — Low, Substantial, High. Here's what each level requires and how Didit's document, NFC, liveness, and biometric checks support the higher tiers.

eIDAS 2.0 is the EU's framework for electronic identification and trust services — the rules that govern how a digital identity can be trusted across borders, and the basis for the upcoming European Digital Identity Wallet. At its core sits a deceptively simple idea: not all identity proofing is equal. eIDAS grades electronic identification into three Levels of Assurance (LoA) — Low, Substantial, and High — each demanding progressively stronger evidence that the person behind a digital identity is who they claim to be.
If you're building in a regulated EU market, you need to know which level your onboarding reaches, and what it takes to climb. This post maps the three levels to the checks Didit performs — document verification, Near-Field Communication (NFC) chip reading, active and passive liveness, and biometric face match — and shows how to compose them to support higher assurance.
Key takeaways
- eIDAS 2.0 defines three Levels of Assurance for electronic identification: Low, Substantial, High — each tied to how rigorously identity is proofed and how resistant the process is to attack.
- The level depends on the strength of identity evidence, the binding between the person and that evidence, and the resistance to spoofing and impersonation.
- Didit's checks map directly to the higher tiers: authoritative document verification, cryptographic NFC chip reading, liveness, and biometric face match.
- Didit's Presentation Attack Detection is independently tested to iBeta Level 1 (ISO/IEC 30107-3) with 0% attack success across 360 attempts — concrete, audited spoof resistance.
- Didit is aligned to and supports eIDAS 2.0 assurance requirements; it is not a certified Qualified Trust Service Provider (QTSP). Its role is to supply the high-assurance proofing layer, not to issue qualified certificates.
- A higher-assurance flow is composable: stack document + NFC + liveness + face match through Didit's no-code Workflow Builder, starting from a $0.33 core flow with 500 free checks per month.
What the standard requires
eIDAS Levels of Assurance describe the degree of confidence in a claimed identity. The Commission's implementing rules break the requirements down across the identity lifecycle — enrolment (proofing the identity), the means of identification, and the management and authentication that follow. The three levels:
- Low — a limited degree of confidence. Identity proofing can rely on relatively weak evidence; the goal is to reduce the risk of misuse, not eliminate it. Suitable for low-risk services.
- Substantial — a substantial degree of confidence. Proofing must verify the identity against an authoritative source and confirm the applicant is the genuine holder of the claimed identity. The process must be resistant to a meaningful range of attacks.
- High — the highest degree of confidence. Requires verification against authoritative sources, strong binding of the person to genuine identity evidence, and resistance to sophisticated attacks — including presentation attacks against any biometric step.
The practical lever between Substantial and High is the quality of the evidence (does it come from a tamper-proof, authoritative source?) and the strength of anti-spoofing controls (can the process defeat masks, replays, deepfakes, and document forgeries?).
Why it matters
Picking the wrong assurance level cuts both ways. Aim too low and your service fails to meet the legal threshold for the activity — for a regulated financial relationship, "Low" simply isn't enough. Aim too high without the right tooling and you bolt on expensive, friction-heavy steps that drive applicants away.
eIDAS 2.0 also matters because the European Digital Identity Wallet — which member states must offer to citizens — is built on these levels. Services that want to accept or issue identity attestations need to understand which assurance level their proofing reaches. Choosing a verification stack whose checks clearly support Substantial-to-High assurance future-proofs you for that ecosystem.
How Didit helps
Didit supplies the high-assurance identity-proofing layer that eIDAS Substantial and High depend on. Each check maps to an assurance requirement:
| Check | What it proves | Assurance contribution |
|---|---|---|
| ID Verification ($0.15) | The document is authentic, valid, and intact — across 14,000+ document types | Authoritative evidence of identity |
| NFC Reading ($0.15) | The chip's cryptographically signed data is genuine and untampered | Highest-strength evidence; resistance to forgery |
| Passive Liveness ($0.10) | A real, present human — no replay or static image | Resistance to presentation attacks |
| Active Liveness ($0.15) | Active proof of presence under challenge | Stronger anti-spoofing for High-tier flows |
| Face Match 1:1 ($0.05) | The live person matches the document photo | Binding of person to identity evidence |
The anti-spoofing claim isn't a marketing line: Didit's Presentation Attack Detection is independently tested by iBeta to Level 1 of ISO/IEC 30107-3, achieving a 0% attack success rate / 0% IAPAR across 360 attack attempts — direct, audited evidence of the resistance higher assurance levels require.
Compose these checks in Didit's no-code Workflow Builder to hit your target level: a Low-risk service might run document + passive liveness; a Substantial flow adds face match; a High flow layers NFC chip reading and active liveness. The core verification flow (ID + passive liveness + face match + IP analysis) starts at $0.33, with 500 free checks every month.
Deep dive: from Substantial to High, in practice
The jump from Substantial to High hinges on two things: where the identity evidence comes from, and how hard the process is to fool.
Evidence strength. A photographed identity card, read by optical character recognition, is solid evidence, but data read directly from the document's chip via NFC is stronger: it is cryptographically signed by the issuing authority, so any alteration is detectable when the signature is checked. Layering NFC on top of visual document verification moves you toward the authoritative-source bar that High demands.
Attack resistance. High assurance requires the process to resist sophisticated impersonation. That's where liveness and Presentation Attack Detection do the work. Active liveness challenges the user in real time; the iBeta Level 1 result quantifies how well Didit's detection holds up against printed photos, video replays, masks, and other presentation attacks — 360 attempts, zero successes.
A note on scope: Didit provides the proofing and authentication evidence that supports these levels. It does not issue qualified certificates and is not a certified Qualified Trust Service Provider. Treat Didit as the engine that brings your onboarding up to Substantial or High assurance — aligned to and supporting eIDAS 2.0 — rather than as the qualified-trust layer itself.
Use cases
- Regulated EU financial services that must meet at least Substantial assurance for account opening.
- Crypto VASPs under MiCA and the EU AML Single Rulebook needing high-assurance customer proofing.
- Public-sector and eGovernment services preparing to interoperate with the European Digital Identity Wallet.
- Age-gated platforms (iGaming, restricted goods) that need strong, attack-resistant proof of identity and age.
Frequently asked questions
What are the eIDAS 2.0 levels of assurance?
Low, Substantial, and High — three tiers describing the degree of confidence in a claimed electronic identity, based on the strength of identity proofing and resistance to attack.
Can Didit get my onboarding to High assurance?
Didit supplies the checks that support High assurance — authoritative document verification, NFC chip reading, active liveness with audited Presentation Attack Detection, and biometric face match. The formal assurance level of a complete electronic identification scheme is determined by the scheme's overall design and certification; Didit provides the high-assurance proofing layer within it.
Is Didit an eIDAS-certified Qualified Trust Service Provider?
No. Didit is aligned to and supports eIDAS 2.0 assurance requirements but does not issue qualified certificates and is not a certified QTSP.
Why does NFC reading matter for assurance?
The NFC chip in a modern passport or ID card holds data cryptographically signed by the issuing authority. Reading it directly gives stronger, harder-to-forge evidence than a photo of the document alone.
How does Didit prove its liveness is attack-resistant?
Through independent iBeta testing to Level 1 of ISO/IEC 30107-3, which recorded a 0% attack success rate across 360 presentation-attack attempts.