eIDAS 2.0 Levels of Assurance Explained: What Businesses Need to Know

Foundation of Digital TrusteIDAS 2.0 establishes a robust framework for digital identity across the EU, ensuring secure and interoperable electronic identification and trust services.

Three Levels of AssuranceThe regulation defines 'low,' 'substantial,' and 'high' levels of assurance, each dictating the strength of identity verification required for different digital services.

Impact on BusinessesCompanies operating in the EU must align their identity verification processes with eIDAS 2.0 to ensure compliance, reduce fraud, and facilitate seamless cross-border transactions.

Didit's RoleDidit offers a comprehensive identity platform that aligns with eIDAS 2.0 requirements, providing modular solutions for identity verification, biometrics, and workflow orchestration to achieve necessary assurance levels.

Understanding eIDAS 2.0 and its Core Purpose

The original eIDAS (electronic IDentification, Authentication and trust Services) regulation, enacted in 2014, laid the groundwork for digital trust within the European Union. Its primary goal was to create a common framework for electronic identification and trust services, enabling secure and seamless cross-border digital interactions. However, as the digital landscape evolved, particularly with the rise of AI-generated identities, deepfakes, and the demand for more advanced digital wallets, an update became necessary. This led to eIDAS 2.0, a significant evolution designed to address modern challenges and introduce the concept of European Digital Identity (EUDI) Wallets.

eIDAS 2.0 aims to empower EU citizens with greater control over their digital identities, allowing them to prove their identity and share credentials securely across various online services. For businesses, this means adapting to new standards for verifying customers and partners, ensuring compliance, and leveraging the enhanced security and efficiency that eIDAS 2.0 promises. The regulation's emphasis on interoperability and privacy-by-design is set to transform how digital transactions are conducted, making it essential for companies to understand its nuances.

The Three Levels of Assurance: Low, Substantial, and High

Central to eIDAS 2.0 are the three defined levels of assurance (LoA) for electronic identification schemes. These levels dictate the degree of confidence in a person's asserted identity, based on the robustness of the identity verification process. Each level specifies the technical and procedural requirements for identity proofing, authentication, and management.

Low Level of Assurance

The 'low' level of assurance provides a basic degree of confidence in a person's asserted identity. It typically involves simple verification methods, where the risk of identity theft or misuse is considered minimal. For example, this might include verifying an email address or a phone number via a one-time password (OTP). These methods are suitable for services where the potential impact of identity compromise is low, such as accessing non-sensitive online content or participating in public consultations that don't require strong identity ties. While convenient, businesses must be aware that this level offers limited protection against sophisticated fraud.

Substantial Level of Assurance

The 'substantial' level offers a higher degree of confidence, indicating that adequate safeguards are in place to reduce the risk of misuse or alteration of the identity. This level often involves a more rigorous verification process, such as verifying a government-issued ID document combined with a basic liveness check (e.g., a passive selfie scan). This level is appropriate for services where the risk of identity compromise is moderate, such as opening a basic online bank account, accessing certain government services, or making online purchases above a certain threshold. Most KYC (Know Your Customer) processes today typically aim for this level.

Practical Example: A fintech company offering peer-to-peer lending might require a 'substantial' level of assurance. This would involve users submitting a photo of their government ID (like a passport or driver's license), followed by a live selfie capture to ensure the person presenting the ID is its legitimate owner. Didit's ID Document Verification and Passive Liveness modules are perfectly suited for achieving this, providing robust checks in seconds.

High Level of Assurance

The 'high' level provides the highest degree of confidence in an individual's identity, ensuring that the risk of identity compromise is significantly reduced. This level demands the most stringent verification methods, often combining advanced biometrics, NFC chip reading of e-passports, and potentially database validation against official registries. It's reserved for services where identity compromise would have a severe impact, such as accessing highly sensitive medical records, performing high-value financial transactions, or digitally signing legally binding contracts. Achieving this level often involves multi-factor authentication and continuous monitoring.

Practical Example: A digital bank offering high-value investment accounts or a public notary providing digital signature services would require a 'high' level of assurance. This means not only verifying an ID document with a liveness check but also reading the NFC chip of an e-passport for cryptographic validation and potentially performing ongoing AML screening. Didit's NFC Document Reading, Active Liveness (iBeta Level 1 certified), and AML Screening modules are designed to meet these stringent requirements, providing a complete solution for high-assurance needs.

Implications for Businesses and Compliance

For businesses operating within the EU or interacting with EU citizens, eIDAS 2.0 and its levels of assurance have profound implications. Compliance is not just about avoiding penalties; it's about building trust, enhancing security, and streamlining operations. Companies need to:

• Assess Current Identity Processes: Evaluate existing identity verification methods against eIDAS 2.0 LoA requirements to identify gaps.
• Adapt Workflows: Design or adjust onboarding and authentication workflows to achieve the appropriate LoA for each service or transaction type.
• Leverage Technology: Implement advanced identity verification technologies that can reliably meet the technical specifications for substantial and high assurance levels, such as biometric verification and NFC reading.
• Ensure Interoperability: Prepare for integration with EUDI Wallets, which will become a primary means for citizens to share verified identity attributes.
• Maintain Data Privacy and Security: Adhere to GDPR and eIDAS 2.0 requirements for data handling, storage, and protection.

Failing to comply can lead to significant fines, reputational damage, and loss of customer trust. Conversely, early adoption and strategic implementation can provide a competitive advantage, attracting users who value security and privacy.

How Didit Helps Achieve eIDAS 2.0 Compliance

Didit's all-in-one identity platform is specifically designed to help businesses navigate the complexities of eIDAS 2.0, enabling them to achieve the necessary levels of assurance with ease and efficiency. Didit consolidates identity verification, biometrics, fraud detection, and compliance tools into a single, powerful system.

• Modular Verification Capabilities: Didit offers 18 composable modules, including AI-powered ID Document Verification (supporting 14,000+ document types), Passive and Active Liveness Detection (iBeta Level 1 certified), Face Match 1:1, NFC Document Reading, and AML Screening. These modules can be combined to build workflows tailored to specific LoA requirements.
• Workflow Orchestration: The visual Workflow Builder allows businesses to drag-and-drop modules to create custom identity flows. This means you can easily configure a 'substantial' LoA flow (e.g., ID Verification + Passive Liveness) or a 'high' LoA flow (e.g., ID Verification + NFC Reading + Active Liveness + AML Screening) without writing a single line of code.
• Reusable KYC and EUDI Wallet Compatibility: Didit is eIDAS2 compatible, supporting reusable KYC. This allows users to verify once and reuse their identity across multiple platforms with biometric re-authentication, aligning perfectly with the vision of the EUDI Wallet and enhancing user experience.
• Robust Security and Compliance: Didit is SOC 2 Type II and ISO 27001 certified, GDPR compliant, and adheres to privacy-by-design principles. Our infrastructure ensures EU data residency and secure processing, critical for eIDAS 2.0.
• Cost-Effective Solutions: With a transparent, pay-per-success pricing model and a generous free tier, Didit makes advanced identity verification accessible, allowing businesses to meet compliance without prohibitive costs.

By leveraging Didit, companies can not only meet eIDAS 2.0 requirements but also significantly improve their onboarding conversion rates, reduce manual review times, and detect fraud more effectively.

Ready to Get Started?

Navigating the new landscape of eIDAS 2.0 can seem daunting, but with the right tools, it becomes an opportunity to build more secure, efficient, and user-friendly digital services. Didit provides the comprehensive platform you need to meet these challenges head-on.

Explore how Didit can help your business achieve eIDAS 2.0 compliance and transform your digital identity strategy. Visit our pricing page for transparent costs, or check out our technical documentation to start building. For a deeper dive, request a product demo or use our ROI calculator to see the potential savings.

How Didit supports eIDAS 2.0 assurance

Didit's checks — document, NFC chip reading, active and passive liveness, and biometric face match — map to higher eIDAS 2.0 levels of assurance, and Didit is the only provider formally attested by an EU member-state government (Spain's Tesoro / SEPBLAC / CNMV) as safer than in-person verification.

See Didit's security & compliance, explore the products, check pricing, and start free — 500 free KYC checks every month.