Blog · May 21, 2026

The Only EU Government Attestation That Beats In-Person ID

Spain's financial sandbox — run by the Treasury, supervised by the CNMV, reviewed with the SEPBLAC financial intelligence unit — concluded that Didit's remote identity verification meets and exceeds in-person identification. It is

By Didit

Most identity providers can show you a certification. Very few can show you a conclusion, signed off by an EU member-state government, that their remote verification is safer than meeting the customer in person. Didit can.

Didit is the only provider formally attested by an EU member-state government (Spain's Tesoro / BdE / SEPBLAC / CNMV) as safer than in-person verification. That conclusion did not come from a marketing test or a vendor-funded study. It came out of Spain's official financial regulatory sandbox, supervised by the CNMV, reviewed in coordination with SEPBLAC — Spain's financial intelligence unit — and published permanently on the Spanish Treasury's own website. This is what that attestation is, how it was reached, and why it matters for anyone choosing an identity provider in Europe.

Key takeaways

  • A government conclusion, not a vendor claim. Spain's financial sandbox concluded that Didit's remote identity verification meets and exceeds in-person identification standards — the only EU member-state government attestation of its kind.
  • Supervised by the CNMV, Spain's securities-markets authority, and reviewed with SEPBLAC, Spain's financial intelligence unit (FIU) — the body that sets the AML/CFT bar for remote onboarding.
  • Tested over eight months — 2024-11-01 to 2025-07-09 — with conclusions published in February 2026.
  • Publicly published and permanent, on the Spanish Treasury site (tesoro.es) — anyone can read the conclusions report.
  • Built on real technology: cryptographic NFC chip reading of official ID documents plus facial biometrics with active liveness, supporting AML/CFT-compliant onboarding.

What the attestation is

Spain runs a financial regulatory sandbox under Ley 7/2020 of 13 November — a controlled environment in which financial innovations are tested under the eye of the supervisory authorities before reaching the market. Didit's digital identity solution was admitted to the sandbox's 4th cohort.

The project tested a digital identity solution combining cryptographic NFC reading of the chip in official ID documents with facial biometrics and active liveness detection, built to support AML/CFT-compliant digital onboarding. The supervising authority was the CNMV (Comisión Nacional del Mercado de Valores — Spain's National Securities Market Commission), through its Dirección General de Política Estratégica y Asuntos Internacionales. The tests were reviewed in coordination with SEPBLAC, the Servicio Ejecutivo de la Comisión de Prevención del Blanqueo de Capitales — Spain's financial intelligence unit and the authority responsible for AML/CFT supervision.

The conclusion the regulators reached is the headline: Didit's remote identity verification meets — and exceeds — in-person identification standards. The conclusions report was published in February 2026, on the Spanish Treasury's site, where it remains publicly available.

What the sandbox actually tested

The sandbox was structured in phases. The two that were fully executed and concluded:

  • Phase 1 — registration and onboarding. The end-to-end remote onboarding journey: document capture, NFC chip authentication, facial biometric capture, and active liveness.
  • Phase 2 — creation of the verified digital identity. Producing a trustworthy, reusable verified identity from the onboarding evidence.

Later phases — financial-entity reuse (Phase 3), user updates (Phase 4), and MiCA crypto transactions (Phase 5) — were either not executed or run with token amounts (5 USDC) per the test protocol. The tests ran from 2024-11-01 to 2025-07-09, and the Memoria de Resultados was delivered on 2025-07-31. The conclusions report followed in February 2026.

The promoter on the sandbox file was Markets Prolive 360, S.L. — the entity name under which the Didit management system was originally certified, since renamed.

Why it matters

In-person identification has been the regulatory gold standard for decades. Remote onboarding has always carried an implicit asterisk: convenient, but is it as safe? The Spanish sandbox conclusion removes the asterisk. A government — through its securities regulator and reviewed with its financial intelligence unit — looked at Didit's remote flow and concluded it does not merely match the in-person bar but exceeds it.

For a compliance officer choosing a provider, that changes the conversation. It is one thing to assert that automated NFC-plus-biometric verification is robust; it is another to point a regulator or an auditor at a published government conclusion that says so. In EU procurement, in security questionnaires, and in any discussion with a supervisor about whether remote onboarding is adequate, the Tesoro/SEPBLAC/CNMV report is evidence no competitor can match.

How Didit helps

The attestation is not a trophy on a shelf — it describes the live product.

The technology that earned it is the product you integrate. Cryptographic NFC chip reading is available as a module at $0.15, active liveness at $0.15, and the core KYC bundle (ID verification, passive liveness, face match, IP analysis) at $0.33 per verification — the same building blocks the sandbox evaluated, on the unified /v3/ API.

It pairs with an independent legal opinion. Beyond the government conclusion, finReg360 — an independent Spanish AML/CFT legal advisory — issued a memo (2026-04-28) concluding that Didit's remote onboarding tool is adequate under the EBA Guidelines on remote customer onboarding (EBA/GL/2022/15) and compatible with the incoming EU AML Single Rulebook, and that the video-identification process does not require manual human review when Didit's automated controls are in place. That memo is distributable to a buyer's money-laundering reporting officer on request.

It sits inside a full attestation stack. The government conclusion joins ISO/IEC 27001:2022 certification (cert nº ES144068), a SOC 2 Type 1 attestation (Security, Availability, Confidentiality), and iBeta Level 1 PAD biometric anti-spoofing testing (0% attack success across 360 attempts). The complete set lives on the security and compliance hub.

Use cases

  • EU banks and EMIs justifying fully remote onboarding to a supervisor — the published conclusion is the strongest available evidence that the remote flow is adequate.
  • Compliance and procurement teams that need third-party, government-grade assurance rather than a vendor's own benchmark.
  • Spanish and EU regulated firms building AML/CFT onboarding where SEPBLAC's review carries direct weight.
  • Any business comparing identity providers on regulatory credibility — this is the differentiator no competitor can replicate.

Frequently asked questions

Who issued the attestation?

It is a conclusion of Spain's financial regulatory sandbox (Ley 7/2020), supervised by the CNMV — Spain's National Securities Market Commission — and reviewed in coordination with SEPBLAC, Spain's financial intelligence unit. It was published on the Spanish Treasury site (tesoro.es).

What exactly did the regulators conclude?

That Didit's remote identity verification meets and exceeds in-person identification standards. It is the only EU member-state government attestation of its kind.

Is the report public?

Yes. The conclusions report was published in February 2026 on the Spanish Treasury's website and remains publicly available — it is permanent, not a time-limited certificate.

What technology was tested?

A digital identity solution combining cryptographic NFC reading of official ID document chips with facial biometrics and active liveness detection, supporting AML/CFT-compliant onboarding. The tests ran from November 2024 to July 2025.

How is this different from a certification like ISO 27001?

A certification attests that a management system or control set meets a standard. This is a government regulator's conclusion about the security of the verification method itself — specifically, that it exceeds in-person identification. Didit holds both: ISO 27001, SOC 2 Type 1 and iBeta PAD on one side, and this attestation on the other.

Ready to get started?

Read the full attestation stack on the security and compliance hub, see the verification technology in action on the ID Verification product page, and review transparent per-check pricing on the pricing page. When you're ready, start free — 500 free KYC checks every month, using the same verification the Spanish sandbox attested.
