Building Secure and Compliant Identity Verification in the Age of eIDAS 2.0

Across the European Union, eIDAS (electronic Identification, Authentication and Trust Services) is one of the key regulations that defines how citizens, businesses, and authorities have to interact with each other in the digital environment. Adopted in 2016, eIDAS sets standards for electronic identification and creates legal certainty for digital interactions throughout the Union.

The updated version (eIDAS 2.0) brought several crucial features to the original eIDAS framework. First of all, it introduced the European Digital Identity Wallet that each EU member state must make available to its citizens by the end of 2026. The wallet is meant to simplify digital interactions across borders even further as it allows people to identify themselves, store, and share verified data, as well as access both public and private services.

However, as digital onboarding becomes more standardized, businesses need to think not only about compliance, but also about how their verification systems are built. What really matters is whether sensitive user data can be processed without ever leaving a secure perimeter, that is, within an on-premise or on-device architecture. For businesses, this means that aligning KYC workflows with the new framework is only part of the task. Equally important is choosing technologies that support compliance without storing or transmitting sensitive data anywhere.

Understanding eIDAS Levels of Assurance

eIDAS rules standardized how electronic identification means must be issued and used, which made onboarding in digital services seamless for customers regardless of which EU country they come from. The framework defines three Levels of Assurance (LoA) – each containing a set of standards for electronic identification. These standards are exactly what KYC providers and identity verification vendors need to align with if they want to present themselves as eIDAS-compliant.

“Low” level offers a basic degree of certainty about a claimed identity, “substantial” calls for more rigorous checks with fewer chances of misuse, and “high” is intended to deliver maximum assurance, backed by the strongest protections against identity fraud. Companies choose the level they need based on their risk exposure, the sensitivity of the data they handle, and any other regulatory obligations that apply to their services.

The Main Strength and Weakness of eIDAS Identity Verification Standards

One of the main strengths of eIDAS identity verification standards is that they create a common framework for the entire European Union. In practical terms, this means that an identity verification approach designed to align with eIDAS can serve as a strong foundation for operating in different EU member states, rather than being rebuilt from scratch for each country.

The main weakness of eIDAS identity verification standards, in our opinion, is that they do not actively support the development of on-premise / on-device verification technologies – the ones that truly protect citizens’ personal data from breaches and ensure frictionless identity verification workflows. Frameworks that regulate storage and transmission may reduce risk, but they do not remove the risk surface itself. Every time identity data is collected or transferred, it creates a new opportunity for leakage, and regulatory compliance alone cannot fully remove that vulnerability.

It may seem that eIDAS is building a unified and secure identity verification ecosystem across Europe. In many ways, it is certainly creating a more consistent and convenient one. But does this really mean security? At OCR Studio, we believe that true protection can only be delivered by technologies that do not require personal data to be stored or transmitted in the first place. In identity verification, the safest architecture is not the one that manages sensitive data more carefully, but the one that removes the need to handle it at all.

How to Build Secure and Compliant Identity Verification

Since each eIDAS assurance level is largely built around the principle of minimizing the storage and transfer of personal data, on-premise / on-device technologies are the most effective way to build an identity verification system that is both compliant and genuinely secure. From a technological point of view, such systems outperform architectures that rely on cloud infrastructure or external servers, as they are not vulnerable to third-party outages and can operate even without a stable internet connection.

Below, using three of the key eIDAS standards as examples, we show how modern on-device technologies fully comply with these identity verification requirements:

“The person can be assumed to be in possession of evidence recognised by the Member State in which the application for the electronic identity means is being made and representing the claimed identity”

In order to verify that the user is the legitimate document holder, verification systems usually conduct selfie-to-ID checks by comparing the presenter’s selfie with the ID photo. On-device systems perform the same checks with the same accuracy while not transmitting sensitive biometric data anywhere. Some on-device systems are additionally able to detect presentation attacks, such as screen recaptures and photocopies, which confirms that the user is genuinely present.

“The evidence can be assumed to be genuine, or to exist according to an authoritative source and the evidence appears to be valid”

To meet this requirement, the identity verification system you choose must be able to assess whether the document presented by the user appears genuine and valid. Some on-device solutions do this by combining ID recognition with document forensics technologies. Based on a single document photo, they can detect various manipulations, including deepfakes, AI-generated IDs, and morphed IDs. They can also check validity periods and cross-validate data from the VIZ (visual inspection zone), the MRZ (machine-readable zone), and the NFC chip to identify inconsistencies that may indicate tampering or fraud.
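The cross-validation step described above, as an added example that is not OCR Studio's code: it verifies the ICAO Doc 9303 check digits of a passport MRZ, compares the fields the MRZ encodes with the fields read from the printed VIZ, checks that the MRZ stored in the chip's DG1 equals the optically read MRZ, and tests the expiry date. The sample document is the fictitious "Utopia" specimen from ICAO Doc 9303; the `Identity` structure, function names and the reference date are assumptions made for this example.

```python
"""Cross-validation of VIZ, MRZ and NFC (DG1) data for a TD3 passport.

Added example (not OCR Studio code). Check digits follow ICAO Doc 9303;
the sample MRZ is the fictitious 'Utopia' specimen from ICAO Doc 9303.
"""
from dataclasses import dataclass
from datetime import date

MRZ_WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """ICAO 9303 character values: digits as-is, A-Z = 10..35, '<' = 0."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def mrz_check_digit(field: str) -> str:
    """Weighted sum (weights 7,3,1 repeating) modulo 10."""
    total = sum(mrz_char_value(c) * MRZ_WEIGHTS[i % 3] for i, c in enumerate(field))
    return str(total % 10)


@dataclass(frozen=True)
class Identity:
    """Fields as read from the VIZ (printed zone) or derived from the MRZ."""
    document_number: str
    surname: str
    given_names: str
    nationality: str
    birth_date: str   # YYMMDD, as encoded in the MRZ
    sex: str
    expiry_date: str  # YYMMDD


def parse_td3(line1: str, line2: str):
    """Parse a two-line, 44-character TD3 MRZ and verify all check digits.

    Returns (Identity, errors); errors is empty when every digit matches.
    """
    if len(line1) != 44 or len(line2) != 44:
        raise ValueError("TD3 MRZ lines must be exactly 44 characters")
    errors = []
    fields = (("document number", 0, 9), ("birth date", 13, 19),
              ("expiry date", 21, 27), ("personal number", 28, 42))
    for name, start, end in fields:
        value, digit = line2[start:end], line2[end]
        # An empty personal number may carry '<' instead of a check digit.
        if value.strip("<") == "" and digit == "<":
            continue
        if mrz_check_digit(value) != digit:
            errors.append(f"{name} check digit mismatch")
    # Composite digit covers document number, birth date and expiry/personal data.
    composite = line2[0:10] + line2[13:20] + line2[21:43]
    if mrz_check_digit(composite) != line2[43]:
        errors.append("composite check digit mismatch")
    surname, _, given = line1[5:].rstrip("<").partition("<<")
    ident = Identity(
        document_number=line2[0:9].replace("<", ""),
        surname=surname.replace("<", " "),
        given_names=given.replace("<", " "),
        nationality=line2[10:13],
        birth_date=line2[13:19],
        sex=line2[20],
        expiry_date=line2[21:27],
    )
    return ident, errors


def cross_validate(viz: Identity, mrz: tuple, nfc_dg1: tuple, today: date) -> list:
    """Compare the three data sources; an empty result means they agree."""
    mrz_ident, findings = parse_td3(*mrz)
    # DG1 on the chip stores the MRZ verbatim, so it must equal the optical read.
    if tuple(nfc_dg1) != tuple(mrz):
        findings.append("NFC DG1 differs from optically read MRZ")
    for field in ("document_number", "surname", "given_names", "nationality",
                  "birth_date", "sex", "expiry_date"):
        if getattr(viz, field) != getattr(mrz_ident, field):
            findings.append(f"VIZ/MRZ mismatch on {field}")
    yy, mm, dd = (int(mrz_ident.expiry_date[i:i + 2]) for i in (0, 2, 4))
    if date(2000 + yy, mm, dd) < today:   # expiry assumed to fall in 2000-2099
        findings.append("document expired")
    return findings


# ICAO Doc 9303 specimen (fictitious data), used here as constructed sample input.
SPECIMEN_MRZ = (
    "P<UTO" + "ERIKSSON<<ANNA<MARIA".ljust(39, "<"),
    "L898902C36UTO7408122F1204159ZE184226B<<<<<10",
)
SPECIMEN_VIZ = Identity("L898902C3", "ERIKSSON", "ANNA MARIA", "UTO",
                        "740812", "F", "120415")
REFERENCE_DATE = date(2011, 6, 1)  # chosen so that the specimen is still valid

if __name__ == "__main__":
    print(cross_validate(SPECIMEN_VIZ, SPECIMEN_MRZ, SPECIMEN_MRZ, REFERENCE_DATE))
```

A single altered character in the VIZ or MRZ shows up as a named finding, and an altered MRZ character also breaks both its field check digit and the composite digit, which is why forged documents with a reprinted MRZ are usually caught at this stage even before the chip is read.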

“Retain, as far as it is permitted by national law or other national administrative arrangement, and protect records for as long as they are required for the purpose of auditing and investigation of security breaches, and retention, after which the records shall be securely destroyed”

This requirement is not about storing all personal data by default, but about keeping the system auditable. The real challenge is architectural: how can identity data be processed locally while traceability is preserved? In our view, data should not be transferred for processing, but only for strictly limited and secure audit purposes. Future approaches may include selective logging, encrypted audit records, or mechanisms that preserve auditability without exposing raw personal data. This is not a limitation of the on-device model, but a broader challenge for the next generation of identity verification systems.
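One concrete shape the "selective logging" idea above can take, as an added example that is not OCR Studio's code: the device records that a verification happened, which checks ran and how it ended, bound to a keyed pseudonym of the subject rather than to the raw attributes, and each record carries an integrity tag so later edits are detectable. An investigator holding the audit key can confirm that a presented document is the one a record refers to, while the record itself never stored the data. The two keys, the field names and the sample subject are constructed for this example.

```python
"""Audit records for an on-device verification that carry no raw identity data.

Added example (not OCR Studio code). It assumes two secrets held by the audit
function rather than by the device: AUDIT_KEY (pseudonymisation) and LOG_KEY
(record integrity). Both values below are constructed placeholders.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

AUDIT_KEY = b"placeholder-audit-key-rotate-me"   # constructed, not a real key
LOG_KEY = b"placeholder-log-key-rotate-me"       # constructed, not a real key


def _canonical(obj) -> bytes:
    """Deterministic JSON so that equal inputs always yield equal MACs."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def subject_pseudonym(audit_key: bytes, subject_fields: dict) -> str:
    """Keyed pseudonym: the same person/document maps to the same ID, but
    without the key the ID cannot be reversed or brute-forced from guesses."""
    return hmac.new(audit_key, _canonical(subject_fields), hashlib.sha256).hexdigest()


def make_audit_record(audit_key, log_key, subject_fields, outcome, checks, now):
    """Record that a check happened, what was checked and how it ended,
    bound to a pseudonym instead of the raw attributes, and MAC-tagged."""
    body = {
        "ts": now.isoformat(),
        "subject": subject_pseudonym(audit_key, subject_fields),
        "outcome": outcome,
        "checks": sorted(checks),
    }
    tag = hmac.new(log_key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def record_is_intact(log_key, record) -> bool:
    """Detect after-the-fact edits to a stored record."""
    body = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(log_key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("tag", ""))


def record_matches_subject(audit_key, record, subject_fields) -> bool:
    """During an investigation, confirm that a presented document is the one
    the record refers to, without the record ever having stored its data."""
    return hmac.compare_digest(record["subject"],
                               subject_pseudonym(audit_key, subject_fields))


def record_exposes(record, subject_fields) -> bool:
    """True if any raw attribute value appears verbatim in the serialized record."""
    blob = json.dumps(record)
    return any(str(v) in blob for v in subject_fields.values())


# Constructed sample: attributes extracted on-device and discarded after use.
SAMPLE_SUBJECT = {"document_number": "L898902C3", "surname": "ERIKSSON",
                  "birth_date": "740812", "issuer": "UTO"}


def example_record() -> dict:
    return make_audit_record(AUDIT_KEY, LOG_KEY, SAMPLE_SUBJECT, "pass",
                             ["mrz_check_digits", "viz_mrz_match", "liveness"],
                             datetime(2026, 1, 15, 9, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(json.dumps(example_record(), indent=2))
```

The design choice worth noting is the split of keys: a record alone reveals nothing about the person, tampering with it is visible to whoever holds the log key, and only the audit key holder can link a record to a document, which keeps the retention requirement satisfiable without the device ever transmitting the attributes it processed.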

As you can see, on-premise technologies fully meet the key eIDAS requirements while avoiding the framework’s main weakness. Because they do not require data storage or transmission, they provide much stronger protection against personal data leaks than alternative approaches. Such technologies can support identity verification workflows at any required assurance level, from “low” to “high”.

On-Premise Architecture Goes Beyond eIDAS Compliance

Meeting eIDAS requirements is essential for any company operating in the EU. However, compliance alone is not enough to guarantee real protection of customer data. To build a truly secure KYC, businesses need to look beyond formal compliance and pay close attention to the technical characteristics of the identity verification solutions they use. In our view, the safest choice is not a vendor that merely minimizes personal data collection, but one that removes the need for collecting and transmitting that data at every stage.

Konstantin Bulatov is a scientist and Chief Technology Officer of OCR Studio, where he has led the development and implementation of advanced OCR technologies. He has designed a method for optimizing object recognition in video streams, which has improved the accuracy and efficiency of real-time OCR systems. Under his direction, OCR Studio develops secure on-device programming solutions that address diverse industry needs and contribute to advancements in the field.

Konstantin is an IEEE Senior Member; he has authored multiple patent applications and published his research in prominent academic conferences and journals. His work emphasizes innovative approaches to developing high-performance recognition systems, reinforcing OCR Studio’s position as a significant contributor to the global technology landscape.