Overview

eIDAS 2.0 establishes a legal framework for digital trust, but the actual technical requirements live in dozens of technical standards. Understanding this relationship is essential for anyone building wallets, trust services, or verification systems in Europe.

This explainer shows how the law delegates technical detail to standards bodies, which standards matter most, and who writes them.


How Standards Become Part of the Law

Legal Framework

The relationship between eIDAS 2.0 and technical standards is governed by two key EU regulations:

Under this framework, the primary regulation defines what must be true (rights, obligations, legal effects), secondary law defines exact technical and operational rules (often by pointing at standards), and standards define how to build it (protocols, data formats, security controls).

Three Legal Mechanisms

There are three main mechanisms through which standards become part of the law under eIDAS 2.0. These mechanisms can operate independently or stack together.

Mechanism A: Direct or Indirect Reference in Legal Acts

A regulation or implementing act can explicitly require compliance with a named standard.

How it works:

Mechanism B: Harmonised Standards and Presumption of Conformity

This is the classic EU "New Approach" model, established under Regulation (EU) 1025/2012.

How it works: