Skip to main content
The Signicat Blog
A blog post graphic with a dark purple background. The image features the title "Fragmented Rules, No More: A unified approach to AML & eIDAS". Above the title is an icon of a smartphone with a key on the screen, surrounded by a circle of twelve turquoise stars, symbolizing a unified digital identity framework.
Edwin de Ron

Product Manager eID and Wallet Hub

From fragmented rules to a single playbook: eIDAS and the future of AML compliance in Europe

The EU's new Anti-Money Laundering Regulation is set to replace 27 different national rulebooks with one. Here's what that means for you, and why eIDAS is now at the heart of compliant customer onboarding. 

Picture this: you're running a fast-growing Swedish fintech. Digital onboarding? Nailed it. You rely on BankID, conversion rates are sky-high, your compliance team is happy, and the UX is flawless. Expanding across Europe feels like the obvious next step. 

Then reality hits. 

In the Netherlands, you can't use a government-issued eID for onboarding. In Germany, eID adoption is so low it barely registers, video-based identity verification is the norm, and a national identity number doesn't even exist. Multiply that by 27 member states, each with their own interpretation of AML directives, and you don't have a European expansion plan, you have a compliance puzzle with no edge pieces. 

"27 national rulebooks. 27 different interpretations. One enormous headache for anyone trying to scale compliantly across Europe." 

The game changer: Europe's single AML rulebook & eIDAS 

That's all about to change. EU Regulation 2024/1624 - the Anti-Money Laundering Regulation (AMLR) introduces a single, directly applicable rulebook across all EU member states. No more local translations. No more national quirks (well, fewer of them). Article 22.6 of the AMLR is particularly significant: it mandates that remote identity verification must use either government-issued identity documents or, and this is the big one, the eIDAS toolkit. 

That's not just a technical footnote. It's a fundamental shift in how financial institutions are expected to verify who their customers are. 

Meet your new compliance toolkit: eID, EUDI Wallet, and QES 

The eIDAS framework gives obliged entities three powerful levers for compliant Customer Due Diligence (CDD): 

  • eID: Notified electronic identities already in use across EU and EEA countries, offering government-grade assurance. 
  • EUDI Wallet: The EU Digital Identity Wallet: a free, mobile-first national eID available to every EU/EEA resident, extensible with verified attributes from qualified sources, and usable across borders for both public and private services. The Member States will start issuing EUDI Wallets December 2026.
  • QES: Qualified Electronic Signature, now governed by strict new identity rules (CIR 2025/1566 and ETSI TS 119 461). This isn't just a signature, it's an identity-verified trust anchor. 

Think of these three as a new hierarchy for remote identity verification. eIDAS methods are the preferred methods, where QES can even cater for onboarding users that do not have an eID or EUDI Wallet (eg users from outside of Europe). 

Diagram of the eIDAS toolkit for pan-European AML compliance, showing how eID, the EUDI Wallet, and Qualified Electronic Signature (QES) work together.

The eIDAS Toolkit

The vision is clear. The reality is complex. 

Here's where it gets nuanced. The AMLR and eIDAS point toward a harmonised future, but three significant gaps stand between where we are today and that future: 

1. The Adoption Gap 

Not every European country has high eID adoption. According to Signicat's State of Digital Identity in Europe 2024-2025 report, eID usage varies dramatically, from 85-100% in some countries (like Germany, France and Spain) to under 30% in others. eID usage varies dramatically, from 95 % or more in  some countries (Nordics, Estonia) to less than 30 % or hardly at all in others (Germany, Spain, France and many more). While all member states are required to issue EUDI Wallets by December 2026, the readiness of national implementations varies enormously. For some countries, it's very likely. For others, it might not happen on time. For others, it might not happen in time, and for all countries, mass deployment will take time, maybe years.

2. The Incentive Gap 

Take Sweden. BankID is already excellent. So why would a Swedish citizen bother switching to a new national eID just to activate their EUDI Wallet? Countries like Germany and France, where national identity infrastructure is less mature, have far more to gain from the EUDI Wallet. For high-performing digital identity ecosystems, the incentive to switch may be low, at least initially. 

3. The Data Gap 

Even when an eID or Wallet successfully verifies a user's identity, it may not contain all the attributes you need. Address data isn't always available in every EUDI Wallet. Place of birth can be missing. For high-risk AML checks that demand specific attribute verification, a gap in the data means a gap in your compliance which you have to fill by using reliable sources. 

"Adoption gaps, incentive gaps, data gaps - a compliant strategy needs a Plan B for the years these realities persist." 

Why the QES Is Your Last Line of Defence 

The Qualified Electronic Signature has always been powerful, but new regulations have made it even more robust for identity verification purposes. A QES proves the identity of the signer by the qualified certificate used for signing, and to get that certificate the identity must be thoroughly verified. With the ETSI TS 119 461 standard adopted by eIDAS rules, this can now be done remotely by use of a combination of a national identity document and a "selfie-video".  The new rules provide two clear paths for this identity verification. 

  1. Path one is the fully automated, self-service flow. This is only allowed if you use cryptographic verification of a chipped document, like a modern passport, using a device's NFC reader. This method is highly secure and resistant to AI-based fraud. 
  2. Path two is for when an NFC-compatible document isn't available. You can use an AI-based video session, but it must include measures to counter deepfakes, like random challenges. You can use an AI-based video session to capture an optical scan of the identity document, which must include measures to detect tampered and fake documents and deepfakes. And critically, every single one of these sessions must be reviewed by a specifically trained human agent afterwards, unless an agent is present with the customer. This makes it a much heavier process. 

What this means for your AML strategy 

The era of AML fragmentation is ending. The AMLR creates a single rulebook, and eIDAS, through eIDs, the EUDI Wallet, and the QES, is now the gold standard for remote Customer Due Diligence. But the transition won't happen overnight. 

Smart compliance teams are already planning for the gaps. That means building fallback strategies for countries where eID adoption is low, understanding which data attributes your eIDAS integration will and won't cover, and leaning on QES as a rock-solid, legally recognised alternative when primary methods fall short. 

The organisations that will thrive in this new regulatory landscape aren't the ones that wait for perfect harmonisation. They're the ones building flexible, multi-method identity verification strategies now, so that when the eIDAS-powered future arrives, they're ready to meet it. 

"The single AML rulebook is coming. The question is whether your identity verification strategy is ready for it." 

Ready to future proof your CDD? 

Signicat's brings together eID verification, EUDI Wallet integration, and Qualified Electronic Signatures in one orchestrated, regulatory-compliant solution, built for the complexity of real-world European expansion.