Digital Identity: How to Prepare for eIDAS 2.0 Fraud Prevention Requirements

For nearly a decade, the eIDAS regulation has been the foundation of digital trust in Europe. By regulating electronic identification, authentication, and trust services, such as electronic signatures, seals, and timestamps, it has enabled the widespread adoption of legally recognized digital transactions across the EU.

However, the landscape has changed dramatically. The mass digitalization of customer journeys, combined with the rapid rise of technologies such as AI, has given birth to a new generation of identity fraud. Deepfakes, synthetic identities, and automated attacks are now more sophisticated, faster, and far harder to detect.

It is against this backdrop that eIDAS 2.0 and its implementing acts significantly strengthen fraud prevention requirements. The objective is clear: ensure a level of digital identity security and reliability that matches today’s risk environment.

Understanding Digital Identity Fraud: A Rapidly Evolving Threat

Identity fraud is no longer the work of isolated individuals. It has become industrialized. Organizations now face hybrid attacks that combine social engineering with advanced technologies.

The most common fraud techniques include:

• Presentation attacks, where biometric systems are deceived using photos, videos, or masks.
• Injection attacks, in which manipulated video streams—such as deepfakes, replays, or virtual cameras, are injected directly into the system.
  Synthetic identities, created by blending real and fabricated data to build credible yet non-existent profiles.
• Automated fraud, increasingly powered by AI, enabling attacks at scale.
  ‍

The scale of the problem is significant. European studies show that identity fraud attempts have risen by more than 30% in recent years, with a sharp increase in deepfake-based attacks in remote journeys. Gartner predicts that by 2028, a substantial share of sensitive digital interactions will be exposed to AI-driven fraud attempts.

These developments are rendering many traditional identity checks obsolete, as they were designed to counter far simpler threats.

Key eIDAS 2.0 Requirements to Address Fraud

In response, eIDAS 2.0 introduces a far more demanding approach to identity fraud prevention, particularly for high-risk and high-value digital journeys.

Stronger Remote Identity Proofing

The implementing acts require reinforced identification processes that can reliably confirm that a remote user is who they claim to be. This includes:

• robust document verification,
• strong holder binding between the user and their identity,
• advanced liveness detection mechanisms.

Simply collecting documents or relying on basic authentication is no longer sufficient. Solutions must demonstrate real resistance to advanced fraud scenarios.

Assurance Levels: Low, Substantial, High

eIDAS is built around a tiered assurance model:

• Low: suitable for low-risk use cases.
  Substantial: designed for journeys requiring increased security.
• High: mandatory for the most sensitive and regulated use cases.

Reaching the High assurance level requires strict technical and organizational controls, strong evidence, and proven resilience against advanced attacks, particularly biometric fraud. For critical journeys such as qualified electronic signatures and trust services, this level is no longer optional.

Higher Expectations for Service Providers and Technology Vendors

eIDAS 2.0 also strengthens obligations for:

• Qualified Trust Service Providers (QTSPs)
  
• Identity solution vendors.
  
  

Technologies must be certified, audited, and aligned with recognized standards (ISO, CEN, ETSI). Compliance can no longer be self-declared, it must be demonstrated, documented, and verifiable.

The Central Role of ISO- and CEN-Certified Facial Biometrics

Under eIDAS 2.0, facial biometrics is emerging as a cornerstone of digital identity fraud prevention, especially for remote processes. However, not all biometric solutions are equal. European regulation now places strong emphasis on certified technologies capable of objectively proving their security level.

This is where international and European standards come into play:

• ISO/IEC 30107-3, which defines requirements and testing methods for Presentation Attack Detection (PAD), covering photos, videos, and masks.
• CEN/TS 18099, a European standard focused on Injection Attack Detection (IAD), addressing deepfakes, injected video streams, and digital replays.

In line with eIDAS 2.0 and related technical specifications, particularly ETSI 119 461, achieving the High assurance level requires the use of robust, certified biometric solutions. The implementing acts reinforce a clear shift: biometric security can no longer rely on marketing claims, but on measurable, independently validated compliance.

For trust service providers and digital identity players, integrating ISO- and CEN-certified facial biometrics is therefore both a compliance requirement and a powerful way to build lasting trust with users and regulators.

Conclusion

eIDAS 2.0 marks a major turning point in the fight against digital identity fraud in Europe. As attacks become more intelligent and harder to detect, trust can no longer be built on outdated mechanisms.

Preparing today means securing digital journeys, protecting users, and ensuring future compliance. More than a regulatory constraint, eIDAS 2.0 should be seen as an opportunity to strengthen digital trust in a sustainable and scalable way.

‍