The regulation nobody is reading
On 8 April 2026, the European Commission published Commission Implementing Regulation (EU) 2026/798 in the Official Journal. It is one of the quieter releases in the current eIDAS 2 rollout, but it is also one of the most consequential. It defines how a citizen actually gets onboarded onto an EU Digital Identity Wallet — the step that happens before every single piece of downstream verification you rely on.
If you are a merchant, verifier, or developer planning to trust EUDI Wallet attestations in production, you need to know what assurance level the person enrolled at and what evidence the wallet issuer collected. IR 2026/798 is the text that answers those questions.
This article is a plain-English walk-through. For the raw legal source, see the EUR-Lex entry.
What the regulation covers
IR 2026/798 is an implementing act under Article 5a(24) of the amended eIDAS Regulation (EU) 2024/1183. In plain terms, it lays down the technical reference standards and specifications for how users are remotely onboarded onto an EUDI Wallet.
There are two important scoping points.
First, it is narrowly about remote onboarding — the flow where a citizen enrols from their own device, without visiting a physical counter. In-person enrolment is governed by separate rules.
Second, it applies to a specific combination: eID means at Level of Assurance "substantial" combined with additional remote onboarding procedures that together meet Level of Assurance "high". This sentence is doing a lot of work, so we will unpack it.
Levels of Assurance in one page
eIDAS defines three Levels of Assurance (LoA) for electronic identification means: low, substantial, and high. The distinction is about how confident the issuer is that the person presenting the eID is who they claim to be.
- Low — limited degree of confidence. Typical example: username and password registered online without document checks.
- Substantial — substantial degree of confidence. Typical example: a national eID based on document verification plus a liveness selfie.
- High — highest degree of confidence, considered equivalent to face-to-face identification. Typical example: in-person enrolment at a government office with physical document inspection.
The EUDI Wallet is required to operate at LoA high. That creates a problem: most member states' existing national eID schemes sit at LoA substantial. How do you get from one to the other without forcing everyone to visit a government office?
IR 2026/798 is the answer.
The "substantial plus additional procedures equals high" construction
The regulation permits a combination: a user who already has an LoA substantial eID means can onboard onto an LoA high wallet provided the issuer layers additional remote procedures on top of the existing substantial-level authentication. The combination, taken as a whole, must meet the LoA high requirements set out in Implementing Regulation (EU) 2015/1502 — the foundational LoA definitions from the original eIDAS framework.
In practice, the additional procedures are things like:
- Automated document authenticity checks against the eID document's security features.
- Liveness detection and biometric matching against the document photo.
- Cross-checks against authoritative data sources (population registers, vehicle registration, tax records) to validate identity coherence.
- Real-time video verification with a trained operator for the highest-risk cases.
The exact menu will be spelled out in accompanying technical specifications and in the ETSI TS 119 461 identity proofing standard, which the regulation references as its reference point.
Why this matters for verifiers
When your backend receives a signed attestation from an EUDI Wallet, the attestation carries metadata identifying the issuer and, by extension, the LoA under which the wallet was provisioned. If the wallet is provisioned at LoA high, you can treat the identity data inside as equivalent to a government-office-verified identity. If it is LoA substantial, you cannot.
Until IR 2026/798, the answer to "how is LoA high remote enrolment actually done" was "you cannot do it, everyone visit a government office". That would have made national rollout by December 2026 physically impossible. The new regulation removes the bottleneck.
For your integration, the practical effect is simple. The SDK or verifier you use receives a wallet attestation and a metadata envelope that asserts LoA. Your business logic can trust LoA high attestations for high-value flows like bank onboarding, large-value payments, or regulated account creation. See our technical deep dive on how eIDAS verification works for how the LoA metadata flows through the OpenID4VP presentation.
What verifiers should check in the attestation
Two practical pieces of the regulation affect verifier-side logic.
The issuer declaration. The wallet's issuer metadata must declare the enrolment path used — whether LoA high was achieved through in-person enrolment, through substantial-plus-additional procedures per IR 2026/798, or through another recognised pathway. Your verification code should log this and, for regulated use cases, may need to distinguish between pathways.
The onboarding timestamp and revalidation policy. The regulation implies (though it does not mandate) that wallets provisioned under the remote pathway will carry an onboarding timestamp and revalidation rules. High-risk verifiers may want to check both.
If you are using the OpenEUDI SDK, the metadata flags are exposed through the standard verifier interface. For the protocol-level mechanics, see Understanding OpenID4VP.
Interaction with the age verification mini-wallet
A related question in the wake of the 15 April 2026 EU age verification app announcement: does the mini-wallet require LoA high enrolment?
Yes. Age proofs that are cryptographically tied to a person's real date of birth require an LoA high chain of trust. An LoA substantial enrolment would not suffice, because an unverified birth date is worthless for age verification. The mini-wallet's onboarding flow therefore falls directly under the IR 2026/798 combination pathway.
This is also why the age verification app cannot be as minimal as some critics have suggested. The privacy is in what the wallet releases (just a boolean over an age threshold); the assurance is in how the wallet was enrolled in the first place.
The open questions
Two things the regulation deliberately leaves open.
Exact technical procedures. The regulation references ETSI standards and delegates much of the concrete detail to technical specifications. Member states have room to interpret.
Cross-border recognition of remote enrolment. If a French wallet enrolled under the French national eID's substantial-plus-additional pathway is presented to a German verifier, is it recognised as LoA high? The answer should be yes under cross-border recognition rules, but the operational details — whether a German verifier's compliance team accepts the French pathway — will depend on how each country's national supervisor interprets the regulation.
We will be tracking how member states converge or diverge on these points in coming months. If you sell into multiple EU countries and need to think about this seriously, our piece on cross-border verification under eIDAS is the companion read.
What merchants should do today
Nothing urgent. IR 2026/798 is infrastructure-level legislation — it governs what wallet issuers do, not what verifiers do. Your integration work does not change.
What it does mean is that the regulatory path to December 2026 is now genuinely clear. Before this regulation, there was a serious question whether remote LoA high enrolment was even possible at scale. After it, the answer is yes, and member states are building accordingly. For a view of where each country stands on that build-out, see our April 2026 rollout tracker.
If you want to be certified as a Relying Party once wallets go live, start your WRPAC paperwork now. The process takes months. See What is WRPAC and why every business needs one by December 2026 and our Relying Party registration guide.
eIDAS Pro handles the LoA metadata and issuer validation automatically in its managed verifier. If you want to trust wallet attestations without building a compliance team, see our managed plans or the OpenEUDI SDK quickstart.
Share this article
Help others learn about eIDAS verification