
2 posts tagged with "kyc"


2027 Is Closer Than It Looks. What eIDAS 2.0 Means for Companies in Romania.

Cătălin Toma
Founder, EidKit

On 4 December 2024, the European Commission published the first implementing acts of Regulation (EU) 2024/1183 — eIDAS 2.0. Twenty days later, they entered into force. Since then, the clock has been running.

The deadlines are legal, not aspirational. By the end of 2026, every EU Member State must make at least one certified European Digital Identity Wallet available to citizens. By the end of 2027, private companies in regulated sectors are required to accept it. And the sectors that fall under this obligation include, explicitly, banks, payment service providers, insurers, and telecoms.

If you work in any of these domains in Romania, 2026 is the year to understand what this transition involves — not 2027.


What the EUDI Wallet Is, and Its Connection to the Electronic ID Card

The EUDI Wallet is a standardised mobile app in which citizens can store and present verified identity credentials — their identity card, driving licence, diplomas, professional qualifications, and other attributes. Users control what data they share and with whom, through selective disclosure: you can prove you are over 18 without revealing your exact date of birth, or confirm you are a resident of a Member State without giving your full address.

The connection to the Romanian CEI is direct and intentional. The Director of DGEP, Cătălin Giulescu, has publicly stated that the electronic identity card is "an intermediary" in the digitisation process — the platform on which Romania's EUDI Wallet will be built. The CEI chip, with its MAI-issued digital certificates, is the primary enrollment mechanism for the wallet. Without CEI, there is no Romanian EUDI Wallet.

Romania is already participating in the EUDIW-PACT pilot project coordinated by the French Ministry of the Interior, alongside 24 other Member States. On 17-18 March 2026, cross-border interoperability tests took place in Bucharest in a live environment — working credential exchange between different Member States.


The Timeline, Clearly

| Deadline | Obligation |
|---|---|
| 24 Dec 2024 | First implementing acts enter into force — clock starts |
| 31 Dec 2026 | Each Member State provides at least one certified EUDI Wallet |
| 31 Dec 2026 | Public and semi-public bodies required to accept it |
| 31 Dec 2027 | Private companies in regulated sectors required to accept it |

Article 5f(2) of the Regulation is direct: private companies already legally required to use strong user authentication — Strong Customer Authentication — must accept the EUDI Wallet at the user's request, within 36 months of the implementing acts entering into force. The legal basis for SCA in financial services is PSD2. If you are a bank or fintech processing payments, the obligation is certain.

Penalties for non-compliance reach €5 million or 1% of global turnover, whichever is higher.


Why 2026 Is the Year to Act, Not 2027

There is a common trap in how companies read regulatory deadlines: they see 2027 and plan for 2027. The problem is that an enterprise-level integration does not complete in a few weeks.

Implementation experts estimate that a full integration, from decision to production, takes between 9 and 18 months for a mid-to-large organisation. A bank with legacy systems, procurement processes, internal audit requirements, and well-defined release cycles will be at the upper end of that range, not the lower.

Companies that start in 2027 will go live in 2028 — after the mandatory deadline. Companies that start in 2026 will be ready on time, and will have gained a competitive advantage: they can offer customers EUDI Wallet authentication before it becomes the standard.

Chambers & Partners, in their Romania FinTech analysis, confirm explicitly: in practice, 2026 is the preparatory year to achieve wallet acceptance and adapt onboarding flows for 2027.


What to Prepare, Concretely

1. Map your identity flows

The first step is not technical — it is a business exercise. Any company under the obligation must identify every point in its products and services where strong authentication or identity verification occurs: KYC onboarding, authentication for significant transactions, contract signing, access to sensitive data. These are the points that must accept EUDI Wallet credentials.

2. Register as a Relying Party

Companies that want to accept the EUDI Wallet must register as a relying party with the competent national authority. Without registration, you cannot request credentials from user wallets. The registration process is not instant — it involves identifying your legal entity, specifying the attributes you intend to access, and the business reasons why you need them.

3. Technical integration

The technical standards for interacting with the EUDI Wallet — OpenID4VP for credential presentation, OpenID4VCI for issuance, SD-JWT for selective disclosure — are established through the implementing acts. Integration means implementing these protocols alongside existing systems, not replacing them.

4. Redesign KYC data flows

The Regulation mandates data minimisation — you may only request the attributes necessary for the given transaction. If you currently have a KYC flow that collects all available data, you will need to redesign it to request selectively only what is needed for each context. This is an architectural change, not just a UI change.
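The selective-disclosure check behind steps 3 and 4, as an added example that is not code from EidKit or from any wallet implementation: a relying party matches each SD-JWT disclosure against the digests in the issuer-signed payload and refuses attributes the flow did not request. The claim names, salts and issuer URL are constructed, rejecting over-disclosure is a policy choice of this example, and issuer signature and key-binding verification are assumed to have happened already.

```python
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(salt: str, name: str, value) -> str:
    # SD-JWT disclosure: base64url of the JSON array [salt, claim_name, claim_value].
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def digest(disclosure: str) -> str:
    # The signed payload carries only this hash of each disclosure, in "_sd".
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def verify_presentation(payload: dict, disclosures: list, requested: set) -> dict:
    """Return the disclosed claims or raise ValueError.

    Assumes the issuer signature over `payload` and the holder key binding
    were already verified; this function covers only the disclosure step.
    """
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    signed = set(payload.get("_sd", []))
    claims = {}
    for d in disclosures:
        if digest(d) not in signed:
            raise ValueError("disclosure is not covered by the issuer signature")
        salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        if name not in requested:
            # Policy of this example: refuse attributes the flow did not ask for.
            raise ValueError(f"over-disclosure: {name!r} was not requested")
        if name in claims:
            raise ValueError(f"duplicate claim {name!r}")
        claims[name] = value
    missing = requested - set(claims)
    if missing:
        raise ValueError(f"missing requested claims: {sorted(missing)}")
    return claims

# Constructed sample credential (salts, claim names and values are made up).
ALL_DISCLOSURES = [
    make_disclosure("c2FsdC1hZ2U", "age_over_18", True),
    make_disclosure("c2FsdC1kb2I", "birth_date", "1990-01-01"),
    make_disclosure("c2FsdC1hZHI", "resident_address", "Str. Exemplu 1, Bucuresti"),
]
PAYLOAD = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
           "_sd": sorted(digest(d) for d in ALL_DISCLOSURES)}

if __name__ == "__main__":
    print(verify_presentation(PAYLOAD, ALL_DISCLOSURES[:1], {"age_over_18"}))
```

An age-gated flow passes `{"age_over_18"}` as `requested`; the birth date and address digests stay in the signed payload, but their values never reach the relying party.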


The Situation in Romania: Solid Foundation, Operational Uncertainty

Romania is not starting from scratch. The CEI is already in national rollout, with over 1.5 million cards issued and a target of 5 million by mid-2026. ROeID exists as a government SSO application. EUDI Wallet interoperability tests have already taken place on Romanian soil.

What is missing is operational clarity for the private sector. A recent Accace report finds that while legal alignment exists through Law 214/2024, many companies lack clarity on short-term practical requirements. Awareness remains limited outside heavily regulated sectors.

There is also an honest nuance to add: at the European level, some Member States may not meet the 2026 deadline for wallet availability, due to the technical complexity and standards still being finalised in parallel. But the 2027 deadline for the private sector is independent of the exact wallet launch timing — the acceptance obligation exists regardless. And in Romania, the CEI is already available and functional as the foundation.


The Connection to Today's Identity Infrastructure

There is a direct continuity between what is available now and what will be mandatory in 2027. The EUDI Wallet in Romania will be populated with data from the CEI. NFC-based KYC flows that read the CEI chip today are architecturally compatible with what accepting EUDI Wallet credentials will require tomorrow — the same assurance level, the same identity data source, the same MAI certificates in the verification chain.

Companies integrating CEI NFC reading today for onboarding and identity verification are not building a temporary solution. They are building the identity infrastructure they will need in 2027, one or two years ahead of the legal obligation.


We write about the Romanian CEI — its capabilities, its integration challenges, and the regulatory context around it. If a topic here is relevant to something you're building, feel free to reach out.

Your New Romanian ID Card Has Your Address. Your Bank Doesn't Know How to Read It.

Cătălin Toma
Founder, EidKit

This is the first article in our series on Romania's electronic identity card. The second covers what the 2024 electronic signature law means for the CEI.

Something quietly changed when Romania rolled out its new electronic identity card — the Carte Electronică de Identitate, or CEI. The home address disappeared from the physical card. No more printed street, number, city, county on the back. That information is now stored exclusively on the chip inside the card, readable only via NFC or a card reader.

In theory, this is an upgrade. The address can be updated electronically when you move, without needing to reissue the card. In practice, it has created a slow-motion crisis that is now visibly breaking down.


The Problem in One Sentence

Millions of Romanians now carry an ID card that legally contains their home address, but they cannot hand it to a bank teller, notary, or civil servant in a form those people can read.

As of this week, the Romanian government has logged over 300 formal complaints in the "Passport and Identity Card" category alone on its fara-hartie.gov.ro platform. The most reported issue by far: the missing printed address. Banks, notaries, schools, ANAF offices, and local authorities are all asking for a separate adeverință de domiciliu — a paper certificate proving the address that is already, technically, on the document they are holding.

One person described arriving at a notary for a property transaction and being turned away because the CEI "was not sufficient to prove domicile." Another went to open a bank account, same story. A 34-year-old recounted: "I got the electronic ID because I understood it was more modern and secure. Nobody told me I'd need a separate certificate every time I have to prove my address."

This is what happens when infrastructure moves before institutions are ready to use it.


What the Government's Fix Looks Like

To its credit, the government has moved quickly. On March 25, 2026 — two days ago — civil registry offices were instructed to look up applicants' addresses themselves in the national database, rather than conditioning service on a physical document.

Banks have received direct database access to the population registry and, according to the government announcement, no longer need to ask for the certificate.

For notaries, a similar mechanism is being tested.

And for everyone else — citizens who need to show address proof somewhere that doesn't have database access yet — the Ministry of Internal Affairs has launched a mobile app called RoCEIReader. You tap your card, enter the 6-digit CAN code and your 4-digit PIN, and the app reads the address off the chip and lets you save it as a PDF.

It is available for Android. The iOS version is "coming soon."

The shape of this solution

The government's answer to "institutions can't read the chip" is a consumer app for citizens to read the chip themselves and produce a PDF. That PDF is then presented to the institution that couldn't read the chip.

The problem has been partially converted from a technical integration challenge into paperwork — digital paperwork, but paperwork. It works, and it is better than nothing. But it illustrates the gap between what the CEI is — a cryptographically secure NFC smart card with a verified, government-signed dataset — and what most systems are currently prepared to do with it.


The Options for Reading the Address

For anyone building software that needs a verified home address in Romania, the transition has real consequences. The old workflow — ask the user for a scan of their ID card, OCR the address from the back — no longer works. The address is not on the back.

The alternatives, roughly in order of robustness:

Government database lookup: Banks have been given direct access to the DGEP population registry. Clean, no NFC required, no user interaction beyond a CNP. Access requires a formal agreement with the government authority and is not available to arbitrary private companies on request.

NFC chip read: The card is read directly using the CAN code printed on its front face. This gives you the address as the government has it — cryptographically signed, verifiable against the Ministry's certificate chain, no dependency on a third-party database. The address lives in the card's EDATA applet, behind a PACE secure channel and a 4-digit PIN. Reading it correctly requires handling some Romanian-specific data formats that standard ICAO libraries do not cover out of the box.

User-produced certificate: The workaround the government is now facilitating via RoCEIReader. Legally valid. Introduces a manual step for the user, a 6-month validity window on the certificate, and friction at exactly the point where onboarding flows tend to lose people.


The Larger Pattern

The address issue is the most visible symptom, but the CEI is capable of considerably more than any institution has caught up to yet.

The chip contains biometric data, a face photo, and two cryptographic keys backed by MAI-issued certificates. One key is for advanced electronic signatures — under Law 214/2024, a document signed with this certificate carries the same legal weight as a handwritten signature. The other is for active authentication: a challenge-response proof that the chip is genuine and not cloned.

And yet ANAF's own tax filing platform rejects the CEI's signature. It only accepts signatures from separately purchased qualified certificates sold by commercial providers. The card grants you a legally valid signature. The government's own portal won't accept it.

The card is ahead of the ecosystem. The ecosystem is catching up, institution by institution. Banks have caught up on address verification. Notaries are close. ANAF has not caught up on signatures. The same pattern will repeat for every institution that needs to interact with these cards over the next two to three years.


What Reading the Chip Actually Involves

For the technically curious: the CEI chip runs the PACE protocol (Password Authenticated Connection Establishment) using AES-256 to establish a secure channel before anything is readable. After the channel is open, reading personal data requires selecting the correct applet, completing PIN verification, and parsing the response in a Romanian-specific ASN.1 format that is not the same as the ICAO MRZ format most libraries expect.

Passive authentication — verifying that the data on the chip is signed by MAI and hasn't been tampered with — should always run before trusting anything read from the card. It chains from the data groups through the document signing certificate up to the Ministry's CSCA root.

None of this is exotic. But it is specific, and the specifics matter. The card is not something you can integrate with by reading the standard ICAO documentation and adapting a passport reader. The Romanian implementation has its own applet structure, its own data formats, and its own sequence requirements that are not publicly documented in a complete way anywhere.
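The data-group step of passive authentication, as an added example that is not EidKit's code: it parses a security object and reports every data group whose hash does not match the signed value. It assumes the ICAO 9303 LDSSecurityObject layout, which this page does not confirm for the CEI; the sample bytes are constructed, and verifying the signature over the object up to the CSCA root is a separate step not shown here.

```python
import hashlib

# DER encoding of the SHA-256 OID 2.16.840.1.101.3.4.2.1 (tag, length, value).
SHA256_OID = bytes.fromhex("0609608648016503040201")

def read_tlv(buf: bytes, pos: int):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(body: bytes) -> list:
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        out.append((tag, value))
    return out

def signed_hashes(lds_der: bytes) -> dict:
    """Parse an LDSSecurityObject into {data_group_number: hash}."""
    _, body, _ = read_tlv(lds_der, 0)
    (_, _version), (_, alg), (_, table) = children(body)[:3]
    if children(alg)[0] != (0x06, SHA256_OID[2:]):
        raise ValueError("this example handles SHA-256 only")
    result = {}
    for _, entry in children(table):
        (_, number), (_, value) = children(entry)
        result[int.from_bytes(number, "big")] = value
    return result

def failed_data_groups(lds_der: bytes, read_from_chip: dict) -> list:
    """Data groups whose content is unlisted or does not match the signed hash."""
    signed = signed_hashes(lds_der)
    return sorted(n for n, content in read_from_chip.items()
                  if signed.get(n) != hashlib.sha256(content).digest())

# Constructed sample: two made-up data groups and a matching security object.
def tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128                 # short-form length is enough here
    return bytes([tag, len(body)]) + body

def dg_hash(n: int, content: bytes) -> bytes:
    return tlv(0x30, tlv(0x02, bytes([n])) + tlv(0x04, hashlib.sha256(content).digest()))

DG1, DG2 = b"constructed DG1 content", b"constructed DG2 content"
LDS = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, SHA256_OID) + tlv(0x30, dg_hash(1, DG1) + dg_hash(2, DG2)))
```

A caller should treat any non-empty result as a failed read and discard everything taken from the chip, including data groups that did match.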


From July 2025, the CEI became the only identity card model being issued nationally. Every identity document issued in Romania from here forward contains a chip the bearer cannot show to most institutions in a form they can read.

That gap will close gradually. The question for anyone building in this space is how long they are willing to wait for it to close, and whether the interim solution — user-produced PDF certificates of what's already on the card — is acceptable friction for their product.


