The Fourthline Team
Why Banks Should Care About Qualified Electronic Signatures in 2026
Why Banks Should Care About Qualified Electronic Signatures in 2026
From the earliest days of banking, institutions have gone to great lengths to keep legitimate customers in and keep criminals out. These days, rather than relying on branches and bank tellers, financial institutions rely heavily on remote customer onboarding, leveraging technology to speed up KYC while keeping their institutions (and customers) secure.
But there are changes afoot: the regulatory framework governing how European banks verify identity and execute contracts is undergoing its most significant transformation in a decade. Europe's new Anti-Money Laundering Authority (AMLA) has developed regulatory technical standards that establish a verification hierarchy that favours eIDAS-compliant methods like the EU Digital Identity Wallet (EUDI Wallet) making Qualified Electronic Signatures (QES) as the preferred method for executing legally binding contracts.
This isn't just another regulatory update. With the EUDI Wallet rollout occurring throughout 2026, eIDAS-compliant verification and QES is quickly becoming the regulatory gold standard. Here's what's changing, what the deadlines are, and what banks need to do to prepare.
What is a Qualified Electronic Signature (QES)?
A Qualified Electronic Signature (QES) is the highest level of electronic signature under EU law. It's created using cryptographic technology and requires the signer to be verified by a Qualified Trust Service Provider (QTSP) — a government-approved organisation that confirms your identity before issuing signature credentials.
When you sign a document with QES, you're using a private cryptographic key (stored securely on your device) that's uniquely linked to your verified identity. The signature includes a timestamp, your qualified certificate, and tamper-detection technology that shows if the document has been altered after signing.
For banks, this matters because account agreements, loan documents, and high-value contracts signed with QES carry the strongest legal certainty. Under Article 25(2) of the eIDAS Regulation (EU) No 910/2014), QES has the same weight as a handwritten signature. Unlike the basic "click to accept" buttons banks use for general terms and conditions, QES provides non-repudiation and cryptographic proof of authenticity. This means there’s no ambiguity about contract validity if disputes arise.
How does QES work in practice?
Historically, creating a QES was cumbersome: customers had to verify their identity through a trusted registration authority, receive a qualified certificate from a QTSP, and then use USB tokens or smart card readers plugged into their computers to sign documents. This multi-step process required hardware, desktop software, and lots of patience, leading to poor user experience and low adoption among banks and customers alike. But the new EUDI Wallet transforms this entirely.
The EUDI Wallet: The new frontier in Qualified Electronic Signatures
Rolling out across EU member states in 2026 and 2027, the EU Digital Identity Wallet (EUDI Wallet) is a government-issued smartphone app that stores verified identity credentials and enables citizens to prove their identity and create legally binding signatures across all EU services. Users can download the wallet app, verify their identity using their national ID scheme or passport, and their government-issued credentials are stored securely with QES capability enabled.
The EUDI Wallet does two things simultaneously: it verifies customer identity using government credentials (satisfying AMLA's requirements for eIDAS-compliant verification methods) AND enables QES creation for contract signing. This means banks get both AML-compliant identity verification and the strongest possible legal signature in a single customer action.
Let’s look at how the process works in practice. When opening a bank account, the customer authenticates in their EUDI Wallet using Face ID, fingerprint, or PIN, approves sharing their verified identity attributes, and creates a QES. On the other end, the bank's system sends an API request to the customer's wallet, which retrieves government-verified credentials and generates a cryptographic signature using a private key stored in the customer’s smartphone's secure element. Finally, the bank receives a legally binding, court-admissible signature with government-level identity assurance, complete with timestamp, qualified certificate, and tamper-detection seal.
The Regulatory Framework: Why QES Is becoming essential
For banks and other financial institutions, two major regulatory developments are converging to make Qualified Electronic Signatures the preferred method for contract execution. First, the new regulation eIDAS 2.0 creates the infrastructure that makes QES accessible through EUDI Wallet. Second, AMLA's regulatory technical standards prioritise the same eIDAS-compliant methods for identity verification. Let’s take a look at how these two developments work in concert.
eIDAS 2.0: Making QES accessible
The revised eIDAS regulation (eIDAS 2.0) entered into force in 2024 and fundamentally transforms how financial institutions use digital tools. Most importantly, it requires all EU member states to offer EUDI Wallets to citizens.
But that's not all. For banks, eIDAS 2.0 creates a strong trust model that shifts identity verification liability from banks to member states. When customers use EUDI Wallet, member states are legally liable for the credentials they issue — meaning banks can rely on government-verified identities with legal certainty rather than bearing the risk of document verification themselves.
The regulation also imposes stronger security requirements for QES, including mandatory secure elements with hardware-backed keys and enhanced cryptography standards. Banks that integrate with certified EUDI Wallets can demonstrate they're meeting the highest standards of digital identity security through the European Digital Identity Trust Mark certification scheme.
AMLA's verification hierarchy: Prioritising QES
While eIDAS 2.0 makes QES technically feasible, AMLA's Regulatory Technical Standards (RTS) under the Anti-Money Laundering Regulation (AMLR) establish how banks must prioritise verification methods.
Effective July 10, 2027, the RTS create a clear verification hierarchy that favours eIDAS-compliant methods. These include electronic identification (eID) with QES capability, EUDI Wallet with Qualified Electronic Attestations of Attributes (QEAA), national digital identity schemes meeting eIDAS standards, and qualified trust services.
In this new regulatory landscape, video identification becomes a fallback option, accepted only when eIDAS methods are unavailable or unsuitable, and banks must document why preferred methods weren't used and may face enhanced monitoring requirements. In-person branch-based verification remains compliant but represents the least efficient approach.
What this means for banks
All this means a massive shift for financial institutions of all kinds, but perhaps especially banks. The regulatory prioritisation of eIDAS-compliant verification methods will require significant investment, particularly for banks that have built their operations around video identification. Banks must offer EUDI Wallet as the primary verification option, maintain detailed documentation showing why alternative methods were used when applicable, and build compliance reporting infrastructure to track verification method usage.
Supervisors will scrutinise these statistics closely. If your video KYC usage remains high when EUDI Wallet is widely available, expect pointed questions about why eIDAS-compliant options weren't prioritised. Banks that haven't built EUDI Wallet capability by July 2027 will face supervisory findings and remediation requirements.
Here's a timeline of what takes effect, and when:
2024-2025: eIDAS 2.0 legal framework finalised
2026: EUDI Wallet rollout across member states (pilot and large-scale deployments)
July 10, 2027: AMLR takes effect with AMLA's verification hierarchy
2027-2028: Supervisory enforcement begins, with scrutiny on banks not prioritising eIDAS methods
Your QES compliance roadmap
Preparing for QES and eIDAS-compliant verification doesn't have to be overwhelming. Here's a practical roadmap broken into three phases: assessment, implementation, and optimisation.
Phase 1: Assess where you stand
Start with an honest assessment of your current setup. Are you already using eIDAS-compliant verification methods, or is most of your onboarding still built around video KYC and document uploads? Can your systems talk to EUDI Wallet APIs, or will you need major technical work?
Next, find the right technology partners who can support EUDI Wallet integration and QES capabilities, have proven QES implementation experience, and the flexibility to support multiple verification methods during the transition. If you operate across borders, make sure they offer EU-wide coverage and have solid GDPR expertise.
Once you've chosen your partners, start building. Connect your systems to EUDI Wallet APIs, develop QES workflows for account agreements and contracts, and make sure you have fallback options for customers who don't have wallets yet. Don't forget the behind-the-scenes infrastructure: audit logging and compliance reporting that tracks which verification methods you're using and generates reports for supervisory reviews.
Phase 2: Build compliant customer journeys
Before July 2027, make eIDAS-compliant verification your default option. Put EUDI Wallet front and centre in your onboarding flow, build QES into your account agreements, and explain the options clearly so customers naturally choose the compliant path.
Video KYC remains permissible as a fallback when eIDAS methods are unavailable or unsuitable, but banks must document why eIDAS-compliant options weren't used. This documentation matters when supervisors ask why some customers aren't using eIDAS methods.
Set up reporting systems that track verification method usage by volume and percentage. Your audit trails should capture not just which method was used, but whether eIDAS options were offered first and why alternatives were chosen.
Finally, train your teams. Compliance staff need to understand AMLA requirements, customer support needs to troubleshoot EUDI Wallet issues, and legal teams should know how QES affects contract validity.
Phase 3: Monitor, optimise, and expand
Once you're all set up, focus on continuous improvement. Track adoption rates, monitor customer feedback, and run quarterly compliance reviews to show supervisors you're making progress toward eIDAS-first verification. Modern identity verification platforms can automate much of this reporting, tracking which methods customers are using and flagging when your video KYC rates need attention.
As EUDI Wallet adoption grows, expand beyond account opening. Use QES for loan agreements, investment disclosures, and corporate banking authority verification. Leverage QEAA to verify specific attributes — like confirming a customer is over 18 or an EU resident, without accessing their full identity document. This approach strengthens compliance while improving customer experience.
Stay current with regulatory guidance as it evolves. AMLA will continue issuing implementation guidance, and national authorities may add country-specific requirements. Think of QES and EUDI Wallet as less of a one-off change than a foundational infrastructural shift that will mature alongside Europe's digital identity ecosystem.
Fourthline: Your Partner for QES Compliance
The question isn't whether to adopt QES and EUDI Wallet — it's whether you'll be ready by July 2027. Banks that act now position themselves ahead of regulatory requirements. Those that wait will face supervisory findings and competitive disadvantage.
Fourthline's platform handles the complexity: EUDI Wallet integration, QES workflows, automated compliance reporting, and audit trails that satisfy supervisory expectations. We help you meet AMLA's eIDAS-first requirements while improving customer experience and reducing fraud risk.
From the earliest days of banking, institutions have gone to great lengths to keep legitimate customers in and keep criminals out. These days, rather than relying on branches and bank tellers, financial institutions rely heavily on remote customer onboarding, leveraging technology to speed up KYC while keeping their institutions (and customers) secure.
But there are changes afoot: the regulatory framework governing how European banks verify identity and execute contracts is undergoing its most significant transformation in a decade. Europe's new Anti-Money Laundering Authority (AMLA) has developed regulatory technical standards that establish a verification hierarchy that favours eIDAS-compliant methods like the EU Digital Identity Wallet (EUDI Wallet) making Qualified Electronic Signatures (QES) as the preferred method for executing legally binding contracts.
This isn't just another regulatory update. With the EUDI Wallet rollout occurring throughout 2026, eIDAS-compliant verification and QES is quickly becoming the regulatory gold standard. Here's what's changing, what the deadlines are, and what banks need to do to prepare.
What is a Qualified Electronic Signature (QES)?
A Qualified Electronic Signature (QES) is the highest level of electronic signature under EU law. It's created using cryptographic technology and requires the signer to be verified by a Qualified Trust Service Provider (QTSP) — a government-approved organisation that confirms your identity before issuing signature credentials.
When you sign a document with QES, you're using a private cryptographic key (stored securely on your device) that's uniquely linked to your verified identity. The signature includes a timestamp, your qualified certificate, and tamper-detection technology that shows if the document has been altered after signing.
For banks, this matters because account agreements, loan documents, and high-value contracts signed with QES carry the strongest legal certainty. Under Article 25(2) of the eIDAS Regulation (EU) No 910/2014), QES has the same weight as a handwritten signature. Unlike the basic "click to accept" buttons banks use for general terms and conditions, QES provides non-repudiation and cryptographic proof of authenticity. This means there’s no ambiguity about contract validity if disputes arise.
How does QES work in practice?
Historically, creating a QES was cumbersome: customers had to verify their identity through a trusted registration authority, receive a qualified certificate from a QTSP, and then use USB tokens or smart card readers plugged into their computers to sign documents. This multi-step process required hardware, desktop software, and lots of patience, leading to poor user experience and low adoption among banks and customers alike. But the new EUDI Wallet transforms this entirely.
The EUDI Wallet: The new frontier in Qualified Electronic Signatures
Rolling out across EU member states in 2026 and 2027, the EU Digital Identity Wallet (EUDI Wallet) is a government-issued smartphone app that stores verified identity credentials and enables citizens to prove their identity and create legally binding signatures across all EU services. Users can download the wallet app, verify their identity using their national ID scheme or passport, and their government-issued credentials are stored securely with QES capability enabled.
The EUDI Wallet does two things simultaneously: it verifies customer identity using government credentials (satisfying AMLA's requirements for eIDAS-compliant verification methods) AND enables QES creation for contract signing. This means banks get both AML-compliant identity verification and the strongest possible legal signature in a single customer action.
Let’s look at how the process works in practice. When opening a bank account, the customer authenticates in their EUDI Wallet using Face ID, fingerprint, or PIN, approves sharing their verified identity attributes, and creates a QES. On the other end, the bank's system sends an API request to the customer's wallet, which retrieves government-verified credentials and generates a cryptographic signature using a private key stored in the customer’s smartphone's secure element. Finally, the bank receives a legally binding, court-admissible signature with government-level identity assurance, complete with timestamp, qualified certificate, and tamper-detection seal.
The Regulatory Framework: Why QES Is becoming essential
For banks and other financial institutions, two major regulatory developments are converging to make Qualified Electronic Signatures the preferred method for contract execution. First, the new regulation eIDAS 2.0 creates the infrastructure that makes QES accessible through EUDI Wallet. Second, AMLA's regulatory technical standards prioritise the same eIDAS-compliant methods for identity verification. Let’s take a look at how these two developments work in concert.
eIDAS 2.0: Making QES accessible
The revised eIDAS regulation (eIDAS 2.0) entered into force in 2024 and fundamentally transforms how financial institutions use digital tools. Most importantly, it requires all EU member states to offer EUDI Wallets to citizens.
But that's not all. For banks, eIDAS 2.0 creates a strong trust model that shifts identity verification liability from banks to member states. When customers use EUDI Wallet, member states are legally liable for the credentials they issue — meaning banks can rely on government-verified identities with legal certainty rather than bearing the risk of document verification themselves.
The regulation also imposes stronger security requirements for QES, including mandatory secure elements with hardware-backed keys and enhanced cryptography standards. Banks that integrate with certified EUDI Wallets can demonstrate they're meeting the highest standards of digital identity security through the European Digital Identity Trust Mark certification scheme.
AMLA's verification hierarchy: Prioritising QES
While eIDAS 2.0 makes QES technically feasible, AMLA's Regulatory Technical Standards (RTS) under the Anti-Money Laundering Regulation (AMLR) establish how banks must prioritise verification methods.
Effective July 10, 2027, the RTS create a clear verification hierarchy that favours eIDAS-compliant methods. These include electronic identification (eID) with QES capability, EUDI Wallet with Qualified Electronic Attestations of Attributes (QEAA), national digital identity schemes meeting eIDAS standards, and qualified trust services.
In this new regulatory landscape, video identification becomes a fallback option, accepted only when eIDAS methods are unavailable or unsuitable, and banks must document why preferred methods weren't used and may face enhanced monitoring requirements. In-person branch-based verification remains compliant but represents the least efficient approach.
What this means for banks
All this means a massive shift for financial institutions of all kinds, but perhaps especially banks. The regulatory prioritisation of eIDAS-compliant verification methods will require significant investment, particularly for banks that have built their operations around video identification. Banks must offer EUDI Wallet as the primary verification option, maintain detailed documentation showing why alternative methods were used when applicable, and build compliance reporting infrastructure to track verification method usage.
Supervisors will scrutinise these statistics closely. If your video KYC usage remains high when EUDI Wallet is widely available, expect pointed questions about why eIDAS-compliant options weren't prioritised. Banks that haven't built EUDI Wallet capability by July 2027 will face supervisory findings and remediation requirements.
Here's a timeline of what takes effect, and when:
2024-2025: eIDAS 2.0 legal framework finalised
2026: EUDI Wallet rollout across member states (pilot and large-scale deployments)
July 10, 2027: AMLR takes effect with AMLA's verification hierarchy
2027-2028: Supervisory enforcement begins, with scrutiny on banks not prioritising eIDAS methods
Your QES compliance roadmap
Preparing for QES and eIDAS-compliant verification doesn't have to be overwhelming. Here's a practical roadmap broken into three phases: assessment, implementation, and optimisation.
Phase 1: Assess where you stand
Start with an honest assessment of your current setup. Are you already using eIDAS-compliant verification methods, or is most of your onboarding still built around video KYC and document uploads? Can your systems talk to EUDI Wallet APIs, or will you need major technical work?
Next, find the right technology partners who can support EUDI Wallet integration and QES capabilities, have proven QES implementation experience, and the flexibility to support multiple verification methods during the transition. If you operate across borders, make sure they offer EU-wide coverage and have solid GDPR expertise.
Once you've chosen your partners, start building. Connect your systems to EUDI Wallet APIs, develop QES workflows for account agreements and contracts, and make sure you have fallback options for customers who don't have wallets yet. Don't forget the behind-the-scenes infrastructure: audit logging and compliance reporting that tracks which verification methods you're using and generates reports for supervisory reviews.
Phase 2: Build compliant customer journeys
Before July 2027, make eIDAS-compliant verification your default option. Put EUDI Wallet front and centre in your onboarding flow, build QES into your account agreements, and explain the options clearly so customers naturally choose the compliant path.
Video KYC remains permissible as a fallback when eIDAS methods are unavailable or unsuitable, but banks must document why eIDAS-compliant options weren't used. This documentation matters when supervisors ask why some customers aren't using eIDAS methods.
Set up reporting systems that track verification method usage by volume and percentage. Your audit trails should capture not just which method was used, but whether eIDAS options were offered first and why alternatives were chosen.
Finally, train your teams. Compliance staff need to understand AMLA requirements, customer support needs to troubleshoot EUDI Wallet issues, and legal teams should know how QES affects contract validity.
Phase 3: Monitor, optimise, and expand
Once you're all set up, focus on continuous improvement. Track adoption rates, monitor customer feedback, and run quarterly compliance reviews to show supervisors you're making progress toward eIDAS-first verification. Modern identity verification platforms can automate much of this reporting, tracking which methods customers are using and flagging when your video KYC rates need attention.
As EUDI Wallet adoption grows, expand beyond account opening. Use QES for loan agreements, investment disclosures, and corporate banking authority verification. Leverage QEAA to verify specific attributes — like confirming a customer is over 18 or an EU resident, without accessing their full identity document. This approach strengthens compliance while improving customer experience.
Stay current with regulatory guidance as it evolves. AMLA will continue issuing implementation guidance, and national authorities may add country-specific requirements. Think of QES and EUDI Wallet as less of a one-off change than a foundational infrastructural shift that will mature alongside Europe's digital identity ecosystem.
Fourthline: Your Partner for QES Compliance
The question isn't whether to adopt QES and EUDI Wallet — it's whether you'll be ready by July 2027. Banks that act now position themselves ahead of regulatory requirements. Those that wait will face supervisory findings and competitive disadvantage.
Fourthline's platform handles the complexity: EUDI Wallet integration, QES workflows, automated compliance reporting, and audit trails that satisfy supervisory expectations. We help you meet AMLA's eIDAS-first requirements while improving customer experience and reducing fraud risk.
Solutions
Solutions
Fourthline has been certified by EY CertifyPoint to ISO/IEC27001:2022 with certification number 2021-039.
Copyright © 2026 - Fourthline B.V. - All rights reserved.
Fourthline has been certified by EY CertifyPoint to ISO/IEC27001:2022 with certification number 2021-039.
Copyright © 2026 - Fourthline B.V. - All rights reserved.