.svg)
On August 13, 2025, the National Bank of Ukraine (NBU) launched a consultation on proposed amendments to the Regulations governing the BankID NBU System. The purpose of these amendments is to bring Ukraine’s digital identification framework into closer alignment with Regulation (EU) No. 910/2014 on electronic identification and trust services (eIDAS) and the Law of Ukraine on Electronic Identification and Trust Services. The consultation closed on August 25, 2025 and, to date, there has not yet been any regulatory movement.
The draft text introduces harmonised definitions, sets out detailed contractual obligations and requires the creation of termination plans. By mirroring EU eIDAS standards on digital identity and trust services, these reforms aim to foster greater consumer trust, enhance competition and lay the groundwork for a secure and interoperable open banking system in the country.
The bigger picture
The link to open banking becomes clearer when viewed through the lens of eIDAS. At its core, Regulation (EU) No. 910/2014 is about creating legal certainty for digital identity and trust in services across the single European market. It ensures that a qualified electronic signature has the same legal value as a handwritten one, that electronic seals and time stamps can be relied on in court and that national eID schemes are mutually recognised. In other words, eIDAS builds the legal and technical foundations for trust in cross-border digital transactions.
For open banking, these foundations are critical. The revised Payment Services Directive (PSD2) gave third-party providers the right to access customer accounts, but doing so safely depends on strong authentication and reliable identity verification. By aligning BankID with eIDAS standards, mandating dynamic multi-factor authentication, clarifying provider responsibilities and embedding stricter security protocols the NBU is effectively equipping Ukraine with the same trust infrastructure that underpins open banking in the EU.
The implications are far-reaching. For banks, eIDAS-style identity guarantees mean greater confidence when granting third-party access, reducing compliance risk. For fintechs, it means a smoother path to integration, as their services can plug into a recognised and standardised digital identity layer rather than fragmented bank-by-bank solutions. And for customers, it means electronic transactions, whether opening an account, granting consent to a payment initiation service, or signing a digital contract, carry clear legal recognition and enforceability.
Against that backdrop, the initial focus of the regulations is likely to be centred around identity assurance and authentication integrity (strong credentials controls and robust binding of real-world identity to digital credentials), paired with an early emphasis on consent and auditability through standardised logs and qualified timestamps. Access to BankID is likely to be limited to vetted and certified providers, with liability clearly defined. The regulations may also focus on implementing security controls and prompt incident reporting from the outset.
Digital identity has become the foundation of payments modernisation and open banking. Neighbouring member states such as Poland, Romania and the Baltic countries have already embedded eIDAS standards into their frameworks, enabling a secure and interoperable approach to electronic identification. By moving its BankID framework towards eIDAS equivalence, Ukraine is positioning itself within this wider regional trajectory of convergence.
In this way, BankID’s evolution is not just about payments efficiency but about aligning Ukraine’s financial system with the broader digital single market architecture of the EU.
Beyond this, the BankID reforms tie directly into Ukraine’s macro-political ambition of EU accession, signalling the country’s capacity to adopt complex EU legislation ahead of full membership. Much as Montenegro and Albania used SEPA participation as a demonstration of alignment with European standards, Ukraine is using BankID modernisation to send a similar message about its direction of travel.
Why should you care?
For firms, the proposed amendments present both legal and operational challenges. From a legal and regulatory standpoint, providers will be subject to a greater range of obligations, from stronger data protection and breach reporting to more prescriptive contractual requirements. These obligations increase exposure to regulatory scrutiny and potential penalties, particularly in relation to the safeguarding of user data. Cross-border operators may also face the challenge of reconciling differences between Ukraine’s transitional regime and fully implemented eIDAS frameworks in EU markets.
From an operational perspective, the reforms demand significant system upgrades. Mandatory dynamic multi-factor authentication and stricter information security standards will require new investment in IT and cybersecurity infrastructures. The expansion of BankID coverage to individual entrepreneurs will increase onboarding volumes and administrative complexity, requiring careful planning to ensure efficiency. Furthermore, the obligation to prepare and maintain service termination plans adds an additional layer of operational overhead, particularly for institutions with large user bases.
However, on the other side, for firms, tighter rules ensure that access requests are more secure, reducing fraud and liability risks associated with third-party access.
For consumers, stronger BankID protections enhance trust in digital channels, encouraging greater use of online and mobile banking services. PSPs and banks that are seen as safeguarding digital identities and transactions are more likely to become the “default” provider for customers, which strengthens brand loyalty and reduces churn.
In short, the reforms are laying the trust architecture needed for open banking to scale.
Next steps
In regard to regulatory-related actions, firms should focus on two priorities. First, they must review the draft amendments to identify provisions that directly impact their role as subscriber-identifiers, providers or users. Second, they should conduct a gap analysis of their current systems against the proposed requirements, paying particular attention to authentication mechanisms, data protection processes and contractual templates.
In regard to operational-related actions, once the amendments are adopted, firms will need to move from assessment to implementation. This includes upgrading authentication systems to meet the requirement for dynamic multi-factor authentication, rewriting customer agreements to incorporate the new obligations on confidentiality, breach reporting and data accuracy, and developing a detailed service termination plan that specifies notification procedures and data destruction protocols. These tasks will require cross-functional coordination between compliance, legal, IT and operations teams.
Longer-term planning should be framed around strategic alignment. In regard to strategic-related actions, firms should monitor how the NBU positions BankID in relation to EU eIDAS 2.0 and the forthcoming PSD3 framework, both of which will further shape digital identity and open banking standards. In other words, firms should not only seek compliance but also position themselves for interoperability with European markets as Ukraine’s accession process moves forward.
Conclusion
Ultimately, the NBU’s consultation on BankID reforms is a strategic move that reinforces Ukraine’s credibility as a future EU member and accelerates the modernisation of its financial sector.
By taking a proactive stance, institutions can not only ensure compliance but also position themselves to benefit from the efficiencies, trust and interoperability that a modernised digital identity framework will bring. In this sense, the consultation marks both a regulatory challenge and an opportunity to lead in the transformation of Ukraine’s digital financial ecosystem.
For firms that fail to adapt, consequences will prevail. Beyond regulatory penalties and exclusion from the BankID system, those that are slow to adapt will struggle to compete in an environment where customer expectations are shifting rapidly towards seamless, secure and cross-border digital services. Neighbouring EU states such as Poland and Romania are already advancing their digital identity ecosystems under eIDAS, meaning that non-compliant firms in Ukraine risk being cut off from future interoperability and losing relevance in cross-border transactions with EU counterparties.
