
Estonia's Smart-ID+ Fixes Digital-ID Fraud by Design, Not by Mandate

As Estonian banks roll out QR-based Smart-ID+ to kill phone-call login scams, the country is proving security fixes belong in protocol design, not heavy-handed rules.

Estonia's Digital Identity by the Numbers (People of Internet Research · Estonia, peopleofinternet.com)

  - €29M lost to scams in 2025: triple the prior year, much via PI…
  - ~100M Smart-ID transactions monthly: across Baltic markets, per operato…
  - €125M e-Residency state revenue in 2025: up 87 percent year over year.
  - Jan 2026, government Smart-ID+ adoption: RIA enabled it for state e-service…


On June 12, 2026, Bigbank became the first Estonian lender to switch customers onto Smart-ID+, a hardened version of the authentication app that roughly 730,000 Estonians use to log into banks, file taxes, sign contracts and vote. LHV follows on June 17, with Swedbank and SEB adopting later in the year. The change is deceptively small: instead of typing an ID code and tapping "approve" when a login prompt appears, users must now self-initiate every session by scanning a dynamically generated QR code with the Smart-ID app — or via an app-to-app handshake. The app will only scan a genuine Smart-ID login code.

That single design choice targets the most lucrative scam in the Baltics. According to Estonia's Information System Authority (RIA), Estonians lost €29 million to fraud in 2025 — three times the prior year's total — much of it through a now-standardised script: a fake "bank officer," then a fake "police officer," walk a victim through entering PIN1 and PIN2 while a fraudulent login runs in the background. Because the old flow let an attacker trigger the authentication and the victim merely confirmed it, social engineering was enough. Smart-ID+ severs that link by requiring the user to start the session from their own device. The operator, SK ID Solutions, describes it as binding each authentication "tightly" to the user's own app, defeating phishing, man-in-the-middle and replay attacks.
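A simplified model of the design change described above, added here as an illustration; it is not SK ID Solutions' protocol or code. The class names, the one-second refresh interval and the HMAC-based code are assumptions, chosen to contrast a login that anyone holding an ID code can trigger with one that must be claimed from a fresh on-screen code.

```python
import hmac, hashlib, secrets

STEP_SECONDS = 1   # assumed QR refresh interval for this model
MAX_SKEW = 1       # accept the current step and the one before it

def code_tag(secret, step):
    return hmac.new(secret, str(step).encode(), hashlib.sha256).hexdigest()

class LegacyPushService:
    """Old flow as the article describes it: whoever knows the ID code starts the login."""
    def __init__(self):
        self.prompts = {}  # id_code -> session waiting for "approve"

    def start_login(self, id_code):
        session = secrets.token_hex(8)
        self.prompts[id_code] = session  # a prompt appears on the owner's phone
        return session

    def approve(self, id_code):
        # The owner only confirms; nothing ties the prompt to a screen they opened.
        return self.prompts.pop(id_code, None)

class QrBoundService:
    """Device-initiated flow: a session is claimed by scanning a short-lived code."""
    def __init__(self):
        self.sessions = {}  # session_id -> per-session secret

    def start_login(self):
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = secrets.token_bytes(32)
        return session_id  # no ID code is taken, so no remote prompt exists

    def qr_payload(self, session_id, now):
        step = int(now // STEP_SECONDS)
        return f"{session_id}.{step}.{code_tag(self.sessions[session_id], step)}"

    def claim(self, payload, user, now):
        parts = payload.split(".")
        if len(parts) != 3 or not parts[1].isdecimal():
            return None
        session_id, step, tag = parts
        secret = self.sessions.get(session_id)
        age = int(now // STEP_SECONDS) - int(step)
        if secret is None or not 0 <= age <= MAX_SKEW:
            return None  # unknown session, or a captured code that has expired
        if not hmac.compare_digest(tag.encode(), code_tag(secret, int(step)).encode()):
            return None  # code was not generated for this session
        del self.sessions[session_id]  # single use
        return (session_id, user)
```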

The right altitude for an intervention

There is a serious case for a tougher response. Fraud losses in Estonia have exceeded €100 million since 2023, and cybersecurity researchers have argued for years that banks underestimated Smart-ID's exposure to social engineering when they retired paper code cards in 2019. When citizens are losing their pensions to scripted phone calls, demands for the state to mandate stronger authentication — or even to throttle the digital-ID system itself — are neither unreasonable nor fringe.

But Estonia's approach is the more proportionate one, and it is worth naming why. Rather than legislating new compliance obligations, capping transaction limits, or adding identity-verification friction for every citizen, the fix lives in the protocol layer. RIA quietly adopted Smart-ID+ for state e-services on January 28, 2026, and banks are now layering it in. The threat model — remotely triggered logins — is closed off by redesigning the handshake, not by writing a rule that punishes the symptom. This is regulation-by-architecture, and it scales: Smart-ID processes nearly 100 million transactions a month across the Baltics, a volume no manual review regime could police.

Voluntary rollout is a feature, not a failure

The rollout is staggered and, for now, optional — banks adopt on their own timelines, and ERR reported earlier this year that lenders were "not rushing." Critics read that as dangerous foot-dragging while losses mount. The steelman is fair: every month a major bank delays, the old attack stays open.

Yet a phased, operator-led migration is precisely how you upgrade critical national infrastructure without breaking it. Smart-ID underpins not just banking but the Estonian state's entire e-government stack. A flag-day mandate forcing 730,000 users and four banks onto a new flow simultaneously would risk lockouts, support-line collapse and exactly the kind of outage that erodes the public trust digital identity depends on. Letting Bigbank go first and surface edge cases, then letting LHV, Swedbank and SEB learn from it, is responsible engineering, not negligence. The correct regulatory posture is to set a clear expectation and a backstop deadline — then let the providers execute.

Why this matters beyond fraud numbers

The timing is no accident. Estonia is simultaneously rebuilding the identity layer underneath e-Residency, its flagship program for non-residents who run EU companies remotely. The scheme generated €125 million for the Estonian treasury in 2025, up 87 percent, with e-residents founding 5,556 companies. Its 2026–2029 strategy phases out the plastic e-resident card in favour of a fully mobile, biometric, app-based identity — officials estimate a card-free model could lift company formation by at least 20 percent.

That ambition only works if app-based authentication is trustworthy. A mobile-first national identity that can be hijacked by a convincing phone call is a liability, not an asset. Smart-ID+ is therefore not a defensive patch but a precondition for the next decade of Estonian digital statecraft — and a quiet rebuke to jurisdictions that treat every security gap as a reason to slow digital identity down rather than to engineer it better.

The exportable lesson

For policymakers in the EU's eIDAS wallet rollout, India's Aadhaar-linked services, or any government weighing a digital-ID expansion, Estonia offers a template worth copying. The lesson is not "digital ID is too risky." It is that authentication design is the regulation that matters — and that the most effective consumer protection here came not from a statute but from changing where a login begins. When fraud is structural, fix the structure. Estonia is doing exactly that, and doing it without sacrificing the openness that made its digital society worth defending in the first place.

Sources & Citations

  1. SK ID Solutions — Estonia's Government Adopts Smart-ID+
  2. RIA — Surge in scams costs Estonian people €29 million
  3. ERR — Smart-ID+ upgrade aims to outwit scammers
  4. ERR — Estonian e-Residency program brought in €125 million in 2025
  5. SK ID Solutions — 2025: Advancing Digital Trust Beyond Borders