eIDAS 2 Deployment Timetable: EU 2026-2027 Rollout

Introduction: why the eIDAS 2 timetable is crucial for your organisation

Since the entry into force of Regulation (EU) 2024/1183 — commonly called eIDAS 2 — the European framework for digital identity and electronic signatures has undergone its most profound transformation since 2014. Whilst the revised text is formally adopted, it is its operational deployment, spread between 2024 and 2027, that now concentrates the attention of CISOs, legal teams and compliance officers. Understanding the official deployment timetable of the eIDAS 2 regulation in the European Union allows you to anticipate obligations, secure your contractual processes and avoid any compliance gaps. This article decodes the key stages, expected implementing acts and concrete impacts for French and European businesses.

---

1. Reminder: what is eIDAS 2 and why this revision?

1.1 The limitations of eIDAS 1 (2014)

The original eIDAS regulation (No 910/2014) laid the foundations for digital trust in Europe: mutual recognition of electronic signatures, creation of qualified (QES), simple (SES) and advanced (AdES) levels, and accreditation of Trust Service Providers (TSP). However, ten years of application have exposed several major gaps:

• National fragmentation: fewer than 19% of European citizens used a cross-border electronic identification scheme in 2022 according to the European Commission.
• Absence of a digital identity wallet: eIDAS 1 did not provide for a universal instrument enabling each citizen or business to prove their identity online in all Member States.
• Partial coverage: qualified electronic archiving services or attribute attestations were not harmonised.

1.2 The structural contributions of eIDAS 2

Adopted on 11 April 2024 and published in the EU Official Journal on 30 April 2024, Regulation (EU) 2024/1183 introduces in particular:

• The European Digital Identity Wallet (EUDI Wallet): digital identity wallet that each Member State must offer to its citizens.
• New qualified trust services: qualified electronic attribute attestations, qualified electronic archiving, management of remote signature creation devices.
• Extension of the scope of application: large online platforms (within the meaning of the DSA regulation) must accept the EUDI Wallet for user authentication.
• Strengthened governance: creation of a stricter certification of compliance framework for TSP.

To deepen your understanding of the regulation basics, our comprehensive guide to eIDAS 2.0 details all regulatory developments.

---

2. The official eIDAS 2 deployment timetable: stages and key dates 2024-2027

Regulation eIDAS 2 structures its entry into application around a multi-stage mechanism: entry into force, implementing acts from the Commission, national transposition and effective deployment of tools. Here is the official roadmap.

2.1 Phase 1 — Entry into force and delegated acts (May 2024 – end 2025)

| Date | Stage | |---|---| | 30 April 2024 | Publication of Regulation (EU) 2024/1183 in the Official Journal | | 20 May 2024 | Official entry into force (D+20 after publication) | | Q3-Q4 2024 | Launch of working groups on implementing acts (eIDAS 2 Toolbox) | | End 2024 | Publication of first technical reference specifications for EUDI Wallet (ARF — Architecture Reference Framework v1.4) | | Q1-Q2 2025 | Implementing acts from the Commission on technical specifications for wallets (12-month deadline provided for in Article 5a) | | Q3 2025 | Implementing acts relating to new qualified trust services |

The European Commission published in January 2025 the first batch of implementing acts on common technical specifications for the EUDI Wallet. These texts constitute the mandatory technical basis for Member States.

2.2 Phase 2 — Deployment of pilot projects and national transpositions (2025-2026)

As part of the Large Scale Pilots (LSP) programme, four consortiums have tested the EUDI Wallet since 2023 on more than 360 use cases across 25 Member States:

• EU Digital Identity Wallet Consortium (EUDIW) — 140+ entities
• NOBID — focused on digital payments
• POTENTIAL — identity and attributes
• DC4EU — diplomas and professional qualifications

The results of these pilots feed directly into the implementing acts. At the national level, Member States have 24 months from the entry into application of the implementing acts to deploy their national wallet. In practice, this means that the vast majority of national deployments are expected between mid-2026 and end 2026.

| Period | Expected actions | |---|---| | Q1-Q2 2026 | Final adoption of remaining implementing acts (qualified archiving, attribute attestations) | | Q2 2026 | First production versions of EUDI Wallets in pioneering States (Germany, Netherlands, Spain) | | Q3-Q4 2026 | Progressive rollout across the 27 Member States — opening to professional users | | End 2026 | Obligations to accept EUDI Wallet for online public services (Article 5b) |

France, through the National Agency for Information Systems Security (ANSSI) and the Interministerial Directorate for Digital (DINUM), has engaged its adaptation work in 2025. The French wallet project is based on France Identité as its technical foundation.

2.3 Phase 3 — Acceptance obligations for the private sector (2027)

This is the most impactful stage for businesses. Article 5b of the eIDAS 2 regulation requires that certain private sector service providers accept the EUDI Wallet for online identification in the following areas:

• Banking and financial services (account opening, KYC)
• Mobility (transport, car rental)
• Energy (consumer contracts)
• Very large online platforms (within the meaning of the DSA, > 45 million monthly users in the EU)
• Telecommunications

The mandatory acceptance deadline is set at 12 months after the wallet is made available in each Member State, which places the actual deadline for most sectors in the first half of 2027.

For businesses already using electronic signature solutions compliant with eIDAS, the challenge is to ensure the compatibility of their document flows with the new identity attributes from digital wallets.

---

3. Impact on Trust Service Providers (TSP) and SaaS editors

3.1 New obligations for qualified TSP

Qualified Trust Service Providers (QTSP) must update their certification practices to incorporate the new service categories introduced by eIDAS 2:

• Qualified electronic attribute attestations: digital driving licence, diplomas, professional qualifications
• Qualified electronic archiving: service guaranteeing the long-term integrity of signed documents
• Management of remote signature creation devices (RQSCD): clarification of the framework for cloud-based solutions

QTSP have until 18 months after the publication of revised ETSI standards (expected Q2-Q3 2026) to comply with the new technical requirements, positioning the first re-certifications effectively in 2027.

3.2 What this means for user businesses

If your organisation uses a SaaS electronic signature provider — whether it is a certified QES solution or an advanced signature tool — several compliance questions arise right now:

1. Is your service provider updating its certification to incorporate eIDAS 2 requirements?
2. Are your signature workflows ready to receive identities from EUDI Wallets?
3. Does your archiving policy meet the future requirements for qualified electronic archiving?

Our analyses of the comparison of electronic signature solutions now incorporate the eIDAS 2 roadmap criterion as a key differentiating factor.

3.3 Reference technical standards

ETSI (European Telecommunications Standards Institute) is responsible for producing the harmonised standards on which eIDAS 2 is based. The 2025-2027 work programme covers in particular:

• ETSI EN 319 411-1 and -2 (revised): policies and requirements for TSP issuing certificates
• ETSI EN 319 132-1 (XAdES) and EN 319 122-1 (CAdES): advanced and qualified signature formats
• ETSI TS 119 500: trust framework for qualified electronic archiving services
• ISO/IEC 18013-5: presentation protocol for mDL (mobile Driving Licence) attributes, adopted as the technical basis of the EUDI Wallet

---

4. eIDAS 2 timetable in France: progress and specific obligations

4.1 ANSSI's role in national governance

In France, ANSSI is the supervisory authority for trust service providers under eIDAS. In the context of eIDAS 2, it is driving:

• Adaptation of the general security framework (RGS) to incorporate new qualified services
• Participation in the work of the eIDAS cooperation group (Article 46e of the regulation)
• Supervision of audit compliance for French QTSP

ANSSI published in March 2025 a national roadmap clarifying the steps to adapt the French framework to eIDAS 2, with a progress review scheduled for September 2026.

4.2 Obligations for large French businesses

French businesses exceeding DSA thresholds or operating in sectors targeted by Article 5b must now undertake an impact analysis. Recommended steps are:

1. Mapping of identification flows: identify processes where digital identity is required (KYC, contract signing, client portal access)
2. Evaluation of current service providers: verify their eIDAS 2 compliance roadmap
3. Plan to update T&C and signature policies: anticipate the integration of identity attributes from EUDI Wallets
4. Training of legal and IT teams: the technical and legal framework is evolving significantly

For businesses managing high volumes of contracts, enterprise electronic signature tools must be evaluated in light of their ability to evolve towards eIDAS 2 without service disruption.

4.3 Alignment with other European regulations

The deployment of eIDAS 2 does not happen in isolation. It is closely aligned with:

• GDPR (2016/679): identity attributes contained in EUDI Wallets constitute personal data subject to minimisation and purpose limitation principles
• NIS 2 Directive (2022/2555): TSP are essential entities within the meaning of NIS 2 and must meet enhanced cybersecurity requirements
• DORA Regulation (2022/2554): financial institutions using trust services for their digital operations must integrate these dependencies into their ICT risk mapping
• Data Regulation (Data Act, 2023/2854): interoperability of identity data across sectors

Businesses that have already engaged in NIS 2 compliance will find significant synergies with eIDAS 2 compliance, particularly on risk management and business continuity.

---

5. Preparing your organisation right now: the 2026 checklist

5.1 For legal and compliance departments

• [ ] Read Regulation (EU) 2024/1183 in its consolidated version and identify articles applicable to your sector
• [ ] Map contracts and processes requiring updates (signature clauses, retention policies)
• [ ] Verify the cross-border legal validity of your current electronic signatures in the eIDAS 2 context
• [ ] Anticipate the integration of qualified attribute attestations (e.g. verification of professional qualification for notarial or medical acts)

5.2 For information systems departments

• [ ] Assess the compatibility of your technical stack with EUDI Wallet protocols (OpenID4VP, ISO 18013-5)
• [ ] Identify APIs to be updated with your electronic signature editors
• [ ] Plan testing with pilot wallets available in 2026
• [ ] Set up monitoring of Commission implementing acts (notifications in the EU Official Journal)

5.3 For business departments

The expected gains from well-anticipated compliance are concrete: reduction of friction in signature processes thanks to pre-verified identity from the EUDI Wallet, acceleration of KYC processes, and reduction in identity verification costs. To assess the return on investment of your transition, our electronic signature ROI calculator now incorporates parameters specific to eIDAS 2 compliance.

Finally, organisations considering migration from other solutions to a platform natively prepared for eIDAS 2 can consult our migration guide from DocuSign or YouSign to Certyneo, which details the technical and contractual steps of a seamless transition.

Legal framework applicable to eIDAS 2 deployment

Founding texts and hierarchy of norms

The deployment of eIDAS 2 is part of a stratified legal framework whose mastery is essential for any organisation subject to compliance obligations.

Regulation (EU) 2024/1183 of the European Parliament and of the Council — known as "eIDAS 2" — constitutes the reference standard. It repeals and replaces Regulation (EU) No 910/2014 (eIDAS 1) on the points it revises, whilst maintaining the validity of existing certifications during the transition periods provided for in Articles 51 et seq. Published in the EU Official Journal series L on 30 April 2024, it entered into force on 20 May 2024.

The French Civil Code, Articles 1366 and 1367, enshrines the recognition of electronic signature as equivalent to handwritten signature when it meets the conditions of signer identification and document integrity. These provisions are interpreted in light of European eIDAS law, which takes precedence by virtue of the principle of primacy of Union law.

Regulation (EU) 2016/679 (GDPR) applies in full to personal data processing carried out in the context of the EUDI Wallet and trust services. Identity attributes (biographical data, qualifications, licences) constitute personal data within the meaning of Article 4 §1 of the GDPR. The minimisation principle (Article 5 §1 c) is particularly relevant: providers must only collect attributes strictly necessary for the purpose of the transaction.

Directive (EU) 2022/2555 (NIS 2), transposed into French law by Law No 2024-449 of 21 May 2024, classifies qualified trust service providers amongst essential entities subject to enhanced obligations regarding cyber risk management, incident notification and supply chain security.

ETSI standards constitute the harmonised technical reference for eIDAS 2:

• ETSI EN 319 401: general requirements for TSP
• ETSI EN 319 411-1/-2: policies for TSP issuing qualified certificates
• ETSI EN 319 132-1: XAdES format (advanced XML signatures)
• ETSI EN 319 122-1: CAdES format (advanced CMS signatures)
• ETSI EN 319 162-1: ASiC format (signature containers)

Legal risks in case of non-compliance

Non-compliance with eIDAS 2 obligations exposes organisations to several risks:

1. Enforceability of signatures: an electronic signature made via a TSP not compliant with the new requirements may lose the legal presumption of validity, undermining the probative value of signed contracts.
2. Administrative sanctions: national supervisory authorities (ANSSI in France) may impose corrective measures, compliance injunctions, or even withdrawal of accreditation for TSP.
3. Contractual liability: businesses using non-compliant tools may have their liability engaged towards their clients and partners if a dispute concerns the validity of an electronically signed deed.
4. Cumulative with GDPR: non-compliant management of EUDI Wallet identity attributes may simultaneously expose you to CNIL sanctions (up to 4% of global annual turnover).

Concrete usage scenarios in light of the eIDAS 2 timetable

Scenario 1 — A mid-size law firm managing cross-border transactions

A business law firm with approximately fifteen associates regularly handling M&A transactions involving counterparties in several EU Member States (Belgium, Netherlands, Spain) currently uses a qualified electronic signature solution for share transfer documents and confidentiality protocols. With the entry into application of the eIDAS 2 timetable, the firm anticipates two major developments by end 2026:

• Simplified identity verification: foreign counterparties will be able to present their identity attributes via their national EUDI Wallet, eliminating exchanges of passport copies and redundant KYC procedures. According to estimates from Commission reports on the LSP, the time saving on the identity verification phase is estimated at 40% to 60% depending on the jurisdictions involved.
• Enhanced probative value: deeds signed with identities attested by qualified EUDI Wallets will benefit from an even more robust legal presumption, reducing the risk of judicial challenge in cross-border disputes.

The firm plans to migrate to a SaaS platform with a documented eIDAS 2 roadmap before Q3 2026, approximately six months before the first acceptance obligations.

Scenario 2 — A SME in the industrial sector managing high-volume supplier contracts

A SME in the industrial equipment sector managing approximately 250 supplier contracts per year, 30% of which are with European partners outside France, faces increasing constraints in identity verification during onboarding of new suppliers. The current process — request for company registration, copy of legal representative's ID, manual verification — requires an average of 2.5 hours per file according to sector benchmarks.

With the integration of EUDI Wallet into its signature workflow by 2027, the SME projects:

• A reduction of 55 to 70% of time spent on identity verification thanks to qualified attribute attestations (registration number, legal representation)
• An 80% decrease in document requests from foreign suppliers
• Enhanced security against document fraud, with attributes being cryptographically verifiable

The SME has identified the need to update its general purchasing conditions to integrate the reference to eIDAS 2 attestations, in liaison with its legal adviser.

Scenario 3 — A hospital group anticipating compliance for digital medical acts

A hospital group of approximately 900 beds across three sites must manage the electronic signature of sensitive medical documents: informed consents, prescriptions, operation reports and contracts with healthcare providers. French regulations impose qualified signature for certain medical acts with strong legal significance.

In the perspective of the eIDAS 2 timetable, the group anticipates the arrival of qualified attribute attestations for healthcare professional qualifications (RPPS number, specialty, place of practice), which will enable:

• Automated verification of signer quality (doctor, surgeon, pharmacist) without manual verification in professional directories
• Reduced risk of signature attribution errors during replacements and on-call shifts
• Facilitated portability of digital medical records between institutions, within the framework of the European health data space (EHDS)

The group estimates that integrating EUDI Wallet flows into its hospital information system (HIS) represents a project of 12 to 18 months, justifying the launch of technical studies by Q3 2026 for production deployment before the sector-wide acceptance obligation.

Conclusion

The deployment timetable for Regulation eIDAS 2 in the European Union is now clearly mapped: implementing acts being finalised in 2026, deployment of national EUDI Wallets between mid-2026 and end 2026, and acceptance obligations for the private sector from the first half of 2027. This roadmap leaves a concrete window of action for French and European businesses, provided you now engage in compliance analysis, service provider evaluation and updating of contractual processes.

Waiting until 2027 to achieve compliance risks a rushed transition, with the costs and legal risks that entails. Certyneo, designed natively for eIDAS requirements and with an active roadmap towards eIDAS 2, supports you from today in this transition. Start free on Certyneo and secure your document flows in compliance with the European digital trust framework.