eIDAS Compliance for SMEs: Complete 2026 Checklist
How to ensure an SME is compliant with eIDAS regulation in 2026? 12-point checklist: signature levels, service provider, archival, GDPR.
Certyneo Team
Editor — Certyneo

The European eIDAS regulation (EU No. 910/2014, soon amended by eIDAS 2.0) governs electronic signatures across the entire European Union. For an SME, being compliant is not just a box to tick: it is the guarantee that its contracts are enforceable, that its signature data is protected, and that it protects itself against legal risks that can be costly. Here is the 2026 checklist in 12 concrete points to verify that your SME is perfectly eIDAS compliant.
Point 1: Choose the right signature level
First step: map your contract types and assign a target level to each. Standard commercial contracts (quotes, purchase orders, simple NDAs): a simple electronic signature (SES) is sufficient. Employment contracts, leases, sensitive NDAs, strategic agreements: advanced electronic signature (AES) at minimum, preferably with SMS OTP. Regulated acts (solicitor, notary, public procurement above a threshold): qualified electronic signature (QES) mandatory. Without this mapping, you risk choosing too low a level (contract rejected) or too high a level (excessive cost).
Point 2: Verify service provider qualification
Your service provider must be a Qualified Trust Service Provider (QTSP) or rely on a QTSP for AES/QES levels. Consult the Trust Services List published by ANSSI (eidas.ssi.gouv.fr) and the European Trusted List (webgate.ec.europa.eu/tl-browser). Reference French QTSPs: Certigna, Docaposte, Certinomis, Universign. For SES/AES via a platform (Certyneo, Yousign, etc.), verify that their eIDAS compliance is explicitly documented.
Point 3: Test the audit trail
Sign a test envelope and retrieve the audit trail (usually a separate PDF). It must contain: identity and email of the signatory, timestamp of each step (sending, opening, validation, signature), IP address, user agent, document hash, OTP validation if AES. If any of these elements are missing, the evidence value is weakened. Certyneo provides the complete audit trail even on the free plan.
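The completeness check described above can be automated once the audit trail's values are transcribed or exported into a dictionary. The following is an added example, not Certyneo's code or export format: the key names, the use of SHA-256 over the document bytes, and the sample data are assumptions made for illustration.

```python
import hashlib
from datetime import datetime

# Key names are assumptions for this example, not a provider's real export schema.
REQUIRED = ("signer_name", "signer_email", "ip_address", "user_agent", "document_sha256")
STEPS = ("sent", "opened", "validated", "signed")  # order the events must follow

def check_audit_trail(trail: dict, document: bytes) -> list:
    """Return a list of findings; an empty list means the trail is complete."""
    findings = [f"missing field: {k}" for k in REQUIRED if not trail.get(k)]
    previous = None
    for step in STEPS:
        raw = trail.get("events", {}).get(step)
        try:
            ts = datetime.fromisoformat(raw) if raw else None
        except (ValueError, TypeError):
            ts = None
        # A step without a parseable, timezone-aware time cannot be placed in order.
        if ts is None or ts.tzinfo is None:
            findings.append(f"missing or unusable timestamp: {step}")
            continue
        if previous and ts < previous:
            findings.append(f"timestamp out of order: {step}")
        previous = ts
    # The recorded hash must match the document actually held on file.
    recorded = trail.get("document_sha256")
    if recorded and recorded.lower() != hashlib.sha256(document).hexdigest():
        findings.append("document hash mismatch")
    # AES envelopes must also carry proof that the OTP was validated.
    if trail.get("level") == "AES" and not trail.get("otp_validated"):
        findings.append("AES without OTP validation")
    return findings

# Constructed sample: stand-in document bytes and a matching trail.
SAMPLE_DOC = b"%PDF-1.7 constructed sample contract"
SAMPLE_TRAIL = {
    "level": "AES", "otp_validated": True,
    "signer_name": "Jane Example", "signer_email": "jane@example.com",
    "ip_address": "203.0.113.10", "user_agent": "Mozilla/5.0",
    "document_sha256": hashlib.sha256(SAMPLE_DOC).hexdigest(),
    "events": {"sent": "2026-01-05T09:00:00+00:00", "opened": "2026-01-05T09:12:00+00:00",
               "validated": "2026-01-05T09:13:30+00:00", "signed": "2026-01-05T09:14:02+00:00"},
}

if __name__ == "__main__":
    print(check_audit_trail(SAMPLE_TRAIL, SAMPLE_DOC) or "audit trail complete")
```

Running the same check on every envelope type during the annual audit shows whether a provider change has silently dropped one of the evidence fields.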
Point 4: Check timestamping
The timestamp must be issued by a Time Stamp Authority (TSA) compliant with RFC 3161. A timestamp that simply comes from the company's NTP server is not sufficient. Open the signed PDF in Adobe Reader: Signatures tab → Details → Timestamp. You should see a valid TSA certificate and a certified clock. If the PDF does not have a certified timestamp, reconsider your service provider choice.
Point 5: Archive for 10 years minimum
The French Commercial Code (article L. 123-22) requires retention of commercial documents for 10 years. The Labour Code requires 5 years for employment contracts after termination. Archival must preserve integrity (hash, sealing) and access. Ideal: PDF/A format (ISO 19005), dual storage (primary + offsite backup), qualified electronic safe (CFE) for maximum proof value. Certyneo archives for 10 years by default and offers export to partner CFEs.
Point 6: Verify data location
Where is your signature data hosted? For a French SME handling sensitive contracts, prioritise hosting in France or the EU. Ask your service provider for the list of subprocessors and their location (article 28 GDPR). Avoid solutions subject to the American Cloud Act for strategic contracts. Certyneo is hosted in France, with no Cloud Act dependency. See our article on /blog/cloud-act-signature-electronique.
Point 7: Align with GDPR
Signature and GDPR are closely linked: each envelope contains personal data (name, email, IP, phone number). Ensure that your processing record (art. 30 GDPR) includes electronic signature, that retention periods are consistent (10 years), and that individual rights are implementable (access, rectification, portability). If you request many signatures, a DPO is recommended. See our article /blog/signature-electronique-rgpd.
Point 8: Identify signatories in advance
For a solid AES, identification does not start at signature: it starts at data collection. Verify emails (no aliases, no mailing lists) and phone numbers (no shared lines), and keep a record of the identification source (ID document for significant contracts, existing customer KYC for ongoing contracts). This due diligence strengthens proof value in case of dispute.
Point 9: Train teams
Your sales, HR and legal teams must understand the rules: never force a signatory to use a third-party device, never send back a modified signed PDF, never paste a scanned signature image in place of a true signature. One hour of training per team is sufficient to embed good practices. Certyneo provides a comprehensive guide to share internally (/ressources).
Point 10: Review service provider contracts
The service provider's terms and conditions must: commit to eIDAS compliance, specify archival periods, include a GDPR data processing agreement (art. 28), document subprocessors, provide a reversibility plan in case of termination. Also request SOC 2 Type II or equivalent if you handle significant volumes. For Certyneo, these documents are available on /legal and /security.
Point 11: Prepare for eIDAS 2.0 and the EUDI Wallet
The eIDAS 2.0 regulation (EU 2024/1183) enters into force progressively and requires Member States to deploy an EUDI Wallet by the end of 2026. This digital identity wallet will notably enable access to remote QES without a physical registration office. Prepare your SME: verify that your service provider has an EUDI Wallet roadmap, and follow communications from ANSSI and the European Commission. See /blog/eidas-2-nouveau-reglement-2026.
Point 12: Audit annually
Compliance is not an acquired status: it is an ongoing approach. Schedule an annual audit (internal or external) to verify: regulatory changes, service provider evolutions, updated contract type mapping, actual retention, training of new hires. A light audit takes half a day for an SME and prevents many surprises. Start by creating a free Certyneo account on certyneo.com/signup to test practical compliance, then consult our eIDAS guide for in-depth information (/guide/eidas).