
eIDAS 2 Certification for Signature Service Providers 2026

The eIDAS 2 regulation imposes new requirements on trust service providers. Discover the complete certification pathway to remain compliant in 2026.


Certyneo Team


Why eIDAS 2 Certification Changes the Game for Service Providers

Since the entry into force of Regulation (EU) 2024/1183 of 11 April 2024 — commonly called eIDAS 2 — trust service providers (TSP) operating in the European Union face a fundamentally overhauled regulatory framework. The revision of the original eIDAS regulation of 2014 goes beyond simply widening the scope of recognised services: it substantially tightens accreditation conditions, introduces new levels of assurance and strengthens surveillance requirements for national oversight bodies. For any player wishing to offer qualified electronic signature (QES) or advanced (AdES) services on the European market, understanding how to obtain eIDAS 2 certification for a signature service provider is no longer optional — it is a strategic obligation.

This article provides a comprehensive overview of the certification pathway: applicable legislation, technical standards to observe, the role of conformity assessment bodies (CAB), realistic timelines and operational points of vigilance.

---

The New eIDAS 2 Regulatory Landscape: What Has Changed

From Regulation 910/2014 to Regulation 2024/1183: Major Developments

The original eIDAS regulation (No. 910/2014) laid the foundations for a unified digital trust market in Europe. It defined three levels of signature — simple, advanced and qualified — and required qualified providers to appear on the national trusted lists (TSL). eIDAS 2 retains this architecture but enriches it on several structural points:

  • Extension of qualified services: qualified electronic archiving, electronic attestations of attributes (EAA), remote management of qualified signature creation devices (QSCD). These new services are now subject to the same accreditation procedure as qualified signatures.
  • The European digital identity wallet (EUDIW): providers wishing to interact with the future identity wallet must demonstrate compliance with technical specifications published by the Commission (ARF — Architecture and Reference Framework, v1.4, 2024).
  • Strengthened supervision: national supervisory authorities (in France, ANSSI) have strengthened powers of investigation and enforcement. Qualified TSP may be subject to ad hoc audits.
  • Reduced notification deadlines: any significant security incident must be notified to the competent authority within 24 hours (versus 72 hours in the previous version for certain incidents).

For a comprehensive overview of the regulation, the eIDAS 2.0 guide from Certyneo offers a pedagogical summary of all these developments.

Assurance Levels and Their Implications for Certification

The distinction between advanced and qualified electronic signature remains the pivot of the system. Only QES benefits from a legal presumption of integrity and attribution equivalent to a handwritten signature (Art. 25 of eIDAS 2 regulation). This presumption is directly conditional on the provider's certification.

| Level | Probative Value | Provider Requirement |
|---|---|---|
| Simple (SES) | Limited | None |
| Advanced (AdES) | Significant | Best practices + ETSI standards |
| Qualified (QES) | Maximum (legal presumption) | Mandatory eIDAS 2 certification |

---

The eIDAS 2 Certification Process Step by Step

Step 1 — Organisational and Technical Prerequisites

Before formally engaging in the certification process, a provider must audit its maturity level on three axes:

1. Compliance with ETSI Standards

The standards in the EN 319 series form the essential technical foundation. The main ones are:

  • ETSI EN 319 401: general requirements for trust service providers
  • ETSI EN 319 411-1 and 411-2: policies and requirements for certification authorities issuing certificates (PTC-QC profiles for qualified certificates)
  • ETSI EN 319 421: policy and requirements for time-stamping service providers
  • ETSI EN 319 132: the XAdES (XML) signature format, together with the associated CAdES (CMS) and PAdES (PDF) series

Compliance with these standards is not optional for qualified providers: it is explicitly required by the Commission's implementing acts.

2. Information Systems Security

QSCD (qualified signature creation devices) must be certified according to Common Criteria (CC) EAL4+ or equivalent. For remote signature solutions — the dominant SaaS model — requirements also extend to HSM modules (Hardware Security Module) and procedures for managing cryptographic keys (FIPS 140-2 level 3 minimum compliance).

3. Security Policy (PSSI) and Risk Management

The certification file requires a formalised security policy aligned with ISO/IEC 27001 (certification of which is strongly recommended and sometimes required by CABs) and incorporating NIS2 requirements for entities classified as "important" or "essential".

Step 2 — Selection and Engagement of a Conformity Assessment Body (CAB)

In France, CABs accredited by COFRAC (French Committee for Accreditation) to assess trust service providers are few in number. For example, LSTI (Laboratory for Information Technology Security) and Bureau Veritas Certification are among the referenced players. At the European level, each Member State publishes the list of its notified CABs.

The CAB's role is to conduct a conformity audit in two phases:

  1. Documentary review (Phase 1): examination of policies, procedures, Certification Practice Statement (CPS) and technical evidence.
  2. On-site audit (Phase 2): verification of operational controls, penetration testing, team interviews.

The total duration of a CAB audit typically ranges from 4 to 8 weeks depending on the candidate's prior maturity.

Step 3 — Instruction by the National Supervisory Authority

In France, it is the ANSSI (National Cybersecurity Agency) that processes applications for inclusion on the national trust list (TSL FR). Based on the CAB audit report, ANSSI conducts its own analysis and may request additional information or corrective measures.

The statutory instruction period is 3 months from receipt of a complete file (Art. 17 of eIDAS 2 regulation). In practice, actual timelines are often longer if the initial file is incomplete.

Once entered on the national TSL, the provider is automatically referenced in the EUTL (EU Trusted List), published by the European Commission, which grants it immediate cross-border recognition across all 27 Member States.

Step 4 — Maintaining Qualification and Renewal

eIDAS 2 certification is not permanent. Qualified providers are subject to:

  • Annual surveillance audit conducted by the CAB
  • Full renewal audit every 24 months (a shortened cycle compared to previous practice)
  • Ad hoc inspections possible at ANSSI's initiative

Any material change to the infrastructure (HSM change, PKI evolution, new qualified service) triggers a prior notification procedure and may require a partial audit.

---

Costs, Timelines and Risk Factors: What IT Directors Must Anticipate

Budget and Human Resources

The cost of first-time eIDAS 2 certification is significant. Expense items include:

  • CAB audit: between €40,000 and €120,000 depending on scope complexity
  • Technical compliance (HSM, PKI, CC-certified QSCD): €80,000 to several hundred thousand euros for proprietary infrastructure
  • ISO 27001 certification (recommended beforehand): €15,000 to €50,000 depending on size
  • Legal and CPS drafting fees: €10,000 to €30,000
  • Internal costs: dedicated team mobilisation (CISO, DPO, compliance officer) for 12 to 18 months

Adding all these items together, complete certification represents a total investment of around €200,000 to €500,000 for a mid-sized provider, excluding ongoing maintenance costs.

Operational Risk Factors

The most frequent causes of failure or delay in certification procedures are:

  1. Insufficiently detailed CPS: the Certification Practice Statement must document each control with sometimes underestimated granularity.
  2. Gaps in key lifecycle management: revocation, archiving, destruction of private keys.
  3. Insufficient incident governance: lack of SIEM, untested incident management procedures, missing runbooks.
  4. Underestimation of NIS2: since October 2024, qualified TSP are automatically classified as "important" entities under the NIS2 directive, with additional reporting and risk management obligations.

For companies wishing to delegate these constraints to an already-certified provider rather than building their own infrastructure, the comparison of electronic signature solutions available on Certyneo helps objectify this build-versus-buy decision.

---

eIDAS 2 and Electronic Signature in Business: Transition Issues

For user organisations — as opposed to providers — the eIDAS 2 certification of their SaaS signature vendor is now an essential selection criterion. Incorporating into calls for tender a clause requiring inclusion on the national TSL has become standard practice in regulated sectors (finance, health, real estate).

Electronic signature in business indeed requires clearly distinguishing use cases requiring QES — high-stakes deeds, mandates, electronic notarial acts — from those where AdES suffices. This mapping of uses directly determines the level of service contractually required from the provider.

Organisations migrating from an existing solution to a provider certified under eIDAS 2 must also anticipate the portability of proof archives. The guide on migration from DocuSign or YouSign to Certyneo details best practices for preserving the probative value of documents already signed during the transition.

Founding Texts

Trust service provider certification rests on a dense regulatory stack that must be mastered in its entirety:

Regulation (EU) 2024/1183 of 11 April 2024 (eIDAS 2): the reference text that repeals and replaces corresponding provisions of Regulation 910/2014. It defines the conditions for obtaining and maintaining qualified provider status, national supervision obligations, and requirements for new services (EUDIW, EAA).

Regulation (EU) No 910/2014 (eIDAS 1): still partially applicable for provisions not amended; implementing and delegated acts adopted under this regulation remain in force until their formal revision.

French Civil Code, Articles 1366 and 1367: Article 1366 establishes the principle of equivalence of electronic signature to handwritten signature subject to reliability; Article 1367 clarifies that reliability is presumed until proven otherwise when qualified signature is used. These national provisions dovetail directly with the legal presumption in Art. 25 eIDAS 2.

Directive (EU) 2022/2555 (NIS2): transposed into French law by the law of 15 October 2024, it automatically classifies qualified trust service providers among important entities. Obligations: notification to ANSSI within 72 hours for any significant incident, implementation of formalised risk management, periodic security audit.

Regulation (EU) 2016/679 (GDPR): signature service providers process sensitive personal data (identity of signatories, audit logs). Compliance with the principles of minimisation, storage limitation and integrity requires a specific impact assessment (DPIA). The legal basis of processing must be documented for each service.

Technical Standards with Regulatory Force

Commission implementing acts (notably Implementing Decision (EU) 2015/1506 and its revisions) designate ETSI standards as presumptively compliant:

  • ETSI EN 319 401: general TSP requirements
  • ETSI EN 319 411-1 and 411-2: certification policies
  • ETSI EN 319 421: qualified time-stamping
  • ETSI EN 319 132 / 122 / 102: AdES formats (XAdES, CAdES, PAdES, ASiC)
  • ETSI TS 119 431: remote signature services

Fraudulent or negligent use of qualified provider status exposes the provider to administrative sanctions imposed by ANSSI (suspension, removal from the trust list) and to criminal prosecution (Art. 226-17 of the Criminal Code for failure to secure personal data). On the civil front, challenges to the probative value of signatures issued during a period of non-compliance may engage the provider's contractual liability to its clients.

Use Case Scenarios: eIDAS 2 Certification in Practice

Scenario 1 — A Mid-Sized SaaS Vendor Targeting QES Qualification

A company specialising in document dematerialisation, employing about a hundred staff and managing several million signature transactions annually on behalf of clients in banking and insurance sectors, decides to seek eIDAS 2 qualification for its electronic signature service. Until now, the company offered advanced certificate-based signature (AdES), sufficient for most client contracts but inadequate for acts requiring maximum probative value (SEPA mandates, notarised proof agreements).

After a 3-month internal audit revealing around fifteen major gaps versus ETSI EN 319 411-2 requirements, the company launches a 14-month compliance programme. The main projects concern replacing existing HSMs with FIPS 140-2 level 3 certified modules, drafting a 180-page CPS, and obtaining ISO 27001 certification prior to the CAB audit. Total investment reaches €340,000. Upon completion, inclusion on the French TSL enables the company to access calls for tender from which it was systematically excluded, representing estimated commercial potential of 20% additional revenue.

Scenario 2 — A Hospital Group Integrating Qualified Signature for Medico-Legal Acts

A hospital group of approximately 1,200 beds wishes to dematerialise its processes for informed consent, delegation of medical powers and clinical research contracts. These documents fall into the category of acts for which QES is required or strongly recommended by HAS reference frameworks and the legal framework for health data (Art. L. 1110-4 CSP).

Rather than certifying in-house infrastructure — an option judged too costly and outside core business — the group opts for integration of a third-party provider already entered on the TSL. The IT department conducts a vendor compliance audit based on the ETSI EN 319 401 checklist and verifies actual presence on the EUTL before any contracting. Deployment, completed in 4 months, reduces by 65% the timeline for collecting signatures on clinical research files and eliminates the legal challenge risk associated with prior use of simple signatures for sensitive acts.
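The TSL check described in this scenario (and the TSL-to-EUTL chain in Step 3) can be automated. The following script is an added example, not part of the original article and not Certyneo's own tooling: it parses a trusted list in the ETSI TS 119 612 XML structure and reports whether a named provider has a qualified CA service with status "granted", "withdrawn", or no entry at all, and refuses to rely on a list past its NextUpdate. The list embedded below is a constructed sample, not an extract of the French TSL or the EU LOTL; the namespace, element names and status/service-type URIs are those defined by ETSI TS 119 612.

```python
"""Check whether a trust service provider's qualified CA service is listed as
"granted" on a trusted list, following the ETSI TS 119 612 XML structure.

The list below is CONSTRUCTED for this example, not an extract of the French
TSL or the EU LOTL; the namespace, element names and status/service-type URIs
are those of ETSI TS 119 612.
"""
from dataclasses import dataclass
from datetime import datetime
import xml.etree.ElementTree as ET  # use defusedxml for lists fetched from the network

TSL_NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
STATUS_WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"
SVCTYPE_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"

# Constructed sample: one provider with a granted CA/QC service, one withdrawn.
SAMPLE_TSL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
  <SchemeInformation>
    <SchemeTerritory>FR</SchemeTerritory>
    <ListIssueDateTime>2026-01-15T10:00:00Z</ListIssueDateTime>
    <NextUpdate><dateTime>2026-07-15T10:00:00Z</dateTime></NextUpdate>
  </SchemeInformation>
  <TrustServiceProviderList>
    <TrustServiceProvider>
      <TSPInformation><TSPName><Name xml:lang="en">Example Trust Services SAS</Name></TSPName></TSPInformation>
      <TSPServices><TSPService><ServiceInformation>
        <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
        <ServiceName><Name xml:lang="en">Example QES CA</Name></ServiceName>
        <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
        <StatusStartingTime>2025-03-01T00:00:00Z</StatusStartingTime>
      </ServiceInformation></TSPService></TSPServices>
    </TrustServiceProvider>
    <TrustServiceProvider>
      <TSPInformation><TSPName><Name xml:lang="en">Former Provider SA</Name></TSPName></TSPInformation>
      <TSPServices><TSPService><ServiceInformation>
        <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
        <ServiceName><Name xml:lang="en">Former QES CA</Name></ServiceName>
        <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
        <StatusStartingTime>2024-11-30T00:00:00Z</StatusStartingTime>
      </ServiceInformation></TSPService></TSPServices>
    </TrustServiceProvider>
  </TrustServiceProviderList>
</TrustServiceStatusList>
"""


@dataclass(frozen=True)
class ServiceEntry:
    tsp_name: str
    service_name: str
    service_type: str
    status: str
    status_since: datetime


def _parse_time(value):
    """Parse an xsd:dateTime; the trailing 'Z' is rewritten so Python < 3.11 accepts it."""
    if not value:
        raise ValueError("missing dateTime in trusted list")
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def parse_trusted_list(xml_text):
    """Return (next_update, [ServiceEntry, ...]) for every service of every TSP in the list."""
    root = ET.fromstring(xml_text)
    next_update = _parse_time(
        root.findtext("tsl:SchemeInformation/tsl:NextUpdate/tsl:dateTime", namespaces=TSL_NS))
    entries = []
    for tsp in root.iterfind("tsl:TrustServiceProviderList/tsl:TrustServiceProvider", TSL_NS):
        tsp_name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", default="", namespaces=TSL_NS)
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", TSL_NS):
            entries.append(ServiceEntry(
                tsp_name=tsp_name.strip(),
                service_name=svc.findtext("tsl:ServiceName/tsl:Name", default="", namespaces=TSL_NS).strip(),
                service_type=svc.findtext("tsl:ServiceTypeIdentifier", default="", namespaces=TSL_NS).strip(),
                status=svc.findtext("tsl:ServiceStatus", default="", namespaces=TSL_NS).strip(),
                status_since=_parse_time(svc.findtext("tsl:StatusStartingTime", namespaces=TSL_NS)),
            ))
    return next_update, entries


def qualified_ca_status(xml_text, tsp_name, now_iso):
    """Outcome for a TSP's CA/QC entries: 'granted', 'withdrawn', 'not_listed' or 'list_stale'."""
    next_update, entries = parse_trusted_list(xml_text)
    if _parse_time(now_iso) > next_update:
        return "list_stale"  # a list past its NextUpdate must be refreshed before it is relied on
    wanted = tsp_name.casefold().strip()
    statuses = {e.status for e in entries
                if e.tsp_name.casefold() == wanted and e.service_type == SVCTYPE_CA_QC}
    if not statuses:
        return "not_listed"
    if STATUS_GRANTED in statuses:
        return "granted"
    return "withdrawn" if STATUS_WITHDRAWN in statuses else "other"


if __name__ == "__main__":
    for name in ("Example Trust Services SAS", "Former Provider SA", "Unknown Corp"):
        print(f"{name}: {qualified_ca_status(SAMPLE_TSL, name, '2026-02-01T00:00:00Z')}")
```

Two things the script deliberately leaves to the surrounding process: the national list (or the EU LOTL that points to it) must be retrieved from its official location, and its XMLDSig signature must be verified against the published scheme operator certificate before any of its contents are trusted. A "granted" result from an unverified or stale list proves nothing, which is why the stale-list case is treated as a failure rather than a warning.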

Scenario 3 — A Commercial Law Firm Securing Its Deeds Under Private Seal

A commercial law firm of around thirty partners, managing annually nearly 400 mergers and acquisitions and business sales, seeks to strengthen the signature of its complex deeds under private seal. The unit value of transactions handled frequently exceeds one million euros, and any formal defect may engage the firm's professional liability.

After analysis, the IT team and managing partner agree on the minimum contractual requirement of a QES issued by an eIDAS 2 certified provider for any deed worth more than €100,000. The provider selection criterion mandatorily includes verification of entry on the national TSL and availability of a recent ETSI compliance certificate (less than 12 months old). This framework allows the firm to reduce by more than 80% requests for expert review on signature validity in subsequent disputes, according to feedback observed from comparable structures in the sector.

Conclusion

Obtaining eIDAS 2 certification as an electronic signature service provider is a demanding, costly and lengthy process — but essential for any player wishing to offer maximum legal guarantees to its clients on the European market. Between compliance with ETSI standards, passing the CAB audit, instruction by ANSSI and maintaining qualification over time, the process mobilises substantial resources over 12 to 24 months.

For user organisations, the good news is that it is not necessary to build this infrastructure in-house: choosing a SaaS provider already certified under eIDAS 2 and listed on the national trust list allows you to immediately benefit from the legal presumption attached to QES, without bearing certification costs.

Certyneo is a trusted certified provider, designed for B2B companies requiring legal rigour and ease of use. Discover our pricing and start your free trial today.
