eIDAS 2: the new European regulation explained in 2026

Introduction: why eIDAS 2 changes everything for European businesses

Entering into force on 20 May 2024 after a lengthy legislative process, Regulation eIDAS 2 — officially named Regulation (EU) 2024/1183 — represents the most ambitious reform ever undertaken in the field of electronic identification and trust services in Europe. It repeals and partially replaces the original eIDAS regulation of 2014 (No. 910/2014), whilst maintaining backwards compatibility with existing infrastructure. For businesses that use eIDAS-compliant electronic signatures, this overhaul introduces new obligations, unprecedented opportunities and a tight compliance timeline through 2026 and beyond. This article decrypts in depth the key provisions of the text, their operational implications and how your organisation can prepare for them.

---

What eIDAS 2 regulation fundamentally changes

From the 2014 regulation to the 2024 version: a structural overhaul

The original 2014 eIDAS regulation had laid the groundwork for mutual recognition of electronic identification schemes between Member States and established a unified legal framework for trust services (signature, seal, time-stamping, etc.). But ten years later, the shortcomings were glaring: low adoption rates of notified eIDs, fragmentation of national solutions, absence of a universal digital wallet for citizens, and above all, inadequacy for web usage (GAFAM excluded from the trust framework).

eIDAS 2 addresses these gaps on three major axes:

1. The European digital identity wallet (EUDI Wallet) — each Member State must provide, by no later than November 2026, a digital wallet application allowing any European citizen or resident to securely store and present their identity attributes (identity card, driving licence, diplomas, etc.).
2. Expansion of qualified trust services — the text adds new qualified services: qualified electronic archiving service management (QESAP), qualified identity attribute reports (QEAA), qualified electronic ledgers (QLED) and management of remote signature creation devices (QRCD).
3. Obligation for large platforms — providers of large online services (social networks, marketplaces) must accept the EUDI wallet for user authentication.

The EUDI Wallet: architecture and operation

The EUDI Wallet is at the heart of eIDAS 2. In concrete terms, it is a software application — delivered or certified by each Member State — which is based on a decentralised model for selective attribute presentation. The user only transmits the data strictly necessary for the transaction (principle of minimisation, in compliance with GDPR).

From a technical perspective, the architecture is based on the Architecture Reference Framework (ARF) specifications, published by the European Commission and regularly updated by the Large Scale Pilot (LSP) which brings together four pilot consortiums (DC4EU, EWC, POTENTIAL, NOBID). The data formats retained are primarily ISO/IEC 18013-5 (mDL/mDocs) and W3C Verifiable Credentials, guaranteeing cross-border interoperability.

For businesses, this means they will be able, in due course, to verify the identity of their customers or partners via the wallet without themselves managing the collection of supporting documents — thus considerably reducing KYC (Know Your Customer) friction and the risk of document fraud.

---

Trust levels and the signature hierarchy: what's changing

Maintenance of the QES / AdES / SES hierarchy

The electronic signature regime remains structured around three levels defined in Article 3 of eIDAS 2 (using the same terminology as 2014 but clarifying technical requirements):

• Simple electronic signature (SES): minimum probative value, suitable for routine acts.
• Advanced electronic signature (AdES): exclusive link to the signatory, ability to detect any subsequent modification.
• Qualified electronic signature (QES): legal equivalent of a handwritten signature throughout the EU (Article 25§2), issued via a qualified signature creation device (QSCD) on the basis of a qualified certificate.

The novelty lies in the way QES can now be delivered via qualified remote signature services (QRCD), with the conditions for approval specified in Articles 29a and 29b of the revised text. This paves the way for 100% digital workflows for the most demanding acts — notarised contracts, electronic public deeds — without requiring a physical smart card.

Impact on qualified trust service providers (QTSP)

Service providers such as Certyneo, which operate by relying on certified QTSPs, must anticipate the new audit requirements introduced by eIDAS 2. Article 24 now imposes stricter controls on the sub-contracting chain, and security incident notification requirements explicitly align with those of the NIS2 Directive (24-hour notification deadline). To deepen understanding of how the different signature levels work in a B2B context, consult our comprehensive guide to electronic signature in business.

---

Deployment timeline and business obligations for 2025-2026

Key deployment milestones

Regulation (EU) 2024/1183 was published in the EU Official Journal on 30 April 2024 and entered into force on 20 May 2024. Implementing and delegated acts — essential for clarifying technical requirements — are published progressively:

| Deadline | Obligation | |---|---| | May 2024 | Regulation entry into force | | End 2024 | Publication of implementing acts on ARF v2.0 | | Mid-2025 | Certification of first pilot EUDI Wallets | | November 2026 | Mandatory availability of an EUDI Wallet in each Member State | | 2027 | Mandatory acceptance by large online platforms |

What B2B businesses must do right now

For businesses using electronic signature solutions, three priorities are essential in 2025-2026:

1. Audit their chain of trust: verify that their signature provider is indeed listed on the QTSP (Trusted List) of their Member State, and that the certificates used are in compliance with the new revised ETSI EN 319 401 and EN 319 411-1 specifications.

2. Anticipate EUDI Wallet integration: businesses operating in regulated sectors (banking, insurance, healthcare, real estate) will be among the first affected by identity verification flows via wallet. Preparing integration APIs from 2025 onwards is recommended.

3. Revise their retention policies: the new qualified electronic archiving service (QESAP) introduces long-term preservation standards that may become mandatory in certain sectors (public procurement, pharmaceutical sector). Our ROI calculator for electronic signature allows you to assess the financial impact of upgrading your documentary infrastructure.

---

Interoperability, GDPR and digital sovereignty challenges

eIDAS 2 and GDPR: strengthened complementarity

One of the major advances of eIDAS 2 is the explicit integration of data protection by design principles in the architecture of the EUDI wallet. Article 5a§14 provides that the wallet does not enable providers to track user behaviour during transactions. Issuers of qualified identity attributes (QEAA) are not informed of how the attestations they issue are used — which represents a major break with current centralised models.

This architecture is qualified as unlinkability (non-correlatability): two separate transactions carried out by the same user cannot be linked without their consent. This guarantee exceeds the minimum requirements of the GDPR whilst being perfectly aligned with it.

The geopolitical dimension: regaining control over online identity

eIDAS 2 also addresses a sovereignty issue. Today, online authentication relies heavily on "Sign in with Google/Facebook/Apple" buttons, which gives American technology giants a dominant position in managing digital identities in Europe. By requiring very large platforms (in the sense of the Digital Services Act) to accept the EUDI Wallet as an authentication method, eIDAS 2 creates an interoperable and sovereign alternative.

For B2B businesses, this also means that eIDAS 2 compliance can become a supplier selection criterion in public and private procurement — similar to what ISO 27001 certification represents today in procurement processes. If your organisation is considering evolving its current solution, our migration guide from DocuSign or YouSign to Certyneo details the steps for a controlled transition.

Legal framework applicable to eIDAS 2 and electronic signature

Reference texts

Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024, amending Regulation (EU) No. 910/2014 with regard to the establishment of the European framework for digital identity (eIDAS 2). Published in the OJEU on 30 April 2024, entered into force on 20 May 2024.

Regulation (EU) No. 910/2014 (eIDAS 1): kept in force for its unchanged provisions, in particular the articles relating to "low", "substantial" and "high" assurance levels for notified identification schemes.

French Civil Code, Articles 1366 and 1367: electronic writing has the same evidentiary force as paper writing provided that the person from whom it emanates is duly identified and that the document is drawn up in conditions guaranteeing its integrity. Qualified electronic signature (QES) within the meaning of eIDAS 2 satisfies these requirements by right.

Regulation (EU) 2016/679 (GDPR): the processing of identity data within the EUDI wallet framework is subject to the principles of minimisation (Art. 5§1c), purpose limitation (Art. 5§1b) and data protection by design (Art. 25). Qualified service providers act as separate data controllers for verification operations.

Directive (EU) 2022/2555 (NIS2): transposed into French law by Ordinance No. 2024-528 of 12 June 2024, it imposes on qualified trust service providers obligations for risk management and incident notification within 24 hours.

ETSI Standards:

• EN 319 132 (XAdES) and EN 319 122 (CAdES): advanced electronic signature formats.
• EN 319 401: general requirements for trust service providers.
• EN 319 411-1 and 411-2: policy and security requirements for CAs issuing qualified certificates.
• EN 319 521: requirements for qualified signature preservation services (QESAP).

Obligations and legal risks for businesses

Any business using electronic signatures in a contractual context must ensure that the signature level chosen is appropriate to the value and nature of the act. For acts subject to a legal signature requirement (sales promises, employment contracts, purchase orders exceeding certain thresholds), only QES or AdES based on a qualified certificate provides the reliability presumption referred to in Article 26 of eIDAS 2.

In case of dispute, the burden of proof is reversed: if the signature is qualified, it is for the party challenging the document to prove its alteration; if it is simple or advanced without a qualified certificate, the burden of proof rests with the signatory relying on it. Non-compliance with traceability and integrity requirements can result in the nullity of the act or the signature being unenforceable against a third party.

Use cases: eIDAS 2 applied to B2B businesses

Scenario 1 — A digital transformation consulting firm (approximately 80 consultants)

A consulting structure deploying its employees with clients in multiple Member States (France, Germany, Netherlands) must have each month signatures on work orders, contractual amendments and acceptance minutes. Before eIDAS 2, managing cross-border identities created friction: refusal by some German clients to recognise certificates issued by a French QTSP, double authentication by email insufficient for sensitive acts.

With the deployment of the EUDI Wallet in 2026, consultants will be able to sign from their national wallet — recognised as of right in all Member States — without any friction. The firm estimates a reduction of 60 to 70% of the time spent on documentary verification exchanges prior to signing, or approximately 3 to 4 hours saved per consultant per month according to sectoral benchmarks published by McKinsey Digital (2024).

Scenario 2 — An industrial SME managing 350 supplier contracts per year

An SME in the industrial equipment sector, working with around a hundred European and Asian suppliers, must sign purchase orders, confidentiality agreements (NDAs) and framework contracts. Until now, 30% of these documents came back unsigned or with delays exceeding 10 working days.

By adopting an electronic signature solution compliant with eIDAS 2 with identity verification via qualified attributes (QEAA), the SME can enforce a signature workflow where the identity of the supplier's legal representative is automatically verified via the EUDI wallet, without manual entry. Expected result: reduction of the average signing time from 10 days to less than 48 hours, and a 40% reduction in disputes related to non-compliant signatures, based on ranges observed in ELENIUS 2025 reports on B2B digitalisation.

Scenario 3 — A real estate group managing sales agreements in multiple countries

A network of real estate agencies operating in France, Spain and Portugal must regularly have sales agreements signed between sellers and buyers of different nationalities. QES is required in some contexts to guarantee equivalence with handwritten signatures before a notary.

Thanks to eIDAS 2 and the interoperability of EUDI wallets, a Portuguese buyer can sign a contract subject to French law using their national wallet, with a "high" level of assurance automatically recognised by the signature platform. The group reduces its travel and legalisation fees by approximately 800 to 1,200 euros per cross-border file, whilst reducing the time to conclusion of agreements from 3 weeks to 5 days on average. For uses specific to the sector, our dedicated page on electronic signature in real estate details tailored workflows.

Conclusion

eIDAS 2 is not just a regulatory update: it is a profound overhaul of how digital identity and electronic trust function in Europe. The EUDI Wallet, new qualified services, the interoperability requirement and alignment with NIS2 and GDPR form a coherent ecosystem that will transform the contractual and authentication processes of businesses by the end of 2026.

To remain compliant and competitive, B2B organisations must act now: audit their chain of trust, choose a provider aligned with the new requirements and prepare their documentary workflows for integration with the European digital wallet.

Certyneo supports you in this transition with eIDAS 2-compliant qualified electronic signature solutions, ready for 2026. Request a demonstration or create your account on Certyneo to secure your contracts today.