eIDAS 2 vs eIDAS 1: Key Changes for SMEs

Introduction: Why eIDAS 2 Changes the Game for SMEs

Since 20 May 2024, Regulation (EU) 2024/1183 — commonly known as eIDAS 2 — has entered into force, progressively replacing Regulation (EU) No 910/2014 (eIDAS 1). For French SMEs, this transition is not merely an administrative update: it redefines digital trust levels, introduces a European digital identity wallet (EUDIW), strengthens requirements for trust service providers, and expands the scope of recognised services. This article compares eIDAS 1 and eIDAS 2 point by point, identifies the concrete operational impacts for small and medium-sized enterprises, and provides you with an action plan to remain compliant by 2026.

---

1. Reminder: What eIDAS 1 Established (2014-2024)

1.1 The Foundations of the Original Regulation

Adopted in July 2014 and applicable since September 2016, eIDAS 1 laid the first foundations of a European digital trust space. It introduced three main categories of electronic signature — simple (SES), advanced (AdES), and qualified (QES) — and established the list of trusted qualified service providers (Trusted List), accessible via the European Commission portal.

For SMEs, the major contribution of eIDAS 1 was the cross-border recognition of qualified signatures: a contract signed with a French QES was legally recognised in Germany, Spain, or Italy without apostille or additional formality. This principle — known as "non-discrimination" — became the foundation upon which SaaS offerings like Certyneo built their services.

1.2 Identified Limitations

Despite its advances, eIDAS 1 suffered from several shortcomings documented by the European Commission in its 2021 evaluation report:

• Fragmentation of identity schemes: only EU Member States that had notified their national scheme (such as FranceConnect+ at substantive level) benefited from mutual recognition. By 2023, only 14 out of 27 Member States had notified a compliant scheme.
• Absence of native mobile support: the qualified signature creation device (QSCD) often required a smart card or hardware token, hindering mobile adoption.
• Limited trust services: eIDAS 1 listed nine types of qualified services; new use cases (qualified electronic archiving, attribute management) were not covered.
• No unified identity wallet: each citizen or company managed their identifiers in silos, with no guaranteed interoperability.

These limitations prompted the Commission to launch the revision in 2020, resulting in eIDAS 2 after three years of trilogue negotiations.

---

2. The Five Major Innovations of eIDAS 2 for SMEs

2.1 The European Digital Identity Wallet (EU Digital Identity Wallet — EUDIW)

This is the most visible innovation in the regulation. By November 2026 (transposition deadline set by Article 5a), each EU Member State must offer at least one certified digital identity wallet to its citizens and residents. For SMEs, this development has two direct consequences:

1. Simplified authentication of clients and partners: the wallet will allow sharing of verified attributes (age, VAT identification number, business registration extract, certified banking data) without friction. A framework agreement with a German partner could be signed after instant verification of their professional attributes from their EUDIW.
2. Obligation to accept for certain sectors: online services on major platforms (Article 45bis) and certain public services will have to accept the EUDIW as a means of authentication. SMEs providing B2B portals will need to adapt their authentication APIs.

2.2 Expansion of the List of Qualified Trust Services

eIDAS 2 expands the catalogue of qualified trust services from 9 to 14 categories. The new entries directly affecting SMEs are:

• Qualified electronic archiving (Art. 45septies): long-term storage with enhanced evidentiary value. Until now, archiving with evidentiary value relied on national frameworks (in France, the SIAF/ANSSI framework); eIDAS 2 harmonises the European framework.
• Remote management of qualified signature creation devices (RQSCD): now explicitly regulated, it clarifies the ambiguities surrounding cloud-based qualified signature solutions. For a 50-employee SME, this means accessing a qualified signature without a physical token, from any device.
• Qualified electronic register service: registers based on blockchain or distributed ledger technologies can now obtain qualified status, opening the way to new models of contract management.

For more information on signature levels and their legal value, consult our comprehensive guide to electronic signature.

2.3 Strengthened Security Requirements for Qualified Service Providers (QTSP)

eIDAS 2 tightens the obligations of qualified trust service providers (QTSP). The revised Article 24 notably imposes:

• A cybersecurity certification compliant with the European framework (EU Cybersecurity Act, Regulation 2019/881), with sectoral schemes being developed by ENISA.
• Strengthened requirements for operational resilience: QTSPs must now document their business continuity plan and submit it to their national supervisory authority (in France, ANSSI for qualified service providers).
• An obligation to notify security incidents within 24 hours (alignment with NIS 2).

For SMEs as users, this translates into a requirement for enhanced diligence when choosing a service provider: verifying that your signature solution is properly listed on the updated European Trusted List is now a critical step in your procurement process. Our comparison of electronic signature solutions can help you in this analysis.

2.4 Mandatory Interoperability of Identity Schemes

Whereas eIDAS 1 left EU Member States free to notify (or not) their scheme, eIDAS 2 makes notification and interoperability mandatory for identity schemes used in online public services (Art. 5). France Identité — the national scheme led by the Ministry of the Interior — is being updated to comply with the technical specifications of the EUDIW, published by the Commission in Implementing Regulation (EU) 2024/2977.

For an SME that regularly interacts with public administrations (public procurement, tax filings, customs procedures), this development means that online processes will progressively be unified around a single digital identifier recognised across the entire EU.

2.5 New Rules on Liability and Supervision

eIDAS 2 clarifies and extends the regimes of liability of service providers (revised Art. 13). A QTSP is now presumed responsible for any damage caused to a natural or legal person by a breach of its obligations, unless it proves the absence of fault. This strengthened presumption of liability, compared to eIDAS 1, should prompt SMEs to:

• Formalise their service provider's commitments by contract (SLA, availability guarantees, indemnification).
• Verify the professional liability insurance coverage of the QTSP.
• Keep evidence of audit trails for signed transactions (timestamp logs, signature verification reports).

Our teams have drafted a detailed guide on electronic signature in business that addresses these contractual aspects.

---

3. Comparative Table eIDAS 1 vs eIDAS 2: What Changes in Practice

3.1 Summary of Major Changes

| Criterion | eIDAS 1 (2016-2024) | eIDAS 2 (2024-2026+) | |---|---|---| | Identity Wallet | Absent | EUDIW mandatory (Member States) | | Qualified Services | 9 categories | 14 categories (archiving, RQSCD, registers…) | | Scheme Notification | Optional | Mandatory for public services | | QTSP Security | Common Criteria | Cybersecurity Act + ENISA schemes | | QTSP Liability | Partial | Strengthened presumption of liability | | Incident Notification Deadline | Not specified | 24 hours (NIS 2 alignment) | | Mobile QSCD | Legal ambiguity | RQSCD explicitly regulated |

3.2 Key Timelines to Remember for 2026

• May 2024: entry into force of Regulation (EU) 2024/1183.
• November 2026: deadline for each EU Member State to offer at least one certified EUDIW solution.
• 2027: obligation for large platforms (Art. 45bis) to accept the EUDIW as a means of authentication.
• 2028: scheduled review of technical implementing acts (delegated regulations on EUDIW specifications).

If your SME is considering migrating to a more compliant solution, our offer to migrate to Certyneo includes a complimentary eIDAS 2 compliance audit.

---

4. Practical Action Plan to Bring Your SME into eIDAS 2 Compliance

4.1 Audit Your Existing Document Flows

Start by mapping all processes in which you currently use electronic signature or digital identity: supplier contracts, dematerialised payslips, SEPA mandates, confidentiality agreements, HR documents. For each flow, identify:

• The signature level in use (SES, AdES, QES).
• The current service provider and their status on the Trusted List.
• The legal risk level in case of dispute.

This audit is the recommended starting point by ANSSI in its compliance update guide published in March 2025.

4.2 Upgrade Your Signature Solution

If your current service provider is not listed on the eIDAS 2 Trusted List or does not yet offer RQSCD, it is time to compare market offerings. Certyneo is a certified QTSP that supports all three signature levels (SES, AdES, QES) and natively integrates the new eIDAS 2 requirements, including qualified archiving and remote device management.

4.3 Train Your Teams and Update Your Contracts

eIDAS 2 strengthens the evidentiary value of qualified signatures but also imposes sound document management practices. Ensure that your legal and administrative teams:

• Know how to distinguish between the three signature levels and their respective legal value.
• Integrate an eIDAS compliance audit clause into supplier contracts.
• Retain evidence of signature verification (validation report, qualified timestamp) for the applicable legal retention period (3 to 10 years depending on the nature of the document).

To structure this approach, our electronic signature ROI calculator will allow you to quantify the operational gains related to the upgrade.

Applicable Legal Framework

Reference Texts

Bringing an SME into eIDAS 2 compliance is part of a regulatory framework that is essential to understand.

Regulation (EU) 2024/1183 of the European Parliament and of the Council (known as "eIDAS 2"): this is the founding text, published in the Official Journal on 30 April 2024. It repeals and replaces Regulation (EU) No 910/2014 according to a deployment schedule running until 2027. It is directly applicable in all EU Member States without requiring national legislative transposition for its main provisions.

Regulation (EU) No 910/2014 (eIDAS 1): some of its provisions remain applicable during the transitional periods provided for by eIDAS 2, in particular for qualified service providers that obtained their qualification before May 2024 and have a period to recertify.

French Civil Code, Articles 1366 and 1367: Article 1366 establishes the principle of equivalence between electronic and paper writing, provided that "the person from whom it emanates can be duly identified and that it is established and kept under conditions such as to guarantee its integrity". Article 1367 recognises electronic signature as a means of proof, referring to the conditions set by decree in the Council of State (Decree No. 2017-1416 of 28 September 2017, codified in Articles R. 1369-1 to R. 1369-10 of the Civil Code).

Regulation (EU) 2016/679 (GDPR): the deployment of the EUDIW and the processing of identity attributes in electronic signature flows constitute personal data processing within the meaning of the GDPR. SMEs must ensure that their QTSP acts as a data processor within the meaning of Article 28 GDPR, with a DPA (Data Processing Agreement) compliant with the regulation. The CNIL published in January 2026 a specific recommendation on EUDIW-GDPR integration.

Directive (EU) 2022/2555 (NIS 2): eIDAS 2 explicitly aligns with NIS 2 on incident notification obligations (Art. 24, §2 eIDAS 2 referring to NIS 2 provisions). QTSPs are considered "essential" or "important" entities within the meaning of NIS 2 depending on their size, and are therefore subject to regular security audits.

ETSI Standards: qualified electronic signatures must comply with ETSI standards EN 319 132-1 (XAdES), ETSI EN 319 122-1 (CAdES), ETSI EN 319 162-1 (ASiC), and ETSI EN 319 102-1 (signature verification procedure). The ETSI TS 119 461 standard governs remote identity verification (IDV), particularly relevant for RQSCD.

Legal Risks in Case of Non-Compliance

Using an electronic signature solution that does not comply with eIDAS 2 exposes the SME to several risks:

• Inadmissibility in court: a judge may reject an electronic signature whose level does not correspond to the act signed (e.g., simple signature for an act requiring advanced or qualified level).
• Contractual liability: if a contract is challenged by a partner on the grounds of signature nullity, the SME may be exposed to compensation claims.
• GDPR sanctions: in the event of a data breach linked to a service provider's security deficiency, the SME, as a co-controller or controller, may be sanctioned by the CNIL up to 4% of annual global turnover (Art. 83 §4 GDPR).

Concrete Use Case Scenarios

Scenario 1: An 80-Employee Industrial SME Managing 400 Supplier Contracts per Year

An SME in the metalworking sector processing approximately 400 supplier contracts annually used until 2024 a simple electronic signature solution (SES) for all its commitments, including framework contracts above €50,000. Following an eIDAS 2 compliance audit, it found that 35% of its contracts required advanced or qualified signature to resist legal challenge, particularly with suppliers established in other EU Member States.

By migrating to a solution combining advanced signature (AdES) for routine contracts and qualified signature (QES) for framework contracts, and by activating qualified electronic archiving (new eIDAS 2 service), this SME reduced by 70% the time spent on post-signature document management (filing, searching, sending certified copies) and reduced to zero disputes over signature authenticity in the following 18 months, compared to two incidents in the previous 18 months.

Scenario 2: A 15-Employee Legal Consultancy

A law firm specialising in corporate law, issuing on average 1,200 signed documents per year (engagement letters, mandates, confidentiality agreements), faced growing demand from its corporate clients for qualified signatures recognised across the entire EU. Under eIDAS 1, obtaining a qualified certificate required a face-to-face procedure or lengthy video verification (45 to 90 minutes per user).

Thanks to the RQSCD (Remote Qualified Signature Creation Device) regulated by eIDAS 2, the firm was able to deploy qualified signature for all its staff in less than two weeks, via a 100% remote enrolment procedure compliant with ETSI TS 119 461 standard. Internal adoption rates rose from 40% to 95% in three months, and the average turnaround time for signed documents was reduced from 4.2 days to less than 6 hours based on the firm's internal measurements.

Scenario 3: An E-Commerce SME Operating in Three EU Countries

An online sales company employing 35 people and operating in France, Belgium, and the Netherlands needed to manage three types of electronic agreements: employment contracts for its local staff, partnership agreements with carriers, and SEPA mandates for its professional customers. The fragmentation of national requirements under eIDAS 1 forced it to maintain three separate signature workflows, with estimated management costs of approximately €12,000 per year.

Adopting a single solution compliant with eIDAS 2 — integrating mutual recognition of qualified signatures across all three countries — allowed for unified workflows, reducing management costs to approximately €4,500 per year (62% savings) and eliminating delays related to manual validation of foreign signatures by the legal department.

Conclusion

eIDAS 2 is not merely a cosmetic revision of the regulatory framework: it fundamentally redefines the rules of digital trust in Europe. For French SMEs, the five major innovations — EUDIW wallet, expansion of qualified services, RQSCD, mandatory interoperability, and strengthened liability — represent both a compliance obligation and an opportunity to accelerate their document transformation.

SMEs that anticipate these changes today will gain real competitive advantage: contracts recognised throughout the EU without friction, archiving with integrated evidentiary value, and fully dematerialised and secure signature processes.

Certyneo is designed to support this transition. Start your free trial on certyneo.com and benefit from a complimentary eIDAS 2 compliance audit for your existing document flows.