
eIDAS Compliance for SMEs: Complete 2026 Checklist

How can you ensure an SME is compliant with the eIDAS regulation in 2026? 12-point checklist: signature levels, service provider, archiving, GDPR.

Certyneo Team · 5 min read


The European eIDAS regulation (EU No. 910/2014, soon to be amended by eIDAS 2.0) governs electronic signatures throughout the European Union. For an SME, compliance is not just a box to tick: it is the guarantee that its contracts are enforceable, that its signature data is protected, and that it is shielded from legal risks that could prove costly. Here is the 2026 checklist, in 12 concrete points, for verifying that your SME is fully eIDAS compliant.

Point 1: Choose the right signature level

First step: map your contract types and assign each a target signature level. Standard commercial contracts (quotes, purchase orders, simple NDAs): SES is sufficient. Employment contracts, leases, sensitive NDAs, strategic agreements: AES at minimum, preferably with SMS OTP. Regulated acts (lawyer, notary, public procurement above a threshold): QES is mandatory. Without this mapping, you risk choosing too low a level (contract refused) or too high a level (excessive cost).

Point 2: Verify the service provider's qualification

Your service provider must be a Qualified Trust Service Provider (QTSP), or rely on a QTSP, for the AES and QES levels. Consult the Trust Services List published by ANSSI (eidas.ssi.gouv.fr) and the European Trusted List (webgate.ec.europa.eu/tl-browser). Reference French QTSPs: Certigna, Docaposte, Certinomis, Universign. For SES/AES via a platform (Certyneo, Yousign, etc.), verify that their eIDAS compliance is explicitly documented.

Point 3: Test the audit trail

Sign a test envelope and retrieve the audit trail (typically a separate PDF). It must contain: the signer's identity and email, a timestamp for each step (sending, opening, validation, signature), the IP address, the user agent, the document hash, and the OTP validation if the level is AES. If any of these elements is missing, the evidentiary value is weakened. Certyneo provides the complete audit trail even in the free plan.
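To turn the Point 3 checks into something repeatable, here is an added example (not Certyneo's code or export format; the field names and the sample trail are constructed) that flags a missing element, a step out of chronological order, a document hash that no longer matches the archived PDF, and an AES trail without an OTP record:

```python
import hashlib

# Fields Point 3 says an eIDAS audit trail must carry (constructed schema, not a Certyneo format).
REQUIRED_FIELDS = ("signer_name", "signer_email", "ip_address", "user_agent",
                   "document_sha256", "events")
REQUIRED_EVENTS = ("sent", "opened", "validated", "signed")

# Constructed sample: the signed document bytes and an exported audit trail record.
DOCUMENT = b"%PDF-1.7 constructed sample contract bytes"
AUDIT_TRAIL = {
    "signature_level": "AES",
    "signer_name": "Jane Example",
    "signer_email": "jane@example.com",
    "ip_address": "203.0.113.10",
    "user_agent": "Mozilla/5.0 (constructed)",
    "document_sha256": hashlib.sha256(DOCUMENT).hexdigest(),
    "events": {
        "sent": "2026-01-10T09:00:00Z",
        "opened": "2026-01-10T09:05:12Z",
        "validated": "2026-01-10T09:06:40Z",
        "signed": "2026-01-10T09:07:02Z",
    },
    "otp_validated": True,
}


def audit_trail_gaps(trail: dict, document: bytes) -> list:
    """Return the problems found; an empty list means the trail passes the Point 3 checks."""
    gaps = []
    for field in REQUIRED_FIELDS:
        if not trail.get(field):
            gaps.append(f"missing field: {field}")
    events = trail.get("events") or {}
    for ev in REQUIRED_EVENTS:
        if ev not in events:
            gaps.append(f"missing timestamped event: {ev}")
    # The four steps must be in chronological order (ISO 8601 UTC strings sort lexically).
    stamps = [events.get(ev) for ev in REQUIRED_EVENTS]
    if all(stamps) and stamps != sorted(stamps):
        gaps.append("events out of chronological order")
    # The hash recorded in the trail must match the PDF you actually archived.
    if trail.get("document_sha256") != hashlib.sha256(document).hexdigest():
        gaps.append("document hash mismatch: archived PDF differs from signed PDF")
    # AES and QES trails must record the OTP validation step.
    if trail.get("signature_level") in ("AES", "QES") and not trail.get("otp_validated"):
        gaps.append("AES/QES trail lacks OTP validation")
    return gaps
```

Run it against the trail your provider exports and the PDF you archived; the hash check also covers the integrity requirement of Point 5.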

Point 4: Control timestamping

The timestamp must be issued by a Time Stamp Authority (TSA) compliant with RFC 3161. A timestamp simply taken from the company's own NTP server is not sufficient. Open the signed PDF in Adobe Reader: Signatures tab → Details → Timestamp. You should see a valid TSA certificate and a certified clock. If the PDF does not carry a certified timestamp, reconsider your choice of service provider.

Point 5: Archive for a minimum of 10 years

The French Commercial Code (article L. 123-22) requires commercial documents to be retained for 10 years. The Labour Code requires employment contracts to be kept for 5 years after termination. Archiving must preserve both integrity (hash, sealing) and access. Ideally: PDF/A format (ISO 19005), dual storage (primary + off-site backup), and a qualified electronic vault (CFE) for maximum evidentiary value. Certyneo archives for 10 years by default and offers export to partner CFEs.

Point 6: Verify data location

Where is your signature data hosted? For a French SME handling sensitive contracts, prioritise hosting in France or the EU. Ask your service provider for the list of its sub-processors and their locations (GDPR article 28). Avoid solutions subject to the US Cloud Act for strategic contracts. Certyneo is hosted in France, with no Cloud Act dependency. See our article at /blog/cloud-act-signature-electronique.

Point 7: Align with GDPR

Electronic signature and GDPR are closely linked: each envelope contains personal data (name, email, IP address, phone number). Ensure that your processing register (GDPR article 30) includes electronic signature, that retention periods are consistent (10 years), and that individuals' rights can actually be exercised (access, rectification, portability). If you request many signatures, appointing a DPO is recommended. See our article at /blog/signature-electronique-rgpd.

Point 8: Identify signatories upstream

For a solid AES, identification does not start at signature time: it starts at data collection. Verify email addresses (no aliases, no mailing lists) and phone numbers (no shared lines), and keep a record of the source of identification (an identity document for high-stakes contracts, existing customer KYC for ongoing business). This due diligence strengthens the evidentiary value in case of dispute.

Point 9: Train your teams

Your sales, HR and legal teams must understand the rules: never force a signer to use a third-party device, never return a modified signed PDF, never paste a scanned signature image in place of a genuine signature. One hour of training per team is enough to anchor good practices. Certyneo provides a comprehensive guide to share internally (/ressources).

Point 10: Review service provider contracts

The signature service provider's Terms and Conditions must: commit to eIDAS compliance, specify archiving periods, include a GDPR sub-processing agreement (article 28), document the sub-processors, and provide a reversibility plan in case of termination. Also request SOC 2 Type II certification, or an equivalent, if you process large volumes. For Certyneo, these documents are available at /legal and /security.

Point 11: Prepare for eIDAS 2.0 and the EUDI Wallet

The eIDAS 2.0 regulation (EU 2024/1183) enters into force progressively and requires Member States to deploy an EUDI Wallet by the end of 2026. This digital identity wallet will notably enable remote QES without visiting a physical registration office. Prepare your SME: verify that your service provider has an EUDI Wallet roadmap, and follow communications from ANSSI and the European Commission. See /blog/eidas-2-nouveau-reglement-2026.

Point 12: Audit annually

Compliance is not a status you acquire once: it is an ongoing process. Schedule an annual audit (internal or external) to verify regulatory changes, service provider updates, that the contract-type mapping is up to date, that retention is actually enforced, and that new recruits have been trained. A light audit takes half a day for an SME and prevents many surprises. Start by creating a free Certyneo account at certyneo.com/signup to test compliance in practice, then consult our eIDAS guide to go deeper (/guide/eidas).
