eIDAS 2: the new European regulation explained in 2026

The eIDAS 2 regulation reshapes digital identity rules in Europe for 2026. Discover what changes for businesses and how to anticipate compliance.

Certyneo editorial team · 11 min read

Introduction: why eIDAS 2 changes everything for European businesses

Regulation eIDAS 2, officially known as Regulation (EU) 2024/1183, entered into force on 20 May 2024 after a lengthy legislative process and represents the most ambitious reform ever undertaken in the field of electronic identification and trust services in Europe. It repeals and partially replaces the original eIDAS regulation of 2014 (No. 910/2014), whilst maintaining backward compatibility with existing infrastructure. For businesses using eIDAS-compliant electronic signatures, this overhaul introduces new obligations, unprecedented opportunities and a tight compliance timeline until 2026 and beyond. This article examines in depth the key provisions of the text, their operational implications and how your organisation can prepare for them.

---

What eIDAS 2 regulation fundamentally changes

From the 2014 regulation to the 2024 version: a structural overhaul

The original 2014 eIDAS regulation laid the groundwork for mutual recognition of electronic identification schemes between Member States and established a unified legal framework for trust services (signature, seal, time stamp, etc.). Ten years later, however, the limitations were glaring: low adoption rates for notified eIDs, fragmentation of national solutions, the absence of a universal digital wallet for citizens and, above all, a poor fit with web usage (GAFAM excluded from the trust framework).

eIDAS 2 corrects these shortcomings on three major axes:

  1. The European digital identity wallet (EUDI Wallet) — each Member State must provide, no later than November 2026, a digital wallet application allowing any European citizen or resident to securely store and present their identity attributes (identity card, driving licence, diplomas, etc.).
  2. The expansion of qualified trust services — the text adds new qualified services: qualified electronic archiving service management (QESAP), qualified identity attribute reporting (QEAA), qualified electronic ledgers (QLED) and remote signature creation device management (QRCD).
  3. The obligation for large platforms — large online service providers (social networks, marketplaces) must accept the EUDI wallet for user authentication.

The EUDI Wallet: architecture and functioning

The EUDI Wallet is at the heart of eIDAS 2. In concrete terms, it is a software application — delivered or certified by each Member State — based on a decentralised model of selective attribute presentation. The user transmits only data strictly necessary for the transaction (principle of minimisation, compliant with GDPR).

From a technical standpoint, the architecture is based on the Architecture Reference Framework (ARF) specifications, published by the European Commission and regularly updated by the Large Scale Pilot (LSP) which brings together four pilot consortiums (DC4EU, EWC, POTENTIAL, NOBID). The data formats adopted are primarily ISO/IEC 18013-5 (mDL/mDocs) and W3C Verifiable Credentials, ensuring cross-border interoperability.

For businesses, this means that they will, in due course, be able to verify the identity of their customers or partners via the wallet without managing document collection themselves — significantly reducing KYC (Know Your Customer) friction and documentary fraud risks.

---

Trust levels and the signature hierarchy: what changes

Maintenance of the QES / AdES / SES hierarchy

The electronic signature regime remains structured around three levels defined in Article 3 of eIDAS 2 (adopting the 2014 terminology but clarifying technical requirements):

  • Simple electronic signature (SES): minimal evidential value, suitable for routine acts.
  • Advanced electronic signature (AdES): exclusive link to the signatory, ability to detect any subsequent alteration.
  • Qualified electronic signature (QES): legal equivalent of a handwritten signature throughout the EU (Article 25§2), issued via a qualified signature creation device (QSCD) on the basis of a qualified certificate.

The novelty lies in the way QES can now be delivered via qualified remote signature services (QRCD), whose accreditation conditions are set out in Articles 29a and 29b of the revised text. This opens the door to 100% digital workflows for the most demanding acts — notarised contracts, electronic authentic deeds — without requiring a physical smart card.

The impact on qualified trust service providers (QTSP)

Service providers such as Certyneo, which operate by relying on certified QTSPs, must anticipate the new audit requirements introduced by eIDAS 2. Article 24 now imposes strengthened controls over the sub-contracting chain, and security incident notification requirements are explicitly aligned with those of the NIS2 Directive (24-hour notification deadline). To deepen understanding of how different signature levels function in a B2B context, consult our comprehensive guide to electronic signatures in business.

---

Deployment timeline and business obligations in 2025-2026

Key deployment milestones

Regulation (EU) 2024/1183 was published in the EU Official Journal on 30 April 2024 and entered into force on 20 May 2024. Implementing and delegated acts — essential for clarifying technical requirements — are being published progressively:

| Deadline | Obligation |
|---|---|
| May 2024 | Regulation enters into force |
| End 2024 | Publication of implementing acts on ARF v2.0 |
| Mid-2025 | Certification of first pilot EUDI Wallets |
| November 2026 | Mandatory availability of an EUDI Wallet in each Member State |
| 2027 | Mandatory acceptance by large online platforms |

What B2B businesses must do starting now

For businesses using electronic signature solutions, three priorities are essential in 2025-2026:

1. Audit their trust chain: verify that their signature provider is listed as a QTSP on the Trusted List of their Member State, and that the certificates used comply with the newly revised ETSI EN 319 401 and EN 319 411-1 specifications.

2. Anticipate EUDI Wallet integration: businesses operating in regulated sectors (banking, insurance, health, real estate) will be among the first affected by identity verification workflows via wallet. Preparing integration APIs from 2025 onwards is recommended.

3. Revise their retention policies: the new qualified electronic archiving service (QESAP) introduces long-term preservation standards that may become mandatory in certain sectors (public procurement, pharmaceutical). Our ROI calculator for electronic signatures allows you to assess the financial impact of upgrading your documentary infrastructure.

---

Interoperability, GDPR and digital sovereignty issues

eIDAS 2 and GDPR: reinforced complementarity

One of the major advances of eIDAS 2 is the explicit integration of data protection principles from the outset (privacy by design) into the architecture of the EUDI wallet. Article 5a§14 provides that the wallet does not enable providers to track user behaviour during transactions. Identity attribute issuers (QEAA) are not informed of how the attestations they issue are used — which represents a major break from current centralised models.

This property is termed unlinkability (non-correlatability): two separate transactions by the same user cannot be linked without their consent. This guarantee exceeds GDPR minimum requirements whilst aligning perfectly with it.

The geopolitical dimension: regaining control over online identity

eIDAS 2 also responds to a sovereignty issue. Today, online authentication relies heavily on "Log in with Google/Facebook/Apple" buttons, which gives American tech giants a dominant position in managing European digital identities. By requiring very large platforms (within the meaning of the Digital Services Act) to accept the EUDI Wallet as an authentication method, eIDAS 2 creates an interoperable and sovereign alternative.

For B2B businesses, this also means that eIDAS 2 compliance can become a supplier selection criterion in public and private tenders — similar to what ISO 27001 certification represents today in procurement processes. If your organisation is considering evolving its current solution, our migration guide from DocuSign or YouSign to Certyneo details the steps for a controlled transition.

Reference texts

Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024, amending Regulation (EU) No 910/2014 with regard to the establishment of the European framework for a digital identity (eIDAS 2). Published in the OJ on 30 April 2024, entered into force on 20 May 2024.

Regulation (EU) No 910/2014 (eIDAS 1): maintained in force for its unmodified provisions, in particular Articles relating to "low", "substantial" and "high" assurance levels for notified identification schemes.

French Civil Code, Articles 1366 and 1367: electronic writing has the same probative force as paper writing provided that the person from whom it emanates is properly identified and that the document is established under conditions guaranteeing its integrity. A qualified electronic signature (QES) within the meaning of eIDAS 2 satisfies these requirements as of right.

Regulation (EU) 2016/679 (GDPR): the processing of identity data in the context of the EUDI wallet is subject to the principles of minimisation (Art. 5§1c), limitation of purpose (Art. 5§1b) and data protection from the outset (Art. 25). Qualified service providers hold the status of separate data controllers for verification operations.

Directive (EU) 2022/2555 (NIS2): transposed into French law by Ordinance No. 2024-528 of 12 June 2024, it imposes obligations on qualified trust service providers for risk management and incident notification within 24 hours.

ETSI standards:

  • EN 319 132 (XAdES) and EN 319 122 (CAdES): advanced electronic signature formats.
  • EN 319 401: general requirements for trust service providers.
  • EN 319 411-1 and 411-2: policy and security requirements for CAs issuing qualified certificates.
  • EN 319 521: requirements for qualified signature preservation services (QESAP).

Any business using electronic signatures in a contractual context must ensure that the signature level chosen is appropriate to the value and nature of the act. For acts subject to a legal signature requirement (promises of sale, employment contracts, purchase orders exceeding certain thresholds), only QES or AdES based on a qualified certificate provides the reliability presumption referred to in Article 26 of eIDAS 2.

In the event of dispute, the burden of proof is reversed: if the signature is qualified, it is for the party contesting the document to prove its alteration; if it is simple or advanced without a qualified certificate, the burden of proof rests on the signatory invoking it. Non-compliance with traceability and integrity requirements may result in the deed being voided or the signature being unenforceable against a third party.

Usage scenarios: eIDAS 2 applied to B2B businesses

Scenario 1 — A digital transformation consulting firm (approximately 80 consultants)

A consulting firm deploying its staff with clients in several Member States (France, Germany, Netherlands) must have mission orders, contract amendments and acceptance minutes signed each month. Before eIDAS 2, managing cross-border identities created friction: refusal by some German clients to recognise certificates issued by a French QTSP, double authentication by email insufficient for sensitive acts.

With the deployment of the EUDI Wallet in 2026, consultants will be able to sign from their national wallet — recognised as of right in all Member States — without any friction. The firm estimates a reduction of 60 to 70% of time spent on exchanging verification documentation prior to signature, equivalent to approximately 3 to 4 hours saved per consultant per month according to sectoral benchmarks published by McKinsey Digital (2024).

Scenario 2 — An SME in industry managing 350 supplier contracts per year

An SME in the industrial equipment sector, working with around a hundred European and Asian suppliers, must conclude purchase orders, confidentiality agreements (NDAs) and master agreements. Hitherto, 30% of these documents were returned unsigned or invalid, or with delays exceeding 10 working days.

By adopting an electronic signature solution compliant with eIDAS 2 with identity verification via qualified attributes (QEAA), the SME can enforce a signature workflow where the identity of the supplier's legal representative is automatically verified via the EUDI wallet, without manual entry. Expected result: reduction of average signature delay from 10 days to less than 48 hours, and a 40% decrease in disputes related to non-compliant signatures, based on ranges observed in ELENIUS 2025 reports on B2B dematerialisation.

Scenario 3 — A real estate group managing sales agreements in several countries

A network of estate agents operating in France, Spain and Portugal must regularly have preliminary contracts signed between sellers and buyers of different nationalities. QES is required in certain contexts to guarantee equivalence with a handwritten signature before a notary.

Thanks to eIDAS 2 and the interoperability of EUDI wallets, a Portuguese buyer can sign an agreement subject to French law using their national wallet, with a "high" assurance level automatically recognised by the signature platform. The group reduces its travel and legalisation costs by approximately 800 to 1,200 euros per cross-border file, whilst reducing the time to conclude preliminary agreements from 3 weeks to an average of 5 days. For sector-specific uses, our dedicated page on electronic signatures in real estate details adapted workflows.

Conclusion

eIDAS 2 is not merely a regulatory update: it is a profound overhaul of how digital identity and electronic trust function in Europe. The EUDI Wallet, new qualified services, the interoperability requirement and alignment with NIS2 and GDPR form a coherent ecosystem that will transform the contractual processes and authentication of businesses by the end of 2026.

To remain compliant and competitive, B2B organisations must act now: audit their trust chain, choose a provider aligned with new requirements and prepare their document workflows for integration with the European digital wallet.

Certyneo supports you in this transition with eIDAS 2-compliant qualified electronic signature solutions, ready for 2026. Request a demonstration or create your account on Certyneo to secure your contracts today.
