eIDAS 2 vs eIDAS 1: Key changes for SMEs

Introduction: why eIDAS 2 changes the game for SMEs

Since 20 May 2024, Regulation (EU) 2024/1183 — commonly known as eIDAS 2 — has come into force, progressively repealing and replacing Regulation (EU) No 910/2014 (eIDAS 1). For French SMEs, this shift is not merely an administrative update: it redefines digital trust levels, introduces a European Digital Identity Wallet (EUDIW), strengthens requirements for trust service providers, and expands the scope of recognised services. This article compares eIDAS 1 and eIDAS 2 point by point, identifies concrete operational impacts for small and medium-sized enterprises, and provides you with an action plan to remain compliant by 2026.

---

1. Background: what eIDAS 1 established (2014-2024)

1.1 The foundations of the original regulation

Adopted in July 2014 and applicable from September 2016, eIDAS 1 laid the first stones of a European digital trust space. It introduced three broad categories of electronic signature — simple (SES), advanced (AdES), and qualified (QES) — and created the list of trusted qualified service providers (Trusted List), which can be consulted on the European Commission portal.

For SMEs, the major contribution of eIDAS 1 was the cross-border recognition of qualified signatures: a contract signed with a French QES was legally recognised in Germany, Spain, or Italy without apostille or additional formalities. This principle — known as "non-discrimination" — remained the foundation upon which SaaS offerings such as Certyneo built their services.

1.2 Identified limitations

Despite its advances, eIDAS 1 suffered from several shortcomings documented by the European Commission in its 2021 evaluation report:

• Fragmentation of identity schemes: only EU Member States that notified their national scheme (such as FranceConnect+ at substantial level) benefited from mutual recognition. By 2023, only 14 out of 27 Member States had notified a compliant scheme.
• Absence of native mobile support: the qualified electronic signature creation device (QSCD) often required a smart card or hardware token, hindering mobile adoption.
• Limited trust services: eIDAS 1 listed nine types of qualified services; new uses (qualified electronic archiving, attribute management) were not covered.
• No unified digital identity wallet: each citizen or enterprise managed their credentials in a siloed manner, with no guaranteed interoperability.

These limitations prompted the Commission to launch the revision in 2020, resulting in Regulation eIDAS 2 after three years of trilogue negotiations.

---

2. The five major innovations of eIDAS 2 for SMEs

2.1 The European Digital Identity Wallet (EU Digital Identity Wallet — EUDIW)

This is the most visible innovation in the regulation. By November 2026 (transposition deadline set by Article 5a), each Member State must provide at least one certified digital identity wallet to its citizens and residents. For SMEs, this development has two direct consequences:

1. Simplified authentication of customers and partners: the wallet will allow the sharing of verified attributes (age, VAT identification number, company registration extract, certified bank data) without friction. A framework agreement with a German partner could be signed after instant verification of his professional attributes from his EUDIW.
2. Obligation to accept for certain sectors: online services of large platforms (Article 45bis) and certain public services must accept the EUDIW as an authentication method. SMEs providing B2B portals will need to adapt their authentication APIs.

2.2 Expansion of the list of qualified trust services

eIDAS 2 extends the catalogue of qualified trust services from 9 to 14 categories. The new entries directly affecting SMEs are:

• Qualified electronic archiving (Art. 45septies): long-term preservation with enhanced probative value. Until now, archiving with probative value relied on national frameworks (in France, the SIAF/ANSSI framework); eIDAS 2 harmonises the European framework.
• Remote management of qualified electronic signature creation devices (RQSCD): now explicitly regulated, it removes ambiguities that weighed on cloud-based qualified signature solutions. For a 50-employee SME, this means accessing a qualified signature without a physical token from any device.
• Qualified electronic register service: registers based on blockchain or distributed ledger technologies may now obtain qualified status, opening the way to new contractual management models.

For more information on signature levels and their legal value, consult our complete guide to electronic signatures.

2.3 Strengthened security requirements for qualified service providers (QTSP)

eIDAS 2 tightens the obligations of qualified trust service providers (QTSP). The revised Article 24 notably imposes:

• A cybersecurity certification compliant with the European framework (EU Cybersecurity Act, Regulation 2019/881), with sectoral schemes currently being developed by ENISA.
• Strengthened requirements for operational resilience: QTSPs must now document their business continuity plan and submit it to their national supervisory body (in France, ANSSI for qualified service providers).
• An obligation to notify security incidents within 24 hours (alignment with NIS 2).

For SMEs as users, this translates to enhanced due diligence obligations in choosing a service provider: verifying that your signature solution appears on the updated European Trusted List is now a critical step in your procurement process. Our comparison of electronic signature solutions can help you in this analysis.

2.4 Mandatory interoperability of identity schemes

Whereas eIDAS 1 left Member States free to notify (or not) their scheme, eIDAS 2 makes notification and interoperability mandatory for identity schemes used in online public services (Art. 5). France Identité — the national scheme led by the Ministry of the Interior — is currently being brought into compliance with the technical specifications of the EUDIW, published by the Commission in Implementing Regulation (EU) 2024/2977.

For an SME that regularly interacts with public administrations (public procurement, tax returns, customs procedures), this development means that online procedures will gradually be unified around a single, EU-wide recognised digital identifier.

2.5 New rules on liability and supervision

eIDAS 2 clarifies and extends service provider liability regimes (revised Art. 13). A QTSP is now presumed liable for any damage caused to a natural or legal person by breach of its obligations, unless it proves the absence of fault. This presumption of liability, strengthened compared to eIDAS 1, should encourage SMEs to:

• Formally document their service provider's commitments (SLA, availability guarantees, indemnification).
• Verify the QTSP's professional liability insurance coverage.
• Retain evidence of audit of signed transactions (timestamp logs, signature verification reports).

Our teams have drafted a detailed guide on electronic signatures in business which addresses these contractual aspects.

---

3. Comparison table eIDAS 1 vs eIDAS 2: what concretely changes

3.1 Summary of major changes

| Criterion | eIDAS 1 (2016-2024) | eIDAS 2 (2024-2026+) | |---|---|---| | Identity wallet | Absent | EUDIW mandatory (Member States) | | Qualified services | 9 categories | 14 categories (archiving, RQSCD, registers…) | | Scheme notification | Optional | Mandatory for public services | | QTSP security | Common Criteria standards | Cybersecurity Act + ENISA schemes | | QTSP liability | Partial | Strengthened presumption of liability | | Incident notification deadline | Not specified | 24 hours (alignment with NIS 2) | | Mobile QSCD | Legal ambiguity | RQSCD explicitly regulated |

3.2 Key deadlines to remember for 2026

• May 2024: entry into force of Regulation (EU) 2024/1183.
• November 2026: deadline for each Member State to provide at least one certified EUDIW solution.
• 2027: obligation for large platforms (Art. 45bis) to accept EUDIW as an authentication method.
• 2028: scheduled review of technical implementing acts (delegated regulations on EUDIW specifications).

If your SME is considering migrating to a more compliant solution, our migration offer to Certyneo includes a complimentary eIDAS 2 compliance audit.

---

4. Practical action plan to bring your SME into eIDAS 2 compliance

4.1 Audit your existing document flows

Start by mapping all processes in which you currently use electronic signatures or digital identity: supplier contracts, dematerialised payslips, SEPA mandates, confidentiality agreements, HR agreements. For each flow, identify:

• The signature level currently in use (SES, AdES, QES).
• The current service provider and their status on the Trusted List.
• The legal risk level in the event of contestation.

This audit is the recommended starting point by ANSSI in its compliance implementation guide published in March 2025.

4.2 Upgrade your signature solution

If your current service provider does not appear on the eIDAS 2 Trusted List or does not yet offer RQSCD, it is time to compare market offerings. Certyneo is a certified QTSP that supports all three signature levels (SES, AdES, QES) and natively integrates the new eIDAS 2 requirements, including qualified archiving and remote device management.

4.3 Train your teams and update your contracts

eIDAS 2 strengthens the probative value of qualified signatures but also imposes documentary best practices. Ensure that your legal and administrative teams:

• Know how to distinguish the three signature levels and their respective legal value.
• Integrate into supplier contracts a clause for eIDAS compliance audit.
• Retain evidence of signature verification (validation report, qualified timestamp) for the applicable legal retention period (3 to 10 years depending on the nature of the document).

To structure this approach, our electronic signature ROI calculator will allow you to quantify the operational gains linked to the upgrade.

Applicable legal framework

Reference texts

Bringing an SME into eIDAS 2 compliance in France forms part of a regulatory framework that is essential to understand.

Regulation (EU) 2024/1183 of the European Parliament and of the Council (known as "eIDAS 2"): this is the foundational text, published in the OJEU on 30 April 2024. It repeals and replaces Regulation (EU) No 910/2014 according to a phased implementation schedule extending until 2027. It is directly applicable in all Member States without requiring national legislative transposition for its main provisions.

Regulation (EU) No 910/2014 (eIDAS 1): some of its provisions remain applicable during transition periods set by eIDAS 2, notably for qualified service providers that obtained their qualification before May 2024 and have a deadline for recertification.

French Civil Code, Articles 1366 and 1367: Article 1366 establishes the principle of equivalence between electronic and paper writing, provided that "the person from whom it emanates can be duly identified and it is established and preserved in conditions such as to guarantee its integrity". Article 1367 recognises electronic signatures as a mode of proof, referring to the conditions set by decree in the Council of State (Decree No. 2017-1416 of 28 September 2017, codified in Articles R. 1369-1 to R. 1369-10 of the Civil Code).

Regulation (EU) 2016/679 (GDPR): the deployment of EUDIW and the processing of identity attributes in electronic signature flows constitute personal data processing within the meaning of the GDPR. SMEs must ensure that their QTSP acts as a processor under Article 28 GDPR, with a compliant DPA (Data Processing Agreement). The CNIL published in January 2026 a specific recommendation on EUDIW-GDPR integration.

Directive (EU) 2022/2555 (NIS 2): eIDAS 2 explicitly aligns with NIS 2 for incident notification obligations (Art. 24, §2 eIDAS 2 referring to NIS 2 provisions). QTSPs are considered "essential" or "important" entities under NIS 2 depending on their size, and subject as such to regular security audits.

ETSI standards: qualified electronic signatures must comply with ETSI EN 319 132-1 (XAdES), ETSI EN 319 122-1 (CAdES), ETSI EN 319 162-1 (ASiC), and ETSI EN 319 102-1 (validation procedure) standards. ETSI TS 119 461 covers remote identity verification (IDV), particularly relevant for RQSCD.

Legal risks in case of non-compliance

Using an electronic signature solution not compliant with eIDAS 2 exposes the SME to several risks:

• Inadmissibility in court: a judge may reject an electronic signature where the level does not correspond to the signed document (e.g., simple signature for a document requiring an advanced or qualified level).
• Contractual liability: if a contract is contested by a partner on the grounds of signature nullity, the SME may be exposed to indemnification claims.
• GDPR sanctions: in the event of a data breach due to a service provider's security failure, the SME, as joint controller or controller, may be sanctioned by the CNIL up to 4% of annual worldwide turnover (Art. 83 §4 GDPR).

Concrete use case scenarios

Scenario 1: an industrial SME of 80 employees managing 400 supplier contracts per year

An SME in the metalworking sector handling approximately 400 supplier contracts annually had been using a simple electronic signature (SES) solution for all of its commitments, including framework agreements exceeding €50,000. Following an eIDAS 2 compliance audit, it found that 35% of its contracts required an advanced or qualified signature to withstand legal contestation, particularly with suppliers established in other EU Member States.

By migrating to a solution combining advanced signatures (AdES) for routine contracts and qualified signatures (QES) for framework agreements, and activating qualified electronic archiving (new eIDAS 2 service), this SME reduced by 70% the time spent on post-signature document management (filing, searching, sending certified copies) and reduced to zero disputes related to signature contestation over the following 18 months, compared to two incidents in the previous 18 months.

Scenario 2: a legal consulting practice of 15 collaborators

A practice specialising in business law, issuing on average 1,200 signed documents per year (engagement letters, mandates, confidentiality agreements), faced growing demand from corporate clients for qualified signatures recognised throughout the EU. Under eIDAS 1, obtaining a qualified certificate required face-to-face procedures or lengthy video verification (45 to 90 minutes per user).

Thanks to RQSCD (Remote Qualified Signature Creation Device) covered by eIDAS 2, the practice was able to deploy qualified signatures for all collaborators in less than two weeks, via a fully remote enrolment procedure compliant with ETSI TS 119 461 standard. Internal adoption rate rose from 40% to 95% within three months, and the average turnaround time for signed documents fell from 4.2 days to less than 6 hours according to the practice's internal measurements.

Scenario 3: an e-commerce SME operating in three EU countries

An online sales company employing 35 people and operating in France, Belgium, and the Netherlands had to manage three types of electronic agreements: employment contracts for its local employees, partnership agreements with carriers, and SEPA mandates for its professional customers. The fragmentation of national requirements under eIDAS 1 forced it to maintain three separate signature workflows, with management costs estimated at approximately €12,000 per year.

Adoption of a single solution compliant with eIDAS 2 — integrating mutual recognition of qualified signatures across the three countries — allowed it to unify workflows, reduce management costs to approximately €4,500 per year (62% savings) and eliminate delays related to manual validation of foreign signatures by the legal department.

Conclusion

eIDAS 2 is not a mere cosmetic revision of the regulatory framework: it fundamentally redefines the rules of digital trust in Europe. For French SMEs, the five major changes — EUDIW wallet, expansion of qualified services, RQSCD, mandatory interoperability, and strengthened liability — represent both a compliance constraint and an opportunity to accelerate their document transformation.

SMEs that anticipate these changes today will gain a real competitive advantage: contracts recognised throughout the EU without friction, archiving with integrated probative value, and fully dematerialised and secure signature processes.

Certyneo is designed to support this transition. Start your free trial on certyneo.com and benefit from a complimentary eIDAS 2 compliance audit for your existing document flows.