eIDAS 2 Timeline: EU Deployment 2026-2027
The eIDAS 2 regulation enters its operational deployment phase in 2026-2027. Discover key dates, business obligations and the complete roadmap.
Certyneo Team
Writer — Certyneo
Introduction: why the eIDAS 2 timeline is critical for your organisation
Since the entry into force of Regulation (EU) 2024/1183, commonly known as eIDAS 2, the European framework for digital identity and electronic signature has undergone its most profound transformation since 2014. Although the revised text has been formally adopted, its operational deployment, spread between 2024 and 2027, now commands the attention of CISOs, legal professionals and compliance officers. Understanding the official deployment timeline of the eIDAS 2 regulation across the European Union allows you to anticipate obligations, secure your contractual processes and avoid compliance gaps. This article decodes the key stages, expected implementing acts and concrete impacts for French and European businesses.
---
1. Reminder: what is eIDAS 2 and why this revision?
1.1 The limitations of eIDAS 1 (2014)
The original eIDAS regulation (No. 910/2014) laid the foundations for digital trust in Europe: mutual recognition of electronic signatures, creation of qualified (QES), simple (SES) and advanced (AdES) levels, and accreditation of Trust Service Providers (TSPs). However, ten years of implementation have highlighted several major gaps:
- National fragmentation: fewer than 19% of European citizens used a cross-border electronic identification scheme in 2022 according to the European Commission.
- Absence of digital identity wallet: eIDAS 1 did not provide for a universal instrument allowing each citizen or business to prove their identity online in all Member States.
- Partial coverage: qualified electronic archiving services or attribute attestations were not harmonised.
1.2 The structural contributions of eIDAS 2
Adopted on 11 April 2024 and published in the Official Journal of the EU on 30 April 2024, Regulation (EU) 2024/1183 introduces notably:
- The European Digital Identity Wallet (EUDI Wallet): digital identity wallet that each Member State must offer to its citizens.
- New qualified trust services: qualified electronic attribute attestations, qualified electronic archiving, management of remote signature creation devices.
- Extension of scope: large online platforms (within the meaning of the DSA regulation) will be required to accept the EUDI Wallet for user authentication.
- Strengthened governance: creation of a stricter compliance certification framework for TSPs.
To deepen the basics of the regulation, our comprehensive guide to eIDAS 2.0 details all regulatory developments.
---
2. The official eIDAS 2 deployment timeline: stages and key dates 2024-2027
The eIDAS 2 regulation structures its entry into application through a multi-phase mechanism: entry into force, Commission implementing acts, national transposition and effective deployment of tools. Here is the official roadmap.
2.1 Phase 1 — Entry into force and delegated acts (May 2024 – end 2025)
| Date | Stage |
|---|---|
| 30 April 2024 | Publication of Regulation (EU) 2024/1183 in the Official Journal of the EU |
| 20 May 2024 | Official entry into force (D+20 after publication) |
| Q3-Q4 2024 | Launch of working groups on implementing acts (eIDAS 2 Toolbox) |
| End of 2024 | Publication of first technical reference specifications for the EUDI Wallet (ARF — Architecture Reference Framework v1.4) |
| Q1-Q2 2025 | Commission implementing acts on technical specifications of wallets (12-month deadline provided for in Article 5a) |
| Q3 2025 | Implementing acts relating to new qualified trust services |
The European Commission published in January 2025 the first package of implementing acts on common technical specifications for the EUDI Wallet. These texts form the mandatory technical basis for Member States.
2.2 Phase 2 — Deployment of pilot projects and national transpositions (2025-2026)
As part of the Large Scale Pilots (LSP) programme, four consortiums have tested the EUDI Wallet since 2023 on over 360 use cases across 25 Member States:
- EU Digital Identity Wallet Consortium (EUDIW) — 140+ entities
- NOBID — focused on digital payments
- POTENTIAL — identity and attributes
- DC4EU — diplomas and professional qualifications
The results of these pilots directly feed into the implementing acts. On the national level, Member States have 24 months from the entry into application of the implementing acts to deploy their national wallet. In practice, this means that the vast majority of national deployments are expected between mid-2026 and end of 2026.
| Period | Expected actions |
|---|---|
| Q1-Q2 2026 | Final adoption of missing implementing acts (qualified archiving, attribute attestations) |
| Q2 2026 | First production versions of EUDI Wallets in pioneering states (Germany, Netherlands, Spain) |
| Q3-Q4 2026 | Progressive deployment across the 27 Member States — opening to professional users |
| End of 2026 | Acceptance obligations for the EUDI Wallet for online public services (art. 5b) |
France, via the National Agency for Information Systems Security (ANSSI) and the Interministerial Directorate for Digital (DINUM), launched its adaptation work in 2025. The French wallet project is based on France Identity as a technical foundation.
2.3 Phase 3 — Acceptance obligations for the private sector (2027)
This is the most impactful stage for businesses. Article 5b of the eIDAS 2 regulation requires that certain private sector service providers accept the EUDI Wallet for online identification in the following areas:
- Banking and financial services (account opening, KYC)
- Mobility (transport, vehicle rental)
- Energy (consumer contracts)
- Very large online platforms (within the meaning of the DSA, > 45 million monthly active users in the EU)
- Telecommunications
The mandatory acceptance deadline is set at 12 months after the wallet becomes available in each Member State, which places the real deadline for most sectors in the first half of 2027.
For companies already using electronic signature solutions compliant with eIDAS, the challenge is to ensure the compatibility of their document flows with the new identity attributes from digital wallets.
---
3. Impact on Trust Service Providers (TSPs) and SaaS vendors
3.1 New obligations for qualified TSPs
Qualified Trust Service Providers (QTSPs) must update their certification practices to integrate the new service categories introduced by eIDAS 2:
- Qualified electronic attribute attestations: digital driving licence, diplomas, professional qualifications
- Qualified electronic archiving: service guaranteeing long-term integrity of signed documents
- Management of Remote Signature Creation Devices (RQSCD): clarification of the framework for cloud solutions
QTSPs have up to 18 months after the publication of revised ETSI standards (expected Q2-Q3 2026) to comply with the new technical requirements, which positions the first effective re-certifications in 2027.
3.2 What this means for user companies
If your organisation uses a SaaS electronic signature provider — whether a certified QES solution or an advanced signature tool — several compliance questions arise right now:
- Is your service provider updating its certification to integrate eIDAS 2 requirements?
- Are your signature workflows ready to receive identities from EUDI Wallets?
- Does your archiving policy meet future qualified electronic archiving requirements?
Our analyses of the comparison of electronic signature solutions now incorporate the eIDAS 2 roadmap criterion as a key differentiating factor.
3.3 Technical reference standards
ETSI (European Telecommunications Standards Institute) is responsible for producing the harmonised standards on which eIDAS 2 relies. The work programme for 2025-2027 notably covers:
- ETSI EN 319 411-1 and -2 (revised): policies and requirements for TSPs issuing certificates
- ETSI EN 319 132-1 (XAdES) and EN 319 122-1 (CAdES): advanced and qualified signature formats
- ETSI TS 119 500: trust framework for qualified electronic archiving services
- ISO/IEC 18013-5: protocol for presenting mDL (mobile Driving Licence) attributes, adopted as the technical basis of the EUDI Wallet
---
4. eIDAS 2 timeline in France: progress and specific obligations
4.1 The role of ANSSI in national governance
In France, ANSSI is the supervisory authority for Trust Service Providers under eIDAS. In the context of eIDAS 2, it oversees:
- Adaptation of the General Security Reference (RGS) to integrate new qualified services
- Participation in the work of the eIDAS cooperation group (Article 46e of the regulation)
- Supervision of compliance audits of French QTSPs
ANSSI published in March 2025 a national roadmap outlining the steps for adapting the French framework to eIDAS 2, with a progress checkpoint planned for September 2026.
4.2 Obligations for large French companies
French companies exceeding DSA thresholds or operating in sectors targeted by Article 5b should now engage in an impact analysis. The recommended stages are:
- Mapping of identification flows: identify processes where digital identity is required (KYC, contract signing, access to customer portals)
- Evaluation of current service providers: verify their eIDAS 2 compliance roadmap
- Plan to update GTCs and signature policies: anticipate integration of identity attributes from EUDI Wallets
- Training of legal and IT teams: the technical and legal framework is changing significantly
For companies managing high volumes of contracts, enterprise electronic signature tools should be evaluated on their ability to evolve towards eIDAS 2 without service disruption.
4.3 Interaction with other European regulations
The deployment of eIDAS 2 does not occur in isolation. It works closely with:
- GDPR (2016/679): identity attributes contained in EUDI Wallets constitute personal data subject to minimisation and purpose principles
- NIS 2 Directive (2022/2555): TSPs are essential entities within the meaning of NIS 2 and must meet enhanced cybersecurity requirements
- DORA Regulation (2022/2554): financial institutions using trust services for their digital operations must integrate these dependencies into their ICT risk mapping
- Data Regulation (Data Act, 2023/2854): interoperability of identity data between sectors
Companies that have already engaged their NIS 2 compliance will find significant synergies with eIDAS 2 compliance, particularly in risk management and business continuity sections.
---
5. Preparing your organisation now: the 2026 checklist
5.1 For legal and compliance departments
- [ ] Read Regulation (EU) 2024/1183 in its consolidated version and identify articles applicable to your sector
- [ ] Map contracts and processes requiring updates (signature clauses, retention policy)
- [ ] Verify cross-border legal validity of your current electronic signatures in the eIDAS 2 context
- [ ] Anticipate integration of qualified attribute attestations (e.g., professional qualifications verification for notarial or medical acts)
5.2 For information systems departments
- [ ] Assess compatibility of your technical stack with EUDI Wallet protocols (OpenID4VP, ISO 18013-5)
- [ ] Identify APIs to be updated with your electronic signature vendors
- [ ] Plan integration testing with pilot wallets available in 2026
- [ ] Implement monitoring of Commission implementing acts (notifications in the Official Journal of the EU)
5.3 For business departments
The gains expected from well-anticipated compliance are concrete: reduced friction in signature flows thanks to pre-verified identity from the EUDI Wallet, accelerated KYC processes, and reduced identity verification costs. To assess the return on investment of your transition, our electronic signature ROI calculator integrates parameters specific to eIDAS 2 compliance.
Finally, organisations considering migration from other solutions to a platform natively prepared for eIDAS 2 can consult our migration guide from DocuSign or YouSign to Certyneo, which details the technical and contractual steps of a seamless transition.
Legal framework applicable to eIDAS 2 deployment
Founding texts and hierarchy of norms
The deployment of eIDAS 2 is part of a stratified legal corpus, mastery of which is essential for any organisation subject to compliance obligations.
Regulation (EU) 2024/1183 of the European Parliament and of the Council — known as "eIDAS 2" — constitutes the reference standard. It repeals and replaces Regulation (EU) No. 910/2014 (eIDAS 1) on the points it revises, while maintaining the validity of existing certifications during the transition periods provided for in Articles 51 and following. Published in the Official Journal of the EU series L on 30 April 2024, it entered into force on 20 May 2024.
The French Civil Code, in Articles 1366 and 1367, enshrines the recognition of an electronic signature as equivalent to a handwritten signature when it meets the conditions for identifying the signatory and ensuring document integrity. These provisions are interpreted in light of European eIDAS law, which takes precedence by virtue of the principle of primacy of Union law.
Regulation (EU) 2016/679 (GDPR) applies in full to personal data processing carried out in the context of the EUDI Wallet and trust services. Identity attributes (biographical data, qualifications, licenses) constitute personal data within the meaning of Article 4 § 1 of the GDPR. The minimisation principle (Art. 5 § 1 c) is particularly relevant: service providers should only collect attributes strictly necessary for the transaction purpose.
Directive (EU) 2022/2555 (NIS 2), transposed into French law by Law No. 2024-449 of 21 May 2024, classifies qualified trust service providers among essential entities subject to enhanced cyber risk management, incident notification and supply chain security obligations.
ETSI standards constitute the harmonised technical reference of eIDAS 2:
- ETSI EN 319 401: general requirements for TSPs
- ETSI EN 319 411-1/-2: policies for TSPs issuing qualified certificates
- ETSI EN 319 132-1: XAdES format (advanced XML signatures)
- ETSI EN 319 122-1: CAdES format (advanced CMS signatures)
- ETSI EN 319 162-1: ASiC format (signature containers)
Legal risks in case of non-compliance
Non-compliance with eIDAS 2 obligations exposes organisations to several risks:
- Unenforceability of signatures: an electronic signature made via a non-compliant TSP may lose the legal presumption of validity, calling into question the probative value of signed contracts.
- Administrative sanctions: national supervisory authorities (ANSSI in France) may impose corrective measures, compliance injunctions, or even accreditation withdrawals for TSPs.
- Contractual liability: companies using non-compliant tools may be held liable towards their clients and partners if a dispute concerns the validity of an electronically signed deed.
- Cumulative exposure with GDPR: non-compliant management of EUDI Wallet identity attributes may simultaneously expose the organisation to CNIL sanctions (up to 4% of annual global turnover).
Concrete use cases against the eIDAS 2 timeline
Scenario 1 — A mid-sized law firm managing cross-border transactions
A corporate law firm with about fifteen collaborators regularly handling M&A transactions involving counterparties in several EU Member States (Belgium, Netherlands, Spain) currently uses a qualified electronic signature solution for its share purchase agreements and confidentiality agreements. With the eIDAS 2 implementation timeline taking effect by end of 2026, the firm anticipates two major developments:
- Simplified identity verification: foreign counterparties will be able to present their identity attributes via their national EUDI Wallet, eliminating exchanges of passport copies and redundant KYC procedures. According to estimates from Commission reports on LSPs, the time saving in the identity verification phase is between 40% and 60% depending on the jurisdictions involved.
- Enhanced probative value: deeds signed with identities attested by qualified EUDI Wallets will benefit from an even more robust legal presumption, reducing the risk of litigation challenges in cross-border disputes.
The firm plans to migrate to a SaaS platform with a documented eIDAS 2 roadmap before Q3 2026, approximately six months before the first acceptance obligations.
Scenario 2 — A manufacturing SME managing a high volume of supplier contracts
An industrial equipment SME managing approximately 250 supplier contracts per year, of which 30% are with partners outside France, faces increasing identity verification constraints when onboarding new suppliers. The current process — request for business registration, copy of legal representative's identity document, manual verification — mobilises on average 2.5 hours per file according to industry benchmarks from the purchasing federation.
With EUDI Wallet integration into its signature workflow by 2027, the SME projects:
- A reduction of 55 to 70% in time spent on identity verification thanks to qualified attribute attestations (registration number, legal representation)
- A decrease of 80% in document follow-ups with foreign suppliers
- Enhanced security against document fraud, as attributes are cryptographically verifiable
The SME has identified the need to update its general terms of purchase to integrate reference to eIDAS 2 attestations, in liaison with its legal counsel.
Scenario 3 — A hospital group anticipating compliance for digital medical acts
A hospital group of approximately 900 beds across three sites must manage electronic signature of sensitive medical documents: informed consent, prescriptions, operative reports and contracts with healthcare providers. French regulation requires qualified signature for certain medical acts with strong legal scope.
In view of the eIDAS 2 timeline, the group anticipates the arrival of qualified attribute attestations for healthcare professional qualifications (RPPS number, specialty, practice location), which will allow:
- Automated verification of the signatory's professional capacity (doctor, surgeon, pharmacist) without manual verification in professional directories
- Reduced risk of signature attribution error during replacements and on-call services
- Easier portability of digital medical records between establishments, within the framework of the European health data space (EHDS)
The group estimates that integration of EUDI Wallet flows into its hospital information system (HIS) represents a 12 to 18-month project, justifying launch of technical studies by Q3 2026 for production deployment before the sector-specific acceptance obligation.
Conclusion
The eIDAS 2 regulation deployment timeline across the European Union is now clearly mapped: implementing acts being finalised in 2026, deployment of national EUDI Wallets between mid-2026 and end of 2026, and acceptance obligations for the private sector from the first half of 2027. This roadmap leaves a concrete window for action for French and European companies, provided they engage now in compliance analysis, provider evaluation and update of contractual processes.
Waiting until 2027 to achieve compliance risks a rushed transition, with the costs and legal risks that entails. Certyneo, designed natively for eIDAS requirements and with an active roadmap towards eIDAS 2, supports you from today in this transition. Get started free on Certyneo and secure your document flows in compliance with the European digital trust framework.