eIDAS Compliance for SMEs: Complete Checklist 2026

The European eIDAS regulation (EU No. 910/2014, soon amended by eIDAS 2.0) governs electronic signatures throughout the European Union. For an SME, being compliant is not just a tick-box exercise: it is the guarantee that its contracts are enforceable, that its signature data is protected, and that it protects itself against legal risks that can be costly. Here is the 2026 checklist in 12 concrete points to verify that your SME is fully eIDAS compliant.

Point 1: Choose the right signature level

First reflex: map your contract types and associate a target level. Standard commercial contracts (quotations, purchase orders, simple NDAs): SES is sufficient. Employment contracts, leases, sensitive NDAs, strategic agreements: AES minimum, preferably with SMS OTP. Regulated acts (lawyer, notary, public procurement above a threshold): QES mandatory. Without this mapping, you risk under-dimensioning (contract rejected) or over-dimensioning (excessive cost).

Point 2: Verify the service provider's qualification

Your service provider must be a qualified trust service provider (QTSP) or rely on a QTSP for AES/QES levels. Consult the Trust Services List published by ANSSI (eidas.ssi.gouv.fr) and the European Trusted List (webgate.ec.europa.eu/tl-browser). Reference French QTSPs: Certigna, Docaposte, Certinomis, Universign. For SES/AES via platform (Certyneo, Yousign, etc.), verify their eIDAS compliance explicitly documented.

Point 3: Test the audit trail

Sign a test envelope and retrieve the audit trail (generally a separate PDF). It must contain: signer's identity and email, timestamp of each step (sending, opening, validation, signature), IP address, user agent, document hash, OTP validation if AES. If any of these elements are missing, the evidentiary value is weakened. Certyneo provides a complete audit trail even in the free plan.

Point 4: Control the timestamping

Timestamping must be issued by a Time Stamp Authority (TSA) compliant with RFC 3161. A timestamp simply issued from the company's NTP server is not sufficient. Open the signed PDF in Adobe Reader: Signatures tab → Details → Timestamp. You must see a valid TSA certificate and a certified clock. If the PDF does not have a certified timestamp, reconsider your service provider choice.

Point 5: Archive for a minimum of 10 years

The Commercial Code (article L. 123-22) requires retention of 10 years for commercial documents. The Labour Code requires 5 years for employment contracts after termination. Archiving must preserve integrity (hash, sealing) and access. Ideal: PDF/A format (ISO 19005), dual storage (primary + off-site backup), qualified electronic safe (QES) for maximum proof. Certyneo archives for 10 years by default and offers export to partner QES.

Point 6: Verify data location

Where is your signature data hosted? For a French SME handling sensitive contracts, prioritise hosting in France or the EU. Ask your service provider for a list of subcontractors and their location (article 28 GDPR). Avoid solutions subject to the US Cloud Act for strategic contracts. Certyneo is hosted in France, with no Cloud Act dependency. See our article on /blog/cloud-act-signature-electronique.

Point 7: Align with GDPR

Signature and GDPR are closely linked: each envelope contains personal data (name, email, IP, phone number). Ensure that your processing register (art. 30 GDPR) includes electronic signature, that retention periods are consistent (10 years), and that individuals' rights are implementable (access, correction, portability). If you request many signatures, a DPO is recommended. See our article /blog/signature-electronique-rgpd.

Point 8: Identify signers beforehand

For solid AES, identification does not begin at signature: it begins at data collection. Verify emails (no aliases, no mailing lists), phone numbers (no shared lines), and keep track of the identification source (ID for heavy contracts, existing customer KYC for continuous contracts). This due diligence makes the strength of proof in case of dispute.

Point 9: Train teams

Your sales, HR, and legal teams must understand the rules: never force a signer through a third-party device, never return a modified signed PDF, never paste an image of a scanned signature instead of a genuine signature. One hour of training per team is enough to anchor good practices. Certyneo provides a comprehensive guide to share internally (/ressources).

Point 10: Check service provider contracts

The service provider's Terms of Use/Terms of Service must: commit to eIDAS compliance, specify archiving periods, include a GDPR data processing agreement (art. 28), document subcontractors, plan for reversibility in case of termination. Also request SOC 2 Type II or equivalent if you handle significant volumes. For Certyneo, these documents are available on /legal and /security.

Point 11: Prepare for eIDAS 2.0 and EUDI Wallet

Regulation eIDAS 2.0 (EU 2024/1183) enters into force progressively and requires Member States to deploy an EUDI Wallet by end of 2026. This digital identity wallet will in particular enable access to remote QES without a physical registration office. Prepare your SME: check that your service provider has an EUDI Wallet roadmap, follow communications from ANSSI and the European Commission. See /blog/eidas-2-nouveau-reglement-2026.

Point 12: Audit annually

Compliance is not an acquired status: it is an ongoing process. Schedule an annual audit (internal or external) to verify: regulatory changes, service provider updates, updated contract type mapping, effective retention, training for new recruits. A light audit takes half a day for an SME and avoids many surprises. Start by creating a free Certyneo account on certyneo.com/signup to test compliance in practice, then consult our eIDAS guide for further information (/guide/eidas).