eIDAS 2 certification service provider signature 2026
The eIDAS 2 regulation imposes new requirements on trust service providers. Discover the complete certification pathway to remain compliant in 2026.
Certyneo Team
Why eIDAS 2 certification changes the game for service providers
Since the entry into force of Regulation (EU) 2024/1183 of 11 April 2024, commonly called eIDAS 2, trust service providers (TSP) operating in the European Union face a substantially restructured regulatory framework. The revision of the 2014 eIDAS regulation is not limited to broadening the scope of recognised services: it adds new qualified services, aligns providers' security and incident-reporting duties with the NIS2 directive and strengthens the powers of national supervisory bodies. For any actor wishing to offer qualified (QES) or advanced (AdES) electronic signature services on the European market, understanding how a signature service provider obtains and keeps qualified status under eIDAS 2 is no longer optional: it is a strategic obligation.
This article provides a comprehensive overview of the certification pathway: applicable texts, technical standards to comply with, the role of conformity assessment bodies (CAB), realistic timelines and operational vigilance points.
---
The new eIDAS 2 regulatory landscape: what has changed
From Regulation 910/2014 to Regulation 2024/1183: major developments
The original eIDAS regulation (No. 910/2014) laid the foundations for a single digital trust market in Europe. It defined three levels of electronic signature (simple, advanced and qualified) and required qualified providers to appear on national trusted lists (TSL, published in the machine-readable format of ETSI TS 119 612). eIDAS 2 retains this architecture but enriches it on several structural points:
- Expansion of qualified services: qualified electronic archiving, electronic attestations of attributes (EAA), qualified electronic ledgers and the management of remote qualified signature creation devices (QSCD). These services are subject to the same qualification procedure as qualified signature.
- The European digital identity wallet (EUDIW): service providers wishing to interact with the future identity wallet must demonstrate compliance with technical specifications published by the Commission (ARF — Architecture and Reference Framework, v1.4, 2024).
- Strengthened supervision: national supervisory authorities (in France, ANSSI) have enhanced powers of investigation and enforcement. Qualified TSP may be subject to unannounced audits.
- Incident reporting aligned with NIS2: the revised Article 19 ties trust service providers' security measures and incident notification to Directive (EU) 2022/2555 (NIS2). A significant incident therefore follows the NIS2 staged timeline: early warning to the competent authority within 24 hours of becoming aware of it, full notification within 72 hours and a final report within one month. The 2014 text already required notification within 24 hours, so the change is one of alignment and detail rather than a shorter deadline.
For a comprehensive overview of the regulation, the eIDAS 2.0 guide from Certyneo provides a pedagogical summary of all these developments.
Assurance levels and their implications for certification
The distinction between advanced and qualified electronic signature remains the pivot of the system. Only QES has, by law, the equivalent legal effect of a handwritten signature (art. 25(2) of the eIDAS regulation as amended), which French law translates into a presumption of reliability (Civil Code, art. 1367). That effect depends directly on the provider's qualified status: a signature backed by a certificate from a provider absent from the trusted list is, at best, an AdES.
| Level | Probative value | Provider requirement |
|---|---|---|
| Simple (SES) | Limited | None |
| Advanced (AdES) | Significant | Best practices + ETSI standards |
| Qualified (QES) | Maximum (legal equivalence to handwritten signature) | Qualified status on the national trusted list |
---
The eIDAS 2 certification process step by step
Step 1 — Organisational and technical prerequisites
Before formally engaging in the certification process, a service provider must assess its maturity level on three axes:
1. Compliance with ETSI standards. The EN 319 series forms the essential technical foundation. The main ones are:
- ETSI EN 319 401: general policy requirements for trust service providers
- ETSI EN 319 411-1 and 411-2: policy and security requirements for certification authorities issuing certificates (411-2 defines the QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd and QCP-w policies for qualified certificates)
- ETSI EN 319 421: policy and security requirements for time-stamping authorities
- ETSI EN 319 122 / 132 / 142 / 162: the CAdES (CMS), XAdES (XML), PAdES (PDF) and ASiC container formats, with EN 319 102-1 for the procedures for creating and validating AdES signatures
Compliance with these standards is not optional in practice for qualified providers: conformity assessment bodies assess providers against them, and the Commission's implementing acts reference them where such acts have been adopted.
2. Information systems security. QSCDs must be certified in accordance with Implementing Decision (EU) 2016/650, i.e. a Common Criteria (ISO/IEC 15408) evaluation against the EN 419 211 protection profiles (EAL4 augmented with AVA_VAN.5). For remote signature solutions, the dominant SaaS model, the requirements extend to the HSMs that hold signing keys and to the key-management procedures around them: in practice, modules certified against the EN 419 221-5 protection profile or FIPS 140-2/140-3 Level 3, with the server signing component itself evaluated as a remote QSCD (EN 419 241-2).
3. Information Security Policy (ISSP) and risk management. The certification file requires a formalised ISSP, aligned with ISO/IEC 27001 (certification is strongly recommended and sometimes required by CABs) and incorporating the NIS2 risk-management measures, since qualified trust service providers are essential entities under that directive.
Step 2 — Selection and engagement of a Conformity Assessment Body (CAB)
In France, CABs accredited by COFRAC (French Committee for Accreditation) to assess trust service providers are few in number. By way of example, LSTI (Laboratoire de Sécurité des Technologies de l'Information) and Bureau Veritas Certification are among the referenced actors. At the European level, each Member State publishes the list of its notified CABs.
The role of the CAB is to conduct a conformity audit in two phases:
- Documentary review (Phase 1): examination of policies, procedures, Certification Practice Statement (CPS) and technical evidence.
- On-site audit (Phase 2): verification that operational controls work as documented, review of vulnerability-assessment and penetration-test evidence, interviews with teams.
The total duration of a CAB audit typically ranges from 4 to 8 weeks depending on the candidate's prior maturity.
Step 3 — Instruction by the national supervisory authority
In France, it is ANSSI (National Agency for Information Systems Security) that processes applications for registration on the national trust list (TSL FR). On the basis of the CAB audit report, ANSSI conducts its own analysis and may request additional information or corrective measures.
The supervisory body must verify the file and, where conformity is established, grant qualified status no later than three months after notification (art. 21(2) of the eIDAS regulation as amended). In practice, actual timelines are often longer if the initial file is incomplete.
Once the national trusted list has been updated, the provider's qualified status becomes visible through the Commission's List of Trusted Lists (LOTL), which points to every Member State's list. Under art. 25(3), a qualified electronic signature based on a qualified certificate issued in one Member State is recognised as such in all the others, which gives the provider immediate cross-border recognition.
Step 4 — Maintaining qualification and renewal
eIDAS 2 certification is not permanent. Qualified service providers are subject to:
- Periodic surveillance by the CAB, on the schedule set by its certification scheme (typically annual)
- Full conformity assessment at least every 24 months, as required by art. 20(1) of the Regulation (a requirement the 2014 text already contained)
- Unannounced inspections possible at the initiative of ANSSI
Any substantial change to the infrastructure (HSM change, PKI evolution, new qualified service) triggers a prior notification procedure and may require a partial audit.
---
Costs, timelines and risk factors: what IT leaders must anticipate
Budget and human resources
The cost of a first eIDAS 2 certification is significant. Expense items include:
- CAB audit: between €40,000 and €120,000 depending on the complexity of the scope
- Technical compliance (HSM, PKI, CC-certified QSCD): from €80,000 to several hundred thousand euros for proprietary infrastructure
- ISO 27001 certification (recommended as a prerequisite): €15,000 to €50,000 depending on size
- Legal advice fees and CPS drafting: €10,000 to €30,000
- Internal costs: mobilisation of a dedicated team (CISO, DPO, compliance officer) for 12 to 18 months
Cumulating all these items, a complete certification represents a total investment in the order of €200,000 to €500,000 for a mid-sized service provider, excluding recurring maintenance costs.
Operational risk factors
The most common causes of failure or delay in certification procedures are:
- Insufficiently detailed CPS: the Certification Practice Statement must document each control with sometimes underestimated granularity.
- Gaps in key lifecycle management: revocation, archiving, destruction of private keys.
- Insufficient incident governance: lack of SIEM, tested crisis management procedures, runbooks.
- Underestimation of NIS2: qualified trust service providers are essential entities under the NIS2 directive regardless of their size (art. 3(1)(b)), which adds risk-management, reporting and supervisory obligations on top of those of eIDAS.
For companies wishing to delegate these constraints to an already-certified service provider rather than build their own infrastructure, the comparison of electronic signature solutions available on Certyneo helps to objectively assess this build-vs-buy choice.
---
eIDAS 2 and electronic signature in the enterprise: transition issues
For user organisations — as opposed to service providers — the eIDAS 2 certification of their SaaS signature supplier is now an indispensable selection criterion. Including a clause in calls for tender requiring registration on the national TSL has become standard practice in regulated sectors (finance, healthcare, real estate).
Electronic signature in the enterprise indeed requires clearly distinguishing use cases requiring QES — high-stakes private agreements, powers of attorney, electronic notarial deeds — from those for which AdES is sufficient. This mapping of use cases directly conditions the level of service that can be contractually required from the service provider.
Organisations migrating from an existing solution to a certified eIDAS 2 service provider must also anticipate the portability of evidence archives. The guide on migration from DocuSign or YouSign to Certyneo details best practices for preserving the probative value of documents already signed during the transition.
Legal framework applicable to eIDAS 2 certification
Founding texts
The certification of trust service providers is based on a dense regulatory stack that must be understood in its entirety:
Regulation (EU) 2024/1183 of 11 April 2024 (eIDAS 2): an amending regulation that rewrites large parts of Regulation 910/2014 rather than replacing it. It revises the conditions for obtaining and maintaining qualified status, the obligations of national supervision, and adds the requirements for the new services (EUDIW, EAA, qualified electronic archiving and ledgers).
Regulation (EU) No 910/2014 (eIDAS 1): remains the applicable text, read in its consolidated version as amended; implementing and delegated acts adopted under it remain in force until their formal revision.
French Civil Code, articles 1366 and 1367: Article 1366 establishes the principle of equivalence of electronic signature to handwritten signature subject to reliability; Article 1367 specifies that reliability is presumed until proof to the contrary when qualified signature is used. These national provisions articulate directly with the legal presumption of art. 25 eIDAS 2.
Directive (EU) 2022/2555 (NIS2): classifies qualified trust service providers as essential entities regardless of their size (art. 3(1)(b); non-qualified providers are important entities). France transposes it through its critical-infrastructure resilience and cybersecurity law, whose bill was tabled in October 2024. Obligations: the cyber risk-management measures of art. 21, staged notification of significant incidents to ANSSI (early warning within 24 hours, notification within 72 hours, final report within one month, art. 23), and supervisory audits.
Regulation (EU) 2016/679 (GDPR): signature service providers process sensitive personal data (identity of signatories, audit logs). Compliance with principles of minimisation, limitation of retention and integrity requires a specific impact assessment (DPIA). The legal basis for processing must be documented for each service.
Technical standards with regulatory value
The Commission's implementing acts reference ETSI and CEN standards: Implementing Decision (EU) 2015/1506 fixes the AdES formats that public sector bodies must accept, and Implementing Decision (EU) 2016/650 the standards for the security assessment of QSCDs. The ETSI standards a provider is assessed against are:
- ETSI EN 319 401: general policy requirements for TSPs
- ETSI EN 319 411-1 and 411-2: certificate policies, including the qualified (QCP) profiles
- ETSI EN 319 421: time-stamping authorities (qualified time stamps)
- ETSI EN 319 122 / 132 / 142 / 162: CAdES, XAdES, PAdES and ASiC formats; EN 319 102-1: creation and validation procedures
- ETSI TS 119 431-1/-2 and TS 119 432: remote signature creation services and protocols
Legal risks in case of non-compliance
Fraudulent or negligent use of the status of qualified service provider exposes to administrative sanctions pronounced by ANSSI (suspension, removal from the trust list) and to criminal prosecution (art. 226-17 of the Penal Code for failure to secure personal data). On the civil side, calling into question the probative value of signatures issued during a period of non-compliance may engage the contractual liability of the service provider towards its clients.
Use scenarios: eIDAS 2 certification in practice
Scenario 1 — A mid-sized SaaS editor aiming for QES qualification
A company specialising in document dematerialisation, employing around one hundred employees and handling several million signature transactions per year on behalf of clients in the banking and insurance sectors, decides to apply for eIDAS 2 qualification for its electronic signature service. Until now, the company offered advanced certificate-based signature (AdES), sufficient for the majority of its client contracts, but insufficient for deeds requiring maximum probative value (SEPA mandates, notarised proof agreements).
After a 3-month internal audit revealing around fifteen major gaps compared to ETSI EN 319 411-2 requirements, the company launches a 14-month compliance programme. The main projects involve replacing existing HSMs with modules certified against EN 419 221-5 or FIPS 140-3 Level 3, drafting a 180-page CPS, and obtaining ISO 27001 certification prior to the CAB audit. The total investment reaches €340,000. Following completion of the process, registration on the French TSL enables the company to access calls for tender from which it was systematically excluded, representing an estimated commercial potential of 20% additional revenue.
Scenario 2 — A hospital group integrating qualified signature for medico-legal deeds
A hospital group of approximately 1,200 beds wishes to dematerialise its informed consent processes, medical power of attorney delegation and clinical research contracts. These documents fall into the category of deeds for which QES is required or strongly recommended by HAS reference documents and the legal framework for health data (art. L. 1110-4 CSP).
Rather than certifying an internal infrastructure — an option judged too costly and outside core business — the group opts for integration of a third-party service provider already registered on the TSL. The IT department conducts a supplier compliance audit on the basis of the ETSI EN 319 401 checklist and verifies actual presence on the EUTL before any contractualisation. The deployment, completed in 4 months, reduces by 65% the time required to collect signatures on clinical research files and eliminates the risk of legal challenge linked to prior use of simple signatures for sensitive deeds.
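The supplier check described above, and the cross-border recognition point of Step 3 (the Commission's LOTL points at every Member State's list), both come down to reading a trusted list. The following is an added example, not Certyneo's code: it parses a list in the ETSI TS 119 612 XML format used by national TSLs and returns the services of a named provider whose status is "granted" for a given service type at a given date. The list fragment, provider names and dates are constructed for the example; a real list is downloaded from the URL published by the supervisory body and its XML signature must be verified before anything in it is trusted, which this code does not do.

```python
"""Check a provider's qualified status in an ETSI TS 119 612 trusted list (TSL).
Added example for this article, not Certyneo code. SAMPLE_TSL is constructed; a real list
comes from the supervisory body's URL (indexed in the Commission's LOTL) and its XML
signature must be verified first, which this code does not do."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

TSL_NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
SVCTYPE_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"    # issuance of qualified certificates
SVCTYPE_QTST = "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST"  # qualified time stamps
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"

SAMPLE_TSL = """<?xml version="1.0" encoding="UTF-8"?>
<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#" TSLTag="http://uri.etsi.org/19612/TSLTag">
 <SchemeInformation>
  <SchemeTerritory>FR</SchemeTerritory><ListIssueDateTime>2026-01-15T00:00:00Z</ListIssueDateTime>
  <NextUpdate><dateTime>2026-07-15T00:00:00Z</dateTime></NextUpdate>
 </SchemeInformation>
 <TrustServiceProviderList>
  <TrustServiceProvider>
   <TSPInformation><TSPName><Name xml:lang="en">Example Trust Services SAS</Name></TSPName></TSPInformation>
   <TSPServices><TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified CA G1</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509SubjectName>CN=Example Qualified CA G1,O=Example Trust Services SAS,C=FR</X509SubjectName></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
    <StatusStartingTime>2025-03-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation></TSPService></TSPServices>
  </TrustServiceProvider>
  <TrustServiceProvider>
   <TSPInformation><TSPName><Name xml:lang="en">Withdrawn Trust SARL</Name></TSPName></TSPInformation>
   <TSPServices><TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Withdrawn Qualified CA</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509SubjectName>CN=Withdrawn Qualified CA,O=Withdrawn Trust SARL,C=FR</X509SubjectName></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
    <StatusStartingTime>2024-11-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation></TSPService></TSPServices>
  </TrustServiceProvider>
 </TrustServiceProviderList>
</TrustServiceStatusList>
"""
AS_OF = datetime(2026, 3, 1, tzinfo=timezone.utc)             # moment of the check (inside the list's validity)
AFTER_NEXT_UPDATE = datetime(2026, 8, 1, tzinfo=timezone.utc)  # the sample list is stale by then

@dataclass(frozen=True)
class ServiceEntry:
    tsp_name: str
    service_name: str
    service_type: str
    status: str
    status_since: datetime
    subject_name: Optional[str]   # X509SubjectName from ServiceDigitalIdentity, if present

def _text(el: ET.Element, path: str) -> str:
    node = el.find(path, TSL_NS)
    return node.text.strip() if node is not None and node.text else ""

def _time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def parse_tsl(xml_text: str) -> List[ServiceEntry]:
    """Flatten every TSPService in the list into one ServiceEntry."""
    entries = []
    for tsp in ET.fromstring(xml_text).iterfind(".//tsl:TrustServiceProvider", TSL_NS):
        tsp_name = _text(tsp, "tsl:TSPInformation/tsl:TSPName/tsl:Name")
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", TSL_NS):
            entries.append(ServiceEntry(
                tsp_name, _text(svc, "tsl:ServiceName/tsl:Name"), _text(svc, "tsl:ServiceTypeIdentifier"),
                _text(svc, "tsl:ServiceStatus"), _time(_text(svc, "tsl:StatusStartingTime")),
                _text(svc, "tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509SubjectName") or None))
    return entries

def list_is_current(xml_text: str, now: datetime) -> bool:
    """A list past its NextUpdate may have missed a withdrawal: never rely on it."""
    next_update = _text(ET.fromstring(xml_text), "tsl:SchemeInformation/tsl:NextUpdate/tsl:dateTime")
    return bool(next_update) and now <= _time(next_update)

def qualified_services(xml_text: str, tsp_name: str, service_type: str = SVCTYPE_CA_QC,
                       now: datetime = AS_OF) -> List[ServiceEntry]:
    """Services of `service_type` operated by `tsp_name` with status 'granted' at `now`.
    Withdrawn or deprecated services, and statuses that only start after `now`, are excluded."""
    if not list_is_current(xml_text, now):
        raise ValueError("trusted list is past its NextUpdate; refresh it before relying on it")
    return [e for e in parse_tsl(xml_text)
            if e.tsp_name == tsp_name and e.service_type == service_type
            and e.status == STATUS_GRANTED and e.status_since <= now]

if __name__ == "__main__":
    for e in qualified_services(SAMPLE_TSL, "Example Trust Services SAS"):
        print(f"granted since {e.status_since:%Y-%m-%d}: {e.service_name} [{e.subject_name}]")
```

The practical check for a supplier is therefore three-fold: the CA at the top of the signing certificate chain must match a ServiceDigitalIdentity entry (matched here by X509SubjectName; production code matches the full X509Certificate or its subject key identifier), the service type must be CA/QC, and the status must be "granted" at the relevant date, which for validating an old signature is the signing time rather than today. A list past its NextUpdate is rejected rather than used, because a withdrawal may have been published since. Do not parse a list you have not authenticated, and use a hardened XML parser such as defusedxml when the input does not come from a trusted source.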
Scenario 3 — A law firm securing its private agreements
A law firm specialising in business affairs, with around thirty partners, handling nearly 400 merger and business sale transactions annually, seeks to strengthen the reliability of signature on its complex private agreements. The unit value of transactions handled frequently exceeds one million euros, and any formal defect may engage the professional liability of the firm.
After analysis, the IT team and managing partner agree on the minimum contractual requirement of a QES issued by an eIDAS 2-certified service provider for any deed with a value exceeding €100,000. The service provider selection criterion mandatorily includes verification of registration on the national TSL and availability of a recent ETSI compliance certificate (less than 12 months old). This framework allows the firm to reduce by more than 80% requests for expert review of signature validity in subsequent litigation, according to feedback from comparable structures in the sector.
Conclusion
Obtaining eIDAS 2 certification as an electronic signature service provider is a demanding, costly and lengthy process — but unavoidable for any actor wishing to offer maximum legal guarantees to its clients on the European market. From compliance with ETSI standards, passing the CAB audit, instruction by ANSSI and maintaining qualification over time, the process mobilises substantial resources over 12 to 24 months.
For user organisations, the good news is that it is not necessary to build this infrastructure in-house: choosing a SaaS service provider already certified eIDAS 2 and registered on the national trust list allows you to immediately benefit from the legal presumption attached to QES, without bearing certification costs.
Certyneo is a trusted certification service provider, designed for B2B companies that require legal rigour and ease of use. Discover our pricing and start your free trial today.