eIDAS 2 vs eIDAS 1: key changes for SMEs

Introduction: why eIDAS 2 changes the game for SMEs

Since 20 May 2024, Regulation (EU) 2024/1183 — commonly called eIDAS 2 — has come into force, progressively repealing and replacing Regulation (EU) No 910/2014 (eIDAS 1). For French SMEs, this shift is not merely an administrative update: it redefines digital trust levels, introduces a European digital identity wallet (EUDIW), strengthens requirements for trust service providers and broadens the scope of recognised services. This article compares eIDAS 1 and eIDAS 2 point by point, identifies concrete operational impacts for small and medium-sized enterprises, and provides you with an action plan to stay compliant by 2026.

---

1. Background: what eIDAS 1 established (2014-2024)

1.1 The foundations of the initial regulation

Adopted in July 2014 and applicable from September 2016, eIDAS 1 laid the first building blocks of a European digital trust space. It introduced three main categories of electronic signature — simple (SES), advanced (AdES) and qualified (QES) — and created the trusted list of qualified trust service providers (Trusted List), which can be consulted on the European Commission portal.

For SMEs, the major contribution of eIDAS 1 was the cross-border recognition of qualified signatures: a contract signed with a French QES was legally recognised in Germany, Spain or Italy without apostille or additional formality. This principle — known as "non-discrimination" — remained the foundation on which SaaS offerings like Certyneo built their services.

1.2 Identified limitations

Despite its advances, eIDAS 1 suffered from several shortcomings documented by the European Commission in its 2021 evaluation report:

• Fragmentation of identity schemes: only Member States that had notified their national scheme (such as FranceConnect+ at substantial level) benefited from mutual recognition. By 2023, only 14 out of 27 Member States had notified a compliant scheme.
• Absence of native mobile support: the qualified signature creation device (QSCD) often required a smartcard or hardware token, hindering mobile adoption.
• Limited trust services: eIDAS 1 listed nine types of qualified services; new use cases (qualified electronic archiving, attribute management) were not regulated.
• No unified identity wallet: each citizen or enterprise managed its identifiers in isolation, without guaranteed interoperability.

These limitations prompted the Commission to launch the revision in 2020, resulting in eIDAS 2 Regulation after three years of trilogue negotiations.

---

2. Five major innovations of eIDAS 2 for SMEs

2.1 The European Digital Identity Wallet (EU Digital Identity Wallet — EUDIW)

This is the most visible innovation in the regulation. By November 2026 (transposition deadline set by Article 5a), each Member State must offer at least one certified digital identity wallet to its citizens and residents. For SMEs, this development has two direct consequences:

1. Simplified authentication of customers and partners: the wallet will enable the sharing of verified attributes (age, intra-Community VAT number, business registration extract, certified bank details) frictionlessly. A framework agreement with a German partner can be signed after instant verification of their professional attributes from their EUDIW.
2. Obligation to accept for certain sectors: online services of major platforms (Article 45bis) and certain public services must accept EUDIW as an authentication method. SMEs providing B2B portals will need to adapt their authentication APIs.

2.2 Expansion of the list of qualified trust services

eIDAS 2 extends the catalogue of qualified trust services from 9 to 14 categories. The new entries directly affecting SMEs are:

• Qualified electronic archiving (Art. 45septies): long-term preservation with enhanced evidential value. Previously, archiving with evidential value relied on national frameworks (in France, the SIAF/ANSSI framework); eIDAS 2 harmonises the European framework.
• Remote management of qualified signature creation devices (RQSCD): now explicitly regulated, it removes the ambiguities that weighed on cloud-based qualified signature solutions. For a 50-person SME, this means accessing a qualified signature without a physical token, from any device.
• Qualified electronic registry service: registries based on blockchain or distributed ledger technologies can now obtain qualified status, opening the way to new contract management models.

For more information on signature levels and their legal value, see our comprehensive guide to electronic signature.

2.3 Strengthened security requirements for qualified trust service providers (QTSP)

eIDAS 2 tightens the obligations of qualified trust service providers (QTSP). The revised Article 24 notably imposes:

• A cybersecurity certification compliant with the European framework (EU Cybersecurity Act, Regulation 2019/881), with sectoral schemes currently being developed by ENISA.
• Strengthened requirements for operational resilience: QTSPs must now document their business continuity plan and submit it to their national supervisory authority (in France, ANSSI for qualified trust service providers).
• An obligation to notify security incidents within 24 hours (alignment with NIS 2).

For using SMEs, this translates into a requirement for enhanced due diligence in the choice of trust service provider: verifying that your signature solution is listed on the updated European Trusted List is now a critical step in your procurement process. Our comparison of electronic signature solutions can help you with this analysis.

2.4 Mandatory interoperability of identity schemes

Whereas eIDAS 1 left Member States free to notify (or not) their scheme, eIDAS 2 makes notification and interoperability mandatory for identity schemes used in online public services (Art. 5). France Identité — the national scheme managed by the Ministry of the Interior — is being updated to comply with the technical specifications for EUDIW, published by the Commission in Implementing Regulation (EU) 2024/2977.

For an SME that regularly interacts with public administrations (public procurement, e-filing for tax, customs procedures), this development means that online procedures will be progressively unified around a single digital identifier recognised throughout the EU.

2.5 New rules on liability and supervision

eIDAS 2 clarifies and extends the liability regimes for trust service providers (revised Art. 13). A QTSP is now presumed liable for any damage caused to a natural or legal person by a breach of its obligations, except insofar as it proves absence of fault. This strengthened presumption of liability compared to eIDAS 1 should prompt SMEs to:

• Formalise their trust service provider's commitments by contract (SLA, availability guarantees, indemnification).
• Verify the professional liability insurance coverage of the QTSP.
• Keep evidence of transaction audits (timestamp logs, signature verification reports).

Our teams have drafted a detailed guide on electronic signature in business that addresses these contractual aspects.

---

3. Comparative table eIDAS 1 vs eIDAS 2: what concretely changes

3.1 Summary of major developments

| Criterion | eIDAS 1 (2016-2024) | eIDAS 2 (2024-2026+) | |---|---|---| | Identity wallet | Absent | EUDIW mandatory (Member States) | | Qualified services | 9 categories | 14 categories (archiving, RQSCD, registries…) | | Scheme notification | Optional | Mandatory for public services | | QTSP security | Common Criteria standards | Cybersecurity Act + ENISA schemes | | QTSP liability | Partial | Strengthened presumption of liability | | Incident notification deadline | Not specified | 24 hours (NIS 2 alignment) | | Mobile QSCD | Legal ambiguity | RQSCD explicitly regulated |

3.2 Key 2026 deadlines to remember

• May 2024: entry into force of Regulation (EU) 2024/1183.
• November 2026: deadline for each Member State to offer at least one certified EUDIW solution.
• 2027: obligation for large platforms (Art. 45bis) to accept EUDIW as an authentication method.
• 2028: scheduled review of technical implementing acts (delegated regulations on EUDIW specifications).

If your SME is considering migrating to a more compliant solution, our migration offer to Certyneo includes a complimentary eIDAS 2 compliance audit.

---

4. Practical action plan to bring your SME into compliance with eIDAS 2

4.1 Audit your existing documentary flows

Start by mapping all processes in which you currently use electronic signature or digital identity: supplier contracts, dematerialised payslips, SEPA mandates, confidentiality agreements, HR agreements. For each flow, identify:

• The signature level used (SES, AdES, QES).
• The current trust service provider and its status on the Trusted List.
• The legal risk level in case of dispute.

This audit is the recommended starting point by ANSSI in its compliance guidance published in March 2025.

4.2 Upgrade your signature solution

If your current trust service provider is not listed on the eIDAS 2 Trusted List or does not yet offer RQSCD, it is time to compare market offerings. Certyneo is a certified QTSP that supports all three signature levels (SES, AdES, QES) and natively integrates the new eIDAS 2 requirements, notably qualified archiving and remote device management.

4.3 Train your teams and update your contracts

eIDAS 2 strengthens the evidential value of qualified signatures but also imposes good documentary practices. Ensure that your legal and administrative teams:

• Know how to distinguish between the three signature levels and their respective legal value.
• Include in supplier contracts a clause for eIDAS compliance audit.
• Preserve evidence of signature verification (validation report, qualified timestamp) for the applicable legal retention period (3 to 10 years depending on the nature of the document).

To structure this approach, our electronic signature ROI calculator will enable you to quantify the operational gains from the upgrade.

Applicable legal framework

Reference texts

Bringing an SME into compliance with eIDAS 2 in France is part of a layered regulatory framework that it is essential to master.

Regulation (EU) 2024/1183 of the European Parliament and of the Council (known as "eIDAS 2"): this is the foundational text, published in the OJEU on 30 April 2024. It repeals and replaces Regulation (EU) No 910/2014 according to a phased deployment schedule running until 2027. It is directly applicable in all Member States, without requiring national legislative transposition for its principal provisions.

Regulation (EU) No 910/2014 (eIDAS 1): certain of its provisions remain applicable during the transitional periods provided for by eIDAS 2, notably for qualified trust service providers that obtained their qualification before May 2024 and have a deadline to recertify.

French Civil Code, Articles 1366 and 1367: Article 1366 establishes the principle of equivalence between electronic and paper writing, provided that "the person from whom it emanates can be duly identified and it is established and preserved in such conditions as to guarantee its integrity". Article 1367 recognises electronic signature as a means of proof, referring to conditions set by decree of the Council of State (Decree No. 2017-1416 of 28 September 2017, codified in Articles R. 1369-1 to R. 1369-10 of the Civil Code).

Regulation (EU) 2016/679 (GDPR): the deployment of EUDIW and the processing of identity attributes in electronic signature flows constitute data processing within the meaning of the GDPR. SMEs must ensure that their QTSP acts as a data processor within the meaning of Article 28 GDPR, with a compliant DPA (Data Processing Agreement). The CNIL published in January 2026 a specific recommendation on EUDIW-GDPR integration.

Directive (EU) 2022/2555 (NIS 2): eIDAS 2 explicitly aligns with NIS 2 for incident notification obligations (Art. 24, §2 eIDAS 2 referring to NIS 2 provisions). QTSPs are considered "essential" or "important" entities within the meaning of NIS 2 depending on their size, and are subject to regular security audits accordingly.

ETSI standards: qualified electronic signatures must comply with ETSI EN 319 132-1 (XAdES), ETSI EN 319 122-1 (CAdES), ETSI EN 319 162-1 (ASiC) and ETSI EN 319 102-1 (validation procedure) standards. ETSI TS 119 461 governs remote identity verification (IDV), particularly relevant for RQSCD.

Legal risks of non-compliance

Using an electronic signature solution that does not comply with eIDAS 2 exposes the SME to several risks:

• Inadmissibility in court: a judge may reject an electronic signature whose level does not correspond to the signed document (e.g. simple signature for a document requiring an advanced or qualified level).
• Contractual liability: if a contract is disputed by a partner on the grounds of signature invalidity, the SME may be exposed to indemnification claims.
• GDPR sanctions: in the event of data breach related to a defect in the trust service provider's security, the SME, as joint controller or controller, may be sanctioned by the CNIL up to 4% of global annual turnover (Art. 83 §4 GDPR).

Concrete use scenarios

Scenario 1: an industrial SME of 80 employees managing 400 supplier contracts per year

An SME in the metalworking sector handling approximately 400 supplier contracts annually was using until 2024 a simple electronic signature (SES) solution for all its commitments, including framework contracts exceeding €50,000. Following an eIDAS 2 compliance audit, it found that 35% of its contracts required an advanced or qualified signature to withstand legal challenge, particularly with suppliers established in other EU Member States.

By migrating to a solution combining advanced signature (AdES) for routine contracts and qualified (QES) for framework contracts, and by enabling qualified electronic archiving (new eIDAS 2 service), this SME reduced by 70% the time spent on post-signature document management (filing, searching, sending certified copies) and brought to zero disputes related to signature contest over the following 18 months, compared to two incidents in the previous 18 months.

Scenario 2: a legal services firm of 15 consultants

A firm specialising in business law, issuing on average 1,200 signed documents per year (engagement letters, mandates, confidentiality agreements), faced increasing demand from its corporate clients for signatures qualified and recognised throughout the EU. Under eIDAS 1, obtaining a qualified certificate required a face-to-face procedure or lengthy video verification (45 to 90 minutes per user).

Thanks to RQSCD (Remote Qualified Signature Creation Device) regulated by eIDAS 2, the firm was able to deploy qualified signature for all its consultants in less than two weeks, via a 100% remote enrolment procedure compliant with ETSI TS 119 461 standard. The internal adoption rate rose from 40% to 95% in three months, and the average return time for signed documents was reduced from 4.2 days to less than 6 hours according to the firm's internal measurements.

Scenario 3: an SME e-commerce operating in three EU countries

An online sales company employing 35 people and operating in France, Belgium and the Netherlands had to manage three types of electronic agreements: employment contracts for its local employees, partnership agreements with transporters, and SEPA mandates for its business customers. The fragmentation of national requirements under eIDAS 1 forced it to maintain three separate signature workflows, with management costs estimated at approximately €12,000 per year.

Adoption of a unified eIDAS 2-compliant solution — incorporating mutual recognition of qualified signatures in all three countries — made it possible to unify workflows, reduce management costs to approximately €4,500 per year (62% savings) and eliminate delays related to manual validation of foreign signatures by the legal department.

Conclusion

eIDAS 2 is not merely a cosmetic revision of the regulatory framework: it fundamentally redefines the rules of digital trust in Europe. For French SMEs, the five major developments — EUDIW wallet, expansion of qualified services, RQSCD, mandatory interoperability and strengthened liability — represent both a compliance challenge and an opportunity to accelerate their document transformation.

SMEs that anticipate these changes today will benefit from real competitive advantage: contracts recognised throughout the EU without friction, archiving with integrated evidential value, and fully dematerialised and secure signature processes.

Certyneo is designed to support this transition. Start your free trial on certyneo.com and benefit from a complimentary eIDAS 2 compliance audit for your existing documentary flows.