eIDAS Compliance for SMEs: The Complete 2026 Checklist

The European regulation eIDAS (EU No. 910/2014, soon to be amended by eIDAS 2.0) governs electronic signatures throughout the European Union. For an SME, being compliant is not just a box to check: it guarantees that its contracts are enforceable, that its signature data is protected, and that it mitigates legal risks that could prove costly. Here is the 2026 checklist in 12 concrete points to verify that your SME is perfectly eIDAS compliant.

Point 1: Choose the right signature level

First reflex: map your contract types and assign a target level. Standard commercial contracts (quotes, purchase orders, simple NDAs): SES is sufficient. Employment contracts, leases, sensitive NDAs, strategic agreements: AES minimum, preferably with SMS OTP. Regulated acts (lawyer, notary, public procurement above a threshold): QES mandatory. Without this mapping, you risk under-sizing (contract rejected) or over-sizing (excessive cost).

Point 2: Verify the qualification of the service provider

Your service provider must be a qualified trust service provider (QTSP) or rely on a QTSP for AES/QES levels. Consult the Trust Services List published by ANSSI (eidas.ssi.gouv.fr) and the European Trusted List (webgate.ec.europa.eu/tl-browser). Reference French QTSPs: Certigna, Docaposte, Certinomis, Universign. For SES/AES via platform (Certyneo, Yousign, etc.), verify their eIDAS compliance explicitly documented.

Point 3: Test the audit trail

Sign a test envelope and retrieve the audit trail (generally a separate PDF). It must contain: signatory identity and email, timestamp of each step (sending, opening, validation, signature), IP address, user agent, document hash, OTP validation if AES. If any of these elements is missing, the evidentiary value is weakened. Certyneo provides the complete audit trail even in the free plan.

Point 4: Control the timestamp

The timestamp must be issued by a Time Stamp Authority (TSA) compliant with RFC 3161. A timestamp simply from the company's NTP server is not sufficient. Open the signed PDF in Adobe Reader: Signatures tab → Details → Timestamp. You must see a valid TSA certificate and a certified clock there. If the PDF does not have a certified timestamp, reconsider your choice of service provider.

Point 5: Archive for a minimum of 10 years

The Commercial Code (article L. 123-22) requires retention of commercial documents for 10 years. The Labor Code requires 5 years for employment contracts after termination. Archiving must preserve integrity (hash, sealing) and access. Ideal: PDF/A format (ISO 19005), dual storage (primary + off-site backup), qualified electronic vault (CFE) for maximum proof. Certyneo archives for 10 years by default and offers export to partner CFEs.

Point 6: Verify data location

Where is your signature data hosted? For a French SME handling sensitive contracts, prioritize France or EU hosting. Ask your service provider for a list of subprocessors and their location (article 28 GDPR). Avoid solutions subject to the American Cloud Act for strategic contracts. Certyneo is hosted in France with no Cloud Act dependency. See our article on /blog/cloud-act-signature-electronique.

Point 7: Align with GDPR

Signature and GDPR are closely linked: each envelope contains personal data (name, email, IP, phone). Ensure that your processing register (art. 30 GDPR) includes electronic signature, that retention periods are consistent (10 years), and that individuals' rights are implementable (access, rectification, portability). If you request many signatures, a DPO is recommended. See our article /blog/signature-electronique-rgpd.

Point 8: Identify signatories in advance

For solid AES, identification does not begin at signature: it begins at data collection. Verify emails (no aliases, no mailing lists), phone numbers (no shared lines), and keep track of the source of identification (ID for heavy contracts, existing customer KYC for ongoing contracts). This due diligence strengthens the strength of proof in case of dispute.

Point 9: Train your teams

Your commercial, HR, and legal teams must understand the rules: never force a signatory to use a third-party device, never return a modified signed PDF, never paste a scanned signature image in place of a true signature. One hour of training per team is enough to establish good reflexes. Certyneo provides a complete guide to share internally (/ressources).

Point 10: Review service provider contracts

The service provider's terms and conditions must: commit to eIDAS compliance, specify archiving periods, include a GDPR data processing agreement (art. 28), document subprocessors, provide a reversibility plan in case of termination. Also request SOC 2 Type II or equivalent if you process large volumes. For Certyneo, these documents are available at /legal and /security.

Point 11: Prepare for eIDAS 2.0 and the EUDI Wallet

Regulation eIDAS 2.0 (EU 2024/1183) comes into force progressively and requires Member States to deploy an EUDI Wallet by the end of 2026. This digital identity wallet will notably allow access to remote QES without a physical registration office. Prepare your SME: verify that your service provider has an EUDI Wallet roadmap, follow communications from ANSSI and the European Commission. See /blog/eidas-2-nouveau-reglement-2026.

Point 12: Audit annually

Compliance is not an acquired status: it is a continuous effort. Schedule an annual audit (internal or external) to verify: regulatory changes, service provider updates, current contract type mapping, effective retention, training for new hires. A light audit takes half a day for an SME and avoids surprises. Start by creating a free Certyneo account at certyneo.com/signup to test actual compliance, then consult our eIDAS guide for more detail (/guide/eidas).