eIDAS 2 Certification for Signature Service Providers 2026
The eIDAS 2 regulation imposes new requirements on trust service providers. Discover the complete certification pathway to remain compliant in 2026.
Certyneo Team
Writer — Certyneo · About Certyneo
Why eIDAS 2 Certification Changes the Game for Service Providers
Since the entry into force of Regulation (EU) 2024/1183 of April 11, 2024 — commonly known as eIDAS 2 — trust service providers (TSPs) operating within the European Union face a fundamentally restructured regulatory framework. The revision of the original 2014 eIDAS regulation extends far beyond broadening the scope of recognized services: it significantly tightens accreditation conditions, introduces new levels of assurance, and strengthens oversight requirements by national competent authorities. For any actor wishing to offer qualified electronic signature (QES) or advanced signature (AdES) services on the European market, understanding how to obtain eIDAS 2 certification for signature service providers is no longer optional — it is a strategic obligation.
This article provides a comprehensive overview of the certification pathway: applicable texts, technical standards to comply with, the role of conformity assessment bodies (CABs), realistic timelines, and operational risk factors.
---
The New eIDAS 2 Regulatory Landscape: What Has Changed
From Regulation 910/2014 to Regulation 2024/1183: Major Evolutions
The original eIDAS regulation (No. 910/2014) laid the foundations for a single digital trust market in Europe. It defined three levels of electronic signature (simple, advanced, and qualified) and required qualified providers to be listed on the national trusted lists (TSLs, the machine-readable lists specified by ETSI TS 119 612). eIDAS 2 preserves this architecture but enriches it in several structural respects:
- Expansion of qualified services: qualified electronic archiving, electronic attestations of attributes (EAA), remote management of qualified signature creation devices (QSCDs). These new services are now subject to the same accreditation procedure as qualified signature.
- The European Digital Identity Wallet (EUDIW): service providers wishing to interact with the future identity wallet must demonstrate compliance with technical specifications published by the Commission (ARF — Architecture and Reference Framework, v1.4, 2024).
- Enhanced supervision: national competent authorities (in France, ANSSI) have strengthened investigation and enforcement powers. Qualified TSPs may be subject to unannounced audits.
- Incident reporting aligned with NIS2: the obligation to notify the supervisory authority of a significant security breach within 24 hours, already present in eIDAS 1 (Art. 19), is retained, and qualified TSPs are now also subject to the NIS2 reporting cascade as essential entities (early warning within 24 hours of becoming aware of a significant incident, full incident notification within 72 hours).
For a comprehensive overview of the regulation, the eIDAS 2.0 guide by Certyneo provides an educational summary of all these evolutions.
Assurance Levels and Their Implications for Certification
The distinction between advanced and qualified electronic signature remains the pivot of the system. Only QES has, across the Union, the legal effect of a handwritten signature (Art. 25(2) of the eIDAS regulation as amended), which French law turns into a presumption of reliability (Civil Code, Art. 1367). That status depends directly on the provider's qualification: a QES is an advanced signature created with a qualified signature creation device (QSCD) and based on a qualified certificate issued by a qualified TSP (Art. 3(12)).
| Level | Probative Value | Provider Requirement |
|---|---|---|
| Simple (SES) | Limited | None |
| Advanced (AdES) | Significant | Best practices + ETSI standards |
| Qualified (QES) | Maximum (legal presumption) | Mandatory eIDAS 2 certification |
---
The eIDAS 2 Certification Process Step by Step
Step 1 — Organizational and Technical Prerequisites
Before formally initiating the certification process, a service provider must assess its maturity level on three axes:
1. Compliance with ETSI Standards The EN 319 series standards constitute the indispensable technical foundation. The main ones are:
- ETSI EN 319 401: general requirements for trust service providers
- ETSI EN 319 411-1 and 411-2: policy and security requirements for certification authorities issuing certificates; 411-2 adds the QCP-n, QCP-l, QCP-n-qscd and QCP-l-qscd policies for qualified certificates issued to natural and legal persons, with or without a QSCD
- ETSI EN 319 421: policy and requirements for time-stamping service providers
- ETSI EN 319 122 (CAdES, CMS), EN 319 132 (XAdES, XML), EN 319 142 (PAdES, PDF) and EN 319 162 (ASiC containers): the AdES signature formats, with EN 319 102-1 specifying the creation and validation procedures
Compliance with these standards is in practice not optional for qualified service providers: they are the reference frameworks that CABs audit against and supervisory bodies rely on, and several of them are designated in European Commission implementing acts.
2. Information Systems Security QSCDs (qualified signature creation devices) must be certified under Common Criteria (CC), typically at EAL4+ against the EN 419 211 protection profiles listed in Implementing Decision (EU) 2016/650. For remote signature solutions, the dominant SaaS model, requirements also cover the HSM (Hardware Security Module) that holds signers' keys and the cryptographic key management procedures: the remote QSCD architecture of EN 419 241 relies on a cryptographic module certified against the EN 419 221-5 protection profile. FIPS 140-2 or 140-3 Level 3 is the usual procurement baseline for such modules, but on its own it does not make a module a QSCD.
3. Information Security Policy (ISSP) and Risk Management The certification file requires a formalized information systems security policy (ISSP), aligned with ISO/IEC 27001 (certification is strongly recommended and sometimes required by CABs) and incorporating the NIS2 risk-management measures (Art. 21), which apply to qualified TSPs as essential entities regardless of their size.
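What the EN 319 411-2 qualified profiles look like inside an issued certificate, and the first check an integrator or relying party runs: the QcStatements extension (ETSI EN 319 412-5) must state QcCompliance, QcSSCD and a QcType of esign for the certificate to support a QES. The script below is an added example written for this article, not Certyneo's code and not an ETSI reference implementation. It carries its own minimal DER encoder and decoder so it runs offline; the extension value it inspects is constructed by `build_sample_extension`, whereas a real check would feed in the raw bytes of extension 1.3.6.1.5.5.7.1.3 (id-pe-qcStatements) read from the signer's certificate. All function names are this example's own.

```python
"""Decode a QcStatements extension (ETSI EN 319 412-5) and check whether the
certificate claims the profile a QES needs: qualified certificate
(QcCompliance), key held in a QSCD (QcSSCD) and QcType "esign".
Added example for this article, not Certyneo code. The extension below is
constructed locally; a real check reads extension 1.3.6.1.5.5.7.1.3 from
the signer's X.509 certificate and passes its raw value to claims_qes_profile.
"""

# ETSI EN 319 412-5 statement identifiers
QC_COMPLIANCE = "0.4.0.1862.1.1"   # certificate is an EU qualified certificate
QC_SSCD = "0.4.0.1862.1.4"         # private key resides in a QSCD
QC_TYPE = "0.4.0.1862.1.6"         # statementInfo = SEQUENCE OF OID (type of cert)
QCT_ESIGN = "0.4.0.1862.1.6.1"     # qualified certificate for electronic signatures
QCT_ESEAL = "0.4.0.1862.1.6.2"     # qualified certificate for electronic seals
SEQUENCE, OID = 0x30, 0x06         # DER tags used here

def encode_oid(dotted: str) -> bytes:
    """DER content octets of an OBJECT IDENTIFIER (first two arcs merged, base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = bytearray([v & 0x7F])
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        out += chunk
    return bytes(out)

def decode_oid(content: bytes) -> str:
    arcs, v = [], 0
    for b in content:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    first = arcs[0]
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def iter_tlv(data: bytes):
    """Yield (tag, content) for each DER element in a concatenated sequence."""
    pos = 0
    while pos < len(data):
        tag, n, pos = data[pos], data[pos + 1], pos + 2
        if n & 0x80:                          # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(data[pos:pos + k], "big"), pos + k
        yield tag, data[pos:pos + n]
        pos += n

def parse_qc_statements(ext_value: bytes) -> dict:
    """Map statementId (dotted OID) -> raw statementInfo as (tag, content), or None."""
    [(tag, body)] = list(iter_tlv(ext_value))  # exactly one outer SEQUENCE OF
    if tag != SEQUENCE:
        raise ValueError("QCStatements must be a SEQUENCE")
    stmts = {}
    for tag, stmt in iter_tlv(body):
        items = list(iter_tlv(stmt))
        if tag != SEQUENCE or not items or items[0][0] != OID:
            raise ValueError("malformed QCStatement")
        stmts[decode_oid(items[0][1])] = items[1] if len(items) > 1 else None
    return stmts

def qc_types(stmts: dict) -> set:
    info = stmts.get(QC_TYPE)
    if not info or info[0] != SEQUENCE:
        return set()
    return {decode_oid(c) for t, c in iter_tlv(info[1]) if t == OID}

def claims_qes_profile(ext_value: bytes) -> bool:
    """True when the certificate claims qualified + QSCD + e-signature type."""
    stmts = parse_qc_statements(ext_value)
    return QC_COMPLIANCE in stmts and QC_SSCD in stmts and QCT_ESIGN in qc_types(stmts)

def build_sample_extension(qscd: bool = True, types=(QCT_ESIGN,)) -> bytes:
    """Constructed test input: a QCStatements value as a CA would encode it."""
    stmts = [der(SEQUENCE, der(OID, encode_oid(QC_COMPLIANCE)))]
    if qscd:
        stmts.append(der(SEQUENCE, der(OID, encode_oid(QC_SSCD))))
    type_list = der(SEQUENCE, b"".join(der(OID, encode_oid(t)) for t in types))
    stmts.append(der(SEQUENCE, der(OID, encode_oid(QC_TYPE)) + type_list))
    return der(SEQUENCE, b"".join(stmts))

if __name__ == "__main__":
    print("esign on QSCD:", claims_qes_profile(build_sample_extension()))
    print("no QSCD:", claims_qes_profile(build_sample_extension(qscd=False)))
    print("seal only:", claims_qes_profile(build_sample_extension(types=(QCT_ESEAL,))))
```

The statements are the issuer's own claim about the certificate. They carry legal weight only if the issuing CA is listed as a granted CA/QC service on a national trusted list, whose Qualifications extension can also override them, so this check belongs in front of the trusted-list lookup of Step 3, never in place of it. With the `cryptography` library the raw value is obtained from the extension's `UnrecognizedExtension.value` bytes, since that library does not decode QcStatements itself.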
Step 2 — Selection and Engagement of a Conformity Assessment Body (CAB)
In France, CABs accredited by COFRAC (the French accreditation body) to assess trust service providers under eIDAS are limited in number; LSTI (Laboratoire de Sécurité des Technologies de l'Information) and Bureau Veritas Certification are among the referenced actors. In every Member State, CABs are accredited by the national accreditation body under Regulation (EC) No 765/2008, and only a report from an accredited CAB is accepted by the supervisory body.
The role of the CAB is to conduct a conformity audit in two phases:
- Document review (Phase 1): examination of policies, procedures, Certification Practice Statement (CPS) and technical evidence.
- On-site audit (Phase 2): verification of operational controls (key ceremonies, access control, logging and monitoring), review of penetration-test and vulnerability-assessment evidence, interviews with team members.
The total duration of a CAB audit typically ranges from 4 to 8 weeks depending on the candidate's prior maturity.
Step 3 — Instruction by the National Competent Authority
In France, the ANSSI (National Agency for Information Systems Security) reviews applications for inclusion on the national trust list (TSL FR). Based on the CAB audit report, ANSSI conducts its own analysis and may request additional information or corrective measures.
The regulatory review period is three months from receipt of the notification and the CAB's conformity assessment report (Art. 21(2) of the eIDAS regulation). In practice, actual timelines are often longer if the initial file is incomplete.
Once the qualified status is granted, the supervisory body adds the provider and each of its qualified services to the national trusted list. The European Commission's List of Trusted Lists (LOTL) points to every national list, so validation software and the EU Trusted List browser pick the provider up automatically, and its qualified services are recognized in all Member States. Relying parties should verify presence and "granted" status on the list itself rather than trust a vendor's statement.
Step 4 — Qualification Maintenance and Renewal
eIDAS 2 certification is not permanent. Qualified service providers are subject to:
- Annual surveillance audit conducted by the CAB
- Conformity assessment report by an accredited CAB at least every 24 months (Art. 20(1)), on top of the surveillance audits imposed by the CAB's own scheme
- Unannounced inspections possible at the initiative of ANSSI
Any substantial modification to the infrastructure (HSM change, PKI evolution, new qualified service) triggers a prior notification procedure and may require a partial audit.
---
Costs, Timelines, and Risk Factors: What IT Directors Must Anticipate
Budget and Human Resources
The cost of first-time eIDAS 2 certification is significant. Expense items include:
- CAB audit: between €40,000 and €120,000 depending on scope complexity
- Technical compliance (HSM, PKI, CC-certified QSCDs): €80,000 to several hundred thousand euros for proprietary infrastructure
- ISO 27001 certification (recommended as a prerequisite): €15,000 to €50,000 depending on size
- Legal counsel and CPS drafting fees: €10,000 to €30,000
- Internal costs: mobilization of a dedicated team (CISO, DPO, compliance officer) for 12 to 18 months
By combining all these items, a complete certification represents a total investment on the order of €200,000 to €500,000 for a mid-sized service provider, excluding recurring maintenance costs.
Operational Risk Factors
The most frequent causes of failure or delay in certification procedures are:
- Insufficiently detailed CPS: the Certification Practice Statement must document each control with sometimes underestimated granularity.
- Gaps in key lifecycle management: revocation, archiving, destruction of private keys.
- Insufficient incident governance: absence of SIEM, tested crisis management procedures, runbooks.
- Underestimation of NIS2: since the directive became applicable on October 17, 2024, qualified TSPs are classified as "essential" entities regardless of their size (NIS2 Annex I and Art. 3), with additional risk-management and incident-reporting obligations.
For companies wishing to delegate these constraints to an already-certified service provider rather than building their own infrastructure, the comparison of electronic signature solutions available on Certyneo helps objectify this build-vs-buy choice.
---
eIDAS 2 and Electronic Signature in Business: Transition Challenges
For user organizations — as opposed to service providers — eIDAS 2 certification of their SaaS signature vendor is now an essential selection criterion. Including in RFPs a clause requiring presence on the national TSL has become standard practice in regulated sectors (finance, healthcare, real estate).
Electronic signature in business indeed requires clearly distinguishing between use cases requiring QES — sensitive private deeds, powers of attorney, electronic notarial acts — and those where AdES is sufficient. This mapping of use cases directly conditions the level of service contractually required from the provider.
Organizations migrating from an existing solution to a certified eIDAS 2 provider must also anticipate proof archiving portability. The guide on migration from DocuSign or YouSign to Certyneo details best practices for preserving the probative value of documents already signed during the transition.
Legal Framework Applicable to eIDAS 2 Certification
Founding Texts
The certification of trust service providers rests on a dense regulatory stack that must be fully understood:
Regulation (EU) 2024/1183 of April 11, 2024 (eIDAS 2): the reference text, which amends Regulation 910/2014 rather than replacing it. It defines the conditions for obtaining and maintaining qualified service provider status, national supervision obligations, and requirements for the new services (EUDIW, EAA).
Regulation (EU) No. 910/2014 (eIDAS 1): still partially applicable for unmodified provisions; implementing and delegated acts adopted under this regulation remain in force until formally revised.
French Civil Code, Articles 1366 and 1367: Article 1366 establishes the principle of equivalence between electronic and handwritten signatures subject to reliability; Article 1367 clarifies that reliability is presumed unless proven otherwise when qualified signature is used. These national provisions directly align with the legal presumption of Art. 25 eIDAS 2.
Directive (EU) 2022/2555 (NIS2): applicable since October 17, 2024 and transposed into French law through the transposition bill presented on October 15, 2024, it classifies qualified trust service providers as essential entities regardless of size. Obligations: early warning to ANSSI within 24 hours and incident notification within 72 hours for any significant incident (Art. 23), implementation of formalized cyber risk management (Art. 21), periodic security audits.
Regulation (EU) 2016/679 (GDPR): signature service providers process sensitive personal data (signatory identity, audit logs). Compliance with principles of minimization, storage limitation, and integrity requires a specific impact assessment (DPIA). The legal basis for processing must be documented for each service.
Technical Standards with Regulatory Value
European Commission implementing acts designate technical standards whose observance carries presumption of conformity: Implementing Decision (EU) 2015/1506 for the advanced signature and seal formats that public sector bodies must accept, Implementing Decision (EU) 2016/650 for the security assessment of QSCDs, and the ETSI EN 319 series that supervisory bodies and CABs audit against:
- ETSI EN 319 401: general TSP requirements
- ETSI EN 319 411-1 and 411-2: certification policies
- ETSI EN 319 421: qualified time-stamping
- ETSI EN 319 122 / 132 / 142 / 162: AdES formats (CAdES, XAdES, PAdES, ASiC), with EN 319 102-1 for creation and validation procedures
- ETSI TS 119 431-1/-2 and TS 119 432: remote signature (server signing) services and protocols
Legal Risks of Non-Compliance
Fraudulent or negligent use of qualified service provider status exposes the provider to administrative sanctions by ANSSI (suspension, removal from the trusted list) and to criminal prosecution (Art. 226-17 French Penal Code for failure to secure personal data). On civil grounds, a challenge to the probative value of signatures issued during a period of non-compliance may engage the provider's contractual liability toward its clients.
Use Case Scenarios: eIDAS 2 Certification in Practice
Scenario 1 — A Mid-Sized SaaS Editor Targeting QES Qualification
A company specializing in document dematerialization, employing around one hundred employees and managing several million signature transactions annually for clients in banking and insurance, decides to seek eIDAS 2 qualification for its electronic signature service. Until now, the company offered advanced certificate-based signature (AdES), sufficient for the majority of its client contracts, but insufficient for acts requiring maximum probative value (SEPA mandates, notarized proof agreements).
Following a 3-month internal audit revealing approximately fifteen major gaps versus ETSI EN 319 411-2 requirements, the company launches a 14-month compliance program. Key initiatives involve replacing existing HSMs with FIPS 140-2 level 3-certified modules, drafting a 180-page CPS, and obtaining ISO 27001 certification prior to CAB audit. Total investment reaches €340,000. Upon successful completion, registration on the French TSL enables the company to access RFPs from which it was systematically excluded, representing estimated commercial potential of 20% additional revenue.
Scenario 2 — A Hospital Group Integrating Qualified Signature for Medico-Legal Acts
A hospital group of approximately 1,200 beds wishes to dematerialize its informed consent processes, medical power-of-attorney delegation, and clinical research contracts. These documents fall under the category of acts for which QES is required or strongly recommended by HAS reference frameworks and the legal framework for health data (Art. L. 1110-4 French Public Health Code).
Rather than certifying internal infrastructure, deemed too costly and outside its core business, the group opts for integration of a third-party provider already registered on the TSL. The IT department conducts a vendor compliance review based on the ETSI EN 319 401 checklist and verifies the provider's actual presence and "granted" status on the trusted list (EUTL) before any contracting. Deployment, completed in 4 months, reduces signature collection delays on clinical research files by 65% and eliminates the risk of legal challenge linked to prior use of simple signatures for sensitive acts.
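The trusted-list check this scenario relies on, and the TSL/LOTL mechanism described in Step 3, can be automated rather than eyeballed on a web page. The script below is an added example for this article, not Certyneo code and not the Commission's tooling. It parses a constructed ETSI TS 119 612 fragment (real namespace, element names and status/service-type URIs; invented provider names, dates and certificate bytes), rejects a list past its NextUpdate, and reports only services that are of type CA/QC, in "granted" status at the evaluation date, flagged ForeSignatures, and whose ServiceDigitalIdentity certificate hashes to the issuer certificate you hold. Function names such as `check_issuer` are this example's own.

```python
"""Check whether a signer's issuing CA is listed as a granted qualified CA
(CA/QC, for e-signatures) in an ETSI TS 119 612 trusted list.
Added example for this article, not Certyneo code. SAMPLE_TSL is a constructed
fragment: real namespace and URIs, invented provider, dates and certificates.
A real list is fetched from the URL the Commission's LOTL gives for the Member
State and is XMLDSig-signed; that signature must be verified first (not shown).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
GRANTED = "http://uri.etsi.org/TrstSvc/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrstSvc/TrustedList/Svcstatus/withdrawn"
FOR_ESIG = "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures"

# Constructed stand-ins for DER certificates (a real list carries base64 X.509 DER).
ISSUER_DER = b"constructed-issuer-ca-certificate"
LEGACY_DER = b"constructed-legacy-ca-certificate"

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

SAMPLE_TSL = f"""<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
  <SchemeInformation>
    <SchemeTerritory>FR</SchemeTerritory>
    <ListIssueDateTime>2026-01-10T00:00:00Z</ListIssueDateTime>
    <NextUpdate><dateTime>2026-07-10T00:00:00Z</dateTime></NextUpdate>
  </SchemeInformation>
  <TrustServiceProviderList><TrustServiceProvider>
    <TSPInformation><TSPName><Name xml:lang="en">Example QTSP SAS</Name></TSPName></TSPInformation>
    <TSPServices>
      <TSPService><ServiceInformation>
        <ServiceTypeIdentifier>{CA_QC}</ServiceTypeIdentifier>
        <ServiceName><Name xml:lang="en">Example Qualified CA (natural persons)</Name></ServiceName>
        <ServiceDigitalIdentity><DigitalId><X509Certificate>{_b64(ISSUER_DER)}</X509Certificate></DigitalId></ServiceDigitalIdentity>
        <ServiceStatus>{GRANTED}</ServiceStatus>
        <StatusStartingTime>2025-03-01T00:00:00Z</StatusStartingTime>
        <ServiceInformationExtensions><Extension Critical="true">
          <AdditionalServiceInformation><URI>{FOR_ESIG}</URI></AdditionalServiceInformation>
        </Extension></ServiceInformationExtensions>
      </ServiceInformation></TSPService>
      <TSPService><ServiceInformation>
        <ServiceTypeIdentifier>{CA_QC}</ServiceTypeIdentifier>
        <ServiceName><Name xml:lang="en">Example Legacy CA</Name></ServiceName>
        <ServiceDigitalIdentity><DigitalId><X509Certificate>{_b64(LEGACY_DER)}</X509Certificate></DigitalId></ServiceDigitalIdentity>
        <ServiceStatus>{WITHDRAWN}</ServiceStatus>
        <StatusStartingTime>2024-11-15T00:00:00Z</StatusStartingTime>
      </ServiceInformation></TSPService>
    </TSPServices>
  </TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""

def parse_time(text: str) -> datetime:
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def list_is_current(root: ET.Element, now: datetime) -> bool:
    """A list past its NextUpdate must be refetched, not relied on."""
    nxt = root.findtext("tsl:SchemeInformation/tsl:NextUpdate/tsl:dateTime", namespaces=NS)
    return nxt is not None and parse_time(nxt) > now

def granted_esig_cas(root: ET.Element, issuer_der: bytes, now: datetime) -> list:
    """(TSP name, service name) pairs whose identity matches issuer_der, are of
    type CA/QC, are 'granted' at `now` and are flagged for e-signatures."""
    want = hashlib.sha256(issuer_der).hexdigest()
    hits = []
    for tsp in root.iterfind("tsl:TrustServiceProviderList/tsl:TrustServiceProvider", NS):
        tsp_name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", namespaces=NS)
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", NS):
            if svc.findtext("tsl:ServiceTypeIdentifier", namespaces=NS) != CA_QC:
                continue
            if svc.findtext("tsl:ServiceStatus", namespaces=NS) != GRANTED:
                continue
            if parse_time(svc.findtext("tsl:StatusStartingTime", namespaces=NS)) > now:
                continue
            # Match on the certificate bytes themselves, never on a name string alone.
            fps = {hashlib.sha256(base64.b64decode(c.text.strip())).hexdigest()
                   for c in svc.iterfind("tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509Certificate", NS)}
            if want not in fps:
                continue
            exts = {u.text for u in svc.iterfind(
                "tsl:ServiceInformationExtensions/tsl:Extension/tsl:AdditionalServiceInformation/tsl:URI", NS)}
            if FOR_ESIG not in exts:
                continue
            hits.append((tsp_name, svc.findtext("tsl:ServiceName/tsl:Name", namespaces=NS)))
    return hits

def check_issuer(tsl_xml: str, issuer_der: bytes, now_iso: str) -> list:
    """Parse the list, refuse a stale one, then look the issuer up at now_iso."""
    now = parse_time(now_iso)
    root = ET.fromstring(tsl_xml)
    if not list_is_current(root, now):
        raise RuntimeError("trusted list is stale: refetch it before deciding")
    return granted_esig_cas(root, issuer_der, now)

if __name__ == "__main__":
    print(check_issuer(SAMPLE_TSL, ISSUER_DER, "2026-03-01T00:00:00Z"))  # granted CA
    print(check_issuer(SAMPLE_TSL, LEGACY_DER, "2026-03-01T00:00:00Z"))  # [] : withdrawn
```

Two caveats a practitioner adds in production: the real list's XMLDSig signature is verified against the signing certificates pinned in the LOTL before any parsing, and for a signature that was already made, the status to consult is the one recorded in ServiceHistory at signing time, not today's entry.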
Scenario 3 — A Law Firm Securing Its Private Deeds
A law firm specializing in corporate matters with approximately thirty partners, managing nearly 400 merger and acquisition operations and business sale transactions annually, seeks to strengthen the signature reliability of its complex private deeds. Individual transaction values frequently exceed one million euros, and any formal defect may engage the firm's professional liability.
Following analysis, the IT team and managing partner agree on a minimum contractual requirement of QES issued by an eIDAS 2-certified service provider for any deed valued above €100,000. The provider selection criteria include, as mandatory items, verification of registration on the national TSL and a conformity assessment report against ETSI EN 319 401/411 less than 12 months old. This framework enables the firm to reduce by over 80% requests for expert review of signature validity in subsequent disputes, based on feedback from comparable structures in the sector.
Conclusion
Obtaining eIDAS 2 certification as an electronic signature service provider is a demanding, costly, and lengthy process, but unavoidable for any actor wishing to offer maximum legal guarantees to clients on the European market. Between technical compliance with ETSI standards, passing the CAB audit, review by ANSSI, and maintaining qualification over time, the undertaking mobilizes substantial resources over 12 to 24 months.
For user organizations, the good news is that building this infrastructure internally is unnecessary: choosing a SaaS provider already eIDAS 2-certified and registered on the national trust list allows immediate benefit from the legal presumption attached to QES, without bearing certification costs.
Certyneo is a trusted provider, certified and designed for B2B companies that demand legal rigor and simplicity of use. Discover our pricing and start your free trial today.