eIDAS 2 vs eIDAS 1: Key Changes for SMEs

Introduction: Why eIDAS 2 Changes Everything for SMEs

Since May 20, 2024, Regulation (EU) 2024/1183 — commonly known as eIDAS 2 — has entered into force, progressively repealing and replacing Regulation (EU) No. 910/2014 (eIDAS 1). For French SMEs, this transition is not merely a routine administrative update: it redefines digital trust levels, introduces a European digital identity wallet (EUDIW), strengthens requirements for trust service providers, and expands the scope of recognized services. This article compares eIDAS 1 and eIDAS 2 point by point, identifies concrete operational impacts for small and medium-sized enterprises, and provides you with an action plan to remain compliant by 2026.

---

1. Background: What eIDAS 1 Established (2014-2024)

1.1 The Foundations of the Initial Regulation

Adopted in July 2014 and applicable since September 2016, eIDAS 1 laid the first cornerstones of a European digital trust ecosystem. It introduced three major categories of electronic signature — simple (SES), advanced (AdES), and qualified (QES) — and created the list of trusted providers (Trusted List), accessible via the European Commission portal.

For SMEs, the major contribution of eIDAS 1 was cross-border recognition of qualified signatures: a contract signed with a French QES was legally recognized in Germany, Spain, or Italy without apostille or additional formality. This principle — called "non-discrimination" — became the foundation upon which SaaS offerings like Certyneo built their services.

1.2 Identified Limitations

Despite its advances, eIDAS 1 suffered from several gaps documented by the European Commission in its 2021 assessment report:

• Fragmentation of identity schemes: only EU Member States that had notified their national scheme (such as FranceConnect+ at substantial level) benefited from mutual recognition. By 2023, only 14 out of 27 States had notified a compliant scheme.
• Absence of native mobile support: the qualified signature creation device (QSCD) often required a smart card or hardware token, hindering mobile adoption.
• Limited trust services: eIDAS 1 listed nine types of qualified services; new use cases (qualified electronic archiving, attribute management) were not regulated.
• No unified identity wallet: each citizen or business managed their identifiers in silos, without guaranteed interoperability.

These limitations prompted the Commission to launch the revision in 2020, resulting in Regulation eIDAS 2 after three years of trilogue negotiations.

---

2. The Five Major Innovations of eIDAS 2 for SMEs

2.1 The European Digital Identity Wallet (EU Digital Identity Wallet — EUDIW)

This is the most visible innovation of the regulation. By November 2026 (transposition deadline set by Article 5a), each EU Member State must offer at least one certified digital identity wallet to its citizens and residents. For SMEs, this evolution has two direct consequences:

1. Simplified authentication of clients and partners: the wallet will allow verified attributes (age, intra-Community VAT number, corporate extract, certified banking data) to be shared without friction. A framework agreement with a German partner can be signed after instant verification of their professional attributes from their EUDIW.
2. Obligation to accept for certain sectors: online services of large platforms (Article 45bis) and certain public services must accept EUDIW as an authentication method. SMEs providing B2B portals will need to adapt their authentication APIs.

2.2 Expansion of the List of Qualified Trust Services

eIDAS 2 expands the catalog of qualified trust services from 9 to 14 categories. The new entries directly concerning SMEs are:

• Qualified electronic archiving (Art. 45septies): long-term preservation with enhanced evidentiary value. Until now, archiving with evidentiary value relied on national frameworks (in France, the SIAF/ANSSI reference framework); eIDAS 2 harmonizes the European framework.
• Remote management of qualified signature creation devices (RQSCD): now explicitly regulated, it removes ambiguities that weighed on cloud-based qualified signature solutions. For a 50-person SME, this means accessing a qualified signature without a physical token, from any device.
• Qualified electronic registry service: registries based on blockchain or distributed ledger technologies can now obtain qualified status, opening the door to new contract management models.

For more information on signature levels and their legal value, consult our comprehensive electronic signature guide.

2.3 Strengthened Security Requirements for Qualified Trust Service Providers (QTSP)

eIDAS 2 tightens obligations for qualified trust service providers (QTSP). The revised Article 24 notably requires:

• Cybersecurity certification compliant with the European framework (EU Cybersecurity Act, Regulation 2019/881), with sectoral schemes currently being developed by ENISA.
• Strengthened requirements for operational resilience: QTSP must now document their business continuity plan and submit it to their national supervision body (in France, ANSSI for qualified providers).
• An obligation to notify security incidents within 24 hours (alignment with NIS 2).

For user SMEs, this translates into an obligation to exercise greater due diligence in choosing a provider: verifying that your signature solution appears on the updated European Trusted List is now a critical step in your procurement process. Our comparison of electronic signature solutions can assist you with this analysis.

2.4 Mandatory Interoperability of Identity Schemes

Whereas eIDAS 1 left Member States free to notify (or not) their scheme, eIDAS 2 makes notification and interoperability mandatory for identity schemes used in online public services (Art. 5). France Identité — the national scheme led by the Ministry of the Interior — is being brought into compliance with the technical specifications of EUDIW, published by the Commission in Implementing Regulation (EU) 2024/2977.

For an SME that regularly interacts with public administrations (public procurement, tax filings, customs procedures), this evolution means that online procedures will progressively be unified around a single digital identifier recognized throughout the EU.

2.5 New Rules on Liability and Supervision

eIDAS 2 clarifies and extends the liability regimes for providers (revised Art. 13). A QTSP is now presumed liable for any damage caused to a natural or legal person by a breach of its obligations, unless it proves the absence of fault. This strengthened presumption of liability, compared to eIDAS 1, should encourage SMEs to:

• Formalize their provider commitments by contract (SLA, availability guarantees, indemnification).
• Verify the QTSP's professional liability insurance coverage.
• Retain evidence of audit trails for signed transactions (timestamp logs, signature verification reports).

Our teams have drafted a detailed guide on electronic signature in business covering these contractual aspects.

---

3. Comparative Table of eIDAS 1 vs eIDAS 2: What Changes in Practice

3.1 Summary of Major Changes

| Criterion | eIDAS 1 (2016-2024) | eIDAS 2 (2024-2026+) | |---|---|---| | Identity Wallet | Absent | EUDIW mandatory (Member States) | | Qualified Services | 9 categories | 14 categories (archiving, RQSCD, registries…) | | Scheme Notification | Optional | Mandatory for public services | | QTSP Security | Common Criteria | Cybersecurity Act + ENISA schemes | | QTSP Liability | Partial | Strengthened presumption of liability | | Incident Notification Deadline | Not specified | 24 hours (NIS 2 alignment) | | Mobile QSCD | Legal ambiguity | RQSCD explicitly regulated |

3.2 Key Deadlines to Remember for 2026

• May 2024: entry into force of Regulation (EU) 2024/1183.
• November 2026: deadline for each Member State to offer at least one certified EUDIW solution.
• 2027: obligation for large platforms (Art. 45bis) to accept EUDIW as an authentication method.
• 2028: planned revision of technical implementing acts (delegated regulations on EUDIW specifications).

If your SME is considering migration to a more compliant solution, our Certyneo migration offering includes a complimentary eIDAS 2 compliance audit.

---

4. Practical Action Plan to Bring Your SME into eIDAS 2 Compliance

4.1 Audit Your Existing Document Flows

Start by mapping all processes in which you currently use electronic signature or digital identity: supplier contracts, dematerialized payslips, SEPA mandates, confidentiality agreements, HR documents. For each workflow, identify:

• The signature level currently used (SES, AdES, QES).
• The current provider and its status on the Trusted List.
• The legal risk level in case of dispute.

This audit is the recommended starting point by ANSSI in its compliance guide published in March 2025.

4.2 Upgrade Your Signature Solution

If your current provider does not appear on the eIDAS 2 Trusted List or does not yet offer RQSCD, it is time to compare market offerings. Certyneo is a certified QTSP that supports all three signature levels (SES, AdES, QES) and natively integrates the new eIDAS 2 requirements, including qualified archiving and remote device management.

4.3 Train Your Teams and Update Your Contracts

eIDAS 2 strengthens the evidentiary value of qualified signatures but also imposes best practices in document management. Ensure that your legal and administrative teams:

• Can distinguish the three signature levels and their respective legal value.
• Integrate into supplier contracts a clause for eIDAS compliance audit.
• Retain evidence of signature verification (validation report, qualified timestamp) for the applicable legal retention period (3 to 10 years depending on the nature of the act).

To structure this approach, our electronic signature ROI calculator will allow you to quantify the operational gains related to upgrading.

Applicable Legal Framework

Reference Texts

Achieving eIDAS 2 compliance for a French SME is part of a regulatory framework that is essential to understand.

Regulation (EU) 2024/1183 of the European Parliament and of the Council (the "eIDAS 2" Regulation): this is the founding text, published in the OJEU on April 30, 2024. It repeals and replaces Regulation (EU) No. 910/2014 according to a progressive deployment schedule running through 2027. It has direct application in all Member States without requiring national legislative transposition for its main provisions.

Regulation (EU) No. 910/2014 (eIDAS 1): certain of its provisions remain applicable during the transitional periods provided for by eIDAS 2, notably for qualified providers that obtained their qualification before May 2024 and have a period to recertify.

French Civil Code, Articles 1366 and 1367: Article 1366 establishes the principle of equivalence between electronic writing and paper writing, provided that "the person from whom it emanates can be duly identified and it is established and preserved in conditions likely to guarantee its integrity." Article 1367 recognizes electronic signature as a means of proof, referring to conditions set by decree in the Council of State (Decree No. 2017-1416 of September 28, 2017, codified in Articles R. 1369-1 to R. 1369-10 of the Civil Code).

Regulation (EU) 2016/679 (GDPR): the deployment of EUDIW and the processing of identity attributes in electronic signature flows constitute personal data processing under GDPR. SMEs must ensure that their QTSP acts as a processor within the meaning of Article 28 GDPR, with a compliant DPA (Data Processing Agreement). CNIL published in January 2026 a specific recommendation on EUDIW-GDPR integration.

Directive (EU) 2022/2555 (NIS 2): eIDAS 2 explicitly aligns with NIS 2 for incident notification obligations (Art. 24, §2 eIDAS 2 referring to NIS 2 provisions). QTSP are considered "essential" or "important" entities within the meaning of NIS 2 depending on their size, and are therefore subject to regular security audits.

ETSI Standards: qualified electronic signatures must comply with ETSI EN 319 132-1 (XAdES), ETSI EN 319 122-1 (CAdES), ETSI EN 319 162-1 (ASiC), and ETSI EN 319 102-1 (validation procedure) standards. The ETSI TS 119 461 standard governs remote identity verification (IDV), particularly relevant for RQSCD.

Legal Risks in Case of Non-Compliance

Using an electronic signature solution that is not compliant with eIDAS 2 exposes the SME to several risks:

• Inadmissibility in court: a judge may reject an electronic signature whose level does not correspond to the signed act (e.g., simple signature for an act requiring an advanced or qualified level).
• Contractual liability: if a contract is challenged by a partner on the grounds of signature nullity, the SME may face indemnification claims.
• GDPR sanctions: in case of data breach linked to a provider's security defect, the SME, as co-responsible or data controller, may be sanctioned by CNIL up to 4% of annual worldwide revenue (Art. 83 §4 GDPR).

Concrete Usage Scenarios

Scenario 1: A 80-person industrial SME managing 400 supplier contracts per year

An SME in the metalworking sector processing approximately 400 supplier contracts annually used until 2024 a simple electronic signature solution (SES) for all of its commitments, including framework contracts exceeding €50,000. Following an eIDAS 2 compliance audit, it discovered that 35% of its contracts required an advanced or qualified signature to withstand legal challenge, particularly with suppliers established in other EU Member States.

By migrating to a solution combining advanced signature (AdES) for routine contracts and qualified (QES) for framework contracts, and enabling qualified electronic archiving (a new eIDAS 2 service), this SME reduced by 70% the time spent on post-signature document management (filing, searching, sending certified copies) and brought to zero signature-related disputes over the following 18 months, compared to two incidents in the 18 months prior.

Scenario 2: A 15-person law firm specializing in corporate law

A firm specializing in business law, issuing an average of 1,200 signed documents per year (engagement letters, mandates, confidentiality agreements), faced growing demand from its corporate clients for qualified signatures recognizable throughout the EU. Under eIDAS 1, obtaining a qualified certificate required a face-to-face procedure or lengthy video verification (45 to 90 minutes per user).

Thanks to the RQSCD (Remote Qualified Signature Creation Device) regulated by eIDAS 2, the firm was able to deploy qualified signature to all collaborators in less than two weeks, via a 100% remote enrollment procedure compliant with the ETSI TS 119 461 standard. Internal adoption rates rose from 40% to 95% in three months, and the average turnaround time for signed documents was reduced from 4.2 days to less than 6 hours according to the firm's internal measurements.

Scenario 3: An e-commerce SME operating in three EU countries

An online sales company employing 35 people and operating in France, Belgium, and the Netherlands had to manage three types of electronic agreements: employment contracts for its local employees, partnership agreements with carriers, and SEPA mandates for its professional customers. The fragmentation of national requirements under eIDAS 1 forced it to maintain three distinct signature workflows, with management costs estimated at approximately €12,000 per year.

The adoption of a single eIDAS 2-compliant solution — integrating mutual recognition of qualified signatures in all three countries — allowed it to unify workflows, reduce management costs to approximately €4,500 per year (62% savings) and eliminate delays related to manual validation of foreign signatures by the legal department.

Conclusion

eIDAS 2 is not a mere cosmetic revision of the regulatory framework: it fundamentally redefines the rules of the digital trust game in Europe. For French SMEs, the five major innovations — EUDIW wallet, expansion of qualified services, RQSCD, mandatory interoperability, and strengthened liability — represent both a compliance obligation and an opportunity to accelerate their document transformation.

SMEs that anticipate these changes today will gain real competitive advantage: contracts recognized throughout the EU without friction, integrated evidentiary archiving, and fully digitalized and secure signature processes.

Certyneo is designed to support this transition. Start your free trial on certyneo.com and benefit from a complimentary eIDAS 2 compliance audit for your existing document flows.