eIDAS compliance for SMEs: the complete 2026 checklist

The European eIDAS regulation (EU n°910/2014, soon to be amended by eIDAS 2.0) regulates electronic signatures throughout the European Union. For an SME, being in compliance is not just a box to check: it is the guarantee that its contracts are enforceable, that its signature data is protected, and that it protects itself against legal risks that can be costly. Here is the 2026 checklist in 12 concrete points to check that your SME is fully eIDAS compliant.

Point 1: choose the right signature level

First reflex: map your contract types and associate a target level. Standard commercial contracts (quotes, purchase orders, simple NDAs): SES is enough. Employment contracts, leases, sensitive NDAs, strategic agreements: AES minimum, preferably with OTP SMS. Regulated acts (lawyer, notary, public contracts above a threshold): Mandatory QES. Without this mapping, you risk undersizing (refused contract) or oversizing (excessive cost).

Point 2: check the qualification of the service provider

Your service provider must be a trusted service provider (QTSP) or rely on a QTSP for AES/QES levels. Consult the Trust Services List published by ANSSI (eidas.ssi.gouv.fr) and the European Trusted List (webgate.ec.europa.eu/tl-browser). The French reference QTSPs: Certigna, Docaposte, Certinomis, Universign. For SES/AES via platform (Certyneo, Yousign, etc.), check their explicitly documented eIDAS compliance.

Point 3: Test the audit trail

Sign a test envelope and collect the audit trail (usually a separate PDF). It must contain: identity and email of the signatory, timestamp of each step (sending, opening, validation, signature), IP address, user agent, hash of the document, OTP validation if AES. If one of these elements is missing, the evidentiary value is weakened. Certyneo provides the complete audit trail even on a free plan.

Point 4: control the timestamp

The timestamp must be issued by a Time Stamp Authority (TSA) compliant with RFC 3161. A timestamp simply from a company NTP server is not enough. Open the signed PDF in Adobe Reader: Signatures tab → Details → Timestamp. You should see a valid TSA certificate and a certified clock there. If the PDF does not have a certified timestamp, back off on the choice of service provider.

Point 5: archive for at least 10 years

The Commercial Code (article L. 123-22) requires 10 years of storage for commercial documents. The Labor Code imposes 5 years for post-termination employment contracts. Archiving must preserve integrity (hash, sealing) and access. Ideal: PDF/A format (ISO 19005), dual storage (primary + off-site backup), qualified electronic safe (CFE) for maximum proof. Certyneo archives 10 years by default and offers export to CFE partners.

Point 6: check data localization

Where is your signature data hosted? For a French SME dealing with sensitive contracts, choose French or EU hosting. Ask your service provider for the list of subcontractors and their location (article 28 GDPR). Avoid solutions subject to the US Cloud Act for strategic contracts. Certyneo is hosted in France, without Cloud Act dependency. See our article on /blog/cloud-act-signature-electronique.

Point 7: articulate with the GDPR

Signature and GDPR are closely linked: each envelope contains personal data (name, email, IP, telephone). Make sure that your processing register (art. 30 GDPR) includes the electronic signature, that the retention periods are consistent (10 years), and that the rights of individuals can be implemented (access, rectification, portability). If you are requesting a lot of signatures, a DPO is recommended. See our article /blog/signature-electronique-rgpd.

Point 8: identify signatories upstream

For a solid AES, identification does not start with signing: it starts with data collection. Check emails (no aliases, no mailing list), phone numbers (no shared line), and keep track of the source of identification (ID for heavy contracts, existing customer KYC for ongoing contracts). This due diligence makes the evidence solid in the event of a dispute.

Point 9: train the teams

Your sales, HR and legal teams must understand the rules: never force a signer to use a third-party device, never return a modified signed PDF, never paste a scanned signature image in place of a real signature. One hour of training per team is enough to instill good reflexes. Certyneo provides a complete guide to share internally (/resources).

Point 10: check the service providers' contracts

The CGU/CGV of the signature service provider must: initiate eIDAS compliance, specify archiving periods, include a GDPR subcontracting agreement (art. 28), document the subcontractors, provide a reversibility plan in the event of cessation. Also request SOC 2 Type II or equivalent if you process large volumes. For Certyneo, these documents are available on /legal and /security.

Point 11: prepare eIDAS 2.0 and the EUDI Wallet

The eIDAS 2.0 regulation (EU 2024/1183) comes into force gradually and requires Member States to deploy an EUDI Wallet before the end of 2026. This digital identity wallet will notably allow access to the QES remotely without a physical registration office. Prepare your SME: check that your service provider has a EUDI Wallet roadmap, follow communications from ANSSI and the European Commission. See /blog/eidas-2-nouveau-reglement-2026.

Point 12: audit annually

Compliance is not an acquired status: it is an ongoing process. Schedule an annual audit (internal or external) to check: regulatory changes, service provider developments, up-to-date mapping of contract types, effective retention, training of new recruits. A light audit takes half a day for an SME and avoids many surprises. Start by creating a free Certyneo account at certyneo.com/signup to test real-world compliance, then check out our eIDAS guide to dig deeper (/guide/eidas).