
eIDAS 2 Certification for Signature Service Providers 2026

The eIDAS 2 regulation imposes new requirements on trust service providers. Discover the complete certification pathway to remain compliant in 2026.

Certyneo · 12 min read


Why eIDAS 2 Certification Changes the Game for Service Providers

Since the entry into force of Regulation (EU) 2024/1183 of 11 April 2024 — commonly known as eIDAS 2 — trust service providers (TSP) operating in the European Union face a fundamentally reformed regulatory framework. The revision of the original eIDAS regulation of 2014 goes beyond merely expanding the scope of recognized services: it substantially tightens accreditation conditions, introduces new levels of assurance, and strengthens the supervision requirements of national control bodies. For any player wishing to offer qualified electronic signature (QES) or advanced signature (AdES) services on the European market, understanding how to obtain eIDAS 2 certification for signature service providers is no longer optional — it is a strategic necessity.

This article provides a comprehensive overview of the certification pathway: applicable legislation, technical standards to comply with, the role of Conformity Assessment Bodies (CAB), realistic timelines, and operational vigilance points.

---

The New eIDAS 2 Regulatory Landscape: What Has Changed

From Regulation 910/2014 to Regulation 2024/1183: Major Developments

The original eIDAS regulation (No. 910/2014) laid the foundations for a single European digital trust market. It defined three signature levels — simple, advanced, and qualified — and required qualified providers to be listed on national trust service lists (TSL, Trust Service Lists). eIDAS 2 preserves this architecture but enriches it on several structural points:

  • Extension of qualified services: qualified electronic archiving, electronic attestations of attributes (EAA), remote management of qualified signature creation devices (QSCD). These new services are now subject to the same accreditation procedure as qualified signatures.
  • The European Digital Identity Wallet (EUDIW): providers wishing to interact with the future digital identity wallet must demonstrate compliance with technical specifications published by the Commission (ARF — Architecture and Reference Framework, v1.4, 2024).
  • Strengthened supervision: national supervision authorities (in France, ANSSI) have enhanced investigative and injunction powers. Qualified TSP may be subject to unannounced audits.
  • Reduced notification periods: any significant security incident must be reported to the competent authority within 24 hours (compared to 72 hours in the previous version for certain incidents).

For a comprehensive overview of the regulation, the eIDAS 2.0 guide by Certyneo offers an educational summary of all these developments.

Levels of Assurance and Their Implications for Certification

The distinction between advanced and qualified electronic signature remains the system's pivot point. Only QES benefits from a legal presumption of integrity and attribution equivalent to handwritten signature (Article 25 of eIDAS 2 regulation). This presumption is directly conditional on provider certification.

| Level | Evidentiary Value | Provider Requirement |
|---|---|---|
| Simple (SES) | Limited | None |
| Advanced (AdES) | Significant | Best practices + ETSI standards |
| Qualified (QES) | Maximum (legal presumption) | Mandatory eIDAS 2 certification |

---

The eIDAS 2 Certification Process Step by Step

Step 1 — Organizational and Technical Prerequisites

Before formally engaging in the certification process, a provider must audit its maturity level on three axes:

1. Compliance with ETSI Standards

Standards in the EN 319 series constitute the essential technical foundation. The main ones are:

  • ETSI EN 319 401: general requirements for trust service providers
  • ETSI EN 319 411-1 and 411-2: policies and requirements for certification authorities issuing certificates (PTC-QC profiles for qualified certifications)
  • ETSI EN 319 421: policy and requirements for timestamp service providers
  • ETSI EN 319 132: signature formats XAdES (XML), and associated series CAdES (CMS) and PAdES (PDF)

Compliance with these standards is not optional for qualified providers: it is explicitly required by the European Commission's implementing acts.

2. Information Systems Security

QSCDs (qualified signature creation devices) must be certified according to Common Criteria (CC) EAL4+ or equivalent. For remote signature solutions — the dominant SaaS model — requirements also cover HSM (Hardware Security Module) modules and cryptographic key management procedures (FIPS 140-2 level 3 minimum compliance).

3. Information Security Policy (ISSP) and Risk Management

The certification file requires a formalized ISSP, aligned with ISO/IEC 27001 (whose certification is strongly recommended and sometimes required by CABs) and incorporating NIS2 requirements for entities classified as "important" or "essential."

Step 2 — Selection and Engagement of a Conformity Assessment Body (CAB)

In France, CABs accredited by COFRAC (French Committee for Accreditation) to assess trust service providers are few in number. By way of example, LSTI (Laboratoire de Sécurité des Technologies de l'Information) and Bureau Veritas Certification are among the referenced actors. At the European level, each Member State publishes the list of its notified CABs.

The CAB's role is to conduct a compliance audit in two phases:

  1. Document review (Phase 1): examination of policies, procedures, Certification Practice Statement (CPS) and technical evidence.
  2. On-site audit (Phase 2): verification of operational controls, penetration testing, interviews with teams.

The total duration of a CAB audit typically ranges from 4 to 8 weeks depending on the candidate's prior maturity.

Step 3 — Review by National Supervision Authority

In France, it is the ANSSI (French National Agency for Information Systems Security) that processes applications for entry on the national trust list (TSL FR). Based on the CAB audit report, ANSSI conducts its own analysis and may request additional information or corrective measures.

The regulatory review period is 3 months from receipt of a complete file (Article 17 of eIDAS 2 regulation). In practice, actual timelines are often longer if the initial file is incomplete.

Once listed on the national TSL, the provider is automatically referenced in the EUTL (EU Trusted List), published by the European Commission, which gives it immediate cross-border recognition in all 27 Member States.
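As an added illustration, not code from the original article or from Certyneo, the following Python script shows the check a buyer's IT team can run before contracting: parse a trusted list in the ETSI TS 119 612 XML format, look up the provider by name, and report whether it has a CA/QC service whose status is currently "granted". The TSL fragment is constructed and the provider and service names are placeholders; the namespace and the status/service-type URIs are those I know from the ETSI specification and should be checked against the published list.

```python
import xml.etree.ElementTree as ET
# ETSI TS 119 612 namespace and well-known identifiers (check against the published list).
NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
SVC_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
# Constructed sample fragment, not a real national TSL; names are placeholders.
SAMPLE_TSL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
 <TrustServiceProviderList><TrustServiceProvider>
  <TSPInformation><TSPName><Name xml:lang="en">Example QTSP SAS</Name></TSPName></TSPInformation>
  <TSPServices>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example QES CA</Name></ServiceName>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
    <StatusStartingTime>2025-03-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation></TSPService>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Legacy CA</Name></ServiceName>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
    <StatusStartingTime>2024-01-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation></TSPService>
  </TSPServices>
 </TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""

def qualified_ca_services(tsl_xml: str, tsp_name: str) -> list:
    """Return the named TSP's CA/QC services with status. Withdrawn services are
    reported as history but never count as a listing; only 'granted' does."""
    root = ET.fromstring(tsl_xml)
    found = []
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        names = {n.text for n in tsp.iterfind("tsl:TSPInformation/tsl:TSPName/tsl:Name", NS)}
        if tsp_name not in names:
            continue
        for svc in tsp.iterfind(".//tsl:ServiceInformation", NS):
            if svc.findtext("tsl:ServiceTypeIdentifier", "", NS) != SVC_CA_QC:
                continue
            found.append({
                "service": svc.findtext("tsl:ServiceName/tsl:Name", "", NS),
                "granted": svc.findtext("tsl:ServiceStatus", "", NS) == STATUS_GRANTED,
                "since": svc.findtext("tsl:StatusStartingTime", "", NS),
            })
    return found

def is_listed_for_qes(tsl_xml: str, tsp_name: str) -> bool:
    """True only if the TSP has at least one CA/QC service currently 'granted'."""
    return any(s["granted"] for s in qualified_ca_services(tsl_xml, tsp_name))
```

In a real check, fetch the list from its official URL and verify its XML signature before trusting its content, and match the service's digital identity (the CA certificate) rather than the display name, which is not unique.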

Step 4 — Maintaining Qualification and Renewal

eIDAS 2 certification is not permanent. Qualified providers are subject to:

  • An annual surveillance audit conducted by the CAB
  • A complete renewal audit every 24 months (a shorter cycle than previous practice)
  • Unannounced inspections possible on the initiative of ANSSI

Any substantial modification to the infrastructure (HSM change, PKI evolution, new qualified service) triggers a prior notification procedure and may require a partial audit.

---

Costs, Timelines, and Risk Factors: What CISOs Must Anticipate

Budget and Human Resources

The cost of first-time eIDAS 2 certification is significant. Expense items include:

  • CAB audit: between €40,000 and €120,000 depending on scope complexity
  • Technical compliance implementation (HSM, PKI, CC-certified QSCD): €80,000 to several hundred thousand euros for proprietary infrastructure
  • ISO 27001 certification (recommended as a prerequisite): €15,000 to €50,000 depending on size
  • Legal consulting and CPS drafting fees: €10,000 to €30,000
  • Internal costs: mobilization of a dedicated team (CISO, DPO, compliance officer) for 12 to 18 months

Combining all these items, a complete certification represents a global investment of approximately €200,000 to €500,000 for a mid-sized provider, excluding recurring maintenance costs.

Operational Risk Factors

The most frequent causes of failure or delay in certification procedures are:

  1. Insufficiently detailed CPS: the Certification Practice Statement must document each control with a level of granularity sometimes underestimated.
  2. Gaps in key lifecycle management: revocation, archiving, destruction of private keys.
  3. Inadequate incident governance: lack of SIEM, tested crisis management procedures, runbooks.
  4. Underestimation of NIS2: since October 2024, qualified TSP are automatically classified as "important" entities under the NIS2 directive, with additional reporting and risk management obligations.

For companies wishing to delegate these constraints to an already-certified provider rather than building their own infrastructure, the comparison of electronic signature solutions available on Certyneo helps objectify this build-vs-buy choice.

---

eIDAS 2 and Electronic Signature in Business: Transition Challenges

For user enterprises — as opposed to providers — the eIDAS 2 certification of their SaaS signature provider is now an essential selection criterion. Including a clause in calls for tender requiring entry on the national TSL has become standard practice in regulated sectors (finance, healthcare, real estate).

Electronic signature in business requires a clear distinction between the use cases that call for QES — private documents with significant stakes, powers of attorney, notarial electronic documents — and those where AdES is sufficient. This mapping of use cases directly determines the level of contractual service required from the provider.

Organizations migrating from an existing solution to a provider certified eIDAS 2 must also anticipate the portability of proof archives. The guide on migration from DocuSign or YouSign to Certyneo details best practices for preserving the evidentiary value of documents already signed during the transition.

Founding Texts

The certification of trust service providers rests on a dense normative framework that must be mastered in its entirety:

Regulation (EU) 2024/1183 of 11 April 2024 (eIDAS 2): the reference text that repeals and replaces the corresponding provisions of Regulation 910/2014. It defines the conditions for obtaining and maintaining qualified provider status, national supervision obligations, and requirements for new services (EUDIW, EAA).

Regulation (EU) No. 910/2014 (eIDAS 1): still partially applicable for non-amended provisions; implementing and delegated acts adopted under this regulation remain in force until their formal revision.

French Civil Code, Articles 1366 and 1367: Article 1366 establishes the principle of equivalence of electronic signature to handwritten signature subject to reliability; Article 1367 specifies that reliability is presumed until proven otherwise when qualified signature is used. These national provisions articulate directly with the legal presumption of Article 25 eIDAS 2.

Directive (EU) 2022/2555 (NIS2): transposed into French law by the Law of 15 October 2024, it automatically classifies trust service providers as important entities. Obligations: reporting to ANSSI within 72 hours for any significant incident, implementation of formalized cyber risk management, periodic security audit.

Regulation (EU) 2016/679 (GDPR): electronic signature service providers process sensitive personal data (identity of signatories, audit logs). Compliance with principles of minimization, storage limitation, and integrity requires a specific impact assessment (DPIA). The legal basis for processing must be documented for each service.

Technical Standards With Regulatory Value

European Commission implementing acts (notably Implementing Decision (EU) 2015/1506 and its revisions) designate ETSI standards as presumptive of compliance:

  • ETSI EN 319 401: general TSP requirements
  • ETSI EN 319 411-1 and 411-2: certification policies
  • ETSI EN 319 421: qualified timestamp
  • ETSI EN 319 132 / 122 / 102: AdES formats (XAdES, CAdES, PAdES, ASiC)
  • ETSI TS 119 431: remote signature services

Fraudulent or negligent use of qualified provider status exposes the provider to administrative sanctions imposed by ANSSI (suspension, removal from the trust list) and to criminal prosecution (Article 226-17 of the Penal Code for data security failure). On the civil side, any challenge to the evidentiary value of signatures issued during a period of non-compliance may engage the provider's contractual liability to its clients.

Use Case Scenarios: eIDAS 2 Certification in Practice

Scenario 1 — A Mid-Sized SaaS Editor Targeting QES Qualification

A company specializing in document dematerialization, employing around one hundred employees and managing several million signature transactions annually for clients in the banking and insurance sectors, decides to apply for eIDAS 2 qualification for its electronic signature service. Until now, the company had offered advanced signature based on certificates (AdES), sufficient for the majority of its client contracts, but insufficient for documents requiring maximum evidentiary value (SEPA mandates, notarial proof conventions).

After a 3-month internal audit revealing about fifteen major gaps compared to ETSI EN 319 411-2 requirements, the company launches a compliance program over 14 months. The main work streams are replacing existing HSMs with FIPS 140-2 level 3 certified modules, drafting a 180-page CPS, and obtaining ISO 27001 certification prior to the CAB audit. Total investment reaches €340,000. Upon completion of the process, entry on the French TSL allows the company to access calls for tender from which it was systematically excluded, representing an estimated potential revenue growth of 20%.

Scenario 2 — A Hospital Group Integrating Qualified Signature for Medico-Legal Acts

A hospital group of approximately 1,200 beds wishes to dematerialize its informed consent processes, medical power of attorney delegation, and clinical research contracts. These documents fall into the category of acts for which QES is required or strongly recommended by HAS reference frameworks and the legal framework for health data (Article L. 1110-4 French Public Health Code).

Rather than certifying in-house infrastructure — an option deemed too costly and outside its core business — the group opts to integrate a third-party provider already listed on the TSL. IT conducts a compliance audit of the provider based on the ETSI EN 319 401 control checklist and verifies its actual presence on the EUTL before any contracting. Deployment, completed in 4 months, reduces the signature collection timeframe on clinical research files by 65% and eliminates the legal challenge risk associated with the prior use of simple signatures for sensitive documents.

Scenario 3 — A Law Firm Securing Its Private Deeds

A business law firm of approximately thirty partners, handling nearly 400 merger, acquisition, and business asset sale transactions annually, seeks to strengthen the signature of its complex private deeds. The unit value of the transactions handled frequently exceeds one million euros, and any formal defect can engage the firm's professional liability.

After analysis, IT and the managing partner agree that the minimum contractual requirement is QES issued by an eIDAS 2 certified provider for any document valued above €100,000. The provider selection criterion mandatorily includes verification of entry on the national TSL and availability of a recent ETSI compliance certificate (less than 12 months old). This framework allows the firm to reduce by over 80% requests for expert review on signature validity during subsequent disputes, according to feedback from comparable structures in the sector.

Conclusion

Obtaining eIDAS 2 certification as an electronic signature service provider is a demanding, costly, and lengthy process — but essential for any player wishing to offer maximum legal guarantees to clients on the European market. Between compliance with ETSI standards, CAB audit passage, ANSSI review, and maintaining qualification over time, the initiative mobilizes substantial resources over 12 to 24 months.

For user enterprises, the good news is that it is not necessary to build this infrastructure in-house: choosing a SaaS provider already certified eIDAS 2 and listed on the national trust list allows immediate benefit from the legal presumption attached to QES, without bearing certification costs.

Certyneo is a certified trust provider designed for B2B companies that demand legal rigor and ease of use. Discover our pricing and start your free trial today.
