eIDAS 2 vs eIDAS 1: Key Changes for SMEs
The eIDAS 2 regulation fundamentally reshapes the rules for electronic signatures and digital identity in Europe. Here's what every French SME needs to know before the end of 2026.
Writer — Certyneo

Introduction: Why eIDAS 2 Changes the Game for SMEs
Regulation (EU) 2024/1183 — commonly known as eIDAS 2 — has been in force since 20 May 2024 and progressively repeals and replaces Regulation (EU) No. 910/2014 (eIDAS 1). For French SMEs, this shift is not simply an administrative update: it redefines digital trust levels, introduces a European identity wallet (EUDIW), strengthens requirements for trust service providers, and broadens the scope of recognized services. This article compares eIDAS 1 and eIDAS 2 point by point, identifies the concrete operational impacts for small and medium-sized enterprises, and gives you an action plan to remain compliant by 2026.
---
1. Reminder: What eIDAS 1 Established (2014-2024)
1.1 The Foundations of the Initial Regulation
Adopted in July 2014 and applicable since September 2016, eIDAS 1 laid the first foundations for a European digital trust space. It introduced three main categories of electronic signature — simple (SES), advanced (AdES), and qualified (QES) — and created the list of trusted qualified providers (Trusted List), which can be consulted on the European Commission's portal.
For SMEs, the major contribution of eIDAS 1 was the cross-border recognition of qualified signatures: a contract signed with a French QES was legally recognized in Germany, Spain, or Italy without apostille or additional formality. This principle — called "non-discrimination" — remained the foundation on which SaaS offers like Certyneo built their services.
1.2 The Identified Limitations
Despite its advances, eIDAS 1 suffered from several gaps documented by the European Commission in its 2021 evaluation report:
- Fragmentation of identity schemes: only Member States that notified their national scheme (such as FranceConnect+ at substantial level) benefited from mutual recognition. By 2023, only 14 out of 27 States had notified a compliant scheme.
- Lack of native mobile support: the qualified device for creating a signature (QSCD) often required a smart card or physical token, hampering mobile adoption.
- Limited trust services: eIDAS 1 listed nine types of qualified services; new uses (qualified electronic archiving, attribute management) were not covered.
- No unified identity wallet: each citizen or company managed its identifiers in a siloed manner, without guaranteed interoperability.
These limitations led the Commission to launch the review in 2020, resulting in the eIDAS 2 Regulation after three years of trilogue.
---
2. The Five Major Innovations of eIDAS 2 for SMEs
2.1 The European Digital Identity Wallet (EU Digital Identity Wallet — EUDIW)
This is the most visible innovation of the regulation. By November 2026 (transposition deadline set by Article 5a), each Member State must offer at least one certified digital identity wallet to its citizens and residents. For SMEs, this development has two direct consequences:
- Simplified customer and partner authentication: the wallet will allow verified attributes (age, intra-Community VAT number, business register extract, certified banking data) to be shared without friction. A framework agreement with a German partner could be signed after instant verification of the partner's professional attributes from their EUDIW.
- Mandatory acceptance in certain sectors: online services of large platforms (Article 45bis) and certain public services must accept the EUDIW as an authentication method. SMEs providing B2B portals will need to adapt their authentication APIs.
2.2 Extension of the List of Qualified Trust Services
eIDAS 2 expands the catalogue of qualified trust services from 9 to 14 categories. The new entries directly affecting SMEs are:
- Qualified electronic archiving (Art. 45septies): long-term preservation with enhanced probative value. Until now, archiving with probative value relied on national frameworks (in France, the SIAF/ANSSI framework); eIDAS 2 harmonizes the European framework.
- Remote management of qualified signature creation devices (RQSCD): now explicitly regulated, it removes the ambiguities that weighed on cloud-based qualified signature solutions. For a 50-employee SME, this means accessing a qualified signature without a physical token, from any device.
- Qualified electronic registry service: registries based on blockchain or distributed ledger technologies can now obtain qualified status, opening the way to new contractual management models.
For more information on signature levels and their legal value, consult our comprehensive guide to electronic signatures.
2.3 Strengthened Security Requirements for Qualified Providers (QTSP)
eIDAS 2 tightens the obligations of qualified trust service providers (QTSP). The revised Article 24 notably requires:
- A cybersecurity certification compliant with the European framework (EU Cybersecurity Act, Regulation 2019/881), with sectoral schemes currently being developed by ENISA.
- Strengthened requirements for operational resilience: QTSPs must now document their business continuity plan and submit it to their national supervisory authority (in France, ANSSI for qualified providers).
- An obligation to notify security incidents within 24 hours (alignment with NIS 2).
For user SMEs, this results in an increased due diligence obligation in selecting the provider: verifying that your signature solution is listed on the updated European Trusted List is now a critical step in your procurement process. Our comparison of electronic signature solutions can help you in this analysis.
2.4 Mandatory Interoperability of Identity Schemes
Whereas eIDAS 1 left Member States free to notify (or not) their scheme, eIDAS 2 makes notification and interoperability mandatory for identity schemes used in online public services (Art. 5). France Identité — the national scheme led by the Ministry of Interior — is being adapted to comply with the technical specifications of the EUDIW, published by the Commission in Implementing Regulation (EU) 2024/2977.
For an SME that regularly interacts with public administrations (public procurement, tax e-filing, customs procedures), this evolution means that online procedures will progressively be unified around a single digital identifier recognized throughout the EU.
2.5 New Rules on Liability and Supervision
eIDAS 2 clarifies and expands the regimes of provider liability (revised Art. 13). A QTSP is now presumed liable for any damage caused to a natural or legal person by a breach of its obligations, unless it can prove the absence of fault. This strengthened presumption of liability, compared to eIDAS 1, should encourage SMEs to:
- Formalize their provider's commitments by contract (SLAs, availability guarantees, indemnification).
- Verify the QTSP's professional liability insurance coverage.
- Retain evidence of audits of signed transactions (timestamp logs, signature verification reports).
Our teams have written a detailed guide on electronic signatures in business that addresses these contractual aspects.
---
3. Comparative Table eIDAS 1 vs eIDAS 2: What Changes in Practice
3.1 Summary of Major Developments
| Criterion | eIDAS 1 (2016-2024) | eIDAS 2 (2024-2026+) |
|---|---|---|
| Identity wallet | Absent | EUDIW mandatory (Member States) |
| Qualified services | 9 categories | 14 categories (archiving, RQSCD, registries…) |
| Scheme notification | Optional | Mandatory for public services |
| QTSP security | Common Criteria | Cybersecurity Act + ENISA schemes |
| QTSP liability | Partial | Strengthened presumption of liability |
| Incident notification deadline | Not specified | 24 hours (NIS 2 alignment) |
| Mobile QSCD | Legal ambiguity | RQSCD explicitly regulated |
3.2 Key Deadlines to Remember for 2026
- May 2024: entry into force of Regulation (EU) 2024/1183.
- November 2026: deadline for each Member State to offer at least one certified EUDIW solution.
- 2027: obligation for large platforms (Art. 45bis) to accept the EUDIW as an authentication method.
- 2028: planned review of technical implementing acts (delegated regulations on EUDIW specifications).
If your SME is considering migrating to a more compliant solution, our offer to migrate to Certyneo includes a free eIDAS 2 compliance audit.
---
4. Practical Action Plan to Bring Your SME into eIDAS 2 Compliance
4.1 Audit Your Existing Document Flows
Start by mapping all processes in which you currently use electronic signature or digital identity: supplier contracts, dematerialized payroll slips, SEPA mandates, confidentiality agreements, HR documents. For each flow, identify:
- The signature level used (SES, AdES, QES).
- The current provider and its status on the Trusted List.
- The level of legal risk in case of dispute.
This audit is the starting point recommended by ANSSI in its compliance guide published in March 2025.
4.2 Upgrade Your Signature Solution
If your current provider is not listed on the eIDAS 2 Trusted List or does not yet offer RQSCD, it is time to compare market offerings. Certyneo is a certified QTSP that supports all three signature levels (SES, AdES, QES) and natively integrates the new eIDAS 2 requirements, including qualified archiving and remote device management.
4.3 Train Your Teams and Update Your Contracts
eIDAS 2 strengthens the probative value of qualified signatures but also imposes good document practices. Make sure your legal and administrative teams:
- Know how to distinguish the three levels of signature and their respective legal value.
- Integrate an eIDAS compliance audit clause in supplier contracts.
- Retain evidence of signature verification (validation report, qualified timestamp) for the applicable legal retention period (3 to 10 years depending on the nature of the act).
To structure this approach, our electronic signature ROI calculator will allow you to quantify the operational gains related to the upgrade.
Applicable Legal Framework
Reference Texts
Bringing an SME into eIDAS 2 compliance in France is part of a regulatory framework that is essential to master.
Regulation (EU) 2024/1183 of the European Parliament and of the Council (called "eIDAS 2"): this is the founding text, published in the Official Journal on 30 April 2024. It repeals and replaces Regulation (EU) No. 910/2014 according to a phased implementation schedule running until 2027. It is directly applicable in all Member States without requiring national legislative transposition for its main provisions.
Regulation (EU) No. 910/2014 (eIDAS 1): some of its provisions remain applicable during the transition periods provided for by eIDAS 2, particularly for qualified providers that obtained their qualification before May 2024 and have a deadline to recertify.
French Civil Code, Articles 1366 and 1367: Article 1366 establishes the principle of equivalence between electronic writing and paper writing, provided that "the person from whom it emanates can be duly identified and it is established and preserved in conditions likely to guarantee its integrity". Article 1367 recognizes electronic signature as a means of proof, referring to the conditions set by decree in Council of State (Decree No. 2017-1416 of 28 September 2017, codified in Articles R. 1369-1 to R. 1369-10 of the Civil Code).
Regulation (EU) 2016/679 (GDPR): the deployment of the EUDIW and the processing of identity attributes in electronic signature flows constitute personal data processing within the meaning of the GDPR. SMEs must ensure that their QTSP acts as a processor within the meaning of Article 28 GDPR, with a compliant Data Processing Agreement (DPA). In January 2026, the CNIL published a specific recommendation on EUDIW-GDPR integration.
Directive (EU) 2022/2555 (NIS 2): eIDAS 2 explicitly aligns with NIS 2 on incident notification obligations (Art. 24, §2 eIDAS 2 referring to NIS 2 provisions). QTSPs are considered "essential" or "important" entities within the meaning of NIS 2 depending on their size, and are subject as such to regular security audits.
ETSI Standards: qualified electronic signatures must comply with ETSI EN 319 132-1 (XAdES), ETSI EN 319 122-1 (CAdES), ETSI EN 319 162-1 (ASiC), and ETSI EN 319 102-1 (validation procedure) standards. The ETSI TS 119 461 standard governs remote identity verification (IDV), particularly relevant for RQSCD.
Legal Risks in Case of Non-Compliance
Using an electronic signature solution that does not comply with eIDAS 2 exposes the SME to several risks:
- Inadmissibility in court: a judge may reject an electronic signature whose level does not match the act signed (e.g., simple signature for an act requiring an advanced or qualified level).
- Contractual liability: if a contract is disputed by a partner on the grounds of signature nullity, the SME may be exposed to indemnification claims.
- GDPR sanctions: in case of a data breach related to a provider's security defect, the SME, as co-controller or controller, may be sanctioned by the CNIL up to 4% of annual worldwide turnover (Art. 83 §4 GDPR).
Concrete Use Case Scenarios
Scenario 1: An 80-Person Industrial SME Managing 400 Supplier Contracts Per Year
An SME in the metalworking sector processing approximately 400 supplier contracts annually used a simple electronic signature (SES) solution until 2024 for all of its commitments, including framework contracts exceeding 50,000 €. After an eIDAS 2 compliance audit, it found that 35% of its contracts required an advanced or qualified signature to withstand legal challenge, particularly with suppliers established in other EU Member States.
By migrating to a solution combining advanced signature (AdES) for routine contracts and qualified signature (QES) for framework contracts, and by activating qualified electronic archiving (new eIDAS 2 service), this SME reduced the time spent on post-signature document management (filing, searching, sending certified copies) by 70% and brought disputes related to signature contestation down to zero over the following 18 months, compared to two incidents in the 18 months before.
Scenario 2: A 15-Person Legal Consulting Firm
A firm specializing in business law, issuing an average of 1,200 signed documents per year (engagement letters, mandates, confidentiality agreements), faced growing demand from its corporate clients for qualified signatures recognized throughout the EU. Under eIDAS 1, obtaining a qualified certificate required a face-to-face procedure or lengthy video verification (45 to 90 minutes per user).
Thanks to the RQSCD (Remote Qualified Signature Creation Device) regulated by eIDAS 2, the firm was able to deploy qualified signature for all its staff in less than two weeks, via a 100% remote enrollment procedure compliant with the ETSI TS 119 461 standard. The internal adoption rate rose from 40% to 95% in three months, and the average turnaround time for signed documents was reduced from 4.2 days to less than 6 hours according to the firm's internal measurements.
Scenario 3: An E-Commerce SME Operating in Three EU Countries
An online sales company employing 35 people and operating in France, Belgium, and the Netherlands had to manage three types of electronic agreements: employment contracts for its local employees, partnership agreements with carriers, and SEPA mandates for its professional customers. The fragmentation of national requirements under eIDAS 1 forced it to maintain three distinct signature workflows, with estimated management costs of approximately 12,000 € per year.
The adoption of a single solution compliant with eIDAS 2 — integrating mutual recognition of qualified signatures in all three countries — made it possible to unify workflows, reduce management costs to approximately 4,500 € per year (62% saving) and eliminate delays related to manual validation of foreign signatures by the legal department.
Conclusion
eIDAS 2 is not a mere cosmetic revision of the regulatory framework: it fundamentally redefines the rules of digital trust in Europe. For French SMEs, the five major developments — EUDIW wallet, extension of qualified services, RQSCD, mandatory interoperability, and strengthened liability — represent both a compliance constraint and an opportunity to accelerate their document transformation.
SMEs that anticipate these changes today will benefit from a real competitive advantage: contracts recognized throughout the EU without friction, integrated archiving with probative value, and fully dematerialized and secure signature processes.
Certyneo is designed to support this transition. Start your free trial on certyneo.com and receive a complimentary eIDAS 2 compliance audit for your existing document flows.