""

eIDAS v2 – Qualified Electronic Archiving Service

The European eIDAS v2 Regulation introduces the Qualified Electronic Archiving Service, designed to ensure that a digital document maintains its evidential value over time.
This service ensures the preservation of the authenticity, integrity, traceability, availability, and readability of documents, even through shifts in formats, technologies, or underlying systems.
Qualified electronic archiving is intended for public and private organizations seeking to retain digital documents in a reliable and legally enforceable manner.

What does eIDAS certification mean for a Qualified Electronic Archiving Service?

The eIDAS certification of an electronic archiving service is a rigorous, independent, third-party regulatory and technical conformity assessment. It certifies that a Trust Service Provider (TSP) complies with the requirements of Article 45j of the eIDAS v2 Regulation (Regulation (EU) 2024/1183) and Implementing Regulation (EU) 2025/2532.

 

Conducted by an accredited Conformity Assessment Body (CAB) such as LSTI, this audit is primarily based on the European technical specification CEN/TS 18170, which rules the management of information packages (SIP, AIP, and DIP cycles of the OAIS model), and on the ETSI EN 319 401 standard for general governance. The audit validates the logical and physical security of the service, the immutability of its audit trail, and the mandatory localization of storage infrastructures within the European Union.

 

Upon successful completion of these verifications, LSTI issues a Conformity Assessment Report (CAR). This positive report is the indispensable regulatory supporting document upon which the National Supervisory Body (ANSSI in France) bases its review to grant official qualified status to the service and proceed with its registration on the European Trusted List (EUTL).

What are the challenges of certification for archiving solution providers?

For an editor or operator of an electronic archiving solution, engaging in the eIDAS v2 qualified certification process presents three major strategic challenges:

  • Obtaining the Legal Presumption of Integrity (Legal Advantage): This is the most powerful commercial and legal asset. The eIDAS v2 implementing regulation automatically awards documents stored in a qualified system a legal presumption of integrity and accuracy of their origin. In a dispute or regulatory audit, the automated and sealed data integrity report provided by the system triggers an inversion of the burden of proof: the document is legally presumed authentic, and it is up to the opposing party to prove otherwise.
  • Immediate Access to the Single European Market (Cross-Border Interoperability): Prior to harmonization by the CEN/TS 18170 specification, each EU country applied its own national criteria for evidential archiving (such as NF Z42-013 in France). Thanks to eIDAS v2 certification, national barriers fall. A qualified service benefits from automatic mutual recognition: a document in a qualified archive in France holds the exact same immediate legal standing before the courts and public administrations of the 26 other EU Member States.
  • A Guarantee of Long-Term Sustainability Against Technological Obsolescence (Absolute Trust): eIDAS v2 certification enforces very strict requirements regarding media migration and file format conversion over the long term (10, 30 years, or more). For providers, certification demonstrates their capability to migrate obsolete formats (e.g., converting to PDF/A) while immutably preserving the original cryptographic hash and the complete traceability of the operation in the audit trail. This is the hallmark of a sustainable solution for key accounts and heavily regulated sectors.
     

Features Standard electronic archiving Qualified electronic archiving (eIDAS v2)
Legalstanding Simple element of proof (evidential value at the judge's discretion). Legal presumption of integrity (Inversion of the burden of proof).
Geographic scope Often restricted to national regulations and local usages. Automatic mutual recognition across all 27 EU Member States.
Proof of integrity Manual or based on unsealed internal logs Automated data integrity report covered by a qualified electronic seal or signature of the TSP.
Audit trail Modifiable by system administrators Immutable, locked via Merkle trees, digital signatures, or integrity chains.
Infrastructure Free hosting (subject to extraterritorial laws) Storage components mandatory located within the European Union.


eIDAS V2 Regulation for Qualified Electronic Archiving

A qualified electronic archiving service is governed by a comprehensive set of requirements, notably covering:

  • Service governance and management control,
  • Security of technical environments,
  • Management of the chain of custody (integrity, sealing, time-stamping),
  • Long-term preservation and sustainability mechanisms,
  • Transparency and contractual commitments.

 

The assessment is based on the ETSI standards applicable to Trust Service Providers (TSPs):

Official reference Subject Contribution to the qualified service
Regulation (EU) 2024/1183(eIDAS v2)
 European legal framework for trust services Article 45j: Legal basis introducing the qualified electronic archiving service and its legal effects.
Implementing regulation (EU) 2025/2532 European implementing act Mandates the uniform application of technical criteria and harmonizes data integrity report formats across the EU.
CEN/TS 18170:2025 Technical specification for electronic archiving The core of the audit: Enforces functional requirements for ingest, storage, traceability, and retrieval (SIP/AIP/DIP packages).
ETSI EN 319 401 General Policy Requirements for TSPs The baseline of the audit: Governs general security, logical and physical access control, risk management, and internal controls.
ETSI TS 119 511 / TS 119 512
 Standards for the preservation of electronic signatures Optional component: Only applicable if the archiving service includes a module aimed at extending the validity of electronic signatures affixed to ingested documents.


Certification confirms the service's compliance with these standard requirements. Qualification, however, is officially granted by the National Supervisory Body and dictates entry into the European Union Trusted List (EUTL).

Ask for a quote

Who is eIDAS certification intended for?

This certification addresses actors ensuring the preservation of digital documents with a focus on legal reliability, including:

  • Third-party electronic archiving service providers,
  • Digital trust operators integrating an archiving function,
  • Public or semi-public bodies managing administrative archives,
  • Enterprises needing to preserve documents with long-term evidential value,
  • Software-as-a-Service (SaaS) secure archiving solution vendors.

 

It enables providers to demonstrate complete mastery of the processes, environments, and protection mechanisms applied to digital archives.


LSTI's role

As an accredited Conformity Assessment Body, LSTI:

  • Performs the conformity audit of the Electronic Archiving Trust Service (EATS) as an independent third-party body,*
  • Verifies strict alignment with the functional requirements of the CEN/TS 18170 specification, the general requirements of ETSI EN 319 401 for trust service providers, and the additional criteria of Implementing Regulation (EU) 2025/2532,
  • Evaluates the immutability of the audit trail and the validity of the automated data integrity reports delivered to users,
  • Establishes a structured, rigorous, and verifiable Conformity Assessment Report (CAR) intended for submission to the competent authorities.

 

The certification delivered by LSTI acts as the essential objective evidence upon which the Supervisory Body relies to grant official qualification and list the service on the European Trusted List.

 

Ask for a quote

Your questions about eIDAS, Qualified Electronic Archiving

  • What is the CEN/TS 18170 specification, and what role does it play in eIDAS v2?

    CEN/TS 18170 (published in May 2025) is the benchmark European technical specification defining the functional requirements for electronic archiving services. It was explicitly drafted to accompany the introduction of electronic archiving services (qualified or non-qualified) by the eIDAS v2 Regulation (Regulation (EU) 2024/1183).

    Its primary role is to provide a harmonized technical framework allowing Trust Service Providers (TSPs) to demonstrate compliance. It details the procedures and technologies necessary to ensure the durability, readability, integrity, confidentiality, and proof of origin of electronic records and documents throughout their retention period.

     

  • What is the fundamental difference between "electronic archiving" (CEN/TS 18170) and "electronic signature preservation" under eIDAS?

    The eIDAS v2 Regulation clearly distinguishes between two distinct types of trust services:

    • Electronic Archiving (governed by CEN/TS 18170): Introduced by Article 3(48) of eIDAS v2, it focuses on the comprehensive preservation of the data or document's content itself (durability, readability, integrity) over the long term.
    • Preservation of Electronic Signatures, Seals, or Certificates: Governed by Article 3(16)(e) (and covered by ETSI TS 119 511 and TS 119 512), its sole technical purpose is to extend the cryptographic validity of a specific signature or seal affixed to a document.

     

    The CEN/TS 18170 specification states that an electronic archiving service may, however, incorporate or rely upon a signature preservation component if required.

  • What are the main infrastructure and safety requirements of CEN/TS 18170?

    To guarantee absolute trust and achieve eIDAS v2 compliance, an Electronic Archive Trust Service Provider (EATSP) must meet strict technical criteria:

    • European Localization: All components of the processing and storage infrastructure must be mandatory located within the European Union (EU).
    • Geographical Redundancy: Archived information packages (AIP) must be permanently stored across at least two separate, geographically distinct data centers to mitigate shared physical or environmental risks.
    • Integrity and Traceability (Audit Trail): The system must generate immutable logs for "critical events" (such as ingest, format conversion, or deletion). This audit trail must be sealed and protected against tampering using cryptographic signatures or integrity chains (e.g., Merkle trees).

  • How is proof of integrity provided when retrieving an archived document?

    In accordance with Article 45j of eIDAS v2 and the criteria of CEN/TS 18170, the archiving service must be capable of automatically generating a data integrity report. This report is provided upon document retrieval (and at any time during the retention period).

     

    For a Qualified Provider (EAQTSP), this report must mandatory be covered by a qualified electronic seal or signature of the EATSP. By recalculating the document's cryptographic hash and verifying it against the history of the immutable audit trail, it formally certifies that the data has undergone no unauthorized alteration or tampering since the exact moment of its ingestion.

  • What is the official text of the eIDAS v2 implementing act for qualified archiving, and when does it apply?

    The specific implementing act for qualified electronic archiving is Commission Implementing Regulation (EU) 2025/2532. Officially published in the Official Journal of the EU on December 17, 2025, this text directly completes Article 45j of the eIDAS v2 Regulation.

     

    It establishes uniform implementation conditions across Europe, transforming high-level eIDAS guidelines into definitive, binding audit criteria. To be listed on the European Trusted List, an archiving TSP must successfully pass a conformity assessment aligned with this implementing regulation and technically supported by the CEN/TS 18170 specification.

  • What is the probative value of a document stored via qualified archiving in accordance with Implementing Regulation (EU) 2025/2532?

    Implementing Regulation (EU) 2025/2532 introduces a historic legal advantage: a cross-border legal presumption of integrity and accuracy of origin. In practice, this means:

    Inversion of the Burden of Proof: In a legal dispute or regulatory inspection, a document extracted from a qualified archiving system is legally presumed authentic and intact since the day it was deposited. The opposing party bears the entire burden of proving any potential tampering.

    Automatic Mutual Recognition: A qualified archiving service certified in France by LSTI is automatically recognized with the exact same immediate evidential value before courts and public authorities across the other 26 countries of the European Union.

     

  • Does the eIDAS v2 implementing regulation allow for format or media migration during archiving?

    Yes, absolutely. Implementing Regulation (EU) 2025/2532, in perfect alignment with clause 10.5 of CEN/TS 18170, explicitly addresses media migration (e.g., switching servers, moving to secure cloud environments) and format conversion (e.g., converting an old Word file to PDF/A) to battle technological obsolescence.

    The implementing act dictates that these operations must be bound by strict rules:

    • Zero Information Loss: The conversion process must preserve the informational integrity and significant properties of the original record.
    • Full Traceability: Every migration or conversion is categorized as a critical event. The old format, new format, tooling used, and the cryptographic hash before and after the operation must be immutably recorded in the audit trail.
    • Maintenance of Proofs: If the original document carried an electronic signature or seal, the system must apply validation-augmentation techniques (for instance, through a CEN/TS 18170 Evidence Record) to extend the validity of the proof across the entire retention span.

Find out more

about our other certifications

""
eIDAS certification
With the European eIDAS regulation (electronic identification and trust services), trust in digital transactionstransactions has become a major issue for the interoperability and security of exchanges throughout the EU (signatures, stamps, electronic time stamping). As a recognized Conformity Assessment Body, LSTI Certification can help you qualify your trust services to guarantee their legal value and strengthen your organization's competitiveness in the digital single market.
See more
""
eIDAS V2 - Qualified Electronic Registers
The eIDAS v2 regulation introduces the distributed ledger trust service. This service enables data to be recorded and stored in a distributed register in an immutable, verifiable and traceable manner, guaranteeing its integrity, authenticity and enforceability over time.
See more
""
ISO 27001 certification: Certify your Information Security Management System (ISMS)
In the face of ever-increasing cyber threats and regulatory requirements, information security has become a strategic priority for organisations. The ISO/IEC 27001 standard has established itself as the leading international framework for structuring information security governance and managing the risks associated with information systems.
ISO 27001 certification is based on the implementation of an Information Security Management System (ISMS) that guarantees the confidentiality, integrity and availability of data. As an independent third-party body, LSTI validates the compliance of your approach, transforming this security requirement into a genuine factor of trust and a competitive advantage for your digital, cloud or healthcare services.
See more

Why choose LSTI?

1

Recognized expertise

With over twenty years' experience, LSTI supports more than 300 organizations in France and Europe as a leading certification body and assessment center, operating in the fields of cybersecurity, digital trust and information security.

2

Specialized auditors

Our teams of auditors are made up of experienced professionals who are fully conversant with ANSSI cybersecurity guidelines, information security management practices and European digital trust frameworks. Their approach guarantees assessments that are demanding, balanced and adapted to the operational contexts of each organization.

3

Independent third party and dedicated support

LSTI guarantees impartiality, transparency and consistency throughout the entire cycle: preparation, audits, surveillance and renewals. A dedicated contact ensures continuity and clarity throughout the certification process.


Discover our news