The eIDAS Regulatory Framework
To obtain eIDAS v2 conformity certification, Trust Service Providers (TSPs) are assessed cross-functionally and by service type according to a strict framework:
- The General Baseline: The assessment is strictly based on the ETSI EN 319 401 standard (General Policy Requirements for Trust Service Providers) and Implementing Regulation (EU) 2025/2530 (security and governance requirements applicable to qualified providers).
- Audit Methodology: Our assessment processes scrupulously comply with the requirements of ISO/IEC 17065 and ETSI EN 319 403-1 standards regarding the operation of conformity assessment bodies certifying trust services.
- Technical Reference Framework: The applicable audit criteria, including the precise versions and publication dates of ETSI standards, are detailed in the document available online: Q092 – Annex 1.
List of eIDAS v2 Trust Services
The European eIDAS v2 regulation aims to secure all our online procedures. To achieve this, it defines a list of trust services. If a provider is certified, its services receive a "qualified" status, giving them true legal value throughout Europe.
Maintained and Enhanced eIDAS Services
These services already existed under the first version of eIDAS but remain indispensable:
- Electronic Signature (for individuals): The digital equivalent of your handwritten signature. It allows an individual to sign a contract online while proving their identity and guaranteeing that the contract has not been modified after signing.
- Electronic Seal (for corporate entities): The digital equivalent of a company stamp. It allows a company or public administration to automatically sign thousands of documents (such as invoices or payslips) to prove their origin.
- Electronic Time Stamp: A digital "talking clock". This service associates an official, tamper-proof date and time with a document or an online action, providing indisputable proof that a document existed at a specific moment.
- Website Authentication (QWAC Certificates): A high-end version of the secure connection indicator in your browser's address bar. This certificate indisputably proves the real identity of the company owning the website (to prevent phishing, hacking, and fake banking or administrative sites).
- Electronic Registered Delivery Service (ERDS): The digital equivalent of paper registered mail with acknowledgement of receipt. It provides legal proof of the date and time an email was sent, its successful receipt by the recipient, and guarantees that the message content has not been intercepted or altered.
- Validation and Preservation: These services make it possible to instantly verify whether an old electronic signature was valid at the time it was made, and to extend its legal validity over time by adding new cryptographic protections.
New eIDAS v2 Services
These services were created to adapt to new digital and mobile use cases:
- European Digital Identity Wallet (EUDI Wallet): A secure smartphone application (an official, European digital wallet). It allows every citizen to store their identity card, driving license, or diplomas to share them securely in a single click.
- Qualified Electronic Attestation of Attributes (QEAA): This service digitizes official supporting documents (a university diploma, an insurance certificate, a commercial register extract). These credentials are electronically signed by the issuing body to prove their authenticity.
- Qualified Electronic Archiving Service (EATS): This service guarantees that a digital document (such as a contract or an invoice) will be kept in a safe place for many years (10, 30 years or more) without risk of modification, loss, or becoming unreadable due to technological evolution.
- Electronic Ledgers: This service allows data or transactions to be recorded in a decentralized, shared digital ledger. It guarantees that no one can modify or delete the history of what has been recorded (highly useful for tracing the origin of products or financial transactions).
- Remote QSCD Management (Remote Qualified Signature/Seal Creation Devices): This service allows a user to sign a document in a highly secure manner from their smartphone or computer, without needing a physical USB token or a special smart card. The signature keys are protected remotely in ultra-secure servers.
The challenges of eIDAS certification?
The major challenges of eIDAS certification for customers (Trusted Service Providers) are :
- Increased confidence and credibility : Obtaining qualification strengthens the confidence of users and partners in your digital services.
- Pan-European recognition: Ensure the legal validity of your services (signatures, stamps, etc.) in all European Union member states.
- Regulatory compliance: Meet the strict requirements of European regulations to avoid legal challenges.
- Access to public procurement: eIDAS qualification is often required for transactions with European administrations and public bodies.
- Secure transactions : guarantee the highest level of security for the identification and integrity of exchanged data.
- Process optimization: Facilitate the complete dematerialization of contractual and administrative exchanges.
Who is eIDAS Certification For?
eIDAS certification is aimed at an expanding ecosystem of stakeholders, encompassing all structures—both public and private—that issue, manage, or integrate digital data with high legal and security value.
It primarily concerns traditional or emerging Trust Service Providers (TSPs) (software vendors, trusted third parties, certification authorities) wishing to validate the compliance of their signature, seal, time-stamping, or electronic archiving solutions. It is also of crucial relevance to Public Administrations and State Services (ministries, prefectures, social protection agencies, universities, professional bodies) responsible for managing authentic sources of data.
By obtaining this certification, these public and private entities position themselves as pivotal hubs of modern digital identity, qualifying them to issue certified attributes and Qualified Electronic Attestations of Attributes (QEAA) that are natively compatible and interoperable with the future European Digital Identity Wallet (EUDI Wallet).
How Does the eIDAS Certification Process Work at LSTI?
LSTI is listed on the European Commission's official list as an accredited Conformity Assessment Body (CAB) authorized to perform eIDAS certification audits.
The initial assessment is rigorously carried out in two major, time-bound steps:
- Step 1: Remote Document Review An in-depth analysis of the Provider's documentation (Information Security Policy, risk assessments, service policies) to evaluate readiness and validate the contractual scope. This phase determines progression to the next step; the maximum delay between Step 1 and Step 2 cannot exceed 6 months.
- Step 2: On-site Audit (Processes, Premises, and Information Systems) On-site investigations by our expert auditor teams to gather factual evidence of the implementation of operating procedures: logical and physical security, cryptographic reliability, subscriber registration mechanisms, and infrastructure compliance.
- The Surveillance Cycle: Once certification is granted (valid for 2 years), a surveillance audit is systematically carried out at 12 months to ensure continuous compliance maintenance. A full renewal audit takes place before the certificate expires.
The qualification of providers is granted by the supervisory bodies of the EU Member States. Qualification is pronounced based on a certificate and a report drawn up by an accredited conformity assessment body authorized to carry out these assessments.
The list of our eIDAS-certified clients is available via our search engine under the TSP register.
List of references to the eIDAS Regulation, the technical standards, and the link to the implementing acts:
| Trust Services (Official Designation) | eIDAS Reference | Main Reference Standards | Official Title of the Dedicated European Implementing Regulation |
| For all services (Common Baseline) | Cross-functional | ETSI EN 319 401 | Implementing Regulation (EU) 2025/2530 laying down compliance requirements and general security and governance standards for qualified trust service providers. |
| Issuance of qualified electronic signature certificates |
Art. 3 – No. 16 – A | ETSI EN 319 411-2, ETSI TS 119 461, ETSI EN 301 549 | Implementing Regulation (EU) 2025/1943 (standards applicable to qualified certificates) / Implementing Regulation (EU) 2025/1566 (standards applicable to the verification of identity and attributes). |
| Issuance of qualified electronic seal certificates |
Art. 3 – No. 16 – B | ETSI EN 319 411-2, ETSI TS 119 495, ETSI TS 119 461 | Implementing Regulation (EU) 2025/1943 (Certificate standards) / Implementing Regulation (EU) 2025/1566 (Identity verification). |
| Issuance of qualified website authentication certificates (QWAC) | Art. 3 – No. 16 – C | ETSI EN 319 411-2, ETSI TS 119 411-5, ETSI TS 119 461 | Implementing Regulation (EU) 2025/2527 (standards applicable to QWACs) / Implementing Regulation (EU) 2025/1566 (Identity verification). |
| Qualified validation service for qualified electronic signatures and seals | Art. 3 – No. 16 – D / J / L | ETSI TS 119 441, ETSI TS 119 442, ETSI EN 319 102-1 | Implementing Regulation (EU) 2025/1942 regarding reference standards applicable to qualified validation services |
| Qualified preservation service for qualified electronic signatures and seals | Art. 3 – No. 16 – E | ETSI TS 119 511, ETSI TS 119 512 | Implementing Regulation (EU) 2025/1946 as regards reference standards applicable to qualified preservation services. |
| Creation of qualified electronic time stamps | Art. 3 – No. 16 – I / J | ETSI EN 319 421, ETSI EN 319 422 | Implementing Regulation (EU) 2025/1929 as regards binding the date and time to data and establishing the accuracy of clocks. |
| Provision of qualified electronic registered delivery services (ERDS) | Art. 3 – No. 16 – K / L | ETSI EN 319 521, ETSI EN 319 522, ETSI TS 119 461 | Implementing Regulation (EU) 2025/1944 as regards reference standards applicable to sending/receiving processes and interoperability. |
| Qualified management service for remote electronic signature or seal creation devices (Remote QSCD) | Art. 3 – No. 16 – C / F | ETSI TS 119 431-1, ETSI TS 119 461 | Implementing Regulation (EU) 2025/1567 as regards the management of remote qualified electronic signature or seal creation devices. |
| Qualified electronic archiving service (EATS) |
Art. 3 – No. 16 – M | CEN/TS 18170, ETSI EN 319 401 | Specific European implementing act project undergoing sectoral finalization. |
| Qualified electronic ledger service (Ledgers) | Art. 3 – No. 16 – N | ISO 23257:2022, ISO 23635:2022 | Implementing Regulation (EU) 2025/2531 laying down technical requirements and reference standards for electronic ledgers. |
| Qualified electronic attestation of attributes issuance service (QEAA) | Art. 3 – No. 16 – G | ETSI TS 119 461, ETSI EN 319 401 | Implementing Regulation (EU) 2025/1569 defining requirements for qualified electronic attestations of attributes. |
| Qualified validation service for electronic attestations of attributes | Art. 3 – No. 16 – H | ETSI TS 119 441, ETSI TS 119 442 | Implementing Regulation (EU) 2025/1569 (Requirements applicable to validation processes and interoperability of attribute structures). |
| Provision and management of the European Digital Identity Wallet (EUDI Wallet) | Art. 3 – No. 16 – G / H | Architecture Reference Framework (ARF) Specifications | Implementing Regulation (EU) 2024/2979 (Integrity and core functionalities) / Implementing Regulation (EU) 2024/2982 (Protocols and interfaces of the framework). |
Your Questions about eIDAS Certification
-
What is the difference between certification, qualification, and assessment under eIDAS v2?
Certification is the technical and formalized decision made by an independent third-party body like LSTI, materialized by a certificate of conformity attesting to compliance with ETSI standards and the requirements of the eIDAS regulation's implementing acts.
Assessment represents all factual investigations carried out by the audit team.
Qualification, on the other hand, falls under the exclusive sovereign competence of the national supervisory body (ANSSI for France), which relies on the positive audit report issued by LSTI to officially register the provider on the European Trusted List.
-
When does the eIDAS v2 regulation enter into force?
The eIDAS v2 regulation officially entered into force on May 20, 2024, twenty days after its publication in the Official Journal of the European Union. Its technical application materialized subsequently, notably with the production and publication of the majority of sectoral implementing acts at the end of 2025. These implementing texts make the new requirements mandatory for Trust Service Providers (TSPs), setting the deadline for their definitive transition to May 26, 2026. -
What are the main differences between eIDAS and eIDAS v2?
The main differences between eIDAS and eIDAS v2 lie in the major expansion of European trust services. eIDAS v2 introduces the European Digital Identity Wallet (EUDI Wallet) as well as four new qualified services: qualified electronic archiving, qualified electronic attestation of attributes (QEAA), remote management of cryptographic keys (Remote QSCD), and qualified electronic ledgers. -
What is the duration of an eIDAS v2 certification?
The validity period of an eIDAS v2 certification is set at 2 years. The annual surveillance introduced by eIDAS v2 consists of a strict obligation to conduct an intermediate surveillance audit at the end of the first 12 months to verify that the provider maintains a level of security and governance compliant with requirements throughout its certification cycle. -
What are the sanctions and non-compliance risks for a provider not respecting eIDAS v2 requirements?
The sanctions and non-compliance risks introduced by the eIDAS v2 regulation have been considerably toughened to align with the philosophy of the GDPR. In the event of a breach of security or governance obligations validated by the audit, national supervisory bodies (such as ANSSI in France) can issue an immediate withdrawal of the "qualified" status and banishment from the European Trusted List. Financially, Trust Service Providers (TSPs) risk administrative fines of up to 5 million euros or 1% of their total global annual turnover for qualified providers, not to mention the risk of strict civil liability in the event of damage caused to a user. -
What is the duration of an eIDAS v2 certification?
The validity period of an eIDAS v2 certification is set at 2 years. The annual surveillance introduced by eIDAS v2 consists of a strict obligation to conduct an intermediate surveillance audit at the end of the first 12 months to verify that the provider maintains a level of security and governance compliant with requirements throughout its certification cycle.
-
How can a software vendor or SaaS platform integrate its services with the European Digital Identity Wallet (EUDI Wallet)?
To integrate its services with the European Digital Identity Wallet (EUDI Wallet), a software vendor or SaaS platform must comply with the technical protocols standardized by Implementing Regulation (EU) 2024/2982 and rely on the Architecture Reference Framework (ARF).
Two paths are possible: either the vendor acts as a Relying Party to accept and verify the identity or attributes shared by a user's Wallet, which requires mandatory registration with their national authority; or they wish to issue data into the Wallet, which requires them to have their service certified as a Qualified Trust Service Provider (QTSP) for the issuance of Qualified Electronic Attestations of Attributes (QEAA).
-
What are the sovereignty and data localization obligations imposed by eIDAS v2 for storing archives and cryptographic keys?
The sovereignty and data localization obligations imposed by the eIDAS v2 regulatory framework and its Implementing Regulation (EU) 2025/2530 prohibit the storage of highly critical information outside European territory. For all qualified services—and very strictly for the Qualified Electronic Archiving Service (EATS) and remote signature management (Remote QSCD)—the physical infrastructures for storing trust data, immutable audit trails, as well as Hardware Security Modules (HSMs) containing the issuer's cryptographic keys must be located exclusively within the European Union. This obligation aims to protect citizens' identity data against access by extraterritorial laws of third countries.
Find out more
Why Choose LSTI?

Recognized expertise
With over twenty years of experience, LSTI supports more than 300 organisations in France and Europe as a benchmark certification body and evaluation centre, operating in the fields of cybersecurity, digital trust, and information security.

Specialized Auditors
Our auditing teams consist of seasoned professionals with deep expertise in ANSSI cybersecurity frameworks, information security management practices, and European digital trust frameworks. Their approach ensures rigorous, balanced evaluations adapted to each organisation's operational context.

Independent Third Party and Dedicated Support
Accredited by ANSSI, LSTI guarantees impartiality, transparency, and consistency throughout the entire cycle: preparation, audits, surveillance, and renewals. A dedicated point of contact ensures continuity and clarity throughout the certification journey.
Discover ou other
news




