
eIDAS certificates and authentication

Use this page to separate ordinary certificates from eIDAS qualified certificates, confirm qualified trust service status, and preserve validation evidence before relying on a signature, seal, website certificate, or wallet authentication flow.

The focus is qualified certificates, QWACs, trusted lists, certificate validity and revocation checks, relying-party registration, and evidence that a later reviewer can verify without reconstructing the transaction.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
Overview

Under eIDAS, authentication and certificate checks are not just PKI hygiene. A relying party must know whether it is relying on an electronic identification means, a European Digital Identity Wallet, a trust service, a qualified certificate for signature or seal, or a qualified certificate for website authentication. Each path changes what must be checked: issuer status, certificate type, validity and revocation status, trusted-list status, data shown to the relying party, and evidence retained from validation.

Section 1

What eIDAS certificate or authentication path is in scope?

Start with the transaction, not the certificate file. eIDAS covers notified electronic identification schemes, European Digital Identity Wallets provided by Member States, and trust service providers established in the Union. It also sets the legal framework for electronic signatures, seals, timestamps, registered delivery, website authentication certificates, attestations of attributes, archiving, and ledgers.

A certificate is qualified only when the eIDAS conditions for that certificate type are met. For signature and seal certificates, check that the certificate is issued by a qualified trust service provider and contains the required qualified-certificate information. For website authentication, a qualified certificate for website authentication is issued by a qualified trust service provider and must meet Annex IV requirements.

  • Classify the relying event as electronic identification, EUDI Wallet use, signature validation, seal validation, certificate validation, website authentication, or another trust service.
  • Record whether the issuer is a trust service provider, a qualified trust service provider, or a wallet-related actor, because qualified status is granted by the supervisory body.
  • For a qualified certificate claim, capture the certificate type: electronic signature, electronic seal, or website authentication.
  • For EUDI Wallet reliance, record the relying party's registered name, registration number where applicable, contact details, Member State, intended wallet use, and requested data.

Section 2

Qualified trust service status and trusted-list checks

Do not treat a logo, a supplier statement, or a browser trust-store result as the complete eIDAS check. eIDAS requires Member States to maintain trusted lists for qualified trust service providers and the qualified trust services they provide. Trusted-list status is the public evidence that a provider and a specific service have qualified status.

A relying party check should therefore bind the certificate to the issuer, the trust service, the service status, and the time of the transaction. ETSI trusted-list guidance describes using trusted-list information in certificate path validation, including validating the trusted-list source, selecting CA entries under the applicable trust policy, holding selected CA certificates as trust anchors, and regularly checking for status changes.

  • Save the trusted-list source used, the list validation result, the Member State scheme territory, the provider name, the service digital identity, and the service type.
  • Capture whether the service status showed qualified status as granted for the service being relied on, or whether the status was withdrawn, revoked, ceased, or otherwise not acceptable under the relying policy.
  • Do not rely only on the certificate chain; record the applicable trusted-list entry and the policy rule that made the issuer acceptable for the transaction.
  • Refresh trusted-list based trust anchors on a defined schedule and after supplier, authority, incident, or certificate-status changes.

Section 3

Validation evidence for qualified signatures and seals

For qualified electronic signatures and advanced electronic signatures based on qualified certificates, eIDAS validation is a result that must be explainable to the relying party. The validation process must confirm the certificate's qualified nature at the time of signing, that it was issued by a qualified trust service provider, that it was valid at that time, that the validation data matches what was provided to the relying party, and that the signed data integrity was not compromised.

The validation evidence should be kept as a transaction record. It should show the signed object, signing time used by the validator, certificate chain, trusted-list status, revocation or validity status response, validation policy, result, warnings, and the version of the validation tool or service used.

  • For signatures, record whether a pseudonym was used and whether that was clearly indicated to the relying party.
  • For qualified electronic signatures, capture the qualified signature creation device indication where the validation check depends on it.
  • For seals, apply the equivalent validation logic for electronic seals based on qualified certificates, including certificate status and integrity evidence.
  • If a qualified validation service is used, save the provider identity and the signed or sealed validation result returned to the relying party.
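An added example, not part of the original page or of any validation product: the checks from Sections 2 and 3 evaluated at the signing time against a trusted-list status history, returning the evidence record described above. The status and service-type URIs follow ETSI TS 119 612 (an assumption, the page quotes none); `SERVICE`, `CERT`, the field names and the `accept`/`reject` labels are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime

# Status and service-type URIs as defined in ETSI TS 119 612 (assumed; not quoted on the page).
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"

def utc(text):
    """Parse 'YYYY-MM-DDTHH:MM:SS' as a timezone-aware UTC datetime."""
    return datetime.fromisoformat(text + "+00:00")

# Constructed trusted-list entry and certificate facts (placeholder serial).
SERVICE = {
    "provider": "Example Trust Services (constructed)",
    "territory": "XX",
    "service_type": CA_QC,
    "history": [(GRANTED, utc("2021-03-15T00:00:00")),
                (WITHDRAWN, utc("2025-06-01T00:00:00"))],
}
CERT = {"serial": "<serial-placeholder>", "not_before": utc("2022-01-01T00:00:00"),
        "not_after": utc("2026-01-01T00:00:00")}

def status_at(service, when):
    """Status in force at `when`: the latest history entry that started on or before it."""
    started = [(start, status) for status, start in service["history"] if start <= when]
    return max(started)[1] if started else None

def validate(service, cert, signing_time, revoked_at, status_retrieved_at, tx_id):
    """Evaluate the checks at signing time and return the evidence record."""
    status = status_at(service, signing_time)
    checks = {
        "service_type_is_qualified_ca": service["service_type"] == CA_QC,
        "service_granted_at_signing": status == GRANTED,
        "cert_valid_at_signing": cert["not_before"] <= signing_time <= cert["not_after"],
        "cert_not_revoked_at_signing": revoked_at is None or signing_time < revoked_at,
    }
    record = {
        "transaction_id": tx_id,
        "signing_time_used": signing_time.isoformat(),
        "certificate_serial": cert["serial"],
        "tl_provider": service["provider"],
        "tl_territory": service["territory"],
        "tl_service_type": service["service_type"],
        "tl_status_at_signing": status,
        "revocation_time": revoked_at.isoformat() if revoked_at else None,
        "status_retrieved_at": status_retrieved_at.isoformat(),
        "checks": checks,
        "decision": "accept" if all(checks.values()) else "reject",
    }
    # Digest over canonical JSON; store or sign it separately so later edits are detectable.
    canonical = json.dumps(record, sort_keys=True).encode()
    record["record_sha256"] = hashlib.sha256(canonical).hexdigest()
    return record
```

With this constructed history, a signature made in 2023 is accepted even though the service was withdrawn in 2025, while one made after the withdrawal is rejected; the record keeps each check result rather than only the final label.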

Section 4

QWAC and website authentication checks

A qualified certificate for website authentication is not just an ordinary TLS certificate with stronger branding. eIDAS defines it as a website authentication certificate issued by a qualified trust service provider that meets Annex IV. Article 45 requires providers of web-browsers to recognise qualified certificates for website authentication issued in accordance with those requirements and to display the identity data attested in the certificate and additional attested attributes in a user-friendly manner.

The practical check is whether the certificate contains the Annex IV data needed to authenticate the website and bind it to the natural or legal person to whom it was issued. That includes the qualified-certificate indication, issuer data, subject identity data, address elements, domain names, validity period, certificate identity code, issuer signature or seal, issuer certificate location, and certificate validity status service information.

  • Confirm that the certificate indicates, in a form suitable for automated processing, that it is a qualified certificate for website authentication.
  • Check that the domain name in the certificate is operated by the natural or legal person to whom the certificate was issued.
  • Capture the issuer's qualified trust service provider identity and Member State, plus the certificate identity code and validity period.
  • Save the validity-status service location and the status response used for the relying decision.
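An added example, not from the original page: one way to read the machine-processable indication named in the first bullet, assuming it is carried in the X.509 QCStatements extension (OID 1.3.6.1.5.5.7.1.3) using the ETSI EN 319 412-5 identifiers. The function names and the sample bytes are constructed here, and the input is the extension's DER value already extracted from the certificate.

```python
# OIDs from ETSI EN 319 412-5; an assumption added here, the page names no encoding.
QC_COMPLIANCE = "0.4.0.1862.1.1"   # id-etsi-qcs-QcCompliance
QC_TYPE = "0.4.0.1862.1.6"         # id-etsi-qcs-QcType
QC_TYPE_NAMES = {QC_TYPE + ".1": "esign", QC_TYPE + ".2": "eseal", QC_TYPE + ".3": "web"}

def read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield the (tag, value) items inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, item, pos = read_tlv(value, pos)
        yield tag, item

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, acc = [], 0
    for byte in value:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(acc)
            acc = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def qualified_indication(ext_value):
    """Return what a QCStatements value claims (a claim only); raise on malformed DER."""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one SEQUENCE")
    claims = {"qc_compliance": False, "qc_types": []}
    for stmt_tag, stmt in children(seq):
        parts = list(children(stmt)) if stmt_tag == 0x30 else []
        if not parts or parts[0][0] != 0x06:
            raise ValueError("QCStatement must start with an OID")
        oid = decode_oid(parts[0][1])
        if oid == QC_COMPLIANCE:
            claims["qc_compliance"] = True
        elif oid == QC_TYPE and len(parts) > 1 and parts[1][0] == 0x30:
            claims["qc_types"] += [QC_TYPE_NAMES.get(decode_oid(v), "unknown")
                                   for t, v in children(parts[1][1]) if t == 0x06]
    claims["claims_qwac"] = claims["qc_compliance"] and "web" in claims["qc_types"]
    return claims

# Constructed sample value: QcCompliance plus QcType = web
SAMPLE_QWAC = bytes.fromhex("301f3008060604008e4601013013060604008e4601063009060704008e46010603")
```

A true `claims_qwac` is the certificate's own assertion; the trusted-list check in Section 2 is still what establishes qualified status.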

Section 5

Revocation, status, and incident evidence to retain

Qualified trust service providers issuing qualified certificates must register revocations, publish revocation status in a timely manner, and make validity or revocation status available to relying parties on a per-certificate basis in an automated, reliable, free-of-charge, and efficient manner. A relying party record should therefore include the exact status evidence used, not just a pass or fail label.

If a browser provider takes precautionary measures against a QWAC because of substantiated security-breach or integrity concerns, eIDAS requires notification to the Commission, the competent supervisory body, the certificate subject, and the issuing qualified trust service provider. For relying-party operations, that means incident evidence should link certificate status, supervisory-body outcome, and any browser-specific treatment.

  • Store certificate validity or revocation status responses with retrieval time, certificate identity, issuer, and transaction identifier.
  • When a certificate is revoked after activation, treat the revocation as effective from publication and do not let later processing silently restore trust in the affected certificate.
  • For QWAC concerns, keep the browser notice, affected certificate set, mitigation measures, supervisory-body acknowledgement, and final supervisory outcome if available.
  • Use a separate exception record when business teams accept an indeterminate validation result, expired evidence, missing trusted-list proof, or an issuer/service mismatch.

Can a team rely on an eIDAS qualified certificate without checking the trusted list?

No. The relying record should connect the certificate to a qualified trust service provider and the specific qualified service status shown in a trusted list. A supplier assertion or normal certificate-chain result is not enough to prove eIDAS qualified status.

What evidence should be saved after validating an eIDAS qualified signature or seal?

Save the signed object, validation result, validation policy, signing time used, certificate chain, trusted-list status, revocation or validity response, issuer and service identity, warnings, and the validation tool or qualified validation service output.

What makes a QWAC different from an ordinary website certificate under eIDAS?

A QWAC is a qualified certificate for website authentication issued by a qualified trust service provider and meeting Annex IV. The check must cover the qualified-certificate indication, issuer and subject identity data, domain names, validity period, certificate identity code, issuer signature or seal, issuer certificate location, and status-service information.

Primary sources

References and citations

etsi.org
Referenced sections
  • Provides the trusted-list validation context used to connect certificate path validation with service status and trust anchors.
"Certificate path validation"
eur-lex.europa.eu
Referenced sections
  • Sets certificate revocation and validity-status duties for qualified trust service providers and QWAC cybersecurity precautionary-measure procedures.
"validity or revocation status"