ChecklistEU

EU eIDAS Checklist

A practical eIDAS checklist optimized for real implementation and audit readiness.

Use it to drive workstreams across product, security, and compliance.

Back to main artifactReview sources
Author
Sorena AI
Published
Feb 21, 2026
Updated
Feb 21, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published Feb 21, 2026
Updated Feb 21, 2026
Overview

This checklist is designed to produce evidence, not just activity. Treat every checkbox as "done = verifiable". If you can't prove it with a test result, a log, or a signed artifact, it's not done.

Section 1

Scope and role mapping (week 0)

Everything starts with role mapping. Your controls and evidence depend on whether you are a relying party, trust service provider/QTSP, wallet provider, or attribute issuer.

Most organizations are multiple roles across different products.

  • Run the applicability test and document your roles per product/journey.
  • Inventory trust services you provide or rely on (signatures, seals, timestamps, delivery, website authentication).
  • Decide assurance level needs (advanced vs qualified) for each journey.
Section 2

Trust services implementation (build and prove)

If you sign or validate, you need deterministic validation, revocation checks, and evidence retention that supports disputes and audits.

Prefer standards-aligned formats and validation tooling to avoid interoperability failures.

  • Implement signature/seal validation with clear pass/fail reasoning and machine-readable reports.
  • Implement certificate status and revocation handling (including safe failure modes).
  • Define evidence retention and dispute-handling workflows (what logs you keep, for how long, and why).
Section 3

QTSP selection and vendor due diligence

Most organizations outsource qualified trust services. That doesn't outsource your compliance risk.

Treat QTSP selection as a security + audit decision with measurable acceptance criteria.

  • Create a QTSP requirements pack: service scope, SLAs, audit rights, incident notice, data handling, and evidence outputs.
  • Verify ETSI policy alignment (e.g., EN 319 401) and obtain audit reports / conformity assessment evidence.
  • Define fallback and exit strategy (provider change, certificate replacement, emergency signing continuity).
Section 4

EUDI Wallet readiness (eIDAS 2.0)

If you authenticate users or rely on attributes, plan EUDI wallet flows as product capabilities with privacy and security controls.

Interoperability and conformance testing are critical path items.

  • Define relying party acceptance strategy and user journeys to support wallet first.
  • Build verifier pipeline: authenticity/validity checks, status handling, decision logging, and monitoring.
  • Implement attribute schema governance and data minimization controls.
  • Run interoperability and negative test suites; gate releases on conformance.
Section 5

Evidence pack (what auditors and partners ask for first)

Build an evidence index linking requirements to systems-of-record artifacts. Avoid static "evidence PDFs".

Evidence should be reproducible and current.

  • Policies: trust service policy, security policy, incident response, change management, retention/deletion.
  • Tests: interoperability, revocation/status checks, negative testing, BC/DR drills.
  • Audits: QTSP audit reports, conformity assessments, and supervision-facing evidence where applicable.
  • Operational logs: validation decision logs, wallet interaction logs, incident records, remediation tracking.
Recommended next step

Turn EU eIDAS Checklist into an operational assessment

Assessment Autopilot can take EU eIDAS Checklist from turning this checklist into an operational workflow to a reusable workflow inside Sorena. Teams working on EU eIDAS can keep owners, evidence, and next steps aligned without copying this guide into separate documents.

Assessment workflow
Open Assessment Autopilot for EU eIDAS Checklist

Start from EU eIDAS Checklist and turn the guidance into owned tasks, evidence requests, and review checkpoints.

Explore next step
Talk to Sorena
Talk through EU eIDAS

Review your current process, evidence gaps, and next steps for EU eIDAS Checklist.

Explore next step
Primary sources

References and citations

Related guides

Explore more topics

eIDAS & eIDAS 2.0 Deadlines and Compliance Calendar | EUDI Wallet Key Dates + Readiness Plan
An eIDAS deadlines calendar with the dates that matter: 1 July 2016 baseline application, the 2024 eIDAS amendment.
eIDAS 2.0 vs eIDAS | What Changed: EUDI Wallet, Attributes, Trust Services, Relying Parties
A grounded eIDAS 2.0 vs eIDAS comparison covering what Regulation (EU) 2024/1183 changed: EUDI Wallets, electronic attestations of attributes.
eIDAS Applicability Test | Are You a Relying Party, TSP/QTSP, Wallet Provider, or Attribute Issuer?
A practical applicability test for eIDAS and eIDAS 2.0: identify your roles (relying party, trust service provider/QTSP, wallet provider, attribute issuer).
eIDAS Certificates and Authentication | Qualified Certificates, QWACs, Validation, and Implementation
A deep guide to eIDAS certificates and authentication: qualified certificates for signatures and seals, website authentication certificates.
eIDAS Checklist and Evidence Pack | Audit-Ready Artifacts for Relying Parties and QTSP Programs
A deep eIDAS evidence guide: what artifacts auditors and supervisors ask for first, how to structure an evidence index.
eIDAS Compliance Program | Operating Model, Controls, Tests, and Governance Cadence
A deep eIDAS compliance playbook: build a role-scoped operating model for trust services and EUDI Wallet readiness, define owners and controls.
eIDAS FAQ (EU) | QES, QTSP, Trust Services, EUDI Wallet, Evidence, and Deadlines
High-signal answers to the most searched eIDAS questions: what eIDAS covers, AdES vs QES, how to choose a QTSP, what evidence to retain.
eIDAS Penalties, Liability, and Enforcement | Supervision, Audits, and Risk Reduction
A practical eIDAS enforcement guide: how supervision and audits work for trust service providers and qualified trust services.
eIDAS Requirements (EU) | Trust Services, QTSP Controls, Wallet Obligations, Evidence Mapping
An advanced eIDAS requirements breakdown: trust services obligations, QTSP security and supervision expectations, relying party validation duties.
eIDAS vs E-SIGN Act vs UETA | EU vs US Electronic Signature Frameworks (Practical Comparison)
A practical comparison of EU eIDAS (Regulation (EU) No 910/2014, amended by Regulation (EU) 2024/1183) vs the US E-SIGN Act and UETA: legal effect.
Electronic Signatures under eIDAS | Advanced vs Qualified (AdES vs QES), Legal Effect, Validation
A deep eIDAS electronic signature guide: decide AdES vs QES, understand legal effect and evidentiary strength, design signing ceremonies and remote signing.
EUDI Wallet Readiness (eIDAS 2.0) | Relying Party + Provider Checklist and Evidence Pack
A deep EUDI Wallet readiness guide for product, security, and compliance teams: relying party acceptance strategy, identity + attribute flows.
EUDI Wallet Technical Architecture Guide | ARF-Aligned Components, Flows, and Controls
A deep technical architecture guide for the EU Digital Identity (EUDI) Wallet ecosystem: wallet components, issuer + verifier flows.
Qualified Trust Services and QTSP Selection | Due Diligence, Security, Supervision, Evidence
A deep guide to qualified trust services and QTSP selection under eIDAS: how qualification works in practice, what due diligence and contract clauses matter.
What eIDAS Covers (EU) | Trust Services, eSignatures, Wallets, QTSPs, and Relying Parties
A practical eIDAS overview covering electronic identification, trust services, qualified trust services, electronic attestations of attributes.