---
title: "eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations"
canonical_url: "https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-nis2-trust-services"
source_url: "https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-nis2-trust-services"
author: "Sorena AI"
description: "Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "eIDAS"
  - "NIS2"
  - "trust service provider"
  - "qualified trust service provider"
  - "QTSP"
  - "cybersecurity risk management"
  - "incident reporting"
  - "trusted lists"
  - "EU eIDAS Regulation"
  - "qualified trust services"
  - "cybersecurity incident reporting"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations

Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers.

*eIDAS vs NIS2 guide* *Trust services and cybersecurity*

## eIDAS and NIS2 for trust service providers

Use this comparison to separate eIDAS trust-service obligations from NIS2 cybersecurity risk-management and incident-reporting duties for trust service providers and QTSPs.

The overlap is real but limited: eIDAS governs trust-service status, qualified service evidence, trusted lists, conformity assessment, and supervisory bodies; NIS2 governs cybersecurity governance, all-hazards controls, significant-incident reporting, and NIS competent authorities.

Trust service providers can sit under both eIDAS and NIS2. eIDAS decides whether a service is a trust service or qualified trust service, what evidence supports legal effects and qualified status, and how supervisory bodies and trusted lists work. NIS2 adds a cybersecurity layer for trust service providers: risk-management measures, management-body oversight, significant-incident notification, and NIS competent-authority supervision.

## eIDAS vs NIS2 for trust service providers: practical compliance differences

Use this comparison to separate eIDAS trust-service and QTSP obligations from NIS2 cybersecurity governance, risk-management, and significant-incident duties.

- **eIDAS trust-service obligations**: Use this column for trust-service classification, qualified status, conformity assessment, trusted-list status, legal effects, trust marks, service practice evidence, and eIDAS supervisory-body interactions.
- **NIS2 cybersecurity obligations**: Use this column for NIS2 entity classification, management-body governance, Article 21 cybersecurity risk-management measures, Article 23 reporting, CSIRT or competent-authority notifications, and cybersecurity supervision.

| Dimension | eIDAS trust-service obligations | NIS2 cybersecurity obligations | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and covered activity | Covers the trust service and its legal status: electronic signatures, seals, timestamps, registered delivery, website authentication certificates, electronic attestations of attributes, electronic archiving, electronic ledgers, validation, preservation, and qualified variants where applicable. | Covers the provider as a cybersecurity-regulated entity. NIS2 includes trust service providers regardless of size where the entity is in the covered type, and qualified trust service providers are essential entities regardless of size. | Start with two classifications: the eIDAS service classification and the NIS2 entity classification. Do not treat every relying party or certificate user as a trust service provider. | [Regulation (EU) 2024/1183 (European Digital Identity Framework)](https://eur-lex.europa.eu/eli/reg/2024/1183/oj?ref=sorena.io) - Supports eIDAS 2 scope additions for wallets, relying parties, electronic attestations of attributes, and cooperation with NIS2 authorities.<br>[Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation. |
| Who must act | The trust service provider or QTSP, its conformity assessment body, the eIDAS supervisory body, the trusted-list operator, and internal owners for trust-service policy, certificate or attestation operations, termination, and user terms. | The essential or important entity, its management body, cybersecurity leadership, incident handling, business continuity, supplier management, asset owners, and the NIS CSIRT or competent authority notification path. | Give eIDAS status and trust-service evidence to the trust-service owner; give NIS2 risk treatment, control effectiveness, and incident notification to cybersecurity governance owners. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.<br>[Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation. |
| Trigger or threshold | The trigger is providing a trust service or seeking, keeping, changing, or terminating qualified status for a qualified trust service. eIDAS supervision also reacts to significant security breaches, loss of integrity, conformity assessment, and trusted-list status changes. | The trigger is being a NIS2-covered trust service provider or QTSP, then operating network and information systems for that service. A significant incident affecting trust-service provision triggers the NIS2 reporting path, with trust service providers subject to an early warning within 24 hours. | Run the legal-effect and qualified-status trigger separately from the cybersecurity incident trigger; one outage or compromise can activate both. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.<br>[Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation. |
| Core obligations | Requires trust-service rules: qualified-status process, conformity assessment reports, trustworthy systems and products, qualified-certificate or attestation data, terms and limitations, liability and termination arrangements, trusted-list updates, and Article 19 trust-service security measures. | Requires Article 20 management-body approval and training, Article 21 all-hazards cybersecurity measures, supplier and vulnerability controls, business continuity, cryptography, access control, asset management, cyber hygiene, and Article 23 significant-incident reporting. | Convert eIDAS duties into trust-service operating evidence and NIS2 duties into cybersecurity governance and control evidence; link them only where the same system or supplier supports both. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.<br>[Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation. |
| Evidence and records | Service classification, qualified-status grant or withdrawal, conformity assessment reports, trust-service policy and practice statement, trusted-list status, certificate or attestation profile, user terms and limitations, notification evidence, and termination plan. | NIS2 entity classification, management-body approvals, risk analysis, information-system security policies, risk treatment plan, asset inventory, access-control records, supplier-security clauses, vulnerability handling, business-continuity tests, incident logs, and CSIRT or competent-authority notifications. | A shared evidence system is useful only if every item is tagged to the eIDAS obligation, the NIS2 obligation, or both. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.<br>[Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation. |
| Timing and cadence | Follows eIDAS service lifecycle events: starting a qualified service, submitting conformity assessment evidence, changing or ceasing qualified services, maintaining accessible records after cessation, handling security breaches or loss of integrity, and trusted-list updates. | Follows NIS2 governance and incident clocks: ongoing Article 21 measures, management-body oversight, and Article 23 reporting. For significant incidents, NIS2 requires an early warning within 24 hours, a 72-hour incident notification, and a final report within one month; trust service providers must notify within 24 hours where a significant incident affects trust-service provision. | Use the faster clock during incidents and keep separate reminders for eIDAS qualified-status evidence and NIS2 control assurance. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.<br>[Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation. |
| Enforcement or assurance route | Uses eIDAS supervisory bodies for trust services. They supervise QTSPs through ex ante and ex post activities, analyse conformity assessment reports, carry out or request audits, grant or withdraw qualified status, update trusted-list status, and require remediation. | Uses NIS2 competent authorities and CSIRTs for cybersecurity supervision, reporting, guidance, risk-based supervisory work, and enforcement under national transposition. Essential and important entities have different supervisory treatment under NIS2. | Route trust-service status and trusted-list issues to the eIDAS supervisory path; route cybersecurity incidents and Article 21 control issues to the NIS2 path, while coordinating when authorities must exchange information. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.<br>[Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation. |
| Overlap and reuse | eIDAS 2 recognises that trust service cybersecurity duties and NIS2 duties are complementary and calls for cooperation between eIDAS supervisory bodies and NIS2 competent authorities. | NIS2 requires Member State authorities to cooperate and exchange relevant information with eIDAS authorities, including for relevant incidents and cyber threats. | Build one coordination playbook for incidents and supervision, but keep the legal basis, authority, notification recipient, and evidence label visible for each duty. | [Regulation (EU) 2024/1183 (European Digital Identity Framework)](https://eur-lex.europa.eu/eli/reg/2024/1183/oj?ref=sorena.io) - Supports the eIDAS 2 position that trust service cybersecurity duties and NIS2 obligations are complementary and require authority cooperation.<br>[Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation. |
| Practical decision rule | If the question is whether the service is qualified, whether evidence supports legal effects, whether a trusted-list entry is correct, or whether a conformity assessment or termination plan is adequate, start with eIDAS. | If the question is whether management approved controls, whether network and information systems are protected, whether a supplier or vulnerability risk is treated, or whether an incident is significant and reportable, start with NIS2. | For a QTSP, assume both workstreams may be needed: eIDAS to preserve trust-service assurance and NIS2 to prove cybersecurity governance and incident response. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.<br>[Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation. |

Sources for Scope and covered activity - eIDAS trust-service obligations:

- [Regulation (EU) 2024/1183 (European Digital Identity Framework)](https://eur-lex.europa.eu/eli/reg/2024/1183/oj?ref=sorena.io) - Supports eIDAS 2 scope additions for wallets, relying parties, electronic attestations of attributes, and cooperation with NIS2 authorities.
  - Quote: "European Digital Identity Wallets"

Sources for Scope and covered activity - NIS2 cybersecurity obligations:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Scope and covered activity - operational implication:

- [Regulation (EU) 2024/1183 (European Digital Identity Framework)](https://eur-lex.europa.eu/eli/reg/2024/1183/oj?ref=sorena.io) - Supports eIDAS 2 scope additions for wallets, relying parties, electronic attestations of attributes, and cooperation with NIS2 authorities.
  - Quote: "European Digital Identity Wallets"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Who must act - eIDAS trust-service obligations:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"

Sources for Who must act - NIS2 cybersecurity obligations:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Who must act - operational implication:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Trigger or threshold - eIDAS trust-service obligations:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"

Sources for Trigger or threshold - NIS2 cybersecurity obligations:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Trigger or threshold - operational implication:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Core obligations - eIDAS trust-service obligations:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"

Sources for Core obligations - NIS2 cybersecurity obligations:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Core obligations - operational implication:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Evidence and records - eIDAS trust-service obligations:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"

Sources for Evidence and records - NIS2 cybersecurity obligations:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Evidence and records - operational implication:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Timing and cadence - eIDAS trust-service obligations:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"

Sources for Timing and cadence - NIS2 cybersecurity obligations:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Timing and cadence - operational implication:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Enforcement or assurance route - eIDAS trust-service obligations:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"

Sources for Enforcement or assurance route - NIS2 cybersecurity obligations:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Enforcement or assurance route - operational implication:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Overlap and reuse - eIDAS trust-service obligations:

- [Regulation (EU) 2024/1183 (European Digital Identity Framework)](https://eur-lex.europa.eu/eli/reg/2024/1183/oj?ref=sorena.io) - Supports the eIDAS 2 position that trust service cybersecurity duties and NIS2 obligations are complementary and require authority cooperation.
  - Quote: "Directive (EU) 2022/2555"

Sources for Overlap and reuse - NIS2 cybersecurity obligations:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Overlap and reuse - operational implication:

- [Regulation (EU) 2024/1183 (European Digital Identity Framework)](https://eur-lex.europa.eu/eli/reg/2024/1183/oj?ref=sorena.io) - Supports the eIDAS 2 position that trust service cybersecurity duties and NIS2 obligations are complementary and require authority cooperation.
  - Quote: "Directive (EU) 2022/2555"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Practical decision rule - eIDAS trust-service obligations:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"

Sources for Practical decision rule - NIS2 cybersecurity obligations:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

Sources for Practical decision rule - operational implication:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

### How should teams decide which workstream owns the issue?

- Choose eIDAS first when the question concerns trust-service status, qualified status, trusted-list representation, legal effect, conformity assessment, trust-service terms, or eIDAS supervisory-body action.
- Choose NIS2 first when the question concerns cybersecurity governance, network and information system risk, management-body approval, supplier security, vulnerability handling, cyber hygiene, business continuity, or significant-incident reporting.
- Use both when a QTSP system, cloud provider, cryptographic component, identity-proofing flow, certificate service, attestation service, or incident affects the trust service and the cybersecurity of the systems used to provide it.
- Keep one cross-reference table, but preserve separate evidence labels for eIDAS supervisory evidence and NIS2 risk-management or incident-reporting evidence.

Sources for the practical decision rule:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"

## What eIDAS controls and what NIS2 adds

eIDAS is the trust framework. It covers electronic identification, trust services, qualified trust services, electronic signatures, seals, timestamps, registered delivery services, website authentication certificates, electronic attestations of attributes, electronic archiving, and related legal effects. For a QTSP, eIDAS evidence normally includes qualified-status decisions, conformity assessment reports, trusted-list entries, service practice statements, certificate or attestation profiles, relying-party terms, and termination arrangements.

NIS2 is the cybersecurity framework. It applies to trust service providers regardless of size where the entity is within the covered type, and it treats qualified trust service providers as essential entities. Its core work is Article 20 governance, Article 21 cybersecurity risk-management measures, Article 23 significant-incident reporting, and Member State supervision through NIS competent authorities, CSIRTs, and single points of contact.

- Use eIDAS when the question is trust-service status, qualified status, legal effect, trust marks, trusted lists, conformity assessment, or trust-service supervision.
- Use NIS2 when the question is cybersecurity governance, network and information system risk, all-hazards controls, supply-chain security, cyber hygiene, or significant-incident notification.
- Use both where the same provider, system, supplier, or incident affects a trust service and the network and information systems used to provide it.

Sources for this answer:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Grounds the eIDAS side of the comparison: trust services, qualified trust services, supervisory bodies, trusted lists, and qualified-status controls.
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Grounds the NIS2 side of the comparison: trust service provider scope, essential-entity treatment for QTSPs, risk-management measures, and incident reporting.

## Where the provider overlap starts

The overlap starts at the provider, not at every relying party or every certificate user. A relying party that merely accepts a signature, seal, certificate, attestation, or wallet credential is not automatically a trust service provider under eIDAS or a trust service provider under NIS2. The provider analysis should identify the legal entity offering the trust service, the Member State of establishment or main supervisory route, and whether the service is qualified.

NIS2 also matters for non-qualified trust service providers because trust service providers are one of the size-independent categories in Article 2. Qualified trust service providers have an additional classification consequence: NIS2 Article 3 treats QTSPs as essential entities regardless of size.

- Record the eIDAS service category first: qualified certificate, timestamp, registered delivery, electronic attestation of attributes, website authentication certificate, validation, preservation, archiving, electronic ledger, or another covered trust service.
- Record whether the provider is qualified, because qualified status changes eIDAS supervision, trusted-list status, conformity-assessment evidence, and NIS2 essential-entity classification.
- Do not classify customers, browsers, wallet users, or relying parties as providers unless they actually provide the trust service.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports the NIS2 scope distinction: trust service providers are in scope regardless of size, and QTSPs are essential entities.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the eIDAS classification distinction between trust services, qualified trust services, providers, and relying parties.

## Security and incident duties do not collapse into one process

eIDAS Article 19 requires qualified and non-qualified trust service providers to manage risks to the security of the trust services they provide and to notify significant breaches of security or loss of integrity. ETSI EN 319 401 maps that duty into trust-service controls such as risk assessment, information security policy, operations security, vulnerability and incident management, reporting, business continuity, termination plans, and supply-chain controls.

NIS2 Article 21 separately requires essential and important entities to use appropriate and proportionate technical, operational, and organisational measures for network and information systems, based on an all-hazards approach. Article 23 creates the significant-incident notification sequence, with an early warning within 24 hours for trust service providers when a significant incident affects the provision of their trust services.

- Keep an eIDAS incident path for trust-service security breaches, loss of integrity, affected trust-service users, supervisory-body communication, and trusted-list or qualified-status consequences.
- Keep a NIS2 incident path for significant incidents, CSIRT or competent-authority notification, cross-border impact, early warning, incident notification, intermediate updates, final reporting, and recipient communications.
- Link the two paths in the incident playbook so one event can trigger both without hiding the different legal tests.

Sources for this answer:

- [ETSI EN 319 401 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Maps eIDAS Article 19 and Article 24 trust-service obligations to concrete TSP controls and evidence areas.
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports the separate NIS2 cybersecurity governance, Article 21 risk-management, and Article 23 reporting duties.

## What evidence should remain separate

A single control library can reference both laws, but the evidence labels should remain separate. eIDAS evidence proves the status and trustworthy operation of the trust service. NIS2 evidence proves cybersecurity governance, risk treatment, incident handling, supplier security, business continuity, training, access control, asset management, and security testing for the network and information systems used by the entity.

The most useful overlap evidence is operational rather than legal: system inventories, trust-service component maps, supplier registers, logging and monitoring records, vulnerability handling records, business continuity tests, incident post-reviews, and management approvals. Reuse those records only when the record explicitly names which eIDAS obligation and which NIS2 obligation it supports.

- eIDAS file: qualified-status grant or withdrawal, conformity assessment report, trust-service policy and practice statement, trusted-list entry, certificate or attestation profile, terms and limitations, termination plan, and user notification evidence.
- NIS2 file: management-body approval, Article 21 risk analysis and security policies, risk treatment plan, incident-handling procedure, business continuity and disaster recovery evidence, supplier-security clauses, vulnerability handling, access control, asset inventory, training, and notification records.
- Joint file: cross-reference table showing which systems and suppliers support each trust service and which cybersecurity controls protect them.

Sources for this answer:

- [ETSI EN 319 401 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports trust-service evidence areas such as risk assessment, information security policy, operations, incident management, supply chain, and termination.
- [Commission Implementing Regulation (EU) 2024/2690](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Specifies technical and methodological NIS2 cybersecurity risk-management requirements for trust service providers and other digital infrastructure entities.

*Recommended next step*

*Placement: before sources*

## Build one control map without merging the legal tests

Sorena can help trust service providers map eIDAS qualified-status, trusted-list, conformity-assessment, and trust-service evidence to NIS2 governance, Article 21 controls, and Article 23 incident reporting.

- [Open Research Copilot for eIDAS and NIS2](/solutions/research-copilot.md): Ask cited questions about QTSP scope, NIS2 provider classification, Article 21 controls, Article 23 reporting, and eIDAS supervisory evidence.
- [Talk through implementation](/contact.md): Review your trust-service classification, incident paths, supplier evidence, and control map with Sorena.

## Primary sources

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports eIDAS trust-service categories, qualified status, supervisory-body powers, trusted lists, and trust-service security duties.
  - Quote: "rules for trust services"
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports NIS2 trust service provider scope, QTSP essential-entity classification, Article 21 controls, Article 23 reporting, and authority cooperation.
  - Quote: "cybersecurity risk-management measures"
- [Commission Implementing Regulation (EU) 2024/2690](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL_202402690&ref=sorena.io) - Specifies NIS2 technical and methodological cybersecurity risk-management requirements for trust service providers and significant-incident criteria for covered digital providers.
  - Quote: "trust service providers"
- [ETSI EN 319 401 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds practical eIDAS trust-service evidence areas including risk assessment, information security policy, incident reporting, business continuity, supply-chain controls, and termination plans.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [Regulation (EU) 2024/1183 (European Digital Identity Framework)](https://eur-lex.europa.eu/eli/reg/2024/1183/oj?ref=sorena.io) - Supports the eIDAS 2 position that trust service cybersecurity duties and NIS2 obligations are complementary and require authority cooperation.
  - Quote: "Directive (EU) 2022/2555"

## Related Topic Guides

- [eIDAS 2 deadlines and compliance calendar for EUDI Wallet and trust services](/artifacts/eu/electronic-identification-and-trust-services-regulation/deadlines-and-compliance-calendar.md): Calendar of grounded eIDAS and eIDAS 2 milestones for EUDI Wallet delivery, implementing acts, annual supervision reports, QTSP transitions, pilots, and ARF evidence.
- [eIDAS 2.0 vs eIDAS: EUDI Wallet and trust-service changes](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas2-vs-eidas.md): Compare the original eIDAS electronic identification and trust-service framework with the eIDAS 2.0 amendments for EUDI Wallets, relying parties, attestations, QWACs, and supervision.
- [eIDAS Certificates and Authentication: qualified certificates, QWACs, and validation checks](/artifacts/eu/electronic-identification-and-trust-services-regulation/certificates-and-authentication.md): Grounded guide to eIDAS qualified certificates, website authentication certificates, trusted lists, relying-party checks, and validation evidence.
- [eIDAS checklist and evidence pack for trust services, signatures, and EUDI Wallet relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/checklist-and-evidence.md): Build an eIDAS evidence pack for qualified trust services, electronic signatures, trusted-list checks, certificate validation, supervisory records, and EUDI Wallet relying-party controls.
- [eIDAS compliance guide for trust services, QTSPs, signatures, and EUDI Wallet relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/compliance.md): Grounded eIDAS compliance guide for trust-service classification, QTSP supervision evidence, qualified signatures, seals, time stamps, certificates, trusted-list validation, and EUDI Wallet relying-party records.
- [eIDAS electronic signatures: SES, AES, QES legal effect and evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/electronic-signatures-and-legal-effect.md): A grounded guide to eIDAS electronic-signature legal effect: SES, AES, QES, qualified certificates, QTSP trusted-list checks, validation, recognition, and evidence records.
- [eIDAS penalties and fines for trust service providers](/artifacts/eu/electronic-identification-and-trust-services-regulation/penalties-and-fines.md): Grounded guide to eIDAS Article 16 penalties, administrative fine mechanics, supervisory bodies, qualified-status withdrawal, and trusted-list evidence.
- [eIDAS QES validation checks for relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/qes-validation.md): How to validate a qualified electronic signature under eIDAS: certificate, QTSP, trusted-list, QSCD, integrity, validation result, and evidence records.
- [eIDAS Qualified Trust Services: QTSP Selection](/artifacts/eu/electronic-identification-and-trust-services-regulation/qualified-trust-services-and-qtsp-selection.md): How to select an EU eIDAS qualified trust service provider: identify the qualified service type, verify trusted-list status, review supervision evidence, and retain certificate-policy records.
- [eIDAS remote signature and cloud HSM controls for QTSPs](/artifacts/eu/electronic-identification-and-trust-services-regulation/remote-signature-and-cloud-hsm-controls.md): Grounded guide to eIDAS remote signature controls: remote QSCD scope, server-side signing, QTSP evidence, signer authentication, certificate validation, and trusted-list checks.
- [eIDAS signature legal effect selector: SES, AES, AES-QC, or QES](/artifacts/eu/electronic-identification-and-trust-services-regulation/signature-legal-effect-selector-workflow.md): Select the right eIDAS signature level by legal effect, risk, qualified certificate status, QTSP evidence, QSCD use, validation result, and cross-border recognition.
- [eIDAS trust service role scoping workflow: TSP, QTSP, validator, relying party, or QTSP customer](/artifacts/eu/electronic-identification-and-trust-services-regulation/trust-service-role-scoping-workflow.md): Classify an eIDAS role by evidence: trust service provider, qualified trust service provider, signature or seal validator, EUDI Wallet relying party, relying party, or customer of a QTSP.
- [eIDAS trusted list validation: LOTL, QTSP status, and evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/trust-list-validation.md): How to validate EU eIDAS trusted-list evidence: start from the Commission LOTL, confirm QTSP and qualified-service status, check certificate path and revocation data, and retain validation reports.
- [eIDAS vs ESIGN and UETA: EU qualified signatures vs U.S. e-signature laws](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-esign-and-ueta.md): Compare eIDAS with ESIGN and UETA for electronic signatures, qualified certificates, trust services, cross-border recognition, validation evidence, and source gaps.
- [eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-etsi-en-319-401.md): Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls.
- [eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-gdpr-identity-data.md): Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights.
- [Electronic Attestations of Attributes under EU eIDAS: EAA, QEAA, issuers, wallets, and validation](/artifacts/eu/electronic-identification-and-trust-services-regulation/electronic-attestations-of-attributes.md): Grounded guide to electronic attestations of attributes under amended EU eIDAS: EAA, QEAA, public-sector authentic-source attestations, wallet use, issuer checks, relying-party validation, revocation, and legal effect.
- [EU eIDAS Applicability Test for Trust Services, Wallets, and Certificates](/artifacts/eu/electronic-identification-and-trust-services-regulation/applicability-test.md): A grounded eIDAS scope test for QTSPs, trust services, electronic signatures, seals, timestamps, QWACs, EUDI Wallet relying parties, and cross-border recognition evidence.
- [EU eIDAS attribute attestations: EAA, QEAA, wallet, and relying party checks](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/attribute-attestations.md): What electronic attestations of attributes mean under eIDAS, how QEAAs differ from public-sector and non-qualified attestations, and what issuers, wallets, and relying parties should verify.
- [EU eIDAS checklist for signatures, trust services, and wallets](/artifacts/eu/electronic-identification-and-trust-services-regulation/checklist.md): Checklist for eIDAS trust-service and EUDI Wallet controls: qualified status, trusted lists, certificates, signatures, seals, timestamps, validation evidence, and relying-party records.
- [EU eIDAS FAQ: signatures, QTSPs, trusted lists, QWACs, wallets, and validation](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq.md): FAQ on eIDAS trust services and the European Digital Identity framework, covering advanced and qualified electronic signatures, QTSP status, trusted lists, QWACs, EUDI Wallet relying parties, attestations of attributes, and validation evidence.
- [EU eIDAS QTSP authorization and supervision guide](/artifacts/eu/electronic-identification-and-trust-services-regulation/qtsp-authorization-and-supervision.md): How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence.
- [EU eIDAS QTSP Due Diligence Workflow for Trusted Lists, Certificates, and Evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/qtsp-due-diligence-workflow.md): Check a qualified trust service provider under eIDAS by validating trusted-list status, qualified service scope, certificates, policies, supervision, audits, and retained evidence.
- [EU eIDAS Requirements for Trust Services, Signatures, Seals, Wallets, and Evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/requirements.md): Grounded guide to core eIDAS requirements for trust service providers, qualified trust services, electronic signatures, seals, time stamps, trusted lists, and EUDI Wallet relying parties.
- [EU eIDAS Trusted Lists FAQ: LOTL, QTSP status, and validation evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/trusted-lists.md): How EU eIDAS Trusted Lists and the Commission LOTL support QTSP and qualified trust-service validation, with practical evidence checks for relying parties.
- [EUDI Wallet readiness for service providers under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-readiness.md): Readiness guide for organisations preparing to request or verify data from European Digital Identity Wallets: roles, registration, ARF alignment, selective disclosure, implementing acts, and evidence.
- [EUDI Wallet Relying Parties under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/eudi-wallet-relying-party.md): What EUDI Wallet relying parties must do under eIDAS: register, declare intended wallet use and requested data, identify themselves to users, and keep request evidence.
- [EUDI Wallet Relying Party Onboarding Workflow under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/wallet-onboarding-workflow.md): A grounded onboarding workflow for organisations that want to request data from European Digital Identity Wallet users as eIDAS wallet relying parties.
- [EUDI Wallet Relying Party Registration Under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-relying-party-registration.md): What eIDAS Article 5b and the EUDI Wallet ARF say about wallet relying party registration, intended uses, attribute requests, certificates, evidence, and Member State gaps.
- [EUDI Wallet Technical Architecture Guide under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-technical-architecture-guide.md): Technical guide to the EUDI Wallet architecture: ARF roles, wallet units, PID and attestations, relying parties, trust model, certificates, protocols, privacy, and security controls.
- [QES vs AdES under EU eIDAS: legal effect, certificates, QTSPs, and validation evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qes-vs-ades.md): Compare qualified electronic signatures (QES) and advanced electronic signatures (AdES) under EU eIDAS, including legal effect, qualified certificates, QTSP status, QSCDs, and validation evidence.
- [QWACs under eIDAS: website authentication certificates](/artifacts/eu/electronic-identification-and-trust-services-regulation/qwacs.md): A grounded guide to qualified website authentication certificates under eIDAS, covering Annex IV data, trusted lists, browser recognition, validation evidence, and QTSP checks.
- [What eIDAS Covers: eID, Trust Services, EUDI Wallet, and QWACs](/artifacts/eu/electronic-identification-and-trust-services-regulation/what-eidas-covers.md): A grounded guide to the systems and services covered by EU eIDAS: notified electronic identification, trust services, signatures, seals, time stamps, registered delivery, website authentication, trusted lists, the EUDI Wallet, and attribute attestations.
- [What is a qualified trust service provider under eIDAS?](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qualified-trust-service-provider.md): How to verify QTSP status under eIDAS using the qualified service, supervisory body decision, trusted list entry, conformity assessment evidence, and service-specific records.
- [What is a QWAC under the EU eIDAS Regulation?](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qwac.md): Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-nis2-trust-services