---
title: "What is a QWAC under the EU eIDAS Regulation?"
canonical_url: "https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qwac"
source_url: "https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qwac"
author: "Sorena AI"
description: "Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "eIDAS QWAC"
  - "qualified certificate for website authentication"
  - "qualified trust service provider"
  - "EU trusted lists"
  - "website authentication certificate"
  - "EU eIDAS Regulation"
  - "eIDAS"
  - "QWAC"
  - "trusted lists"
  - "website authentication"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# What is a QWAC under the EU eIDAS Regulation?

Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence.

*FAQ* *EU eIDAS*

## What is a QWAC under eIDAS?

A QWAC is a qualified certificate for website authentication: it links a website to the natural or legal person named in the certificate and must be issued by a qualified trust service provider under eIDAS.

Use this FAQ to separate the legal qualified-certificate status from ordinary TLS deployment, trusted-list checks, browser recognition duties, and the evidence needed before relying on a QWAC.

Under eIDAS, a QWAC is not just a normal website TLS certificate with a compliance label. It is a qualified certificate for website authentication, issued by a qualified trust service provider and containing the identity, domain, validity, issuer-signature, and status-service information required for that certificate type.

## What does a QWAC prove under eIDAS?

A certificate for website authentication makes it possible to authenticate a website and link that website to the natural or legal person to whom the certificate is issued. A QWAC adds the eIDAS qualified layer: the certificate must be issued by a qualified trust service provider and meet Annex IV requirements.

For a website owner or relying party, the useful question is not only whether the TLS connection works. The QWAC evidence should show who the certificate identifies, which domain names are covered, which qualified trust service provider issued it, and where relying parties can check certificate validity or revocation status.

- Confirm that the certificate is explicitly indicated as a qualified certificate for website authentication.
- Check that the subject identity, address elements, and domain names match the website or service being authenticated.
- Record the certificate validity period, serial or certificate identity code, issuer, and status-service location.
- Treat QWAC evidence as website identity evidence, not as proof that the whole transaction, application, or message payload has been sealed or signed.

Sources for this answer:

- [Regulation (EU) No 910/2014 (eIDAS) - website authentication certificate definitions](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02014R0910-20240520&ref=sorena.io) - Defines certificate for website authentication and qualified certificate for website authentication, including the QTSP and Annex IV elements that make the certificate qualified.
- [ETSI EN 319 412-5 - QCStatements for EU qualified certificates](https://www.etsi.org/deliver/etsi_en/319400_319499/31941205/02.05.01_60/en_31941205v020501p.pdf?ref=sorena.io) - Maps eIDAS Annex IV QWAC requirements to certificate-profile fields, including qualified-certificate indication, subject identity, domain names, validity, serial number, and status-service locations.

## How should a relying party validate a QWAC?

Validation should combine certificate checks with eIDAS status checks. First confirm that the issuer and service are qualified for the relevant trust service on an EU trusted list, because eIDAS allows a qualified trust service provider to provide a qualified trust service after qualified status appears in the trusted lists.

Then validate the certificate itself: domain match, certificate chain, validity period, certificate-status endpoint, revocation status, and the QWAC-specific qualified-certificate statements. eIDAS requires qualified trust service providers issuing qualified certificates to publish revocation status and provide validity or revocation information to relying parties.

- Use the EU and national trusted-list information to confirm the QTSP and qualified service status.
- Check the website domain against the certificate's domain-name information before treating it as the authenticated endpoint.
- Use the certificate validity-status service, such as the CRL or OCSP location identified in the certificate profile, before relying on the certificate.
- Keep validation logs that show the certificate examined, trusted-list result, revocation or validity status, validation time, and any exception decision.

Sources for this answer:

- [Regulation (EU) No 910/2014 (eIDAS) - trusted lists and certificate status](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02014R0910-20240520&ref=sorena.io) - Supports checking qualified status through trusted lists and checking qualified-certificate validity or revocation status before relying on a QWAC.
- [ETSI TS 119 612 - Trusted Lists](https://www.etsi.org/deliver/etsi_ts/119600_119699/119612/02.03.01_60/ts_119612v020301p.pdf?ref=sorena.io) - Specifies trusted-list structure and service information used by validators to interpret qualified trust service provider and qualified service status.
- [European Commission eSignature building block - trusted-list tooling](https://ec.europa.eu/digital-building-blocks/sites/spaces/DIGITAL/pages/467109036/eSignature?ref=sorena.io) - Commission Digital Building Blocks page points users to eIDAS Dashboard resources such as the Trusted List Browser and validation-test tooling.

## What changed for browsers and QWACs under eIDAS 2?

The eIDAS 2 amendments add browser-facing duties for qualified certificates for website authentication. Providers of web browsers must recognise QWACs issued in accordance with Article 45 and display the identity data and additional attested attributes in a user-friendly way, subject to the small-enterprise exception stated in the Regulation.

That browser rule should not be read as a guarantee that every deployed browser, user interface, certificate store, or relying-party application already presents QWAC identity information in the same way. For implementation work, keep the distinction clear: the certificate may satisfy eIDAS QWAC requirements, while browser support and display behavior are separate deployment and interoperability checks.

- For website owners, confirm whether the intended browser and client environment recognises and displays the QWAC identity information needed for the user journey.
- For relying-party systems, do not rely on browser display alone; keep machine-readable validation evidence for issuer, service status, certificate status, and domain match.
- For incidents, remember that eIDAS allows browser precautionary measures only for substantiated concerns about security breaches or loss of integrity of an identified certificate or set of certificates.
- For procurement, ask certificate providers how the QWAC profile, trusted-list status, revocation publication, and renewal process will be evidenced.

Sources for this answer:

- [Regulation (EU) 2024/1183 - eIDAS 2 browser recognition amendments](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Amends eIDAS Article 45 and adds browser-recognition and precautionary-measure provisions for qualified certificates for website authentication.
- [ETSI EN 319 412-4 - certificate profile for website authentication](https://www.etsi.org/deliver/etsi_en/319400_319499/31941204/01.04.01_60/en_31941204v010401p.pdf?ref=sorena.io) - Explains the website-certificate profile for TLS-accessed websites, useful for distinguishing website authentication from other eIDAS certificate purposes.
- [ETSI EN 319 412-5 - certificate type QCStatement](https://www.etsi.org/deliver/etsi_en/319400_319499/31941205/02.05.01_60/en_31941205v020501p.pdf?ref=sorena.io) - Supports the distinction between website-authentication certificates, electronic-signature certificates, and electronic-seal certificates through certificate-type QCStatements.

## Primary sources

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02014R0910-20240520&ref=sorena.io) - Primary legal source for QWAC definitions, Annex IV content, trusted lists, QTSP qualified status, and certificate validity or revocation-status duties.
  - Quote: "qualified certificate for website authentication"
- [Regulation (EU) 2024/1183 (European Digital Identity Framework)](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32024R1183&ref=sorena.io) - Primary legal source for eIDAS 2 amendments affecting QWAC browser recognition and browser precautionary measures.
  - Quote: "recognise qualified certificates for website authentication"
- [ETSI EN 319 412-5 - QCStatements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941205/02.05.01_60/en_31941205v020501p.pdf?ref=sorena.io) - Technical certificate-profile source mapping eIDAS Annex IV QWAC requirements to certificate fields and QCStatements.
  - Quote: "EU qualified certificates for website authentication"
- [ETSI EN 319 412-4 - website certificate profile](https://www.etsi.org/deliver/etsi_en/319400_319499/31941204/01.04.01_60/en_31941204v010401p.pdf?ref=sorena.io) - Technical profile source for website certificates accessed through TLS, used to explain the website-authentication layer without treating QWAC as a substitute for seals or signatures.
  - Quote: "Certificate profile for web site certificates"
- [ETSI TS 119 612 - Trusted Lists](https://www.etsi.org/deliver/etsi_ts/119600_119699/119612/02.03.01_60/ts_119612v020301p.pdf?ref=sorena.io) - Technical source for trusted-list structure and service-status information used when validating QTSP and qualified service status.
  - Quote: "Trusted Lists"
- [European Commission eSignature building block](https://ec.europa.eu/digital-building-blocks/sites/spaces/DIGITAL/pages/467109036/eSignature?ref=sorena.io) - Commission resource pointing to eIDAS Dashboard tools, including trusted-list browsing and validation-test resources.
  - Quote: "eIDAS Dashboard"

## Topic Guides

- [eIDAS 2 deadlines and compliance calendar for EUDI Wallet and trust services](/artifacts/eu/electronic-identification-and-trust-services-regulation/deadlines-and-compliance-calendar.md): Calendar of grounded eIDAS and eIDAS 2 milestones for EUDI Wallet delivery, implementing acts, annual supervision reports, QTSP transitions, pilots, and ARF evidence.
- [eIDAS 2.0 vs eIDAS: EUDI Wallet and trust-service changes](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas2-vs-eidas.md): Compare the original eIDAS electronic identification and trust-service framework with the eIDAS 2.0 amendments for EUDI Wallets, relying parties, attestations, QWACs, and supervision.
- [eIDAS Certificates and Authentication: qualified certificates, QWACs, and validation checks](/artifacts/eu/electronic-identification-and-trust-services-regulation/certificates-and-authentication.md): Grounded guide to eIDAS qualified certificates, website authentication certificates, trusted lists, relying-party checks, and validation evidence.
- [eIDAS checklist and evidence pack for trust services, signatures, and EUDI Wallet relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/checklist-and-evidence.md): Build an eIDAS evidence pack for qualified trust services, electronic signatures, trusted-list checks, certificate validation, supervisory records, and EUDI Wallet relying-party controls.
- [eIDAS compliance guide for trust services, QTSPs, signatures, and EUDI Wallet relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/compliance.md): Grounded eIDAS compliance guide for trust-service classification, QTSP supervision evidence, qualified signatures, seals, time stamps, certificates, trusted-list validation, and EUDI Wallet relying-party records.
- [eIDAS electronic signatures: SES, AES, QES legal effect and evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/electronic-signatures-and-legal-effect.md): A grounded guide to eIDAS electronic-signature legal effect: SES, AES, QES, qualified certificates, QTSP trusted-list checks, validation, recognition, and evidence records.
- [eIDAS penalties and fines for trust service providers](/artifacts/eu/electronic-identification-and-trust-services-regulation/penalties-and-fines.md): Grounded guide to eIDAS Article 16 penalties, administrative fine mechanics, supervisory bodies, qualified-status withdrawal, and trusted-list evidence.
- [eIDAS QES validation checks for relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/qes-validation.md): How to validate a qualified electronic signature under eIDAS: certificate, QTSP, trusted-list, QSCD, integrity, validation result, and evidence records.
- [eIDAS Qualified Trust Services: QTSP Selection](/artifacts/eu/electronic-identification-and-trust-services-regulation/qualified-trust-services-and-qtsp-selection.md): How to select an EU eIDAS qualified trust service provider: identify the qualified service type, verify trusted-list status, review supervision evidence, and retain certificate-policy records.
- [eIDAS remote signature and cloud HSM controls for QTSPs](/artifacts/eu/electronic-identification-and-trust-services-regulation/remote-signature-and-cloud-hsm-controls.md): Grounded guide to eIDAS remote signature controls: remote QSCD scope, server-side signing, QTSP evidence, signer authentication, certificate validation, and trusted-list checks.
- [eIDAS signature legal effect selector: SES, AES, AES-QC, or QES](/artifacts/eu/electronic-identification-and-trust-services-regulation/signature-legal-effect-selector-workflow.md): Select the right eIDAS signature level by legal effect, risk, qualified certificate status, QTSP evidence, QSCD use, validation result, and cross-border recognition.
- [eIDAS trust service role scoping workflow: TSP, QTSP, validator, relying party, or QTSP customer](/artifacts/eu/electronic-identification-and-trust-services-regulation/trust-service-role-scoping-workflow.md): Classify an eIDAS role by evidence: trust service provider, qualified trust service provider, signature or seal validator, EUDI Wallet relying party, relying party, or customer of a QTSP.
- [eIDAS trusted list validation: LOTL, QTSP status, and evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/trust-list-validation.md): How to validate EU eIDAS trusted-list evidence: start from the Commission LOTL, confirm QTSP and qualified-service status, check certificate path and revocation data, and retain validation reports.
- [eIDAS vs ESIGN and UETA: EU qualified signatures vs U.S. e-signature laws](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-esign-and-ueta.md): Compare eIDAS with ESIGN and UETA for electronic signatures, qualified certificates, trust services, cross-border recognition, validation evidence, and source gaps.
- [eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-etsi-en-319-401.md): Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls.
- [eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-gdpr-identity-data.md): Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights.
- [eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-nis2-trust-services.md): Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers.
- [Electronic Attestations of Attributes under EU eIDAS: EAA, QEAA, issuers, wallets, and validation](/artifacts/eu/electronic-identification-and-trust-services-regulation/electronic-attestations-of-attributes.md): Grounded guide to electronic attestations of attributes under amended EU eIDAS: EAA, QEAA, public-sector authentic-source attestations, wallet use, issuer checks, relying-party validation, revocation, and legal effect.
- [EU eIDAS Applicability Test for Trust Services, Wallets, and Certificates](/artifacts/eu/electronic-identification-and-trust-services-regulation/applicability-test.md): A grounded eIDAS scope test for QTSPs, trust services, electronic signatures, seals, timestamps, QWACs, EUDI Wallet relying parties, and cross-border recognition evidence.
- [EU eIDAS attribute attestations: EAA, QEAA, wallet, and relying party checks](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/attribute-attestations.md): What electronic attestations of attributes mean under eIDAS, how QEAAs differ from public-sector and non-qualified attestations, and what issuers, wallets, and relying parties should verify.
- [EU eIDAS checklist for signatures, trust services, and wallets](/artifacts/eu/electronic-identification-and-trust-services-regulation/checklist.md): Checklist for eIDAS trust-service and EUDI Wallet controls: qualified status, trusted lists, certificates, signatures, seals, timestamps, validation evidence, and relying-party records.
- [EU eIDAS FAQ: signatures, QTSPs, trusted lists, QWACs, wallets, and validation](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq.md): FAQ on eIDAS trust services and the European Digital Identity framework, covering advanced and qualified electronic signatures, QTSP status, trusted lists, QWACs, EUDI Wallet relying parties, attestations of attributes, and validation evidence.
- [EU eIDAS QTSP authorization and supervision guide](/artifacts/eu/electronic-identification-and-trust-services-regulation/qtsp-authorization-and-supervision.md): How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence.
- [EU eIDAS QTSP Due Diligence Workflow for Trusted Lists, Certificates, and Evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/qtsp-due-diligence-workflow.md): Check a qualified trust service provider under eIDAS by validating trusted-list status, qualified service scope, certificates, policies, supervision, audits, and retained evidence.
- [EU eIDAS Requirements for Trust Services, Signatures, Seals, Wallets, and Evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/requirements.md): Grounded guide to core eIDAS requirements for trust service providers, qualified trust services, electronic signatures, seals, time stamps, trusted lists, and EUDI Wallet relying parties.
- [EU eIDAS Trusted Lists FAQ: LOTL, QTSP status, and validation evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/trusted-lists.md): How EU eIDAS Trusted Lists and the Commission LOTL support QTSP and qualified trust-service validation, with practical evidence checks for relying parties.
- [EUDI Wallet readiness for service providers under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-readiness.md): Readiness guide for organisations preparing to request or verify data from European Digital Identity Wallets: roles, registration, ARF alignment, selective disclosure, implementing acts, and evidence.
- [EUDI Wallet Relying Parties under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/eudi-wallet-relying-party.md): What EUDI Wallet relying parties must do under eIDAS: register, declare intended wallet use and requested data, identify themselves to users, and keep request evidence.
- [EUDI Wallet Relying Party Onboarding Workflow under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/wallet-onboarding-workflow.md): A grounded onboarding workflow for organisations that want to request data from European Digital Identity Wallet users as eIDAS wallet relying parties.
- [EUDI Wallet Relying Party Registration Under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-relying-party-registration.md): What eIDAS Article 5b and the EUDI Wallet ARF say about wallet relying party registration, intended uses, attribute requests, certificates, evidence, and Member State gaps.
- [EUDI Wallet Technical Architecture Guide under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-technical-architecture-guide.md): Technical guide to the EUDI Wallet architecture: ARF roles, wallet units, PID and attestations, relying parties, trust model, certificates, protocols, privacy, and security controls.
- [QES vs AdES under EU eIDAS: legal effect, certificates, QTSPs, and validation evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qes-vs-ades.md): Compare qualified electronic signatures (QES) and advanced electronic signatures (AdES) under EU eIDAS, including legal effect, qualified certificates, QTSP status, QSCDs, and validation evidence.
- [QWACs under eIDAS: website authentication certificates](/artifacts/eu/electronic-identification-and-trust-services-regulation/qwacs.md): A grounded guide to qualified website authentication certificates under eIDAS, covering Annex IV data, trusted lists, browser recognition, validation evidence, and QTSP checks.
- [What eIDAS Covers: eID, Trust Services, EUDI Wallet, and QWACs](/artifacts/eu/electronic-identification-and-trust-services-regulation/what-eidas-covers.md): A grounded guide to the systems and services covered by EU eIDAS: notified electronic identification, trust services, signatures, seals, time stamps, registered delivery, website authentication, trusted lists, the EUDI Wallet, and attribute attestations.
- [What is a qualified trust service provider under eIDAS?](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qualified-trust-service-provider.md): How to verify QTSP status under eIDAS using the qualified service, supervisory body decision, trusted list entry, conformity assessment evidence, and service-specific records.

*Recommended next step*

*Placement: before sources*

## Turn QWAC validation into a reusable evidence pack

Sorena can help structure QWAC checks around the certificate, QTSP trusted-list status, revocation evidence, browser assumptions, and renewal ownership without treating a normal TLS certificate as eIDAS-qualified.

- [Open Research Copilot for eIDAS](/solutions/research-copilot.md): Ask source-linked questions about QWACs, qualified trust service providers, trusted lists, and validation evidence using the cited sources on this page.
- [Review a QWAC workflow](/contact.md): Check whether your website-authentication process separates certificate deployment, qualified status, trusted-list evidence, revocation checks, and browser assumptions.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qwac