
eIDAS penalties and fines for trust service providers

Article 16 of eIDAS leaves penalty rules to Member States, but requires effective, proportionate, and dissuasive penalties and sets a floor for the maximum administrative fine that Member States must make available against qualified and non-qualified trust service providers.

Use this page to separate monetary fine exposure from supervisory consequences such as audits, remedy orders, qualified-status withdrawal, and trusted-list updates.

Author: Sorena AI
Published: May 9, 2026
Updated: May 26, 2026

Overview

This page explains the eIDAS penalty and enforcement model for trust service providers. It focuses on what is grounded in the EU sources: Member States set penalty rules, the maximum administrative fine available under national law must be at least the level Article 16 specifies for qualified and non-qualified trust service providers, and supervisory bodies can require remedies, audit providers, withdraw qualified status, and trigger trusted-list changes.

Section 1

What Article 16 says about eIDAS penalties

Article 16, as replaced by Regulation (EU) 2024/1183, does not publish one EU-wide schedule of Member State fine amounts for every infringement. It requires Member States to lay down penalty rules for infringements of eIDAS, and those penalties must be effective, proportionate, and dissuasive.

For qualified and non-qualified trust service providers, Article 16 adds a harmonised floor for the maximum administrative fine that Member States must make available. For a natural-person trust service provider, the maximum must be at least EUR 5,000,000. For a legal-person trust service provider, the maximum must be at least EUR 5,000,000 or 1% of the total worldwide annual turnover of the undertaking in the preceding financial year, whichever is higher.

  • Treat the Article 16 values as a minimum for national maximum fines, not as a single automatic fine for every case.
  • Check whether the actor is a qualified or non-qualified trust service provider before using the administrative-fine rule.
  • Do not assume the same procedure in every Member State; Article 16 allows fines to be initiated by a competent supervisory body and imposed by national courts where that fits the Member State legal system.
  • Keep NIS2 exposure separate; Article 16 applies without prejudice to Article 31 of Directive (EU) 2022/2555.

Section 2

Who enforces trust-service obligations

For trust services, Member States designate supervisory bodies. Under Article 46b, those bodies supervise qualified trust service providers by ex ante and ex post activities, and they may take action against non-qualified trust service providers when informed that the provider or service allegedly does not meet eIDAS requirements.

The same supervisory model matters for fines because Article 16 allows national rules where the competent supervisory body initiates a fine and a national court imposes it. The practical record should therefore identify the provider's establishment Member State, the supervisory body route, and any court route that national law uses.

  • Identify the trust service provider, its establishment Member State, and whether the service is qualified, non-qualified, or only nationally recognised.
  • Record which supervisory body is responsible for the provider or affected service.
  • Separate a monetary fine file from non-monetary supervisory action, because the evidence and escalation path may differ.
  • If a security breach, loss of integrity, NIS2 issue, or personal data issue is involved, record the cross-notification path to the relevant authority.

Section 3

Non-monetary enforcement consequences to track

For qualified trust service providers, monetary fines are not the only enforcement consequence. Article 20 allows the supervisory body to audit the provider or request a conformity assessment at the provider's expense. If the provider fails to fulfil eIDAS requirements, the supervisory body must require a remedy within a set time limit where applicable.

If the provider does not remedy the failure within the set time limit where applicable, the supervisory body must withdraw qualified status where justified by the extent, duration, and consequences of the failure. Article 20 also connects withdrawal to NIS2 and GDPR failures notified by the relevant authorities.

  • Track audit requests, conformity assessment reports, remedy notices, deadlines set by the supervisory body, and the response evidence.
  • For qualified services, track whether the issue could affect the provider's qualified status or only a specific affected service.
  • Save correspondence showing whether the supervisory body, NIS2 competent authority, or data protection authority was involved.
  • When qualified status is withdrawn, confirm that the national trusted-list body is informed for the Article 22 trusted-list update.

Section 4

Trusted-list evidence for enforcement review

Trusted lists are enforcement evidence because they show the status and status history of qualified trust service providers and qualified trust services. Commission Implementing Decision (EU) 2015/1505 requires Member States to establish, publish, and maintain trusted lists with information on the qualified trust service providers they supervise and the qualified trust services provided by them.

For a penalties or fines review, trusted-list evidence should show the service type, the current status, the status start date, and relevant historical status. ETSI TS 119 612 gives status meanings that matter operationally, including under supervision, supervision in cessation, supervision ceased, supervision revoked, and withdrawn.

  • Capture the trusted-list entry used at the time of the incident, onboarding decision, or enforcement review.
  • Preserve current and historical status evidence rather than only a screenshot of today's provider name.
  • Escalate any entry showing supervision revoked, withdrawn, supervision ceased, or a mismatch between claimed qualified status and trusted-list status.
  • Do not call a non-qualified or nationally recognised service qualified unless the trusted-list status and service type support that conclusion.

Section 5

Penalty-review checklist for eIDAS trust services

Use this checklist when a trust-service issue could become an eIDAS enforcement matter. It keeps the review focused on facts that the EU sources actually make relevant: provider type, Member State supervision, Article 16 fine route, qualified-status consequences, and trusted-list status.

The checklist does not supersede Member State legal analysis. It prevents unsupported assumptions before counsel or the responsible compliance owner checks the applicable national penalty rules.

Does eIDAS set one EU-wide fine amount for every infringement?

No. Article 16 requires Member States to lay down penalty rules and says those penalties must be effective, proportionate, and dissuasive. For qualified and non-qualified trust service providers, it also requires that the maximum administrative fine available under national law be at least the level Article 16 specifies.

Can eIDAS enforcement lead to loss of qualified status?

Yes. For qualified trust service providers, Article 20 allows the supervisory body to require a remedy for failure to meet eIDAS requirements and, where justified by the extent, duration, and consequences of the failure, withdraw the provider's qualified status or the qualified status of the affected service.

What evidence matters most in an eIDAS penalties review?

The core evidence is the provider classification, the alleged eIDAS infringement, the Member State supervisory route, any audit or remedy records, the Article 16 fine analysis, and trusted-list current and historical status for the affected qualified service.

  • Classify the actor: qualified trust service provider, non-qualified trust service provider, provider of a specific qualified service, relying party, wallet actor, or another eIDAS role.
  • Identify the alleged eIDAS infringement and the affected service, certificate, signature, seal, timestamp, delivery service, website-authentication certificate, electronic attestation of attributes, or electronic ledger.
  • Check Article 16 exposure: Member State penalty rule, trust-service-provider fine floor, natural-person or legal-person provider status, and the relevant turnover year if the legal-person percentage route is being assessed.
  • Check supervisory consequences: audit or conformity assessment request, remedy notice, remedy deadline, possible withdrawal of qualified status, and trusted-list update.
  • Save evidence: Article 16 analysis, supervisory-body identity, correspondence, conformity assessment reports, trusted-list current and historical status, incident or breach notifications, and the final outcome.

Primary sources

References and citations

  • eur-lex.europa.eu: Requires Member States to publish and maintain trusted lists showing supervised qualified trust service providers and qualified trust services, including current and historical status information. Quoted text: "Member States shall establish, publish and maintain trusted lists"
  • etsi.org: Defines trusted-list service status values used to interpret supervision, cessation, revocation, withdrawal, and historical status evidence. Quoted text: "Service current and previous statuses"
  • eur-lex.europa.eu: Supports the checklist fields for Article 16 penalty rules, administrative fine mechanics, and Member State procedure. Quoted text: "infringements of this Regulation by qualified and non-qualified trust service providers"
  • eur-lex.europa.eu: Defines the supervisory body role for qualified and non-qualified trust service providers and lists tasks such as audits, remedy requirements, grant or withdrawal of qualified status, and cooperation with data protection and NIS2 authorities. Quoted text: "Member States shall designate a supervisory body"
  • eur-lex.europa.eu: Amends the eIDAS framework for trust-service supervision, qualified trust-service audits, remedy requirements, withdrawal of qualified status, and supervisory-body tasks. Quoted text: "Member States shall designate a supervisory body"