Artifact GuideEU

eIDAS QWACs website authentication certificates

Qualified website authentication certificates are eIDAS trust-service certificates that authenticate a website and link it to the natural or legal person that operates the domain.

Use this page to check Annex IV certificate content, QTSP qualification, trusted-list status, browser-recognition obligations, and validation evidence without treating an ordinary TLS certificate as automatically qualified.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
4

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

A QWAC is a qualified certificate for website authentication under eIDAS. The core question is not only whether a site has a TLS certificate, but whether the certificate is issued by a qualified trust service provider, meets the eIDAS Annex IV data requirements, is represented correctly in certificate policy and QCStatement evidence, and can be checked against EU trusted-list information.

Section 1

What a QWAC is under eIDAS

eIDAS defines a certificate for website authentication as an electronic attestation that authenticates a website and links that website to the natural or legal person to whom the certificate is issued. A qualified certificate for website authentication is that certificate type when it is issued by a qualified trust service provider and meets Annex IV.

For product and security teams, the practical distinction is important: a TLS certificate may support encrypted website connections, but eIDAS qualification depends on legal status, issuer qualification, Annex IV certificate data, certificate policy evidence, and trusted-list status. ETSI EN 319 412-5 also states that the QCStatements extension is not processed as part of ordinary RFC 5280 path validation, so QWAC qualification needs checks beyond a basic certificate-chain result.

  • Confirm that the certificate is for website authentication, not electronic signature or electronic seal use.
  • Confirm that the issuing provider is a qualified trust service provider for the relevant certificate service.
  • Confirm that the certificate includes an automated indication that it was issued as a qualified certificate for website authentication.
  • Keep the certificate, issuer details, certificate policy or CPS reference, trusted-list result, and validation timestamp together as the evidence pack.
Sources for this answer
Regulation (EU) No 910/2014 consolidated eIDAS text
Defines certificate services for website authentication and sets the Article 45 and Annex IV requirements for qualified website authentication certificates.
ETSI EN 319 412-5 QCStatements
Explains QCStatements for EU qualified certificates, including the website-authentication certificate type and the distinction from ordinary certificate-path validation.
Section 2

What Annex IV requires a QWAC to contain

Annex IV is the first content checklist. A QWAC must identify itself, in at least an automated-processing form, as a qualified certificate for website authentication. It must also identify the qualified trust service provider, the subject, address elements, operated domain name or names, validity period, certificate identity code, issuer signature or seal, and certificate-status information.

This makes the evidence review concrete. The certificate should link the website to the person or legal person operating the domain, and the record should show the free location of the certificate supporting the issuer signature or seal plus the place where certificate validity status can be checked.

  • Issuer data: Member State of establishment plus the QTSP name and, where applicable, registration number.
  • Subject data: natural-person name or pseudonym, or legal-person identifying data and registration number where applicable.
  • Website data: the domain names operated by the certificate subject.
  • Lifecycle data: validity start and end, unique certificate identity code, and validity-status service location.
  • Issuer assurance: advanced electronic signature or seal of the issuing QTSP and the free location of the supporting certificate.
Sources for this answer
Regulation (EU) No 910/2014 consolidated eIDAS text
Annex IV lists the required data elements for qualified certificates for website authentication.
Section 3

How trusted lists support QWAC validation

A certificate should not be treated as qualified only because its visible subject fields look plausible. ETSI TS 119 612 explains that trusted lists let interested parties determine whether a trust service is or was operating in compliance with relevant requirements, including the current status and status history of the service.

For QWACs, check the EU List of Trusted Lists route to the relevant Member State trusted list, the trust service provider entry, the service type and service status, and the service information extensions that indicate website authentication. ETSI TS 119 612 includes QCForWSA and For Web Site Authentication indicators for certificates or services issued for website authentication.

  • Validate the source of the trusted list and the relevant national trusted-list entry before relying on it.
  • Check that the trust service and provider have a qualifying status for the date being assessed, not only at the time of your review.
  • Look for website-authentication-specific trusted-list information such as QCForWSA or For Web Site Authentication where the list uses those extensions.
  • Retain the LOTL or national-list version, issue time, service status, status start time, selected CA entry, and validation policy used.
Sources for this answer
ETSI TS 119 612 Trusted Lists
Specifies trusted-list structure and explains how trusted lists support trust-service status checks, status history, and certificate-path validation inputs.
Section 4

Browser recognition and the certificate distinction

Article 45 says qualified certificates for website authentication issued in accordance with the Article 45 requirements must be recognised by providers of web browsers. It also says browser providers must display identity data and additional attested attributes in a user-friendly manner, with a limited exception for microenterprises or small enterprises during their first five years of operating as browser-service providers.

Do not turn that into a broader claim than the sources support. The grounded distinction is that browsers have eIDAS recognition and display obligations for qualifying QWACs, while certificate qualification itself still depends on the eIDAS and ETSI evidence: Annex IV content, QTSP issuance, QCStatement or certificate-type indicators, trusted-list status, and certificate policy or CPS support.

  • Separate browser display behavior from certificate qualification evidence.
  • Do not infer QWAC status from a padlock, ordinary domain validation, or a successful TLS handshake alone.
  • For procurement or relying-party onboarding, ask the provider for the certificate policy, CPS or disclosure material, trusted-list status evidence, and certificate-profile evidence.
  • Record whether the review is for website authentication, EUDI Wallet relying-party presentation, procurement, or internal trust-anchor configuration because the evidence use may differ.
Sources for this answer
Regulation (EU) No 910/2014 consolidated eIDAS text
Article 45 contains the browser-recognition and user-friendly display obligations for qualified website authentication certificates.
ETSI EN 319 411-1 certificate policy requirements
Explains certificate policy and certification practice statement evidence for trust service providers issuing certificates, including web-authentication certificate policy context.
Section 5

Validation and evidence checklist

Use this checklist when accepting a QWAC from a supplier, configuring relying-party trust, reviewing a website authentication claim, or preparing evidence for compliance review. The aim is a reproducible validation record, not a general certificate inventory.

A strong QWAC record shows the certificate was qualified for website authentication at the relevant time, the issuing service was granted or otherwise qualified in the trusted-list evidence used, and the certificate content matches the website and legal person facts relied on by the business.

Is every TLS certificate a QWAC under eIDAS?

No. A QWAC is a qualified certificate for website authentication issued by a qualified trust service provider and meeting Annex IV. Ordinary TLS certificate validation does not by itself prove eIDAS qualified status.

What should a team check first when reviewing a QWAC claim?

Start with the certificate's website-authentication purpose, the issuing QTSP, Annex IV data fields, and trusted-list status for the relevant date. Then review certificate policy, CPS, QCStatement, and status-service evidence.

  • Capture the certificate chain, leaf certificate, subject identity data, domain names, validity period, serial or identity code, and status-service URL.
  • Verify Annex IV elements and flag missing or conflicting issuer, subject, domain, validity, signature or status-service data.
  • Check QCStatement evidence for EU qualified-certificate status and website-authentication type, including the id-etsi-qct-web purpose where available.
  • Check trusted-list evidence for the issuing QTSP, service type, qualified status, website-authentication extension, status history, and list issue time.
  • Review the issuer CP, CPS, terms or PKI disclosure statement for the certificate policy asserted in the certificate and the web-authentication service it covers.
  • Save the validation result, validation time, trusted-list source and version, certificate-status result, reviewer, and the reason the certificate is accepted, rejected, or escalated.
Sources for this answer
Regulation (EU) No 910/2014 consolidated eIDAS text
Provides the binding QWAC definition, Article 45 recognition rule, and Annex IV certificate-content requirements.
ETSI EN 319 412-5 QCStatements
Supports checking QCStatement evidence that a certificate is an EU qualified certificate and is issued for website authentication.
ETSI TS 119 612 Trusted Lists
Supports the trusted-list checks for qualified status, service status history, CA selection, and website-authentication indicators.
ETSI EN 319 411-1 certificate policy requirements
Supports the CP, CPS, subscriber, relying-party, and web-authentication certificate-policy evidence expected for certificate issuing services.
Recommended next step

Turn QWAC validation into a reusable evidence record

Sorena can help map certificate content, trusted-list evidence, CP/CPS material, and validation results into a repeatable QWAC review workflow.

Research workflow
Open Research Copilot for eIDAS

Ask source-linked questions about QWAC definitions, trusted lists, certificate profiles, and validation evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your QWAC acceptance criteria, evidence gaps, and supplier certificate checks with Sorena.

Explore next step
Primary sources

References and citations

ETSI EN 319 411-1 certificate policy requirements
etsi.org
Referenced sections
  • Supports the CP, CPS, subscriber, relying-party, and web-authentication certificate-policy evidence expected for certificate issuing services.
"Certification Practice Statement"
ETSI EN 319 412-5 QCStatements
docbox.etsi.org
Referenced sections
  • Supports checking QCStatement evidence that a certificate is an EU qualified certificate and is issued for website authentication.
"id-etsi-qct-web"
ETSI TS 119 612 Trusted Lists
etsi.org
Referenced sections
  • Supports the trusted-list checks for qualified status, service status history, CA selection, and website-authentication indicators.
"For Web Site Authentication"
Related guides

Explore more topics

eIDAS 2 deadlines and compliance calendar for EUDI Wallet and trust services
Calendar of grounded eIDAS and eIDAS 2 milestones for EUDI Wallet delivery, implementing acts, annual supervision reports, QTSP transitions, pilots, and ARF evidence.
eIDAS 2.0 vs eIDAS: EUDI Wallet and trust-service changes
Compare the original eIDAS electronic identification and trust-service framework with the eIDAS 2.0 amendments for EUDI Wallets, relying parties, attestations, QWACs, and supervision.
eIDAS Certificates and Authentication: qualified certificates, QWACs, and validation checks
Grounded guide to eIDAS qualified certificates, website authentication certificates, trusted lists, relying-party checks, and validation evidence.
eIDAS checklist and evidence pack for trust services, signatures, and EUDI Wallet relying parties
Build an eIDAS evidence pack for qualified trust services, electronic signatures, trusted-list checks, certificate validation, supervisory records, and EUDI Wallet relying-party controls.
eIDAS compliance guide for trust services, QTSPs, signatures, and EUDI Wallet relying parties
Grounded eIDAS compliance guide for trust-service classification, QTSP supervision evidence, qualified signatures, seals, time stamps, certificates, trusted-list validation, and EUDI Wallet relying-party records.
eIDAS electronic signatures: SES, AES, QES legal effect and evidence
A grounded guide to eIDAS electronic-signature legal effect: SES, AES, QES, qualified certificates, QTSP trusted-list checks, validation, recognition, and evidence records.
eIDAS penalties and fines for trust service providers
Grounded guide to eIDAS Article 16 penalties, administrative fine mechanics, supervisory bodies, qualified-status withdrawal, and trusted-list evidence.
eIDAS QES validation checks for relying parties
How to validate a qualified electronic signature under eIDAS: certificate, QTSP, trusted-list, QSCD, integrity, validation result, and evidence records.
eIDAS Qualified Trust Services: QTSP Selection
How to select an EU eIDAS qualified trust service provider: identify the qualified service type, verify trusted-list status, review supervision evidence, and retain certificate-policy records.
eIDAS remote signature and cloud HSM controls for QTSPs
Grounded guide to eIDAS remote signature controls: remote QSCD scope, server-side signing, QTSP evidence, signer authentication, certificate validation, and trusted-list checks.
eIDAS signature legal effect selector: SES, AES, AES-QC, or QES
Select the right eIDAS signature level by legal effect, risk, qualified certificate status, QTSP evidence, QSCD use, validation result, and cross-border recognition.
eIDAS trust service role scoping workflow: TSP, QTSP, validator, relying party, or QTSP customer
Classify an eIDAS role by evidence: trust service provider, qualified trust service provider, signature or seal validator, EUDI Wallet relying party, relying party, or customer of a QTSP.
eIDAS trusted list validation: LOTL, QTSP status, and evidence
How to validate EU eIDAS trusted-list evidence: start from the Commission LOTL, confirm QTSP and qualified-service status, check certificate path and revocation data, and retain validation reports.
eIDAS vs ESIGN and UETA: EU qualified signatures vs U.S. e-signature laws
Compare eIDAS with ESIGN and UETA for electronic signatures, qualified certificates, trust services, cross-border recognition, validation evidence, and source gaps.
eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements
Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls.
eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations
Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights.
eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations
Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers.
Electronic Attestations of Attributes under EU eIDAS: EAA, QEAA, issuers, wallets, and validation
Grounded guide to electronic attestations of attributes under amended EU eIDAS: EAA, QEAA, public-sector authentic-source attestations, wallet use, issuer checks, relying-party validation, revocation, and legal effect.
EU eIDAS Applicability Test for Trust Services, Wallets, and Certificates
A grounded eIDAS scope test for QTSPs, trust services, electronic signatures, seals, timestamps, QWACs, EUDI Wallet relying parties, and cross-border recognition evidence.
EU eIDAS attribute attestations: EAA, QEAA, wallet, and relying party checks
What electronic attestations of attributes mean under eIDAS, how QEAAs differ from public-sector and non-qualified attestations, and what issuers, wallets, and relying parties should verify.
EU eIDAS checklist for signatures, trust services, and wallets
Checklist for eIDAS trust-service and EUDI Wallet controls: qualified status, trusted lists, certificates, signatures, seals, timestamps, validation evidence, and relying-party records.
EU eIDAS FAQ: signatures, QTSPs, trusted lists, QWACs, wallets, and validation
FAQ on eIDAS trust services and the European Digital Identity framework, covering advanced and qualified electronic signatures, QTSP status, trusted lists, QWACs, EUDI Wallet relying parties, attestations of attributes, and validation evidence.
EU eIDAS QTSP authorization and supervision guide
How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence.
EU eIDAS QTSP Due Diligence Workflow for Trusted Lists, Certificates, and Evidence
Check a qualified trust service provider under eIDAS by validating trusted-list status, qualified service scope, certificates, policies, supervision, audits, and retained evidence.
EU eIDAS Requirements for Trust Services, Signatures, Seals, Wallets, and Evidence
Grounded guide to core eIDAS requirements for trust service providers, qualified trust services, electronic signatures, seals, time stamps, trusted lists, and EUDI Wallet relying parties.
EU eIDAS Trusted Lists FAQ: LOTL, QTSP status, and validation evidence
How EU eIDAS Trusted Lists and the Commission LOTL support QTSP and qualified trust-service validation, with practical evidence checks for relying parties.
EUDI Wallet readiness for service providers under eIDAS
Readiness guide for organisations preparing to request or verify data from European Digital Identity Wallets: roles, registration, ARF alignment, selective disclosure, implementing acts, and evidence.
EUDI Wallet Relying Parties under eIDAS
What EUDI Wallet relying parties must do under eIDAS: register, declare intended wallet use and requested data, identify themselves to users, and keep request evidence.
EUDI Wallet Relying Party Onboarding Workflow under eIDAS
A grounded onboarding workflow for organisations that want to request data from European Digital Identity Wallet users as eIDAS wallet relying parties.
EUDI Wallet Relying Party Registration Under eIDAS
What eIDAS Article 5b and the EUDI Wallet ARF say about wallet relying party registration, intended uses, attribute requests, certificates, evidence, and Member State gaps.
EUDI Wallet Technical Architecture Guide under eIDAS
Technical guide to the EUDI Wallet architecture: ARF roles, wallet units, PID and attestations, relying parties, trust model, certificates, protocols, privacy, and security controls.
QES vs AdES under EU eIDAS: legal effect, certificates, QTSPs, and validation evidence
Compare qualified electronic signatures (QES) and advanced electronic signatures (AdES) under EU eIDAS, including legal effect, qualified certificates, QTSP status, QSCDs, and validation evidence.
What eIDAS Covers: eID, Trust Services, EUDI Wallet, and QWACs
A grounded guide to the systems and services covered by EU eIDAS: notified electronic identification, trust services, signatures, seals, time stamps, registered delivery, website authentication, trusted lists, the EUDI Wallet, and attribute attestations.
What is a qualified trust service provider under eIDAS?
How to verify QTSP status under eIDAS using the qualified service, supervisory body decision, trusted list entry, conformity assessment evidence, and service-specific records.
What is a QWAC under the EU eIDAS Regulation?
Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence.