Artifact GuideEU

EU eIDAS Requirements

A practical guide to the eIDAS requirements that matter most for trust services, qualified certificates, electronic signatures, seals, time stamps, trusted lists, and EUDI Wallet integrations.

Use it to separate provider duties, relying-party checks, validation evidence, and wallet data-request obligations without treating every electronic signature or identity flow as qualified.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
6

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

The eIDAS requirements page is for teams that need to know which electronic identity or trust-service obligations apply before they design a signing, sealing, timestamping, certificate, wallet, or validation workflow. The main distinction is role-based: a qualified trust service provider has regulatory duties and supervision requirements, while a customer, relying party, or verifier must usually prove that it used the right qualified status, certificate status, wallet registration, and validation evidence for the transaction.

Section 1

Start with the eIDAS role and service type

eIDAS covers electronic identification, trust services, electronic signatures, electronic seals, electronic time stamps, electronic registered delivery, website authentication certificates, electronic attestations of attributes, electronic archiving, electronic ledgers, and the European Digital Identity Wallet. A requirements review should start by naming the service and the actor: trust service provider, qualified trust service provider, wallet provider, relying party, issuer, signatory, seal creator, browser provider, or customer relying on a certificate or validation result.

Do not label a workflow as qualified only because it is electronic or cryptographic. Qualified status depends on the eIDAS legal category, the provider's status, the certificate or device requirements, and trusted-list evidence.

  • Classify the workflow as electronic identification, signature, seal, time stamp, registered delivery, website authentication, attestation of attributes, archiving, ledger, or wallet use.
  • Record whether the provider is qualified, non-qualified, or only a relying party using a third-party trust service.
  • For qualified services, verify that the provider and the specific service appear with the right status on the relevant trusted list.
  • For signatures and seals, separate legal effect from format: advanced, qualified-certificate-backed, and qualified signatures or seals are not interchangeable.
  • For EUDI Wallet use, record whether the organisation is asking wallet users for data, issuing attestations, providing wallet infrastructure, or only validating a presented credential.
Sources for this answer
Regulation (EU) No 910/2014 (eIDAS)
Defines the eIDAS trust-service categories, qualified status concepts, legal effects, trusted lists, and wallet-related amendments in the consolidated framework.
Regulation (EU) 2024/1183 (European Digital Identity Framework)
Amends eIDAS to add the European Digital Identity Wallet framework and related requirements for wallets, relying parties, attestations, and supervision.
Section 2

Qualified trust service provider duties

A qualified trust service provider must be treated as a regulated provider, not only as a technology supplier. Before starting a qualified trust service, the provider must notify the supervisory body and submit a conformity assessment report. Qualified providers are audited at their own expense at least every 24 months by a conformity assessment body, and they must submit the resulting report to the supervisory body within three working days of receipt.

The operational requirements include identity or attribute verification before issuing qualified certificates or qualified electronic attestations of attributes, clear terms and limitations before contracting, trustworthy systems, reliable stored data, risk-management policies, security-breach and disruption notification, measures against forgery or misappropriation, accessible records for evidence and continuity, termination planning, and certificate databases where qualified certificates are issued.

  • Keep the supervisory notification, conformity assessment report, audit schedule, audit result, and any supervisory correspondence together.
  • Maintain identity and attribute verification evidence for qualified certificates and qualified electronic attestations of attributes.
  • Keep customer terms, service limitations, certificate policies, practice statements, liability insurance or financial-resource evidence, and change notices.
  • For significant security breaches or disruptions affecting the trust service or personal data, retain the 24-hour notification analysis, recipients, timestamps, and remediation evidence.
  • For revocation, keep request time, publication time, certificate or attestation status, validity-response logs, and evidence that the status was available to relying parties.
Sources for this answer
Regulation (EU) No 910/2014 (eIDAS)
Supports QTSP initiation, supervision, audit cadence, identity verification, breach notification, records, termination plan, revocation, and certificate-status duties.
ETSI EN 319 401 general policy requirements
ETSI EN 319 401 is grounded as the general policy baseline for trust service provider controls, including risk assessment, policies, security operations, evidence collection, continuity, termination, compliance, and supply-chain controls.
Section 3

Electronic signatures, seals, time stamps, and validation evidence

eIDAS gives electronic signatures and electronic seals legal-effect rules, but qualified status still requires specific supporting evidence. A qualified electronic signature has the equivalent legal effect of a handwritten signature; a qualified electronic seal carries presumptions about data integrity and origin; and a qualified electronic time stamp carries presumptions about the accuracy of date and time and integrity of the bound data.

For validation, the evidence record should prove the certificate status at signing, the provider's qualified status, the integrity of the signed or sealed data, the signatory or seal-creator information made available to the relying party, the qualified signature or seal creation device where required, and any pseudonym indication. A validation result alone is weak if it cannot be tied back to the trusted list, certificate status, signed object, and time of validation.

  • For qualified electronic signatures, retain the signed object, validation report, qualified certificate status at signing, QTSP identity, QSCD evidence, integrity check, and signatory data supplied to the relying party.
  • For qualified electronic seals, retain the sealed object, creator identity evidence, certificate status, integrity check, and qualified validation or preservation result where used.
  • For qualified electronic time stamps, retain the timestamp token, bound data hash or object reference, UTC-linked time-source evidence, and QTSP signature or seal evidence.
  • For public-sector online services, record which advanced or qualified signature or seal formats or methods were accepted for cross-border use.
  • For long-term reliance, retain preservation-service records or renewal evidence so the signature, seal, or timestamp remains verifiable after certificate or algorithm changes.
Sources for this answer
Regulation (EU) No 910/2014 (eIDAS)
Supports the legal effects and validation requirements for electronic signatures, seals, qualified certificates, qualified creation devices, validation services, preservation services, and qualified time stamps.
ETSI EN 319 401 general policy requirements
Provides the grounded standards context for trust-service provider policy, security, continuity, evidence, and operational controls that support qualified service assurance.
Section 4

EUDI Wallet relying-party requirements

A relying party that intends to rely on European Digital Identity Wallets for public or private digital services must register in the Member State where it is established. The registration must include information needed to authenticate to wallets, contact details, and the intended wallet use, including the data the relying party will request from users.

After registration, the relying party must not ask wallet users for data beyond the registered purpose, must identify itself to the user, must authenticate and validate person identification data and electronic attestations of attributes requested from wallets, must inform the Member State without delay about registration-information changes, and must not refuse pseudonyms where user identification is not required by Union or national law. Intermediaries acting on behalf of relying parties are treated as relying parties and must not store data about the content of the transaction.

  • Keep the Member State registration record, relying-party identity data, contact details, intended-use statement, and list of wallet data requested from users.
  • Show that user-facing wallet requests match the registered data categories and purpose.
  • Retain wallet authentication, relying-party identification, PID validation, EAA validation, and pseudonym handling evidence.
  • Record changes to relying-party information and the date the Member State was informed.
  • For intermediaries, retain contracts and technical logs proving they act as relying parties and do not store transaction-content data.
Sources for this answer
Regulation (EU) 2024/1183 (European Digital Identity Framework)
Supports the wallet relying-party registration, data-request, identification, validation, pseudonym, intermediary, and update-notification obligations added to eIDAS.
European Commission - Wallet for service providers
Commission service-provider guidance mirrors the practical wallet obligations: register, state intended use and requested data, avoid extra data requests, identify to users, validate PID and EAA data, accept pseudonyms where legally allowed, and update registration information.
EUDI Wallet Architecture and Reference Framework
Provides the grounded architecture context for wallet units, relying-party instances, attestations, trust model, access certificates, certification, and ecosystem interoperability.
Section 5

Trusted lists and qualification checks

Trusted lists are central evidence under eIDAS. Each Member State must establish, maintain, and publish trusted lists containing information on qualified trust service providers and their qualified trust services. A qualified trust service provider may begin providing a qualified trust service only after qualified status has been indicated in the trusted list.

A relying party should therefore preserve the trusted-list result used for each material decision: whether a provider was qualified, whether the specific service was qualified, whether a certificate or attestation was valid or revoked, and whether the trusted-list data was current when checked.

  • Record the trusted-list location, scheme territory, provider name, service name, service type, current status, status start time, and validation timestamp.
  • For EU trust mark claims, verify that the provider links from its website to the relevant trusted list for the qualified service.
  • For certificate validation, retain revocation and validity-status responses beyond the certificate validity period where the provider makes them available.
  • For wallet ecosystems, distinguish eIDAS trusted lists for qualified trust services from wallet, PID, QEAA, or service-provider certification and trust-list checks.
  • Treat trusted-list failures, missing service status, expired or revoked certificates, and mismatched service type identifiers as stop-and-escalate conditions.
Sources for this answer
Regulation (EU) No 910/2014 (eIDAS)
Supports Member State trusted-list duties, qualified-status publication, EU trust mark linkage, and reliance on trusted lists for qualified service status.
ETSI TS 119 612 trusted lists
Grounds the technical trusted-list context: scheme information, trust service provider information, service type identifiers, status fields, status start date and time, and service history.
Section 6

Evidence checklist for eIDAS requirements

The minimum useful eIDAS evidence package is a role-and-service classification, a source citation, status proof, and transaction-level validation evidence. It should be possible for a reviewer to reconstruct why a signature, seal, timestamp, wallet request, certificate, attestation, or provider status was accepted at the time of use.

The checklist below is intentionally evidence-first. It avoids broad compliance claims and focuses on records that prove the actual eIDAS requirement that applied.

What is the first requirement to check under eIDAS?

First classify the actor and service: trust service provider, qualified trust service provider, relying party, wallet provider, issuer, signatory, seal creator, or customer relying on a validation result. Then verify whether the specific service is qualified and whether trusted-list or wallet-registration evidence is required.

What evidence proves a qualified electronic signature was valid under eIDAS?

Keep the signed object, the validation result, the qualified certificate status at signing, the QTSP and service status from the trusted list, evidence that the qualified signature creation device requirement was met, and proof that the signed data integrity was not compromised.

What must an EUDI Wallet relying party keep under eIDAS?

Keep the Member State registration record, relying-party identity and contact details, intended wallet use, requested data categories, user-facing request evidence, PID or EAA validation records, pseudonym handling rationale, and updates sent to the Member State.

  • Role record: actor, service type, jurisdiction, provider status, relying-party status, wallet role, and whether the activity is qualified or non-qualified.
  • Source record: eIDAS article or official guidance used, source URL with retrieval date, and the specific requirement being applied.
  • Provider record: QTSP status, supervisory notification or approval where relevant, conformity assessment reports, audit cadence, service terms, termination plan, and breach-notification records.
  • Transaction record: signed or sealed object, timestamp token, certificate chain, revocation status, trusted-list proof, validation result, data requested from a wallet, and user-facing request screen or API evidence.
  • Change record: provider changes, certificate revocations, wallet relying-party registration changes, trusted-list changes, security incidents, and product changes that alter the eIDAS role or service type.
Sources for this answer
Regulation (EU) No 910/2014 (eIDAS)
Supports the evidence categories for qualified trust services, signatures, seals, time stamps, revocation, trusted lists, and validation.
Regulation (EU) 2024/1183 (European Digital Identity Framework)
Supports the wallet relying-party and attestation evidence categories added by the European Digital Identity Framework.
Recommended next step

Build an eIDAS evidence file for signatures, seals, wallet flows, and qualified services

Sorena can help convert these eIDAS requirements into role classification, trusted-list checks, validation evidence, wallet relying-party records, and review-ready source citations.

Research workflow
Open Research Copilot for eIDAS

Ask source-linked questions about eIDAS trust services, wallet roles, validation records, and qualified-status evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through implementation

Review your eIDAS service classification, trusted-list checks, and evidence plan with Sorena.

Explore next step
Primary sources

References and citations

ETSI EN 319 401 general policy requirements
etsi.org
Referenced sections
  • Provides the grounded standards context for trust-service provider policy, security, continuity, evidence, and operational controls that support qualified service assurance.
"Collection of evidence"
ETSI TS 119 612 trusted lists
etsi.org
Referenced sections
  • Grounds the technical trusted-list context: scheme information, trust service provider information, service type identifiers, status fields, status start date and time, and service history.
"Trusted Lists"
EUDI Wallet Architecture and Reference Framework
eu-digital-identity-wallet.github.io
Referenced sections
  • Provides the grounded architecture context for wallet units, relying-party instances, attestations, trust model, access certificates, certification, and ecosystem interoperability.
"Architecture and Reference Framework"
European Commission - Wallet for service providers
ec.europa.eu
Referenced sections
  • Commission service-provider guidance mirrors the practical wallet obligations: register, state intended use and requested data, avoid extra data requests, identify to users, validate PID and EAA data, accept pseudonyms where legally allowed, and update registration information.
"Register in the Member State"
Regulation (EU) No 910/2014 (eIDAS)
eur-lex.europa.eu
Referenced sections
  • Supports the evidence categories for qualified trust services, signatures, seals, time stamps, revocation, trusted lists, and validation.
"for the purpose of providing evidence"
Related guides

Explore more topics

eIDAS 2 deadlines and compliance calendar for EUDI Wallet and trust services
Calendar of grounded eIDAS and eIDAS 2 milestones for EUDI Wallet delivery, implementing acts, annual supervision reports, QTSP transitions, pilots, and ARF evidence.
eIDAS 2.0 vs eIDAS: EUDI Wallet and trust-service changes
Compare the original eIDAS electronic identification and trust-service framework with the eIDAS 2.0 amendments for EUDI Wallets, relying parties, attestations, QWACs, and supervision.
eIDAS Certificates and Authentication: qualified certificates, QWACs, and validation checks
Grounded guide to eIDAS qualified certificates, website authentication certificates, trusted lists, relying-party checks, and validation evidence.
eIDAS checklist and evidence pack for trust services, signatures, and EUDI Wallet relying parties
Build an eIDAS evidence pack for qualified trust services, electronic signatures, trusted-list checks, certificate validation, supervisory records, and EUDI Wallet relying-party controls.
eIDAS compliance guide for trust services, QTSPs, signatures, and EUDI Wallet relying parties
Grounded eIDAS compliance guide for trust-service classification, QTSP supervision evidence, qualified signatures, seals, time stamps, certificates, trusted-list validation, and EUDI Wallet relying-party records.
eIDAS electronic signatures: SES, AES, QES legal effect and evidence
A grounded guide to eIDAS electronic-signature legal effect: SES, AES, QES, qualified certificates, QTSP trusted-list checks, validation, recognition, and evidence records.
eIDAS penalties and fines for trust service providers
Grounded guide to eIDAS Article 16 penalties, administrative fine mechanics, supervisory bodies, qualified-status withdrawal, and trusted-list evidence.
eIDAS QES validation checks for relying parties
How to validate a qualified electronic signature under eIDAS: certificate, QTSP, trusted-list, QSCD, integrity, validation result, and evidence records.
eIDAS Qualified Trust Services: QTSP Selection
How to select an EU eIDAS qualified trust service provider: identify the qualified service type, verify trusted-list status, review supervision evidence, and retain certificate-policy records.
eIDAS remote signature and cloud HSM controls for QTSPs
Grounded guide to eIDAS remote signature controls: remote QSCD scope, server-side signing, QTSP evidence, signer authentication, certificate validation, and trusted-list checks.
eIDAS signature legal effect selector: SES, AES, AES-QC, or QES
Select the right eIDAS signature level by legal effect, risk, qualified certificate status, QTSP evidence, QSCD use, validation result, and cross-border recognition.
eIDAS trust service role scoping workflow: TSP, QTSP, validator, relying party, or QTSP customer
Classify an eIDAS role by evidence: trust service provider, qualified trust service provider, signature or seal validator, EUDI Wallet relying party, relying party, or customer of a QTSP.
eIDAS trusted list validation: LOTL, QTSP status, and evidence
How to validate EU eIDAS trusted-list evidence: start from the Commission LOTL, confirm QTSP and qualified-service status, check certificate path and revocation data, and retain validation reports.
eIDAS vs ESIGN and UETA: EU qualified signatures vs U.S. e-signature laws
Compare eIDAS with ESIGN and UETA for electronic signatures, qualified certificates, trust services, cross-border recognition, validation evidence, and source gaps.
eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements
Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls.
eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations
Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights.
eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations
Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers.
Electronic Attestations of Attributes under EU eIDAS: EAA, QEAA, issuers, wallets, and validation
Grounded guide to electronic attestations of attributes under amended EU eIDAS: EAA, QEAA, public-sector authentic-source attestations, wallet use, issuer checks, relying-party validation, revocation, and legal effect.
EU eIDAS Applicability Test for Trust Services, Wallets, and Certificates
A grounded eIDAS scope test for QTSPs, trust services, electronic signatures, seals, timestamps, QWACs, EUDI Wallet relying parties, and cross-border recognition evidence.
EU eIDAS attribute attestations: EAA, QEAA, wallet, and relying party checks
What electronic attestations of attributes mean under eIDAS, how QEAAs differ from public-sector and non-qualified attestations, and what issuers, wallets, and relying parties should verify.
EU eIDAS checklist for signatures, trust services, and wallets
Checklist for eIDAS trust-service and EUDI Wallet controls: qualified status, trusted lists, certificates, signatures, seals, timestamps, validation evidence, and relying-party records.
EU eIDAS FAQ: signatures, QTSPs, trusted lists, QWACs, wallets, and validation
FAQ on eIDAS trust services and the European Digital Identity framework, covering advanced and qualified electronic signatures, QTSP status, trusted lists, QWACs, EUDI Wallet relying parties, attestations of attributes, and validation evidence.
EU eIDAS QTSP authorization and supervision guide
How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence.
EU eIDAS QTSP Due Diligence Workflow for Trusted Lists, Certificates, and Evidence
Check a qualified trust service provider under eIDAS by validating trusted-list status, qualified service scope, certificates, policies, supervision, audits, and retained evidence.
EU eIDAS Trusted Lists FAQ: LOTL, QTSP status, and validation evidence
How EU eIDAS Trusted Lists and the Commission LOTL support QTSP and qualified trust-service validation, with practical evidence checks for relying parties.
EUDI Wallet readiness for service providers under eIDAS
Readiness guide for organisations preparing to request or verify data from European Digital Identity Wallets: roles, registration, ARF alignment, selective disclosure, implementing acts, and evidence.
EUDI Wallet Relying Parties under eIDAS
What EUDI Wallet relying parties must do under eIDAS: register, declare intended wallet use and requested data, identify themselves to users, and keep request evidence.
EUDI Wallet Relying Party Onboarding Workflow under eIDAS
A grounded onboarding workflow for organisations that want to request data from European Digital Identity Wallet users as eIDAS wallet relying parties.
EUDI Wallet Relying Party Registration Under eIDAS
What eIDAS Article 5b and the EUDI Wallet ARF say about wallet relying party registration, intended uses, attribute requests, certificates, evidence, and Member State gaps.
EUDI Wallet Technical Architecture Guide under eIDAS
Technical guide to the EUDI Wallet architecture: ARF roles, wallet units, PID and attestations, relying parties, trust model, certificates, protocols, privacy, and security controls.
QES vs AdES under EU eIDAS: legal effect, certificates, QTSPs, and validation evidence
Compare qualified electronic signatures (QES) and advanced electronic signatures (AdES) under EU eIDAS, including legal effect, qualified certificates, QTSP status, QSCDs, and validation evidence.
QWACs under eIDAS: website authentication certificates
A grounded guide to qualified website authentication certificates under eIDAS, covering Annex IV data, trusted lists, browser recognition, validation evidence, and QTSP checks.
What eIDAS Covers: eID, Trust Services, EUDI Wallet, and QWACs
A grounded guide to the systems and services covered by EU eIDAS: notified electronic identification, trust services, signatures, seals, time stamps, registered delivery, website authentication, trusted lists, the EUDI Wallet, and attribute attestations.
What is a qualified trust service provider under eIDAS?
How to verify QTSP status under eIDAS using the qualified service, supervisory body decision, trusted list entry, conformity assessment evidence, and service-specific records.
What is a QWAC under the EU eIDAS Regulation?
Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence.