🛡️ STATUS BADGE: 🟡 READY (Self-Hosted) | 🟡 READY (SaaS)
Executive Summary: What is it?
eIDAS (Electronic IDentification, Authentication and Trust Services) is Regulation (EU) No 910/2014, amended by Regulation (EU) 2024/1183 (eIDAS 2.0). Unlike the technology-neutral US ESIGN Act, eIDAS is prescriptive: it defines three signature tiers with distinct legal weight, mandates government-supervised Qualified Trust Service Providers (QTSPs), and guarantees automatic cross-border recognition across all 27 EU member states plus the EEA. A Qualified Electronic Signature (QES) has the legal equivalence of a handwritten signature in every member state. Enforcement is handled by national supervisory bodies (e.g., ANSSI in France, BNetzA in Germany). Software platforms can only be described as "eIDAS Ready"; formal qualification is granted to QTSPs, not to software.
CFO / Business Impact: What does it cost/risk?
- EU Market Access: Mandatory for public sector procurement, regulated industries (banking, insurance, healthcare), and cross-border contracts across the 27 member states and the EEA. Without eIDAS alignment, a signature executed in one member state may be rejected in another.
- Legal Certainty: A QES carries a presumption of integrity and authenticity (Article 25(2)). Lower tiers shift the burden of proof to the relying party — increasing litigation risk.
- eIDAS 2.0 Wallet: By 2027, every member state must offer an EU Digital Identity Wallet. Large online platforms must accept it for authentication, expanding the regulation's commercial reach.
Technical Reality: How does it work?
- Three Signature Tiers: Simple (SES: click-to-sign or a typed name, minimal evidentiary bar), Advanced (AES: PKI-based, uniquely linked to the signer, tamper-evident), and Qualified (QES: an AES created on a certified HSM operated by a QTSP, issued only after identity verification of the signer).
- ETSI Standards: Compliant software must support at least one of the ETSI AdES signature formats, following the baseline profiles: CAdES (CMS, ETSI EN 319 122), XAdES (XML, ETSI EN 319 132) or PAdES (PDF, ETSI EN 319 142).
- QTSP Integration: For QES, software must integrate with Qualified Trust Service Providers that operate certified Hardware Security Modules (HSMs) and issue qualified certificates; the QTSP and its qualified services must appear on the EU Trusted List.
- Long-Term Validation: Signatures must embed revocation data (OCSP/CRL) and qualified timestamps (the LT and LTA levels of the baseline profiles) to remain verifiable after the signing certificate expires or is revoked.
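As an added illustration (not part of this summary, and not any vendor's code): whether a signature can claim the QES tier depends on what the signer's qualified certificate asserts, so a verifier has to read the certificate's qcStatements extension rather than trust a product label. The stdlib-only Python below decodes that extension, then maps the ETSI QcCompliance and QcSSCD statements (real OIDs) plus an assumed externally supplied "issuer is on the EU Trusted List" flag to the tier the signature can claim; the two DER samples are hand-constructed, not taken from real certificates.

```python
from typing import List, Tuple

QC_COMPLIANCE = "0.4.0.1862.1.1"  # id-etsi-qcs-QcCompliance: this is a qualified certificate
QC_SSCD = "0.4.0.1862.1.4"        # id-etsi-qcs-QcSSCD: the private key lives on a QSCD (e.g. a QTSP HSM)

# Constructed sample extension values (hand-encoded DER, not taken from any real certificate):
# a qualified certificate whose key is on a QSCD, and one whose key is not.
QC_WITH_QSCD = bytes.fromhex("3014" "3008" "0606" "04008e460101" "3008" "0606" "04008e460104")
QC_NO_QSCD = bytes.fromhex("300a" "3008" "0606" "04008e460101")

def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value: bytes) -> str:
    first = min(value[0] // 40, 2)  # first byte packs the first two arcs
    arcs, acc = [first, value[0] - 40 * first], 0
    for b in value[1:]:  # remaining arcs are base-128, high bit set on continuation bytes
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def qc_statement_oids(ext_value: bytes) -> List[str]:
    """Return every statementId OID from a DER QCStatements extension value (RFC 3739)."""
    tag, outer, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("QCStatements must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        _, stmt, pos = read_tlv(outer, pos)        # QCStatement ::= SEQUENCE { statementId, info }
        oid_tag, oid_val, _ = read_tlv(stmt, 0)    # statementId is always the first element
        if oid_tag == 0x06:
            oids.append(decode_oid(oid_val))
    return oids

def signature_tier(ext_value: bytes, issuer_on_trusted_list: bool) -> str:
    """Highest eIDAS tier a signature made with this certificate can claim."""
    oids = qc_statement_oids(ext_value)
    if not issuer_on_trusted_list or QC_COMPLIANCE not in oids:
        return "AdES"                             # PKI-based, but no qualified certificate
    if QC_SSCD not in oids:
        return "AdES with qualified certificate"  # qualified cert, key not on a QSCD: not a QES
    return "QES"                                  # qualified certificate + QSCD (Art. 3(12))
```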