Skip to content

AI-generated content: Responses are generated by AI, automatically assembled and may contain errors. Conformi is a research tool and does not replace legal advice or case-by-case legal review. All responses should be verified using the linked original sources.

Conformi/Knowledge Base/eIDAS/eIDAS
🪪Digital identity

Regulation (EU) No 910/2014 (eIDAS) — Electronic Identification and Trust Services

Analysis from 10 May 20262 sourcesConsolidated text of 18 October 2024, integrating amendments by Regulation (EU) 2024/1183 (in force from 20 May 2024) and Directive (EU) 2022/2555EUR-Lex Original

Will my e-signatures and qualified trust services still hold up after 21 May 2026 — and what does it cost if my QTSP misses the new conformity report?

From 21 May 2026, every pre-2024 qualified trust service provider must hold a fresh conformity assessment under Article 24, and any infringement of eIDAS exposes the legal entity to administrative fines of at least EUR 5 million or 1 % of worldwide annual turnover — Compliance and Legal must close the audit gap first.

Short Answer

Regulation (EU) No 910/2014, as substantially amended by Regulation (EU) 2024/1183 ('eIDAS 2.0'), governs cross-border electronic identification, the new European Digital Identity Wallet and qualified and non-qualified trust services in the Union [Art. 1, Art. 2(1)]. Article 16 obliges Member States to set the maximum administrative fine for infringements by trust service providers at no less than EUR 5 000 000, and for legal persons the higher of that amount or 1 % of worldwide annual turnover. Article 51(4) gives every qualified trust service provider that held qualified status before 20 May 2024 until 21 May 2026 to submit a conformity assessment report proving compliance with Article 24(1), (1a) and (1b). On the same date, qualified certificates issued to natural persons under the repealed Directive 1999/93/EC stop being treated as qualified [Art. 51(2)] and remote signature management without a dedicated qualified status under Article 29a/39a ends [Art. 51(3)].

Who is affected

Qualified and non-qualified trust service providers established in the Union; Member States providing or recognising electronic identification schemes and European Digital Identity Wallets; relying parties (private and public sector) that intend to rely on Wallets, including any organisation that issues or accepts qualified e-signatures, e-seals, electronic time stamps, electronic registered delivery, qualified website authentication certificates or electronic attestations of attributes [Art. 2(1), Art. 3(6)]. Microenterprises and small enterprises within the meaning of Recommendation 2003/361/EC retain a narrower exposure as private relying parties [Art. 12b].

Deadline

21 May 2026 — three converging transitional cut-offs: pre-2024 QTSPs must have filed the catch-up conformity assessment report under [Art. 51(4)]; qualified certificates issued to natural persons under the repealed Directive 1999/93/EC lose qualified status [Art. 51(2)]; and remote qualified signature/seal management performed without dedicated qualified status under Articles 29a/39a ceases to enjoy qualified effect [Art. 51(3)]. Member States must additionally provide at least one European Digital Identity Wallet within 24 months of the implementing acts adopted under [Art. 5a(23)] (Commission deadline: 21 November 2024).

Risk

Ceiling under [Art. 16(2)]: administrative fines of a maximum of at least EUR 5 000 000 for natural persons and, for legal persons, the higher of EUR 5 000 000 or 1 % of total worldwide annual turnover. Beyond fines, supervisory bodies may withdraw qualified status under [Art. 20(3)], which removes the EU trust mark [Art. 23] and the legal-effect presumption under [Art. 25(2)] / [Art. 35(2)]. In practice supervisory bodies act on status first; loss of trust-list entry under [Art. 22(1)] makes the service commercially unsellable long before fines are quantified.

Proof

Legal status

  • In force
  • as of 2026-05-10
  • Consolidated text of 18 October 2024, integrating amendments by Regulation (EU) 2024/1183 (in force from 20 May 2024) and Directive (EU) 2022/2555

Primary sources

What to do now

Legal / DPO

  • Audit every contract that names a specific qualified trust service provider or references 'qualified electronic signature', 'qualified electronic seal' or 'qualified electronic time stamp' against the 21 May 2026 conformity-assessment cut-off [Art. 51(4)] and add a substitution clause covering loss of qualified status [Art. 20(3)].
  • Confirm in writing that the trust services you rely on appear on a Member-State trusted list under [Art. 22(1)] and carry a current EU trust mark [Art. 23] — this is the documentary basis for invoking the legal-effect presumption of [Art. 25(2)] for signatures and [Art. 35(2)] for seals.
  • Document liability allocation against [Art. 13] (trust service damages, including reverse burden of proof for QTSPs) and [Art. 11] (cross-border eID damages); both apply mutatis mutandis to providers of European Digital Identity Wallets under [Art. 5a(19)].

Compliance

  • Schedule the recurring 24-month conformity assessment under [Art. 20(1)] and the one-off catch-up report mandated by [Art. 51(4)] so the supervisory body has a clean file before 21 May 2026.
  • Track the implementing acts adopted by 21 November 2024 under [Art. 5a(23)] and [Art. 5b(11)] and stand up the relying-party registration process [Art. 5b(1)–(2)] before national wallet rollout — registration is a precondition to accept wallet attestations.
  • Wire the trust-service incident-notification duty under [Art. 19a] / [Art. 24] (significant security breach to the supervisory body, and to affected users where relevant) into the existing incident-response playbook alongside the NIS2 reporting chain preserved by [Art. 16(1)].

IT / Security

  • Verify that every identity flow that touches the European Digital Identity Wallet operates at assurance level 'high' [Art. 5a(11)] — assurance level 'substantial' is only acceptable in combination with the remote-onboarding overlay specified under [Art. 5a(24)].
  • For remote qualified electronic signature creation, confirm that the operator holds the new dedicated qualified status for managing remote QSCDs under [Art. 29a] / [Art. 39a]; without that status, qualified effect is lost from 21 May 2026 [Art. 51(3)].
  • Enforce data-minimisation and logical-separation controls required by [Art. 5a(8)] and [Art. 5a(14)] in any system that issues or consumes wallet attestations — issuers must not be able to track wallet attribute usage by relying parties.

Product / Engineering

  • Build the relying-party registration interface to capture exactly the data set required by [Art. 5b(2)] (Member State of establishment, legal name and registration number, contact details, intended use of the Wallet, list of data points to be requested) and refresh it on change [Art. 5b(6)].
  • Restrict runtime requests to wallet attributes to the items declared at registration [Art. 5b(3)] and accept pseudonyms in any flow where identification is not legally required [Art. 5b(9)].
  • Surface the EU Digital Identity Wallet Trust Mark [Art. 3(48)] in user flows that offer wallet authentication and keep a non-wallet authentication path available — wallet use must remain voluntary and free of charge for natural persons [Art. 5a(13), Art. 5a(15)].

Key Terms

Trust service
Electronic service normally provided for remuneration consisting of the creation, verification and validation of electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services, certificates for website authentication and electronic attestations of attributes [Art. 3(16)].
Qualified trust service provider (QTSP)
A trust service provider that has been granted qualified status by the national supervisory body and provides one or more qualified trust services on the trusted list [Art. 3(20), Art. 22(1)].
European Digital Identity Wallet
An electronic identification means provided under an eID scheme of assurance level 'high' that lets the user securely store, manage and share person identification data and electronic attestations of attributes and produce qualified electronic signatures or seals [Art. 3(42), Art. 5a(11)].
Relying party
Natural or legal person that relies on electronic identification, a European Digital Identity Wallet or a trust service to provide a public or private service [Art. 3(6)]; relying-party obligations sit in [Art. 5b].
Conformity assessment report
Report issued by a conformity assessment body accredited under Regulation (EC) No 765/2008 attesting that a trust service provider and the qualified trust services it provides meet the requirements of eIDAS [Art. 3(18), Art. 20(1)].
Assurance level
Degree of confidence ('low', 'substantial' or 'high') in claimed or asserted identity associated with an electronic identification means [Art. 8(2)]; wallets are issued exclusively at level 'high' [Art. 5a(11)].
EU Digital Identity Wallet Trust Mark
Verifiable, simple and recognisable indication that a European Digital Identity Wallet has been provided in accordance with the Regulation [Art. 3(48)].
?

Frequently Asked Questions

Are qualified electronic signatures created before 21 May 2026 still legally effective afterwards?
Yes. The legal-effect presumption under [Art. 25(2)] attaches to the signature at the moment of creation; what changes on 21 May 2026 is the issuance pipeline. Qualified certificates issued to natural persons under the repealed Directive 1999/93/EC stop being treated as qualified for the purpose of issuing or renewing under [Art. 51(2)], but already-created signatures are not retroactively downgraded.
Does eIDAS 2.0 force companies or citizens to use the European Digital Identity Wallet?
No. [Art. 5a(13)] makes wallet use voluntary for natural persons and prohibits restricting or disadvantaging access to public or private services, the labour market or the freedom to conduct business based on whether the wallet is used. Member States must, however, provide at least one wallet within 24 months of the entry into force of the implementing acts under [Art. 5a(23)].
What is the maximum administrative fine for an infringement of eIDAS?
[Art. 16(2)] sets a floor on the maximum administrative fine: at least EUR 5 000 000 for natural persons, and for legal persons the higher of EUR 5 000 000 or 1 % of total worldwide annual turnover in the preceding financial year. Member States may set higher ceilings — the Regulation only obliges them not to set lower ones.
Do we have to register before accepting Wallet authentication on our site?
Yes. [Art. 5b(1)] requires every relying party that intends to rely on a European Digital Identity Wallet to register in its Member State of establishment, declaring at minimum the items listed in [Art. 5b(2)] and updating that declaration on any change [Art. 5b(6)]. Member States make the registration data publicly available in machine-readable form [Art. 5b(5)].
Our company is already a QTSP — do we have new audit duties under eIDAS 2.0?
Yes. QTSPs that were granted qualified status before 20 May 2024 must submit a conformity assessment report proving compliance with [Art. 24(1), (1a) and (1b)] as soon as possible and in any event by 21 May 2026 [Art. 51(4)]. The standing 24-month re-assessment cycle under [Art. 20(1)] continues to apply on top of this.
Does NIS2 also apply to trust service providers, or is eIDAS sufficient?
Both apply. [Art. 16(1)] explicitly preserves Article 31 of Directive (EU) 2022/2555 (NIS2), and Article 19a refers non-qualified trust service providers to the risk-management measures of NIS2 Article 21. Trust service providers therefore operate under two parallel supervisory regimes — the eIDAS supervisory body and the competent NIS2 authority.
3

Assessment Factors & Checklist

Premium
Start 7-day free trial
4

Questions for Your Lawyer

Premium
Start 7-day free trial
5

Conclusion & Summary

Premium
Start 7-day free trial

Detailed analysis with source links.

Schalten Sie die KI-Analyse frei — mit markierten Fundstellen und direkten Links zu EUR-Lex. 7 Tage kostenlos testen.

Start 7-day free trial

Keine Kreditkarte heute. Kündigung jederzeit.