EU — eIDAS / eIDAS 2

seed

Regulation (EU) No 910/2014electronic IDentification, Authentication and trust Services. In force since 2016, the foundation of the European digital single market for identity and signature. eIDAS 2 (Reg. 2024/1183) adds the EUDI Wallet (European digital identity wallet) and is mandatory by 2026.

The 3 signature levels

Level Definition (Art. 3 + Annexes IIIIII) Legal recognition
SES — Simple Electronic Signature Any data in electronic form attached to other data, used by the signatory to sign Cannot be rejected solely for being electronic, but evidentiary value is case-by-case
AdES — Advanced Electronic Signature (a) uniquely linked to the signatory; (b) capable of identifying them; (c) created under sole control; (d) linked to the data in such a way that any subsequent change is detectable Recognized in all 27 member states
QES — Qualified Electronic Signature AdES + created by a qualified device (QSCD) + based on a qualified certificate issued by an accredited QTSP (Qualified Trust Service Provider) Legal equivalence to a handwritten signature (Art. 25 §2). Mutual recognition mandatory throughout the EU

QTSPs — who can issue QES

Official list: EU Trusted List Browser. Each member state maintains its own digitally signed Trusted List.

Examples: D-Trust (DE), InfoCert (IT), AC Camerfirma (ES), Buypass (NO), Skaityk (LT).

To become a QTSP:

  1. Notification to the national supervisory body (BSI in Germany, ANSSI in France, etc.)
  2. Conformity audit (CAB — Conformity Assessment Body) — ETSI EN 319 401411421
  3. Inclusion in the national Trusted List
  4. Update of the EU LOTL (List of Trusted Lists)

Required technical formats

ETSI standardized "AdES" profiles on top of the generic formats (see 02-standards/):

Each one has BTLT/LTA sublevels:

Sublevel Adds
B (Baseline) Raw signature
T (with Time) + RFC 3161 timestamp of the signature
LT (Long Term) + revocation of each cert in the embedded chain (OCSP responses + CRLs)
LTA (Long Term with Archive) + timestamp of the LT set, periodically renewable — allows validation 50 years from now

eIDAS 2 — what changes

Regulation 2024/1183, in force 2024-05-20.

Main novelties:

  1. EUDI Wallet — every member state must offer a digital wallet to its citizens by 2026-12-21. The wallet stores identity + verifiable attributes + signing keys.
  2. Qualified Web Authentication Certificates (QWAC) — qualified certificates for TLS of public websites; their use is still controversial (tension with the browsers' root programs).
  3. Electronic Attestation of Attributes (EAA) — verifiable credentials signed by TSPs, the basis of the SSI model.
  4. Ledger-based registries — recognizes distributed ledgers as a qualified trust service.
  5. Cross-border interop — a wallet from any EU country must work in any other.

Tech stack: ISOIEC 18013-5 (mDL), W3C Verifiable Credentials, OpenID4VPVCI, ARF (Architecture & Reference Framework).

Implications for Koder

If any Koder product comes to operate in the EU with fully legally binding signatures:

  • QES client (accept qualified certs issued by QTSPs) — same pattern as the Brazilian A1/A3 but with a European TSP.
  • Support for PAdES B-T-LT at minimum for PDF (covers most B2B cases).
  • Integration with the EUDI Wallet when it ships (2026+) — relevant for Koder ID and the future Koder Sign.
  • The ARF is worth studying right now — it defines the stack that will dominate European identity.

References