EU — eIDAS / eIDAS 2
Regulation (EU) No 910/2014 — electronic IDentification, Authentication and trust Services. In force since 2016, the foundation of the European digital single market for identity and signature. eIDAS 2 (Reg. 2024/1183) adds the EUDI Wallet (European digital identity wallet) and is mandatory by 2026.
The 3 signature levels
| Level | Definition (Art. 3 + Annexes IIIIII) | Legal recognition |
|---|---|---|
| SES — Simple Electronic Signature | Any data in electronic form attached to other data, used by the signatory to sign | Cannot be rejected solely for being electronic, but evidentiary value is case-by-case |
| AdES — Advanced Electronic Signature | (a) uniquely linked to the signatory; (b) capable of identifying them; (c) created under sole control; (d) linked to the data in such a way that any subsequent change is detectable | Recognized in all 27 member states |
| QES — Qualified Electronic Signature | AdES + created by a qualified device (QSCD) + based on a qualified certificate issued by an accredited QTSP (Qualified Trust Service Provider) | Legal equivalence to a handwritten signature (Art. 25 §2). Mutual recognition mandatory throughout the EU |
QTSPs — who can issue QES
Official list: EU Trusted List Browser. Each member state maintains its own digitally signed Trusted List.
Examples: D-Trust (DE), InfoCert (IT), AC Camerfirma (ES), Buypass (NO), Skaityk (LT).
To become a QTSP:
- Notification to the national supervisory body (BSI in Germany, ANSSI in France, etc.)
- Conformity audit (CAB — Conformity Assessment Body) — ETSI EN 319 401411421
- Inclusion in the national Trusted List
- Update of the EU LOTL (List of Trusted Lists)
Required technical formats
ETSI standardized "AdES" profiles on top of the generic formats (see 02-standards/):
- PAdES (EN 319 142) — in PDF
- XAdES (EN 319 132) — in XML
- CAdES (EN 319 122) — in CMS
- JAdES (EN 319 182) — in JSON/JWS
- ASiC (EN 319 162) — container that bundles signatures + data
Each one has BTLT/LTA sublevels:
| Sublevel | Adds |
|---|---|
| B (Baseline) | Raw signature |
| T (with Time) | + RFC 3161 timestamp of the signature |
| LT (Long Term) | + revocation of each cert in the embedded chain (OCSP responses + CRLs) |
| LTA (Long Term with Archive) | + timestamp of the LT set, periodically renewable — allows validation 50 years from now |
eIDAS 2 — what changes
Regulation 2024/1183, in force 2024-05-20.
Main novelties:
- EUDI Wallet — every member state must offer a digital wallet to its citizens by 2026-12-21. The wallet stores identity + verifiable attributes + signing keys.
- Qualified Web Authentication Certificates (QWAC) — qualified certificates for TLS of public websites; their use is still controversial (tension with the browsers' root programs).
- Electronic Attestation of Attributes (EAA) — verifiable credentials signed by TSPs, the basis of the SSI model.
- Ledger-based registries — recognizes distributed ledgers as a qualified trust service.
- Cross-border interop — a wallet from any EU country must work in any other.
Tech stack: ISOIEC 18013-5 (mDL), W3C Verifiable Credentials, OpenID4VPVCI, ARF (Architecture & Reference Framework).
Implications for Koder
If any Koder product comes to operate in the EU with fully legally binding signatures:
- QES client (accept qualified certs issued by QTSPs) — same pattern as the Brazilian A1/A3 but with a European TSP.
- Support for PAdES B-T-LT at minimum for PDF (covers most B2B cases).
- Integration with the EUDI Wallet when it ships (2026+) — relevant for Koder ID and the future Koder Sign.
- The ARF is worth studying right now — it defines the stack that will dominate European identity.