The Biggest Digital Identity Mandate in History
The European Union's eIDAS 2.0 regulation requires all 27 member states to offer EU Digital Identity Wallets (EUDI Wallets) to their citizens by December 31, 2026. This isn't a recommendation — it's a legal requirement that will fundamentally reshape how digital identity and trust services work in Europe.
For PKI teams, eIDAS 2.0 introduces new certificate types, trust service requirements, and compliance obligations that extend well beyond traditional TLS certificate management.
What Is eIDAS 2.0?
The Evolution from eIDAS 1.0
The original eIDAS regulation (2014) established a framework for electronic identification and trust services across the EU. It introduced:
- Electronic signatures and seals
- Qualified Trust Service Providers (QTSPs)
- Website authentication certificates (QWACs)
- Cross-border recognition of electronic identification
eIDAS 2.0 builds on this foundation with a much more ambitious scope:
- EU Digital Identity Wallets for every EU citizen
- Verifiable credentials for government-issued documents
- Qualified Electronic Attestations of Attributes (QEAAs)
- Updated trust service requirements aligned with NIS 2 cybersecurity rules
- Mandatory acceptance by private sector relying parties
The EUDI Wallet
The centerpiece of eIDAS 2.0 is the EU Digital Identity Wallet — a mobile application that allows citizens to:
- Store and present government-issued identity documents
- Authenticate to online services without passwords
- Sign documents with qualified electronic signatures
- Present verifiable credentials (diplomas, licenses, certifications)
- Control what personal data is shared with each service
PKI Implications
New Certificate Types
eIDAS 2.0 introduces or expands several certificate types that PKI teams must understand:
1. Qualified Website Authentication Certificates (QWACs)
QWACs are the eIDAS equivalent of EV certificates, but with legal recognition across the EU:
| Feature | QWACs | Traditional EV |
|---|---|---|
| Identity verification | Government-level | CA-determined |
| Legal recognition | Legally binding in EU | No legal status |
| Issuer requirements | Must be QTSP | Any CA |
| Browser display | Under negotiation | Varies by browser |
| Cross-border validity | All 27 EU states | No special status |
Implication: Organizations operating in the EU may need QWACs for websites that interact with EUDI Wallets or government services. These cannot be issued by regular CAs — they require a Qualified Trust Service Provider.
2. Qualified Electronic Seals
Electronic seals are the organizational equivalent of electronic signatures. Under eIDAS 2.0, qualified electronic seals provide:
- Proof that a document originated from a specific organization
- Legal presumption of data integrity
- Cross-border recognition across all EU member states
Implication: Organizations that exchange documents with EU entities may need qualified seal certificates for document authentication.
3. Wallet Trust Infrastructure Certificates
The EUDI Wallet ecosystem requires its own trust infrastructure:
```
┌──────────────────────────────────────────────────┐
│               EUDI Trust Framework               │
├──────────────────────────────────────────────────┤
│                                                  │
│  Trust Lists ──→ QTSPs ──→ Certificates          │
│       │            │            │                │
│       ▼            ▼            ▼                │
│  EU Trusted    Qualified   QWACs, Seals,         │
│  Lists         Services    eSignatures           │
│                                                  │
│  Wallet ◄──── Verifiable ◄──── Issuers           │
│  Holders      Credentials      (Government,      │
│                                 Education,       │
│                                 Healthcare)      │
└──────────────────────────────────────────────────┘
```
Qualified Trust Service Provider Requirements
Under eIDAS 2.0, QTSPs face enhanced requirements:
Security Requirements (NIS 2 Alignment)
- Comprehensive cybersecurity risk management
- Incident reporting within 24 hours
- Supply chain security measures
- Regular security audits and penetration testing
- Business continuity and disaster recovery plans
Technical Requirements
- HSM-based key storage for all qualified certificates
- Certificate revocation within 24 hours of request
- Conformity assessment every 24 months
- Compliance with ETSI standards (EN 319 401, EN 319 411)
Operational Requirements
- Qualified staff with PKI and security expertise
- Documented procedures for all trust services
- Liability insurance for qualified trust services
- Supervision by national regulatory body
Impact on Certificate Lifecycle Management
eIDAS 2.0 affects CLM in several ways:
1. New Certificate Types to Manage
CLM platforms must support eIDAS-specific certificate types:
- QWACs with eIDAS-specific extensions
- Qualified seal certificates
- Qualified signature certificates
- PSD2 (Payment Services Directive) certificates for financial services
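The eIDAS-specific extension a CLM inventory can key on is qcStatements (RFC 3739), whose statement OIDs are defined in ETSI EN 319 412-5. The following is an added example, not code from the original article or from any CLM product: it parses that extension's DER value with the Python standard library and maps it to a certificate type. The sample byte strings are constructed, and the `QSigC` label and the function names are assumptions of this example.

```python
QC_COMPLIANCE = "0.4.0.1862.1.1"  # certificate is issued as qualified
QC_SSCD = "0.4.0.1862.1.4"        # private key resides in a QSCD
QC_TYPE = "0.4.0.1862.1.6"        # statementInfo lists esign / eseal / web
CLM_TYPE = {"0.4.0.1862.1.6.1": "QSigC", "0.4.0.1862.1.6.2": "QSealC",
            "0.4.0.1862.1.6.3": "QWAC"}

def elements(buf):
    """Yield (tag, value) for each DER element laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf) or buf[pos + 1] == 0x80:
            raise ValueError("truncated header or indefinite length")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length > 0x80:  # long form: low 7 bits count the length bytes
            n = length - 0x80
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[pos:pos + length]
        pos += length

def decode_oid(body):
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if b < 0x80:  # high bit clear marks the last byte of an arc
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)  # first value packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def classify(qc_der):
    """Summarise a qcStatements value; pass None when the extension is absent."""
    info = {"qualified": False, "qscd": False, "types": []}
    for tag, seq in elements(qc_der or b""):
        if tag != 0x30:
            raise ValueError("qcStatements must be a SEQUENCE")
        for _, stmt in elements(seq):
            parts = list(elements(stmt))  # [statementId, optional statementInfo]
            oid = decode_oid(parts[0][1]) if parts else ""
            info["qualified"] |= oid == QC_COMPLIANCE
            info["qscd"] |= oid == QC_SSCD
            if oid == QC_TYPE and len(parts) > 1:
                info["types"] = [CLM_TYPE.get(decode_oid(v), "unknown")
                                 for _, v in elements(parts[1][1])]
    return info

# Constructed sample extension values, not taken from real certificates.
QWAC_SAMPLE = bytes.fromhex("301f3008060604008e4601013013060604008e4601063009060704008e46010603")
QSEAL_SAMPLE = bytes.fromhex("30293008060604008e4601013008060604008e4601043013060604008e4601063009060704008e46010602")
```

The result reflects only what the certificate asserts; whether the issuer is actually a QTSP still has to be confirmed against the EU Trusted List, which this example does not do.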
2. QTSP Integration
Organizations need their CLM platform to integrate with QTSPs, not just traditional CAs:
```yaml
# CLM configuration for eIDAS certificates
eidas_providers:
  qwacs:
    provider: "qualified-tsp.eu"
    certificate_type: "QWAC"
    validation: "eIDAS-OV"
    required_documents:
      - business_registration
      - authorized_representative
    renewal_threshold_days: 30
  seals:
    provider: "qualified-tsp.eu"
    certificate_type: "QSealC"
    key_storage: "hsm_required"
    renewal_threshold_days: 30
```
3. Compliance Reporting
eIDAS 2.0 requires detailed record-keeping for qualified trust services:
- Certificate issuance and revocation logs
- Key usage audit trails
- Conformity assessment results
- Incident reports and remediation records
Preparing Your Organization
Step 1: Assess Your EU Exposure
Determine how eIDAS 2.0 affects your organization:
- Do you operate websites accessed by EU citizens?
- Do you process documents with EU organizations?
- Do you provide services that require identity verification in the EU?
- Are you a relying party that will accept EUDI Wallet credentials?
- Are you required to accept QWACs for website authentication?
Step 2: Identify Required Trust Services
Based on your EU exposure, determine which trust services you need:
| Use Case | Required Certificate/Service |
|---|---|
| Website serving EU users | QWAC (may be required) |
| Document signing with EU entities | Qualified electronic seal |
| Processing EU citizen identity | EUDI Wallet relying party integration |
| Financial services in EU | PSD2 qualified certificates |
| Remote signing for EU users | Qualified electronic signature service |
Step 3: Select a QTSP
If you need qualified certificates, choose a QTSP that:
- Is listed on the EU Trusted List for the relevant member state(s)
- Offers the specific qualified services you need
- Provides API-based or ACME-based automation
- Has experience with your industry's specific requirements
- Offers multi-country coverage if you operate across EU states
Step 4: Update Your CLM Platform
Ensure your certificate lifecycle management platform can handle:
- eIDAS certificate types and their specific extensions
- QTSP integration for issuance and renewal
- HSM key storage requirements for qualified certificates
- eIDAS-specific compliance reporting
- Certificate transparency monitoring for QWACs
Step 5: Plan for the December 2026 Deadline
- April-June 2026: Assessment and QTSP selection
- July-August 2026: Integration and testing
- September-October: Pilot deployment
- November 2026: Full deployment
- December 31, 2026: Compliance deadline
The Browser Trust Debate
QWACs and Browser Recognition
One of the most contentious aspects of eIDAS 2.0 is the requirement for browsers to recognize QWACs. The regulation mandates that browsers must:
- Accept and process QWACs
- Display identity information from QWACs to users
- Not impose additional requirements beyond those in the regulation
Browser vendors (Google, Mozilla, Apple) have raised concerns about:
- Security implications of mandated trust
- Potential for government-issued certificates to enable surveillance
- Compatibility with existing browser trust models
- User experience and security indicator design
This debate remains ongoing. PKI teams should monitor developments and be prepared for whatever trust model emerges.
The Intersection with SC-081
Two Mandates, One Infrastructure
Organizations operating in the EU face two simultaneous certificate management challenges:
- SC-081: Shorter TLS certificate lifetimes (200 days → 100 days → 47 days)
- eIDAS 2.0: New certificate types and trust requirements
These mandates converge on the same infrastructure — your CLM platform. The organizations best positioned are those with a unified approach to managing both traditional TLS certificates and eIDAS-specific certificates through a single platform.
How TigerTrust Supports eIDAS 2.0
TigerTrust is preparing for the eIDAS 2.0 landscape:
- Multi-provider support for both traditional CAs and Qualified Trust Service Providers
- eIDAS certificate type management including QWACs and qualified seals
- Compliance reporting aligned with eIDAS record-keeping requirements
- HSM integration for qualified certificate key storage requirements
- EU Trusted List monitoring for QTSP status verification
Navigate the eIDAS 2.0 transition with confidence. Learn more at tigertrust.io.