EU Regulatory Intelligence — by YRproject

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NL·EN
Explainer

Qualified trust services under eIDAS

Adopted 2026-06-29 · ≈ 2 min read · Dirk Baaijen

The eIDAS Regulation defines which trust services qualify as "qualified", sets the requirements for that status, and establishes a supervision framework — including precise timelines for conformity assessment reporting.

Short answer: A qualified trust service is a trust service that meets the stringent requirements of the eIDAS Regulation and is included in the national trusted list. Only providers that have formally obtained qualified status — granted by the national supervisory body — may display the EU trust mark. In the Netherlands, the Rijksinspectie Digitale Infrastructuur (RDI) is the competent supervisory body.

What are qualified trust services?

The eIDAS Regulation (Regulation (EU) 910/2014, as amended by Regulation (EU) 2024/1183) draws a clear distinction between ordinary trust services and qualified ones. Qualified services carry specific legal effects across all EU Member States: a qualified electronic signature has the same legal effect as a handwritten signature (Art. 25), a qualified electronic seal enjoys a presumption of integrity and correctness of origin (Art. 35), and a qualified electronic timestamp enjoys a presumption of accuracy of the date and time it indicates (Art. 41).

The following categories may be provided as qualified trust services: qualified electronic signatures and the certificates underpinning them, qualified electronic seals, qualified website authentication certificates (QWACs), qualified electronic timestamps, qualified electronic registered delivery services, electronic archiving services, remote management of qualified signature and seal creation devices, qualified electronic attestations of attributes, and qualified electronic ledgers.

Obtaining qualified status (Art. 21)

A provider wishing to obtain qualified status must notify the supervisory body and include a conformity assessment report issued by an accredited conformity assessment body confirming compliance with eIDAS requirements. The supervisory body must grant qualified status no later than three months after notification. The provider may only offer qualified services once its status has been entered in the national trusted list.

Ongoing supervision (Art. 20)

Qualified providers must be audited at least once every 24 months, at their own expense, by a conformity assessment body. The provider must inform the supervisory body at least one month before any planned audit. The conformity assessment report must be submitted to the supervisory body within three working days of receipt — meaning the three-day clock starts when the provider receives the report from the conformity assessment body, not when the body issues or finalises it. The supervisory body may at any time request an ad hoc conformity assessment.

National trusted lists and the EU trust mark (Art. 22-23)

Each Member State must establish, maintain and publish a trusted list in electronically signed form suitable for automated processing (Art. 22). Once qualified status appears in the trusted list, the provider may use the EU trust mark for its qualified services (Art. 23). A service is only considered qualified if it is listed as such in the valid national trusted list. The European Commission provides the EU Trusted List Browser as a central access point to all national lists.

Obligations for qualified providers (Art. 24)

Beyond the audit requirement, qualified providers must maintain sufficient financial resources or appropriate liability insurance, employ personnel with the necessary expertise and reliability, notify the supervisory body at least one month before any planned change (and three months before ceasing activities), and revoke certificates within 24 hours of receiving a valid revocation request.

Sources

  1. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02014R0910-20241018
    Consolidated text Regulation (EU) 910/2014, Articles 17-24 (updated to 18-10-2024)
  2. https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng
    Original publication Regulation (EU) 910/2014
  3. https://digital-strategy.ec.europa.eu/en/faqs/questions-answers-trust-services-under-european-digital-identity-regulation
    European Commission Q&A on trust services under the EUDI Regulation
  4. https://www.rdi.nl/onderwerpen/elektronische-vertrouwensdiensten
    RDI — supervision of electronic trust services in the Netherlands

Share on LinkedIn

Read next

W

Digital identity: the guide to eIDAS 2 and the EU Wallet

The revised eIDAS Regulation requires member states to offer a European Digital Identity Wallet and renews trust services (signatures, seals). This guide brings together what the wallet means for citizens and businesses, the timeline and the links with transport.

A

MDR and the AI Act: regulatory overlap for medical software

Medical software with AI components falls simultaneously under the MDR and the AI Act; the high-risk classification via the MDR route (Article 6(1) AI Act) does not apply until 2 August 2027.

U

National supervisors: how AI Act enforcement is divided (the Dutch case)

The AI Act is largely enforced nationally. In the Netherlands a draft Implementation Act (consultation 20 April–1 June 2026) gives the AP and RDI a coordinating role over ten existing market surveillance authorities, with the AFM and DNB supervising the financial sector.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject — programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method →

A project or programme? Work with YRproject →

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.