Home/eIDAS compliance

Canadian certificate guidance

eIDAS compliance

eIDAS (Electronic Identification, Authentication and Trust Services) is the EU regulatory framework governing electronic signatures, seals, and website authentication. Canadian fintechs and enterprises operating in European markets or partnering with EU-regulated...

Discuss your use case
On this page
  1. What eIDAS Actually Regulates
  2. eIDAS 2.0 vs eIDAS 1.0: Key Differences
  3. QWAC Certificates: The Core Technical Requirement
  4. How PSD2 Connects to eIDAS
  5. Qualified Electronic Signatures vs Advanced Electronic Signatures
  6. eIDAS Compliance Checklist for Canadian Organizations
  7. Digital Identity Under eIDAS 2.0: EUDI Wallet Implications
  8. Common Compliance Errors

eIDAS (Electronic Identification, Authentication and Trust Services) is the EU regulatory framework governing electronic signatures, seals, and website authentication. Canadian fintechs and enterprises operating in European markets or partnering with EU-regulated entities cannot ignore it. This article breaks down the technical and compliance requirements, certificate types, and practical steps for achieving eIDAS conformance in 2026.

eIDAS compliance — digital certificate and security infrastructure
Illustrative security infrastructure context.

What eIDAS Actually Regulates

eIDAS 1.0 came into force in 2016. The updated eIDAS 2.0 regulation, adopted by the European Parliament in 2024, significantly expands scope — it introduces the European Digital Identity Wallet (EUDI Wallet), extends trust services to attestation of attributes, and tightens requirements on Qualified Trust Service Providers (QTSPs).

The framework covers five primary domains:

DomainDescription
Electronic signaturesSimple, advanced, and qualified (QES)
Electronic sealsMachine-generated equivalent of signatures for legal entities
Time stampingTrusted timestamps for document integrity
Registered electronic deliveryCertified email and document delivery
Website authenticationQWAC certificates for TLS

For organizations in Canada, the most operationally relevant areas are qualified website authentication certificates (QWACs) and qualified electronic signatures, particularly when dealing with EU banking partners, payment processors, or government procurement.

eIDAS 2.0 vs eIDAS 1.0: Key Differences

eIDAS 2.0 introduces changes that affect certificate issuance, identity verification, and cross-border recognition. The table below compares the two versions across criteria that matter for technical teams.

CriterioneIDAS 1.0 (2016)eIDAS 2.0 (2024+)
Digital identity scopeElectronic signatures and trust servicesAdds EUDI Wallet and attribute attestation
QWAC browser recognitionRecommendedMandated for major browsers
Wallet infrastructureNot definedEUDI Wallet interoperability required
Cross-border recognitionEU-only QTSPsExtends framework toward third-country recognition
PSD2 connectionDirect — QWACs required for Open Banking APIsReinforced under revised PSD3 alignment
Attribute attestationNot coveredQEAAs (Qualified Electronic Attribute Attestations) introduced

For Canadian organizations, eIDAS 2.0 is the version to build compliance against now. eIDAS 1.0 remains technically valid but does not satisfy requirements emerging from EU Digital Finance Package obligations.

QWAC Certificates: The Core Technical Requirement

A Qualified Website Authentication Certificate (QWAC) is a specific type of TLS certificate issued by a Qualified Trust Service Provider listed on an EU Member State's national Trusted List. Standard DV or OV certificates issued by commercial CAs do not meet QWAC requirements under eIDAS.

What makes a QWAC different from a standard TLS certificate

  • Issued by a QTSP, not a standard commercial CA
  • Contains identity fields defined in ETSI EN 319 412-5 standard
  • Includes organizationIdentifier field with VAT, NTR, PSD2, or LEI identifier
  • Subject to qualified audit and supervision by a national supervisory body
  • Carries legal presumption of authenticity under EU law

For PSD2 specifically, the European Banking Authority (EBA) mandated QWACs for strong customer authentication (SCA) and secure communication between Account Servicing Payment Service Providers (ASPSPs) and Third Party Providers (TPPs). A payment service provider accessing EU Open Banking APIs without a valid QWAC will be rejected by the API gateway.

QWAC certificate fields relevant to PSD2

FieldPurpose
organizationIdentifierIdentifies PSP using PSD2 prefix + NCA identifier + authorization number
qcStatementsMachine-readable indication of QWAC qualified status
subjectAltNameDomains covered by the certificate
policyIdentifiersReference to ETSI policy for QWACs

How PSD2 Connects to eIDAS

PSD2 (Payment Services Directive 2) explicitly references eIDAS for the technical security layer of Open Banking. Article 34 of the EBA RTS on Strong Customer Authentication requires QWACs or QSealCs (Qualified Electronic Seal Certificates) for secure communication.

In practice, this means:

  • A Canadian fintech building an EU-facing payment API must obtain a QWAC from an EU-supervised QTSP
  • The certificate must be renewed before expiry — most QWACs have 1-year or 2-year validity
  • Certificate revocation status must be checkable via OCSP or CRL published by the QTSP
  • The QTSP must appear on the European Commission's central Trusted List database

PSD3, currently in legislative progress as of 2026, is expected to align more tightly with eIDAS 2.0 and the EUDI Wallet infrastructure. Organizations planning API infrastructure for 2026-2027 should architect for both QWACs and attribute-based identity under EUDI Wallet flows.

Qualified Electronic Signatures vs Advanced Electronic Signatures

This distinction matters operationally. Many contract workflows use advanced electronic signatures (AdES), which are legally valid in most commercial contexts but carry less evidentiary weight than qualified signatures (QES).

Signature TypeLegal WeightHardware RequirementEU Recognition
Simple (SES)BasicNoneVaries by member state
Advanced (AdES)SignificantNone mandatoryCross-border, not automatic equivalence
Qualified (QES)Equivalent to handwrittenQSCD requiredMandatory cross-border recognition

A Qualified Signature Creation Device (QSCD) is a hardware or cloud-based device certified to meet Annex II of eIDAS. Remote signing solutions using Hardware Security Modules (HSMs) certified to FIPS 140-2 Level 3 or Common Criteria EAL4+ can qualify as QSCDs if the QTSP has obtained the relevant certification.

Canadian organizations issuing contracts to EU counterparties should verify which signature level is required — some EU government procurement now mandates QES.

eIDAS Compliance Checklist for Canadian Organizations

The following steps apply to organizations with EU operations, EU banking partners, or EU-regulated API integrations.

1. Determine your applicable trust service category

  • Payment service provider: QWAC + QSealC required
  • Document signing for EU contracts: QES recommended
  • Timestamping for audit trails: Qualified timestamps from a QTSP

2. Identify a QTSP on the EU Trusted List

  • Check the EU Commission's Trust Service Status List (TSSL) for QTSPs offering QWAC issuance
  • Confirm the QTSP is supervised in an EU member state
  • Verify ETSI EN 319 411-2 certification for the QTSP

3. Complete identity verification

  • QWACs require in-person or remote video identity verification of authorized representatives
  • Legal entity verification includes business registration, LEI or VAT number, and authorized signatory confirmation
  • Typical onboarding time: 5 to 15 business days depending on jurisdiction and QTSP

4. Configure TLS infrastructure

  • QWAC must be installed on the server handling API or web traffic
  • OCSP stapling recommended for performance under load
  • Certificate must not be mixed with non-qualified intermediate chains

5. Set renewal and monitoring procedures

  • QWAC expiry is operationally critical — a lapsed QWAC causes API connection failures
  • Monitor expiry with automated alerting at 60-day and 30-day thresholds
  • Maintain inventory of all QWACs issued across domains

Digital Identity Under eIDAS 2.0: EUDI Wallet Implications

The EUDI Wallet changes how identity attributes are exchanged in digital transactions. Rather than relying solely on certificate-embedded identity, eIDAS 2.0 enables wallet-to-service presentation of verified attributes — national ID, professional qualifications, business registration status.

For B2B financial services, the practical implication is that onboarding workflows for EU clients or partners may shift partially from certificate-based authentication toward wallet-presented attestations. ISO 18013-5 (mDL standard) and W3C Verifiable Credentials are both referenced in the EUDI Wallet Architecture and Reference Framework (ARF).

Canadian organizations building digital identity infrastructure should monitor the ARF releases (v1.4 was current as of early 2026) and consider whether their KYC and onboarding flows can accept wallet-presented credentials.

Common Compliance Errors

Organizations attempting eIDAS compliance for the first time frequently make the following mistakes:

  • Using OV/EV TLS certificates and assuming equivalence with QWACs — They are not equivalent. OV and EV certificates do not appear on Trusted Lists and do not satisfy PSD2 SCA requirements.
  • Purchasing from a non-QTSP CA — Major commercial CAs offer eIDAS-labeled products; verify that the specific product is issued under a qualified certificate policy.
  • Misidentifying the organizationIdentifier format — PSD2 QWACs require a specific prefix structure (e.g., PSDPL-PFSA-1234567) based on the issuing NCA. Errors here cause API authentication failures.
  • Ignoring QSealC for API responses — QWACs authenticate the server. QSealCs seal the API response payload. PSD2 open banking architectures typically require both.
  • Treating eIDAS as a one-time setup — Certificate lifecycle management, QTSP audit cycles, and regulatory updates (especially under eIDAS 2.0 transition timelines) require ongoing attention.

Planning an implementation?

Keep the legal entity, domain controls and certificate lifecycle in the same review.

Discuss your use case

Frequently asked questions

Practical answers

What is the difference between a QWAC and a standard SSL certificate?

A QWAC is issued by a Qualified Trust Service Provider supervised under EU law and contains regulated identity fields defined by ETSI EN 319 412-5. A standard SSL certificate — including EV certificates — is issued by a commercial CA without supervision under eIDAS.

Does a Canadian company need eIDAS compliance if it operates only domestically?

Not if all operations, partners, clients, and regulated activities are within Canada. However, if your organization accesses EU Open Banking APIs, signs contracts with EU government entities, processes payments through EU-regulated PSPs, or builds financial products for EU users, eIDAS requirements apply to the relevant interface.

How long does it take to obtain a QWAC?

Typical timelines range from 5 business days to 3 weeks, depending on the QTSP, the complexity of legal entity verification, and whether the authorized representative passes identity verification in the first attempt. Organizations with an LEI (Legal Entity Identifier) already registered tend to complete verification faster.

What happens when a QWAC expires without renewal?

An expired QWAC causes TLS handshake failures at any relying party that validates certificate status against the QTSP's OCSP or CRL. For PSD2 API integrations, this means immediate disconnection from ASPSP APIs — no fallback, no grace period.