On this page
- What Makes a Certificate "Qualified"
- eIDAS and Its Relevance to Canadian Organizations
- How QWACs Differ from Standard TLS in Practice
- Canadian Compliance Context
- When Your Organization Actually Needs a Qualified Certificate
- Technical Implementation Notes
- Qualified Electronic Seals vs. QWACs
- Choosing a QTSP: What to Verify
Qualified certificates are a specific class of digital certificates issued by accredited trust service providers under legally defined frameworks. They carry a higher legal weight than standard TLS certificates because the issuing authority has been audited and approved by a regulatory body. In Canada and under international standards like eIDAS, qualified certificates are increasingly required for financial services, government portals, and cross-border identity verification.

What Makes a Certificate "Qualified"
Not every TLS or SSL certificate is qualified. The distinction matters in procurement, compliance audits, and legal enforceability.
A qualified certificate must be:
- Issued by a Qualified Trust Service Provider (QTSP) that has passed independent conformity assessment
- Bound to a verified legal entity or natural person, not just a domain name
- Compliant with a recognized technical standard (e.g., ETSI EN 319 412 under eIDAS, or equivalent CSE/CIO frameworks in Canada)
- Supported by a Certificate Policy (CP) and Certification Practice Statement (CPS) that are publicly auditable
Standard Domain Validation (DV) certificates confirm only that the requester controls a domain. Qualified certificates confirm who that requester actually is, a legal organization or individual, with verified identity documentation.
eIDAS and Its Relevance to Canadian Organizations
eIDAS (Electronic Identification, Authentication and Trust Services) is an EU regulation, but its reach extends beyond Europe. Canadian companies operating in EU markets, processing EU payment data under PSD2, or integrating with European digital identity infrastructure must meet eIDAS requirements.
Under eIDAS Article 45, Qualified Certificates for Website Authentication (QWACs) must be accepted by relying parties as proof of organizational identity. Unlike Extended Validation (EV) certificates, QWACs are legally mandated to carry specific identity attributes:
| Attribute | DV Certificate | EV Certificate | QWAC |
|---|---|---|---|
| Domain ownership verified | Yes | Yes | Yes |
| Legal entity name | No | Yes | Yes |
| Registration number | No | Optional | Required |
| Country of incorporation | No | Yes | Required |
| Regulatory body / LEI | No | No | Required (fintech) |
| Legal weight under EU law | None | Limited | Full |
For a Canadian fintech operating as an EU Payment Service Provider (PSP), a QWAC is not optional. PSD2 mandates that PSPs use QWACs for client authentication in open banking API calls. This includes Canadian companies processing euro-denominated transactions or holding EU banking licenses.
How QWACs Differ from Standard TLS in Practice
The certificate chain matters. A standard TLS certificate chains to a root CA trusted by browsers (Chrome, Firefox, Safari). A QWAC chains to a QTSP root that is listed in an EU Trust List (EUTL) or equivalent national trust framework.
As of 2026, browser treatment of QWACs has evolved significantly. Following years of debate between the CA/Browser Forum and EU regulators, modern browsers display QWAC-specific identity indicators in the address bar for sites that present a valid QWAC. This distinguishes them visually from standard EV or DV certificates for users who look.
What this means operationally:
- A QWAC must be installed alongside or instead of a standard TLS certificate depending on the use case
- Certificate revocation via OCSP or CRL must be monitored continuously, QTSP revocation timelines are shorter than commercial CAs
- QWAC validity periods are typically 1 year, renewal requires re-verification of identity documents
- If the issuing QTSP loses accreditation, all issued QWACs lose their qualified status immediately
Canadian Compliance Context
Canada does not yet have a direct equivalent to eIDAS, but several frameworks govern digital certificates and trust services:
Pan-Canadian Trust Framework (PCTF): Developed by the Digital ID and Authentication Council of Canada (DIACC), the PCTF defines assurance levels for digital identity. Level of Assurance 3 (LOA3) requirements align closely with what a QWAC delivers for organizational identity.
PIPEDA and Bill C-27: Canadian privacy law requires demonstrable controls over data in transit. Qualified certificates provide a legally auditable mechanism for proving encryption and organizational accountability simultaneously.
OSFI Guideline B-10 (Third-Party Risk): Financial institutions regulated by OSFI must verify the identity of third parties in their supply chain. QWACs and equivalent qualified certificates are increasingly cited in vendor security questionnaires as acceptable proof of identity assurance.
CSE's Canadian Centre for Cyber Security (CCCS): The CCCS recommends certificate-based authentication at the organizational level for government-connected services. QWACs or certificates meeting equivalent standards are referenced in ITSG-33 controls.
When Your Organization Actually Needs a Qualified Certificate
Not every website needs a QWAC. A useful decision framework:
You likely need a QWAC if:
- Your organization is a licensed Payment Service Provider under PSD2 or equivalent
- You operate APIs consumed by EU financial institutions
- You are building eIDAS-compliant cross-border identity services
- Your contracts or RFPs from EU government clients specify QTSP-issued certificates
- You participate in open banking ecosystems requiring strong organizational authentication
An EV certificate may be sufficient if:
- Your operations are entirely domestic to Canada or the US
- You need visible organizational identity assurance but no legal obligation to a specific standard
- Your compliance framework accepts CA/Browser Forum EV guidelines
A DV certificate is enough if:
- You need encrypted transport only, with no identity claims
- You are running internal services, staging environments, or low-risk consumer pages
Technical Implementation Notes
Installing a QWAC requires more planning than a standard certificate. Key technical considerations:
Key generation: Many QTSPs require that the private key be generated on an HSM (Hardware Security Module) at LOA3 or higher. Cloud HSM services (AWS CloudHSM, Azure Dedicated HSM) are generally acceptable if properly configured and attested.
Certificate profile: QWACs include a specific extension: qcStatements (OID 1.3.6.1.5.5.7.1.3). This extension carries machine-readable claims about the certificate's qualified status, the applicable legislation, and the QTSP's identity. If your application needs to validate QWAC status programmatically, parse this extension.
Dual-certificate deployment: Some organizations run both a QWAC and a standard TLS certificate on the same endpoint. This is technically possible using SNI, but it adds operational complexity. For most PSD2 use cases, the QWAC replaces the standard TLS cert entirely on the relevant API endpoint.
Monitoring and automation: Unlike DV certificates, QWACs cannot typically be automated via ACME protocol. Renewal is a manual or semi-automated process involving identity re-verification. Build certificate expiry monitoring into your operations pipeline with at least 60 days lead time.
Qualified Electronic Seals vs. QWACs
A related but distinct product is the Qualified Electronic Seal (QESeal). Where QWACs authenticate websites, QSeals authenticate documents and data payloads originating from a legal entity.
| QWAC | Qualified Electronic Seal | |
|---|---|---|
| What it authenticates | Website / TLS endpoint | Document or data object |
| Bound to | Legal entity + domain | Legal entity |
| Typical use | API authentication, HTTPS | Signed invoices, contracts, reports |
| PSD2 relevance | Strong customer auth, API identity | Payment initiation confirmations |
| Key storage | Server / HSM | HSM required |
For a fintech operating in both areas, both products may be required. A QWAC on the API gateway, and QSeals on outbound transaction records.
Choosing a QTSP: What to Verify
Not all certificate authorities offer qualified certificates. A QTSP must appear on an EU Trust List or equivalent national supervisory list to issue valid QWACs.
Before selecting a QTSP, verify:
- Trust List status: Confirm the QTSP is listed on the EU Trust List at the time of purchase. QTSP status can be suspended.
- Certificate policy scope: The CP must explicitly cover QWACs under eIDAS Annex IV requirements.
- Geographic coverage: Some QTSPs issue qualified certificates only to entities incorporated in specific jurisdictions. Confirm Canadian entities are supported.
- Support for Canadian identity documents: Identity verification workflows must accept Canadian business registration documents (e.g., Corporations Canada records, provincial incorporation certificates).
- Revocation infrastructure: Confirm OCSP responder availability and SLA. For PSD2 use cases, real-time revocation checking is expected.
- Audit reports: Request current ETSI EN 319 403 conformity assessment reports.
Planning an implementation?
Keep the legal entity, domain controls and certificate lifecycle in the same review.
Discuss your use caseFrequently asked questions
Practical answers
What is the difference between a QWAC and an EV certificate?
An EV certificate is issued under CA/Browser Forum guidelines and displays the organization name in some browser interfaces. A QWAC is issued by a QTSP under eIDAS or an equivalent legal framework and carries legal weight in EU member states and aligned jurisdictions.
Does a Canadian company need a QWAC if it only serves Canadian customers?
Not based on domestic Canadian regulation alone, as of 2026. However, if the company processes EU payment data, participates in PSD2-regulated open banking, or contracts with EU government entities, a QWAC becomes a contractual or regulatory requirement regardless of where the customer base is located.
How long does it take to obtain a qualified certificate?
Typically 3 to 10 business days, depending on the QTSP and the completeness of the submitted documentation. Identity verification for the organization and the authorized representative (a named individual) must be completed.
Can a QWAC be used for internal services or non-public APIs?
Technically yes, but it is cost-inefficient and operationally heavier than alternatives. QWACs are designed for publicly accessible endpoints where relying parties need to verify organizational identity against a trust framework.