eIDAS Trusted Lists: What Changes With the New Format Applicable Since 29 April 2026
Commission Implementing Decision (EU) 2025/2164 updates the format of European Trusted Lists effective 29 April 2026. Decoding this technical refresh, what it prepares for eIDAS 2.0, and what it means concretely when you need to verify the qualified status of a timestamp or trust service provider.
A lawyer receives an opposing party's evidence ahead of trial: an electronic timestamp presented as "qualified under eIDAS." Before deciding whether to challenge it, she has to verify two things β is the service actually listed in the European Trusted Lists, and was it listed at the exact date the evidence was produced? The official dashboard she usually clicked through has just changed format.
This change is not cosmetic. Since 29 April 2026, a new EU implementing decision overhauls the technical standard of eIDAS Trusted Lists. It is regulatory plumbing, but it lays the rails for eIDAS 2.0 and changes what you need to know to verify a qualified status.
If you only remember one thing: Trusted Lists remain the only reliable way to verify that a trust service is qualified. The new format does not change that rule β it extends it to the new services arriving with eIDAS 2.0.
Trusted Lists: what they actually are
A Trusted List (TSL β Trust Service List) is a signed XML file maintained by each EU Member State that lists every qualified trust service provider (QTSP) established on its territory. The European Commission aggregates these 27 national lists into its EU Trust Services Dashboard, a public interface available at eidas.ec.europa.eu/efda/tl-browser.
Concretely, each entry specifies:
- The provider (legal name, identifier, contact)
- The service (qualified electronic signature, qualified timestamp, seal, electronic registered delivery, identification, etc.)
- The status (
granted,withdrawn,expired,recognised at national level) - The dates of grant and, where applicable, withdrawal of status
- The certificates used by the service
This is the mechanism that gives the eIDAS Regulation its legal weight: a service listed with granted status enjoys the eIDAS legal presumption (Article 41 for qualified timestamping, Article 25 for qualified signatures). Outside the Trusted List there is no presumption β the evidence remains admissible, but without the benefit of the presumption.
Many providers display an eIDAS badge on their website without actually being qualified. The only authority is registration in the Trusted List with an active granted status. Everything else is marketing.
What Implementing Decision (EU) 2025/2164 changes
On 28 October 2025, the European Commission published Implementing Decision (EU) 2025/2164, which updates the common technical specifications that the Trusted Lists of the 27 Member States must comply with. The date of application was set at 29 April 2026.
Three main changes:
| Domain | Before 2026-04-29 | Since 2026-04-29 |
|---|---|---|
| Listable services | Closed list of eIDAS 1 services (signature, seal, timestamp, registered delivery, web certificate) | Extension to new eIDAS 2.0 services (wallets, attestations of attributes, qualified electronic ledgers) |
| TSL security | Signed XML format, legacy schemas | Strengthening of signature and seal algorithms used on the lists themselves (alignment with current cryptography) |
| Technical references | References to earlier ETSI standards | Updated ETSI references to follow 2024-2025 technical evolutions |
The full text of the decision is available on EUR-Lex: Implementing Decision (EU) 2025/2164. The technical annexes refer to applicable ETSI standards, including ETSI TS 119 612 (which defines the Trusted Lists format).
Why now?
The eIDAS 2.0 Regulation (EU 2024/1183, in progressive application since 2024) introduces new categories of qualified trust services that did not exist under eIDAS 1:
- European Digital Identity Wallets (EUDI Wallets) β European digital identity wallets
- Electronic Attestations of Attributes (EAA) β electronic attestations of attributes (proof of age, of degree, of licenseβ¦)
- Qualified Electronic Ledgers (QEL) β qualified distributed ledgers (the category that may, in time, host qualified blockchain services)
For these services to be listable and verifiable in the Trusted Lists, the format had to be extended. That is the purpose of this overhaul: laying the technical rails before the new qualified services arrive.
How to verify a qualified status in practice
The method has not changed with the update β the Dashboard interface has been preserved. Here is the recommended procedure for a lawyer, DPO, CISO, or IT counsel in 2026:
- 1Identify the provider and the exact serviceDo not confuse the provider (legal entity) with the specific service (e.g. 'qualified electronic timestamping'). The same provider may have some qualified services and others not. Capture the commercial name and ideally the ETSI service identifier.
- 2Open the EU Trust Services DashboardGo to eidas.ec.europa.eu/efda/tl-browser. This is the only official source aggregating the 27 national Trusted Lists into a unified interface.
- 3Filter by country and service typeSelect the country where the provider is established and the service type sought (qualified timestamp = QTimestamp, qualified signature = QSign, etc.). The returned list shows all matching services with their current status.
- 4Cross-reference the status with the evidence production dateThis is the critical step. Evidence produced on 12 March 2025 must be validated against the service status on that exact date β not the current status. Click on the service to access the historical status changes (granted, withdrawn, effective dates).
- 5Save a timestamped screenshotFor a legal file, archive a screenshot of the Dashboard with its consultation date. This documents your verification and constitutes a piece of evidence in the file.
A service may be qualified today and not have been two years ago (and vice versa). When validating older evidence, what matters is the status on the production date, not the current status. A subsequent withdrawal is not retroactive.
Why this matters even if you don't use a qualified service
At first glance, if you use neither qualified signatures nor qualified timestamps, Trusted Lists may seem abstract. In practice, they concern you as soon as a dispute brings digital evidence into play, whether from your side or the opposing party:
- You produce evidence from a qualified service β you must demonstrate (or be ready to demonstrate) that the service was listed
grantedat the right date. - The opposing party produces evidence presented as qualified β you will want to verify the same to challenge it if it does not hold up.
- You combine multiple sources (qualified timestamp + non-qualified blockchain timestamp + witness statements) β the bundle of evidence rests on the strength of each piece. Understanding the Trusted Lists mechanism helps classify what benefits from the eIDAS presumption and what does not.
It is also a signal for DPOs and CISOs selecting a provider as part of an RFP or annual review: requiring Trusted List registration with proof of history is an obvious due diligence criterion.
And what about LegalStamp?
Let us be clear: LegalStamp is not in the Trusted Lists. We are a non-qualified electronic timestamping service under eIDAS. We do not claim to be one, and our architecture follows a different logic.
| Model | Qualified trusted third party (QTSP) | Blockchain timestamping (LegalStamp) |
|---|---|---|
| Source of trust | The QTSP listed in the Trusted List | The Bitcoin network + the OpenTimestamps protocol |
| Verifiability | Depends on the QTSP existing and the certificate being valid | Independent: the Bitcoin blockchain remains verifiable even if LegalStamp shuts down |
| eIDAS legal presumption | Yes (Article 41 for qualified timestamping) | No (presumption not automatic) |
| Per-unit cost | Variable, typically several euros to several dozen euros | A few cents (volume) to a few euros (pack) |
| Case-law recognition | Established by eIDAS | Reinforced by recent national rulings on blockchain anchoring as admissible evidence |
Our conviction: these two worlds are complementary, not opposed. For a case that strictly requires qualified status β for example a procedure before a European public authority that explicitly demands a qualified eIDAS timestamp β you must go through a QTSP from the Trusted Lists, full stop. For bulk priority evidence at a reasonable cost (freelance deliverables, designer prospecting, manuscript deposits, contractual backups), a blockchain timestamping service like LegalStamp covers the majority of needs, relying on Article 41(1) of eIDAS, which prohibits dismissing a timestamp solely on the ground that it is non-qualified.
To understand the underlying technical mechanics (local SHA-256, Bitcoin anchoring, independent verifiability), see our How it works page.
Limitations of the Trusted Lists framework
The framework is not without blind spots:
- Update latency. A national Trusted List can take several days to reflect a status change (grant, suspension, withdrawal). In urgent litigation, this is a delay to anticipate.
- Heterogeneity across Member States. The 27 national lists follow the same format, but the depth of information varies. Some countries publish rich histories, others a minimal current status.
- Recognition outside the EU. Trusted Lists eIDAS apply within the EU and EEA. Outside this zone (United States, post-Brexit United Kingdom, Asia), a qualified eIDAS service has no automatic legal status β recognition depends on bilateral conventions or case-by-case assessment by the local judge.
- Strict eIDAS scope. Trusted Lists list only services within the eIDAS scope. A useful service in a different category (for example a non-qualified blockchain timestamp) is not meant to appear there β which does not legally disqualify it, but requires it to be justified by other means.
Conclusion
Implementing Decision (EU) 2025/2164 looks like a plumbing change. It is. But it lays the technical rails so that the new eIDAS 2.0 qualified services β identity wallets, attestations of attributes, qualified electronic ledgers β can be listed, verified, and challenged under the same conditions as the historical services.
For lawyers, DPOs, and IT counsel, the reflex remains the same: always go through the EU Trust Services Dashboard to verify a qualified status, and cross-reference that status with the exact production date of the evidence. Trusted Lists evolve; the method to consult them remains stable.
For LegalStamp, this update indirectly confirms our positioning: we operate in a distinct category (non-qualified blockchain timestamping), complementary to QTSPs, and the eIDAS 2.0 sequel may one day open the door to Qualified Electronic Ledgers β that is, qualified distributed registries. Until then, we remain honest about what we are: a fast and affordable priority evidence service, independently verifiable, that covers the majority of concrete needs without claiming a status it does not have.
FAQ
Disclaimer (general information): this article is provided for educational purposes and does not constitute legal advice. Verifying the qualified status of a trust service in a litigation context must be performed by a legal professional, cross-referencing the precise Dashboard history with the production date of the relevant evidence.
