What Is eIDAS?
The Electronic Identification, Authentication and Trust Services (eIDAS) is a European Union regulation that establishes a legal framework for electronic identification and trust services for electronic transactions within the European Single Market. Originally adopted in 2014, it was updated in 2024 with eIDAS 2.0 introducing the EU Digital Identity Wallet.
Because it establishes three levels of electronic signatures (basic, advanced, and qualified) with varying legal weight, eIDAS is essential to clickwrap agreements.
Who Does eIDAS Apply To?
eIDAS applies directly across all 27 EU member states as a regulation, meaning its provisions are immediately binding without national transposition. It governs three distinct groups:
- Trust service providers - Organizations offering electronic signature, seal, timestamp, delivery, and website authentication services.
- Relying parties - Any business or public body that accepts or relies on electronic signatures and trust services.
- Non-EU businesses serving EU customers - Electronic signatures created outside the EU are only recognized if an international agreement exists or on a case-by-case basis.
There is no size threshold: a startup collecting consent from EU users is subject to the same signature classification framework as a multinational corporation.
eIDAS and Clickwrap Agreements
Every clickwrap acceptance made within the EU is classified legally by eIDAS. The design of a clickwrap flow directly influences whether the resultant acceptance can withstand legal scrutiny. Any business using clickwrap agreements to create legally binding contracts with EU users must understand which tier applies and what proof each tier requires.
How eIDAS Affects Clickwrap Design
The non-discrimination principle is established in Article 25(1), which states that an electronic signature is not denied legal effect or admissibility as evidence in court merely because it is in electronic form. Under Article 3(10), a normal clickwrap "I agree" action is therefore considered a simple electronic signature, that is, data in electronic form that is attached to or logically associated with other data and used by the signatory to sign.
Simple electronic signatures are admissible, but national courts have the last say over their evidentiary weight. In practice, this means that a company that relies only on a simple checkbox click may have trouble demonstrating that a particular person carried out the action, especially in cross-border disputes. Clickwrap platforms can incorporate identity verification layers to improve enforceability by elevating the acceptance to an advanced electronic signature under Article 26. Such a signature must be uniquely linked to the signatory, capable of identifying them, created using data under their exclusive control, and linked to the signed data in a way that detects subsequent changes.
Qualified electronic timestamps (Article 41) offer an extra degree of security. A qualified timestamp carries a presumption that the date and time it indicates are accurate and that the data it is bound to is intact. Clickwrap consent events that have qualified timestamps attached to them offer tamper-evident evidence of the acceptance's date, which is difficult to refute.
What Must Be Shown Under eIDAS
eIDAS does not mandate specific disclosure requirements at the time of signature. Rather, the regulation functions as a classification and recognition framework: the legal effect of a clickwrap acceptance depends on the level of electronic signature used and the evidence kept.
Because the evidentiary burden falls on the party relying on the signature, best practice dictates that the clickwrap interface clearly present:
- The identity of the contracting parties, meaning the service provider and the signatory.
- The specific document or terms being signed, with a direct link to the full text.
- The nature of the action: that clicking constitutes an electronic signature binding the user to the presented terms.
Through the trust services framework, eIDAS sets extra standards for advanced and qualified electronic signatures. Before issuing a qualified certificate, qualified trust service providers are required by Article 24 to verify the identity of the signatory. The identity verification phase must take place either before or during the signature procedure when a clickwrap flow incorporates qualified signing.
What Records You Must Keep Under eIDAS
For simple electronic signatures, the party relying on the clickwrap agreements must be prepared to prove:
- The association between the signatory and the signature - IP address, session data, authenticated account, device fingerprint.
- The integrity of the signed data - Proof that the terms presented at the moment of acceptance have not been altered since the signature event.
- The timestamp of the signature - When the acceptance occurred, with a qualified electronic timestamp under Article 41.
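As an added example (not part of the original page or of any clickwrap product), the three proofs listed above can be captured in one sealed record per acceptance and re-checked later. The field names, the HMAC sealing key and the hash chain between records are assumptions of this example, and `accepted_at` is a server clock reading that does not replace a qualified electronic timestamp under Article 41.

```python
import hashlib
import hmac
import json

SEAL_KEY = b"constructed-demo-key"  # assumption: real key lives in a KMS/HSM
GENESIS = "0" * 64  # prev_seal of the first record in the log

def terms_digest(terms_text):  # SHA-256 of the exact text shown to the user
    return hashlib.sha256(terms_text.encode("utf-8")).hexdigest()

def _seal(body):  # HMAC over canonical JSON so identical fields give one MAC
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(SEAL_KEY, data, hashlib.sha256).hexdigest()

def record_acceptance(terms_text, terms_url, signatory, accepted_at, prev_seal):
    """One evidence record: who accepted, which text, when, and the chain link."""
    body = {
        "signatory": signatory,  # account, IP, session, device fingerprint
        "terms": {"url": terms_url, "sha256": terms_digest(terms_text)},
        "accepted_at": accepted_at,  # server clock, not a qualified timestamp
        "prev_seal": prev_seal,  # makes deletion or reordering detectable
    }
    return {**body, "seal": _seal(body)}

def verify_log(records, terms_by_url):
    """Return (index, problem) findings; an empty list means the log checks out."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "seal"}
        if not hmac.compare_digest(_seal(body), rec.get("seal", "")):
            findings.append((i, "record altered after sealing"))
        if rec.get("prev_seal") != prev:
            findings.append((i, "chain broken: record missing or reordered"))
        archived = terms_by_url.get(rec["terms"]["url"], "")
        if terms_digest(archived) != rec["terms"]["sha256"]:
            findings.append((i, "archived terms differ from accepted text"))
        prev = rec.get("seal", "")
    return findings

def sample_log():
    """Constructed sample: two acceptances of the same constructed terms text."""
    terms = {"https://example.com/terms/v3": "Constructed sample terms, version 3."}
    url, log, prev = "https://example.com/terms/v3", [], GENESIS
    for acct, ip, ts in [("u-1001", "192.0.2.10", "2025-01-15T09:30:00Z"),
                         ("u-1002", "198.51.100.7", "2025-01-15T09:31:12Z")]:
        who = {"account": acct, "ip": ip, "session": "s-" + acct, "device_fp": "fp-" + acct}
        log.append(record_acceptance(terms[url], url, who, ts, prev))
        prev = log[-1]["seal"]
    return log, terms
```

The archived terms text must be stored byte-for-byte as presented, since any re-rendering or whitespace change alters the digest and the record would then fail verification.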
Under Article 24(2), the trust service provider is primarily responsible for keeping records pertaining to qualified electronic signatures. This includes keeping all pertinent information about data issued and received by the qualified trust service provider for an appropriate period of time, at least as long as required by national law, and in practice for the duration of the certificate's validity plus the applicable limitation period.
A qualified electronic signature based on a qualified certificate issued in one member state shall be accepted as a qualified electronic signature in every other member state, according to Article 25(3). According to Commission Implementing Decision (EU) 2015/1506, records related to such a signature, such as the certificate and validation data, must be kept in a format that facilitates cross-jurisdictional verification.
