
    Operating in a New Trust Framework: AI and eIDAS 2.0

    Why trusted digital identity matters in an AI driven world.

    Artificial Intelligence (AI) has accelerated both the volume and sophistication of identity-based attacks. Deepfakes, synthetic identities, and large-scale automated fraud make it harder for relying parties to distinguish legitimate users from adversaries.

    In response, the EU’s eIDAS framework and its updated regulation (known as eIDAS 2.0) provide a trusted, regulated foundation for secure electronic identification and a range of trust services - such as electronic signatures, seals, timestamps, registered delivery, and website authentication. Together, these measures ensure consistent assurance levels and legal validity across the EU Single Market, in line with ETSI standards.

    Responsible usage of AI relating to eIDAS regulatory compliance

    Advancements in technologies such as AI and machine learning can support process and efficiency improvements. However, if AI is used in supporting processes (e.g., fraud detection), it should be governed, validated, explainable and auditable - and should not replace cryptographic controls or required identity proofing steps.

    AI can enhance trust service journeys (faster KYC, anomaly detection, adaptive authentication), but these gains must sit inside a robust cryptographic and independently assessed trust framework. eIDAS establishes interoperable and harmonised legal requirements across EU Member States. Conformity assessment evaluates whether the trust service, including any supporting technologies, meets the applicable regulatory and standards-based requirements.

    Regulatory recognition of eIDAS Conformity Assessments

    • In the EU, eIDAS establishes a single legal and technical framework for electronic identification and trust services, backed by ETSI standards that define how providers must operate and be independently assessed. 
    • The UK sets rules for trust services under the ICO’s supervision (audits, qualified status, trusted list). Crucially, the legal effect of EU eIDAS qualified trust services is recognised and used in the UK, but there’s no reciprocal automatic recognition for UK qualified services in the EU. UK providers serving EU markets must comply with EU eIDAS. 

    Why AI raises the bar for Trust Service Providers (TSPs)

    AI has given cybercriminals simpler pathways and new methods for conducting sophisticated fraud operations with fewer resources, such as widespread access to tools that create convincing deepfakes and synthetic identities. These heightened, or more prevalent, operational risks present TSPs with the challenge of responding appropriately, ensuring that mitigation strategies are robust and kept up to date with the evolution of technology.

    AI does not invalidate trust frameworks, but it does raise expectations on TSPs. Regulators and relying parties need evidence of appropriate, auditable controls relating to risks, including those introduced or increased by advancing technologies.

    Under eIDAS, Qualified Trust Service Providers (QTSPs) operate against ETSI references (e.g., EN 319 401/411), and conformity assessment reports (CARs) are central to gaining or renewing qualified status. EU supervisory bodies and the ICO require periodic assessments and reporting, which aligns well with AI era demands for transparency and resilience.

    Practical steps for Trust Service Providers (TSPs) to establish confidence and conformity aligned with eIDAS 2.0

    1. Map services to ETSI standards - e.g., EN 319 401/411/412 for the issuance of qualified certificates for electronic signatures - and use their content to implement audit-ready controls and evidence.
    2. Catalogue trust services against ETSI references (certificates, time stamping, remote signing, delivery). 
    3. Know your recognition path. EU services are recognised EU-wide, and the UK recognises EU qualified services; however, UK qualified services are not automatically recognised in the EU. Design contracts and compliance accordingly.
    4. When utilising AI or similar technologies, ensure that they complement, rather than replace, cryptographic assurance and audited processes.
    5. Plan for wallet integration (APIs, selective disclosure, attribute attestation). Prioritise privacy-preserving flows that reduce data exposure.
    6. Keep pace with implementing acts: Track supervisory reporting formats, accreditation updates, and wallet ecosystem requirements. 
    7. Check relevant information sources, such as the ICO, ETSI, European Commission and BSI websites, for information and updates on eIDAS regulations and related directives, such as NIS2.