Qualified trust service providers (QTSPs) are under no illusions about what 2027 will bring. Awareness of EUDI Wallets, notified eIDs and the revised Article 24 regime is widespread, and technical literacy across the market is already strong. The real gap, however, lies in operational readiness, and the scale of work required is being consistently underestimated.
According to Hopae, the timelines are far less generous than they appear. For QTSPs that are not already close to ETSI TS119-461 LoIP Extended alignment, recertification can stretch beyond 20 months. Even comparatively mature teams should budget for six to nine months of effort, meaning the window to begin is effectively now.
Hopae recently detailed the 3 things slipping under QTSPs’ radar before the 2027 eIDAS deadlines.
The first underestimated issue is that document-based identity proofing is being squeezed from two directions at once. On the regulatory side, the updated Article 24(1a) requirements demand audited conformity under ETSI TS119-461, a standard many existing document-based methods do not currently meet.
On the technical side, generative AI has slashed the cost of producing convincing fake documents and injecting them into onboarding flows. Document-based methods remain a legitimate Article 24(1a) route and an important fallback while wallet and LoA High eID coverage matures, but the assumption that fallback stacks can simply be modernised later is a risky one. Fallback methods require the same conformity work as primary methods and face the same deadline pressure.
The second issue is that cross-border wallet and notified eID acceptance is not a one-off technology project but a permanent operational function. Every Member State will issue its own EUDI Wallet, and most will maintain notified eID schemes alongside them. Although wallets share a common architecture under the ARF, national implementations differ in trusted issuers, registration requirements and feeder eID schemes.
Supporting a single eID provider already involves registration, integration, testing, monitoring, incident handling and continuous adaptation, and in some cases a local legal presence. Multiplied across the EU, this becomes an ongoing interoperability operation. Since the value of the qualified framework is fundamentally cross-border, a QTSP accepting only its domestic wallet is offering portability that stops at the border, something users in Belgium, Italy or Poland will notice quickly.
The third issue is that the build-versus-partner decision is too often made by default. Many organisations start a small internal integration project, discover the complexity midway, and either persist because of sunk costs or scramble for a partner under deadline pressure. Both routes are expensive. The sharper question is where a QTSP’s differentiation genuinely lies.
Certificate issuance, signature creation, supervisory relationships and audit posture create long-term value, whereas wallet and eID acceptance infrastructure is operationally heavy, continuously maintained and largely undifferentiated across the market. Whether building it internally is the best use of the next 12 to 18 months of engineering, compliance and product capacity is a decision that deserves scrutiny.
QTSPs are advised to convene one cross-functional meeting this quarter, bringing product, compliance and engineering together to answer three questions: where the document-based fallback sits on the ETSI TS119-461 recertification curve, who owns the ongoing cross-Member-State acceptance workload, and whether the build-or-partner choice reflects strategy or drift.
Providers that move early also gain faster onboarding, better conversion, lower fraud exposure and a superior user experience. The deadline is a forcing function, and the competitive advantage is what follows it.
Read the full Hopae post here.
Copyright © 2026 RegTech Analyst
Copyright © 2018 RegTech Analyst





