What TSPs Must Prioritise in Digital Signatures in 2026

4 Execution Priorities for Trust Service Provider Managers

By 2026, trust service providers (TSPs) sit at the centre of Europe’s digital trust infrastructure. Under eIDAS 2, qualified and non-qualified trust services underpin high-value digital signatures, seals, timestamps and certificates across the EU.

At the same time, EUDI Wallets are moving from large-scale pilots toward end-2026 launch, changing how users experience signing and how TSPs integrate.

NIS2 and other sectoral regulations pull many TSPs into the category of essential or important entities, with stricter cyber risk management and incident reporting obligations.

For TSP managers, the question in 2026 is no longer whether these changes will happen, but whether the organisation can operate and scale under the new rules while staying profitable. Four priorities stand out.

1) Operational Readiness for EUDI Wallets & eIDAS 2

EUDI Wallets shift where and how users experience digital signatures. The wallet becomes the user’s main touchpoint, but TSPs still carry the legal and operational responsibility for signature creation, certificate status and evidence.

Operational readiness means:

New integration models: TSPs must expose wallet-friendly APIs, support required formats and assurance levels, and manage new trust relationships with wallet providers and Member States.

Consistent user journeys: Signature flows must be simple, fast and understandable across borders, while still complying with TSP policies.

Aligned risk management: eIDAS 2 and its Implementing Acts introduce detailed requirements on risk management and service operation for TSPs, including those integrating with EUDI Wallets.

2) Crypto Agility & PQC Readiness

Digital signature services are entirely dependent on cryptography. Remote signing servers, QSCDs and timestamping services all rely on specific algorithms and signature formats that must remain secure and compliant over many years.

TSPs must ensure that they have a crypto inventory, a central crypto policy and a PQC roadmap aligned with EU and ETSI guidance. If cryptography is hard-wired into each application, every change becomes an emergency project. If it is governed centrally, change becomes manageable.

3) Compliance, Auditability & Transparency

Under eIDAS 2, trust services face tighter requirements around governance, risk management and auditability. Qualified TSPs must undergo regular conformity assessments; non-qualified TSPs also face defined risk-management and reporting obligations.

For TSP managers, three themes matter most:

Permanent audit-readiness: Align security policies and operational procedures with related standards, ensure critical processes are documented and evidenced, and maintain tamper-resistant logs for signature creation, validation and key management.

Coherent control framework: Map overlapping obligations from eIDAS 2 and sectoral regulations onto a single internal control set.

Transparency to relying parties: Communicate service status and incidents clearly and promptly, and provide accurate technical and policy information in both human-readable and machine-readable form.

Missing or inconsistent evidence is likely to be treated as a control failure.

4) Security, Automation & Operational Efficiency

Wallet readiness, crypto-agility and continuous compliance all increase operational load. At the same time, most TSPs face cost pressure and a limited pool of specialised staff. Manual, ticket-driven processes do not scale.

Security automation and operational efficiency are therefore core risk controls, not only cost-saving measures.

Automation itself must be governed. Access to orchestration tools must be controlled and logged, automated changes must follow change-management rules, and all security-relevant actions must appear in your evidence trail.

The goal is that the default way of working is both efficient and compliant, not that compliance is added as a separate layer of manual checks.

What this means for TSPs

These four priorities are tightly connected. EUDI Wallet readiness exposes integration and evidence gaps. Crypto-agility and PQC readiness determine whether your trust services remain viable over the long term. Compliance and transparency shape your relationship with supervisors and relying parties. Automation and efficiency decide whether you can deliver all of this at scale.

TSPs that move early on these fronts will not only be ready for eIDAS 2 and EUDI Wallets, but will be better placed to win and retain high-value customers who depend on reliable, scalable digital signature services.

If you’re shaping your 2026 roadmap as a trust service provider, you don’t have to start from scratch. Cryptomathic works with qualified and non-qualified TSPs to deliver eIDAS-compliant digital signature platforms, EUDI Wallet integrations and PQC-ready crypto control.