
2 posts tagged with "eidas"


2027 Is Closer Than It Looks. What eIDAS 2.0 Means for Companies in Romania.

· 6 min read
Cătălin Toma
Founder, EidKit

On 4 December 2024, the European Commission published the first implementing acts of Regulation (EU) 2024/1183 — eIDAS 2.0. Twenty days later, they entered into force. Since then, the clock has been running.

The deadlines are legal, not aspirational. By the end of 2026, every EU Member State must make at least one certified European Digital Identity Wallet available to citizens. By the end of 2027, private companies in regulated sectors are required to accept it. And the sectors that fall under this obligation include, explicitly, banks, payment service providers, insurers, and telecoms.

If you work in any of these domains in Romania, 2026 is the year to understand what this transition involves — not 2027.


What the EUDI Wallet Is, and Its Connection to the Electronic ID Card

The EUDI Wallet is a standardised mobile app in which citizens can store and present verified identity credentials — their identity card, driving licence, diplomas, professional qualifications, and other attributes. Users control what data they share and with whom, through selective disclosure: you can prove you are over 18 without revealing your exact date of birth, or confirm you are a resident of a Member State without giving your full address.

The connection to the Romanian CEI is direct and intentional. The Director of DGEP, Cătălin Giulescu, has publicly stated that the electronic identity card is "an intermediary" in the digitisation process — the platform on which Romania's EUDI Wallet will be built. The CEI chip, with its MAI-issued digital certificates, is the primary enrollment mechanism for the wallet. Without CEI, there is no Romanian EUDI Wallet.

Romania is already participating in the EUDIW-PACT pilot project coordinated by the French Ministry of the Interior, alongside 24 other Member States. On 17-18 March 2026, cross-border interoperability tests took place in Bucharest in a live environment — working credential exchange between different Member States.


The Timeline, Clearly

| Deadline | Obligation |
|---|---|
| 24 Dec 2024 | First implementing acts enter into force — clock starts |
| 31 Dec 2026 | Each Member State provides at least one certified EUDI Wallet |
| 31 Dec 2026 | Public and semi-public bodies required to accept it |
| 31 Dec 2027 | Private companies in regulated sectors required to accept it |

Article 5f(2) of the Regulation is direct: private companies already legally required to use strong user authentication — Strong Customer Authentication — must accept the EUDI Wallet at the user's request, within 36 months of the implementing acts entering into force. The legal basis for SCA in financial services is PSD2. If you are a bank or fintech processing payments, the obligation is certain.

Penalties for non-compliance reach €5 million or 1% of global turnover, whichever is higher.


Why 2026 Is the Year to Act, Not 2027

There is a common trap in how companies read regulatory deadlines: they see 2027 and plan for 2027. The problem is that an enterprise-level integration does not complete in a few weeks.

Implementation experts estimate that a full integration, from decision to production, takes between 9 and 18 months for a mid-to-large organisation. A bank with legacy systems, procurement processes, internal audit requirements, and well-defined release cycles will be at the upper end of that range, not the lower.

Companies that start in 2027 will go live in 2028 — after the mandatory deadline. Companies that start in 2026 will be ready on time, and will have gained a competitive advantage: they can offer customers EUDI Wallet authentication before it becomes the standard.

Chambers & Partners, in their Romania FinTech analysis, confirm explicitly: in practice, 2026 is the preparatory year to achieve wallet acceptance and adapt onboarding flows for 2027.


What to Prepare, Concretely

1. Map your identity flows

The first step is not technical — it is a business exercise. Any company under the obligation must identify every point in its products and services where strong authentication or identity verification occurs: KYC onboarding, authentication for significant transactions, contract signing, access to sensitive data. These are the points that must accept EUDI Wallet credentials.

2. Register as a Relying Party

Companies that want to accept the EUDI Wallet must register as a relying party with the competent national authority. Without registration, you cannot request credentials from user wallets. The registration process is not instant — it involves identifying your legal entity, specifying the attributes you intend to access, and the business reasons why you need them.

3. Technical integration

The technical standards for interacting with the EUDI Wallet — OpenID4VP for credential presentation, OpenID4VCI for issuance, SD-JWT for selective disclosure — are established through the implementing acts. Integration means implementing these protocols alongside existing systems, not replacing them.

4. Redesign KYC data flows

The Regulation mandates data minimisation — you may only request the attributes necessary for the given transaction. If you currently have a KYC flow that collects all available data, you will need to redesign it to request selectively only what is needed for each context. This is an architectural change, not just a UI change.
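
An added example, not code from the original post or from EidKit: a relying-party-side check of SD-JWT selective disclosure against a per-context attribute policy, covering what steps 3 and 4 describe. The claim names, salts, issuer URL and the `POLICY` table are constructed for illustration, and the issuer signature and holder key binding are assumed to have been verified before this code runs.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(salt: str, name: str, value) -> str:
    # A disclosure is base64url(JSON array [salt, claim name, claim value]).
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def digest(disclosure: str) -> str:
    # The issuer commits to each disclosure by placing this digest in "_sd".
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def verify_disclosures(payload: dict, disclosures: list, requested: set) -> dict:
    """Check holder-supplied disclosures against the issuer's "_sd" digests
    and against what this transaction asked for. `payload` is assumed to come
    from an issuer JWT whose signature has already been verified."""
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    committed = set(payload.get("_sd", []))
    claims = {}
    for disclosure in disclosures:
        if digest(disclosure) not in committed:
            raise ValueError("disclosure does not match any issuer digest")
        padded = disclosure + "=" * (-len(disclosure) % 4)
        # Only object-property disclosures (three elements) are handled here.
        _salt, name, value = json.loads(base64.urlsafe_b64decode(padded))
        if name not in requested:
            raise ValueError(f"over-disclosure: {name!r} was not requested")
        if name in claims or name in payload:
            raise ValueError(f"claim {name!r} appears more than once")
        claims[name] = value
    return claims

# Hypothetical per-context request policy (data minimisation).
POLICY = {
    "age_gate": {"age_over_18"},
    "account_opening": {"given_name", "family_name", "birthdate"},
}

# Constructed credential: salts, names and values are made up for the example.
ISSUED = {
    name: make_disclosure(f"constructed-salt-{i}", name, value)
    for i, (name, value) in enumerate({
        "given_name": "Ana", "family_name": "Pop",
        "birthdate": "1990-05-17", "age_over_18": True,
    }.items())
}
PAYLOAD = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
           "_sd": sorted(digest(d) for d in ISSUED.values())}

def present(names) -> list:
    # Holder side: reveal only the chosen disclosures.
    return [ISSUED[n] for n in names]

if __name__ == "__main__":
    print(verify_disclosures(PAYLOAD, present(["age_over_18"]), POLICY["age_gate"]))
```

The verifier rejects a presentation that reveals more than the context requested, which makes data minimisation an enforced property of the flow rather than a UI convention.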


The Situation in Romania: Solid Foundation, Operational Uncertainty

Romania is not starting from scratch. The CEI is already in national rollout, with over 1.5 million cards issued and a target of 5 million by mid-2026. ROeID exists as a government SSO application. EUDI Wallet interoperability tests have already taken place on Romanian soil.

What is missing is operational clarity for the private sector. A recent Accace report finds that while legal alignment exists through Law 214/2024, many companies lack clarity on short-term practical requirements. Awareness remains limited outside heavily regulated sectors.

There is also an honest nuance to add: at the European level, some Member States may not meet the 2026 deadline for wallet availability, due to the technical complexity and standards still being finalised in parallel. But the 2027 deadline for the private sector is independent of the exact wallet launch timing — the acceptance obligation exists regardless. And in Romania, the CEI is already available and functional as the foundation.


The Connection to Today's Identity Infrastructure

There is a direct continuity between what is available now and what will be mandatory in 2027. The EUDI Wallet in Romania will be populated with data from the CEI. NFC-based KYC flows that read the CEI chip today are architecturally compatible with what accepting EUDI Wallet credentials will require tomorrow — the same assurance level, the same identity data source, the same MAI certificates in the verification chain.

Companies integrating CEI NFC reading today for onboarding and identity verification are not building a temporary solution. They are building the identity infrastructure they will need in 2027, one or two years ahead of the legal obligation.


We write about the Romanian CEI — its capabilities, its integration challenges, and the regulatory context around it. If a topic here is relevant to something you're building, feel free to reach out.

Romania's 2024 Electronic Signature Law, Explained. What Your ID Card Can Sign — and What It Can't.

· 10 min read
Cătălin Toma
Founder, EidKit

This is the second article in our series on Romania's electronic identity card. The first covers the address problem that's quietly breaking KYC flows. The third goes into the technical details: what it actually takes to integrate the CEI over NFC.

On 8 October 2024, Romania's Law 214/2024 on the use of electronic signatures entered into force — the most significant piece of legislation in this domain since the country first regulated electronic signatures in 2001. It repealed the old law, clarified the legal framework for all three signature types recognised under European eIDAS regulation, and for the first time gave a clear legal basis to the signature embedded in the new electronic identity card.

Many people read this as a simple announcement: your ID card can now sign documents with legal weight. The reality is more nuanced — and the nuance has immediate practical consequences for anyone building software that involves signed documents, or for individuals trying to understand what their card actually does.


Three Types of Signature, Three Levels of Security

The law, following the EU's eIDAS Regulation, recognises three types of electronic signature. They are not interchangeable.

Simple Electronic Signature (SES). The most basic level. Examples: typing your name at the end of an email, or attaching a PNG image of your signature to a Word document. The law recognises its legal effect in limited circumstances: acts valued below half the gross minimum wage (~925 RON currently), where the other party acknowledges the document through conduct (for instance, by performing the obligations in it), or where both parties — both legal entities — have agreed in writing in advance to accept this signature type.

Advanced Electronic Signature (AdES). A step up. Must be uniquely linked to the signatory, capable of identifying them, created using data under the signatory's exclusive control, and able to detect any subsequent modification to the signed document. The CEI signature falls into this category — it is created using a certificate issued by the Ministry of Internal Affairs, stored on the card's chip, under the holder's control via PIN.

Qualified Electronic Signature (QES). The highest level. An advanced signature that is additionally created using a qualified signature creation device and based on a qualified certificate issued by a qualified trust service provider (QTSP) — an entity accredited and supervised by the state. Romania has several such providers: certSIGN, DigiSign, CertDigital, Trans Sped and others. The certificate is obtained separately, at cost, usually on a USB token or in the cloud.

The CEI signature is not qualified. It is advanced, with a certificate issued by a public authority — which places it in a subcategory with broader legal effects than an ordinary advanced signature, but still below qualified.


What the CEI Signature Can Do, per Art. 4 of Law 214/2024

Article 4(5) of the law states that an advanced electronic signature has the same legal effects as a handwritten signature if at least one of the following conditions is met:

a) the act was signed with an advanced electronic signature created with a certificate issued by a Romanian public authority or institution or by a qualified trust service provider

b) the electronic document is acknowledged by the party against whom it is invoked — including through performance of the document's obligations

c) the parties have expressly agreed, in a separate document signed by hand or with a qualified electronic signature, that they will give the advanced signature the legal effects of a handwritten signature

The CEI satisfies condition (a) directly: the certificate is issued by MAI, which is a Romanian public authority. This means that for any act the law requires in written form as a condition of proof (ad probationem), or for which it imposes no particular form, the CEI signature is equivalent to a handwritten signature — with no further conditions required.

Practical examples where it works: service agreements, consultancy contracts, employment contracts (under GEO 36/2021 which explicitly permits AdES for individual employment contracts), official correspondence, administrative applications, commercial agreements between professionals.


What the CEI Signature Cannot Do

There are two categories where the CEI's advanced signature is not sufficient, regardless of what the law says in theory.

1. Acts Requiring Written Form ad validitatem

Some legal acts are valid only if they are in written form — not as a condition of proof, but as a condition of validity. Examples: mortgage agreements, donation contracts, articles of association for legal entities. The law says that for these acts, the electronic form is valid if the document is signed with a qualified signature or with an advanced signature that produces the effects of a handwritten signature under the conditions of the law.

The CEI can technically satisfy this condition (MAI certificate = public authority = condition (a) met), but in practice notaries and public registries require a qualified signature. They are within their rights to do so, since the law does not prohibit them from imposing stricter technical requirements in their internal procedures.

2. Automated Government Platforms — the Practical Problem

ANAF / SPV: As of the date of this post, the ANAF Private Virtual Space does not recognise the CEI signature. Platforms with automated validation check certificates without human intervention and accept only qualified signatures. You can sign a document correctly and legally with your CEI, and the platform will reject it automatically. This applies to: tax declarations D212, D112, D300, and any other filing through SPV.

ONRC: Same situation. Registration of corporate acts, statutory amendments, any legally binding operation at the Trade Registry requires a qualified signature.

SICAP/SEAP: Participation in public procurement requires a qualified signature.

The technical reason: these platforms were built and configured before the CEI existed at national scale. Automated validation accepts only qualified certificates — the only ones with a well-defined structure that can be validated instantly. The CEI's advanced certificate, though legally valid, does not pass through the same technical channel.

An important distinction

The law does not say the CEI signature is legally refused by ANAF. The problem is not legal — it is technical. A document signed with a CEI is valid. The platform cannot process it. These are two different things, and the confusion between them has caused considerable frustration.


An Exception Worth Knowing: Closed Electronic Systems

Art. 4(5)(d) of the law allows an advanced signature to produce the effects of a handwritten signature within a closed electronic system — a platform used by a defined set of participants, subject to a security audit process. This means a private company can build a signing flow that accepts CEI signatures and give them full legal weight in its internal operations or customer-facing processes, if the system architecture meets the law's conditions.

This is the space where the private sector can and should move faster than the state.


The CEI Certificate: a Few Technical Details

Law 214/2024 contains a specific provision for the CEI certificate: by way of exception from the general two-year rule for advanced signatures, the certificate issued by MAI and inscribed on the electronic identity card is valid for up to five years (Art. 3(5)). The exact validity is set by MAI at issuance.

The certificate covers the advanced electronic signature. It is not a qualified certificate. If you need a qualified signature for SPV or ONRC, you must obtain a separate certificate from an accredited provider — certSIGN, DigiSign, CertDigital or another on the list approved by the Authority for the Digitalisation of Romania.


Where It Works Well Now: The Private Sector

If the automated government platforms are the problematic exception, the entire private sector is open territory. The CEI certificate is issued by MAI — a public authority — which means it satisfies condition (a) of Art. 4(5) directly. Any company building a signing flow with the CEI needs no additional conditions: no prior written agreement between parties, no tacit acknowledgement. The signature is valid from the first use.

The domains with the strongest practical potential:

HR and employment contracts. GEO 36/2021 explicitly permits advanced electronic signatures for individual employment contracts and all related HR documents. Companies hiring remotely or processing large volumes of HR paperwork need exactly this — verified identity and a signed contract in the same flow.

Fintech and financial onboarding. Service agreements, mandate documents, consent forms, credit agreements (excluding mortgages which require a notary). A fintech building its onboarding on CEI gets identity verification, domicile address, and a legally valid signature in a single NFC interaction.

Real estate — rental. Lease contracts are ad probationem, not ad validitatem. The CEI's advanced signature is entirely sufficient. Proptech platforms eliminating in-person attendance at lease signings have the legal foundation to do so.

Insurance. Policy contracts, broker mandates, damage claim declarations. The ASF (Financial Supervisory Authority) has actively pushed toward digital workflows. Insurance companies need identity verification at onboarding and a signature on policy documents — the CEI handles both.

Telecommunications. Subscription contracts are standard commercial agreements, fully valid with an advanced signature. Orange, Vodafone, Digi — each currently has massive onboarding friction.

Private healthcare. Consent forms, treatment agreements, admission documents for private clinic networks.

Freelance and B2B collaboration platforms. Collaboration agreements, service contracts between professionals. Under Law 214/2024, B2B contracts between professionals with a prior written agreement are valid with any advanced electronic signature.

Legal services. Client retainer agreements, mandates (împuterniciri), internal document flows for law firms.

Banking — customer-facing contracts. Distinct from the SPV/ANAF problem: banking service contracts with individuals, investment mandate agreements, onboarding documents for new accounts — all of these are private relationships, not interactions with automated government platforms. The CEI signature is valid.

What all these domains have in common: they need verified identity and a signature, and they benefit from eliminating friction in their onboarding or signing process. The CEI is the only mechanism available in Romania that delivers all three simultaneously, from a phone, without additional hardware, without a visit to an office.


What Comes Next

The situation is not fixed. The government has indicated it is working on making state platforms technically compatible with the CEI signature, though no public deadline has been committed to. Pressure is building from several directions: the number of CEI cards in circulation is growing quickly, the eIDAS 2.0 Regulation requires institutions to accept recognised electronic identification means, and the EUDI Wallet — the EU digital identity wallet — must be available in Romania by the end of 2026.

For now, the practical picture is straightforward: the CEI signature works well in private-sector relationships and anywhere a human reviews the document. It does not yet work on automated government platforms.

