Trust in QEAA and PubEAA Issuance and Presentation¶
Overview¶
Qualified Electronic Attestations of Attributes (QEAA) and Public Electronic Attestations of Attributes (PubEAA) provide the highest level of legal assurance in the eIDAS framework. Both offer document-equivalent evidentiary value—the same legal effect as lawfully issued attestations in paper form.
QEAA and PubEAA are special-purpose instruments
QEAA and PubEAA are not the default choice for all use cases. They should be used only when document-equivalent evidentiary value is legally or practically required.
For guidance on choosing between EAA, QEAA, and PubEAA, see the Trust Overview and Decision Guide.
QEAA: Qualified Electronic Attestations of Attributes¶
When QEAA is Required¶
QEAA are appropriate in exceptional cases, particularly when:
- No existing trust or acceptance structure exists between issuer, user, and relying party
- Regulatory requirements explicitly demand original-document equivalence
- Cross-border use is intended and acceptance conditions in other Member States are unknown
- Risk must be outsourced to a supervised third party via statutory liability
Trust Model for QEAA¶
Trust in QEAA is anchored in the qualified status of the Trust Service Provider (QTSP), including:
| Trust Element | Description |
|---|---|
| Conformity assessment | Ex-ante verification by a conformity assessment body |
| Supervision | Ongoing supervision by the national supervisory body |
| EU Trusted List inclusion | Publication in the EU List of Trusted Services |
| Qualified signatures/seals | QEAA must be signed with a qualified electronic signature or seal |
| Statutory liability | QTSP assumes liability for damages under eIDAS |
QEAA Issuers¶
- QEAA may only be issued by QTSPs (Qualified Trust Service Providers)
- QTSPs must undergo conformity assessment and be supervised
- QTSPs must be listed in the EU Trusted List of qualified services
- QTSPs must verify attributes against authentic sources per Article 45e eIDAS
Liability under QEAA¶
The QTSP is liable for damages caused to any natural or legal person due to failure to comply with the obligations under eIDAS. This statutory liability regime provides:
- Mandatory professional liability insurance
- Presumption of fault (QTSP must prove absence of negligence)
- Direct statutory claims against the QTSP
PubEAA: Public Electronic Attestations of Attributes¶
When PubEAA is Appropriate¶
PubEAA are specifically for public bodies responsible for authentic sources that need to:
- Issue attestations with document-equivalent evidentiary value
- Maintain issuance under their own authority and control
- Issue attestations in their own name (not via a QTSP)
- Avoid the obligation to provide verification mechanisms for QTSPs per Article 45e
Trust Model for PubEAA¶
Trust in PubEAA is anchored in the public-law mandate of the issuing authority:
| Trust Element | Description |
|---|---|
| Public mandate | Authorization by the Member State under public law |
| Authentic source responsibility | The public body is responsible for the authentic source |
| Certified attributes | Authorization evidenced via qualified certificates |
| Annex VII compliance | Must meet requirements specified in Annex VII of eIDAS |
| Member State notification | Public body must be designated and notified to the EU Commission |
PubEAA Issuers¶
- Issued by or on behalf of a public body responsible for an authentic source
- The public body must be designated by the Member State
- Must be listed by the Member State and notified to the European Commission
- Published on the national PubEAA providers list
Public vs. QTSP Issuance¶
Public bodies have a choice:
| Option | Issuer | Control | Name on Attestation | Cost |
|---|---|---|---|---|
| PubEAA | Public body | Full | Public body | Higher |
| QEAA via QTSP | QTSP | Shared | QTSP | Lower |
The decision depends on whether the public body needs to maintain control and issue in its own name versus leveraging QTSP infrastructure.
EU Catalogue of Schemes for Attestation¶
QEAA and PubEAA schemes are registered in the EU catalog of schemes for the attestation of attributes, as defined in EU Implementing Act 2025/1569, Article 8.
EU Catalogue for Trust Validation¶
The EU catalog serves as a trust anchor for cross-border recognition:
| Aspect | National Catalogue | EU Catalogue |
|---|---|---|
| Initial publication | Required | Optional |
| Cross-border recognition | National only | EU-wide |
| Trust level | Member State | EU-wide interoperability |
Relying parties verify QEAA/PubEAA by looking up the scheme in the EU catalog to confirm it meets qualified requirements.
For general catalog concepts, structure, and governance, see Attribute Catalogs.
Trust Architecture¶
Figure: Trust architecture for QEAA / PubEAA issuance and presentation
For a description of general trust management between the participants of the ecosystem see Trust Validation Overview.
During QEAA/PubEAA Issuance¶
QEAA Issuance¶
The QTSP must:
- Verify the holder's identity according to Article 24(1) eIDAS
- Verify attributes against authentic sources per Article 45e
- Issue the QEAA signed with a qualified electronic signature or seal
- Ensure inclusion in the EU catalogue of schemes
PubEAA Issuance¶
The public body must:
- Verify the holder's identity (Article 24(1) applies indirectly; higher levels possible)
- Verify attributes directly from the authentic source (the public body is the authentic source)
- Issue the PubEAA signed with a qualified electronic signature or seal
- Ensure inclusion in the EU List of Enabled Authentic Sources
During QEAA/PubEAA Presentation¶
The Relying Party Instance verifies:
- Look up the scheme by name from the credential in the EU catalogue of attestations
- If not found in EU catalogue: look up in national catalogue
- Verify credential type (QEAA or PubEAA)
- Validate the qualified signature/seal against the EU Trusted List
- Check status/revocation via Token Status List
Trust Chain Validation¶
For QEAA:
- Verify the issuing QTSP is listed in the EU Trusted List
- Verify the signature certificate chains to a qualified trust anchor
- Verify the scheme is registered in the catalogue
For PubEAA:
- Verify the issuing public body is in the EU List of Enabled Authentic Sources
- Verify the signature with qualified seal/signature
- Verify the scheme is registered in the catalogue
Legal Effect and Recognition¶
Both QEAA and PubEAA have:
- Same legal effect as lawfully issued attestations in paper form
- Recognition across all Member States under eIDAS qualified trust services
- Admissibility as evidence in legal proceedings throughout the EU
Use Cases¶
QEAA Use Cases¶
- Banking and insurance sector: Regulatory requirements demand document equivalence
- Cross-border transactions: Unknown acceptance conditions in other Member States
- High-risk scenarios: Where statutory liability and supervision provide assurance to relying parties
PubEAA Use Cases¶
- Government-issued attestations: Driving licenses, professional qualifications, residence permits
- Authentic source attestations: Where the public body is the authoritative source of the data
- Exemption from Article 45e: To avoid providing verification mechanisms for QTSPs
Related Resources¶
- Trust Overview and Decision Guide — For choosing between attestation types
- Trust in EAA — For EAA
- Trust Validation Overview — For technical validation details
- EAA Design Section — For credential design, formats, and technical mechanisms
- Design Recommendations — Best practices applicable to all credential types
Legal References¶
The following are the primary normative sources for QEAA and PubEAA:
Primary Regulation¶
Regulation (EU) No 910/2014 (eIDAS) on electronic identification and trust services for electronic transactions in the internal market, as amended by Regulation (EU) 2024/1183 (eIDAS 2.0).
Key articles for QEAA and PubEAA:
| Article | Topic |
|---|---|
| Article 45a | European Digital Identity Wallets |
| Article 45b | Relying parties of European Digital Identity Wallets |
| Article 45d | Electronic attestation of attributes |
| Article 45e | Verification of attributes against authentic sources |
| Article 45f | Qualified electronic attestation of attributes |
| Article 45g | Electronic attestation of attributes issued by public bodies |
| Article 24(1) | Identity verification requirements for trust services |
Annexes to eIDAS 2.0¶
| Annex | Content | Applies to |
|---|---|---|
| Annex V | Requirements for qualified electronic attestations of attributes | QEAA |
| Annex VI | Minimum list of attributes (attribute catalogue context) | EAA, QEAA, PubEAA |
| Annex VII | Requirements for electronic attestations of attributes issued by public bodies | PubEAA |
Implementing Acts¶
| Implementing Act | Topic |
|---|---|
| Commission Implementing Regulation (EU) 2025/1569 | Catalogue of schemes for attestation of attributes |
| Implementing acts under Article 19a | Organisational and technical measures for trust service providers |
ETSI Standards¶
| Standard | Topic |
|---|---|
| ETSI TS 119 472-1 | General requirements for electronic attestations of attributes |
| ETSI TS 119 472-2 | Presentation requirements |
| ETSI TS 119 472-3 | Issuance requirements |
| ETSI TS 119 411-8 | Access Certificates |
| ETSI TS 119 475 | Registration Certificates |
Legal Disclaimer
This document reflects a systematic interpretation of the eIDAS framework and supports informed decision-making. It does not replace legal analysis for individual cases.