Opinion: Europe’s Rising Cybersecurity Bar – From ETSI to NIS2 and Beyond
Returning from CA Day 2025
I just came back from a fantastic joint session organized by ENISA: Trust Services, eID Forum and CA Day 2025. The room was full of trust service providers, policymakers, and supervisors.
What struck me most was how quickly the regulatory landscape is shifting in Europe—and how much more demanding it has become since I first lived through it five years ago.
Remembering 2020: The ETSI Mountain
In 2020, ZealiD was still a young company. To operate as a qualified trust service provider, we had to comply with ETSI EN 319 401 and related standards. For those outside our niche: this was not a light touch. We had to document every process, implement controls at enterprise level, and present auditors with clear evidence.
For us, it was painful. We were a small team operating on limited resources, yet we were suddenly expected to meet the compliance standards of banks and large institutions. Looking back, I remember thinking at the time: this is the highest bar possible. Passing that audit felt like the summit.
2025: A New Layer of Regulation
What I realize now is that 2020 was just the beginning. The regulatory bar has risen—and it has multiplied. Companies are not facing a single peak, but a whole range of obligations:
- NIS2 (effective October 2024): Expands scope to essential entities, mandates board-level accountability, and imposes fines of up to €10M or 2% of turnover.
- CIR-NIS2 (November 2024): Sets strict incident reporting deadlines, including a 20-minute initial threshold.
- DORA (January 2025): Brings ICT providers to financial institutions under direct supervision of the European Supervisory Authorities.
- CRA (December 2027): Introduces security-by-design requirements for all products with digital elements, reshaping supply chains.
- eIDAS2 (in force May 2024): Extends obligations for trust service providers under national supervisory authorities.
The result is that companies are now subject to overlapping, non-harmonized requirements. Each framework comes with its own scope, supervisor, and penalties.
Why This Feels Different
In 2020, success meant showing you had policies, risk assessments, and control structures in place. Today, it is about operational proof:
- Demonstrating that controls actually work in practice.
- Providing evidence logs and audit trails at a forensic level.
- Reporting incidents within hours—or minutes.
- Involving boards and executives directly in governance, with documented accountability.
In short: it is no longer enough to design a compliance framework. You must live it every day.
The Double Edge
On one hand, I welcome this evolution. As someone who works in identity and trust, I know society benefits from stronger digital security and resilience. On the other hand, the burden is undeniable—especially for small and mid-sized companies.
Complying with ETSI in 2020 nearly stretched us to breaking point. Today’s combined requirements of NIS2, DORA, CRA, and eIDAS2 demand even more resources, expertise, and operational maturity. For many, the compliance burden is no longer a side project; it defines how they must run their businesses.
A Founder’s Takeaway
My advice to fellow leaders is clear:
- Plan early – compliance can no longer be managed reactively.
- Embed governance at the core – standards like ISO 27001 or ETSI are a baseline to map against multiple regulations.
- Educate your board – because accountability now extends to them.
- See compliance as strategic – the cost is high, but the trust gained is a real competitive advantage.
Closing Reflection
Back in 2020, I believed ETSI 319 401 was the toughest hurdle we would ever face. I now see it was just a warm-up. The bar in 2025 is higher, wider, and heavier. But if Europe is to lead the world in digital trust, this is the path we must walk.
As founders, leaders, and service providers, our challenge is not just to survive this regulatory squeeze, but to turn it into resilience—and ultimately, trust. And trust is the one currency in digital society that never loses its value.
About ZealiD
ZealiD is an EU Qualified Trust Service Provider offering identity wallets and qualified electronic signatures across Europe. We are a certified Microsoft ISV Partner and trusted by financial institutions, Fortune 500 companies, and national governments.