Some background makes the stakes legible. When you connect to a site over HTTPS, your browser checks the site's TLS certificate against a built-in list of trusted certificate authorities. That list is a root store, and each browser vendor runs a root program that decides who gets in and, just as importantly, who gets thrown out. Admission requires audits, compliance with the CA/Browser Forum's baseline requirements, and logging of issued certificates to public Certificate Transparency logs. Ejection happens when a CA proves untrustworthy: browsers collectively distrusted Symantec's certificate business in 2017 and 2018 after repeated mis-issuance, at the time one of the largest CAs on the web.
The system's central weakness is well understood: any trusted CA can issue a certificate for any domain. There is no scoping. A CA in one country can issue a technically valid certificate for a bank, a mail provider, or a government portal in another, and every browser trusting that CA will accept it. The only real safeguards are the root programs' vetting on the way in, Certificate Transparency making mis-issuance publicly visible, and the credible threat of distrust on the way out.
What Article 45 requires
eIDAS 2.0, formally Regulation (EU) 2024/1183, is mostly about digital identity wallets. But Article 45 concerns the web: it requires browsers to recognize Qualified Website Authentication Certificates, QWACs, issued by trust service providers that EU member states have granted qualified status. The qualification decision belongs to national supervisory bodies, not to the browser root programs. In the original draft, browsers would have been obliged to accept these CAs without applying their own admission criteria, and without a clear right to remove one that misbehaved.
The stated purpose is reasonable on its face: giving European users a reliable, legally backed way to know which company operates a website. The objection was never to the goal. It was to the mechanism of compelled trust.
Why compelled trust alarmed cryptographers
History supplies the argument. In 2011, the Dutch CA DigiNotar was compromised and used to issue fraudulent certificates for Google domains, which were then used to intercept the traffic of hundreds of thousands of users in Iran. Browsers pulled DigiNotar's roots within days and the company was bankrupt within a month. That speed was possible because root store decisions belonged to the vendors alone. In 2019, Kazakhstan instructed ISPs to have citizens install a government root certificate, which was then used to intercept HTTPS traffic to social media and messaging sites; Google, Mozilla, and Apple responded by hard-blocking that certificate in their products.
Both episodes turn on the same lever: whoever controls what the browser trusts controls whether HTTPS interception is possible. A legal regime in which a member state grants a CA qualified status and browsers are forbidden from second-guessing it converts twenty-seven governments into potential single points of failure for the entire TLS ecosystem, because a certificate mis-issued by a qualified CA would be accepted for any domain, not just European ones.
Article 45 relocates the power to say "this authority is trustworthy" from the parties accountable for browser security to political bodies, while the blast radius of a bad decision remains global.
This is why the reaction was unusually broad. In November 2023, as trilogue negotiations closed, Mozilla organized an open letter signed by hundreds of academic security researchers and joined by civil society organizations including EFF, warning that the text as drafted would expand the surveillance capabilities of any government able to lean on its national supervisory body. Cryptographers who rarely comment on legislation commented on this one.
What the final text actually says
The pressure produced amendments. The version that entered into force retains the recognition mandate but adds language preserving browsers' ability to take proportionate, precautionary measures in response to substantiated security concerns about specific certificates or providers, with notification obligations to the affected CA and authorities. How much room that language really leaves is the open question, because the answer depends on implementing acts and on how the first real conflict gets resolved. A browser blocking a qualified CA over mis-issuance evidence, against the objection of the member state that qualified it, is the scenario the compromise text papers over rather than settles. As of mid-2026 that collision has not happened, and the technical standards work for how browsers display QWAC identity data is still grinding through the process.
The EV lesson nobody wanted to relearn
There is a second, quieter problem with the QWAC concept: the web already ran this experiment. Extended Validation certificates bound verified legal identity to TLS certificates beginning in 2007, and browsers displayed the company name in green next to the padlock. Usability research consistently found that users did not notice when the indicator was absent and could not use it to detect phishing, and researchers demonstrated that colliding or confusable legal names could be registered legitimately. Chrome and Firefox removed the EV indicator from the address bar in 2019. QWACs are, mechanically, EV with a legal mandate attached, and the mandate does not repeal the usability findings. Legal identity in certificates has value for auditors, regulators, and automated systems; the evidence that it protects end users making trust decisions in the moment is thin.
What this means in practice
For users, nothing visible has changed yet, and the mitigating machinery of the web still operates: Certificate Transparency makes every certificate from a qualified CA publicly auditable, and monitoring for unexpected certificates on domains you control remains the practical defense it has always been. Site operators, especially those serving at-risk users, should already be monitoring CT logs for their domains; that advice predates eIDAS and survives it. The deeper takeaway is architectural, and it applies well beyond browsers. Trust that is centrally granted can be centrally abused, whichever institution holds the grant, and systems designed so that no single authority's failure is catastrophic, through transparency logs, pinning, DNS-based authentication, or end-to-end encryption that does not depend on the transport layer's honesty, age better than systems that assume the authority will stay benign.
That last point is why messaging security people watched this fight closely. End-to-end encryption exists precisely so that the confidentiality of a conversation does not rest on every CA, every network, and every government between two people behaving well. The eIDAS episode is a live demonstration of why that design assumption keeps earning its complexity.