Trust service type
Understand how Adobe Acrobat and Acrobat Reader use the European Union Trusted List to determine whether an electronic signature, seal, or timestamp qualifies under EU Regulation 910/2014 (eIDAS) — and what the limitations of that determination are.
What is the EU Trusted List?
The European Union Trusted List (EUTL) is the authoritative public registry of Trust Service Providers (TSPs) that have been granted qualified status by a supervisory body in an EU Member State, in accordance with EU Regulation 910/2014 on electronic identification and trust services (eIDAS) and its successor, EU Regulation 2024/1183 (eIDAS 2.0).[AV1]
Each Member State maintains its own national Trusted List, which is published electronically and compiled at the EU level into a single consolidated list. Collectively, these lists identify more than 400 active and legacy qualified Trust Service Providers across the EU. A TSP must appear on its Member State's Trusted List with an active qualified status before any of its services can carry the legal effects of a qualified trust service under eIDAS.
In eIDAS, the qualified tier of electronic signatures, seals, and timestamps carries the strongest legal effects. A Qualified Electronic Signature (QES) is legally equivalent to a handwritten signature across all EU Member States and is the only type of electronic signature automatically recognized in cross-border transactions within the EU. Each Member State supervises the providers established on its territory, but services of a qualified TSP approved in one Member State may be used in any other Member State, provided they comply with the same level of compliance.
Looking for a digital ID provider outside the EU? Explore the Adobe Approved Trust List (AATL) ›
Learn how Adobe and TSP leaders are advancing standards for cloud-based signatures on web and mobile. Learn about cloud signatures ›
How Acrobat implements EUTL support
Adobe Acrobat and Acrobat Reader include built-in support for the EUTL to assist users in determining whether a digital signature, seal, or timestamp on a PDF document meets the technical criteria for qualification under eIDAS. This support is implemented as an extension of the Adobe Approved Trust List (AATL) framework, which governs how Acrobat manages and periodically refreshes its local store of trusted root certificates.
Scope: Which qualified services are covered
Acrobat's EUTL implementation is scoped to a specific subset of qualified trust services. It includes only those Qualified Trust Service Providers that issue certificates and operate the infrastructure used to create certificate-based digital signatures within PDF workflows. Specifically, Acrobat recognizes qualified trust anchors associated with the following trust services:
|
|
Coverage in Acrobat |
Notes |
|---|---|---|
|
Qualified certificates for electronic signatures (natural persons) |
Included |
Issued via Qualified Signature Creation Devices (QSCD), including remote QSCDs |
|
Qualified certificates for electronic seals (legal entities) |
Included |
Issued via Qualified Seal Creation Devices |
|
Qualified electronic timestamp services |
Included |
Used to establish the time of signing for long-term validation |
|
Qualified validation services for QES |
Not included |
Acrobat does not call out to or integrate with external qualified validation service providers |
Only qualified TSPs whose trust anchors are relevant to PDF-based digital signature, seal, and timestamp workflows are incorporated into Acrobat's local trust store. Non-qualified TSPs, and qualified TSPs operating trust services outside the scope above, are not included in Acrobat's EUTL-derived configuration.
Update frequency and temporal limitations
Acrobat does not query the authoritative EUTL in real time at the moment of signature validation. Instead, Acrobat maintains a local snapshot of the relevant qualified trust anchors derived from the EUTL, which is updated on a periodic basis.
- Update frequency
Approximately monthly, typically during the first week of each calendar month. - Update mechanism
A new EUTL-derived snapshot is published by Adobe and downloaded automatically by Acrobat installations with internet access, following the same infrastructure used for AATL updates. - Source
Derived from the authoritative EU Trusted Lists published by Member States and compiled at the EU level, Acrobat's snapshot is restricted to the service types listed in the scope table above. - Update delay
Up to approximately 30 days may pass between the publication to any Member State's Trusted List and its reflection in Acrobat's local trust store. After the publication, Acrobat may take up to 14 days to fetch the updated EUTL snapshot and make it available locally. This additional latency depends on the trust store refresh rate, which limits updates to no less than 14 days from the previous one.
If needed, users can force a manual EUTL refresh at any time from the Acrobat Preferences > Trust Manager > Automatic European Union Trust Lists (EUTL) updates > Update Now.
Because Acrobat does not validate signatures against a real-time copy of the EUTL, the determination of whether a signature, seal, or timestamp is qualified under eIDAS may not be accurate in all circumstances. In particular, if a Member State's Trusted List is updated — for example, to add a newly approved qualified TSP or to reflect a change in the status of an existing one — that change will not be reflected in Acrobat until the next scheduled update. During this interval, Acrobat may fail to recognize a legitimately qualified trust anchor or may recognize a trust anchor that has since been revoked.
Validation output: three possible states
When Acrobat validates a digital signature, seal, or timestamp on a PDF document, it evaluates the certificate chain against its local trust store (including the EUTL-derived snapshot) and presents one of three states in the Signature Validation Panel:
- EU Qualified — trust anchor confirmed
The certificate chain resolves to a trust anchor present in Acrobat's current EUTL-derived snapshot, and the signature, seal, or timestamp meets the structural requirements for qualification under eIDAS. Acrobat displays: "This is a Qualified Electronic Signature according to EU Regulation 910/2014, based on EU Trusted List information last checked on yyyy-mm-dd.” This determination is based on the trust information available at the time of Acrobat's last EUTL update, not necessarily at the current moment. - Indeterminate — trust anchor not found locally
The certificate chain does not resolve to a trust anchor in Acrobat's current EUTL-derived snapshot. This does not necessarily mean the signature, seal or timestamp isn't qualified. The issuing TSP may have been added to a Member State's Trusted List after Acrobat's last update. Relying parties should verify the current status of the trust anchor directly against the EU Trusted List Browser before drawing conclusions about qualification status. - Invalid — signature is broken, or policy requirements are not met
Acrobat has determined that the signature, seal, or timestamp does not meet cryptographic validation. This may be because the certificate used for signing had expired or been revoked, the certificate chain is invalid, or the document was modified after the signature was applied.
For document signers
If you are signing a document using a digital ID obtained from a qualified TSP listed below, the qualified status of your signature derives from the issuing TSP and the creation device used, and is not affected by how a viewing application displays the validation result.
Important considerations for relying parties
Because Acrobat validation results are based on a periodic snapshot of the EU Trusted List, relying parties in regulated or legally sensitive contexts should verify the current qualification status of the signing TSP directly against the EU Trusted List Browser before relying on the result.
Where a legally binding determination is required, relying parties should use a qualified validation service.
Finding a qualified Trust Service Provider
Adobe is the first global PDF vendor to offer comprehensive support for EUTL-based qualified TSPs within the PDF signing experience. Once you obtain a digital ID from a qualified TSP listed on the EUTL, you can sign documents securely using Adobe Acrobat Reader, Adobe Acrobat, or Adobe Acrobat Sign. Adobe's platform supports the full range of qualified TSPs across EU Member States, giving your organization the flexibility to choose the provider best suited to your compliance requirements.
The full list of qualified trust service providers, organized by Member State and service type, is maintained by the European Commission at the EU Trusted List Browser. Adobe's supported subset of these providers is reviewed and updated monthly.
Looking for a digital ID provider outside the EU? Explore the Adobe Approved Trust List (AATL) ›
Learn how Adobe and TSP leaders are advancing standards for cloud-based signatures on web and mobile. Learn about cloud signatures ›