Subscribe to the Non-Human & AI Identity Journal

Who is accountable for maintaining eIDAS 2.0 readiness after validation?

The accountable party is the organisation operating the trust service, not the assessor. Security, IAM, privacy, and engineering teams all share responsibility for keeping controls current, but leadership must assign ownership for evidence, policy change, and revalidation as standards mature.

Why This Matters for Security Teams

eIDAS 2.0 readiness does not end when validation is complete. The trust service operator remains accountable for keeping identity proofing, cryptographic controls, audit evidence, and operational procedures aligned with evolving regulatory expectations. The assessor validates a point in time; the organisation must sustain compliance across change, staffing shifts, and control drift. That distinction is especially important because eIDAS 2.0 is part of a broader digital trust stack, not a one-time checklist, as set out in the eIDAS 2.0 — EU Digital Identity Framework.

Security teams often underestimate how quickly validated controls become stale when evidence lives in different systems, policy changes bypass formal review, or ownership is not assigned for revalidation. That creates gaps between what was approved and what is actually running in production. The same pattern shows up in NHI programs, where static trust assumptions fail once operational reality changes. In practice, many security teams encounter control decay only after a renewal, audit exception, or incident has already exposed the gap, rather than through intentional monitoring.

How It Works in Practice

Accountability should sit with the organisation operating the trust service, but execution has to be distributed across security, IAM, privacy, engineering, and compliance functions. The useful operating model is to assign a named control owner for each readiness domain: evidence collection, policy maintenance, cryptographic lifecycle, vendor dependencies, and revalidation timing. That owner is responsible for proving the control still works, not just that it once passed assessment.

For eIDAS 2.0 readiness, the recurring work is usually more operational than strategic. Teams need to maintain current system inventories, document changes that affect trust assumptions, and preserve audit trails that can survive staff turnover. This is where continuous control monitoring matters. A control that was valid at certification may fail later if certificate lifetimes change, identity proofing flows are modified, or logging retention no longer matches policy. The baseline should be mapped to a control framework such as NIST SP 800-53 Rev 5 Security and Privacy Controls so that ownership is tied to repeatable checks, not informal memory.

NHIMG research on secrets and identity abuse reinforces why this must be continuous. The State of Secrets in AppSec found that remediation lags and fragmented ownership are common even in mature organisations, which is a warning sign for trust-service readiness as well.

  • Assign one accountable owner for each control family, with backup owners named in policy.
  • Track evidence freshness, not only evidence existence, and tie it to review cycles.
  • Require formal review for changes to identity proofing, crypto settings, logging, and third-party dependencies.
  • Set revalidation triggers for major releases, regulatory updates, incidents, and supplier changes.

These controls tend to break down when responsibility is split across procurement, engineering, and compliance without a single owner for revalidation.

Common Variations and Edge Cases

Tighter readiness governance often increases operational overhead, requiring organisations to balance assurance against speed of change. That tradeoff becomes sharper when the trust service depends on external platforms, managed service providers, or national identity ecosystems. Guidance is still evolving on how much of the assurance burden can be delegated to suppliers versus retained by the operator, so current practice suggests treating third-party attestations as inputs, not substitutes, for internal ownership.

Another common edge case is organisational change. If a trust service is transferred, restructured, or expanded across jurisdictions, accountability should be re-issued explicitly rather than assumed to carry over. The same is true when evidence is generated by one team but reviewed by another. If no one owns the control after validation, the organisation can still appear compliant while losing the ability to prove it. That is why the operator should maintain a living readiness register linked to policy change management and periodic re-assessment. For additional context on operational exposure, the DeepSeek breach illustrates how quickly weak operational discipline can turn into broad trust failure.

There is no universal standard for assigning revalidation cadence yet, so best practice is to base it on change velocity, control criticality, and regulatory impact.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 ID.GV-1 Governance needs defined roles, responsibilities, and authority for ongoing readiness.
OWASP Non-Human Identity Top 10 NHI-01 Identity and secret ownership must remain clear after validation to avoid control drift.
CSA MAESTRO GOV-02 Agent and trust governance require explicit accountability beyond initial approval.
NIST AI RMF GOVERN AI RMF governance principles support accountable, repeatable oversight of operational risk.

Establish governance that keeps control assurance current as systems, risks, and regulations evolve.