TL;DR: EU product labelling now relies on EPREL registration, qualified electronic seals, and updated verification rules that tie organisational identity to market access, according to GlobalSign. For identity teams, the shift shows how regulated workflows increasingly depend on machine-readable assurance, not just document checks or human approval chains.
NHIMG editorial — based on content published by GlobalSign: an analysis of EPREL identity verification, qualified electronic seals, and the evolving energy label framework
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
Questions worth separating out
Q: How should organisations govern delegated access in regulated registration workflows?
A: Treat delegated access as a lifecycle-managed identity relationship, not a one-time approval.
Q: Why is login alone not enough for regulated submissions?
A: Login proves a session was established, but it does not prove the submitted data came from the correct legal entity or remained unchanged after approval.
Q: What breaks when delegate access is not lifecycle-managed?
A: Access can outlive the business relationship, the administrator role can drift beyond its original scope, and submitted records can no longer be trusted as current.
Practitioner guidance
- Map EPREL as a governed delegated-access workflow Document the legal entity, supplier administrator, trust provider, and approval path as distinct control points.
- Separate login assurance from submission authenticity Require a qualified electronic seal or equivalent organisational trust mechanism for actions that create regulatory evidence, not just a successful EU Login session.
- Tighten delegate lifecycle controls Review who can act as Supplier Admin, how that access is approved, and how quickly it is revoked when the organisational relationship changes or the task ends.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of how EPREL organisation registration works in practice
- Specific verification requirements for qualified electronic seals and the NTR change on 22 April 2025
- How supplier administrators are authenticated to act on behalf of a legal entity
- The role of eIDAS and qualified trust service providers in the trust chain
👉 Read GlobalSign's analysis of EPREL identity verification and qualified seals →
EPREL verification and qualified seals: what identity teams need to know?
Explore further
Organisational identity is now a market access control, not an administrative afterthought. EPREL makes clear that a legal entity must prove who it is before it can participate in regulated digital processes. That is the same governance pattern identity teams already manage in NHI and delegated service contexts, where the actor is not a person but the entity allowed to act. The practitioner conclusion is straightforward: if the organisation cannot be bound to the action, the action should not proceed.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, according to the Ultimate Guide to NHIs.
A question worth separating out:
Q: How do teams decide whether a trust seal or digital signature is needed?
A: Use a seal or signature when the organisation itself must be bound to the action and the record must hold legal or regulatory weight. Use ordinary authentication only for session access or low-risk operations that do not create enduring evidence.
👉 Read our full editorial: EU product label governance now depends on digital identity assurance