[en] The revision of the European electronic Identification and Trust Services (eIDAS) Regulation (EU) 910/2014 has sparked considerable debate, particularly concerning the mandatory recognition and display of Qualified Website Authentication Certificates (QWACs) by browsers under Article 45. Open letters from security researchers and browser vendors, among others, have highlighted potentially harmful implications for trust, sovereignty, and interoperability, while other stakeholders have labeled the corresponding arguments as disinformation and emphasized anticipated benefits. This study scrutinizes the origins, governance context, and arguments surrounding the "QWAC controversy'' using a qualitative mixed-methods approach. Our data collection relies on a multivocal literature review that encompasses academic publications, position papers, and social media posts, as well as 15 semi-structured stakeholder interviews with supporters and critics of the revised Article 45. We map 20 core arguments that emerged from a coding of our data into 1247 Toulmin components into three themes: Security & Trust, Governance & Sovereignty, and Compliance & Interoperability. The analysis reveals divergent viewpoints, advocacy strategies, and the dissemination of conflicting information in a situation of uncertainty. Indeed, our evaluation demonstrates that the strength of many exchanged arguments still hinges on future implementation choices. This research clarifies socio-technical trade-offs in EU digital trust policy colliding with the established WebPKI and offers evidence-informed considerations for balancing public and private interests in the future discourse.
Research center :
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > FINATRAX - Digital Financial Services and Cross-organizational Digital Transformations NCER-FT - FinTech National Centre of Excellence in Research
Disciplines :
Computer science
Author, co-author :
DIKSHIT, Pratyush ✱; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
HÖLZMER, Pol ✱; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
FRIDGEN, Gilbert ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > FINATRAX
✱ These authors have contributed equally to this work.
Language :
English
Title :
EU Policies Meet Global Practices: The Discourse on Qualified Website Authentication Certificates
Publication date :
12 November 2025
Edition :
preprint
Number of pages :
82
Focus Area :
Security, Reliability and Trust
FnR Project :
FNR13342933 - DFS - Paypal-fnr Pearl Chair In Digital Financial Services, 2019 (01/01/2020-31/12/2024) - Gilbert Fridgen FNR16326754 - PABLO - Privacy-preserving Tokenisation Of Artworks, 2021 (01/06/2022-31/05/2025) - Gilbert Fridgen FNR16570468 - NCER-FT - 2021 (01/03/2023-28/02/2025) - Gilbert Fridgen
Funders :
FNR - Luxembourg National Research Fund Luxembourg's Ministry for Digitalisation
Funding number :
13342933; 1632675; 16570468
Funding text :
This research was supported in part by Luxembourg’s Ministry for Digitalisation, PayPal, and the Luxembourg National Research Fund (FNR) (PEARL grant reference FNR13342933, PABLO, grant reference FNR163267543, and NCER-FT grant reference FNR165704683, as well as by the Ministry of Finance of Luxembourg through the FutureFinTech National Centre of Excellence in Research & Innovation. For open-access purposes, the authors have applied a CC BY 4.0 license to any Author Accepted Manuscript arising from this submission.
