eFTI Article 5: Identity Verification for Freight Platforms
From July 2027, every eFTI platform must verify the identity of every business user. Here is what Article 5 actually requires — and why most platforms are not ready.
eFTI Implementing Regulation (EU) 2025/2243, Article 5 requires every certified eFTI platform to verify the identity of every business user at eIDAS level before they can access or submit electronic freight transport information. This requirement takes effect when eFTI becomes mandatory on 9 July 2027, and it applies to all 27 EU Member States.
This article explains what Article 5 says, what it means in practice for eCMR platforms and freight operators, why most platforms do not meet the requirement today, and what steps are needed for compliance.
What Article 5 Actually Says
The eFTI Implementing Regulation (EU) 2025/2243, adopted under the eFTI Regulation (EU) 2020/1056, establishes the technical requirements for eFTI platforms. Article 5 addresses identification, authentication, and authorisation of business users.
Article 5 of Regulation (EU) 2025/2243 states that "for each login session, the eFTI platform shall ensure the identification, authentication and authorisation of the business user, before allowing the business user to process eFTI data." The electronic identification scheme used must comply, as a minimum, with the requirements laid down in Article 8(2), point (b) of the eIDAS Regulation (EU) No 910/2014 — corresponding to the "substantial" assurance level under the European electronic identification framework.
In practical terms, this means:
- Every person who accesses an eFTI platform to submit, modify, or view freight transport information must be individually identified
- The identification must meet a recognised standard — not a self-asserted login or a one-time access code
- The platform operator bears responsibility for ensuring this identification is in place
This is not a recommendation. It is a regulatory requirement that applies to every eFTI-certified platform operating in the EU from July 2027.
What "Identification at eIDAS Level" Means in Practice
The eIDAS Regulation (EU) No 910/2014 defines three assurance levels for electronic identification: low, substantial, and high. Article 5 of the eFTI implementing regulation references Article 8(2), point (b) of eIDAS, which establishes the "substantial" level as the minimum.
At the substantial assurance level, the identity of the person must be verified against a government-issued identity document. This means:
| Assurance Level | What It Requires | Meets Article 5? |
|---|---|---|
| Low | Self-registration with email and password | No |
| Substantial | Identity verified against a government document, with reliable binding to the person | Yes |
| High | In-person verification or equivalent, using certified identity means | Yes (exceeds requirement) |
For logistics operations, the practical implication is clear. A driver or carrier representative who signs an eCMR or submits freight data through an eFTI platform must have their identity verified at substantial level. A username and password do not meet this threshold. A one-time SMS code does not meet this threshold. A finger signature drawn on a tablet screen — what the industry calls Sign-on-Glass — does not meet this threshold.
What does meet it: identity verification against a government-issued document such as a national eID card, the upcoming EUDI wallet, or a biometric passport verified via NFC chip reading.
Why Most eCMR Platforms Do Not Meet Article 5 Today
The eCMR protocol has been ratified by 39 countries, and digital consignment note platforms are operational across Europe. However, the identity verification methods used by most platforms today fall short of the Article 5 requirement. Here is why.
Sign-on-Glass is not sufficient
Many eCMR platforms authenticate drivers through Sign-on-Glass — the driver draws a signature with their finger on a tablet screen. Under eIDAS, this produces a Simple Electronic Signature (SES), the lowest category. It does not identify the signer. It does not verify their identity against any document. In a legal dispute, the burden of proof falls entirely on the party relying on the signature.
Sign-on-Glass may have been acceptable when eCMR was a voluntary tool for operational efficiency. Under eFTI Article 5, it is not compliant.
One-time access codes do not verify identity
Some platforms issue a one-time code via SMS or email to authenticate drivers at the point of signing. This confirms that someone has access to a phone number or email account — but it does not identify who that person is. A one-time code sent to an unverified phone number does not meet the substantial assurance level.
Login credentials are not identity verification
Standard username-and-password authentication verifies that someone knows the credentials, not that they are who they claim to be. This is the low assurance level under eIDAS — explicitly below the Article 5 threshold.
The non-EU driver gap
Even platforms that have implemented stronger identity verification for EU users face a structural challenge: a significant share of international road freight in the EU is carried by vehicles registered in non-EU countries (Eurostat reports international operations account for the majority of cross-border corridors, with substantial volumes by non-EU carriers from Turkey, Ukraine, Belarus, Moldova and others). Drivers from Turkey, Ukraine, Morocco, and other non-EU states have no access to European eID infrastructure and will not be covered by the EUDI wallet. For these drivers, no scalable mechanism currently exists on most platforms to verify identity at the required level.
Compliance Checklist for Platform Operators
If you operate an eCMR or freight document platform, here are five questions to assess your Article 5 readiness:
1. Does your platform verify the identity of every business user against a government-issued document? If the answer involves only login credentials, SMS codes, or Sign-on-Glass, you do not meet the substantial assurance level.
2. Does your identity verification cover non-EU users? If your verification depends on European eID systems or the EUDI wallet, you have a gap for the 13+ non-EU countries whose carriers operate on European corridors.
3. Is the identity verification linked to the electronic signature? Article 5 requires identification, authentication, and authorisation. The signature on a freight document must be traceable to a verified identity — not just to a device or a session.
4. Can you demonstrate compliance in an audit? eFTI platforms will be subject to conformity assessment. You must be able to show auditors that every business user was identified at the required level before accessing the platform.
5. Does your platform support Advanced Electronic Signatures (AES)? While Article 5 addresses identification, the eCMR protocol separately requires signatures that ensure authenticity and integrity. An Advanced Electronic Signature, uniquely linked to a verified signatory, satisfies both requirements simultaneously.
How to Implement Article 5 Compliant Identity Verification
There are three practical paths to Article 5 compliance, each with different trade-offs:
Path 1: National eID / EUDI Wallet
The EUDI wallet, mandated for all 27 EU Member States by the end of 2026, will provide substantial-level identity for EU citizens. National eID systems (such as the Estonian ID-kaart, German Personalausweis, or Swedish BankID) already meet this level in many countries.
Advantages: Government-backed, high assurance, free for users. Limitations: Covers only EU citizens. Several Member States are unlikely to meet the December 2026 deadline — the Netherlands and Bulgaria have already signalled delays. Does not cover non-EU drivers who carry a significant share of European freight.
Path 2: Qualified Trust Service Providers (QTSPs)
QTSPs on the EU Trusted List can issue qualified certificates that meet the highest eIDAS assurance level. Some offer remote identity verification through video identification.
Advantages: Highest legal certainty. EU-wide recognition. Limitations: Expensive per verification ($8–$15+). Slow onboarding process (often 10+ minutes). Requires an EU-based QTSP, making it inaccessible for most non-EU drivers. Impractical for high-volume, time-sensitive logistics operations.
Path 3: NFC Biometric Passport Verification
Modern biometric passports contain an NFC chip with cryptographically signed identity data, issued under the ICAO 9303 standard. The chip stores biometric and biographical data signed by the issuing government's document signing certificate. Reading the chip via a smartphone verifies the document's authenticity cryptographically — not visually.
Advantages: Works for more than 170 countries worldwide. Verification takes approximately 90 seconds. Produces a reusable digital identity — one-time onboarding, then authenticate and sign repeatedly. Supports Advanced Electronic Signatures. Does not require EU citizenship or access to European eID infrastructure. Limitations: Requires a smartphone with NFC capability (standard in 80%+ of smartphones since 2020). Requires physical possession of the passport at the moment of initial verification.
For platforms serving cross-border freight with non-EU drivers, Path 3 is currently the only scalable method that covers the full geographic scope of eCMR operations while meeting the Article 5 identification requirement.
IdentiGate provides NFC biometric passport verification from more than 170 countries, producing a reusable digital identity and Advanced Electronic Signatures that meet both eFTI Article 5 identification requirements and eCMR signature requirements via a single API integration. The company is currently preparing a cross-border eCMR signing pilot on EU-Turkey routes.
Timeline: When Does This Take Effect?
| Date | Milestone |
|---|---|
| January 2025 | eFTI delegated and implementing acts enter into force |
| January 2026 | Member States may begin voluntarily accepting digital freight data from certified platforms |
| December 2026 | EUDI wallets must be available in all 27 Member States (delays expected in several countries) |
| 9 July 2027 | eFTI mandatory: all Member State authorities must accept electronic freight transport information from certified platforms |
| 2027–2029 | Expected large-scale eCMR adoption, full industry transition |
The voluntary acceptance window (January 2026 onwards) means that platforms can begin testing Article 5 compliant identity verification now — and the companies that do will have a significant head start over those that wait until the mandatory date.
Frequently Asked Questions
Does Article 5 require a Qualified Electronic Signature (QES)? No. Article 5 addresses identification, not signature level. The eCMR protocol separately requires a signature that ensures authenticity and integrity — an Advanced Electronic Signature (AES) meets this standard. QES is not required for freight documentation.
Does Article 5 apply to drivers or only to companies? Article 5 requires identification of every business user. In the eCMR workflow, the driver is a business user who signs at the point of goods handover. The company is also a business user. Both must be identified.
What happens if a platform does not meet Article 5? The platform will not be eligible for eFTI certification. Without certification, it cannot be used to submit freight data to authorities under the eFTI regulation. Operators using non-certified platforms would need to fall back to paper documentation.
How does Article 5 affect non-EU carriers? Non-EU carriers and drivers must also be identified when using eFTI platforms. Since they have no access to EUDI wallets or European eID systems, platforms must provide an alternative verification method — such as NFC biometric passport verification — that meets the substantial assurance level.
Is Sign-on-Glass acceptable under Article 5? No. Sign-on-Glass does not verify the signer's identity. It records a finger-drawn image, which is a Simple Electronic Signature (SES) with no identity assurance. Article 5 requires identification at the substantial level, which Sign-on-Glass cannot provide.
When should platforms start preparing? Now. The voluntary acceptance window began in January 2026, and eFTI platform certification requires demonstrating Article 5 compliance. Companies that begin testing identity verification in 2026 will be ready for the July 2027 mandatory date. Companies that wait will face compliance pressure under time constraints.
Does the EUDI wallet solve this for all users? For EU citizens, the EUDI wallet will eventually provide Article 5 compliant identification. However, several Member States are expected to miss the December 2026 deadline, and the wallet does not cover non-EU nationals. For platforms serving cross-border freight, an additional identity solution is needed for non-EU drivers.
Can one verification method cover both Article 5 and eCMR signature requirements? Yes. NFC biometric passport verification can simultaneously establish the user's identity (meeting Article 5) and enable an Advanced Electronic Signature (meeting the eCMR signature requirement). This avoids the need for separate identity and signature systems.
Sources
- eFTI Regulation (EU) 2020/1056 — EUR-Lex — application from 21 August 2024; full application of mandatory acceptance from 9 July 2027
- Commission Implementing Regulation (EU) 2025/2243 — EUR-Lex — Article 5 (identification, authentication and authorisation of business users)
- eIDAS Regulation (EU) No 910/2014, Article 8 — EUR-Lex — assurance levels (low, substantial, high); point (b) = substantial
- Commission Implementing Regulation (EU) 2015/1502 — EUR-Lex — minimum technical specifications for eIDAS assurance levels
- European Commission — Towards paperless freight transport
- Eurostat — Road freight transport by journey characteristics
- ICAO Doc 9303 — Machine Readable Travel Documents
IdentiGate provides eFTI Article 5 compliant identity verification for freight platforms — NFC biometric passport verification from more than 170 countries, producing reusable digital identities and Advanced Electronic Signatures via a single API. Learn more at identigate.com
About the author
Gustav Poola is co-founder of IdentiGate. He focuses on the technical architecture of passport-chip identity verification, advanced electronic signature production under eIDAS, and the engineering of identity flows that survive regulator and auditor walk-back.