Qualified Electronic Signatures (QES) Explained
Qualified Electronic Signatures (QES) represent the highest level of electronic signature under the EU eIDAS Regulation. With the same legal effect as a handwritten signature, QES opens doors to regulated industries and high-value transactions. This comprehensive guide explains what QES is, how it works, when you need it, and how to implement it correctly.
Table of Contents
1. What Is a Qualified Electronic Signature?
A Qualified Electronic Signature (QES) is the most secure and legally robust form of electronic signature recognized under the European Union's eIDAS Regulation (Regulation (EU) No 910/2014). It is the only type of electronic signature that has the equivalent legal effect of a handwritten signature in all EU member states.
Article 25(2) of the eIDAS Regulation states clearly:
"A qualified electronic signature shall have the equivalent legal effect of a handwritten signature."
-- Article 25(2), Regulation (EU) No 910/2014
This equivalence is automatic and applies across all 27 EU member states. Unlike Simple Electronic Signatures (SES) or Advanced Electronic Signatures (AES), which are admissible but may require additional evidence of authenticity, a QES carries a presumption of validity. If someone challenges a QES, the burden of proof falls on them to demonstrate it is invalid—not on you to prove it is valid.
QES is built on a foundation of strict technical standards, identity verification, and qualified certificates issued by Qualified Trust Service Providers (QTSPs) that are supervised by national authorities. This creates a robust chain of trust that ensures the signer's identity, the integrity of the signed document, and the non-repudiation of the signature.
2. Legal Framework and Requirements
The eIDAS Regulation defines three cumulative requirements for a signature to qualify as a QES. All three must be met:
1. It must be an Advanced Electronic Signature (AES)
First, the signature must meet all requirements of an AES under Article 26 of eIDAS. This means it must be uniquely linked to the signatory, capable of identifying the signatory, created using electronic signature creation data that the signatory can use with a high level of confidence under their sole control, and linked to the signed data in such a way that any subsequent change is detectable.
2. Based on a Qualified Certificate for Electronic Signatures
The signature must be based on a qualified certificate issued by a Qualified Trust Service Provider (QTSP). This certificate contains the signer's identity data and a public cryptographic key. The certificate must comply with Annex I of the eIDAS Regulation and be issued following strict identity verification procedures.
3. Created by a Qualified Electronic Signature Creation Device (QSCD)
The signature must be created using a Qualified Electronic Signature Creation Device (QSCD), which is a secure hardware or software device that protects the signer's private cryptographic key. QSCDs must meet the requirements of Annex II of the eIDAS Regulation and are typically certified under Common Criteria EAL 4+ or equivalent standards.
Only when all three requirements are met does a signature qualify as a QES. If any element is missing—for example, if the certificate comes from a non-qualified provider, or if a QSCD is not used—the signature may still be valid as an AES or SES, but it will not have the equivalent legal effect of a handwritten signature.
3. Technical Requirements
From a technical perspective, implementing QES involves several cryptographic and procedural components:
- Public Key Infrastructure (PKI): QES relies on asymmetric cryptography. The signer holds a private key (kept secure in the QSCD) and a corresponding public key (published in the qualified certificate). Documents are signed with the private key and verified using the public key.
- Qualified Certificate: Issued by a QTSP after identity verification (typically in-person or via video identification). The certificate includes the signer's name, email, unique identifier, certificate validity period, QTSP information, and the public key.
- QSCD: This can be a hardware token (USB smartcard), a mobile device with secure element, or a remote HSM (Hardware Security Module) managed by the QTSP. The critical requirement is that the private key cannot be extracted or copied.
- Hash and Sign: When signing, the document is hashed (e.g., SHA-256), and the hash is encrypted with the private key to create the signature. The signature, certificate, and original document are bundled together, often in PAdES (PDF Advanced Electronic Signature) or XAdES (XML Advanced Electronic Signature) format.
- Timestamp: For long-term validity, a qualified timestamp from a qualified time-stamping authority is often added. This proves when the signature was created and protects against certificate expiration issues.
These technical layers ensure that a QES is tamper-evident, cryptographically secure, and verifiable by anyone with access to the EU Trusted Lists of qualified providers.
4. Qualified Trust Service Providers (QTSP)
A Qualified Trust Service Provider (QTSP) is an organization authorized and supervised by a national competent authority to issue qualified certificates and provide related trust services. QTSPs operate under strict regulatory oversight and must comply with security, organizational, and procedural requirements defined in the eIDAS Regulation.
Key characteristics of QTSPs:
- National Supervision: QTSPs are supervised by competent national authorities (e.g., ILNAS in Luxembourg, ANSSI in France, BNetzA in Germany). These authorities perform regular audits to ensure compliance.
- Listed in EU Trusted Lists: Each EU member state publishes an official Trusted List identifying its QTSPs. These lists are publicly available and machine-readable, allowing automated verification of qualified status.
- Cross-Border Recognition: A qualified certificate issued by a QTSP in one member state is automatically recognized in all other member states. A QES from a Luxembourg QTSP is valid throughout the EU.
- Identity Verification: QTSPs must perform rigorous identity verification before issuing a qualified certificate. This typically involves in-person appearance with identity documents, or video identification with liveness detection.
Examples of well-known QTSPs in Europe include LuxTrust (Luxembourg), Swisscom (Switzerland), Intesi Group (Italy), and many others. The European Commission maintains a central portal where you can access all member state Trusted Lists.
5. QES vs AES vs SES Comparison
The eIDAS Regulation defines three levels of electronic signatures. Understanding the differences is essential for choosing the right solution:
| Feature | SES | AES | QES |
|---|---|---|---|
| Legal Effect | Admissible but may require additional evidence | Admissible, stronger evidence than SES | Equivalent to handwritten signature |
| Signer Identification | Basic (e.g., email) | Strong authentication required | Identity verification by QTSP |
| Certificate | Not required | Certificate (not necessarily qualified) | Qualified certificate from QTSP |
| Signature Device | Any device | Secure device recommended | QSCD required |
| Cost | Low | Medium | High |
| Typical Use Cases | Contracts, NDAs, approvals | Regulated transactions, HR, finance | High-value, regulated, public procurement |
For most business transactions, SES or AES is sufficient and cost-effective. QES is reserved for situations where the law explicitly requires a handwritten signature equivalent, or where the transaction value or risk justifies the additional assurance.
6. When Do You Need QES?
While QES is the gold standard, it's not always necessary. Use QES when:
Legal Requirement
Some transactions explicitly require a signature equivalent to a handwritten one. Examples include certain public procurement contracts, regulated financial services documents, and some corporate filings. Always check the specific legal requirements of your jurisdiction and industry.
High-Value Transactions
For contracts involving significant financial value—such as M&A agreements, large procurement contracts, or major asset sales—QES provides the highest level of assurance and minimizes the risk of repudiation.
Regulated Industries
Industries such as banking, insurance, healthcare, and pharmaceuticals often operate under strict regulatory frameworks that mandate or strongly recommend QES for certain document types.
Cross-Border EU Transactions
When dealing with counterparties in multiple EU member states, QES provides automatic legal recognition without the need to navigate different national interpretations of SES or AES validity.
Risk Mitigation
If there is a significant risk of the signature being challenged in court, or if the business relationship is uncertain, QES shifts the burden of proof to the challenger and provides maximum evidential weight.
For routine business contracts, NDAs, purchase orders, and internal approvals, SES or AES is typically sufficient and far more cost-effective.
7. How to Implement QES
Implementing QES involves several steps:
- 1Choose a Qualified Trust Service Provider
Select a QTSP listed in your member state's Trusted List. Consider factors like pricing, support, integration options, and whether they offer remote or local QSCDs.
- 2Complete Identity Verification
Undergo identity verification with the QTSP. This typically requires presenting a government-issued ID (passport or national ID card) in person or via video identification.
- 3Obtain a Qualified Certificate
Once identity is verified, the QTSP issues a qualified certificate. This certificate is stored on a QSCD—either a physical token you receive, or a remote HSM managed by the QTSP.
- 4Integrate with Your Signing Platform
If using an e-signature platform like LuxSign, integrate the QES service. Most platforms support remote signing via API connections to QTSPs. Signers authenticate with 2FA and the signature is created server-side using the remote QSCD.
- 5Sign and Store
Sign documents using the QES workflow. The signed document, certificate, and timestamp are bundled together in a standardized format (typically PAdES for PDFs). Store securely with full audit trail.
Modern e-signature platforms handle much of this complexity behind the scenes, making QES accessible even to non-technical users.
8. Costs and Considerations
QES is more expensive than SES or AES due to the infrastructure and regulatory oversight involved. Typical costs include:
- Certificate Issuance: €50-€200 per year depending on the QTSP and certificate type.
- Per-Signature Fees: €0.50-€2.00 per QES transaction, depending on volume.
- Identity Verification: One-time cost of €20-€50 for video identification or in-person verification.
- Platform Integration: May require enterprise-tier subscription to your e-signature platform.
Weigh these costs against the value and risk of the transactions you're signing. For high-stakes contracts or legally mandated use cases, QES is worth the investment. For routine business documents, SES or AES offers better value.
Ready to sign with confidence?
LuxSign supports all three eIDAS signature levels: SES, AES, and QES. Start with simple signatures for free, upgrade to qualified when you need it.
Get Started Free