What is a Qualified Electronic Signature (QES)?
A Qualified Electronic Signature (QES) is the most secure and legally binding form of e-signature under EU eIDAS regulations. Unlike simple or advanced e-signatures, QES requires strict identity verification, qualified certificates, and trusted providers, making it equivalent to a handwritten signature. QES is widely used in finance, healthcare, government, and other regulated industries where compliance and trust are essential.
Electronic signatures provide a streamlined approach when attaching identities to documents. Often referred to as e-signatures, these involve electronic entities, clearly linked to records that indicate the individual's intent to sign.
Many types of signatures promise to safeguard individuals and organizations, but few match the legal certainty and peace of mind conferred by qualified electronic signatures (QES).
The European Commission defines a QES as an advanced electronic signature "created by a qualified signature creation device" and "based on a qualified certificate for electronic signatures."
This is closely linked to the European Union's eIDAS: Electronic Identification, Authentication, and Trust Services. eIDAS ensures that, when spending time in other member states, EU citizens and businesses can access online public services by leveraging national electronic identification schemes. This regulation has evolved over time, becoming more comprehensive to ensure consistent protection across borders.
Central to the present-day arrangement is the designation of "qualified," which indicates that electronic signatures meet strict legal standards established by the EU and are, for all practical purposes, equivalent to a handwritten signature.
Types of electronic signatures
QES represents just one of three main types of electronic signatures described in the EU's eIDAS regulation. Other signatures include:
Simple electronic signature (SES). Involving limited verification, simple electronic signatures provide a straightforward solution, especially when convenience is prioritized. Although these may still qualify as legally binding, they are often less ideal from a security or compliance perspective.
Advanced electronic signature (AES). Promising a higher level of trust than SES, advanced electronic signatures call for stronger links between signatories (those providing electronic signatures) and the signatures themselves. These may be certified by Certificate Authorities (CAs) and transmitted by delivery services that offer audit trails.
QES extends AES by promising enhanced security and by meeting additional eIDAS requirements, it relies on PKI-based digital certificates and mandates a formal identity-verification process conducted by a Qualified Trust Service Provider (QTSP).
Characteristics and advantages of Qualified Electronic Signatures
Qualified Electronic Signatures deliver the highest level of security and legal certainty among e-signature options. Key advantages include:
EU-accredited issuance. Not just any trust service provider can be deemed "qualified." To achieve qualified status, providers must complete rigorous audits, which confirm adherence to strict legal obligations. EU Member States establish trusted lists of QTSPs, while the European Commission compiles Lists of Trusted Lists. Electronic signatures cannot be deemed QES unless the QTSPs that create these signatures are included on trusted lists. In short: QES validity depends on officially recognized providers which promise enhanced compliance along with cross-border trust.
Backed by qualified certificates. QES are backed by qualified digital certificates, issued only after undergoing strict identity verification processes. These rely on Qualified Signature Creation Devices (QSCDs), which could include USB tokens or smart cards. Businesses may also seek qualified electronic seals, which confirm document origins and integrity but without asserting personal identities.
Strong identity verification. With QES, the stringent identity verification often involves in-person checks, although secure video identification is also a possibility, especially when verifications need to be performed on a remote basis. Some citizens may be allowed to use government-issued digital IDs for identity verification purposes.
Strict eIDAS requirements. QES holds considerable legal weight due to uniquely strict requirements under eIDAS. This encompasses not only identity verifications but also, issuance from approved QTSPs, along with the use of approved QSCDs. Add audits by verified bodies and detailed records, and you have an inherently strict process that drives trust, accountability, and regulatory compliance.
How to obtain a QES
The QES process may seem complex, but its extra steps are crucial. This is where the unique advantages of the QES take shape. Follow these steps to obtain a QES and leverage its many advantages: strong identity verification, legal assurance, and cross-border recognition.
Request the QES
The QES process begins with selecting a QTSP. Sectigo, for example, is an accredited QTSP. Examine EU trust lists to verify accreditation. These lists are easily accessible from the European Commission's website. While it's important to work with a TSP that is actually qualified, you also want to feel confident that you can navigate this process with ease. Be mindful of these additional factors:
Identity verification methods. Consider whether your preferred approach to identity verification is covered. Depending on your location, for example, in-person verification (involving registration agencies) may not be practical.
User-friendliness and support. Examine the user interface, integration options, and tutorials or other resources to determine where friction might emerge during the QES process and how this can be overcome. Prioritize responsive providers that offer 24/7 assistance over the phone, via email, or through live chat.
Consider the QSCD. While QSCDs often involve hardware such as smart cards and USB tokens, some users prefer the comparative convenience of hardware security modules (HSMs), which allow for remote, yet highly secure, access.
Identity verification
Arguably the most important aspect of the QES process, identity verification confirms that those creating signatures are actually who they claim to be. For this critical step, select a verification method based on available QTSP options and individual preferences.
From there, request the certificate via the QTSP platform, providing personal details when prompted. This is followed by scheduling for either an in-person appointment or a video call. Be prepared to present government-issued documents such as a passport or driver's license. During video calls, it may be necessary to call extra attention to ID or passport-based security features. Facial recognition or other biometric data may be built into this process.
Certificate issuance and QSCD provisioning
With the identity check successfully completed, the QTSP is authorized to issue a qualified certificate, which will be stored via the selected QSCD. If this involves a hardware solution, the QSCD may be sent through the mail or provided in person. Remote signing solutions can be managed within QTSP-controlled HSMs.
Creating and using the signature
Following identity verification, specific drivers or software may need to be installed to facilitate the remainder of the QES process. Documents are often accessed within specific signing platforms, which may provide "apply signature" prompts. At this point, the QES can be selected, with signing systems connecting to QSCDs. At this point, it may be necessary to enter a previously selected PIN or complete other authentication processes.
Moving forward, the QES will verify integrity, making the document tamper-evident and ensuring that any unauthorized modifications are easily detected. The QES also confirms the signer's authenticity as a result of its strong identity proofing process.
Qualified Electronic Signature use cases
QES serves many functions across a wide range of industries. While SES or AES may be favored for certain low-risk scenarios, QES is the safer option when compliance or legal enforceability are key sources of concern. Top use cases include:
High-value transactions. When the stakes are high (as is commonly the case when completing major transactions in fields such as real estate or finance), QES promises a heightened level of assurance. This is a key element of digital transformation within the quickly evolving finance sector.
Highly-regulated industries. The dollar value of a given contract should not be the only factor determining whether QES is necessary. Also worth considering: the regulatory environments at play. In sectors such as energy or banking, strict requirements may demand higher levels of security or identity assurance.
Government documents. From permits to tax filings, QES supports many official public sector submissions. This brings digital innovation to government agencies, allowing them to better serve citizens via streamlined, yet secure (and highly accessible) solutions.
Healthcare documents. Used for everything from patient consent forms to discharge summaries, QES supports telemedicine and streamlines healthcare workflows without sacrificing digital security.
Why choose Sectigo for your signature needs
Ready to take the next step towards securing qualified electronic signatures? Look to Sectigo for expert support. As an accredited QTSP, Sectigo offers a wide range of trusted solutions for citizens and enterprises, including:
eIDAS-compliant certificates for citizens - SCD or QSCD
eIDAS-compliant certificates for enterprises - Certificates for advanced or qualified signatures
eIDAS-compliant certificates for enterprises - Certificates for advanced or qualified seals
Offering a comprehensive eIDAS product portfolio, Sectigo empowers enterprises and citizens to streamline workflows while meeting key compliance and security goals. Get in touch to learn how you can simplify digital trust.