What is the Qualified Electronic Signature? Definition of QES

The Qualified Electronic Signature (QES) is the most advanced and secure form of digital signature available today.

In accordance with the European eIDAS (electronic IDentification, Authentication and trust Services) regulation, a qualified digital signature is an advanced electronic signature backed by a qualified certificate. Only Trust Service Providers (TSPs) who have been granted“qualified” status by the relevant authorities (i.e. ANSSI in France) can issue this certificate.

QES differs from the 3 other types of electronic signature in 2 respects:

  • Verification of identity prior to issue of certificate
  • Its creation requires the use of a Qualified Signature Creation Device (QSCD).

These 2 specific features guarantee irrefutable authentication of the signatory’s identity, as well as the integrity and non-repudiation of the signature. Once affixed, it is virtually impossible to contest or alter without leaving obvious traces. Its reliability is such that it enjoys the same legal status as a handwritten signature. This means that, in the event of a dispute, your qualified electronic signature will have the same probative value in court as a traditional pen-and-ink signature.

QES stakes

As you can imagine, the need for security and authenticity is at the forefront of your mind when it comes to remote identity verification. To meet these needs, qualified electronic signatures offer a reliable and robust solution. It assures you that the signatory is who he or she claims to be, thanks to strict control mechanisms and advanced technology.

In the digital age, where remote identity verification is becoming essential, the qualified electronic signature stands out for its ability to protect transactions and documents against falsification. Used in a professional or personal context, it confirms your commitment with unquestionable legal validity.

Do you have any questions?

Make an appointment with one of our experts to find out how Netheos solutions can help you verify the identity of your users, securely and without loss of conversion.

How qualified electronic signatures work

eIDAS logo

The electronic signature is the most secure signature in the eIDAS regulation because it has 2 distinctive features:

  • The qualified electronic certificate, an essential component of the QES, can only be issued once the identity of the signatory has been verified.
  • The qualified electronic signature can only be created using a QSCD, validated by ANSSI, which contains the qualified certificate.

What is a qualified electronic certificate?

A qualified electronic certificate is, to use a metaphor, the digital seal that irrevocably binds your identity to your electronic signatures. This certificate, issued by a qualified Certification Authority (CA), establishes an unmistakable link between your personal identification data and the electronic signature you affix to digital documents. The integrity of your signature is based on the unambiguity of your identity, indisputably attested by this act of certification. The qualified electronic certificate is the signatory’s digital identity card, attesting to the veracity of his or her personal information.

This certification document is the result of a rigorous process. Your presence, virtual or physical, is required for its issuance, ensuring a direct and verifiable link with yourself, and guaranteeing the highest level of security.

What is a QSCD?

The QSCD, or Qualified Signature Creation Device, is the hardware or software approved by a European information systems security and defense authority (i.e. ANSSI in France) that creates and protects the private cryptographic key used to generate the qualified electronic signature. They are provided by Qualified Trusted Service Providers (QTSPs) during the identity verification stage. QSCDs are physically embodied in “tokens“: USB keys, smart cards or badges. Today, the ANSSI authorizes certain QTSPs like Netheos to use them remotely, in the Cloud.

Thales QSCD USB key
USB Key token from Thales

Their role is to securely store the user’s private cryptographic key and ensure that it never leaves the token. They are designed to be robust against any attempt at hacking or forced extraction of token data.

QSCDs are therefore vital in ensuring that your digital signature is valid and legally equivalent to a face-to-face signature. It also protects your identity by ensuring that the signature cannot be falsified or reused.

What is a cryptographic key?

This is the central technical component of the electronic signature. Technically, it is based on RSA encryption, an asymmetrical cryptographic algorithm widely used in the exchange of confidential data over the Internet. But kesako, you may ask! This mathematical term means that 2 different keys are used to create and then read a digital signature: a public key to encrypt confidential data and an associated private key to decrypt it. For electronic signatures, the use is reversed: only the signatory can encrypt his signature with his private key, and anyone in possession of the associated public key will be able to decrypt it.

Asymmetric cryptography - Source Wikipedia

Here are the steps involved in creating a qualified electronic signature using asymmetric cryptography:

  1. Preparing and protecting the document to be signed: When a user wishes to digitally sign a document, he or she first creates a hash-function fingerprint of the document to be signed. The fingerprint is a unique alphanumeric sequence (numbers + letters) used to condense and codify the textual data in the document. Even a small change in the original document will result in a completely different print.
  2. Encrypting the fingerprint with the private key: The signatory’s private key, generated by QSCD and validated by the trusted provider, is then used to “encrypt” the fingerprint, creating a digital signature (in alphanumeric format). This technique certifies that the signature was indeed created by the verified signatory, who is the sole owner of the private key.
  3. Qualified signature: In parallel, the signatory’s qualified certificate will be associated with the electronic signature to generate the digitally signed document, meeting the requirements of the eIDAS regulation (QES = qualified certificate + advanced signature). As a reminder, the certificate links your public key, also created by QSCD, to your identity. This allows anyone holding this key to confirm that the fingerprint has been encrypted (signed) with your private key.
  4. Fingerprint verification: The sender in turn creates a hash of the signed document received, using the same hash function. It then uses the public key received to decrypt the signature and recover the original fingerprint. If these 2 generated fingerprints are identical, then the signature is valid: the document has never been altered after signing.

This system makes it possible to protect the document against any alteration and to prove that the signatory is the person who possesses the private key associated with the public key.

Physical or remote qualified electronic certificate

Historically, the preliminary identity verification phase was carried out during a physical meeting between the signatory and the certification authority. At this stage, the QTSP validates his identity and gives him the hardware“token” containing his private cryptographic key. The signatory can then sign his documents after unlocking it by entering a PIN code.

With the advent of cloud technologies, you now have the option of a remote electronic certificate. Here, instead of having a physical object, your cryptographic key is secured on a cloud server via a remote Hardware Security Module (HSM ). This cloud-based system, managed by a Trusted Service Provider (TSP), offers more flexibility than a physical device, as you can access your electronic signature wherever you are, as long as you have an Internet connection. This simplifies the electronic signature process by eliminating the need for specific hardware to be transported and maintained. This ease of access does not, however, compromise security, as the trusted service providers who manage these systems must meet the extremely stringent security requirements set out in the eIDAS regulation.

Legal value of the qualified electronic signature

QES: the only legal equivalent of a handwritten signature

In terms of legal value, the qualified electronic signature differs significantly from other forms of electronic signature. Under the European eIDAS regulation, QES is explicitly recognized as the legal equivalent of a handwritten signature in all EU member states.

Here’s why its legal status makes it so special:

  • Legal recognition: In accordance with article 25 of the eIDAS regulation, a qualified electronic signature has the same legal value as a handwritten signature. This means that in legal proceedings, a qualified signature cannot be rejected as evidence simply because it is in electronic form.
  • Authenticity and integrity: QES ensures the authenticity of the signatory’s identity through rigorous verification procedures established by Certification Authorities. It also ensures document integrity, as any modification of content after signature is technically detectable, rendering the signature invalid in the event of a dispute.
  • European acceptance: The eIDAS regulation defines the legal framework for the use and recognition of the 3 types of electronic signature, of which QES is one, in all European Union Member States, including France. Only Qualified Trusted Service Providers (QTSPs) recognized and certified by eIDAS are authorized to issue qualified certificates.

Validity of QES in the event of a dispute and reversal of the burden of proof

In the event of a dispute, your qualified electronic signature has the same legal value as a traditional handwritten signature. In practical terms, this means that it is recognized by the courts in the same way as written evidence. This level of recognition is made possible by strict compliance with regulations that require Qualified Trusted Service Providers (QTSPs) to follow rigorous procedures for verifying identity and issuing the associated qualified certificate.

However, with a qualified electronic signature, this dynamic is reversed.

The eIDAS regulation stipulates that it has a presumption of validity, meaning that a document signed with a qualified electronic signature is automatically considered authentic and of guaranteed integrity, unless proven otherwise. This means that if an actor challenges the validity of your qualified signature before a court of law, it is up to them to provide proof that it is invalid: this is the principle of reversal of the burden of proof. In other words, the burden of proof is reversed compared to a lower-level electronic signature, where it is up to the signatory to demonstrate the reliability of his signature.



Find out more by downloading our free white paper entitled “Qualified Electronic Signature: combining compliance and user experience”

How do I obtain a qualified electronic signature?

To obtain your own Qualified Electronic Signature, you need to follow a well-defined procedure that complies with the strict requirements laid down by the eIDAS regulation. Here are the essential steps for making a QES:

  1. Choose a Qualified Trusted Service Provider (QTSP): You must use a recognized QTSP, i.e. an entity that has been assessed and holds the necessary certification to deliver qualified electronic signature creation services. The list of qualified service providers is available on the eIDAS website.
  2. Verify your identity: The eIDAS regulation requires thorough identity verification to ensure the authenticity of the signature. This step is performed by the QTSP you have chosen, and includes the use of a secure remote identity verification solution such as Netheos ID FAST. In addition to presenting valid proof of identity, AI facial recognition tools will compare your passport photo with your face, ensuring that you are indeed the person holding the CNI.
  3. Obtain the Qualified Certificate: Once your identity has been confirmed, the service provider will issue you with a qualified electronic signature certificate, which he will deposit in a QSCD: the QES creation device. This digital document links your identification data to your signature creation data, confirming the origin and integrity of signed documents.
  4. Sign: You can now sign your contract. This step varies from one service provider to another, but generally works thanks to a 6-digit code called OTP (One Time Password) received by SMS or email.

Qualified electronic signatures for INPI formalities

The Institut National de la Propriété Industrielle (INPI), the official French body responsible for registering intellectual property such as patents, trademarks and designs, now offers a wide range of online formalities. To guarantee the security and veracity of these processes, the Qualified Electronic Signature is a valuable and sometimes necessary tool.

The use of the QES meets a twofold challenge for your formalities with INPI: to ensure the integrity of the document transmitted and to guarantee the certain identification of the signatory, who may be the inventor, the creator or any agent acting on his behalf.

The implementation of QES for INPI formalities follows the legal framework imposed by the eIDAS regulation and requires the following steps:

  1. Obtain a qualified certificate: As previously mentioned, you need to acquire a qualified certificate from a Qualified Trusted Service Provider (QTSP) certified by ANSSI, who will verify your identity.
  2. Prepare your formality: Prepare the document relating to your INPI formality (application, opposition, renewal, etc.) following the guidelines provided by INPI for compliance with filing formats and conditions.
  3. Signing: Sign your document electronically using the QSCD (physical or remote) provided by the Trusted Service Provider of your choice.
  4. Transmission in electronic format: Once the document has been signed, transmit it electronically via INPI’s online platform.
Important note

Netheos does not offer qualified electronic signatures per unit, as required for INPI formalities. Our solution, based on an API platform, can handle large volumes of qualified signatures, making it more suitable for highly regulated companies than for private individuals.

Get a free qualified electronic signature

There is no free solution for qualified electronic signatures. While most French and international players (Yousign, Docusign, Universign, Eversign and PandaDoc) offer several days’ free trial, this only applies to simple electronic signatures, i.e. the first level of security and legal recognition under the eIDAS regulation. Even so, this procedure is still by far the most widely used in the world today!

The reason is logical: the simple signature is not legally or technically constrained. This means you can sign without having to verify your identity, and no certificate is issued. In the event of a dispute, the signatory can therefore deny having signed.

In contrast, the qualified version corresponds to the most regulated and technically demanding eIDAS level, requiring the use of advanced, ultra-secure technological solutions. The additional costs incurred by trusted service providers make it impossible for them to offer free solutions.

What are the criteria for choosing a Qualified Trusted Service Provider (QTSP)?

Choosing the right service provider is crucial to guaranteeing the integrity, security and legal recognition of your electronic signatures. Here are the elements to consider:

  • eIDAS compliance: Make sure your QTSP is listed on the European Union’s Trusted List. This list enables you to check that the service provider complies with the strict requirements of the eIDAS regulation and is authorized to provide qualified electronic signature services. The Namirial group, of which Netheos is a product, is a QTSP certified by eIDAD. Our signatures are legally valid in France and throughout the European Union.
  • Reliability and reputation: A reliable QTSP is often recognized by its track record and reputation in the field of digital security. Customer reviews, case studies and certifications are trust indicators not to be overlooked. Namirial and its Netheos product are among the European leaders , with prestigious customers such as La Banque Postale, Floa Banque, CDC Habitat, Préfon, Xpollens, Yves Rocher and many others.
  • Ease of integration: Your QTSP must be able to offer you solutions that integrate easily with your existing IT system. Interoperability with your current applications and tools is a practical aspect to consider, to avoid any additional costs associated with software adaptations. At Netheos, our solutions connect to your system via an API platform. Identity verification is carried out entirely remotely, and our QSCD is in the cloud.
  • Service availability: Ensure the high availability of the services offered by the service provider. Your business should not be affected by possible service interruptions. In 2022, Netheos service availability will reach 99.985%, guaranteeing you access at all times.
  • A smooth process: As the qualified signature is highly regulated by eIDAS, obtaining it necessarily requires a number of steps, which can make the process tedious. Make sure that the user experience is at the heart of QTSP’s priorities. At Netheos, we’re proud to announce that our solution is the fastest and most fluid on the market. Thanks to it, your abandonment rates drop drastically, just as your conversion rates do.
Did you know that?

In 2023, the Namirial group is named leader in the electronic signature software supplier category in the IDC MarketScape Worldwide 2023 report, alongside Adobe and Docusign.

Netheos qualified electronic signature solution

The Netheos solution is :

Do you have any questions?

Make an appointment with one of our experts to find out how Netheos solutions can help you verify the identity of your users, securely and without loss of conversion.

Our solution is accessible via all media (computers, mobiles, tablets). The entire process is carried out online, in 5 quick and easy steps:

  1. Video capture of identity document

    Capture is live: the user frames his document, which he must have in his possession.

  2. Passive facial recognition

    At this stage, live detection is passive and transparent for the user: no action is required. This step ensures that the user is the legitimate holder of the identity document.

  3. Sent for analysis

    To guarantee the highest level of security, final verification is carried out by our expert anti-fraud department. Based in France and available 24/7, our team complements the results obtained by Artificial Intelligence.

Netheos Qualified Electronic Signature
  1. The user consults his contract

    After reading the contract in full, the signatory can accept its clauses and then proceed to sign it by receiving a secret code by SMS OTP on their cell phone.

  2. User signs contract

    The 6-digit code received by SMS OTP enables the user to electronically sign the contract, making the signature legally valid throughout the European Union.

Contact us!

Fill in the form and we will contact you as soon as possible.

You can discover :

  • How we can meet your specific needs and expectations
  • A personalized demo, allowing you to appreciate the fluid experience we offer
  • Customer feedback and case studies of similar companies that have integrated our solutions
  • Advantages, benefits and value according to your use case