
What is an electronic signature?
An electronic signature is a digital way to sign a document (such as a contract or agreement) or confirm a transaction. It has the same legal value as a handwritten signature, provided that certain conditions are met. The purpose is to verify the identity of the signer and ensure the integrity of the document.

What electronic signatures do exist?
An electronic signature comes in three forms.

1. Simple electronic signature (EHS)
- This is the basic form, such as typing a name under an email or clicking an "agree" button.
- Less secure, because it is easier to forge.

2. Advanced electronic signature (AHS)
- Uses cryptographic techniques to make the signature unique and linked to the signer.
- Can be validated and ensures that the document has not been modified after signing.

3. Qualified electronic signature (QES)
- The highest level of security.
- Requires a qualified certificate issued by a qualified trust service provider (QTSP).
- Legally equivalent to a handwritten signature.

What are the main benefits of electronic signatures?
- Efficiency: No paperwork or physical presence of the signer required.
- Security: More difficult to forge than handwritten signatures, especially advanced and qualified signatures.
- Cost savings: Less paper, printing and postage.
- Legal validity: Electronic signatures are recognized in many jurisdictions, including the EU (via the eIDAS regulation) and the US (via the ESIGN Act).

What does the eIDAS trust service qualified signature (QES) look like?
The eIDAS Regulation regulates electronic identification and trust services within the European Union. A QES (Qualified Electronic Signature) according to eIDAS is the highest form of an electronic signature, with strict requirements and a specific structure.

The basis of a qualified signature (QES)
- Linked to a person: A QES is unique to the signatory and contains a digital certificate that confirms the identity of that person.
- Authentication via a certificate: It requires a qualified certificate issued by a qualified trust service provider (TSP).
- Use of a qualified signature creation device (QSCD): This is a secure device that holds the signing key and creates the signature, such as a smart card, USB token or mobile app.

The components of a qualified signature (QES)
- Digital certificates: The qualified certificate contains the following information:
  - The name of the trust service provider.
  - The identity of the signatory (e.g. name and identification data).
  - Validity of the certificate (start and expiration date).
  - A public key linked to the signatory.
- Secure signing technology: When using a QES, cryptographic technology is applied, such as:
  - Asymmetric cryptography: a private key to create the signature and the matching public key to verify it.
  - Hashing algorithms: to ensure the integrity of the document.
- Trust Service Provider (TSP): Only eIDAS qualified TSPs are allowed to issue certificates for a QES. These providers are regularly checked by supervisory authorities in the EU Member States.

How the qualified signature (QES) works in practice
- Identity verification: The user must first identify themselves via an officially recognized method, such as a passport, ID card or a digital identification (e.g. eID).
- Certificate issuance: A qualified TSP issues a personal certificate to the user. This certificate contains all the necessary data to create a QES.
- Signing the document:
  - The signer uses a QSCD to create the signature.
  - This can be done via a physical tool (such as a smart card or USB token) or a cloud-based solution (such as a secure mobile app).
- Verification: A third party can verify the QES by checking the associated public key and the certificate. This guarantees:
  - The authenticity of the signer.
  - That the document has not been modified after signing.

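The issuance, signing and verification steps above, together with the four certificate elements listed under "The components of a qualified signature", as an added Go example that is not part of this page: a stand-in TSP root issues the signatory a certificate, the signing key plays the QSCD, and the relying party's check chains the certificate to the trusted root, checks the validity window and verifies the signature over the document's digest. The TSP and signatory names, the identifier and the validity periods are constructed; the code uses only Go's standard library and is a model of the mechanism, not a full eIDAS QES (no qualified-certificate policy identifiers, revocation checks or timestamps).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func mustCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, issuerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return c
}
// Setup plays the TSP: a self-signed root plus a signatory certificate carrying TSP name (issuer), identity (subject), validity and public key.
func Setup(validFor time.Duration) (root, cert *x509.Certificate, signerKey *ecdsa.PrivateKey) {
	tspKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)  // assumed to stay with the TSP
	signerKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed to stay inside the QSCD
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Qualified TSP Root"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	root = mustCert(rootTmpl, rootTmpl, &tspKey.PublicKey, tspKey)
	signerTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Jane Example", SerialNumber: "EXAMPLE-ID-0000"},
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(validFor)} // constructed identity
	cert = mustCert(signerTmpl, root, &signerKey.PublicKey, tspKey)
	return
}
// Sign models the QSCD: the private key never leaves it; it signs the document's SHA-256 digest.
func Sign(doc []byte, key *ecdsa.PrivateKey) []byte {
	h := sha256.Sum256(doc)
	sig, _ := ecdsa.SignASN1(rand.Reader, key, h[:]) // errors only if the RNG fails
	return sig
}
// Verify is the relying party's check: certificate chains to the trusted TSP root and is valid at `at` (authenticity); signature matches the digest (integrity).
func Verify(doc, sig []byte, cert, root *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	opts := x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err // untrusted issuer, or certificate expired / not yet valid at that time
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, doc, sig) // hashes doc, verifies with cert's public key
}
```

Verify returns an error for an altered document, for a certificate checked outside its validity window, and for a certificate that does not chain to the trusted root, which are the three failure cases a relying party must detect.
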
Which ETSI standards must the eIDAS trust service QES comply with?
The eIDAS Regulation refers to specific standards developed by the European Telecommunications Standards Institute (ETSI) to ensure that trust services, such as the qualified electronic signature (QES), are secure and interoperable within the EU.

Why are these standards important?
- Interoperability: The standards ensure that QES systems can be used throughout the EU.
- Legal certainty: They ensure that the QES complies with the legal requirements of eIDAS.
- Security: They impose strict requirements on systems and processes to prevent misuse or forgery.

Below you will find an overview of the most important ETSI standards that an eIDAS-compliant qualified electronic signature (QES) must comply with.

1. General standard for eIDAS trust services
- ETSI EN 319 401: “General Policy Requirements for Trust Service Providers”
  - Defines the general requirements that a Trust Service Provider (TSP) must meet.
  - Includes security management requirements, operational procedures, and audit requirements.

2. Standards for certificates and TSPs
- ETSI EN 319 411-1: “Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements”
  - Provides the basic requirements for issuing digital certificates.
  - Focuses on the reliability and security of certificate management.
- ETSI EN 319 411-2: “Policy and security requirements for Trust Service Providers issuing certificates - Part 2: Requirements for qualified certificates”
  - Specifies additional requirements for TSPs issuing qualified certificates, as required for a QES.
  - Requires signer identity verification and use of secure certificate management mechanisms.
- ETSI EN 319 412: “Certificate profiles”
  - Specifies the requirements for certificate profiles:

3. Standard for creation and validation of electronic signatures
- ETSI EN 319 102-1: “Procedures for Creation and Validation of AdES Digital Signatures”
  - Describes how to create and validate Advanced Electronic Signatures (AdES).

4. Additional standards for formats of electronic signatures
- ETSI EN 319 122-1: "Part 1: Building blocks and CAdES baseline signatures"
  - Focuses on Cryptographic Message Syntax Advanced Electronic Signatures (CAdES) for digital documents.
- ETSI EN 319 122-2: "Part 2: Extended CAdES signatures"
  - Focuses on extended CAdES electronic signatures.
- ETSI EN 319 132-1: "Part 1: Building blocks and XAdES baseline signatures"
  - Focuses on XAdES (XML) electronic signatures.
- ETSI EN 319 132-2: "Part 2: Extended XAdES signatures"
  - Focuses on extended XAdES electronic signatures.
- ETSI EN 319 142-1: "Part 1: Building blocks and PAdES baseline signatures"
  - Focuses on PAdES (PDF) electronic signatures.
- ETSI EN 319 142-2: "Part 2: Additional PAdES signature profiles"
  - Focuses on additional PAdES profiles for electronic signatures.
- ETSI EN 319 162-1: "Associated Signature Containers (ASiC) - Part 1: Building blocks and ASiC Baseline containers"
  - Focuses on ASiC data containers: a set of file objects together with the associated electronic signatures and/or timestamps, packaged in a ZIP file.
- ETSI EN 319 162-2: "Associated Signature Containers (ASiC) - Part 2: Additional ASiC containers"
  - Focuses on additional ASiC containers.

A further standard for JAdES (JSON Web Signatures) is under development.

Additional specifications and security measures
Depending on the design and setup of the trust service, the above standards refer to various further technical specifications and/or additional security requirements. Examples are:
- CEN EN 419 241-1: “Security Requirements for Trustworthy Systems Supporting Server Signing - Part 1: General System Requirements”
  - Contains general security requirements for systems that support server-side signatures.
- CEN EN 419 241-2: “Security Requirements for Trustworthy Systems Supporting Server Signing - Part 2: Protection Profiles”
  - Describes specific security profiles for QSCDs, including hardware and software.
- ETSI TS 119 431-1: "Policy and security requirements for trust service providers - Part 1: TSP service components operating a remote QSCD / SCDev"
  - Specifies the requirements for managing a remote signature creation device (QSCD/SCDev).
- ETSI TS 119 431-2: "Policy and security requirements for trust service providers - Part 2: TSP service components supporting AdES digital signature creation"
  - Specifies the requirements for components that create an advanced digital signature.
- ETSI TS 119 461: "Policy and security requirements for trust service components providing identity proofing of trust service subjects"
  - Specifies the identity verification requirements that must be met.

Requirements for long-term preservation of electronic signatures
- ETSI TS 119 511: "Policy and security requirements for trust service providers providing long-term preservation of digital signatures or general data using digital signature techniques"
  - Contains the requirements for the long-term retention of electronic signatures.
- ETSI TS 119 512: "Protocols for trust service providers providing long-term data preservation services"
  - Includes additional protocols for long-term preservation of electronic signatures.