Elevating eSignatures to the Next Level: Understanding the Technology Behind Qualified Electronic Signatures (QES)

The adoption of eSignature worldwide is shaping the future of modern business workflows. Enterprises embrace eSignature for a host of reasons. It can be for process improvements, compliance, to increase productivity, or to save costs, but the most crucial reason eSignature is becoming popular is security.

Most eSignature vendors offer standard eSignature, which provides basic security measures. To overcome the shortcomings of Standard eSignatures and to meet the compliance requirements, Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES) were introduced. AES and QES offer advanced security measures to ensure the authenticity and integrity of documents signed electronically.

Between AES and QES, QES is considered to be more secure. Under the eIDAS Regulation, QES is regarded as a legal alternative to “wet” or paper-based signatures in the European Union. Why is QES a more secure alternative to AES, and how do they work?

In this blog, we’ll answer this question and help you understand QES and the technology behind it.

Technology Behind Qualified Electronic Signatures

What are Qualified Electronic Signatures or QES?

A Qualified Electronic Signature is a type of electronic signature that provides a higher level of security and is considered equivalent to handwritten signatures. QES is created using a qualified certificate and a Qualified Signature Creation Device or QSCD. Like the AES, QES is also based on Public Key Infrastructure (PKI). It uses certificates to ensure authenticity and checks for any changes to the document to ensure integrity.

The global market size for qualified electronic signatures was valued at approximately USD 2.32 billion in 2024. It is projected to grow at a very high compound annual growth rate (CAGR) of 42% from 2024 to 2030, reaching an estimated USD 18.07 billion by 2030.

Choosing between AES and QES depends on the signature level you need to meet legal and regulatory compliance. For instance, under the eIDAS, QES is considered an equivalent of handwritten signatures all over the European Union. Therefore, QES may be a better alternative to Standard eSignatures to ensure high security and legal enforceability. While both AES and QES use certificates, why is using a signature creation device unique to QES?

Difference Between Advanced Electronic Signature (AES) and Qualified Electronic Signature (QES)

| Feature / Aspect | AES (Advanced Electronic Signature) | QES (Qualified Electronic Signature) |
|---|---|---|
| Legal Validity (EU) | Legally admissible if linked to the signer and tamper-evident | Equivalent to handwritten signature under eIDAS |
| Identification Requirement | Requires identification, but method is flexible | Requires qualified digital certificate issued by a trusted provider |
| Security Level | High – ensures integrity and signer authentication | Very High – backed by certified hardware/software and strict issuance |
| Binding to Signer | Linked to the signer using digital methods | Uniquely linked and verified to the signer through a qualified certificate |
| Technology Used | Cryptographic keys, audit trails, and secure servers | Same as AES, but with certified devices (QSCD) and processes |
| Regulation | Recognized under eIDAS, but not mandated to use certified providers | Must comply with eIDAS Article 25.2 and use Qualified Trust Service |
| Use Cases | Internal approvals, NDAs, consent forms, HR docs | High-risk legal agreements (e.g., notarizations, cross-border transactions) |
| Implementation Complexity | Easier to deploy, flexible tools and identity verification methods | More complex, requires formal issuance and compliance with EU standards |
| Presumption of Authenticity | Must be proven in court if challenged | Presumed authentic unless proven otherwise |
| Cost & Time | Lower cost, quicker to deploy | Higher cost due to identity checks and hardware requirements |

Role of Qualified Signature Creation Device or QSCD in QES

Both AES and QES use certificates for signing. A Qualified Electronic Signature (QES) is an AES that uses a qualified certificate issued by a Qualified Trust Service Provider (QTSP). A Trust Service Provider (TSP) authenticates the identity of a signatory and issues a digital certificate. A TSP accredited by a national body becomes a Qualified Trust Service Provider (QTSP).

The use of electronic signature creation devices is unique to QES. A Qualified Signature Creation Device or QSCD can be a USB Key, Smart Card or Badge.

Here’s an overview of how they work:

1. Secure Key Generation and Storage: QSCDs typically generate a pair of cryptographic keys: a private key and a corresponding public key. The private key is securely stored within the QSCD’s hardware or software, making it extremely difficult for unauthorized parties to access or copy.

2. User Authentication: Before using a QSCD, the authorized user must authenticate themselves using a robust authentication method, such as a PIN code, biometric data (e.g., fingerprint), or a smart card. Authentication ensures that only the authorized person can use the QSCD to create electronic signatures.

3. Signing Process: The QSCD takes the calculated document hash and signs it with the signer’s private key. This process generates a digital signature. The digital signature is unique to the document and the private key, ensuring the document’s integrity and the signer’s identity.

4. Binding Signature to Document: The digital signature, along with the document hash, is attached to the electronic document, creating a signed electronic record, and this ensures that any subsequent changes to the document will invalidate the signature.

5. Qualified Certificate: QSCDs often require a qualified digital certificate from a QTSP. The qualified certificate links the public key of the QSCD to the signer’s identity, providing proof of the signer’s identity.

6. Verification: To verify the validity of a qualified electronic signature, the recipient or a third party can use the signer’s public key to verify the digital signature. The recipient can also verify the signer’s identity with the qualified certificate.
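The steps above can be modelled in a few lines. This is an added example, not Certinal's code or any real QSCD interface: `ToyQSCD`, the PIN and the sample document are hypothetical, and the key is textbook RSA over two Mersenne primes with no padding, chosen only so the block runs with the standard library. It shows the PIN gate with a retry lock, signing of the document hash inside the device, and a verifier that recomputes the hash from the document rather than trusting the attached one; qualified-certificate validation is not modelled.

```python
import hashlib
import hmac

# Constructed demo key: textbook RSA over two Mersenne primes, no padding.
# Illustration only; a real QSCD uses certified hardware and padded signatures.
_P, _Q, E = 2**521 - 1, 2**607 - 1, 65537
N = _P * _Q


def digest(document: bytes) -> int:
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


class ToyQSCD:
    """Hypothetical model of a QSCD: the private exponent never leaves it."""

    def __init__(self, pin: str, max_tries: int = 3):
        self.__d = pow(E, -1, (_P - 1) * (_Q - 1))  # step 1: key stays inside
        self.__pin, self.__max = pin, max_tries
        self.__tries_left = max_tries
        self.public_key = (N, E)

    def sign(self, pin: str, document_hash: int) -> int:
        if self.__tries_left == 0:
            raise PermissionError("device locked")
        if not hmac.compare_digest(pin, self.__pin):  # step 2: authenticate
            self.__tries_left -= 1
            raise PermissionError("wrong PIN")
        self.__tries_left = self.__max
        return pow(document_hash, self.__d, N)  # step 3: sign the hash


def sign_document(device: ToyQSCD, pin: str, document: bytes) -> dict:
    h = digest(document)
    # Step 4: the signature and hash travel with the document.
    return {"document": document, "hash": h, "signature": device.sign(pin, h)}


def verify(record: dict, public_key: tuple) -> bool:
    n, e = public_key
    # Step 6: recompute the hash; the attached "hash" field is untrusted input.
    return pow(record["signature"], e, n) == digest(record["document"])


def demo() -> tuple:
    device = ToyQSCD(pin="4821")  # constructed PIN
    record = sign_document(device, "4821", b"Lease agreement v1")
    tampered = dict(record, document=b"Lease agreement v2")  # hash/sig unchanged
    return verify(record, device.public_key), verify(tampered, device.public_key)
```

The tampered record still carries the original hash and signature, so a verifier that compared the signature against the attached hash would accept it; recomputing from the document bytes is what makes the change detectable.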

Benefits of using a Qualified Signature Creation Device or QSCD

Benefits of QES

Ensuring the security and authenticity of these digital signatures is of paramount importance. Qualified electronic signatures, backed by Qualified Secure Signature Creation Devices (QSCDs), offer a robust solution to address these concerns. Here are a few benefits of using QSCD:

1. Secure Storage of Private Keys: QSCDs securely store private keys in a tamper-proof and tamper-evident environment. These devices are designed with hardware-based security mechanisms that safeguard the keys from unauthorized access and potential breaches.

2. Tamper-Proof and Tamper-Evident Features: QSCDs are equipped with tamper-proof and tamper-evident features that detect unauthorized attempts to access or modify private keys. This property ensures that the private keys remain intact and secure throughout their lifecycle.

3. Identity Verification: QSCDs verify the identity of the signer rigorously. This authentication process ensures that only authorized individuals can use the device to generate digital signatures, adding an extra layer of security to the signing process.

4. Use of PINs and Authentication Methods: QSCDs often require the use of Personal Identification Numbers (PINs) or other robust authentication methods to access and use the device. This adds a layer of protection, making it more challenging for unauthorized individuals to misuse the device.

5. Contributing to Legal Admissibility: QSCDs contribute to the legal admissibility of digital signatures by providing a secure and trusted means of creating these signatures. Courts and regulatory bodies often recognize QSCDs as reliable tools for verifying the authenticity and integrity of signed documents.

Industry-Specific Applications of Qualified Electronic Signatures (QES)

Qualified Electronic Signatures (QES) are not just a legal formality—they are essential in industries where the stakes of identity verification, regulatory compliance, and document authenticity are high. Below are several key sectors where QES plays a critical role.

1. Banking and Financial Services

In finance, trust and compliance are everything. QES is used to securely execute high-value transactions, onboard customers under strict KYC and AML regulations, and sign cross-border contracts with full legal validity. Banks also rely on QES for regulatory filings and disclosures, ensuring that digital processes meet the standards of PSD2 and eIDAS.

2. Legal and Notary Services

Law firms and notaries increasingly depend on QES for executing digital contracts, filing court documents, and managing notarized agreements such as powers of attorney and wills. Because QES carries the same legal standing as a handwritten signature in the EU, it provides strong non-repudiation and is admissible as evidence in court without additional proof.

3. Healthcare and Life Sciences

In healthcare, patient safety and data integrity are paramount. QES is used for obtaining informed consent in clinical trials, authorizing cross-border treatments, and granting data access under GDPR. It ensures that patients understand what they’re agreeing to—and that providers can prove it when challenged.

4. Pharmaceuticals

The pharmaceutical industry uses QES in regulatory submissions to authorities like the EMA and FDA. It also supports digital batch release documentation under GxP compliance and product registration workflows. QES helps meet the strict requirements of Annex 11 and 21 CFR Part 11, ensuring the integrity and traceability of sensitive data.

5. Government and Public Sector

Many government agencies require QES for digital citizen services. This includes submitting tax declarations, applying for permits, accessing benefits, and participating in public procurement. QES ensures secure, compliant interactions with eGovernment platforms, particularly across EU member states.

6. Real Estate and Construction

QES facilitates the signing of remote purchase agreements, lease contracts, and deeds involving multiple jurisdictions. It reduces delays and enhances legal enforceability in transactions that would otherwise require in-person notarization, especially in commercial real estate.

Conclusion:

When evaluating an eSignature solution, choose the one which offers flexibility in terms of level of eSignature, security, compliance, and pricing. QES are equivalent to wet ink signatures, but the technology behind qualified electronic signatures is sophisticated due to the use of hardware devices for signature creation. The higher level of security that QES offers comes with legal and regulatory compliance requirements.

Certinal eSignature offers three levels of eSignatures as eIDAS requires: standard, advanced and qualified. For Certinal QES users, the signer is handed a “token” or QSCD that allows the certifying authority to validate their identity before signing their documents after entering a personal PIN.

Informed decision-making is vital at the evaluation stage. Click here to read the analyst brief by Holly Muscolino, Group Vice President, Content Strategies, and the Future of Work at IDC, which covers the benefits, challenges, stakeholders, and considerations when evaluating eSignature solutions.

Request a demo to witness how Certinal Qualified eSignature can help your signing process be compliant and secure.

Frequently Asked Questions

1. Is a QES mandatory for all digital transactions under eIDAS?

No. While QES offers the highest level of assurance under eIDAS, it is only mandatory in specific regulated use cases—such as certain interactions with public authorities, notarized contracts, or cross-border legal agreements. In many B2B and internal scenarios, an Advanced Electronic Signature (AES) may be legally sufficient.

2. How is the identity of the signer verified during a QES process?

The signer must undergo strong identity verification, typically including face-to-face video verification, eID (electronic ID), or government-issued documents validated by a Qualified Trust Service Provider (QTSP). This is a core distinction between QES and other signature types—it’s not just about the signature, but how the identity was proven before it.

3. Can a QES be used outside of the European Union?

QES is legally binding and enforceable within the EU under eIDAS. However, recognition outside the EU varies. Some countries may accept QES as a strong form of digital signature, but others may require local trust frameworks. For global use, businesses often layer QES with region-specific compliance tools or fallback to AES/SES where appropriate.

4. What industries are required or strongly recommended to use QES instead of AES?

Industries like legal, healthcare, banking, public sector, and pharmaceuticals often require QES in specific workflows—such as clinical trial consent, notarizations, digital onboarding, or regulatory submissions. These scenarios demand a high degree of signer authentication, non-repudiation, and legal admissibility that only QES can guarantee.

5. What happens if a document signed with QES is challenged in court?

A document signed with QES carries a legal presumption of authenticity under eIDAS. This means the burden of proof shifts to the challenger, not the signer. In contrast, AES or SES signatures must be validated case-by-case. This presumption makes QES especially valuable for high-risk, high-stakes agreements.

Meet Our Contributors

Meet the Author
Senior Executive - Marketing
Certinal Inc.
Our Reviewer
Ankit Aggarwal
Associate Director Marketing
Certinal Inc.