What is a Qualified Electronic Signature (QES)?

Jan 23, 2024


Written by: Entrust


Qualified electronic signatures (QES) are the highest standard of electronic signature described in eIDAS, the Electronic Identification and Trust Services Regulation in the European Union. It’s worth knowing that since the UK left the European Union in 2020, it has published its own UK eIDAS regulation, which allows the legal effect of EU eIDAS qualified trust services to be recognised and used in the UK.

Legally, a QES holds the same weight as a handwritten signature and is used in the highest assurance use cases where it’s imperative to have a secure signature and proof of the signatory’s identity. Example industries that require this strong customer authentication are banks and other financial services, which are typically required to conduct extensive KYC (know your customer) and CDD (customer due diligence) processes as part of AML (anti-money laundering) and CFT (countering the financing of terrorism) compliance.

The use of QES is also increasing in notarial services, especially in the context of real estate transactions. To encourage this practice, the UK Land Registry notably accepts submissions signed using a QES.

Qualified electronic signatures are required to adhere to technical standards outlined by the independent standards body, ETSI (The European Telecommunications Standards Institute). Conforming to these standards requires an extensive audit that ensures the provider has robust support processes in place, and meets high standards of security, interoperability, and assurance. The relevant ETSI standards for identity verification and QES are:

  • ETSI TS 119 461: describes standards for the management and operation of a solution, and identity proofing service requirements.
  • ETSI EN 319 401: describes standards for electronic signatures and infrastructures to support the eIDAS regulation.

eIDAS regulation and qualified electronic signature

As stated by the European Commission, ‘eIDAS is a key enabler for secure cross-border transactions.’ In other words, it seeks to make digital transactions safer and harmonize rules for doing so. It covers:

Electronic identification (eID) schemes

Ensuring that eID schemes in the EU are interoperable, secure, and accepted across Member States.

Trust services

Creating, verifying, and preserving electronic signatures, seals, electronic time stamps, electronic delivery services, electronic attestations of attributes and website authentication certificates.

Authentication

Promoting a high level of assurance and the use of strong authentication for eIDs, identity proofing methods and trust services.

Mutual recognition

Ensuring that solutions meeting eIDAS standards are accepted across all Member States.

However, eIDAS does not mandate a single, exclusive interoperable standard. In fact, it allows for three routes to compliance:

Using an eID (electronic identity)

eIDAS 2.0 mandates that Member States accept eIDs. However, they are not expected to become widespread for a number of years.

Via nationally accredited schemes

Examples include PVID in France and the SEPBLAC Certification in Spain. These schemes are unique to each Member State and so create additional complexity for businesses operating across borders.

By requesting an eIDAS qualified electronic signature

Accepted across all Member States as having the same weight as a handwritten signature.

What’s the difference between advanced vs. qualified electronic signatures?

Although an advanced electronic signature (AES) may appear similar to a qualified electronic signature (QES) and may similarly require proof of identity via document and biometric verification, the two don’t have the same requirements and are therefore not recognized in the same way.

The eIDAS definition of AES is technology-agnostic: it does not require the use of any specific standard, so it’s open to interpretation. QES are technically more complex because they follow specific standards that require a regulated ID verification and the issuance of a qualified certificate in qualified hardware. For highly sensitive use cases, like banking, eIDAS only recognizes and oversees qualified electronic signatures.

To complete identity verification for qualified electronic signatures, providers must comply with the previously mentioned ETSI standards, allowing them to act as an Identity Proofing Service Provider (IPSP) for Qualified Trust Service Providers (QTSP), and support know your customer (KYC) for anti-money laundering (AML) regulated businesses.

There are also differences in how questions of validity are handled. For AES, the signatory is responsible for proving it’s valid. QES benefits from a “reverse burden of proof”: whoever doubts validity must provide proof. This means QES has the highest legal enforceability and protections in court.

Looking for an end-to-end QES solution?

Entrust is a leading expert in QES, with a broad range of use-cases supported:

  • Identity Verification Compliance with Entrust Studio Workflow combines ETSI-certified identity verification with qualified electronic signature — allowing regulated businesses to onboard customers across Europe remotely in a single platform.
  • E-signature service for QES with Entrust Signhost leveraging multiple identity sources, including local eID schemes and our own QES-compliant Identity Verification service.
  • eIDAS Trust Service deployments with Entrust QSCD and Entrust Signing Engines for governments and public agencies looking to become Qualified Trust Service Providers (QTSP).

Contact us now to discuss your QES needs.
