There are several levels of electronic signatures that are more or less secure and it is not always easy to understand the subtleties and use cases.

First, we need to understand how electronic signatures are regulated.

Since 2014, the European Union has governed electronic signatures through the eIDAS regulation (for Electronic Identification And Trust Services). The aim is to establish a European framework that distinguishes between qualified and unqualified trust services. To fall into the first category, service providers must meet specific requirements and are subject to regular audits by national bodies. In France, this organization is called ANSSI (National Agency for Information System Security).

Among the requirements, we can find:

  • The issuance of qualified certificates
  • Qualified validation of qualified electronic signatures and stamps in order to guarantee legal security by providing proof of validation by a qualified third party.
  • Qualified preservation of qualified electronic signatures and stamps to extend their reliability beyond their technological validity period.
  • Qualified electronic timestamps to attest that data in electronic form existed at a given point in time.
  • Qualified electronic registered mail in order to transmit data between third parties electronically while protecting this data against the risks of loss, theft, alteration or modification.

The European Union has also set up a list of trusted third parties, which includes qualified European certification authorities, to be found on this site.

There are three types of electronic signatures with different levels of requirements and security. It is natural to go for the type of signature that offers the highest level of security, but is it always useful to impose long and restrictive processes on our customers and ourselves when it is not mandatory?

In order to be able to choose which level is the most suitable for our situation, we need to understand these different levels.

#1 The simple electronic signature

The term “simple” electronic signature is not actually used in the eIDAS regulation but is used by the vast majority of suppliers. This name covers all electronic signature systems that do not reach the advanced or qualified level.

The simple signature is the most used on the market because it is the fastest and most fluid.

There are no lists of requirements for these types of signatures. A scanned or digital signature on a terminal, for example, can be a so-called simple signature. However, these are signatures that have no legal value.

Let's then look at how to create a simple electronic signature that is still recognized by the courts in the event of disputes, because that is what interests us: to be legally protected.

First of all, this is what the eIDAS regulation tells us about electronic signatures: they are “data in electronic form, which is attached or logically combined with other data in electronic form and which the signatory uses to sign.”

For the electronic signature to be legally accepted, it is therefore necessary to be able to prove that the signatory has agreed to sign these documents. To do this, the trusted third party that offers its electronic signature services constitutes an evidence file in which there are several essential elements:

  • The electronic identity card, also called a single-use certificate, which allows the signatory to be identified.
  • The signature timestamp
  • Identifying elements of the signatory (email address, telephone number, IP address of the computer used to sign the document,...)

This evidence path, or evidence file, must then be stored in a digital safe in order to preserve the integrity of the document over time.
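As an added illustration (not code from the original article or from any signature provider), the sketch below assembles the evidence-file elements listed above and later checks them for tampering. The HMAC key stands in for the trusted third party's seal, and all field names and sample values are assumptions constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the provider's sealing key (assumption). A real trust
# service seals with a certificate-backed signature and a trusted timestamp.
SEAL_KEY = b"constructed-demo-key"

def seal(record: dict) -> str:
    # Canonical JSON so the same fields always serialize to the same bytes.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SEAL_KEY, payload, hashlib.sha256).hexdigest()

def build_evidence(document: bytes, signer: dict, signed_at: str, cert_id: str) -> dict:
    record = {
        "document_sha256": hashlib.sha256(document).hexdigest(),
        "certificate_id": cert_id,  # single-use certificate reference
        "signed_at": signed_at,     # signature timestamp (UTC, ISO 8601)
        "signer": signer,           # email address, telephone number, IP address
    }
    return {"record": record, "seal": seal(record)}

def verify_evidence(evidence: dict, document: bytes) -> list:
    """Return a list of problems; an empty list means the file is intact."""
    problems = []
    record = evidence.get("record", {})
    if not hmac.compare_digest(seal(record), evidence.get("seal", "")):
        problems.append("evidence record altered after sealing")
    if hashlib.sha256(document).hexdigest() != record.get("document_sha256"):
        problems.append("document does not match the signed version")
    for field in ("certificate_id", "signed_at", "signer"):
        if not record.get(field):
            problems.append(f"missing element: {field}")
    return problems

def demo() -> dict:
    # Constructed sample data (documentation-range IP, example.com address).
    doc = b"Lease agreement, version 1"
    signer = {"email": "signer@example.com", "phone": "+33100000000", "ip": "192.0.2.10"}
    ev = build_evidence(doc, signer, "2024-01-15T10:30:00Z", "CERT-DEMO-0001")
    return {
        "intact": verify_evidence(ev, doc),
        "edited_document": verify_evidence(ev, b"Lease agreement, version 2"),
    }

if __name__ == "__main__":
    print(demo())
```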

These electronic signatures can be used for routine acts or actions involving limited legal or financial risks such as:

  • Contracts (membership, suppliers, leases, work, etc.)
  • Quotes
  • Inventory of a home
  • Invoice
  • SEPA Direct Debit Mandate
  • Etc.

#2 The advanced electronic signature

The advanced electronic signature must meet more advanced identity verification criteria, so it allows for higher levels of security. It must be linked unequivocally to the signatory and allow the signatory to be identified very precisely. The advanced electronic signature must therefore:

  • Be linked to its signatory in a unique and clear way
  • Allow the signatory to be formally identified
  • Be created by means under the exclusive control of the signatory (telephone or personal computer for example)
  • Guarantee that the document cannot be changed later

With this type of signature, the signatory may therefore have to upload an identity document before being able to sign; that identity document is then added to the evidence file. A box to be checked, or a text to be copied, can accompany the document in order to reinforce the proof of the signatory's consent.

Advanced electronic signatures are recommended in large financial transactions or in documents presenting important legal issues such as:

  • Real estate sales agreement
  • Credit contracts
  • Contracts for certain banking and insurance products (savings, life insurance, pension plans known as the “Madelin law”)

An intermediate solution between advanced signature and qualified signature consists in adding a step of face-to-face verification (physical or remote) of the identity of the signatory in order to obtain a qualified certificate. This type of solution can be used for tenders for public contracts, for example.

#3 The qualified electronic signature

From a legal point of view, the difference between simple or advanced signatures and qualified signatures is important. This signature level is demanding in terms of verifying the identity of the signatory and protecting the signature key. However, it gives the signature a legal value equivalent to a handwritten signature, while the other levels of electronic signatures have evidentiary value.

The qualified signature uses the same security criteria as the advanced signature, but with some subtleties:

  • The identity of the signatory must be validated prior to the signature
  • The signature key is held in a qualified electronic signature creation device, also called a QSCD.

A qualified electronic signature is the most advanced level of security. It is only used in very specific cases, because it is often very restrictive:

  • Lawyer acts (cohabitation agreements, PACS, company statutes, contracts for the transfer of a business or shares, etc.)
  • Acts having effects outside France, but in the European Union (subscriptions to European financial products, intra-EU banking transactions)
  • Acts with public bodies requiring high levels of security (public procurement, invoices sent in electronic format, etc.)

The choice of electronic signature level must therefore be a good compromise between user experience and security. Qualified electronic signatures have very specific use cases. Outside of those cases, we must choose between advanced and simple signatures. The decision should then be based on the legal context in which the electronic signature is used, as well as an analysis of risks and opportunities (financial stakes, impact on productivity, user experience, etc.).

The Gonexa team can advise and support you in the search for the most suitable solution for your use and your business. Contact us.