eIDAS Regulation — EU e-signature compliance

eIDAS Regulation (EU) 910/2014 is the European Union's e-signature and trust services law. Unlike a directive, it's directly applicable — same rules in all 27 member states, no national implementation needed.

The 3 eIDAS signature tiers

eIDAS formalizes a three-tier classification:

### Simple Electronic Signature (SES)

• Any electronic form of signature with intent to sign
• Typed name, clicked button, drawn signature image
• Legally valid but evidentiary weight depends on surrounding circumstances

### Advanced Electronic Signature (AES) eIDAS Article 26 defines AES as meeting four criteria: 1. Uniquely linked to the signatory 2. Capable of identifying the signatory 3. Created using electronic signature creation data the signatory can use with high confidence under their sole control 4. Linked to the data signed such that any subsequent change is detectable

This is what SignBolt produces by default.

### Qualified Electronic Signature (QES) An AES that additionally:

• Is created by a Qualified Signature Creation Device (QSCD) — typically a smart card or HSM
• Uses a qualified certificate issued by a Qualified Trust Service Provider (QTSP)

QES has the legal effect equivalent to a handwritten signature under Article 25(2) — the strongest possible legal position in the EU.

When you need QES

Most business contracts are fine with AES. QES is required or strongly preferred for:

• Some government/public-sector documents
• Cross-border contracts in regulated industries
• Documents subject to specific national law requiring "qualified" signatures
• Contracts where you want the equivalent-to-handwritten legal status

Qualified Trust Service Providers (QTSPs)

QES requires a certificate from a QTSP. The list is maintained by the European Commission (Trusted List). Notable QTSPs:

• Digidentity (Netherlands)
• Namirial (Italy)
• Certinomis (France)
• Uanataca (Spain)
• A-Trust (Austria)
• SwissSign (Switzerland, recognized via bilateral agreement)

SignBolt can produce QES signatures via Namirial integration on request (enterprise feature).

The trust service categories under eIDAS

eIDAS governs more than signatures. It also defines trust services for:

• Electronic seals (for legal entities, not individuals)
• Electronic timestamps
• Electronic registered delivery services
• Website authentication (qualified certificates for TLS)

Cross-border validity

A QES produced in France is automatically valid in Germany, Italy, Spain, and every other EU member state. No re-verification required. This is the "single market" benefit of eIDAS.

AES signatures are also cross-border valid but with caveats — member states may impose additional requirements for specific document types.

Post-Brexit UK

The UK enacted its own UK eIDAS post-Brexit (2020), which mirrors EU eIDAS substantively. Signatures produced in the UK under UK eIDAS are valid there, but cross-border EU recognition is no longer automatic — a UK QES may be accepted in the EU but is not guaranteed to have QES-level legal effect.

For contracts that must be valid in both UK and EU, use an EU-based QTSP or dual-certify.

Compliance checklist

For EU business contracts using SignBolt:

• [ ] AES as default (uniquely linked, signer-controlled, tamper-evident)
• [ ] Qualified timestamp (RFC 3161) — SignBolt default
• [ ] Audit trail retained per GDPR + national law
• [ ] Upgrade to QES for high-stakes or regulated transactions

Next

• GDPR and e-signatures
• PAdES explained
• Read the full Regulation at EUR-Lex