Qualified Electronic Signature (QES)

The qualified electronic signature follows the same protocols as the advanced digital signature (AES) but takes protection further and offers additional security. As such, it should reliably identify the signer of the documents and protect against forgery or changes made after signing.

But for extra security, a QES must be created using a Qualified Signature Creation Device (QSCD) and use a qualified certificate to generate signatures.

The creation of a qualified electronic signature uses the same method as advanced electronic signatures. A Public Key Infrastructure (PKI) is used to create a private and public key. The signer keeps the private key, and the public key is used to verify the signature is genuine and not altered.

With a QES, the main difference is the use of a qualified certificate. This must be issued by a qualified trust service provider (QTSP). Only some service providers are registered to do this, and the eIDAS regulations specify the criteria.

The signature itself must be created using a Qualified Signature Creation Device (QSCD). This QSCD is usually a specific software and hardware device that the signer has control of (such as a USB device or card reader). It can also be implemented as a software-only solution, and this is how IDnow eSign works.

In addition, a QES requires initial verification of the signer before they can sign their first document. A face-to-face meeting or video call is usually used for this. Multi-factor authentication is then carried out each time they sign.

The qualified trust service provider (QTSP) is essential to the implementation and security of a QES. To become a QTSP, a service provider must meet strict criteria set out by governing authorities. Once approved, it will be included in a trusted list. In the EU, the eIDAS regulations include the following minimum criteria:

The service provider must provide a valid time and date for created certificates.
Signatures that have expired certificates must be revoked immediately.
Personnel employed by the qualified trust service provider must be appropriately trained.
Software and hardware used by the service provider must be trustworthy and capable of preventing certificate forgery.

Under EU and UK law, QES is the highest level of electronic signature. The additional steps over AES – including using a qualified certificate and a trusted service provider – give it enhanced legal standing.

A QES may not be denied admissibility as evidence or dismissed legally solely due to its electronic nature. It carries the same legal authority as a physical written signature. There is no higher form of digital signature - eIDAS regulations prohibit member states from requesting any form of higher-level signature. (specified in eIDAS Article 27).

QES offers the highest level of signature protection and the highest enforceability under law. It is also the most technically difficult and likely expensive to implement. The burden of signer validation and multi-factor authentication may also make it cumbersome and unsuitable for simple uses.

As such, it is usually used for the highest value documents and contracts. This could include large commercial contracts, sales agreements, or property purchases.