Qualified Electronic Signature (QES)

What is a Qualified Electronic Signature (QES)?

The qualified electronic signature has the highest security level of all e-signatures. In addition to the requirements for an advanced electronic signature, it is created by a qualified signature creation device, and it is based on a qualified certificate for electronic signatures.

Different standards for electronic signatures are defined by regulations in Europe and in the UK. The highest level of electronic signature is the qualified electronic signature (QES), offering the greatest security. Below this is the advanced electronic signature and then the simple electronic signature.

A QES should reliably identify the signer and protect against forgery or tampering – as with an AES. It takes security further, though, by using a qualified certificate issued by a trusted and certified provider.

With this enhanced level of security, it provides the strongest legal protection. Under EU and UK law, the QES has the same legal power as a traditional signature. The signer is protected, with the burden of proof is with the disputer.

What are the requirements for a qualified electronic signature?

The qualified electronic signature follows the same protocols as the advanced digital signature (AES) but takes protection further and offers additional security. As such, it should reliably identify the signer of the documents and protect against forgery or changes made after signing.

But for extra security, a QES must be created using a Qualified Signature Creation Device (QSCD) and use a qualified certificate to generate signatures.

How is a qualified electronic signature implemented?

The creation of a qualified electronic signature uses the same method as advanced electronic signatures. A Public Key Infrastructure (PKI) is used to create a private and public key. The signer keeps the private key, and the public key is used to verify the signature is genuine and not altered.

With a QES, the main difference is the use of a qualified certificate. This must be issued by a qualified trust service provider (QTSP). Only some service providers are registered to do this, and the eIDAS regulations specify the criteria.

The signature itself must be created using a Qualified Signature Creation Device (QSCD). This QSCD is usually a specific software and hardware device that the signer has control of (such as a USB device or card reader). It can also be implemented as a software-only solution, and this is how IDnow eSign works.

In addition, a QES requires initial verification of the signer before they can sign their first document. A face-to-face meeting or video call is usually used for this. Multi-factor authentication is then carried out each time they sign.

How to become a qualified trust service provider

The qualified trust service provider (QTSP) is essential to the implementation and security of a QES. To become a QTSP, a service provider must meet strict criteria set out by governing authorities. Once approved, it will be included in a trusted list. In the EU, the eIDAS regulations include the following minimum criteria:

  • The service provider must provide a valid time and date for created certificates.
  • Signatures that have expired certificates must be revoked immediately.
  • Personnel employed by the qualified trust service provider must be appropriately trained.
  • Software and hardware used by the service provider must be trustworthy and capable of preventing certificate forgery.

What protection does QES offer?

Under EU and UK law, QES is the highest level of electronic signature. The additional steps over AES – including using a qualified certificate and a trusted service provider – give it enhanced legal standing.

A QES may not be denied admissibility as evidence or dismissed legally solely due to its electronic nature. It carries the same legal authority as a physical written signature. There is no higher form of digital signature - eIDAS regulations prohibit member states from requesting any form of higher-level signature. (specified in eIDAS Article 27).

When should you use a QES?

QES offers the highest level of signature protection and the highest enforceability under law. It is also the most technically difficult and likely expensive to implement. The burden of signer validation and multi-factor authentication may also make it cumbersome and unsuitable for simple uses.

As such, it is usually used for the highest value documents and contracts. This could include large commercial contracts, sales agreements, or property purchases.

Learn more about electronic signatures in our Quick Guide.