A signed document is worthless if you cannot prove who signed it. Most organisations use e-signature platforms that capture an email address, a timestamp, and a click. When that signature is challenged in court, in an audit, or in a cross-border dispute, the question is not whether someone clicked a button. It is whether you can prove, to a regulator or a judge, that a specific identified person applied that signature with intent. For managing partners, compliance officers, and procurement leads at firms handling high-value agreements, this gap is where contracts fail.
Under eIDAS Regulation (EU) 910/2014, Article 3, an electronic signature is defined as data in electronic form which is attached to or logically associated with other data in electronic form, and which is used by the signatory to sign. The regulation establishes three levels: simple, advanced, and qualified. Most commercial e-signature platforms operate at the simple level. Some offer advanced signatures. Very few provide qualified electronic signatures.
A simple electronic signature, in practice, means the platform recorded that someone with access to an email account clicked "Sign." The platform knows which email address was associated with the action. It does not know who was holding the device. It does not verify the signer's identity against any authoritative source. It cannot prove the signer is the person they claim to be.
This distinction matters because eIDAS Article 25(1) states that an electronic signature shall not be denied legal effect solely on the grounds that it is in electronic form. That is a floor, not a ceiling. It means the signature is admissible as evidence. It does not mean the signature will survive challenge. When the reliability of a non-qualified signature is disputed, the burden of proof falls on the party relying on it. You must demonstrate that the signature was, in fact, applied by the person named.
| Signature level | What it proves | Burden of proof if challenged | Cross-border recognition |
|---|---|---|---|
| Simple (eIDAS Art. 3(10)) | Someone with access to an email account clicked a button | Relying party must prove identity and intent | Admissible but not presumed valid |
| Advanced (eIDAS Art. 3(11), Art. 26) | Signature is uniquely linked to the signatory and capable of identifying them | Relying party must prove the signature creation data was under sole control | Admissible, stronger evidence, but not presumed equivalent to handwritten |
| Qualified (eIDAS Art. 3(12), Art. 25(2)) | A verified, identified person signed using a qualified certificate from a QTSP | Challenging party bears the burden to disprove | Legally equivalent to a handwritten signature in all EU member states |
Working with qualified signatures is more than just a higher level of security. It is a fundamentally different approach. A qualified electronic signature binds verified identity to document content in a cryptographic format (PAdES, conforming to ETSI EN 319 142) that anyone can validate independently using publicly available tools.
This is the point that most organisations miss. The value of a qualified signature is not just that it satisfies a regulatory requirement. It is that the signed document itself contains all the proof needed to verify who signed it, when, and that the content has not been altered. The signing certificate, the timestamp, and the certificate chain are embedded directly in the PDF. Any recipient can verify the signature using Adobe Acrobat Reader or the EU Commission's validation service (DSS) without contacting the signing provider, without a subscription, and without any special software.
Standard e-signature platforms cannot offer this. Their audit trails are proprietary records held on the platform's servers. If the platform ceases to operate, changes its terms, or is unavailable during a dispute, the evidence chain breaks. The "proof" that someone signed exists only as a record in someone else's database.
The consequences are not theoretical. They surface in four predictable scenarios.
In regulated procurement, the gap can be disqualifying. In 2021, Stadler Rail submitted a bid for an Austrian Federal Railways (ÖBB) tender signed with a Swiss qualified electronic signature. The bid was challenged because Swiss and EU qualified signatures are not mutually recognised. The case went to court. While Stadler Rail ultimately prevailed, the dispute consumed months and introduced uncertainty into a contract worth hundreds of millions. Had the bid been signed with an EU-qualified signature from a provider on the EU Trusted List, the challenge would have had no basis.
In cross-border M&A and corporate transactions, signature validity determines whether closing conditions are met. A share purchase agreement signed with a simple electronic signature in a jurisdiction that requires qualified signatures for corporate acts creates a latent defect that may not surface until the transaction is contested.
In compliance audits, regulators increasingly expect firms to demonstrate not just that a document was signed, but that the signer was identified to a verifiable standard. The AMLR's emphasis on eIDAS-compliant identification applies not only to client onboarding but to the integrity of every compliance-relevant document in a firm's records. For law firms specifically, the gap between what firms currently do and what regulators expect is wider than most compliance leads realise.
In litigation, the party relying on a non-qualified signature must prove its authenticity. A qualified signature reverses this burden: under eIDAS Article 25(2), a qualified electronic signature has the equivalent legal effect of a handwritten signature. The party challenging it must prove it is not valid, a significantly harder standard to meet.
A document signed with a qualified electronic signature in PAdES format is self-proving. The PDF contains the signer's qualified certificate, issued by a Qualified Trust Service Provider listed on the EU Trusted List. The certificate chain, the qualified timestamp, and the document hash are all embedded in the file.
Validation requires no proprietary software. Open Adobe Acrobat Reader, and the signature panel displays the signer's identity, the issuing QTSP, the timestamp, and whether the document has been modified. For formal validation, the EU Commission's Digital Signature Service (DSS) at ec.europa.eu/digital-building-blocks/DSS provides a free, standards-based validation tool that checks the certificate against the Trusted List.
This is the operational difference. A document signed with a standard e-signature platform requires you to log into that platform, locate the audit trail, and hope the record is still available. A document signed with a qualified signature proves itself. The evidence travels with the document, permanently. The practical implications of this are explored further in our overview of what qualified electronic signatures actually provide compared to standard alternatives.
| Validation question | Standard e-signature | Qualified electronic signature (PAdES) |
|---|---|---|
| Can I verify who signed without the platform? | No. Audit trail is proprietary and platform-dependent. | Yes. Certificate and identity embedded in the PDF. |
| Can I verify the document has not been altered? | Platform may record a hash, but verification requires platform access. | Yes. Cryptographic hash embedded; any modification breaks the signature. |
| Can a third party independently validate? | Only if they have platform access or the platform provides a verification URL. | Yes. Anyone with Adobe Reader or the EU DSS tool can validate. |
| What happens if the signing provider ceases to operate? | Audit trail may become inaccessible. | Document remains self-validating. Certificate chain is embedded. |
| Is the signature recognised across all EU member states? | Depends on contractual terms and platform reputation. | Yes. Mandatory mutual recognition under eIDAS Art. 25(2). |
Firms that sign contracts, board resolutions, compliance declarations, or procurement bids using simple electronic signatures are accepting a risk that most have not quantified. The risk is not that the signature is invalid on the day it is applied. It is that the signature cannot be proven valid on the day it is challenged.
For any document where the identity of the signer matters, where the content must be provably unaltered, or where the document may need to be validated years after signing, qualified electronic signatures are not a premium option. They are the baseline.
Trust Circle delivers qualified electronic signatures backed by ZealiD's status as a Qualified Trust Service Provider on the EU Trusted List. Every signature is applied by a biometrically verified individual using Face ID or Touch ID, embedded in PAdES format, and independently validatable by anyone, anywhere, without contacting ZealiD.
Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS), Articles 3, 25, 26, 27. European Union, 2014. https://eur-lex.europa.eu/eli/reg/2014/910/oj
ETSI EN 319 142-1: Electronic Signatures and Infrastructures (ESI); PAdES digital signatures. European Telecommunications Standards Institute. https://www.etsi.org/deliver/etsi_en/319100_319199/31914201/
European Commission. "EU Trusted List Browser." https://eidas.ec.europa.eu/efda/tl-browser/
European Commission. "Digital Signature Service (DSS) — Validation Tool." https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/Digital+Signature+Service+-++DSS