ZealiD Blog

What Is a Qualified Electronic Signature, and Why Your Signing Platform Probably Does Not Provide One

Written by Philip Hallenborg | May 19, 2026

Last updated: May 2026. Regulatory information current as of May 2026.

A qualified electronic signature (QES) is the only type of electronic signature that carries the legal presumption of a handwritten signature under EU law, as defined in Article 25(2) of the eIDAS Regulation (EU) No 910/2014. If you are evaluating electronic signature providers for a regulated business, this distinction determines whether your signed documents hold up under legal challenge across all 27 EU member states. Most generic signing platforms do not produce QES at their standard subscription tiers. For a full explanation of what QES is and how it works, see "What is an eIDAS qualified electronic signature?"

What are the three levels of electronic signature under eIDAS?

Article 3 of the eIDAS Regulation defines three levels. They are not interchangeable, and the legal consequences of choosing the wrong one are significant.

The key difference between the three levels is that only QES carries automatic legal equivalence to a handwritten signature under Article 25(2) of eIDAS — SES and AES do not, regardless of how they are marketed.

Three levels of electronic signature under eIDAS — legal basis and requirements
| | Simple Electronic Signature (SES) | Advanced Electronic Signature (AES) | Qualified Electronic Signature (QES) |
|---|---|---|---|
| Legal basis | eIDAS Article 3(10) | eIDAS Article 3(11), Article 26 | eIDAS Article 3(12), Article 25(2) |
| Definition | Any data in electronic form attached to or associated with other electronic data, used to sign | Uniquely linked to signatory, capable of identifying them, under their sole control, detects subsequent changes | Advanced signature created by a qualified signature creation device, based on a qualified certificate from a QTSP |
| Identity verification | None required | Some form of identity link required | Face-to-face equivalent identity proofing under ETSI TS 119 461 |
| Legal presumption of handwritten signature | No | No | Yes, in all EU member states |
| Issued by | Anyone | Anyone | Only a Qualified Trust Service Provider listed on the EU Trusted List |
| Typical provider examples | Most e-signature tools at default settings | Most generic signing platforms at standard tiers, BankID (Sweden) | ZealiD, D-Trust, Swisscom Trust Services |

The gap between AES and QES is not incremental. It is structural. QES requires a regulated identity verification process, a supervised trust service, cryptographic infrastructure meeting European standards, and ongoing audits by an accredited conformity assessment body. It cannot be achieved by changing settings on an existing SES or AES platform.

Does your signing platform provide QES?

Almost certainly not at standard subscription levels. Most generic signing platforms produce simple or advanced electronic signatures depending on workflow configuration. Some offer identity verification add-ons that strengthen the identity layer, but the resulting signature typically remains an AES, not a QES under eIDAS.

The practical reality that most procurement teams encounter is that buying QES through a generic signing platform is difficult. These platforms do not themselves perform the identity verification required for QES. They rely on third-party QTSPs in certain European markets, available only at enterprise pricing tiers and through separate integration workflows. The standard product that most firms use daily does not produce qualified electronic signatures.

Why can't my current platform just "add" QES?

Because QES is not a feature toggle. It requires a Qualified Trust Service Provider to issue a qualified certificate to each signatory after performing identity verification that meets ETSI TS 119 461 standards. Your signing platform can facilitate the workflow, but the qualified component must come from a supervised QTSP listed on the EU Trusted List. If your platform offers QES at all, it does so through a third-party QTSP partnership, typically at enterprise pricing, not through its own infrastructure.

Who actually controls the identity data in a QES relationship?

This is the misconception that catches most procurement teams. The standard assumption is that the company buying QES services is the data controller and the QTSP is a data processor acting on their instructions. This is wrong, and getting it wrong creates problems in vendor assessment, DPA negotiations, and compliance documentation.

Under the eIDAS framework, a QTSP has a direct legal relationship with each natural person whose identity it verifies and whose qualified certificate it issues. The QTSP determines the purposes and means of processing that person's identity data in accordance with its regulatory obligations under eIDAS Article 24 and the applicable ETSI standards. This makes the QTSP a data controller in its own right for the identity verification and certificate issuance process, not a processor acting on behalf of the company that initiated the signing workflow.

This matters for procurement because it means the QTSP's data protection obligations are set by regulation, not by the customer's instructions. The company does not "own" the employee's qualified certificate. The employee, as a natural person, has a direct relationship with the QTSP. Procurement teams that treat the QTSP as just another SaaS vendor processing data on their behalf will produce incorrect Data Protection Impact Assessments and non-compliant contractual frameworks.

When does QES matter, and when is AES sufficient?

Not every signature requires QES. For routine internal approvals, standard NDAs, and many commercial contracts, AES or SES may be adequate depending on jurisdiction and risk appetite.

QES becomes essential when the stakes are high enough that a signatory could later dispute the validity of their signature: real estate transactions, powers of attorney, certain financial services documents, regulatory filings, and cross-border contracts where enforceability in multiple EU jurisdictions matters.

The regulatory direction makes QES increasingly relevant. DORA (Regulation (EU) 2022/2554) requires financial institutions to demonstrate digital operational resilience in their documentation processes. NIS2 raises the bar for identity assurance across critical infrastructure. The EU AI Act introduces human-in-the-loop requirements that may require qualified sign-off. And eIDAS 2.0 (Regulation (EU) 2024/1183), with the European Digital Identity Wallet rollout expected between 2026 and 2027, will make QES the standard for citizen-to-government interactions and many business-to-government processes.

The direction is toward more transactions requiring qualified signatures, not fewer. For a detailed breakdown of the benefits QES provides over other signature types, see "What are the benefits of a qualified electronic signature?"

What happens if you get this wrong?

Three scenarios that firms discover too late.

First, a counterparty challenges a signed document in a cross-border dispute. The firm assumed their signing platform provided QES. It did not. The signature carries no legal presumption of authenticity under eIDAS Article 25(2), and the burden of proof shifts to the party relying on the signature. This is not a theoretical risk. It is the specific scenario that Article 25(2) was designed to resolve for QES and that it explicitly does not resolve for AES or SES.

Second, a regulator asks for evidence that signatories were identity-verified to a qualified standard. The firm produces audit trails from their signing platform showing email-based authentication. This does not meet the ETSI TS 119 461 identity proofing standard required for QES. The gap between "we verified they had access to an email address" and "we verified their identity against a government-issued document with liveness detection" is the entire distance between AES and QES.

Third, a procurement team negotiates a DPA with the QTSP as if it were a standard data processor, then discovers during audit that the contractual framework is incorrect because the QTSP is a controller for identity data. The resulting remediation requires renegotiation, updated DPIAs, and reissued privacy notices.

How to verify your current provider

Check whether your provider appears on the EU Trusted List. If it does not, it is not a QTSP and cannot issue qualified electronic signatures regardless of marketing claims. Then check your specific contract tier: even if your provider partners with a QTSP, QES may not be included in your current subscription.

As a Qualified Trust Service Provider listed on the EU Trusted List and supervised by the Swedish Post and Telecom Authority, ZealiD provides QES by default through every signature. Identity verification to ETSI TS 119 461 standards is built into the onboarding process, not bolted on as an enterprise add-on. Every signatory gets a qualified certificate through a direct relationship with ZealiD as the QTSP, and every signature meets Article 25(2) requirements across all 27 EU member states.

Key takeaways

  • Only QES carries automatic legal equivalence to a handwritten signature under eIDAS Article 25(2) — AES and SES do not.
  • Most generic signing platforms produce AES or SES at standard tiers, not QES.
  • QES cannot be "added" to an existing platform — it requires a QTSP-issued qualified certificate and regulated identity verification to ETSI TS 119 461 standards.
  • The QTSP is a data controller for identity data, not a data processor — procurement teams that miss this produce incorrect DPAs and DPIAs.
  • Regulatory direction (DORA, NIS2, eIDAS 2.0) is toward more QES requirements, not fewer.
  • To verify any provider: check the EU Trusted List and confirm your specific contract tier includes QES.

FAQ

Can I get QES without changing my signing platform?
In many cases, yes. ZealiD integrates with major signing platforms including Adobe Acrobat Sign and others. The QES component comes from ZealiD as the QTSP. Your existing platform handles the workflow; ZealiD provides the qualified identity and signature.

What is the difference between AES and QES?
An advanced electronic signature must be uniquely linked to the signatory and detect changes to signed data, but does not require a qualified certificate or QTSP. A qualified electronic signature requires both, plus identity verification to regulated ETSI standards. Only QES carries the legal presumption of a handwritten signature under eIDAS Article 25(2).

How do I check if my provider is a QTSP?
Search the EU Trusted List at eidas.ec.europa.eu/efda/tl-browser. Every QTSP is publicly listed with its supervised services and national supervisory authority.
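The trusted list check described under "How to verify your current provider" and in the FAQ answer above can also be scripted against the machine-readable list format. The following is an added example, not code from ZealiD or the European Commission: it parses a constructed fragment in the ETSI TS 119 612 trusted list format (element names and URIs follow that standard, the providers are fictional, and matching by exact provider name is a simplifying assumption). It goes one step beyond the text by showing that a listed provider still needs a granted qualified-certificate service marked for e-signatures.

```python
import xml.etree.ElementTree as ET

# Namespace and URIs from ETSI TS 119 612, the trusted list format.
TSL = "http://uri.etsi.org/02231/v2#"
NS = {"t": TSL}
SVC = "http://uri.etsi.org/TrstSvc/"
QC_CA = SVC + "Svctype/CA/QC"  # service issuing qualified certificates
QTST = SVC + "Svctype/TSA/QTST"  # qualified time stamping only
GRANTED = SVC + "TrustedList/Svcstatus/granted"
WITHDRAWN = SVC + "TrustedList/Svcstatus/withdrawn"
FOR_ESIG = SVC + "TrustedList/SvcInfoExt/ForeSignatures"

def _tsp(name, stype, status, ext=""):
    """Build one TrustServiceProvider element for the constructed sample."""
    if ext:
        ext = ("<ServiceInformationExtensions><Extension Critical='true'>"
               f"<AdditionalServiceInformation><URI>{ext}</URI>"
               "</AdditionalServiceInformation></Extension></ServiceInformationExtensions>")
    return (f"<TrustServiceProvider><TSPInformation><TSPName><Name>{name}</Name>"
            "</TSPName></TSPInformation><TSPServices><TSPService><ServiceInformation>"
            f"<ServiceTypeIdentifier>{stype}</ServiceTypeIdentifier>"
            f"<ServiceStatus>{status}</ServiceStatus>{ext}"
            "</ServiceInformation></TSPService></TSPServices></TrustServiceProvider>")

# Constructed sample: fictional providers, not real trusted list content.
SAMPLE_TL = (f"<TrustServiceStatusList xmlns='{TSL}'><TrustServiceProviderList>"
             + _tsp("Example Trust AB", QC_CA, GRANTED, FOR_ESIG)
             + _tsp("Example Sign GmbH", QC_CA, WITHDRAWN, FOR_ESIG)
             + _tsp("Example Stamp SA", QTST, GRANTED)
             + "</TrustServiceProviderList></TrustServiceStatusList>")

def qes_status(tl_xml, provider):
    """Return 'qualified-esig', 'listed-no-qes' or 'not-listed'."""
    listed = False
    for tsp in ET.fromstring(tl_xml).iterfind(".//t:TrustServiceProvider", NS):
        if provider not in [n.text for n in tsp.iterfind("t:TSPInformation/t:TSPName/t:Name", NS)]:
            continue
        listed = True
        for svc in tsp.iterfind("t:TSPServices/t:TSPService/t:ServiceInformation", NS):
            exts = [u.text for u in svc.iterfind(".//t:AdditionalServiceInformation/t:URI", NS)]
            # Qualified e-signature certificates need all three: type, status, purpose.
            if (svc.findtext("t:ServiceTypeIdentifier", namespaces=NS) == QC_CA
                    and svc.findtext("t:ServiceStatus", namespaces=NS) == GRANTED
                    and FOR_ESIG in exts):
                return "qualified-esig"
    return "listed-no-qes" if listed else "not-listed"

if __name__ == "__main__":
    print({p: qes_status(SAMPLE_TL, p) for p in ("Example Trust AB", "Example Stamp SA", "Generic Platform Inc")})
```

On a real trusted list, validate the list's XML signature before relying on anything parsed from it.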

References

  • Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS), Articles 3, 24, 25(2). European Union, 2014.
  • Regulation (EU) 2024/1183 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (eIDAS 2.0). European Union, 2024.
  • Regulation (EU) 2022/2554 on digital operational resilience for the financial sector (DORA). European Union, 2022.
  • ETSI TS 119 461. Electronic Signatures and Infrastructures (ESI) — Policy and security requirements for trust service components providing identity proofing of trust service subjects. ETSI.
  • ETSI EN 319 411-2. Electronic Signatures and Infrastructures (ESI) — Policy and security requirements for Trust Service Providers issuing EU qualified certificates. ETSI.
  • EU Trusted List Browser. European Commission.
  • European Commission. "eSignature FAQ." European Commission Digital Building Blocks.