Last updated: May 2026. Regulatory information current as of May 2026.
A qualified electronic signature (QES) is the highest level of electronic signature defined under EU Regulation No 910/2014 (eIDAS). Under Article 25(2) of eIDAS, a QES has the same legal effect as a handwritten signature and is automatically recognised by every EU member state court and public authority — no further proof required. This article is for compliance teams, legal professionals, and procurement officers evaluating whether a signature solution meets the QES standard. For a detailed look at what QES delivers in practice, see What are the benefits of a qualified electronic signature?
What makes a signature "qualified" under eIDAS
Three requirements separate a qualified electronic signature from every other type of e-signature, including advanced signatures.
First, the signature must be created using a Qualified Signature Creation Device (QSCD) — a hardware or software component that meets the specific security standards set out in Annex II of eIDAS. The cryptographic keys used to create the signature must be generated inside this device and cannot leave it. This is the technical control that ties the signature uniquely to one person.
Second, the signature must be based on a qualified certificate — a digital credential issued specifically by a Qualified Trust Service Provider (QTSP). Not every certificate qualifies. The issuing QTSP must appear on a national EU Trusted List and must be supervised by a national authority. In ZealiD's case, that supervisory authority is the Swedish Post and Telecom Agency (PTS).
Third, the signing process must include a verified identity check. The QTSP is responsible for confirming that the person receiving a qualified certificate is who they claim to be, using a method that meets the requirements of the applicable national legislation and ETSI standards — specifically ETSI EN 319 411-2, which defines the policy and security requirements for QTSPs issuing EU qualified certificates. This is what gives the signature its legal weight — the identity behind it is not self-asserted.
Electronic signature types compared under eIDAS
| Signature type |
Identity verification |
Legal equivalence to wet ink |
Cross-border recognition |
| Simple electronic signature |
None required |
No |
No |
| Advanced electronic signature (AES) |
Required, but method is not regulated |
No — must be proven in dispute |
Varies by member state |
| Qualified electronic signature (QES) |
Required, QTSP-regulated method only |
Yes — automatic under Article 25(2) |
Yes — all EU member states + UK |
Why the QTSP requirement matters
Most organisations evaluating e-signature tools miss this point: a qualified signature cannot be produced by just any technology vendor. Under eIDAS, only a QTSP listed on an EU national Trusted List has the legal right to issue qualified certificates and perform the identity verification required for QES.
This is not a commercial certification that can be purchased or self-declared. A QTSP must apply to a national supervisory authority, undergo a conformity assessment by an accredited body (in ZealiD's case, SRC Security Research & Consulting), and pass a technical audit before receiving qualified status. The supervisory authority then publishes the QTSP on the national Trusted List, which feeds into the EU's central list — the EUTL. According to the EUTL Dashboard, trust service providers are listed across all 27 EU member states, with the number of active qualified services growing year-on-year.
If a signing platform is not on the EUTL, or if it issues certificates through a QTSP it has partnered with but does not control, the legal accountability chain changes significantly. Procurement teams should ask any signing vendor to point to their specific entry on the EU Trusted List Browser before assuming QES compliance.
What QES means in practice
Using a QES means that a signed PDF can be validated by anyone using freely accessible software — without contacting the issuer. The signature is self-contained: it includes a qualified certificate, a timestamp from a qualified timestamping authority, and a cryptographic proof of document integrity. If the document is altered after signing, the signature shows as invalid.
This is the practical difference from advanced signatures, which in general cannot be easily validated by third parties. With an advanced signature, a court or counterparty may need to contact the issuer to verify the signature's validity. With a QES, the validation is built into the signature itself.
Under Article 27 of eIDAS, EU member states are prohibited from requiring a signature of a higher level than QES for public services. As the European Commission's eSignature FAQ confirms, QES is the highest-level signature type defined in eIDAS — if you have QES coverage, you meet the signature requirement for every regulated use case in the EU.
eIDAS 2.0 and what is changing
Regulation (EU) 2024/1183 — commonly called eIDAS 2.0 — entered into force on May 20, 2024. It does not replace the original eIDAS regulation but amends it. The core QES framework, including the QTSP requirement and Article 25(2) legal equivalence, remains unchanged.
The main addition is the European Digital Identity Wallet (EUDIW), which will allow EU citizens to create qualified electronic signatures directly from a smartphone wallet by 2026. QTSPs and existing QES methods continue operating alongside the EUDIW during and after the transition. For organisations currently using QES, no changes to existing workflows are required — but systems should be tested to accept signatures created via EUDIW once member states begin rolling them out.
What to check before choosing a QES provider
Before signing a contract with any e-signature vendor that claims to offer QES, confirm three things:
- The vendor or its certificate-issuing partner appears on the EU Trusted List with status "granted" for the QCert for ESig service type.
- The identity verification process used at registration complies with national legislation and has been conformity assessed — ask for the ETSI audit report.
- The qualified certificate issued to signers can be independently validated using standard PDF validation software (Adobe Acrobat Reader, for example, should show a green tick with the QTSP's name).
ZealiD is a Qualified Trust Service Provider listed on the EU Trusted List, supervised by the Swedish Post and Telecom Agency (PTS), with two active qualified services: ZealiD QeID Service (QCert for ESig, granted September 2020) and ZealiD TSA Service (qualified timestamping, granted October 2022). Identity verification is completed remotely via the ZealiD app in under three minutes, supporting over 150 identity documents across more than 50 nationalities.
References
Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (eIDAS), Article 25. European Union, 2014.
Regulation (EU) 2024/1183 of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (eIDAS 2.0). European Union, 2024.
European Commission. "eSignature FAQ." European Commission Digital Building Blocks.
EU Trusted List Browser. European Commission.
ETSI EN 319 411-2. Electronic Signatures and Infrastructures (ESI) — Policy and security requirements for Trust Service Providers issuing EU qualified certificates. European Telecommunications Standards Institute (ETSI).
.svg "ZealiD Logo New (1)"){kind=small}
