Penneo has been audited and granted the status of Qualified Trust Service Provider (QTSP), meeting the security requirements laid down in the EU eIDAS Regulation. As a result, we can issue qualified certificates for electronic seals and qualified electronic time stamps, and we are authorized to offer Qualified Electronic Signatures (QES).
Read on to find out what being a Qualified Trust Service Provider (QTSP) entails, what makes qualified electronic signatures more secure, and how our qualified trust services can provide you with the highest level of security.
Contents: E-signatures FAQs | Qualified electronic signatures FAQs | Use cases per country | Qualified Trust Service Providers (QTSP) FAQs | Penneo as a QTSP
Under the eIDAS Regulation, an electronic signature (or e-signature) is defined as data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
Electronic signatures can be as simple as a text, an image, or a symbol placed on a document digitally with the intent to sign. But they can also be based on more complex creation processes involving PKI and electronic IDs – in which case, they are known as digital signatures.
People often use the terms electronic signatures and digital signatures interchangeably, unaware of the differences between the two. While all digital signatures are electronic signatures, the opposite does not apply, and digital signatures provide a higher level of security than simple electronic signatures.
Signature type | Level of security | Signer authentication | Content integrity | Non-repudiation | Based on a qualified certificate issued by a QTSP | Created by a qualified electronic signature creation device | Legal effect |
---|---|---|---|---|---|---|---|
Standard electronic signatures (SES) | Low | No | No | No | No | No | Yes, but only in some cases |
Advanced electronic signatures (AES) | Medium | Yes | Yes | Yes | No | No | Yes, in most cases |
Qualified electronic signatures (QES) | High | Yes | Yes | Yes | Yes | Yes | Yes, in all cases |
A simple/standard electronic signature is any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
Examples of standard electronic signatures are adding a picture of your signature to a document or drawing/typing your name via an online signature maker.
Simple e-signatures are the least secure type of e-signatures and can be created without official electronic IDs.
Advanced electronic signatures are the ones that meet the requirements laid down in Article 26 of the eIDAS Regulation, which requires such e-signatures to be:
Advanced electronic signatures are considerably more secure than standard ones because they rely on PKI and digital certificates, and they can be created with certificate-based digital IDs such as NemID and BankID. However, in some situations an advanced electronic signature is not enough and a qualified e-signature is required by law.
Qualified electronic signatures are advanced electronic signatures that are:
In other words, a qualified electronic signature is an advanced e-signature that has reached a higher probative value by meeting those two additional requirements.
Just like advanced e-signatures, qualified e-signatures rely on digital certificates and PKI. However, to create a qualified e-signature, the certificate must be a qualified certificate and the signature must be created with a qualified electronic signature creation device (QSCD): the signing key is generated and used inside a certified device (a smart card, a USB token or a remotely operated HSM) rather than in ordinary software, so it cannot be copied out.
Under eIDAS, a qualified electronic signature has the equivalent legal effect of a handwritten signature in all EU countries. What’s more, Member States may not require, for cross-border use of a public-sector online service, an electronic signature at a higher security level than a qualified electronic signature (Article 27).
Both advanced and qualified electronic signatures are commonly known as digital signatures.
An electronic seal is data in electronic form, which is attached to other data in electronic form (such as a document) to ensure the latter’s origin and integrity.
You can see what the seal of the document looks like by opening a PDF signed via Penneo on a PDF reader.
As a Qualified Trust Service Provider (QTSP), Penneo creates qualified certificates for electronic seals to secure documents in compliance with the eIDAS Regulation.
The term time stamp refers to data in electronic form which binds other data in electronic form (such as a document) to a particular time, establishing evidence that the latter data existed at that time.
When a document is signed via Penneo, each signature is time-stamped (in UTC) and the time appears next to the signatory’s details on the document’s final page. The time stamps are cryptographically bound to the signed data, so they cannot be altered without invalidating the signature. They are recorded in the audit log and are also shown in the signature details when the document is opened in a PDF reader.
As a Qualified Trust Service Provider (QTSP), Penneo applies qualified electronic time stamps in compliance with the eIDAS Regulation. A qualified time stamp proves that the signed data existed in exactly that form at the stated time; together with the signature itself, this makes any later change to the document detectable.
Digital certificates can be compared to identity cards, as they too are a means of identification. Unlike passports, however, digital certificates can identify devices and servers as well as people.
Simply put, digital certificates are the digital equivalent of ID cards for actors online, whether computers or individuals operating on the Internet. Here are examples of their similarities:
Penneo enables users to log into the system, access documents, and sign them after certificate-based authentication.
Identities are verified using certificate-based digital IDs, such as:
A Certificate Authority (CA) is an entity issuing digital certificates. A CA is typically a company that has been authorized to issue certificates to subjects (people or organizations) after being audited for compliance with a set of official standards.
In the EU, under the eIDAS Regulation, Certificate Authorities are Trust Service Providers (TSPs). When they meet the requirements set under the Regulation, they can be audited to obtain the “qualified” status and act as Qualified Trust Service Providers (QTSPs), issuing qualified certificates.
Certificate Authorities issue digital certificates after verifying the requesters’ identity. The trust placed on identification via digital certificates is based on the trust put into the Certificate Authority (CA) that issued the certificate. In other words, digital certificates are trusted because they are granted by a CA acting as a trusted third party.
As a Qualified Trust Service Provider (QTSP), Penneo acts as a Certificate Authority (CA) issuing qualified certificates for electronic seals and electronic signatures.
A certificate for electronic signature is an electronic attestation that links electronic signature validation data to a natural person and confirms at least their name or pseudonym.
Penneo, as a Qualified Trust Service Provider (QTSP), can create qualified certificates for electronic signatures.
A certificate for electronic seal is an electronic attestation that links electronic seal validation data to a legal person and confirms that person’s name.
As a Qualified Trust Service Provider (QTSP), Penneo creates qualified certificates for electronic seals to secure documents in compliance with the eIDAS Regulation.
You can see what the seal of the document looks like by opening a PDF signed via Penneo in a PDF reader. In Adobe Reader, a certifying signature that validates successfully is shown as a blue bar at the top of the document. Note that the bar is the reader’s own validation verdict, based on its trust settings, and not a property stored in the file:
If the document is valid, the seal will present the following text “Certified by Penneo A/S, certificate issued by Intesi Group EU Qualified Electronic Seal CA G2”.
If the document is not valid, the bar will show the following text instead: “Certification by Penneo A/S is invalid”.
A certificate for electronic signature/seal is qualified when it meets the requirements laid down in the eIDAS Regulation (Annex I for signature certificates, Annex III for seal certificates) and is issued by a Qualified Trust Service Provider, such as Penneo.
Yes. A qualified certificate issued in any Member State is recognized as valid in every Member State.
That aligns with eIDAS’s aim to achieve cross-border interoperability and recognition of qualified certificates.
eIDAS stands for electronic IDentification, Authentication and trust Services and refers to Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market.
Since eIDAS is of EEA relevance, the Regulation also applies to Norway, Liechtenstein and Iceland, but only after national incorporation (i.e. after the adoption of a national law implementing its provisions). Norway implemented eIDAS with the Lov om elektroniske tillitstjenester of 2018.
The goal of the eIDAS Regulation is to create a legal framework for digital transactions to develop a modern European Market where people, businesses, and public authorities can interact safely online.
To this end, eIDAS created standards granting electronic signatures and e-identities the same legal standing as their physical counterparts. As a result, people can now conduct business electronically – which means no need for in-person meetings but the same binding effect.
More generally, eIDAS regulates trust services, i.e. electronic services that provide electronic signatures, seals, time stamps and similar.
ETSI is an independent, not-for-profit standardization organization in the field of information and communications technology (ICT), supporting the development and testing of global technical standards for ICT-enabled systems, applications and services.
ETSI activity on digital signatures is coordinated by the technical committee Electronic Signatures and Infrastructures (ESI).
ETSI ESI is the committee dealing with digital signatures (signature format, certificates), trust service providers, and ancillary trust services (Remote signature creation and validation, Registered email, Registered e-delivery, Timestamping, Long-term data preservation).
Their activity covers signature creation and verification based on:
ETSI ESI also defines technical profiles and policy requirements for trust service providers for a range of services, including services supporting signature (e.g., certification authorities, Timestamping authorities), remote signature creation or validation functions, registered e-delivery, Registered Emails (REM), and information preservation.
ESI also recommends cryptographic suites for digital signatures. The committee’s work supports the eIDAS Regulation as well as the general requirements of the international community for confidence in electronic transactions.
ETSI standards give parties relying on certificates, or on other services related to digital signatures, confidence through conformity assessment requirements for auditing schemes and through a trust service status list (called a Trusted List under the EU regulatory framework) that records the results of the audit and the related supervision of the trust service provider. Relying parties can thus tell whether a given Trust Service Provider was operating under approval through a recognized audit and supervisory scheme.
AdES is the acronym for either an advanced electronic signature or an advanced electronic seal. It is the second level of electronic signatures/seals defined in eIDAS.
CAdES, XAdES and PAdES are ETSI formats for advanced electronic signatures: CAdES for CMS (binary) signatures, XAdES for XML signatures and PAdES for signatures embedded in PDF documents.
The EU Commission takes into account the standards and technical specifications drawn up by European and international standardization organizations and bodies like the ETSI to ensure a high level of security and interoperability of electronic identification and trust services.
To ensure that electronic signatures can be created and validated anywhere in Europe, Implementing Decision (EU) 2015/1506, adopted under the eIDAS Regulation, defines a number of baseline profiles, which correspond to:
Penneo’s digital signatures are built on the PAdES standard.
PAdES (PDF Advanced Electronic Signatures, ETSI EN 319 142) is the ETSI standard for embedding cryptographically secured electronic signatures in PDF documents in compliance with the eIDAS Regulation.
The standard includes a series of adaptations and extensions to PDF to satisfy the requirements established by the EU legislation for the creation, validation, and legal admissibility of electronic signatures anywhere in the EU.
The main benefit of PAdES is arguably a feature called Long Term Validation (LTV).
Long Term Validation (LTV) is a signed document’s ability to remain verifiable long after signing, even after the platform that created it is no longer available. At any time in the future, despite technological and other changes, it should be possible to validate the document and confirm that the signature was valid at the time it was made.
Penneo’s digital signatures are technically implemented according to the ETSI PAdES standards. To ensure that the document never loses its legal reliability, the signature data is incorporated directly within the signed PDF, much as an ink signature becomes an integral part of a paper document. The self-contained PDF file thus carries everything needed to verify the signature: for PAdES LTV this means the certificate chain, the revocation information (CRLs or OCSP responses) and the time stamps alongside the signature value. The document stays verifiable after the certificates expire or the issuing platform disappears. Note, however, that LTV does not by itself survive a break of the underlying cryptographic algorithms; for that, the document must be re-time-stamped with stronger algorithms before the original ones weaken (the PAdES archive time-stamp level). At the same time, the PDF file can be copied, stored and distributed as a simple electronic file.
The validity of documents signed via Penneo can be verified through Penneo’s Validator, a PAdES-compliant validation platform. Users can also upload their documents to the EU Commission’s validator to get information on the signature’s status, scope and time, as well as on the certificate chain, time stamps and LTV (Long Term Validation).
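The LTV passage above rests on one structural fact about PDF signatures: the signature dictionary’s /ByteRange must cover the entire file except the /Contents hex string that holds the CMS signature, and the digest of those covered bytes is what the CMS messageDigest attribute signs. Bytes appended after the covered range (an unsigned incremental update) are simply outside the signature, so a validator that only checks the cryptography would still report it as valid. The following is an added example, not Penneo’s code, that constructs a toy “signed” PDF with a zero-filled placeholder in place of a real CMS blob and runs the byte-coverage check a PAdES validator performs before any cryptographic verification. File layout, object numbers and the appended annotation are all constructed for the demo.

```python
import hashlib
import re

# /ByteRange [a b c d]: the signature covers bytes [a, a+b) and [c, c+d);
# the gap in between must hold nothing but the /Contents hex string (the CMS).
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING_RE = re.compile(rb"<[0-9A-Fa-f\s]*>")


def build_sample_pdf(signature_size: int = 64) -> bytes:
    """Construct a toy 'signed' PDF for the demo (not a real Penneo file).

    The /Contents value is a zero-filled placeholder standing in for the
    DER-encoded CMS SignedData; /ByteRange is filled with the real offsets
    so that it covers the whole file except the /Contents hex string.
    """
    placeholder = b"/ByteRange [0 0000000000 0000000000 0000000000]"
    contents = b"<" + b"00" * signature_size + b">"
    head = (
        b"%PDF-1.7\n"
        b"1 0 obj\n"
        b"<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /ETSI.CAdES.detached\n"
        + placeholder
        + b"\n/Contents "
    )
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    first_len = len(head)                   # [0, first_len) is covered
    second_off = first_len + len(contents)  # coverage resumes right after /Contents
    second_len = len(tail)                  # ... and runs to the end of the file
    byte_range = b"/ByteRange [0 %010d %010d %010d]" % (first_len, second_off, second_len)
    assert len(byte_range) == len(placeholder)  # same width, so the offsets stay valid
    return head.replace(placeholder, byte_range) + contents + tail


def append_incremental_update(pdf: bytes) -> bytes:
    """Append an unsigned incremental update, as a post-signing edit would."""
    return pdf + (
        b"2 0 obj\n<< /Type /Annot /Subtype /FreeText /Contents (Paid in full) >>\n"
        b"endobj\n%%EOF\n"
    )


def check_signature_coverage(pdf: bytes) -> dict:
    """Structural checks a PAdES validator performs on the last signature in the
    file, before and independently of verifying the CMS cryptographically."""
    matches = list(BYTE_RANGE_RE.finditer(pdf))
    if not matches:
        raise ValueError("no /ByteRange entry found")
    a, b, c, d = (int(x) for x in matches[-1].groups())
    covered = pdf[a:a + b] + pdf[c:c + d]
    gap = pdf[a + b:c]
    result = {
        "starts_at_zero": a == 0,
        # the hole between the two chunks must be exactly one hex string
        "gap_is_contents": HEX_STRING_RE.fullmatch(gap) is not None,
        # anything after the second chunk is outside the signature
        "uncovered_trailing_bytes": len(pdf) - (c + d),
        # this digest is the value the CMS messageDigest attribute must equal
        "covered_sha256": hashlib.sha256(covered).hexdigest(),
    }
    result["covers_whole_file"] = (
        result["starts_at_zero"]
        and result["gap_is_contents"]
        and result["uncovered_trailing_bytes"] == 0
    )
    return result


if __name__ == "__main__":
    good = build_sample_pdf()
    print("intact:  ", check_signature_coverage(good))
    print("appended:", check_signature_coverage(append_incremental_update(good)))
```

The instructive part is the last comparison in the test: after the unsigned update is appended, the digest of the covered bytes is unchanged, so the CMS signature itself would still verify, while the coverage check reports uncovered trailing bytes. A full validator does more than this: it parses the PDF object structure rather than regex-matching, it accepts trailing revisions only when they are themselves signed or contain only validation material (DSS entries, document time stamps), and it verifies the CMS against the certificate chain. With several signers, as on a Penneo document where the provider’s seal is applied last, only the final signature is expected to cover the whole file.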
Both advanced and qualified e-signatures are built on digital certificates and PKI, and are commonly known as digital signatures.
A qualified electronic signature is an advanced e-signature that has reached a higher probative value by meeting two additional requirements:
So the difference between AES and QES is that, for a QES, the certificate must be a qualified certificate and the signature must be created with a qualified electronic signature creation device (QSCD), which keeps the signing key inside certified hardware.
A qualified digital certificate is a digital certificate issued by a Qualified Trust Service Provider (QTSP) and contains:
A qualified electronic signature creation device (QSCD) is the configured hardware or software used to create qualified electronic signatures. It is “qualified” when it meets the requirements laid down in Annex II of the eIDAS Regulation and has been certified accordingly. It can be held by the signer or operated on the signer’s behalf by a Qualified Trust Service Provider, like Penneo.
Using a qualified electronic signature creation device protects the signing key: the key is generated and used inside the device and cannot be exported or copied, which rules out duplication of the key and forgery of signatures made with it. It also provides higher legal certainty for the qualified e-signature created with it.
A creation device can be a physical object, such as a smart card or a USB token, in the signer’s possession and used together with a PIN code to sign, much like a chip-and-PIN bank card.
The creation device can also be operated remotely: it is not in the physical possession of the signer but is managed on their behalf by a qualified trust service provider, typically as a hardware security module (HSM) in the provider’s data centre combined with strong authentication of the signer so that the signer retains sole control of the key. Such “remote qualified electronic signature creation devices” (remote QSCDs) improve the user experience while maintaining high legal certainty on the qualified e-signatures created with them.
At Penneo, we use physical qualified electronic signature creation devices that are kept in secure storage and operated remotely through our servers. Together with qualified digital certificates, these devices allow us to create qualified electronic signatures.
To create a qualified electronic signature, the signer must use a qualified digital certificate.
The signer then authenticates following the steps of the chosen eID, usually with their national identification number and passcode, or with biometric identification.
At this point, the signing software takes over in enabling the creation of a qualified electronic signature through a series of steps:
As a final step, Penneo adds its own qualified certificate for electronic seals to the document.
The signed document is then finalized and ready to be stored, downloaded, and distributed electronically.
When looking at the signed PDF, you will not normally see any reference to the type of e-signature in the page content itself: the signing software does not usually print whether the signature is simple, advanced or qualified.
That information is nevertheless carried in the signature properties (the signing certificate, its certificate policy and its QC statements), which a PDF reader’s signature panel or a validator (Penneo’s or the EU Commission’s) will display.
Read more on how to verify the validity of a digital signature.
If you want to check the validity of PDF documents signed via Penneo, you can do so in several ways:
You can download a document signed via Penneo to try out these methods yourself and read more about the technical characteristics that prove the validity of the document.
Yes! Electronically signed documents are legally binding, except for cases where the law requires a handwritten signature.
All e-signatures can be used to sign documents online, and the law prohibits discrimination against a signature on the sole grounds that it is in electronic form.
In other words, whatever method is used to sign electronically, the signature cannot be rejected simply for being electronic; it is then up to the judge to decide whether it is valid in the specific case.
While all e-signatures are potentially court-admissible, not all of them have the same legal effect as a handwritten signature.
Based on their security level (and consequent legal validity), eIDAS defines three types of e-signatures – SES, AES, and QES. Only qualified e-signatures (QES) have the same legal effect as handwritten signatures.
Simple E-Signatures (SES) are the least safe type of e-signatures and can be used in all the cases where a signature needs to be applied to a document, except for the situations where the law requires an advanced or qualified e-signature.
Common use cases where a simple e-signature is considered valid throughout the EU are:
Read more about the specific use cases in your country in our Legality guide.
Advanced E-Signatures (AES) are safer than simple e-signatures and are to be preferred to them. They can be used for signing documents in most situations. Where both AES and QES are acceptable, a QES is to be preferred for the higher security it provides.
Common use cases where an advanced e-signature is typically required across the EU are:
Read more about the specific use cases in your country in our Legality guide.
Qualified E-Signatures (QES) are the most secure type of e-signatures and carry the highest probative value. They have the equivalent legal effect of a handwritten signature. Moreover, Member States cannot require, for cross-border use of public-sector online services, an electronic signature at a higher security level than the qualified electronic signature.
Common use cases where a qualified e-signature is typically required across the EU are:
Read more about the specific use cases in your country in our Legality guide.
If you operate in the EU, the eIDAS Regulation is enforced in your country. Being a regulation and not a directive, eIDAS has come into effect throughout the 27 Member States without them needing to transpose it into national laws for internal implementation – and overrides national law in case of conflict. Moreover, since eIDAS is of EEA relevance, the Regulation also applies to Norway, Liechtenstein, and Iceland, which adopted internal laws implementing eIDAS provisions.
However, the eIDAS Regulation is not the only legislation you should consider.
Each Member State can define use cases where documents can be signed with a simple e-signature and situations when advanced or qualified e-signatures are instead required for the validity of the transaction. Moreover, each country can define situations where an electronic signature is not admitted, and you are required to use a traditional wet signature. Therefore, you should always consider the provisions of your national legislation on the topic.
Read more about the specific use cases in your country in our Legality guide.
Finally, all parties involved should agree on the signing method to be used – therefore, be aware that individuals or companies may have specific preferences to be taken into account.
Under eIDAS, e-signatures can be used instead of handwritten signatures any time a document needs to be signed – and the law prohibits discrimination against a signature on the sole grounds that it is in electronic form. In other words, whatever method is used to sign electronically, it will always be up to the judge to decide whether the signature should be considered valid or not in the specific case.
However, the Regulation allows each Member state to define through national law situations where manual signatures are required, and electronic signatures are not legally admissible.
Common use cases where a handwritten signature is still required across the EU are:
Read more about the specific use cases in your country in our Legality guide.
According to the eIDAS Regulation, a Trust Service Provider (TSP) is a natural or legal person who provides one or more trust services.
A trust service is an electronic service for creating, verifying, validating or preserving electronic signatures, seals, time stamps, documents and more. A trust service is qualified when it meets the applicable requirements of eIDAS, a conformity assessment body has confirmed its compliance, and the supervisory body has granted it qualified status.
Therefore, any signing software provider in the EU can be defined as a trust service provider, but only a few of them are qualified trust service providers (like Penneo).
A Qualified Trust Service Provider (QTSP) is a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body.
Put simply, it’s a TSP whose high level of security, data protection, and compliance have been audited and certified. As a result, there is greater assurance of the legal validity of its services.
As our compliance with eIDAS requirements is audited and certified, Penneo is a qualified trust service provider offering qualified electronic time stamps and qualified certificates for electronic seals and signatures.
Being a QTSP implies ensuring ongoing compliance with a number of requirements and responsibilities, such as:
A trust service provider can become qualified only after being audited by a conformity assessment body.
The audit aims to assess and confirm that the TSP – and the trust services it provides – fulfill the requirements laid down in the eIDAS Regulation. The on-site audit covers the design and effectiveness of internal processes and their technical implementation.
After being audited, the TSP must submit the resulting conformity assessment report to the supervisory body appointed in their Member State (for example, in Denmark, this function is assigned to Agency for Digitization under the Ministry of Finance – Digitaliseringsstyrelsen). The supervisory body will then decide whether to grant the qualified status to the TSP. If the qualified status is granted, the supervisory body informs the EU Commission, which updates the relevant Trusted list.
After that, the QTSP can start providing qualified trust services and use the EU trust mark on their website.
Yes. Being recognized as a QTSP is not a one-off. QTSPs must be audited by a conformity assessment body at least every 24 months to confirm ongoing compliance.
Moreover, the supervisory body may request an audit or a conformity assessment of the QTSP at any time to ensure eIDAS requirements are met continuously and in full. In case of non-compliance, their qualified status can be withdrawn.
The trusted lists (TLs) are lists of QTSPs published and maintained by each Member State. On each national trusted list, you can find information related to the QTSPs established in that country and the qualified trust services they provide.
The trusted lists are available on the EU Commission website, where you can navigate the Trusted List Browser to access national trusted lists or search for a QTSP by type, name, or through a signed document.
After the qualified status has been indicated in the trusted list, QTSPs can use the EU trust mark for qualified trust services.
The EU trust mark is represented by the logo below and indicates in a simple, recognizable, and clear manner that the service provider is a Qualified Trust Service Provider.
The Trusted List Browser is a publicly available tool provided by the EU Commission to make it easier to browse national Trusted Lists (TLs) of Member States.
Thanks to its user-friendly interface, it’s a helpful research tool to navigate national Trusted Lists (TLs) or search for a QTSP by type, name, or through a signed document.
The Trusted Lists and the EU trust mark are indicators of the qualified status of a TSP. You can use the Trusted List Browser to verify that your provider currently holds qualified status, and you can look for the EU trust mark logo on their website.
Besides those means, you can also find this information when checking the validity of e-signatures on a document through the EU Commission’s Validator or by opening the document on a PDF reader.
The Trusted List Browser allows you to find:
Being listed in a Trusted List (and consequently being discoverable through the Trusted List Browser) is mandatory only for QTSPs, not for all TSPs. Therefore, while you should always be able to find a Qualified Trust Service Provider (QTSP) in the Browser, the same might not be true for Trust Service Providers (TSPs) without qualified status.
If you see a Qualified Trust Service Provider (QTSP) tagged with non-qualified trust services, it means that said QTSP also provides non-qualified trust services.
A QTSP must provide at least one qualified trust service but may also provide non-qualified trust services.
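A national Trusted List is an XML document in the ETSI TS 119 612 format: each TrustServiceProvider lists its TSPService entries, and each service carries a type URI (for example CA/QC for a CA issuing qualified certificates, TSA/QTST for a qualified time-stamping authority), a status URI (granted, withdrawn, …) and a StatusStartingTime, with earlier states kept under ServiceHistory. The detail the Browser hides is that “qualified” is a question of time: what matters for a signature is the status the service had when the signature was made, not today. The following is an added example, not Penneo’s or the Commission’s code, that parses a constructed Trusted List fragment (provider, service names and dates are invented for the demo) and answers that question by walking the current status and the history.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace and URIs from ETSI TS 119 612, the Trusted List format.
NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"
QUALIFIED_SERVICE_TYPES = {
    "http://uri.etsi.org/TrstSvc/Svctype/CA/QC",     # issues qualified certificates
    "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST",  # issues qualified time stamps
}

# Constructed sample in the shape of a national Trusted List. The provider,
# service names and dates are invented for this example.
SAMPLE_TL = f"""<TrustServiceStatusList xmlns="{NS['tsl']}">
 <TrustServiceProviderList>
  <TrustServiceProvider>
   <TSPInformation><TSPName><Name xml:lang="en">Example Trust A/S</Name></TSPName></TSPInformation>
   <TSPServices>
    <TSPService>
     <ServiceInformation>
      <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
      <ServiceName><Name xml:lang="en">Example Qualified Seal CA</Name></ServiceName>
      <ServiceStatus>{GRANTED}</ServiceStatus>
      <StatusStartingTime>2021-06-01T00:00:00Z</StatusStartingTime>
     </ServiceInformation>
    </TSPService>
    <TSPService>
     <ServiceInformation>
      <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST</ServiceTypeIdentifier>
      <ServiceName><Name xml:lang="en">Example Qualified TSA</Name></ServiceName>
      <ServiceStatus>{WITHDRAWN}</ServiceStatus>
      <StatusStartingTime>2023-01-01T00:00:00Z</StatusStartingTime>
     </ServiceInformation>
     <ServiceHistory>
      <ServiceHistoryInstance>
       <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST</ServiceTypeIdentifier>
       <ServiceName><Name xml:lang="en">Example Qualified TSA</Name></ServiceName>
       <ServiceStatus>{GRANTED}</ServiceStatus>
       <StatusStartingTime>2020-01-01T00:00:00Z</StatusStartingTime>
      </ServiceHistoryInstance>
     </ServiceHistory>
    </TSPService>
   </TSPServices>
  </TrustServiceProvider>
 </TrustServiceProviderList>
</TrustServiceStatusList>"""


def _parse_time(value: str) -> datetime:
    # TL times are xs:dateTime in UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def status_at(service: ET.Element, when: datetime):
    """Status URI a TSPService had at `when`, or None if it did not exist yet.

    The current ServiceInformation and every ServiceHistoryInstance each carry
    a StatusStartingTime; the applicable one is the latest that started at or
    before `when`."""
    nodes = [service.find("tsl:ServiceInformation", NS)]
    nodes += service.findall("tsl:ServiceHistory/tsl:ServiceHistoryInstance", NS)
    periods = [
        (_parse_time(n.findtext("tsl:StatusStartingTime", namespaces=NS)),
         n.findtext("tsl:ServiceStatus", namespaces=NS))
        for n in nodes
    ]
    applicable = [p for p in periods if p[0] <= when]
    return max(applicable, key=lambda p: p[0])[1] if applicable else None


def list_services(tl_xml: str, when_iso: str) -> list:
    """One record per TSPService with the status it had at `when_iso`."""
    when = _parse_time(when_iso)
    records = []
    for tsp in ET.fromstring(tl_xml).iterfind(".//tsl:TrustServiceProvider", NS):
        tsp_name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", namespaces=NS)
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService", NS):
            info = svc.find("tsl:ServiceInformation", NS)
            svc_type = info.findtext("tsl:ServiceTypeIdentifier", namespaces=NS)
            status = status_at(svc, when)
            records.append({
                "tsp": tsp_name,
                "service": info.findtext("tsl:ServiceName/tsl:Name", namespaces=NS),
                "type": svc_type,
                "status": status,
                # qualified in the eIDAS sense: a qualified service type AND
                # granted status at the relevant time (e.g. the signing time)
                "qualified": svc_type in QUALIFIED_SERVICE_TYPES and status == GRANTED,
            })
    return records


def service_status(tl_xml: str, service_name: str, when_iso: str):
    """Status URI of the named service at `when_iso` (None if unknown/not yet listed)."""
    for r in list_services(tl_xml, when_iso):
        if r["service"] == service_name:
            return r["status"]
    return None


def is_qualified(tl_xml: str, service_name: str, when_iso: str) -> bool:
    return any(r["service"] == service_name and r["qualified"]
               for r in list_services(tl_xml, when_iso))


if __name__ == "__main__":
    for r in list_services(SAMPLE_TL, "2022-06-01T00:00:00Z"):
        print(r["tsp"], "|", r["service"], "|", r["status"], "| qualified:", r["qualified"])
```

In the sample, the time-stamping service is withdrawn today but was granted between 2020 and 2023, so a time stamp it issued in 2022 still counts as qualified while one from mid-2023 does not. Two things a production check adds: the Trusted List itself is an XML-signed document whose signing certificate must be verified against the EU List of Trusted Lists before any of its content is trusted, and a service is matched to a certificate by the X509 certificate (or its digest) published under ServiceDigitalIdentity, not by its display name.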
Yes. A qualified trust service under a Qualified Trust Service Provider (QTSP) based in any Member State will be considered as qualified in every Member state.
That aligns with eIDAS’s aim to achieve cross-border interoperability and recognition of qualified trust services.
From a legal point of view, all trust services (electronic signatures, seals, etc.) benefit from a non-discrimination clause as evidence in court: it is against the law to dismiss them as evidence solely because they are in electronic form. Whether you rely on a TSP or a QTSP, it is up to the judge to decide whether that trust service should be considered valid in the specific case.
However, because of the more stringent requirements placed on Qualified Trust Service Providers, qualified trust services carry a specific, stronger legal effect than non-qualified ones (for example, a qualified electronic signature is equivalent to a handwritten signature) as well as higher technical security. Qualified trust services therefore provide higher legal certainty and security for electronic transactions.
Yes! Penneo’s systems have undergone the audit process required by law to assess and confirm compliance with eIDAS requirements for qualified electronic signatures as a qualified trust service.
Being based in Denmark, Penneo’s conformity assessment has been submitted to the Digitaliseringsstyrelsen (Agency for Digitization under the Ministry of Finance), which granted us the status of Qualified Trust Service Provider (QTSP).
Consequently, Penneo can be found in the relevant Trusted List, and you can see our EU trust mark throughout our website.
As a Qualified Trust Service Provider (QTSP), Penneo offers:
The complex process that TSPs must undergo to become QTSPs – and the severe responsibilities placed on them to obtain and maintain this status – make QTSPs more reliable, trustworthy, and generally a safer choice when it comes to choosing a provider.
Qualified Trust Service Providers ensure a higher level of security in terms of:
For all these reasons, QTSPs are to be preferred to simple TSPs.
Moreover, if your business operates across borders, a QTSP gives you certainty that the qualified status of your signatures is recognized throughout the EU. QTSPs are mutually recognized in all Member States: a QTSP established in your country is recognized as legally equivalent to QTSPs based in the other Member States (and in the third countries or international organizations that have implemented eIDAS, such as the EEA countries). National law still determines which signature level a given transaction requires.
Being a Qualified Trust Service Provider, Penneo enables the creation of both Advanced & Qualified Electronic Signatures.
Creating e-signatures using a Qualified Trust Service Provider like Penneo offers higher assurance on the validity and security of the signatures compared to a TSP that has not been audited and granted the qualified status on the EU Trust List.
Yes! Penneo’s digital signatures meet the requirements laid down in the EU eIDAS Regulation and are therefore legally valid and enforceable throughout the EU.
Qualified electronic signatures created via Penneo have the same legal effect as handwritten signatures.
Unfortunately, that’s not possible.
If you don’t have any eID, you can use Penneo’s Touch signature to create a simple e-signature (SES) by drawing it, typing your name, or uploading a picture of your signature.
Signing digitally via Penneo is easy and secure. It only takes a few minutes and can be done with any device, as long as you have an Internet connection.
Once the signer has selected the signing method they want to use, they will be asked to authenticate themselves following the steps of the corresponding method chosen. If that method is an eID, the authentication usually requires them to type their national identification number and passcodes in the relevant field or to perform biometric identification.
Check out this guide for more information on how to sign a document.
At this point, Penneo’s signing software takes over in enabling the creation of the electronic signature, and the process ends with a confirmation message informing that the document was successfully signed.
Once all parties have signed the document, each signer will receive an email that will include the signed document as an attachment (that can be downloaded directly from the email) or a link to access the signed document in the free Penneo archive created for each signer. Check out this guide for more information on how to get the signed document.