As a Qualified Trust Service Provider (QTSP), Penneo is authorized to offer qualified electronic signatures (QES). Qualified electronic signatures are the most secure type of digital signatures and have the same legal effect as handwritten signatures.

But what is a qualified electronic signature, exactly? And how is it different from an advanced e-signature?


What are the 3 types of e-signatures?

While all types of electronic signatures can be used to sign documents online, not all of them have the same probative value. An electronic signature’s probative value varies based on the level of security it provides.

In the European Union, the eIDAS Regulation defines the following three types of electronic signatures:

  • Simple/Standard electronic signatures (SES)
  • Advanced electronic signatures (AES)
  • Qualified electronic signatures (QES)
Differences between standard electronic signatures, advanced electronic signatures, and qualified electronic signatures
Signature type Level of security Signer authentication Content integrity Non-repudiation Based on a qualified certificate issued by a QTSP Created by a qualified electronic signature creation device Legal effect
Standard electronic signatures (SES) Low No No No No No Yes, but only in some cases
Advanced electronic signatures (AES) Medium Yes Yes Yes No No Yes, in most cases
Qualified electronic signatures (QES) High Yes Yes Yes Yes Yes Yes, in all cases


What is a qualified electronic signature (QES)?

According to eIDAS, a qualified electronic signature is an advanced electronic signature that is:

  • generated by a qualified signature creation device and;
  • based on a qualified certificate for electronic signatures issued by a qualified trust service provider.

Due to the high level of security they provide, qualified e-signatures have the same legal effect as handwritten signatures.


What is a qualified certificate?

A qualified certificate is a digital certificate issued by a qualified trust service provider (QTSP) that contains the following:

  1. an indication that it is a qualified certificate for electronic signature;
  2. an indication of the qualified trust service provider issuing the certificate and the Member state where the QTSP is established;
  3. the name of the signatory, or a pseudonym;
  4. electronic signature validation data that corresponds to the electronic signature creation data;
  5. details of the beginning and end of the certificate’s period of validity;
  6. the certificate identity code, which must be unique for the qualified trust service provider;
  7. the advanced e-signatures or e-seal of the issuing qualified trust service provider and location.
Qualified certificate for electronic signature
Subject name John Doe
Certificate serial number 01946783
Public key info
  • Algorithm identifier
  • Public key value
  • Key size
  • Exponent
  • Modulus
EE:GE:69:7A:32:A l:D6:4E:F8:Q2…
Validity period 2 years
  • Not before
  • Not after
Issuer Name
  • Country
  • Organization
Let’s encrypt
  • Issuer identifier
  • Algorithm identifier
Certificate Authority’s digital signature 10904J871N7903MH82G43KO…


What is a qualified electronic signature creation device (QESCD)?

A qualified electronic signature creation device (QESCD) is the hardware or software used to create qualified electronic signatures. A signature creation device is ”qualified” when it meets the requirements laid down in the eIDAS Regulation, and it’s managed by a Qualified Trust Service Provider (QTSP) such as Penneo.

Using a qualified electronic signature creation device better protects the digital certificates – mitigating any risk of replication or forgery. It also provides higher legal certainty for the qualified e-signature created with it.

A creation device can be a material object (like a smartcard or a USB token) in the signer’s possession and used together with a PIN code to sign. Think of a one-time code viewer used to access online banking services, for example.

The creation device can also be an electronic, immaterial object that is not necessarily in the physical possession of the signer but can be remotely managed by a qualified trust service provider. Such immaterial creation devices, known as remote qualified e-signature creation devices, improve the user experience while maintaining high legal certainty on the qualified e-signatures created with them.

At Penneo, we use physical qualified electronic signature creation devices which are securely stored and can be interacted with remotely through our servers. These devices, in combination with qualified digital certificates, allow us to create qualified electronic signatures.


How to create a qualified electronic signature

To create a qualified electronic signature, the signer must use an eID based on a qualified digital certificate.

Create a qualified electronic signature
The signer then proceeds to the authentication following the steps of the corresponding eID chosen – usually using their national identification number and passcodes or biometric identification.

At this point, the digital signing software takes over in enabling the creation of a qualified electronic signature through a series of steps:

  • The software uses a qualified electronic signature creation device to interact with the signer’s private key
  • The signer’s private key is used to sign the document
  • The signing software (QTSP) acts as a Certificate Authority (CA) and issues a qualified electronic signature certificate

The software attaches the newly created signature, the signer’s digital certificate (eID), and the qualified electronic signature certificate to the document (via PKI). They become part of the signed PDF and cannot be separated from it.

As a final step, Penneo adds its own qualified seal to the document.

QES workflow

The signed document is then finalized and ready to be stored, downloaded, and distributed electronically.


How can you tell that a document has been signed with a qualified electronic signature?

When looking at the signed PDF, you won’t normally see any reference to the type of e-signature used to sign it. In other words, the signing software does not usually add any details on whether that e-signature is simple, advanced, or qualified.

Although that information is not visible on the document itself, it can still be found when opening it on a PDF reader or through a validator (like Penneo’s or the EU Commission’s validators).

Read more on how to verify the validity of a digital signature.


Create qualified electronic signatures via Penneo

Qualified electronic signatures are legally binding and court-admissible in nearly all possible cases where a document needs to be signed.

Penneo has been granted the status of Qualified Trust Service Provider (QTSP). Thus, in addition to advanced e-signatures, we have been authorized to provide qualified electronic signatures – the most secure type of e-signatures, which carry the highest probative value.

The type of signature you can create (qualified or advanced) will differ based on the Level of Assurance of your electronic ID.

Nonetheless, our strict compliance requirements as a QTSP consistently ensure an extra layer of security to your document transactions.



If you're looking to learn more, we have a few suggestions for you

KYC verification

KYC Verification in the Digital Age

How to Sign a Word Document Digitally

How to Sign a Word Document Digitally

Electronic document signing

The Ultimate Guide to Electronic Document Signing