Penneo

Penneo is now a Qualified Trust Service Provider on the European Trust List

Penneo has been audited and granted the status of Qualified Trust Service Provider (QTSP), meeting high-security standards laid down in the EU eIDAS Regulation. As a result, we can create Qualified Certificates for Electronic Seals and Qualified Time Validations. Depending on the identification method used, Qualified Electronic Signatures (QES) can also be created.

Read on to find out what being a Qualified Trust Service Provider (QTSP) entails, which signatures are the most secure, and how our qualified trust services can provide you with the highest level of security.


E-signatures

Under the eIDAS Regulation, an electronic signature (or e-signature) is defined as data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.

Read more about e-signatures and their benefits.

Electronic signatures can be as simple as a text, an image, or a symbol placed on a document digitally with the intent to sign. But they can also be based on more complex creation processes involving PKI and electronic IDs – in which case, they are known as digital signatures.

People often use the terms electronic signatures and digital signatures interchangeably, unaware of the differences between the two. While all digital signatures are electronic signatures, the opposite does not apply, and digital signatures provide a higher level of security than simple electronic signatures.

Based on their legal effect, eIDAS defines three types of e-signatures:
  • Simple/Standard electronic signatures (SES)
  • Advanced electronic signatures (AES)
  • Qualified electronic signatures (QES)
Below is an overview showing their differences:
Differences between standard electronic signatures, advanced electronic signatures, and qualified electronic signatures

| Signature type | Signer authentication | Content integrity | Non-repudiation | Based on a qualified certificate issued by a QTSP | Created by a qualified electronic signature creation device | Legal effect | Based on ETSI Standards | Sealed under PAdES Standard (by Penneo) |
|---|---|---|---|---|---|---|---|---|
| Standard electronic signatures (SES) | No | No | No | No | No | Yes, but only in some cases | No | Yes |
| Advanced electronic signatures (AES) | Yes | Yes | Yes | No | No | Yes, in most cases | Yes | Yes |
| Qualified electronic signatures (QES) | Yes | Yes | Yes | Yes | Yes | Yes, in all cases | Yes | Yes |

A simple/standard electronic signature is any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.

Examples of standard electronic signatures are adding a picture of your signature to a document or drawing/typing your name via an online signature maker.

Simple e-signatures are the least secure type of e-signatures and can be created without official electronic IDs.

Nonetheless, even for documents signed via SES, Penneo applies a qualified electronic seal based on the PAdES standard at the end of the signing process, thereby ensuring the document's LTV and tamper-proofness.

Advanced electronic signatures are those that meet the requirements laid down in Article 26 of the eIDAS Regulation, which requires such e-signatures to be:
  • uniquely linked to the signer,
  • capable of identifying the signer,
  • created with means that the signer can use under their sole control,
  • linked to the data signed so that any later change in the data is detectable.
Moreover, advanced electronic signatures must be based on one of the three ETSI standards according to the EU Commission’s Implementing Decision 2015/1506 – i.e., PAdES, XAdES, CAdES.

Advanced electronic signatures are much more secure than standard ones as they rely on PKI and digital certificates. They can be created using certificate-based digital IDs such as NemID and BankID. However, there are a few situations where advanced electronic signatures are not enough, and qualified e-signatures are required by law.

Qualified electronic signatures are advanced electronic signatures that are:

  • created using a qualified electronic signature creation device (QESCD) such as USB tokens, smartcards, or remote creation devices
  • based on a qualified digital certificate issued by a qualified trust service provider (QTSP).

In other words, a qualified electronic signature is an advanced e-signature that has reached a higher probative value by meeting those two additional requirements.

Just like advanced e-signatures, qualified e-signatures rely on digital certificates and PKI. However, to create a qualified e-signature, the digital certificate must be qualified and the signature must be created using a qualified signature creation device.

Under eIDAS, qualified electronic signatures have the same legal standing as handwritten signatures in all EU countries. What’s more, it is illegal for the Member States to request e-signatures with a higher security level than qualified electronic signatures.


Both advanced and qualified electronic signatures are commonly known as digital signatures.

An electronic seal is data in electronic form, which is attached to other data in electronic form (such as a document) to ensure the latter’s origin and integrity. Penneo applies a qualified electronic seal based on the PAdES standard at the end of the signing process, thereby ensuring the document's LTV and tamper-proofness.

As a Qualified Trust Service Provider (QTSP), Penneo creates qualified certificates for electronic seals to secure documents in compliance with the eIDAS Regulation.

The term time stamp refers to data in electronic form which binds other data in electronic form (such as a document) to a particular time, establishing evidence that the latter data existed at that time.

When signing a document via Penneo, the signature is timestamped to the document (UTC), and you can see the time of the signature next to the signatory’s data on its final page. Besides, timestamps are cryptographically bound to the document. They can be seen in the audit log, as well as among the other details readable when opening the document with a PDF reader.

As a Qualified Trust Service Provider (QTSP), Penneo generates qualified time stamps to protect the signed documents against tampering in compliance with the eIDAS Regulation.

Digital certificates can be compared to identity cards as they too work as a means of identification. But, unlike common passports, digital certificates can authenticate devices and servers besides users (people).

Simply put, we could say that digital certificates are the digital version of ID cards to identify actors online – be they computers or individuals operating on the Internet. Here are examples of their similarities:

  • Just like IDs, digital certificates are issued by recognized authorities – which are called Certificate Authorities (CA).
  • Just as when applying for an identity card, when requesting a digital certificate, the CA verifies the identity of the requester and then issues the certificate.
  • Just like you would present your passport to identify yourself in real life, digital certificates can be used to prove your identity online.

Penneo enables users to log into the system, access documents, and sign them after certificate-based authentication.

Identities are verified using certificate-based digital IDs, such as:

  • NemID & MitID in Denmark
  • BankID in Sweden
  • BankID in Norway
  • itsme® in Belgium
  • Mobiilivarmenne & Bank IDs in Finland

A Certificate Authority (CA) is an entity issuing digital certificates. A CA is typically a company that has been authorized to issue certificates to subjects (people or organizations) after being audited for compliance with a set of official standards.

In the EU, under the eIDAS Regulation, Certificate Authorities are Trust Service Providers (TSPs). When meeting the requirements set under the Regulation, they can be audited to obtain the “qualified” status and act as Qualified Trust Service Providers (QTSP) – issuing qualified certificates.

Certificate Authorities issue digital certificates after verifying the requesters’ identity. The trust placed on identification via digital certificates is based on the trust put into the Certificate Authority (CA) that issued the certificate. In other words, digital certificates are trusted because they are granted by a CA acting as a trusted third party.

As a Qualified Trust Service Provider (QTSP), Penneo acts as a Certificate Authority (CA) issuing qualified certificates for electronic seals and electronic signatures.

A certificate for electronic signature is an electronic attestation that links electronic signature validation data to a natural person and confirms at least their name or pseudonym.

Penneo, as a Qualified Trust Service Provider (QTSP), can create qualified certificates for electronic signatures.

A certificate for electronic seal is an electronic attestation that links electronic seal validation data to a legal person and confirms that person’s name.

As a Qualified Trust Service Provider (QTSP), Penneo creates qualified certificates for electronic seals to secure documents in compliance with the eIDAS Regulation. 

You can see what the seal of the document looks like by opening a PDF signed via Penneo in a PDF reader. In Adobe Reader, the seal appears as a blue bar at the top and guarantees the probative value of the document:

If the document is valid, the seal will present the following text “Certified by Penneo A/S, certificate issued by Intesi Group EU Qualified Electronic Seal CA G2”.
If the document is not valid, the bar will show the following text instead: “Certification by Penneo A/S is invalid”.

A certificate for electronic signature/seal is defined as qualified when it meets the requirements laid down in the eIDAS Regulation and is issued by a Certificate Authority (CA), like Penneo.

Yes. A qualified certificate issued in any Member State is recognized as valid in every Member State.

That aligns with eIDAS’s aim to achieve cross-border interoperability and recognition of qualified certificates.

eIDAS is the acronym for electronic IDentification, Authentication, and trust Services and refers to the EU Regulation 910/2014 regulating electronic transactions.

Since eIDAS is of EEA relevance, the Regulation also applies to Norway, Liechtenstein, and Iceland, but only after national incorporation (i.e., after the adoption of an internal law that implements its provisions). Norway implemented eIDAS with the Lov om elektroniske tillitstjenester of 2018.

The goal of the eIDAS Regulation is to create a legal framework for digital transactions to develop a modern European Market where people, businesses, and public authorities can interact safely online.

To this end, eIDAS created standards granting electronic signatures and e-identities the same legal standing as their physical counterparts. As a result, people can now conduct business electronically – which means no need for in-person meetings but the same binding effect.

More generally, eIDAS regulated trust services, which are electronic services providing electronic signatures, seals, time stamps, etc.


ETSI is an independent, not-for-profit standardization organization in the field of information and communications, supporting the development and testing of global technical standards for information and communications technology (ICT)-enabled systems, applications, and services.

ETSI activity on digital signatures is coordinated by the technical committee Electronic Signatures and Infrastructures (ESI).

ETSI ESI is the committee dealing with digital signatures (signature format, certificates), trust service providers, and ancillary trust services (Remote signature creation and validation, Registered email, Registered e-delivery, Timestamping, Long-term data preservation).
Their activity covers signature creation and verification based on:

  • CAdES (CMS digital signatures)
  • XAdES (XML digital Signatures)
  • PAdES (PDF digital Signatures)

ETSI ESI also defines technical profiles and policy requirements for trust service providers for a range of services, including services supporting signature (e.g., certification authorities, Timestamping authorities), remote signature creation or validation functions, registered e-delivery, Registered Emails (REM), and information preservation.

ESI also recommends cryptographic suites for digital signatures. The committee’s work supports the eIDAS (electronic ID, authentication, and signature) regulation as well as general requirements of the international community to provide confidence in electronic transactions.

ETSI standards assure the confidence of parties relying on certificates or other services related to digital signatures with conformance assessment requirements for auditing schemes and a trust service status list (called Trusted List under the EU regulatory framework) to indicate the results of the audit and related supervision of the trust service provider. This provides information that will allow relying parties to know whether a given Trust Service Provider was operating under the approval through a recognized audit and supervisory scheme.

AdES is the acronym for either an advanced electronic signature or an advanced electronic seal. It is the second level of electronic signatures/seals defined in eIDAS.

CAdES, XAdES, and PAdES are advanced e-signature standards published by ETSI.

The EU Commission takes into account the standards and technical specifications drawn up by European and international standardization organizations and bodies like the ETSI to ensure a high level of security and interoperability of electronic identification and trust services.

To ensure that electronic signatures can be created and validated anywhere in Europe, the eIDAS Regulation, through Implementing Decision 2015/1506/EU, has defined a number of baseline profiles, that correspond to:

  • CAdES (CMS digital signatures)
  • XAdES (XML digital Signatures)
  • PAdES (PDF digital Signatures)

Penneo’s electronic signatures and seals are based on XAdES and PAdES standards. You can read more about it here.


Long Term Validation (LTV) is a feature supported by ETSI CAdES, XAdES, and PAdES standards – i.e., the baseline profiles according to which advanced electronic signatures and seals need to be built to be valid and recognized across borders. LTV is a signed document’s ability to stay valid for years or even decades after signing – even after the platform that created the document has become inaccessible. Documents signed using one of the above-mentioned ETSI standards contain records of the certificates used for signing and their validity at the time of signature. At any time in the future, despite technological and other advances, it will be possible to verify that the signature was valid at the time it was made. You can read more about it here.

 

 

Qualified electronic signatures

Both advanced and qualified e-signatures are built on digital certificates and PKI, and are commonly known as digital signatures.

A qualified electronic signature is an advanced e-signature that has reached a higher probative value by meeting two additional requirements:

  • It has to be created using a qualified electronic signature creation device (QESCD) such as USB tokens, smartcards, or remote creation devices
  • It has to be based on a qualified digital certificate issued by a qualified trust service provider (QTSP).

So the difference between AES and QES is that for QES the digital certificate must be qualified and the signature must be created using a qualified signature creation device.

A qualified digital certificate is a digital certificate issued by a Qualified Trust Service Provider (QTSP) and contains:

  1. An indication that it is a qualified certificate for electronic signature;
  2. An indication of the qualified trust service provider issuing the certificate and the Member state where the QTSP is established;
  3. The name of the signatory, or a pseudonym;
  4. Electronic signature validation data that corresponds to the electronic signature creation data;
  5. Details of the beginning and end of the certificate’s period of validity;
  6. The certificate identity code, which must be unique for the qualified trust service provider;
  7. The advanced e-signature or e-seal of the issuing qualified trust service provider and location.
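
The first item in the list above is carried in a certificate's qcStatements extension, using statement identifiers defined in ETSI EN 319 412-5. The following is an added example (not Penneo's code) that decodes that extension value with a minimal DER reader and reports whether the certificate claims qualified status, QSCD key storage, and its type; the sample bytes are constructed, and a real validator would also check the issuer against the Trusted List.

```python
# Added example: decode the value of an X.509 qcStatements extension.
# Statement OIDs are from ETSI EN 319 412-5; sample data below is constructed.
QC_COMPLIANCE = "0.4.0.1862.1.1"  # claims to be an EU qualified certificate
QC_SSCD = "0.4.0.1862.1.4"        # private key resides in a QSCD
QC_TYPE = "0.4.0.1862.1.6"        # holds a list of certificate type OIDs
QC_TYPES = {"0.4.0.1862.1.6.1": "esign",
            "0.4.0.1862.1.6.2": "eseal",
            "0.4.0.1862.1.6.3": "web"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, buf[pos:end], end


def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def decode_oid(val):
    """Decode OBJECT IDENTIFIER content bytes into dotted notation."""
    if not val or val[-1] & 0x80:
        raise ValueError("malformed OID")
    subs, cur = [], 0
    for b in val:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(cur)
            cur = 0
    first = subs[0]
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in head + tuple(subs[1:]))


def classify(qc_statements_der):
    """Summarise which qualified-certificate statements are present."""
    tag, body, end = read_tlv(qc_statements_der, 0)
    if tag != 0x30 or end != len(qc_statements_der):
        raise ValueError("expected a single SEQUENCE of QCStatement")
    info = {"qualified": False, "qscd": False, "types": []}
    for stmt_tag, stmt in children(body):
        parts = children(stmt)
        if stmt_tag != 0x30 or not parts or parts[0][0] != 0x06:
            raise ValueError("malformed QCStatement")
        oid = decode_oid(parts[0][1])
        if oid == QC_COMPLIANCE:
            info["qualified"] = True
        elif oid == QC_SSCD:
            info["qscd"] = True
        elif oid == QC_TYPE and len(parts) > 1:
            for _, type_oid in children(parts[1][1]):
                info["types"].append(QC_TYPES.get(decode_oid(type_oid), "unknown"))
    return info


def supports_qes(info):
    """Both QES conditions from the page: qualified certificate and QSCD.
    Assumption: the certificate states its type explicitly via QcType."""
    return info["qualified"] and info["qscd"] and "esign" in info["types"]


# --- helpers used only to build the constructed samples ---
def tlv(tag, val):
    assert len(val) < 128  # short-form lengths are enough for the samples
    return bytes([tag, len(val)]) + val


def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for sub in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append((sub & 0x7F) | 0x80)
            sub >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


# Constructed sample: qualified signature certificate with the key in a QSCD.
QES_SAMPLE = tlv(0x30, tlv(0x30, enc_oid(QC_COMPLIANCE)) + tlv(0x30, enc_oid(QC_SSCD))
                 + tlv(0x30, enc_oid(QC_TYPE) + tlv(0x30, enc_oid("0.4.0.1862.1.6.1"))))
# Constructed sample: qualified seal certificate with no QSCD statement.
SEAL_SAMPLE = tlv(0x30, tlv(0x30, enc_oid(QC_COMPLIANCE))
                  + tlv(0x30, enc_oid(QC_TYPE) + tlv(0x30, enc_oid("0.4.0.1862.1.6.2"))))

if __name__ == "__main__":
    for name, sample in (("signature", QES_SAMPLE), ("seal", SEAL_SAMPLE)):
        info = classify(sample)
        print(name, info, "supports QES:", supports_qes(info))
```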

A qualified electronic signature creation device (QESCD) is the hardware or software used to create qualified electronic signatures. It’s defined as “qualified” when it meets the requirements laid down in the eIDAS Regulation, and it’s managed by a Qualified Trust Service Provider (QTSP) – like Penneo.

Using a qualified electronic signature creation device better protects the digital certificates – mitigating any risk of replication or forgery. It also provides higher legal certainty for the qualified e-signature created with it.

A creation device can be a material object (like a smartcard or a USB token) in the signer’s possession and used together with a PIN code to sign. Think of a one-time code viewer used to access online banking services, for example.

The creation device can also be an electronic-immaterial object that is not necessarily in the physical possession of the signer but can be remotely managed by a qualified trust service provider. Such immaterial creation devices (known as “remote qualified e-signature creation devices”, QSCD) improve the user experience while maintaining high legal certainty on the qualified e-signatures created with them.

At Penneo, we use physical qualified electronic signature creation devices which are securely stored and can be interacted with remotely through our servers. These devices, in combination with qualified digital certificates, allow us to create qualified electronic signatures.

To create a qualified electronic signature, the signer must use a qualified digital certificate.

The signer then proceeds to the authentication following the steps of the corresponding eID chosen – usually using their national identification number and passcodes or biometric identification.

At this point, the signing software takes over in enabling the creation of a qualified electronic signature through a series of steps:

  • The software uses a qualified electronic signature creation device to interact with the signer’s private key.
  • The signer’s private key is used to sign the document.
  • The signing software (QTSP) acts as a Certificate Authority (CA) and issues a qualified certificate for electronic signature.
  • The software attaches the newly created signature and the qualified electronic signature certificate (which is the signer’s digital certificate) to the document. The CA’s certificates and the Trusted Timestamps are also added to the document. All these elements become part of the signed PDF and cannot be separated from it.

As a final step, Penneo adds its own qualified certificate for electronic seals to the document.

The signed document is then finalized and ready to be stored, downloaded, and distributed electronically.

QES workflow

When looking at the signed PDF, you won’t normally see any reference to the type of e-signature used to sign it. In other words, the signing software does not usually add any details on whether that e-signature is simple, advanced, or qualified.

Although that information is not visible on the document itself, it can still be found when opening it in a PDF reader or through a validator (like Penneo’s or the EU Commission’s validator).

Read more on how to verify the validity of a digital signature.

If you want to check the validity of PDF documents signed via Penneo, you can do so in several ways:

  • You can use a PDF Reader (like Adobe PDF Reader, for example) to see a series of evidentiary elements on the signed PDF, such as:
    • the seal of the document
    • the cryptographic algorithms of the signatures
    • the timestamps showing when each signature was applied
    • the audit log
    • the Signature Panel.
  • You can upload the PDF on Penneo’s Validator to get a complete overview of the document’s validity, including:
    • key algorithm
    • timestamps
    • eID authentication
    • confirmation of the validity of signatures
    • proof of non-alteration of the document
  • You can upload the PDF to the EU’s Validation platform to get information on:
    • the signature’s status, scope, and time
    • the certificate chain
    • timestamps
    • LTV (Long Term Validation).

You can download a document signed via Penneo to try out these methods yourself and read more about the technical characteristics that prove the validity of the document.


 

Use cases per country

Yes! Electronically signed documents are legally binding, except for cases where the law requires a handwritten signature.

All e-signatures can be used to sign documents online, and the law prohibits discrimination against a signature on the sole grounds that it is in electronic form.

In other words, whatever method is used to sign electronically, it will always be up to the judge to decide whether the signature should be considered valid or not in the specific case.

While all e-signatures are potentially court-admissible, not all of them have the same legal effect as a handwritten signature.

Based on their security level (and consequent legal validity), eIDAS defines three types of e-signatures – SES, AES, and QES. Only qualified e-signatures (QES) have the same legal effect as handwritten signatures.

Simple E-Signatures (SES) are the least safe type of e-signatures and can be used in all the cases where a signature needs to be applied to a document, except for the situations where the law requires an advanced or qualified e-signature.

Common use cases where a simple e-signature is considered valid throughout the EU are:

  • HR documents, including onboarding documents, benefits paperwork, NDAs, etc. (in some countries, termination notices are excepted)
  • Commercial agreements, including purchase orders, procurement documents, sales agreements, software licenses, invoices
  • Consumer agreements, including new retail account opening documents, sales terms, services terms, software licenses, order confirmations, shipment documentation
  • Some residential and commercial real estate documents, rental and lease agreements (in some countries, termination notices under residential leases are excepted)
  • Certain intellectual property licenses, such as patent, copyright, trademark, and other intangible property transfers

Read more about the specific use cases in your country in our Legality guide.

Even for documents signed via SES, Penneo applies a qualified electronic seal based on the PAdES standard at the end of the signing process, thereby ensuring the document's LTV and tamper-proofness.

Advanced E-Signatures (AES) are safer than simple e-signatures, and they are to be preferred to simple e-signatures. Advanced e-signatures can be used for signing documents in most situations. In the cases where both AES and QES can be used to sign documents, a QES is to be preferred over an AES for the higher security it provides.

Common use cases where an advanced e-signature is typically required across the EU are:

  • Some corporate documents, such as annual reports, minutes and resolutions of annual general meetings, board meetings, and shareholder meetings, memoranda of association, and the assignment of share certificates
  • Certain forms, including tax returns and applications, filed with public authorities
  • Some applications for registration, financial statements, tax returns, and other documents filed with public authorities
  • Some real estate documents, certain loan agreements
  • Certificates created in electronic form
  • Some contracts requiring by law the involvement of the courts, government/public authorities, or professions exercising a public service (e.g., a notary)
  • Some documents that would need to be filed with official instances such as the clerk’s office, notary public, bank, government e-services
  • Some official documents and contracts with the Public Sector

Read more about the specific use cases in your country in our Legality guide.

Qualified E-Signatures (QES) are the most secure type of e-signatures and carry the highest probative value. Therefore, they have the same legal effect as handwritten signatures. Moreover, Member States cannot request an electronic signature at a higher security level than the qualified electronic signature.

Common use cases where a qualified e-signature is typically required across the EU are:

  • Certain contracts governed by family law, such as marriage contracts and cohabitant contracts
  • Some documents that relate to real property – where the AES is not admitted
  • Documents that relate to mortgage applications or the submission of public tenders
  • Some contracts requiring by law the involvement of the courts, government/public authorities, or professions exercising a public service (e.g., a notary) – where the AES is not admitted
  • Some documents that would need to be filed with official instances such as the clerk’s office, notary public, bank, government e-services – where the AES is not admitted
  • Some official documents and contracts with the Public Sector – where the AES is not admitted

Read more about the specific use cases in your country in our Legality guide.

If you operate in the EU, the eIDAS Regulation is enforced in your country. Being a regulation and not a directive, eIDAS has come into effect throughout the 27 Member States without them needing to transpose it into national laws for internal implementation – and overrides national law in case of conflict. Moreover, since eIDAS is of EEA relevance, the Regulation also applies to Norway, Liechtenstein, and Iceland, which adopted internal laws implementing eIDAS provisions.

However, the eIDAS Regulation is not the only legislation you should consider.

Each Member State can define use cases where documents can be signed with a simple e-signature and situations when advanced or qualified e-signatures are instead required for the validity of the transaction. Moreover, each country can define situations where an electronic signature is not admitted, and you are required to use a traditional wet signature. Therefore, you should always consider the provisions of your national legislation on the topic.

Read more about the specific use cases in your country in our Legality guide.

Finally, all parties involved should agree on the signing method to be used – therefore, be aware that individuals or companies may have specific preferences to be taken into account.

Under eIDAS, e-signatures can be used instead of handwritten signatures any time a document needs to be signed – and the law prohibits discrimination against a signature on the sole grounds that it is in electronic form. In other words, whatever method is used to sign electronically, it will always be up to the judge to decide whether the signature should be considered valid or not in the specific case.

However, the Regulation allows each Member state to define through national law situations where manual signatures are required, and electronic signatures are not legally admissible.

Common use cases where a handwritten signature is still required across the EU are:

  • Contracts governed by family law, such as prenuptial agreements, marriage and pre-marital agreements, and marriage settlements, deeds of adoption, divorce agreements – for which handwritten signatures, witnesses, court or formal notarial process are explicitly required
  • Contracts governed by inheritance law, such as notarial will and witness testament, or springing power of attorney to manage a person’s financial affairs if they become incapacitated – for which handwritten signatures, witnesses, or formal notarial process are explicitly required
  • Contracts that explicitly require notarization, such as real property transfer contracts, estate distribution, partition of property, and deeds
  • Contracts which create or transfer the rights to a real estate property or an asset
  • Certain lease agreements and other agreements on the leased property that must be drawn up in writing or cannot be submitted as digital documents
  • Contracts for personal and real guarantees, contracts of suretyship granted and involving collateral securities furnished by persons acting for purposes outside their trade, business or profession
  • Some share certificates, issue certificates, convertible instruments issued in the form of debentures, and warrant certificates
  • Other documents that the law requires to always be hand-signed and submitted in original, physical copy.

Read more about the specific use cases in your country in our Legality guide.

 

Qualified Trust Service Providers (QTSP)

According to the eIDAS EU Regulation, a Trust Service Provider (TSP) is a person or business that provides one or more trust services.

A trust service is an electronic service for creating, verifying, validating, or preserving electronic signatures, seals, timestamps, documents, and more. A trust service is defined as qualified when it meets certain requirements established under eIDAS and has been audited by a conformity assessment body that certified its compliance.

Therefore, any signing software provider in the EU can be defined as a trust service provider, but only a few of them are qualified trust service providers (like Penneo).

A Qualified Trust Service Provider (QTSP) is a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body.

Put simply, it’s a TSP whose high level of security, data protection, and compliance have been audited and certified. As a result, there is greater assurance of the legal validity of its services.

As our compliance with eIDAS requirements is audited and certified, Penneo is a qualified trust service provider offering qualified time validations and qualified certificates for electronic seals and signatures.

Being a QTSP implies ensuring ongoing compliance with a number of requirements and responsibilities, such as:

  • High technical security and reliability of the services provided through the use of trustworthy systems and products and the employment of staff who possess the necessary expertise, experience, and qualifications.
  • Safe and lawful data processing and storage through the use of trustworthy systems where the data can be checked for authenticity, only retrieved after the consent of the person, and only added or changed by authorized persons.
  • Service reliability based on crisis management and business continuity plans and the existence of sufficient financial resources to face potential risks of liability for damages.
  • In the case of QTSPs issuing qualified certificates for a qualified trust service, the QTSP should establish a certificate database and keep it updated. Penneo, for example, is a QTSP issuing qualified certificates for electronic signatures and seals (and acting as a Certificate Authority, CA) – therefore, it’s obliged to maintain a database of the certificates issued.

A trust service provider can become qualified only after being audited by a conformity assessment body.

The audit aims to assess and confirm that the TSP – and the trust services it provides – fulfill the requirements laid down in the eIDAS Regulation. The on-site audit covers the design and effectiveness of internal processes and their technical implementation.

After being audited, the TSP must submit the resulting conformity assessment report to the supervisory body appointed in their Member State (for example, in Denmark, this function is assigned to the Agency for Digitization under the Ministry of Finance – Digitaliseringsstyrelsen). The supervisory body will then decide whether to grant the qualified status to the TSP. If the qualified status is granted, the supervisory body informs the EU Commission, which updates the relevant Trusted List.

After that, the QTSP can start providing qualified trust services and use the EU trust mark on their website.

Yes. Being recognized as a QTSP is not a one-time thing. QTSPs must be audited at least every 2 years to confirm ongoing compliance.

Moreover, the supervisory body may request an audit or a conformity assessment of the QTSP at any time to ensure eIDAS requirements are met continuously and in full. In case of non-compliance, their qualified status can be withdrawn.

The trusted lists (TLs) are lists of QTSPs published and maintained by each Member State. On each national trusted list, you can find information related to the QTSPs established in that country and the qualified trust services they provide.

The trusted lists are available on the EU Commission website, where you can navigate the Trusted List Browser to access national trusted lists or search for a QTSP by type, name, or through a signed document.

After the qualified status has been indicated in the trusted list, QTSPs can use the EU trust mark for qualified trust services.

The EU trust mark is represented by the logo below and indicates in a simple, recognizable, and clear manner that the service provider is a Qualified Trust Service Provider.

EU trust mark

The Trusted List Browser is a publicly available tool provided by the EU Commission to make it easier to browse national Trusted Lists (TLs) of Member States.

Thanks to its user-friendly interface, it’s a helpful research tool to navigate national Trusted Lists (TLs) or search for a QTSP by type, name, or through a signed document.

The Trusted Lists and the EU trust mark are indicators of the qualified status of a TSP. You can use the Trusted List Browser to verify that your provider is currently granted qualified status, and you can look for the EU trust mark logo on their website.

Besides those means, you can also find this information when checking the validity of e-signatures on a document through the EU Commission’s Validator or by opening the document in a PDF reader.

The Trusted List Browser allows you to find:

  • any Trust Service Provider (TSP) listed in a Member State national Trusted List
  • any Qualified Trust Service Provider (QTSP) and the qualified trust services it provides

Being listed in a Trusted List (and consequently being discoverable through the Trusted List Browser) is only mandatory for QTSPs, not for all TSPs. Therefore, while you should always be able to find a Qualified Trust Service Provider (QTSP) in the Browser, the same might not be true for Trust Service Providers (TSPs) who don’t have qualified status.

If you see a Qualified Trust Service Provider (QTSP) tagged with non-qualified trust services, it means that said QTSP also provides non-qualified trust services.

A QTSP must provide at least one qualified trust service but may also provide non-qualified trust services.

Yes. A qualified trust service under a Qualified Trust Service Provider (QTSP) based in any Member State will be considered as qualified in every Member State.

That aligns with eIDAS’s aim to achieve cross-border interoperability and recognition of qualified trust services.

From a legal point of view, all trust services (electronic signatures, seals, etc.) benefit from a non-discrimination clause as evidence in courts. In other words, it’s against the law to dismiss them as evidence in court solely because they are in electronic form. Whether you rely on a TSP or a QTSP, it will always be up to the judge to decide whether that trust service should be considered valid or not in the specific case.

However, because of the more stringent requirements applicable to Qualified Trust Service Providers, qualified trust services provide a stronger specific legal effect than non-qualified ones as well as higher technical security. Therefore, qualified trust services provide higher legal certainty and security for electronic transactions.

Penneo as a QTSP

Yes! Penneo’s systems have undergone the audit process required by law to assess and confirm compliance with eIDAS requirements for qualified electronic signatures as a qualified trust service.

Being based in Denmark, Penneo’s conformity assessment has been submitted to the Digitaliseringsstyrelsen (Agency for Digitization under the Ministry of Finance), which granted us the status of Qualified Trust Service Provider (QTSP).

Consequently, Penneo can be found in the relevant Trusted List, and you can see our EU trust mark throughout our website.

As a Qualified Trust Service Provider (QTSP), Penneo offers:

  • Qualified Certificates for Electronic Seals, which guarantee the origin and integrity of an electronic document.
  • Qualified Time Stamps, which guarantee the existence of an electronic document at a certain date and time, as well as provide proof that it hasn’t been modified.
  • Depending on the identification method, Qualified Certificates for Electronic Signatures, which enable the creation of qualified electronic signatures that are as legally valid as handwritten signatures.

The complex process that TSPs must undergo to become QTSPs – and the severe responsibilities placed on them to obtain and maintain this status – make QTSPs more reliable, trustworthy, and generally a safer choice when it comes to choosing a provider.

Qualified Trust Service Providers ensure a higher level of security in terms of:

  • Data protection
  • Continuity and good performance of services
  • Certainty and legal enforceability of the transactions carried out through them.

For all these reasons, QTSPs are to be preferred to simple TSPs.

Moreover, if your business operates across borders, with QTSPs you can be 100% sure of the validity of your transactions throughout the EU. That’s because QTSPs are mutually recognized in all Member States; in other words, a QTSP established in your country is recognized as legally equivalent to QTSPs based in the other Member States (as well as in the third countries or international organizations which implemented eIDAS – like EEA countries).

Penneo enables the creation of Advanced Electronic Signatures. Additionally, being a Qualified Trust Service Provider, Penneo has been authorized to offer Qualified Electronic Signatures, Seals, and Timestamps. If you don’t have any eID, you can use Penneo’s Touch signature to create a simple e-signature (SES) by drawing it, typing your name, or uploading a picture of your signature. Even for documents signed via SES, Penneo applies a qualified electronic seal based on the PAdES standard at the end of the signing process, thereby ensuring the document’s LTV and tamper-proofness.

Yes! Penneo’s digital signatures meet the requirements laid down in the EU eIDAS Regulation and are therefore legally valid and enforceable throughout the EU.

Qualified electronic signatures created via Penneo have the same legal effect as handwritten signatures.

Unfortunately, that’s not possible.

If you don’t have any eID, you can use Penneo’s Touch signature to create a simple e-signature (SES) by drawing it, typing your name, or uploading a picture of your signature.

Even for documents signed via SES, Penneo applies a qualified electronic seal based on the PAdES standard at the end of the signing process, thereby ensuring the document’s LTV and tamper-proofness.

Signing digitally via Penneo is easy and secure. It only takes a few minutes and can be done with any device, as long as you have an Internet connection.

Once the signer has selected the signing method they want to use, they will be asked to authenticate themselves following the steps of the corresponding method chosen. If that method is an eID, the authentication usually requires them to type their national identification number and passcodes in the relevant field or to perform biometric identification.

Check out this guide for more information on how to sign a document.

At this point, Penneo’s signing software takes over and enables the creation of the electronic signature, and the process ends with a confirmation message informing the signer that the document was successfully signed.

Once all parties have signed the document, each signer will receive an email that will include the signed document as an attachment (that can be downloaded directly from the email) or a link to access the signed document in the free Penneo archive created for each signer. Check out this guide for more information on how to get the signed document.
