The qualified electronic signature: insights into processes, security and application

Imagine this: You only have a few hours left to conclude an important contract, but the law requires it to be in writing. The contractual partner is hundreds of kilometers away and the usual postal service is not an option. In an increasingly digitalized world, in which contracts are increasingly concluded online, the qualified electronic signature (QES) is the solution for legally compliant and fast action. It makes it possible to sign contracts in a legally valid manner and without being physically present - an indispensable tool for companies and private individuals in the digital age.

What exactly is a qualified electronic signature?

The qualified electronic signature (QES) is a signature option that allows contracts and documents to be signed digitally and in a legally secure manner. Among the various types of electronic signatures, the QES is the most secure and legally binding variant. It comes closest to a handwritten signature and meets the strictest legal requirements. The QES ensures that the signature is clearly assigned to a specific person and protects against subsequent changes to the document. This means that it is legally equivalent to a handwritten signature and is used for contracts with high liability or legally required written form. Its security standards offer maximum probative value in the event of legal disputes.

In comparison, the simple electronic signature (EES) does not offer secure identification of the signatory and is therefore more commonly used for documents without special formal requirements. Although the advanced electronic signature (FES) offers a certain level of security through two-factor authentication, it does not meet the strict legal requirements of the QES. While the EES and FES can be sufficient in certain situations, the QES is particularly needed when maximum legal certainty and probative value are required - for example, for contracts that require the written form. 

The exact requirements that the various signature types must meet are regulated in Europe by the eIDAS Regulation.

What does the eIDAS Regulation mean for the QES?

The eIDAS Regulation (electronic Identification, Authentication and Trust Services) regulates the legal framework for electronic signatures and trust services within the European Union. It sets out clear criteria as to when an electronic signature is considered a qualified electronic signature (QES). 

According to the eIDAS Regulation, a QES must fulfill several strict requirements:

  1. Unique assignment: The signature must be clearly assigned to a person.

  2. Unquestionable identification: The identity of the signatory must be proven beyond doubt.

  3. Use of a qualified signature creation device: The signature must be created with a special signature creation device that guarantees a high level of security.

  4. Immutability: Subsequent changes to the signed document must be recognizable.

  5. Qualified certificate: The signature must be based on a qualified certificate issued by a qualified trust service provider (QTSP).

The eIDAS Regulation aims to strengthen trust in electronic transactions and create a common basis for secure digital interaction in the EU. A central component of the QES is the qualified certificate, which is issued by a recognized trust service provider (QTSP). These providers are accredited by the state and ensure that the identity of the signatories is verified and the security of the signatures is guaranteed.

 

How does a Qualified Electronic Signature (QES) work?

The qualified electronic signature (QES) process follows clear steps that guarantee both security and integrity:

  1. Identity verification and certificate issuance
    First, the signatory must prove their identity to a qualified trust service provider (QTSP), for example by presenting an ID document. After successful verification, the QTSP issues a qualified certificate containing the signatory's public key.

  2. Creating the key pair
    A secure signature creation device (SSCD) such as a signature card is used to generate a key pair: a private and a public key. The private key remains securely in the SSCD and is not disclosed.

  3. Signature creation and hash value
    When signing a document, a unique hash value (a kind of digital fingerprint of the document) is first created. This hash value is then encrypted using the private key and forms the qualified electronic signature. This signature is sent together with the document.

Signature verification

The recipient decrypts the hash value using the public key contained in the qualified certificate. The recipient then creates a new hash value from the received document and compares it with the decrypted hash value. If both values match, the document is unchanged and the signature is authentic.

Cloud solution vs. signature card

  1. Cloud solution: The certificate is stored in the secure IT environment of the trust service provider. The signatory authenticates himself using a combination of user name, password and two-factor authentication (e.g. SMS-TAN). This solution is flexible and enables signing from any location. It is therefore often used as a remote signature.

  2. Signature card: The certificate and the private key are stored on a physical signature card. This requires a card reader and special software to create the signature. The physical card offers additional security, as the private key remains exclusively on the card.

If the card is lost or stolen, the cardholder can have it blocked immediately to prevent unauthorized persons from acting in a legally binding manner on behalf of the cardholder. Blocking is crucial, as every electronic signature generated with the card is legally assigned to the holder. Certification service providers are legally obliged to revoke the certificate immediately if this is requested by the cardholder or an authorized representative. The revocation of the qualified signature card is therefore an important security mechanism to prevent misuse.

Both options are secure, with the cloud solution offering flexibility above all and the signature card scoring points for physical security.

What is a hash function and how does it help with the security and integrity of digital signatures?

The hash value plays a central role in the security of the qualified electronic signature (QES), as it indicates whether a document has been subsequently changed. Without this function, the integrity of the signature would be seriously compromised.

A hash function is a mathematical algorithm that generates a unique numerical value from any data (e.g. a document) - the so-called hash value. This value serves as a digital fingerprint of the document. Even the smallest change to the document results in a completely different hash value. This is crucial for the security and integrity of digital signatures, as the hash value is used to verify that the document has remained unchanged after signing.

With the qualified electronic signature (QES), the hash value of the document is encrypted with the signatory's private key and thus forms the signature. The recipient can decrypt the hash value with the respective public key and compare it with the hash value of the received document. If both match, the signature is valid and the document is unchanged. This ensures the integrity and authenticity of the digital signature.

A hash function has several important properties:

  1. Uniqueness: It converts any input (e.g. files or texts) into a fixed, usually shorter value. Even the smallest changes to the document result in a completely different hash value.

  2. Deterministic: The same input always results in the same hash value. This ensures that consistency is maintained when checking the data.

  3. One-way function: It is impossible to deduce the original content from the hash value. This provides additional security, as the hash value cannot be decrypted.

  4. Collision protection: A good hash function prevents two different inputs from generating the same hash value. This ensures the integrity of the data and tampering can be reliably detected.

These properties make the hash function an indispensable component of digital signatures, as it verifies whether a document has remained unchanged after signing.

What is a qualified certificate and why is it so important for the QES?

A qualified certificate is a digital document that confirms the identity of the signatory and guarantees the security of the signature. It is issued by a qualified trust service provider (QTSP) who has previously verified the identity of the signatory. This certificate contains the public key of the person in question, which is used to verify the signature.

The qualified certificate is the central component of the QES, as it ensures that the signature is clearly assigned to a person and is legally binding. In order to obtain such a certificate, the signatory must identify themselves once to a QTSP, e.g. using the video identification procedure. Thanks to these strict verification processes, the QES is the most secure form of electronic signature that is recognized as legally binding in all EU countries.

What role does a qualified trust service provider play?

A qualified trust service provider (QTSP) is a provider that operates in accordance with the strict requirements of the eIDAS Regulation and provides trusted services such as qualified electronic signatures (QES). QTSPs play a central role in the security and binding nature of digital transactions by verifying the identity of the signatory and ensuring that signatures cannot be tampered with.

Main tasks of a QTSP:

  1. Issue of qualified certificates: Confirm the identity of the signatory and contain the public key.

  2. Security infrastructure: Implement secure signature creation devices (SSCD) and ensure the protection of signatures.

  3. Identity check: Carry out a thorough identity check, e.g. via Video-Ident.

  4. Trust services: Provide additional services such as qualified time stamps and electronic seals.

  5. Regular audits: Are reviewed by independent bodies to ensure that all safety standards are met.

With these functions, QTSPs guarantee the security, authenticity and legal validity of the QES.

When is a qualified electronic signature useful?

The Qualified Electronic Signature (QES) meets strict requirements and is therefore not necessary for every contract. However, the QES can be recommended for the following types of contract:

Financial law

  • Credit agreements: Contracts for the granting of loans, especially for large sums or special conditions.
  • Securities transactions: Purchase and management of shares, bonds or funds.
  • Guarantee agreements: Contracts for loan collateralization by third parties.
  • Financial advisory contracts: Legal support for financial services and products.

Insurance law

  • Insurance policies: Contracts for life, liability or occupational disability insurance.
  • Reinsurance contracts: Agreements between primary insurers and reinsurers on risk distribution.
  • Damage reports: Ensuring legally compliant documentation and submission.
  • Insurance claims: Formal entitlement to insurance benefits.

Corporate and civil law

  • Certificates of incorporation: Documents for the formation of companies such as limited liability companies or stock corporations.
  • Articles of association and agreements: Agreements on the internal structure and management of a company.
  • Company resolutions: Decisions on strategic or structural changes.
  • Wills and inheritance contracts: Legal documents for estate planning.

Commercial law

  • Commercial register entries: Registrations and changes to company formations and business transactions.
  • Balance sheets and annual financial statements: Financial reports with binding information.
  • Supply and distribution contracts: Legal agreements on delivery conditions and obligations.
  • Sales contracts: Contracts for the trade of goods and services.

Real estate law

  • Real estate purchase agreements: Contracts for the purchase or sale of real estate.
  • Land charge and mortgage agreements: Securing loans with real estate.
  • Rental agreements: Agreements with long-term legal protection for rental properties.
  • Notarial certifications: Legally valid certifications of documents.

Labor law

  • Employment contracts: Especially those with specific clauses and special remuneration agreements.
  • Termination agreements: Amicable regulation of the termination of employment relationships.
  • Warnings: Written notices with legal effect vis-à-vis employees.
  • Pay slips: Documents for legal clarification and securing payments.

In summary, the qualified electronic signature (QES) is the most secure form of digital signature, as it is subject to strict security and identity checks. It guarantees maximum integrity and legal validity, which makes it ideal for contracts with a legally required written form or a high liability risk. However, the creation of a QES is also more complex and time-consuming due to the required registration process and elaborate identity checks. It is therefore particularly useful for important contracts where maximum security and legal recognition are essential.

The QES at ContractHero

At ContractHero, we offer both the advanced electronic signature (FES) for contracts with less stringent regulations and the qualified electronic signature (QES) for particularly security-relevant documents. As an ISO 27001 and eIDAS-compliant company, we attach great importance to the security of your data. Contracts can be created directly with us, sent for signature and managed securely in ContractHero after signing - efficient, legally binding and easy to use.

Sebastian Wengryn
CEO

You may also be interested in...

Blog

Everything you need to know about termination agreements - A comprehensive guide

Find out what you should bear in mind when concluding a termination agreement.
Read the article
Blog

Termination of a software contract: sample & what to consider

Find out what you need to include in a termination notice for a software contract.
Read the article
Blog

Freelancer contract sample: structure, differences and important details

Find out what a freelance contract consists of and what differentiates it.
Read the article
Get started with ContractHero now
See ContractHero live in action! Register here for the 30-minute demonstration:
Book a demo