Simple, Advanced, and Qualified Electronic Signatures in the EU (2026)
If you've ever sent a signed contract to a European counterparty and gotten a polite but firm "this doesn't meet our internal standards" reply, you've run into eIDAS. The EU's approach to electronic signatures is more formal than the U.S.'s — and the three-tier structure it uses matters enormously for any business doing cross-border work.
The good news: once you understand the three tiers and the one decision tree that maps documents to tiers, eIDAS stops being mysterious and becomes a clear operational framework. It's also surprisingly easy to comply with from outside the EU, if you use the right signing platform.
This guide walks through what eIDAS is, the three tiers in plain English, which tier you need for which document, how non-EU businesses comply, and the common mistakes that cause U.S. e-signatures to be rejected in Europe.
eIDAS (Electronic Identification, Authentication and Trust Services) is the EU regulation governing electronic signatures, seals, timestamps, and identity across all 27 member states. It entered into force in 2016 and was updated to "eIDAS 2.0" in 2024.
Simple Electronic Signature (SES) — any electronic signature meeting minimum legal requirements. Roughly equivalent to a U.S. ESIGN signature.
Advanced Electronic Signature (AdES) — must be uniquely linked to the signer, capable of identifying them, under their sole control, and linked to the signed data so tampering is detectable. In practice, this means a cryptographic digital signature backed by identity verification.
Qualified Electronic Signature (QES) — an AdES created using a qualified signature creation device (QSCD) and backed by a qualified certificate from a qualified trust service provider (QTSP) on the EU Trust List. Legally equivalent to a handwritten signature across all 27 member states.
The higher the tier, the stronger the legal presumption. For most day-to-day commercial documents, SES is sufficient. For regulated or high-stakes documents, AdES or QES is required. If you're signing from outside the EU with an EU counterparty, defaulting to at least AdES is the safer choice.
Before eIDAS, every EU member state had its own e-signature law. A contract signed in Germany might not be enforceable in France. A tender submitted to a Dutch government agency required different technology than one submitted to a Spanish one. The fragmentation was bad for business and worse for the single market.
eIDAS solved this by creating one harmonized regulation across all member states. It did two big things at once:
1. Recognition. An electronic signature that meets eIDAS's requirements in one member state is automatically valid in all 27.
2. Tiering. The regulation explicitly distinguishes between different levels of signature strength, so parties can choose the appropriate level for their use case, and regulators can specify which tier is required for which document type.
The tiering is the key design insight. eIDAS doesn't say "all e-signatures are equal" (as the U.S. laws do). It says: choose the right tier for the risk level. This makes it more complicated than ESIGN/UETA — but also more precise.
The broadest tier. Any data in electronic form that is "attached to or logically associated with other electronic data, and used by the signatory to sign" qualifies. Practically, this covers:
SES has the lowest evidentiary weight under eIDAS. It's legally valid, and can be used as evidence in court, but the burden of proving the signer's intent and the document's integrity falls on whoever is relying on the signature.
SES is appropriate for: routine internal approvals, low-value B2B transactions, clickwrap agreements, standard NDAs with well-known counterparties.
SES is not appropriate for: regulated documents, high-value contracts, cross-border formal agreements, or anything where a counterparty might later dispute the signer's identity.
Uniquely linked to the signatory. The signature must be tied to one specific person, not shared or generic.
Capable of identifying the signatory. The signature mechanism must provide evidence of who the signer is — typically via identity verification during signing.
Created under the signatory's sole control. The private key or signing mechanism must be something only the signer can use.
Linked to the signed data such that any subsequent change is detectable. This is the cryptographic requirement — a digital signature with a hash that fails verification if the document is altered.
In practice, an AdES is an electronic signature with a digital signature layer underneath, backed by identity verification of the signer.
AdES carries significantly more evidentiary weight than SES. In many EU courts, an AdES creates a strong presumption that the signer actually signed the document; the burden of disproving it falls on whoever is challenging the signature.
AdES is appropriate for: most commercial contracts, employment agreements, higher-value B2B transactions, cross-border agreements, and any document where you want protection against repudiation.
Created using a Qualified Signature Creation Device (QSCD). A hardware device or software module that has been certified against strict security standards.
Backed by a qualified certificate. The certificate must be issued by a Qualified Trust Service Provider (QTSP) on the EU Trust List — a public register of providers that have been audited and certified under eIDAS.
A QES has the highest legal status of any e-signature under eIDAS: it is legally equivalent to a handwritten signature, automatically, across all 27 member states. No further evidence is required to establish validity.
QES is required for: specific regulated documents in various EU jurisdictions — certain notarial acts, specific court submissions, some financial instruments, certain public-sector documents. QES is also often contractually required in high-value B2B agreements where the parties want maximum enforceability.
SESAdESQESLegal statusValid e-signatureValid e-signature with stronger evidenceLegally equivalent to wet signatureIdentity verificationNot requiredRequiredRequired, via qualified certificateCryptographic hashNot requiredRequiredRequiredHardware requirementsNoneNoneQualified device (QSCD)Certificate authorityNone requiredAny reputable CAQualified Trust Service ProviderUse casesClickwrap, low-value NDAsMost commercial contractsRegulated documents, notarial actsBurden of proof in disputeOn party relying on signaturePresumption favors validityAutomatic validity, no further proof needed
For most documents, the decision is straightforward.
Use SES if: the document is low-value, the counterparty is known and trusted, the regulation doesn't specify a tier, and repudiation risk is minimal.
Use AdES if: the document is a standard commercial contract, cross-border, of moderate-to-high value, or any case where you want a strong evidentiary backstop against later disputes.
Use QES if: a regulation specifically requires it, a counterparty contractually requires it, or you're executing documents that historically required a notary (certain real estate transfers, specific financial instruments, some court filings).
The safe default for any non-trivial document is AdES. Most modern e-signature platforms can produce AdES-compliant signatures automatically, with no additional user friction. Choosing AdES by default aligns you with both eIDAS and — notably — with the evidentiary expectations U.S. courts increasingly apply to electronic signatures under ESIGN and UETA as well.
The list varies by member state, but the common categories include:
If you're working with a European counterparty and they specify QES, take it at face value — the regulation or internal policy driving their request is probably strict, and substituting AdES is likely to create problems at their audit stage.
You don't have to be based in the EU to issue eIDAS-compliant signatures. But you do need a signing platform that supports the required tier.
For SES: any e-signature platform works.
For AdES: choose a platform that supports digital signatures (PAdES, PKCS#7) with identity verification of the signer. Most modern platforms — including VerifyDoc.ai — do this out of the box. The platform should be able to produce a signed PDF with an embedded digital signature that verifies cryptographically in any PDF reader.
For QES: your platform must either be a Qualified Trust Service Provider itself or partner with one. Check the EU Trust List for certified providers. Signing with QES from outside the EU is entirely possible; the signer typically authenticates via a qualified mechanism (a smart card, a remote signing service, or a qualified ID app) during the signing session.
The practical implication: if your business might ever need to sign QES documents with EU counterparties, pick a platform that supports all three tiers so you can upgrade on demand without switching systems.
Mistake 1: Assuming ESIGN "covers" eIDAS. It doesn't. An electronic signature valid under ESIGN may not satisfy the AdES or QES requirements in eIDAS. For EU-involved documents, check the tier requirement explicitly.
Mistake 2: Defaulting to SES because "a signature is a signature." This is the single most common failure mode. A typed name satisfies SES but will not satisfy counterparties, auditors, or regulators expecting AdES. Upgrade your default to AdES for any document with EU involvement.
Mistake 3: Using a non-EU CA for QES. QES specifically requires a Qualified Trust Service Provider on the EU Trust List. A U.S. certificate authority, even a very reputable one, cannot issue QES-grade certificates.
Mistake 4: Not preserving the audit trail long enough. eIDAS expects long-term preservation of signature validity, often for 10+ years. Your retention policy must preserve both the signed document and the full cryptographic audit trail for the full period.
Mistake 5: Hand-waving about "identity verification." AdES and QES both require that the signer be identified. "We emailed them a link" is not identity verification. Use a platform that captures at minimum email + SMS or a comparable two-factor check; use platforms that support government ID verification for higher-risk signatures.
Mistake 6: Ignoring eIDAS 2.0 and the European Digital Identity Wallet. The 2024 update to eIDAS introduced the European Digital Identity Wallet framework, which will gradually become the standard mechanism for AdES and QES authentication across the EU. Platforms that support EUDI Wallet integration will be easier to work with long-term.
The 2024 eIDAS update (commonly called "eIDAS 2.0") is the most significant change to EU e-signature law in a decade. The headline feature is the European Digital Identity Wallet (EUDI Wallet), a member-state-provided mobile identity wallet every EU citizen is entitled to.
Over the next few years, the EUDI Wallet will become the default mechanism for:
For businesses, this means: the barriers to issuing and verifying AdES/QES signatures will drop significantly. EU counterparties will increasingly expect to use their EUDI Wallet to sign and receive documents. Non-EU platforms that integrate with the EUDI Wallet ecosystem will have a meaningful competitive advantage.
If you're picking a signing platform in 2026 and EU compliance matters to you, ask about EUDI Wallet support on your roadmap conversation.
A common question: if a U.S. business signs an eIDAS-compliant electronic signature, is it valid in the U.S.? And vice versa?
eIDAS → U.S.: an AdES or QES signature applied by an EU counterparty easily satisfies ESIGN and UETA requirements. In fact, AdES carries stronger evidence than most U.S. e-signatures typically produce. Courts in the U.S. generally accept eIDAS signatures without issue, provided the four ESIGN/UETA conditions (intent, consent, association, retention) are otherwise satisfied.
U.S. → eIDAS: a U.S. ESIGN-compliant signature that doesn't meet AdES requirements will be treated as SES by eIDAS. This is fine for low-tier use cases but may be rejected for higher-tier ones. If your U.S. signature has an embedded cryptographic digital signature and identity verification, it can often be evaluated as AdES-equivalent.
Practical rule for cross-border transactions: default to AdES. It satisfies both legal frameworks simultaneously without requiring separate signing workflows.
No. eIDAS governs electronic signatures, seals, and trust services. GDPR governs personal data protection. They're independent regulations, though they interact — any personal data collected during e-signing is subject to GDPR.
No. Any business, anywhere, can issue SES or AdES signatures for EU counterparties. QES typically requires the signer to authenticate through a Qualified Trust Service Provider, but most QTSPs accept signers from outside the EU.
Your signing platform partners with a QTSP, or you switch to a platform that does. Most modern enterprise signing platforms — DocuSign, Adobe, and verification-native platforms like VerifyDoc.ai — support QES through QTSP partnerships.
Ask them explicitly, and refer the question to their legal team. Ambiguity here causes expensive rework. If they can't answer, default to AdES.
Typically negligible difference in platform cost. The main cost is identity verification, which is usually just a few cents per signer for email + SMS.
No. eIDAS applies to signatures created after its effective date. Older signatures are governed by the national laws in place at the time.
An organization that provides eIDAS-regulated services — issuing qualified certificates, timestamping, preservation, delivery, etc. Qualified TSPs are on the EU Trust List after passing strict audits.
Technically yes, but practically difficult — especially for QES, which requires certified hardware (QSCDs). For most businesses, using a platform that's already compliant is far simpler and cheaper.
The eIDAS framework is more complex than U.S. law, but it rewards understanding. Once you grasp the three tiers and their use cases, you can make signing decisions with confidence across any EU-involving transaction.
The simplest operational rule: default to AdES for any document involving EU parties, and escalate to QES when a specific regulation or contract demands it. This covers 95% of use cases and makes the remaining 5% a well-scoped special case rather than a panic.
For the full picture of how eIDAS fits into the modern document trust stack — alongside electronic signatures, digital signatures, QR codes, and certificates of authenticity — start with our pillar guide: How to Verify Document Authenticity in 2026. If you want to contrast with the U.S. framework, read ESIGN Act vs. UETA.
Need to issue documents that satisfy eIDAS AdES or QES from outside the EU? Try VerifyDoc.ai free — our signing stack supports all three eIDAS tiers, plus U.S. ESIGN/UETA, from one platform.