How Electronic Signatures Work in 2026
Understanding how electronic signatures work is essential for any legal manager or IT director. Explore the cryptographic and regulatory mechanisms that guarantee their evidential value.
Certyneo Team
Editor — Certyneo · About Certyneo
Introduction
Electronic signature is today at the heart of digital transformation in enterprises: in 2025, more than 70% of large European organisations have integrated it into at least one contractual process (source: Gartner, Digital Process Automation Survey 2025). Yet few decision-makers understand precisely the mechanisms that make it legally valid and technically unforgeable. Understanding how electronic signature works technically — cryptography, PKI, certificates — enables you to choose the right solution, reduce legal risks and accelerate internal adoption. This article guides you, step by step, through the technical architecture and standards governing electronic signature in 2026.
---
The Cryptographic Foundations of Electronic Signature
Electronic signature rests on proven cryptographic primitives. Understanding these mechanisms means understanding why it is more reliable than a scanned handwritten signature.
Asymmetric Encryption: Public and Private Keys
The fundamental principle is asymmetric cryptography, invented in the 1970s and realised in algorithms such as RSA (Rivest–Shamir–Adleman) or elliptic-curve schemes such as ECDSA. Each signatory has two mathematically linked keys:
- The private key: kept secret by the signatory, on a secure device (smart card, HSM token, or protected software module). It is used to create the signature.
- The public key: distributed freely, included in a digital certificate. It is used to verify the signature.
The security principle rests on computational asymmetry: verifying a signature with the public key is cheap, but recovering the private key from the public key is computationally infeasible (it would require solving the discrete logarithm problem or factoring large integers).
Hash Functions: The Digital Fingerprint of the Document
Before signing, the system calculates a cryptographic fingerprint of the document using a hash function (SHA-256 or SHA-3 in 2026). This fingerprint, called a hash or digest, is a fixed-length value (256 bits, i.e. 32 bytes, for SHA-256) that for all practical purposes uniquely represents the document's content.
Essential property: modifying a single character of the document produces a radically different hash. This guarantees the integrity of the signed document: any alteration after signing is immediately detectable.
The electronic signature proper is therefore the encryption of this hash with the signatory's private key. When verifying, the recipient:
- Decrypts the signature with the public key to recover the original hash;
- Recalculates the hash of the received document themselves;
- Compares the two: if identical, the signature is valid.
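The hash-then-sign round trip described above, as an added Go example that is not the article's or Certyneo's code: it signs the SHA-256 digest of a constructed sample contract with an ECDSA P-256 key, then shows that changing a single character, or checking with another party's public key, makes verification fail. One caveat for the recover-and-compare description: it matches RSA, whereas an ECDSA verifier does not "decrypt" anything, it recomputes the digest itself and checks whether the signature matches it under the public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signDocument implements hash-then-sign: the private key never processes the
// document itself, only its SHA-256 digest. Constructed demo, not platform code.
func signDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyDocument recomputes the digest of the received bytes and checks the
// signature against it. With ECDSA nothing is "decrypted": the verifier only
// learns whether the signature matches this digest under this public key.
func verifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample contract.
	contract := []byte("Supply agreement: 1,000 units at EUR 12.00 each.")
	sig, err := signDocument(priv, contract)
	if err != nil {
		panic(err)
	}
	fmt.Printf("digest: %x\n", sha256.Sum256(contract))
	fmt.Println("original verifies:", verifyDocument(&priv.PublicKey, contract, sig))

	// One character changed after signing: the digest changes completely and
	// the same signature no longer verifies.
	tampered := []byte("Supply agreement: 1,000 units at EUR 12.09 each.")
	fmt.Println("tampered verifies:", verifyDocument(&priv.PublicKey, tampered, sig))

	// Verification under someone else's public key also fails.
	other, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fmt.Println("wrong key verifies:", verifyDocument(&other.PublicKey, contract, sig))
}
```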
---
Public Key Infrastructure (PKI): The Chain of Trust
Cryptography alone is not enough: you must also prove that the public key belongs to the person claiming to use it. This is the role of the PKI (Public Key Infrastructure).
Certification Authorities (CAs)
A Certification Authority (CA) is an accredited trusted third party that issues digital certificates. A digital certificate is a standardised file (X.509 format) containing:
- The holder's identity (name, organisation, e-mail);
- Their public key;
- The period of validity;
- The CA's own digital signature.
In Europe, qualified CAs are listed in the Trusted Lists published by each EU Member State in accordance with the eIDAS regulation. In France, ANSSI publishes and maintains this list. Qualified trust service providers (QTSPs) — such as CertSign, Certigna, or Universign — are subject to regular audits under the ETSI EN 319 401 standard.
Certification Chain and Revocation
The PKI operates on a hierarchical model:
- A self-signed root CA, kept offline under maximum physical security conditions;
- Intermediate CAs that issue certificates for end users.
Revocation of certificates is a critical mechanism: if a private key is compromised, the CA publishes its invalidation via a CRL (Certificate Revocation List) or via OCSP (Online Certificate Status Protocol), which enables real-time status checks.
For qualified electronic signature under eIDAS, the private key must be generated and kept in a QSCD (Qualified Signature Creation Device) — equipment certified CC EAL4+ or higher, such as a smart card or HSM (Hardware Security Module).
---
The Three Levels of Signature According to eIDAS
The European regulation eIDAS No. 910/2014 (and its evolution eIDAS 2.0 currently being rolled out) defines three levels of signature, each based on increasing technical guarantees. To learn more about this regulatory framework, consult our comprehensive guide to eIDAS regulation.
Simple Electronic Signature (SES)
Simple signature is the least technically demanding form. It can be as basic as a checkbox, a one-time password (OTP) sent by SMS, or an image of a handwritten signature. It does not necessarily involve a qualified certificate.
Typical use: approval of quotations, marketing consents, low-stakes contracts.
Risk: limited evidential value in case of legal dispute. The burden of proof falls on the party invoking the signature.
Advanced Electronic Signature (AdES)
Advanced signature meets four precise technical requirements (Article 26 eIDAS):
- It is uniquely linked to the signatory;
- It allows the signatory to be identified;
- It is created from data under the exclusive control of the signatory;
- It allows any subsequent modification of the document to be detected.
In practice, this involves the use of a personal digital certificate and a robust authentication mechanism. The standard formats are defined by ETSI: PAdES (for PDF), XAdES (XML), CAdES (binary data) and JAdES (JSON), all standardised in the ETSI EN 319 100 series.
Qualified Electronic Signature (QES)
Qualified signature is the highest level. It requires:
- A qualified certificate issued by an accredited eIDAS QTSP;
- A QSCD for signature creation.
It benefits from a legal presumption of reliability and legal equivalence with handwritten signature throughout the European Union (Article 25 eIDAS). This is the level required for electronic authentic acts, certain notarial acts, or sensitive public procurement.
Our comparison of electronic signature solutions analyses the practical differences between these levels to help you choose.
---
The Complete Electronic Signature Process Step by Step
Here is how an electronic signature transaction proceeds concretely on a SaaS platform like Certyneo:
Step 1: Document Preparation and Sending
The signature initiator uploads the document (contract, amendment, purchase order) to the platform. The system immediately generates a SHA-256 hash of the original file, timestamped and preserved immutably. This fingerprint will serve as the reference for all future verification.
Step 2: Signatory Authentication
Depending on the signature level chosen, authentication varies:
- SES: e-mail + signature link;
- AdES: strong authentication (SMS OTP, FIDO2 mobile application);
- QES: prior identity verification (face-to-face or video IDV), issuance of a qualified certificate for single or persistent use.
Step 3: Creation of Cryptographic Signature
The signatory triggers the signing act. The platform (or QSCD):
- Calculates the document hash;
- Encrypts this hash with the signatory's private key;
- Integrates the signature and certificate into the document (PDF signed in PAdES-LTV format for long-term preservation).
Step 4: Qualified Timestamping
A qualified timestamping service (TSA) compliant with RFC 3161 affixes a cryptographic timestamp, proving the signature existed at a specific instant. This protects against date falsification and guarantees evidential value over time — even if the signatory's certificate expires later.
Step 5: Evidentiary Archiving
The signed document is archived with its complete audit trail: signatory identity, IP address, timestamp, document hash, certificates used. This proof file (audit trail) is essential in case of legal dispute. Solutions compliant with eIDAS maintain these proofs in a PAdES-LTV (Long-Term Validation) format that integrates validation data to enable verification years after signing.
To understand how to integrate this process into your HR workflows, discover our electronic signature solution for HR and our contract templates for download.
Legal Framework Applicable to Electronic Signature
Electronic signature falls within a multi-layered regulatory framework, articulating national civil law and harmonised European law.
French Civil Code
Article 1366 of the Civil Code establishes the fundamental principle: "Electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be duly identified and that it is established and preserved in conditions designed to guarantee its integrity." Article 1367 clarifies that electronic signature "consists in the use of a reliable identification process guaranteeing its link with the act to which it is attached."
Decree No. 2017-1416 of 28 September 2017 defines the presumption of reliability for qualified and advanced signatures compliant with eIDAS.
eIDAS Regulation No. 910/2014
The cornerstone of European digital trust law, the eIDAS (electronic IDentification, Authentication and trust Services) regulation establishes a unified legal framework for electronic signatures, electronic seals, qualified timestamping, registered delivery services and website authentication certificates. Its Article 25, paragraph 2, confers on qualified signature a legal presumption of equivalence with handwritten signature throughout the EU.
The eIDAS 2.0 regulation (currently being transposed in Q1 2026) strengthens these provisions with the European Digital Identity Wallet (EUDIW) and extends obligations to the financial and health services markets.
ETSI Standards
Signature formats are standardised by ETSI:
- ETSI EN 319 132 (XAdES), EN 319 122 (CAdES), EN 319 102 (PAdES) define the technical profiles of advanced and qualified signatures;
- ETSI EN 319 421 frames policies for qualified timestamping services.
GDPR and Data Protection
The processing of identity data in the context of electronic signature (name, e-mail, biometrics for identity verification) is subject to the GDPR No. 2016/679. Controllers must: have a legal basis (legitimate interest or contract performance), apply the data minimisation principle, and guarantee security through appropriate technical measures (encryption, pseudonymisation).
NIS2 Directive
The NIS2 Directive (2022/2555/EU), transposed into French law since October 2024, imposes enhanced obligations on operators of essential services and digital service providers (including electronic signature providers) in terms of cybersecurity, risk management and incident notification within 24 hours. Non-compliance is subject to penalties reaching €10 million or 2% of global turnover.
Concrete Use Scenarios for Electronic Signature
Scenario 1: A Corporate Law Firm Automates Signing of Mandates
A corporate law firm with about twelve practitioners processed an average of 120 representation mandates per month. The paper procedure involved printing, sending by post or hand delivery, then digitising returned documents — resulting in an average delay of 4.5 business days per file and an estimated document loss rate of 8%.
By deploying advanced electronic signature (AdES) with OTP authentication, the firm reduced the average signature delay to less than 4 hours, reduced the document anomaly rate to less than 1%, and saved approximately €2,200 per year in postage and printing costs. The automatically generated audit trail also simplified two mandate dispute procedures by providing incontestable timestamped evidence. Discover our solution dedicated to law firms.
Scenario 2: An SME Manufacturer Digitalises its Supplier Contracts
An SME manufacturer managing about 200 supplier contracts per year (general purchasing conditions, price amendments, NDAs) suffered signature delays that could exceed three weeks for cross-border contracts with German and Spanish partners. Differences in legal systems and lack of mutual recognition slowed negotiations.
By adopting qualified signature (QES) issued by an accredited eIDAS QTSP, recognised throughout the EU, the SME benefited from automatic legal recognition in all three countries without any further legalisation. The average cross-border signature delay fell from 18 days to 2.5 days. Electronic signature in enterprises details these benefits for procurement teams.
Scenario 3: A Hospital Group Secures Patient Informed Consent
A hospital group of about 800 beds had to obtain informed consent from patients for clinical research protocols. Paper management created GDPR compliance risks (poorly stored documents, untraceable dates) and mobilised nursing staff for administrative tasks.
By integrating simple electronic signature with SMS code identification — sufficient for acts not subject to the qualified requirement — the hospital group automated the collection, archiving and traceability of consents. Administrative time per patient fell from 12 minutes to less than 2 minutes, freeing up approximately 800 nursing hours per year. All documents are archived with qualified timestamping, fully satisfying CNIL requirements. Explore our signature solution for healthcare.
Conclusion
Understanding how electronic signature works technically — from asymmetric cryptography to PKI, from qualified certificates to probative timestamping — is essential for making informed choices regarding compliance and operational efficiency. The three eIDAS levels (simple, advanced, qualified) meet different needs, and the choice should always be guided by analysis of legal risk and expected probative value.
Certyneo supports you in this transition with an eIDAS-compliant SaaS platform, accredited QTSPs and simplified integration into your existing processes. Estimate the potential gains for your organisation with our electronic signature ROI calculator, or start directly by consulting our offers and pricing. Compliance and performance are no longer a trade-off.