E-Signature Service Provider Obligations in Australia
eIDAS qualification, GDPR compliance, ANSSI requirements: e-signature service providers face a demanding legal framework. Discover all the obligations you must meet.
Certyneo Team

Introduction
Deploying an e-signature solution in Australia requires careful planning. Behind every qualified or advanced signature lie dozens of legal obligations incumbent upon the trust service provider (TSP). eIDAS Regulation, GDPR, general security frameworks, ETSI standards… the regulatory landscape is both extensive and evolving. For user organisations, understanding these legal obligations for e-signature service providers is essential to selecting a compliant partner and avoiding any legal risk. This article details, section by section, all the requirements applicable to TSPs operating in the Australian territory.
---
The status of a qualified trust service provider
What is a TSP under eIDAS?
Regulation eIDAS No. 910/2014 distinguishes between two categories of providers: non-qualified trust service providers and qualified providers (QTSPs). The former may offer simple or advanced e-signature services without mandatory third-party audit. The latter — alone authorised to deliver qualified signatures within the meaning of Article 3(15) of eIDAS — must satisfy considerably stricter requirements.
In Australia, the role of supervising authority (as provided for in Article 17 of eIDAS) is fulfilled by the relevant national competent authority. It publishes and maintains the trust service list (TSL), accessible on its official website, listing qualified providers and their services.
The qualification procedure: audit and compliance
To obtain qualified status, a TSP must mandatorily:
- Have its services audited by a conformity assessment body (CAB) accredited according to EN ISO/IEC 17065 standards.
- Submit the audit report to the competent supervising authority, which decides on the grant of qualified status. This status is re-evaluated at least every 24 months (Article 20 §1 eIDAS).
- Notify the supervising authority of any material change to its services within 3 months before the planned modification (Article 21 eIDAS).
Failure to comply with these steps exposes the provider to removal from the TSL and loss of the legal presumptions attached to qualified signatures. For client organisations, using a TSP not listed on the TSL means forgoing any legal presumption of reliability.
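The listing check described above, as an added example that is not code from the original page or from Certyneo: a parser that reads a trust service list and reports whether a named provider has a qualified-CA service in "granted" status at a given date. The XML is a constructed, simplified fragment modelled on the ETSI TS 119 612 trusted-list structure (an assumption of this example); a real TSL is far larger, is signed by the publishing authority, and carries a per-service history that a full validator must also consult.

```python
"""Check a provider's standing on a trust service list (TSL).
Added example, not Certyneo code. The sample list is constructed and
simplified (assumption: element names follow ETSI TS 119 612)."""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
QC_CA = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"

def _svc(name: str, status: str, since: str) -> str:
    # Builds one constructed <TSPService> element for the sample list below.
    return (f"<TSPService><ServiceInformation><ServiceTypeIdentifier>{QC_CA}"
            f"</ServiceTypeIdentifier><ServiceName><Name>{name}</Name></ServiceName>"
            f"<ServiceStatus>{status}</ServiceStatus><StatusStartingTime>{since}"
            "</StatusStartingTime></ServiceInformation></TSPService>")

# Constructed sample: one provider with a granted CA and a withdrawn older CA.
SAMPLE_TSL = (f'<TrustServiceStatusList xmlns="{NS["tsl"]}"><TrustServiceProviderList>'
              "<TrustServiceProvider><TSPInformation><TSPName><Name>Example QTSP</Name>"
              "</TSPName></TSPInformation><TSPServices>"
              + _svc("Example Qualified CA G2", GRANTED, "2023-01-01T00:00:00Z")
              + _svc("Example Qualified CA G1", WITHDRAWN, "2023-01-01T00:00:00Z")
              + "</TSPServices></TrustServiceProvider></TrustServiceProviderList>"
              "</TrustServiceStatusList>")

def _parse_time(text: str) -> datetime:
    # TSL times are ISO 8601 UTC; map the trailing 'Z' so older Pythons parse it.
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))

def qualified_ca_services(tsl_xml: str, provider: str) -> list[dict]:
    """Return every CA/QC service of `provider` with its status and start time."""
    root = ET.fromstring(tsl_xml)
    out = []
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", "", NS)
        if name.strip() != provider:
            continue
        for svc in tsp.iterfind(".//tsl:ServiceInformation", NS):
            if svc.findtext("tsl:ServiceTypeIdentifier", "", NS).strip() != QC_CA:
                continue
            out.append({
                "service": svc.findtext("tsl:ServiceName/tsl:Name", "", NS).strip(),
                "status": svc.findtext("tsl:ServiceStatus", "", NS).strip(),
                "since": _parse_time(svc.findtext("tsl:StatusStartingTime", "", NS)),
            })
    return out

def has_granted_qualified_ca(tsl_xml: str, provider: str, at: str) -> bool:
    """True only if a CA/QC service is 'granted' and that status already
    applied at ISO time `at`: a current listing cannot vouch for the past."""
    when = _parse_time(at)
    return any(s["status"] == GRANTED and s["since"] <= when
               for s in qualified_ca_services(tsl_xml, provider))
```

A provider absent from the list, or present only with withdrawn services, fails the check, which is exactly the situation Scenario 1 below describes.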
> To learn more about the different signature levels and their legal effects, consult our resource centre.
---
Technical and security obligations imposed on TSPs
Compliance with ETSI standards
Qualified providers must comply with a set of European standards published by the European Telecommunications Standards Institute (ETSI). The main ones are:
- ETSI EN 319 401: general security requirements applicable to all TSPs.
- ETSI EN 319 411-1 and 411-2: policies and practices of certification authorities issuing qualified signature certificates.
- ETSI EN 319 132: advanced electronic signature formats (XAdES for XML, PAdES for PDF, CAdES for CMS).
- ETSI EN 319 122: CAdES format for qualified signatures.
- ETSI TS 119 431: requirements for remote signature creation services (remote QSCD).
These standards are not optional: the eIDAS Regulation (Annexes II, III and IV) explicitly refers to them to define the minimum requirements for qualified certificates and signature creation devices.
Management of qualified signature creation devices (QSCD)
One of the pillars of qualified signatures is the use of a qualified signature creation device (QSCD) compliant with Annex II of eIDAS. The provider must ensure that:
- The signatory's private key cannot be generated, stored or copied outside the QSCD.
- Key generation occurs exclusively in a certified environment (Common Criteria certification EAL 4+ or equivalent).
- Signatory authentication prior to any signing act is based on at least two authentication factors.
In a remote signature context — increasingly common in SaaS environments — these requirements apply to the HSM (Hardware Security Module) server hosting the keys. Supervising authorities have published specific protection profiles defining the security criteria to be achieved.
Business continuity policy and incident notification
Article 19 of eIDAS requires every trust service provider (qualified or not) to:
- Notify the supervising authority and, where applicable, the data protection authority, within 24 hours of detecting a security breach likely to impact the reliability of the service.
- Maintain a documented and regularly tested business continuity plan.
- Have a formalised information security policy, covering in particular risk management, incident management and backup policy.
These requirements overlap partially with those of the NIS2 Directive (2022/2555/EU), which classifies TSPs of significant size among important or essential entities subject to enhanced cybersecurity obligations.
> Discover how organisations must integrate these constraints into their document workflows.
---
GDPR-specific obligations for TSPs
Is the TSP a data controller or processor?
The GDPR qualification of the provider depends on the nature of the service provided:
- When the TSP directly issues qualified certificates in the signatory's name and determines the purposes of personal data processing (identity, biometric authentication data), it acts as a data controller within the meaning of Article 4(7) GDPR.
- When it integrates its API into a B2B client's platform and processes personal data solely on that client's instructions, it assumes the status of data processor (Article 4(8) GDPR) and must mandatorily conclude a DPA (Data Processing Agreement) compliant with Article 28 GDPR.
In practice, most SaaS TSPs combine both roles: controller for managing their own certification infrastructure, processor for processing signatories' documents and metadata.
Specific obligations relating to biometric and identity data
Identifying and authenticating the signatory — a mandatory step to issue a qualified certificate — often involves processing sensitive data: identity document scan, video selfie, facial recognition biometric data. Such data constitutes personal data subject to GDPR, or even biometric data falling under Article 9 GDPR (special categories).
The TSP's obligations include:
- Legal basis: explicit consent (Article 9§2a) or, in certain cases, legal obligation (Article 9§2b) for processing biometric data.
- Limited retention period: in accordance with data protection guidelines, identification data must be retained only as long as necessary, generally aligned with the certificate validity period plus legal evidence duration (often 10 years for private documents).
- Mandatory impact assessment (DPIA) (Article 35 GDPR) whenever processing is likely to pose a high risk — which is systematically the case for biometrics.
- Processing register (Article 30 GDPR) maintained up-to-date and documenting each processing category.
International data transfers
Many TSPs host all or part of their infrastructure outside the European Economic Area (EEA). In such cases, the appropriate safeguards required by GDPR Chapter V apply: an adequacy decision, standard contractual clauses (SCCs) from the European Commission, or binding corporate rules (BCRs). The Schrems II judgment (CJEU, C-311/18, 16 July 2020) served as a reminder that transfers to the United States require a prior country-risk analysis.
> To understand the impact of these rules on your organisation, consult our resource centre.
---
Transparency and user information obligations
Certification policy (CP) and certification practice statement (CPS)
Every TSP issuing certificates must publish a Certification Policy (CP) and a Certification Practice Statement (CPS), in accordance with the ETSI EN 319 411 standard. These publicly accessible documents detail:
- Procedures for signatory identification and registration.
- Physical and logical security measures deployed.
- Certificate revocation conditions and associated timelines.
- TSP responsibilities and limitations of liability.
The absence or incompleteness of these documents constitutes a non-compliance likely to be identified during the re-qualification audit by the accredited body.
Pre-contractual and contractual information to clients
Beyond purely technical obligations, Article 13 GDPR requires the TSP to provide each person whose data is collected with clear and accessible information on:
- The controller's identity and the data protection officer's contact details (mandatory for TSPs processing sensitive data at large scale, Article 37 GDPR).
- The purposes and legal basis of each processing activity.
- Individuals' rights (access, rectification, erasure, portability, objection).
- Possible data recipients (sub-processors, authorities).
This information must appear in the service's privacy policy, in the terms and conditions and, where applicable, in the DPA concluded with professional clients.
Qualified time-stamping and audit trail
To guarantee the long-term probative value of signatures, serious TSPs systematically associate a qualified electronic time-stamp (Article 42 eIDAS) with each signed act. This time-stamp constitutes legally presumed proof of the data's existence at the indicated date. Maintaining the audit trail (identification logs, document fingerprint, signature data) is a practical obligation to enable any future judicial verification.
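The audit trail described above, as an added example that is not code from the original page or from Certyneo: a hash-chained trail holding the identification log, the document fingerprint, the signature data and a time-stamp reference, with a verifier that detects any later edit to the document or to the trail. The entry layout is this example's own assumption, and the time-stamp entry stands in for the TSA token (RFC 3161 in practice) that a real verifier would validate against the time-stamping authority's certificate.

```python
"""Tamper-evident audit trail for one signed document.
Added example, not Certyneo code; entry layout and sample values are
constructed. The 'timestamp' entry is a placeholder for a TSA token."""
import hashlib
import json

def fingerprint(document: bytes) -> str:
    """SHA-256 fingerprint of the exact bytes that were signed."""
    return hashlib.sha256(document).hexdigest()

def _entry_hash(entry: dict, prev_hash: str) -> str:
    # Canonical JSON (sorted keys, no whitespace) so hashing is reproducible.
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_event(trail: list, event: str, at: str, **data) -> list:
    """Append one event; each entry commits to its predecessor's hash."""
    prev = trail[-1]["hash"] if trail else "0" * 64
    entry = {"seq": len(trail), "event": event, "at": at, "data": data}
    entry["hash"] = _entry_hash(entry, prev)
    trail.append(entry)
    return trail

def build_trail(document: bytes, signer_id: str) -> list:
    """Constructed sample flow: identify signatory, seal document, sign, time-stamp."""
    fp = fingerprint(document)
    trail = []
    append_event(trail, "identification", "2024-05-02T09:14:00Z",
                 signer=signer_id, method="remote-id-verification", factors=2)
    append_event(trail, "document_sealed", "2024-05-02T09:15:00Z", sha256=fp)
    append_event(trail, "signature", "2024-05-02T09:16:00Z", signer=signer_id,
                 sha256=fp, cert_serial="EXAMPLE-SERIAL")  # placeholder value
    append_event(trail, "timestamp", "2024-05-02T09:16:01Z", sha256=fp,
                 tsa="EXAMPLE-TSA")  # placeholder for the TSA token
    return trail

def verify(trail: list, document: bytes) -> tuple[bool, str]:
    """Check chain integrity, then that every entry refers to the presented document."""
    prev = "0" * 64
    fp = fingerprint(document)
    seen = []
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or _entry_hash(body, prev) != entry.get("hash"):
            return False, f"chain broken at entry {i}"
        prev = entry["hash"]
        digest = entry["data"].get("sha256")
        if digest is not None and digest != fp:
            return False, f"{entry['event']} refers to a different document"
        seen.append(entry["event"])
    required = ["identification", "document_sealed", "signature", "timestamp"]
    if [e for e in seen if e in required] != required:
        return False, "events missing or out of order"
    return True, "ok"
```

Exporting such a trail alongside the signed file is what lets a court or auditor re-hash the document years later and confirm it is the one the time-stamp covered.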
> Compare solutions on the market according to these criteria in our comparison guide.
---
eIDAS 2.0: new obligations on the horizon to 2026-2027
Regulation eIDAS 2.0 (EU) 2024/1183
Published in the EU Official Journal on 30 April 2024, Regulation (EU) 2024/1183 called "eIDAS 2.0" significantly strengthens TSP obligations around three axes:
- The European Digital Identity Wallet (EUDI Wallet): member states must make available a certified digital identity wallet by 2 November 2026. TSPs will need to integrate their service with this wallet to offer qualified signatures via eIDAS 2.0 identity.
- Management of attribute attestations: eIDAS 2.0 introduces qualified attribute attestations (QEAAs), issued by qualified attestation providers. New audit and qualification procedures will apply.
- Enhanced supervision: national supervising authorities see their powers expanded, notably the capacity to conduct unannounced audits and impose binding corrective measures within shortened timelines.
Practical implications for current providers
TSPs already qualified under eIDAS 1.0 will need to undertake progressive compliance updates before the deadlines set by Commission implementing acts (published or forthcoming). The main adaptations concern:
- Overhaul of the identification infrastructure to support the EUDI Wallet as an authentication method.
- Update of CP/CPS to integrate new certificate and attestation types.
- Strengthening of remote QSCD security requirements, with new protection profiles to come.
For client organisations, this means verifying now that their provider has a documented and verifiable eIDAS 2.0 compliance roadmap.
Legal framework applicable to e-signature service provider obligations
The normative chain applicable to e-signature service providers operating in Australia is based on several complementary hierarchical levels.
Australian Contract Law and Electronic Transactions Acts
Electronic documents are recognised as equivalent to paper documents for evidentiary purposes, provided the person from whom they emanate can be duly identified and they are established and preserved in conditions guaranteeing their integrity. Electronic signatures must consist of reliable identification processes guaranteeing their link to the act they accompany. Qualified signatures under eIDAS standards benefit from a presumption of reliability, which reverses the burden of proof in the signatory's favour.
Regulation eIDAS No. 910/2014/EU
This regulation, directly applicable in all member states, establishes the legal framework for trust services. Article 26 defines the conditions for advanced electronic signatures; Article 28 the requirements for qualified certificates; Annex I details their mandatory content. Qualified TSPs benefit from a presumption of compliance with the regulation's technical and legal requirements (Article 19§2), which constitutes a major advantage in case of dispute.
Regulation eIDAS 2.0 — (EU) 2024/1183
Published on 30 April 2024, this amending regulation introduces new categories of trust services (qualified attribute attestations, qualified archival services) and strengthens supervision obligations. It repeals and partially replaces Regulation 910/2014, with progressive application according to Commission implementing acts.
GDPR — Regulation (EU) 2016/679
The GDPR applies to all personal data processing carried out in the context of an e-signature service. Articles 5 (data processing principles), 6 (legal basis), 9 (special categories), 13-14 (transparency), 28 (processor), 32 (security), 33-34 (breach notification), 35 (DPIA) and 37 (DPO) are the most frequently applicable provisions. The relevant data protection authority is competent to enforce GDPR and may impose fines up to 20 million euros or 4% of global annual turnover (Article 83§5 GDPR).
NIS2 Directive — (EU) 2022/2555
NIS2 classifies significant TSPs among important or essential entities subject to cybersecurity risk management obligations and incident notification requirements to the competent authority within 24 hours (early warning) then 72 hours (complete notification).
ETSI Standards
The complete set of standards EN 319 401, EN 319 411-1/2, EN 319 132, EN 319 122 and TS 119 431 constitutes the mandatory technical reference for qualification audit. Non-compliance prevents obtaining or maintaining qualified status.
Legal risks arising from non-compliance
A non-compliant provider faces: removal from the trust service list, contractual and tort liability exposure, data protection authority administrative sanctions, NIS2 fines up to 20 million euros or 4% of global annual turnover for essential entities, and judicial claims from clients who suffered loss due to legally invalid signatures.
Usage scenarios: how organisations verify their TSP's compliance
Scenario 1 — An industrial group managing 3,000 supplier contracts annually
A mid-sized manufacturing group, active in mechanical equipment production, dematerialises all its supplier contracts via a SaaS e-signature platform. During an internal audit triggered by regulatory changes, the legal department discovers that the selected provider — initially chosen on cost grounds — is listed neither on the relevant trust service list nor on any other equivalent list. The signatures delivered are of "simple" type, without robust signatory identification mechanisms.
Facing legal risk — all signed contracts could have their probative value contested in case of dispute — the company undertakes migration to a qualified TSP. The new solution integrates advanced signature with qualified certificate, qualified time-stamping and exportable audit trail. The migration project, completed in under 8 weeks, enables retrospective security of new acts and establishes a compliant document policy. Legal teams estimate that litigation risk linked to former contracts remains marginal due to their execution without challenge, but all new signatures are now covered.
Observed gains: 60% reduction in potential disputes relating to signature authenticity, and 3.5-day average gain in signature timelines for complex contracts thanks to workflow automation.
Scenario 2 — A 25-person law firm specialising in business law
A law firm wishing to digitalise the signature of retainers, legal opinions and procedural documents evaluates several providers. Its assessment grid incorporates the following criteria: presence on trust service lists, publication of accessible CP/CPS, existence of GDPR-compliant DPA, availability of reachable data protection officer and certification of remote QSCDs.
Of five evaluated providers, only two satisfy all criteria. The firm ultimately selects a TSP natively offering qualified signature via remote QSCD, guaranteeing the presumption of reliability. Implementation takes 3 weeks, including training. Result: 75% of retainers are now signed within 24 hours versus 5-7 days previously (postal dispatch), and the firm can justify to its clients the legal security level offered by the solution — a differentiating argument in its commercial proposals.
Scenario 3 — A hospital group with approximately 1,200 beds
A public hospital group wishes to dematerialise employment contracts, internship agreements and partnership conventions with partner care facilities. The sensitivity of data processed (healthcare data, HR data) requires particular vigilance regarding the TSP's GDPR obligations.
The IT department and data protection officer require: data hosting in a certified secure facility, absence of transfers outside the EEA, documented impact assessment for signatory identification processing, and signed DPA before any production deployment.
Following selection of a TSP meeting these criteria, deployment focuses initially on HR contracts (approximately 800 acts annually). The average contract signature timeline falls from 9 days to under 48 hours, freeing significant capacity for HR teams. The institution also has complete traceability of collected consents, audited annually by its data protection officer.
Conclusion
The legal obligations weighing on e-signature service providers constitute a demanding normative corpus: eIDAS qualification, GDPR compliance, respect for ETSI standards, NIS2 obligations and imminent adaptation to eIDAS 2.0. For user organisations, ensuring TSP compliance is not an optional exercise — it is a sine qua non condition for the probative value of signed acts and protection of signatories' personal data.
Certyneo is an e-signature service provider designed to meet all these requirements: eIDAS compliance, GDPR by design, secure hosting and documented eIDAS 2.0 roadmap. Ready to secure your signatures in full compliance? Contact us today and benefit from personalised support from day one.