Electronic Signature Provider Obligations in France
eIDAS Qualification, GDPR Compliance, ANSSI Requirements: Electronic signature providers face a demanding legal framework. Discover all the obligations to comply with.
Certyneo Team
Editor, Certyneo
Introduction
Deploying an electronic signature solution in France is not something to improvise. Behind every advanced or qualified signature lie dozens of legal obligations incumbent on the trust service provider (TSP): the eIDAS Regulation, the GDPR, the French general security framework (RGS, Référentiel général de sécurité), the ETSI standards. The regulatory framework is both dense and evolving. For user enterprises, understanding the legal obligations of electronic signature providers in France under eIDAS and the GDPR is essential in order to choose a compliant partner and avoid legal risk. This article details, section by section, the requirements applicable to TSPs operating on French territory.
---
The status of a qualified trust service provider
What is a TSP under eIDAS?
Regulation (EU) No 910/2014 (eIDAS) distinguishes two categories of providers: non-qualified trust service providers and qualified trust service providers (QTSPs). The former may offer simple or advanced electronic signature services without a mandatory third-party conformity audit (they remain subject to the security and notification duties of Article 19 and to ex post supervision). The latter, alone authorised to deliver qualified electronic signatures within the meaning of Article 3(12) of eIDAS, must satisfy considerably stricter requirements.
In France, the National Cybersecurity Agency (Agence nationale de la sécurité des systèmes d'information, ANSSI) fulfils the role of supervisory body provided for in Article 17 of eIDAS. It also publishes and maintains the French Trusted List (the "TSL", an XML list whose format is defined by ETSI TS 119 612), available on its official website, which lists qualified providers, the services for which they are qualified and the status of each service (granted, withdrawn, etc.). The national lists are themselves referenced by the European Commission's List of Trusted Lists (LOTL), which is how a verifier in another Member State recognises a French qualified service.
The qualification procedure: audit and compliance
To obtain qualified status, a TSP must mandatorily:
- Have its services audited by a conformity assessment body (CAB) accredited by COFRAC against EN ISO/IEC 17065 (and the eIDAS-specific requirements of ETSI EN 319 403).
- Submit the conformity assessment report to ANSSI, which decides whether to grant qualified status (Article 21; ANSSI has three months to verify the notification). Once qualified, the provider must be re-audited at its own expense at least every 24 months and must transmit each report to ANSSI within three working days of receiving it (Article 20(1)).
- Inform ANSSI of any change in the provision of its qualified services and of any intention to cease them (Article 24(2)(a)); a substantial change normally triggers a new conformity assessment before it goes live.
Failure to follow these steps exposes the provider to the withdrawal of its qualified status, to delisting from the TSL and to the loss of the legal presumptions attached to qualified signatures. For customer enterprises, using a provider not listed on the TSL (or listed with a "withdrawn" status) means their signatures, while still admissible as evidence (Article 25(1)), carry no presumption of reliability.
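The listing check described above can be automated against the TSL itself. The following Python script is an added example, not code from the page or from any provider: it parses a small constructed fragment in the ETSI TS 119 612 format (the same element names, service-type and status URIs the real French list uses, but invented provider names and dates), and reports whether a named provider currently holds a granted qualified-certificate service usable for signatures and a granted qualified time-stamping service. Verification of the XML signature on the downloaded list against the scheme operator certificate published in the LOTL is deliberately left out and must be added before trusting a real list.

```python
"""Check a provider's standing on an ETSI TS 119 612 trusted list (TSL).

Added illustration only. SAMPLE_TSL is a constructed fragment, not the
French list. A production check must also verify the ds:Signature on the
downloaded list against the certificate published in the EU LOTL."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
# Identifiers defined by ETSI TS 119 612.
SVC_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"      # CA issuing qualified certificates
SVC_QTST = "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST"    # qualified time-stamping service
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
EXT_FOR_ESIG = "http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures"

# Constructed sample: one provider with granted services, one whose status was withdrawn.
SAMPLE_TSL = """<tsl:TrustServiceStatusList xmlns:tsl="http://uri.etsi.org/02231/v2#">
 <tsl:SchemeInformation>
  <tsl:SchemeTerritory>FR</tsl:SchemeTerritory>
  <tsl:ListIssueDateTime>2025-01-01T00:00:00Z</tsl:ListIssueDateTime>
  <tsl:NextUpdate><tsl:dateTime>2025-07-01T00:00:00Z</tsl:dateTime></tsl:NextUpdate>
 </tsl:SchemeInformation>
 <tsl:TrustServiceProviderList>
  <tsl:TrustServiceProvider>
   <tsl:TSPInformation><tsl:TSPName><tsl:Name xml:lang="en">Example Trust SAS</tsl:Name></tsl:TSPName></tsl:TSPInformation>
   <tsl:TSPServices>
    <tsl:TSPService><tsl:ServiceInformation>
     <tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</tsl:ServiceTypeIdentifier>
     <tsl:ServiceName><tsl:Name xml:lang="en">Example Qualified Signature CA</tsl:Name></tsl:ServiceName>
     <tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</tsl:ServiceStatus>
     <tsl:StatusStartingTime>2020-01-01T00:00:00Z</tsl:StatusStartingTime>
     <tsl:ServiceInformationExtensions><tsl:Extension Critical="true"><tsl:additionalServiceInformation>
      <tsl:URI>http://uri.etsi.org/TrstSvc/TrustedList/SvcInfoExt/ForeSignatures</tsl:URI>
     </tsl:additionalServiceInformation></tsl:Extension></tsl:ServiceInformationExtensions>
    </tsl:ServiceInformation></tsl:TSPService>
    <tsl:TSPService><tsl:ServiceInformation>
     <tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST</tsl:ServiceTypeIdentifier>
     <tsl:ServiceName><tsl:Name xml:lang="en">Example Qualified TSA</tsl:Name></tsl:ServiceName>
     <tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</tsl:ServiceStatus>
     <tsl:StatusStartingTime>2021-06-01T00:00:00Z</tsl:StatusStartingTime>
    </tsl:ServiceInformation></tsl:TSPService>
   </tsl:TSPServices>
  </tsl:TrustServiceProvider>
  <tsl:TrustServiceProvider>
   <tsl:TSPInformation><tsl:TSPName><tsl:Name xml:lang="en">Bargain Sign SAS</tsl:Name></tsl:TSPName></tsl:TSPInformation>
   <tsl:TSPServices>
    <tsl:TSPService><tsl:ServiceInformation>
     <tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</tsl:ServiceTypeIdentifier>
     <tsl:ServiceName><tsl:Name xml:lang="en">Bargain CA</tsl:Name></tsl:ServiceName>
     <tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</tsl:ServiceStatus>
     <tsl:StatusStartingTime>2024-03-15T00:00:00Z</tsl:StatusStartingTime>
    </tsl:ServiceInformation></tsl:TSPService>
   </tsl:TSPServices>
  </tsl:TrustServiceProvider>
 </tsl:TrustServiceProviderList>
</tsl:TrustServiceStatusList>"""

# Constructed reference instants for the demonstration.
NOW_SAMPLE = datetime(2025, 3, 1, tzinfo=timezone.utc)
AFTER_NEXT_UPDATE = datetime(2026, 1, 1, tzinfo=timezone.utc)


def parse_tsl_time(text):
    """TSL timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def tsl_is_current(root, now):
    """A list past its NextUpdate must be re-fetched before drawing any conclusion."""
    nxt = root.find("tsl:SchemeInformation/tsl:NextUpdate/tsl:dateTime", NS)
    return nxt is not None and parse_tsl_time(nxt.text) > now


def provider_services(root, tsp_name):
    """Yield every service declared by the named provider, whatever its status."""
    for tsp in root.iterfind("tsl:TrustServiceProviderList/tsl:TrustServiceProvider", NS):
        names = {n.text.strip() for n in tsp.iterfind("tsl:TSPInformation/tsl:TSPName/tsl:Name", NS)}
        if tsp_name not in names:
            continue
        for si in tsp.iterfind("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", NS):
            yield {
                "type": si.findtext("tsl:ServiceTypeIdentifier", namespaces=NS).strip(),
                "name": si.findtext("tsl:ServiceName/tsl:Name", namespaces=NS).strip(),
                "status": si.findtext("tsl:ServiceStatus", namespaces=NS).strip(),
                "since": parse_tsl_time(si.findtext("tsl:StatusStartingTime", namespaces=NS)),
                "extensions": [u.text.strip() for u in si.iterfind(
                    "tsl:ServiceInformationExtensions/tsl:Extension/"
                    "tsl:additionalServiceInformation/tsl:URI", NS)],
            }


def assess_provider(tsl_xml, tsp_name, now=None):
    """Summarise what the list actually says about a provider at instant `now`."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(tsl_xml)
    services = list(provider_services(root, tsp_name))
    # Only a current 'granted' status counts; withdrawn entries stay on the list as history.
    granted = [s for s in services if s["status"] == STATUS_GRANTED and s["since"] <= now]
    return {
        "listed": bool(services),
        "tsl_current": tsl_is_current(root, now),
        "granted_services": [s["name"] for s in granted],
        # CA/QC flagged ForeSignatures issues certificates for qualified signatures (not seals).
        "qualified_signature_ca": any(
            s["type"] == SVC_CA_QC and EXT_FOR_ESIG in s["extensions"] for s in granted),
        "qualified_timestamping": any(s["type"] == SVC_QTST for s in granted),
    }


if __name__ == "__main__":
    for name in ("Example Trust SAS", "Bargain Sign SAS", "Unknown Corp"):
        print(name, assess_provider(SAMPLE_TSL, name, NOW_SAMPLE))
```

Two details matter in practice: a provider that appears on the list is not necessarily qualified today (the "Bargain Sign SAS" entry above is listed but withdrawn, so it yields no granted service), and a list whose NextUpdate has passed is stale and must be re-downloaded before it is relied on.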
> For further information on the different levels of signature and their legal effects, consult our comprehensive guide to eIDAS 2.0 Regulation.
---
Technical and security obligations imposed on TSPs
Compliance with ETSI standards
Qualified providers must comply with a set of European standards published by the European Telecommunications Standards Institute (ETSI). The main ones are:
- ETSI EN 319 401: general security requirements applicable to all TSPs.
- ETSI EN 319 411-1 and 411-2: policies and practices of certification authorities issuing qualified signature certificates.
- ETSI EN 319 122, EN 319 132 and EN 319 142: the advanced electronic signature formats, respectively CAdES (CMS-based, for arbitrary binary content), XAdES (for XML) and PAdES (for PDF). Each format carries baseline profiles (B-B, B-T, B-LT, B-LTA) that determine whether a signature embeds the time-stamp and validation data needed to remain verifiable years later.
- ETSI EN 319 102-1: procedures for the creation and validation of AdES signatures, used by validation services and by the Commission's reference implementation (DSS).
- ETSI TS 119 431 (parts 1 and 2): requirements for TSP service components operating a remote QSCD and supporting remote signature creation.
These standards are not optional in practice: Annexes I to IV of eIDAS state the requirements for qualified certificates and signature creation devices, and the Commission's implementing acts and the conformity assessment bodies rely on the ETSI and CEN standards as the reference against which those requirements are audited.
Management of qualified signature creation devices (QSCD)
One of the pillars of qualified signature is the use of a qualified electronic signature creation device (QSCD) compliant with Annex II of eIDAS. The provider must guarantee that:
- The signer's private key is generated and used within the QSCD and cannot be derived from the signature or the public key (Annex II, point 1). Any backup copy is made only by a qualified TSP, at the same level of security, and in no more copies than strictly needed to ensure continuity (Annex II, points 3 and 4).
- The device itself is certified, typically under Common Criteria against the CEN EN 419 211 protection profiles (EAL 4+ augmented) or an equivalent evaluation recognised by ANSSI.
- Each signing act is preceded by an authentication of the signer that gives him or her sole control of the key; for remote signing this is implemented with at least two authentication factors, one of which is independent of the signing platform.
In a remote signature context, increasingly common in SaaS environments, these requirements apply to the server-side HSM (Hardware Security Module) holding the keys and to the signature activation module in front of it. The applicable security criteria are specified by the CEN protection profiles for server signing (EN 419 241-2, registered as protection profile PP-0075) and for the underlying cryptographic module (EN 419 221-5); the resulting certificate must be issued or recognised under the Common Criteria scheme operated in France by ANSSI.
Business continuity policy and incident notification
Article 19 of eIDAS requires every trust service provider (qualified or non-qualified) to:
- Notify the supervisory body (ANSSI), and where applicable other relevant bodies, without undue delay and in any event within 24 hours of becoming aware of a breach of security or loss of integrity with a significant impact on the service or on the personal data it holds (Article 19(2)); affected users must also be informed when the breach is likely to adversely affect them. Where personal data are involved, the separate GDPR obligation to notify the CNIL within 72 hours (Article 33 GDPR) applies in parallel.
- Maintain a documented and regularly tested business continuity plan (a requirement of Article 19(1) as detailed by ETSI EN 319 401).
- Operate an information security policy covering in particular risk management, incident management and backup.
These requirements partly overlap with those of the NIS2 Directive (EU) 2022/2555, which brings trust service providers into scope regardless of their size: qualified TSPs are essential entities (Article 3(1)), non-qualified TSPs important entities (Article 3(2)). The French transposition, due by 17 October 2024, is carried by the bill on the resilience of critical infrastructure and the strengthening of cybersecurity; until its implementing decrees are in force, the eIDAS obligations above remain the operative baseline.
> Discover how electronic signature for law firms must integrate these constraints into their documentary workflows.
---
GDPR obligations specific to TSPs
Is the TSP a data controller or processor?
The GDPR classification of the provider depends on the nature of the service provided:
- When the TSP directly issues qualified certificates to the signer and determines the purposes of the personal data processing (identity, biometric authentication data), it acts as a data controller within the meaning of Article 4(7) GDPR.
- When it integrates its API into a B2B client's platform and processes personal data solely according to that client's instructions, it assumes the status of processor (Article 4(8) GDPR) and must mandatorily conclude a DPA (Data Processing Agreement) compliant with Article 28 GDPR.
In practice, most SaaS TSPs combine both roles: controller for management of their own certification infrastructure, processor for processing of documents and metadata of signers.
Specific obligations related to biometric and identity data
Signer identification and authentication — a mandatory step to issue a qualified certificate — often involves processing sensitive data: scan of identity document, video selfie, biometric facial recognition data. This data constitutes personal data subject to GDPR, or even biometric data falling under Article 9 GDPR (special categories).
The obligations of the TSP include:
- Legal basis: the identity check itself rests on the TSP's legal obligation to verify identity (Article 6(1)(c) GDPR, Article 24(1) eIDAS), but that basis does not by itself lift the prohibition of Article 9; for biometric facial comparison the basis used in practice is the explicit consent of the signer (Article 9(2)(a)), which must be freely given and recorded, with a non-biometric alternative offered.
- Limited retention period: the CNIL expects identification data to be kept only as long as necessary. eIDAS Article 24(2)(h) requires the provider to keep the registration records needed as evidence in legal proceedings, even after it ceases activity; in practice providers align this with the certificate validity period plus the limitation period of actions on the signed deed (five years under Article 2224 of the French Civil Code for ordinary personal actions, longer for some deeds, which is why ten-year retention of registration records is common).
- Impact assessment (DPIA) mandatory (Article 35 GDPR) where processing is liable to entail a high risk — which is systematically the case for biometrics.
- Processing register (Article 30 GDPR) kept up-to-date and documenting each processing category.
International data transfers
Many TSPs host all or part of their infrastructure outside the European Economic Area (EEA). In this case, the safeguards required by Chapter V GDPR apply: an adequacy decision, the European Commission's standard contractual clauses (SCCs) or binding corporate rules (BCRs). The Schrems II ruling (CJEU, C-311/18, 16 July 2020) invalidated the Privacy Shield and held that a transfer under SCCs requires a prior assessment of the third country's law and, where needed, supplementary measures. For the United States, the Commission's adequacy decision of 10 July 2023 on the EU-US Data Privacy Framework covers recipients certified under that framework; transfers to other US recipients still rely on SCCs and a transfer impact assessment.
> To understand the impact of these rules on your organisation, consult our guide on electronic signature in the enterprise.
---
Obligations of transparency and information to users
Certification Policy (CP) and Certification Practice Statement (CPS)
Every TSP issuing certificates is required to publish a Certificate Policy (CP) and a Certification Practice Statement (CPS) in accordance with ETSI EN 319 411-1 (and 411-2 for qualified certificates), usually structured along RFC 3647. These freely accessible documents detail:
- Procedures for signer identification and registration.
- Physical and logical security measures deployed.
- Certificate revocation conditions and associated timeframes.
- TSP responsibilities and warranty limitations.
The absence or incompleteness of these documents constitutes non-compliance liable to be identified during the audit for re-qualification by the accredited body.
Contractual and pre-contractual information to clients
Beyond purely technical obligations, Article 13 GDPR requires the TSP to provide to every person whose data is collected with clear and accessible information on:
- The identity of the data controller and the contact details of the DPO (mandatory for TSPs processing sensitive data on a large scale, Article 37 GDPR).
- The purposes and legal bases of each processing activity.
- The rights of individuals (access, rectification, erasure, portability, opposition).
- Any possible recipients of the data (processors, authorities).
This information must appear in the privacy policy of the service, in the terms and conditions and, where applicable, in the DPA concluded with professional clients.
Qualified timestamp and audit trail
To guarantee the long-term probative value of signatures, a careful TSP systematically associates a qualified electronic time-stamp (Articles 41 and 42 eIDAS) with each signed deed. A qualified time-stamp enjoys a presumption of the accuracy of the date and time it indicates and of the integrity of the data bound to it (Article 41(2)); in the AdES formats this corresponds to the B-T and higher baseline levels. Preservation of the audit trail (identification logs, the cryptographic hash of the document, signature data, certificate status information at signing time) is a practical obligation so that a signature can still be verified years later, when the signing certificate has expired or the CA has ceased operating.
> Compare market solutions against these criteria in our comparison of electronic signature solutions.
---
eIDAS 2.0: new obligations on the horizon for 2026-2027
Regulation eIDAS 2.0 (EU) 2024/1183
Published in the EU Official Journal on 30 April 2024, Regulation (EU) 2024/1183 termed "eIDAS 2.0" significantly strengthens TSP obligations around three axes:
- The European Digital Identity Wallet (EUDI Wallet): each Member State must make at least one certified wallet available within 24 months of the entry into force of the implementing acts, that is by the end of 2026. The wallet must let its holder create qualified electronic signatures, so providers of qualified signature services will in practice need to interoperate with it as an identification and signing means.
- Management of attribute attestations: eIDAS 2.0 introduces qualified attribute attestations (QEAAs), issued by qualified attestation providers. New audit and qualification procedures will apply.
- Strengthened supervision: national supervisory authorities (ANSSI for France) see their powers expanded, notably the ability to conduct unannounced audits and impose binding corrective measures within shortened timeframes.
Practical implications for current providers
TSPs already qualified under eIDAS 1.0 will need to proceed with progressive compliance before the deadlines set by European Commission implementing acts (published or in preparation). The main adaptations concern:
- Refactoring of identification infrastructure to support the EUDI Wallet as an authentication means.
- Updating CP/CPS to integrate new types of certificates and attestations.
- Strengthening security requirements for remote QSCDs, with new protection profiles forthcoming.
For customer enterprises, this means verifying now that their provider has a documented eIDAS 2.0 compliance roadmap that can be verified.
Legal framework applicable to the obligations of electronic signature providers
The normative chain applicable to electronic signature providers operating in France is articulated on several complementary hierarchical levels.
French Civil Code — Articles 1366 and 1367
Article 1366 of the French Civil Code recognises electronic writing as a mode of proof equivalent to paper writing, provided that "the person from whom it emanates can be duly identified and it is drawn up and preserved in conditions such as to guarantee its integrity". Article 1367 specifies that an electronic signature "consists in the use of a reliable process of identification guaranteeing its link with the deed to which it is attached". Under Decree No 2017-1416 implementing that article, the reliability of the process is presumed, until proven otherwise, for a qualified electronic signature within the meaning of eIDAS; the burden of proof thus shifts to the party contesting the signature.
Regulation eIDAS No 910/2014/EU
This regulation, directly applicable in all Member States, establishes the legal framework for trust services. Its Article 26 defines the conditions for an advanced electronic signature, its Article 28 the requirements for qualified certificates, and its Annex I the mandatory content of those certificates. A qualified electronic signature has the legal effect of a handwritten signature and is recognised in every Member State (Article 25(2) and (3)), which is a decisive advantage in the event of a dispute.
Regulation eIDAS 2.0 — (EU) 2024/1183
Published on 30 April 2024, this amending regulation introduces new categories of trust services (qualified electronic attestations of attributes, qualified electronic archiving services, electronic ledgers) and strengthens supervisory obligations. It does not repeal Regulation 910/2014: it amends it, so the consolidated text of eIDAS remains the reference, with the new provisions applying progressively according to the European Commission's implementing acts.
GDPR — Regulation (EU) 2016/679
The GDPR applies to any processing of personal data carried out in the course of an electronic signature service. Articles 5 (principles), 6 (lawfulness), 9 (special categories of data), 13 and 14 (information), 28 (processors), 32 (security), 33 and 34 (breach notification), 35 (DPIA) and 37 (DPO) are the provisions most frequently engaged. The CNIL is the competent supervisory authority in France and may impose fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher (Article 83(5) GDPR).
NIS2 Directive — (EU) 2022/2555
NIS2 brings trust service providers into scope regardless of size: qualified TSPs are essential entities and non-qualified TSPs important entities. Both are subject to cyber risk management measures (Article 21) and to incident reporting to the national CSIRT or competent authority (ANSSI in France) in three stages: an early warning within 24 hours, an incident notification within 72 hours and a final report within one month (Article 23(4)). The French transposition bill was still in the legislative process at the time of writing; its decrees will set the national detail.
ETSI Standards
The standards EN 319 401, EN 319 411-1 and 411-2, EN 319 122, EN 319 132 and EN 319 142 (CAdES, XAdES, PAdES), EN 319 102-1 and TS 119 431 constitute the technical reference used by the conformity assessment body during the qualification audit. Non-compliance with them results in the inability to obtain or maintain qualified status.
Legal risks in case of non-compliance
A non-compliant provider faces: withdrawal of its qualified status and delisting from the French TSL; contractual and non-contractual liability towards its customers (eIDAS Article 13, with a presumption of negligence against qualified providers); CNIL administrative sanctions; NIS2 fines of up to 10 million euros or 2% of worldwide annual turnover for essential entities and 7 million euros or 1.4% for important entities (Article 34 NIS2); and claims by customers who have suffered loss because their signatures lacked the expected legal effect.
Usage scenarios: how enterprises verify the compliance of their TSP
Scenario 1 — An industrial group managing 3,000 supplier contracts per year
A mid-sized industrial company (an ETI, above the SME thresholds), active in the manufacture of mechanical equipment, dematerialises all its supplier contracts via a SaaS electronic signature platform. During an internal audit triggered by a regulatory change, the legal department discovers that the chosen provider, initially selected on cost grounds, is listed neither on the French TSL nor on any other European trusted list. The signatures delivered are of the "simple" type, without any robust signer identification mechanism.
Facing legal risk (the probative value of the entire portfolio of signed contracts could be challenged in the event of a dispute), the company initiates a migration to an ANSSI-qualified TSP. The new solution provides advanced signatures backed by qualified certificates, a qualified time-stamp and an exportable audit trail. The migration project, completed in less than 8 weeks, secures every new deed going forward and establishes a compliant documentary policy. The legal teams estimate that the litigation risk on the old contracts remains marginal, since they have been performed without dispute, but every new signature is now covered.
Observed gains: 60% reduction in potential disputes related to signature authenticity, and 3.5 days average saving in signature time on complex contracts thanks to workflow validation automation.
Scenario 2 — A law firm of 25 professionals specialising in corporate law
A law firm wishing to digitalise signature of engagement letters, consultations and legal proceedings documents evaluates several providers. Its assessment criteria include: presence on the TSL, publication of an accessible CP/CPS, existence of a GDPR-compliant DPA, availability of a reachable DPO and certification of remote QSCDs.
Of five providers evaluated, only two meet all criteria. The firm ultimately selects a TSP offering natively a qualified signature via remote QSCD, guaranteeing the presumption of reliability of Article 1367 of the French Civil Code. Implementation takes 3 weeks, training included. Result: 75% of engagement letters are now signed in less than 24 hours compared to 5 to 7 days previously (postal sending), and the firm can justify to its clients the level of legal security offered by the solution — a differentiating argument in its commercial proposals.
Scenario 3 — A hospital group with approximately 1,200 beds
A public hospital group wishes to dematerialise employment contracts, internship agreements and partnership agreements with partner care facilities. The sensitivity of processed data (healthcare data of nursing staff, HR data) imposes particular vigilance on TSP GDPR obligations.
The IT department and Data Protection Officer of the facility require: data hosting in France with a certified healthcare data provider (HDS — Hébergeur de Données de Santé, certification required by Article L.1111-8 of the French Public Health Code), no transfer outside the EEA, documented DPIA for signer identification processing, and DPA signed before any production deployment.
After selecting a TSP meeting these criteria, deployment prioritises HR contracts (approximately 800 deeds per year). The average time for fixed-term contract signature drops from 9 days to less than 48 hours, freeing significant capacity for human resources teams. The facility further disposes of complete traceability of collected consents, audited annually by its Data Protection Officer.
Conclusion
The legal obligations weighing on electronic signature providers in France form a demanding corpus of standards: eIDAS qualification, GDPR compliance, respect for ETSI standards, NIS2 obligations and imminent adaptation to eIDAS 2.0. For user enterprises, ensuring the compliance of one's TSP is not an optional undertaking — it is a sine qua non condition for the probative value of signed deeds and the protection of personal data of signers.
Certyneo is an electronic signature provider designed to meet all these requirements: eIDAS compliance, GDPR by design, sovereign hosting and documented eIDAS 2.0 roadmap. Ready to secure your signatures in full compliance? Request a demonstration or create your account on Certyneo and benefit from personalised support from day one.