Qualified Electronic Certificate for Business: 2026 Guide
The qualified electronic certificate is the legal foundation of any high-value digital signature. Discover how to obtain it, deploy it and stay compliant in 2026.
Certyneo Team
Editor — Certyneo · About Certyneo
Why the qualified electronic certificate has become essential for businesses
At a time when the dematerialisation of contractual processes is accelerating across all sectors, the question of the qualified electronic certificate has become a strategic issue for legal departments, IT directors and general management. According to ANSSI's 2024 annual report, over 78% of French SMEs that have adopted qualified electronic signatures have reduced their contracting timelines by more than 60%. Yet many still confuse simple, advanced and qualified signatures — risking exposing their legal acts to challenge. This article guides you step by step to understand what a qualified electronic certificate is, how to obtain one in compliance with the RGS and eIDAS framework, and how to deploy it effectively within your organisation.
What is a qualified electronic certificate?
An electronic certificate is a digital file issued by a Certification Authority (CA) that links the identity of a natural or legal person to a public cryptographic key. It constitutes the cornerstone that allows a third party to verify the authenticity and integrity of a digital signature.
The qualifier "qualified" refers to a precise definition from the European regulation eIDAS (No. 910/2014, Article 28): the certificate must be issued by a Qualified Trust Service Provider (QTSP), listed on the national trust list (in France, published by ANSSI). It must also comply with the technical requirements of the ETSI EN 319 411-2 standard, which governs certification policies and practices.
In practice, a qualified certificate guarantees:
- Verified identity of the signatory (face-to-face document verification or equivalent approved means);
- Integrity of the signed document (any subsequent modification is detectable);
- Non-repudiation (the signatory cannot deny having affixed their signature).
Difference between simple, advanced and qualified signatures
The eIDAS regulation distinguishes three levels of electronic signature, each associated with a certificate level:
| Level | Certificate required | Probative value | Typical use |
|---|---|---|---|
| Simple | Not required | Low | Common purchase orders |
| Advanced | Advanced certificate (QTSP) | Medium | B2B commercial contracts |
| Qualified | Qualified certificate (Qualified QTSP) | Maximum, equivalent to handwritten | Notarial deeds, public contracts, sensitive HR |
For qualified signature — the only one benefiting from the legal presumption of equivalence to handwritten signature (Art. 1367 Civil Code) — a qualified certificate is imperative. To learn more about the differences between levels, consult our comprehensive electronic signature guide.
---
The RGS framework: French specificities to know
In France, the General Security Framework (RGS), established by Decree No. 2010-112 and regularly updated by ANSSI, defines the security requirements applicable to the information systems of administrations. For businesses that enter into contracts with public entities (public procurement, e-procedures), compliance with the RGS is often a contractual or regulatory obligation.
RGS levels applicable to certificates
The RGS defines three qualification stars for certificates:
- RGS* (one star): basic level, suitable for common uses of low sensitivity;
- RGS** (two stars): intermediate level, required for most administrative e-procedures;
- RGS*** (three stars): high level, for acts with significant legal or financial stakes.
For dematerialised public procurement via the buyer portal, Decree No. 2016-360 (Articles 39 and 40) generally requires a minimum RGS level signature, which implies an equivalent qualification certificate.
Articulation of RGS and eIDAS
Since the implementation of the eIDAS regulation, the two frameworks coexist. A qualified certificate under eIDAS is deemed to satisfy RGS** requirements in the vast majority of cases. ANSSI has published correspondence tables to ensure compatibility. It is therefore advisable, for businesses working with both private and public partners, to favour a qualified eIDAS certificate issued by a QTSP listed on the French trust list — which simultaneously covers both frameworks.
To deepen your understanding of European regulation, our eIDAS 2.0 guide details the major changes planned and their impact on French businesses.
---
How to obtain a qualified electronic certificate: step-by-step process
Obtaining a qualified electronic certificate is not a trivial matter: it involves rigorous verification of the applicant's identity and, for a legal person, their legal representativeness. Here are the main steps.
Step 1: Identify the right qualified trust service provider
In France, the QTSPs authorised to issue qualified certificates are listed on the Trust Service Status List (TSL) published by ANSSI (available on the esignature.gouv.fr portal). Among the players on this list are notably CAs such as CertEurope, Certinomis (subsidiary of La Poste), Keynectis, and other European providers recognised under the eIDAS mutual recognition principle.
Selection criteria to examine:
- Effective presence on the French and/or European TSL;
- Format of the certificate offered (software, smart card, cloud HSM);
- Compatibility with your existing IT infrastructure;
- Pricing and validity period (generally 1 to 3 years);
- Level of support and enrolment timeline.
Step 2: Preparation of the enrolment file
For a business, the request for a qualified certificate requires the production of documents justifying both the identity of the bearer (natural person) and their capacity to represent the legal person. The documents generally required are:
- Official identity document of the bearer (passport, national ID card);
- Kbis extract less than 3 months old (or equivalent for associations, public institutions);
- Power of attorney if the bearer is not the statutory legal representative;
- Application form specific to the chosen QTSP.
Identity verification must be carried out face-to-face before a Registration Officer (RO) mandated by the QTSP, or by an approved remote verification process (video identification compliant with ETSI TS 119 461 standard).
Step 3: Delivery and activation of the certificate
Depending on the format chosen, the certificate is provided:
- On a qualified signature creation device (QSCD): encrypted USB key or smart card certified Common Criteria EAL 4+;
- Via a remote signature service (Remote Qualified Electronic Signature — RQES) managed by the QTSP, where the private key is hosted in a certified HSM (Hardware Security Module) according to ETSI EN 419 241 standard.
Deploying an RQES service is today the solution most widely adopted by businesses, as it avoids the physical management of cryptographic media whilst maintaining qualified compliance. Compare electronic signature solutions to identify the model best suited to your context.
Step 4: Integration into your business processes
Once the certificate is obtained, its integration into the company's document flows generally goes through a SaaS electronic signature platform. This must be compatible with ETSI standards (XAdES, PAdES, CAdES) to guarantee interoperability and the long-term preservation of digital evidence. Our dedicated article on electronic signature in business will help you structure this deployment.
---
Cost, validity and renewal: what businesses must anticipate
Price ranges in 2026
Qualified certificate fees vary significantly depending on the format and provider:
- Certificate on physical media (USB key/card): between €80 and €250 excl. VAT per holder per year;
- Cloud qualified certificate (RQES): between €40 and €150 excl. VAT per holder per year, depending on volumes;
- Business packages: significant discounts apply from 10 holders onwards, potentially reaching 30 to 40% of the unit rate.
These costs should be put in perspective with the savings generated: elimination of printing, postage, postal handling times and disputes related to contested signatures.
Validity period and renewal
A qualified certificate's validity period is generally set at 1, 2 or 3 years depending on the subscription offered. Upon expiration, previously signed documents remain valid (provided their integrity is preserved via a qualified time-stamping service), but new acts cannot be signed with the expired certificate. It is therefore essential to implement a process for monitoring and early renewal — ideally 60 days before expiration.
Revocation and incident management
In case of private key compromise (loss, theft of media, suspected disclosure), the certificate must be revoked immediately with the QTSP. The QTSP publishes the revocation in its Certificate Revocation List (CRL) or via the OCSP protocol, making any subsequent signature with this certificate invalid. Internal security policy must therefore provide for a dedicated contact point and an alert deadline of less than 24 hours.
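The expiry and revocation rules from the two sections above, written as a small check. This is an added example, not code from Certyneo or any QTSP. The `CertRecord` structure, serials, holders and dates are constructed for illustration; in practice the validity dates come from the certificate, the revocation time from the QTSP's CRL or OCSP response, and the signing time from a qualified timestamp.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RENEWAL_LEAD = timedelta(days=60)  # early-renewal window suggested in the text


@dataclass(frozen=True)
class CertRecord:
    """Hypothetical inventory entry for one holder's qualified certificate."""
    serial: str
    holder: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # from the QTSP's CRL or OCSP answer


def signature_status(cert: CertRecord, signed_at: datetime) -> str:
    """Classify a signature by its qualified-timestamp signing time.

    Simplified model: a signature made inside the validity window stays valid
    after expiry; anything signed at or after the revocation time is invalid.
    """
    if not (cert.not_before <= signed_at <= cert.not_after):
        return "invalid: outside validity period"
    if cert.revoked_at is not None and signed_at >= cert.revoked_at:
        return "invalid: certificate revoked"
    return "valid"


def renewal_due(inventory, now: datetime) -> list:
    """Serials of unrevoked certificates expiring within the next 60 days."""
    return sorted(
        c.serial for c in inventory
        if c.revoked_at is None and now <= c.not_after <= now + RENEWAL_LEAD
    )


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory: serials, holders and dates are made up.
INVENTORY = [
    CertRecord("01A1", "general director", utc(2024, 3, 1), utc(2026, 3, 1)),
    CertRecord("01B2", "commercial director", utc(2025, 1, 15), utc(2027, 1, 15)),
    CertRecord("01C3", "HR director", utc(2024, 6, 1), utc(2026, 6, 1),
               revoked_at=utc(2025, 9, 10)),
]

if __name__ == "__main__":
    print(renewal_due(INVENTORY, utc(2026, 1, 20)))
    print(signature_status(INVENTORY[2], utc(2025, 9, 11)))
```

A signature made with certificate `01C3` the day before its revocation still classifies as valid, which is why the signing time has to come from a trusted timestamp and not from the signer's own clock.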
---
Best practices for successful enterprise deployment
Governance and internal roles
Successful deployment is based on clear governance. It is recommended to designate:
- A PKI manager (Public Key Infrastructure) on the IT side, responsible for the relationship with the QTSP and monitoring renewals;
- A legal reference person who validates the use cases requiring a qualified signature (vs advanced);
- Delegated administrators by department for the operational management of holders.
Training and change management
Adopting a qualified certificate is not enough: employees must understand how to use their certificate, when to activate it, and how to respond to incidents. A short training plan (1 to 2 hours) and documented procedures significantly reduce usage errors and support tickets.
Audit and traceability
To satisfy proof obligations, maintain a time-stamped audit log of each signature performed: signatory identity, document fingerprint, certified date/time, certificate identifier. This data forms the basis of the evidence chain in case of dispute. The ETSI EN 319 132 standard (XAdES) provides for signature formats that natively include this information.
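One way to keep the audit log described above tamper-evident, as an added example (not Certyneo's code and not a format defined by ETSI): each record carries the four fields named in the text and is chained to the previous record by a SHA-256 hash. The hash chain, the field names and the sample events are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor used as "previous hash" of the first entry


def fingerprint(document: bytes) -> str:
    """SHA-256 fingerprint of the signed document."""
    return hashlib.sha256(document).hexdigest()


def entry_hash(body: dict) -> str:
    # Canonical JSON so the same record always hashes to the same value.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append_entry(log: list, signatory: str, document: bytes,
                 signed_at: str, cert_id: str) -> dict:
    """Append one signature event carrying the four fields named in the text."""
    body = {
        "signatory": signatory,
        "doc_sha256": fingerprint(document),
        "signed_at": signed_at,  # certified time from the timestamp, ISO 8601
        "cert_id": cert_id,      # hypothetical format: issuer label + serial
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=entry_hash(body))
    log.append(entry)
    return entry


def first_broken_entry(log: list) -> int:
    """Index of the first altered, removed or re-ordered entry, or -1 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or entry_hash(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


def build_sample_log() -> list:
    """Constructed sample events; names, identifiers and contents are made up."""
    log = []
    append_entry(log, "A. Martin", b"share transfer deed v3",
                 "2026-02-03T09:14:07Z", "QTSP-CA-EXAMPLE:01A1")
    append_entry(log, "B. Durand", b"supplier commitment 2026-17",
                 "2026-02-03T11:42:30Z", "QTSP-CA-EXAMPLE:01B2")
    return log
```

The chain only detects tampering if the most recent hash is also recorded outside the log, for example by having it time-stamped by the qualified time-stamping service already used for signatures.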
Legal framework applicable to qualified electronic certificates
Civil code and probative value
In French law, Article 1366 of the Civil Code establishes the principle of equivalence between electronic and paper writing, provided that "the identity of the person from whom it emanates is duly assured and that it is established and preserved in conditions apt to guarantee its integrity". Article 1367 paragraph 2 specifies that qualified electronic signature benefits from a presumption of reliability: it is for the party contesting the signature to provide proof to the contrary, thus reversing the burden of proof in favour of the signatory.
Regulation eIDAS No. 910/2014
The European regulation eIDAS (No. 910/2014), directly applicable in all Member States since 1 July 2016, constitutes the supranational foundation. Its Article 25(2) states that "a qualified electronic signature has a legal effect equivalent to that of a handwritten signature". Articles 28 and 29 define the requirements applicable to qualified certificates and qualified signature creation devices (QSCD). Annex I lists the mandatory statements of a qualified certificate (policy OID, identity of QTSP, public key, validity dates, etc.).
eIDAS 2.0 developments
The eIDAS 2.0 regulation (EU Regulation 2024/1183, which came into force on 20 May 2024) introduces the European digital identity wallet (EUDIW) and strengthens accessibility requirements for qualified trust services. Businesses will need to anticipate the integration of these new identification mechanisms by 2026-2027.
Applicable ETSI standards
- ETSI EN 319 411-2: policy and practices for QTSPs issuing qualified certificates;
- ETSI EN 319 132 (XAdES), ETSI EN 319 122 (CAdES) and ETSI EN 319 162 (PAdES): formats for advanced and qualified electronic signatures;
- ETSI EN 419 241: requirements for signature servers (RQES).
GDPR and data protection
The processing of personal data in the context of enrolment (identity verification, document collection) is subject to GDPR No. 2016/679. The QTSP and the client company are jointly responsible for processing or in a controller/processor relationship depending on the configuration. A DPA (Data Processing Agreement) compliant with Article 28 GDPR must be signed. Enrolment data must be retained for the lifetime of the certificate plus the applicable limitation period (5 years for contractual matters).
NIS2 Directive and infrastructure security
The NIS2 Directive (2022/2555/EU), transposed into French law by Law No. 2024-449, requires essential and important entities to implement risk management measures including digital supply chain security. Recourse to a qualified QTSP listed on the national TSL is a recognised best practice for partially satisfying these requirements.
Use scenarios: the qualified certificate in practice
Scenario 1: A law firm managing high-value deeds
A corporate law firm with about twenty partners and associates must regularly sign share transfer deeds, settlement agreements and powers of attorney. Previously, each deed required printing, handwritten signature, scanning and postal dispatch — an average delay of 4 to 7 business days per signature cycle. After deploying cloud qualified certificates (RQES) for each partner, this delay is reduced to less than 4 hours for deeds not requiring notarial intervention. The firm estimates a 65% reduction in administrative time related to document management, and has not recorded any signature challenges in the first 18 months of use. Electronic signature solutions for law firms offered by Certyneo integrate natively into this type of workflow.
Scenario 2: An SME entering into contracts with public organisations
An SME in the metalworking sector, employing about 120 people, regularly responds to dematerialised public calls for tender on buyer portals. It is required to electronically sign its offers and commitment acts with a certificate at minimum RGS** level. After obtaining two qualified certificates (for the general director and an authorised commercial director), the SME was able to submit its offers within the set deadlines without travel or postal dispatch. Over a year, this represents approximately 35 tender files and an estimated saving of 15 person-days per year on document management alone. The eIDAS compliance of the certificate also ensures the recognition of its signatures with German and Belgian public buyers, expanding its commercial scope. Use our ROI calculator to estimate the potential gains in your own context.
Scenario 3: A health network securing HR and supplier acts
A hospital group of approximately 1,200 beds, bringing together several establishments, faces an annual volume of nearly 3,000 employment contracts, amendments and supplier commitments. The human resources department and the procurement department jointly deployed a qualified signature solution, with certificates issued for authorised directors. In parallel, documents to be signed by staff are processed via an advanced signature workflow, reserving qualified signature for high-value management acts. Result: the average time to finalise an employment contract fell from 12 days to 2.5 days, and the rate of incomplete files (missing signature, wrong signed version) decreased by 78%. Electronic signature solutions in healthcare from Certyneo incorporate the regulatory specificities of the hospital sector.
Conclusion
Obtaining a qualified electronic certificate is today a necessary step for any business wishing to legally secure its digital acts, meet public procurement requirements and comply with the eIDAS regulatory framework. Far from being a constraint, it is a competitive lever: reduced signing timelines, an irrefutable chain of evidence and cross-border recognition across the European Union.
Key steps to remember: choose a QTSP listed on ANSSI's trust list, prepare a rigorous enrolment file, opt for a cloud format (RQES) to facilitate deployment, and integrate the certificate into a platform compliant with ETSI standards.
Certyneo accompanies you at every step: from selecting the right signature level to integration into your business processes. Request a free demo and discover how to deploy qualified signature in less than 48 hours in your organisation.