Cloud or on-premise electronic signature: which choice in 2026?
Cloud SaaS or on-premise deployment: your electronic signature solution's hosting choice determines security, costs and eIDAS compliance. Discover our expert analysis.
Équipe éditoriale Certyneo
Editor — Certyneo · About Certyneo
Introduction
Choosing between cloud-based electronic signature and on-premise hosting is one of the most structurally significant strategic decisions for a CIO or legal department in 2026. Whilst SaaS has broadly appealed to SMEs through its simplicity of deployment, large enterprises and organisations subject to sector-specific regulatory constraints continue to question the relevance of internalised hosting. This in-depth comparison analyses both models across five key axes: data sovereignty, technical security, eIDAS compliance, total cost of ownership and business agility. By the end of this article, you will have an operational decision-making framework to choose the architecture suited to your context.
Understanding the two hosting models
Cloud-based electronic signature (SaaS)
In a cloud model, the publisher operates the entire infrastructure: servers, updates, availability, backup and data security. The client company accesses the solution via an API or web interface, with no local installation whatsoever. European market players — including Certyneo — generally rely on ISO 27001-certified datacentres located within the European Union (France, Germany, the Netherlands), guaranteeing GDPR compliance without additional effort on the client's side.
The advantages are well known: deployment within hours, immediate scalability, automatic updates incorporating regulatory developments (eIDAS 2.0, DSP3, NIS2), and consumption-based economic model (OPEX). According to the Markess by Exaegis 2025 report, 78% of French companies with fewer than 500 employees now prefer SaaS for their digitisation tools.
On-premise deployment
On-premise involves installing the electronic signature platform directly on the company's servers or in a private datacentre under its control. This model offers total control over data, workflows and security policies. It is historically adopted by banks, insurers, hospitals and public administrations processing sensitive data subject to specific frameworks (HDS, SecNumCloud, PGSSI-S).
The counterpart is significant operational burden: the IT team must manage updates, qualified signature certificates, HSMs (Hardware Security Modules), high availability and regulatory monitoring. The initial cost (CAPEX) is high, with licences potentially exceeding €80,000 for an enterprise installation, to which must be added annual infrastructure costs.
Data sovereignty and regulatory compliance
GDPR and data localisation
The eIDAS regulation and its implications for your qualified signatures require that trust service providers (TSP) be audited and listed on national trusted lists. Whether you opt for cloud or on-premise, your solution must necessarily rely on a qualified TSP. The real GDPR question concerns transfers outside the EU: a cloud hosted with an American hyperscaler (AWS, Azure, GCP) without valid standard contractual clauses (SCC) exposes the company to penalties potentially reaching 4% of global turnover.
European cloud solutions like Certyneo meet this requirement natively, with servers exclusively located in France and a DPA (Data Processing Agreement) compliant with GDPR Article 28 provided upon subscription.
SecNumCloud and regulated sectors
For vital infrastructure operators (OIV) and organisations subject to the Cloud-Centric Doctrine of DINUM, ANSSI's SecNumCloud qualification is increasingly required. In 2026, only a few French cloud actors have obtained this qualification (OVHcloud, Outscale). Affected organisations must therefore either choose a SecNumCloud-qualified cloud or maintain on-premise compliant with ANSSI RGS v2 framework.
Note that NIS2, transposed into French law by the law of 26 January 2025, extends cybersecurity obligations to more than 15,000 essential and important entities, creating new normative pressure on architecture choice.
Total cost of ownership: comparative analysis
TCO (Total Cost of Ownership) analysis over 5 years consistently reveals a cloud advantage for volumes below 50,000 signatures/year. Beyond that, on-premise can become competitive if infrastructure already exists. The Certyneo ROI calculator allows you to precisely estimate this tipping point based on your volume and sector.
A typical on-premise deployment for a company with 1,000 employees represents:
- Initial licence: €60,000 to €120,000
- HSM infrastructure and dedicated servers: €30,000 to €50,000
- Annual maintenance (20% of licence): €12,000 to €24,000/year
- Internal IT resources: 0.5 to 1 FTE dedicated
Against this, a cloud SaaS of equivalent capacity typically costs €18,000 to €40,000/year all-inclusive, with zero CAPEX.
Technical security: advantages and limitations of each model
Security in cloud environment
Contrary to persistent assumptions, a specialised editor's cloud often offers a higher level of security than a typical enterprise on-premise infrastructure. The reasons are structural: editors invest heavily in dedicated teams (24/7 SOC, quarterly pen-tests, ISO 27001 and SOC 2 Type II certifications), which is beyond the reach of most internal CIOs.
Best practices include AES-256 encryption at rest and TLS 1.3 in transit, mandatory multi-factor authentication, immutable logging of signature events, and geo-redundant backups. The legal value of electronic signature is based precisely on this unalterable traceability.
Risks specific to on-premise
On-premise generates specific risks often underestimated:
- Version drift: without a dedicated team, cryptographic updates (certificate revocation, transition to SHA-3) are delayed, exposing the company to technically invalid signatures.
- HSM management: a Hardware Security Module that is poorly configured or whose firmware is not updated nullifies non-repudiation guarantees.
- Business recovery plan: the availability (SLA) of an internal on-premise rarely exceeds 99.5%, compared to 99.95% for a structured cloud SaaS.
For organisations wishing to combine sovereignty and operational delegation, the private cloud model (dedicated Private Cloud in a third-party certified HDS or SecNumCloud datacentre) constitutes a relevant middle path.
Integration, agility and scalability
APIs and interoperability
Both models now expose documented REST APIs. Nevertheless, the velocity of update is structurally different: a cloud editor deploys new features (biometric signature, AI fraud detection, eIDAS 2.0 Wallet support) within weeks, whilst on-premise involves an internal qualification cycle of 3 to 6 months per major version.
To integrate electronic signature into an ERP (SAP, Oracle), an HRIS or a DMS (OpenText, Alfresco), the cloud offers pre-built connectors maintained by the editor. The complete comparison of electronic signature solutions details the integration capabilities of major market players.
Scalability and volume
In cloud, scalability is quasi-instantaneous: a campaign of 10,000 simultaneous signatures (shareholder AGM, large-scale HR rollout) is absorbed without prior configuration. On-premise, infrastructure oversizing must anticipate peaks, generating capitalisation costs.
Fast-growing organisations or those with seasonal cycles (real estate, insurance) particularly benefit from cloud elasticity. Electronic signature in real estate, for example, experiences volume spikes linked to market cycles that would make permanently oversized on-premise infrastructure uneconomic.
Decision criteria: which model for which profile?
Enterprises and SMEs without specific sector constraints
For an SME with 10 to 500 employees without particular sector-specific regulatory obligations, cloud SaaS imposes itself without hesitation: rapid deployment, controlled cost, eIDAS and GDPR compliance guaranteed by the editor. Integration into existing HR tools is facilitated by native connectors — as illustrated by the use of electronic signature for HR teams covering pay slips, contracts and conventional redundancies without dedicated infrastructure.
Large enterprises and regulated sectors
Companies processing health data (HDS mandatory), critical financial data or classified information must seriously evaluate on-premise or qualified private cloud. The question is not technical but regulatory: does the applicable framework allow or not for public cloud?
A hybrid architecture — cloud for routine signatures, on-premise for the most sensitive qualified acts — has been adopted by several large French groups since 2024. This model requires rigorous orchestration and solid API gateways.
Public bodies and administrations
Since DINUM Circular 2023-1, State administrations are encouraged to favour SecNumCloud-qualified cloud offerings. On-premise remains authorised for sensitive information systems (SIS) but must comply with RGS v2 and PGSSI-S for health data. The electronic signature for law firms illustrates how entities with strong traceability requirements find their balance between these two models.
Applicable legal framework for hosting your electronic signature solution
The choice between cloud and on-premise is not neutral from a legal standpoint. Several normative frameworks directly regulate the technical architecture of your signature solutions.
Civil Code, Articles 1366 and 1367: These provisions define electronic signature as a reliable identification process guaranteeing its link to the deed to which it attaches. The reliability of the process is presumed unless proven otherwise when a qualified electronic signature is used. This presumption applies regardless of hosting mode, provided the trust service provider (TSP) is qualified.
eIDAS Regulation No. 910/2014 and eIDAS 2.0 (EU Regulation 2024/1183): The eIDAS regulation distinguishes three signature levels (simple, advanced, qualified). Qualified signature necessarily requires intervention by a TSP listed on the national trusted list (ANSSI trust list for France). Whether your solution is cloud or on-premise, it must interface with a qualified TSP to issue qualified signatures. eIDAS 2.0, applicable since May 2024, introduces the European digital identity wallet (EUDIW) and strengthens requirements on qualified certificate management.
GDPR Regulation No. 2016/679: Article 28 mandates conclusion of a DPA (data processing contract) with any cloud service provider processing personal data on your behalf. Article 44 prohibits data transfers outside the EU without adequate safeguards (standard contractual clauses or binding corporate rules). In internal on-premise, this obligation disappears but the company becomes data controller in full and must document its technical and organisational measures (TOM) in accordance with Article 32.
NIS2 Directive (EU Directive 2022/2555), transposed into French law by the law of 26 January 2025: Essential and important entities (energy, health, finance, water, digital, transport, administration sectors) must implement proportionate cybersecurity measures, including management of risks linked to digital supply chain. An electronic signature cloud provider constitutes a critical third-party supplier within NIS2: due diligence mandatory, specific contractual clauses and audit rights.
ETSI Standards EN 319 132 and ETSI EN 319 122: These standards define advanced electronic signature formats (XAdES, PAdES, CAdES) accepted in European public procurement and B2B exchanges. Compliance with these formats must be verified regardless of chosen architecture.
General Security Framework (RGS v2) and HDS: For administrations and health data hosters, ANSSI's RGS v2 and HDS (Health Data Hoster) certification (order of 11 June 2018) apply respectively. Non-HDS-certified cloud is legally disqualified from hosting health-related personal data, even temporarily during signature of patient consent.
Legal risks to anticipate: A signature issued from a non-compliant system may be challenged in court, particularly if document integrity or signer identity cannot be proven incontestably. The burden of proof lies with the person invoking the signature. A pre-deployment compliance audit, cloud or on-premise, is strongly recommended.
Use scenarios: cloud or on-premise depending on business context
Scenario 1 — Mid-sized industrial group managing 15,000 contracts annually
A mid-market industrial company (approximately 1,200 employees, 3 production sites in France) must digitise all supplier, customer and subcontractor contracts. It processes on average 15,000 signatures per year, with peaks in January (framework contract renewals) and September (purchasing campaigns). Its industrial data is sensitive but unclassified.
Following TCO analysis over 5 years, the finance direction concludes that a European SaaS cloud certified ISO 27001 is 40% less costly than an equivalent on-premise deployment (editor's economies of scale vs. 0.7 FTE IT dedicated internally). The CIO selects a cloud solution hosted in France with 99.95% SLA and documented REST API, integrated directly to its ERP. Seasonal peaks are absorbed at no extra cost. Result observed after 12 months: 65% reduction in average contract signature time (from 8.3 days to 2.9 days), and estimated annual savings of €120,000 on paper processing and follow-up costs.
Scenario 2 — Hospital group with 1,200 beds subject to HDS certification
A public hospital group wishes to digitise patient consents, freelance practitioner contracts and public procurement. Data processed includes health-related personal information, subject to HDS (Health Data Hoster) certification and PGSSI-S.
Pure on-premise is ruled out due to complexity of HSM maintenance and lack of internal cryptographic expertise. The group opts for private cloud hosted by an HDS-certified and SecNumCloud-qualified provider. The signature solution is deployed in this dedicated cloud, with strict network isolation and audit logs exported to the internal SIEM. Cost is 25% higher than standard mutualized cloud, but 35% lower than complete on-premise. Operational benefit: 800 monthly consents are processed in less than 24 hours versus 5 days in paper format, with complete traceability compliant with HAS requirements.
Scenario 3 — Law firm with 25 employees integrating signature into daily workflow
A Parisian business law firm daily processes deed of cession, settlement protocols and mandates requiring advanced or qualified electronic signature. Client data confidentiality is a top priority, but the firm has no dedicated IT infrastructure.
On-premise is ruled out from the outset due to lack of resources. The firm chooses a European cloud SaaS with end-to-end encryption, encryption keys controlled by the client (BYOK — Bring Your Own Key), and contractual guarantee of non-access to data by the editor. This so-called "zero knowledge" architecture satisfies both Bar Association ethical requirements and GDPR obligations. Integration with case management software (via API) reduces time to prepare a signable deed from 45 minutes to 8 minutes on average, a productivity gain of 82% on this task.
Conclusion
Cloud or on-premise: there is no universal answer, but a structured decision-making framework. For the vast majority of French companies — SMEs, mid-market firms without critical sector constraints — European SaaS cloud compliant with eIDAS and GDPR offers the best ratio between security, compliance and total cost of ownership. On-premise or qualified private cloud remains relevant for regulated sectors (health, defence, OIV) where constraining frameworks (HDS, SecNumCloud, RGS v2) require complete infrastructure control.
In 2026, the real question is not "cloud or on-premise" but "what level of sovereignty for which data, with which qualified TSP?" Certyneo meets these requirements with a cloud architecture hosted exclusively in France, ISO 27001 certified, compliant with eIDAS 2.0 and GDPR. Discover our offers and pricing on Certyneo or contact our team for a free audit of your electronic signature needs.
Try Certyneo for free
Send your first signature envelope in less than 5 minutes. 5 free envelopes per month, no credit card required.
Recommended articles
Deepen your knowledge with these related articles.
Electronic signature: free or paid, what to choose in 2026?
Between limited free offers and eIDAS-compliant paid solutions, the choice is not trivial for an SME. Discover our comparison to decide with full knowledge of the facts.
HelloSign vs Certyneo comparison: which one to choose in 2026?
HelloSign and Certyneo both serve B2B businesses, but their approaches differ radically. Discover which one truly meets your eIDAS compliance and productivity requirements.
Digital Site Planning: Electronic Signature in 2026
Digital site planning is transforming construction project management in 2026. Electronic signature, traceability and regulatory compliance: a comprehensive guide for industry professionals.