
How Electronic Signature Works in 2026

Understanding how electronic signature works is essential for any legal manager or IT director. Dive into the cryptographic and regulatory mechanisms that guarantee its probative value.


Certyneo Team

Writer, Certyneo

Introduction

Electronic signature is now at the heart of digital transformation in enterprises: in 2025, more than 70% of large European organisations have integrated it into at least one contractual process (source: Gartner, Digital Process Automation Survey 2025). Yet few decision-makers understand precisely the mechanisms that make it legally valid and technically unforgeable. Understanding how electronic signature works technically — cryptography, PKI, certificates — allows you to choose the right solution, reduce legal risks and accelerate internal adoption. This article guides you, step by step, through the technical architecture and standards that govern electronic signature in 2026.

---

The Cryptographic Foundations of Electronic Signature

Electronic signature relies on proven cryptographic primitives. Understanding these mechanisms means understanding why it is more reliable than a scanned image of a handwritten signature.

Asymmetric encryption: public and private key

The fundamental principle is asymmetric cryptography, invented in the 1970s and implemented by standardised algorithms such as RSA (Rivest–Shamir–Adleman) or elliptic-curve schemes (ECDSA). Each signatory has two mathematically linked keys:

  • The private key: kept secret by the signatory on a secure device (smart card, hardware token or HSM, or a protected software module). It is used to create the signature.
  • The public key: distributed freely, included in a digital certificate. It is used to verify the signature.

The security principle rests on a computational asymmetry: verifying a signature with the public key is cheap, but deriving the private key from the public key is computationally infeasible (it would require solving the integer factorisation problem for RSA, or the discrete logarithm problem for elliptic curves).

Hash functions: the digital fingerprint of the document

Before signing, the system calculates a cryptographic fingerprint of the document using a hash function (SHA-256 or SHA-3 in 2026). This fingerprint, called a hash or digest, is a fixed-length value (256 bits for SHA-256) that, for all practical purposes, uniquely represents the content of the document.

Essential property: modifying a single character in the document produces a radically different hash. This is what guarantees the integrity of the signed document: any alteration after signature is immediately detectable.

The electronic signature itself is therefore this hash transformed with the signatory's private key (for RSA, this is often described as "encrypting" the hash with the private key). When verifying, the recipient:

  1. Applies the public key to the signature to recover the original hash (with RSA) or, more generally, to check that the signature matches the hash;
  2. Recalculates the hash of the received document themselves;
  3. Compares the two: if they are identical, the signature is valid and the document has not been altered.
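As an added example (not code from the Certyneo article or platform), the following Go program walks through the hash-then-sign and verify steps above with RSA and SHA-256. It also performs the raw public-key operation on the signature to show, in the literal sense used above, that it recovers the hash that was signed. The purchase-order text and the freshly generated 2048-bit key are constructed fixtures; in a real deployment the key would sit on the signatory's smart card or HSM. Note that the "decrypt with the public key" picture only fits RSA: an ECDSA verifier never recovers the hash, it checks an equation in which the hash is an input.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Digest computes the SHA-256 fingerprint of a document: 32 bytes whatever the input size.
func Digest(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return h[:]
}

// SignDocument hashes the document and applies the private key to the digest.
// RSA PKCS#1 v1.5 pads the digest (with its algorithm identifier) before the
// private-key operation; it is never the bare hash that gets "encrypted".
func SignDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, Digest(doc))
}

// VerifyDocument re-hashes the received document and checks the signature against
// it with the public key. Any change to the document makes this return false.
func VerifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, Digest(doc), sig) == nil
}

// RecoverDigest performs the raw public-key operation s^e mod n on the signature.
// For RSA PKCS#1 v1.5 the result is the padded block whose last 32 bytes are the
// SHA-256 digest that was signed: the literal sense in which "decrypting the
// signature with the public key recovers the hash". A real verifier (VerifyDocument)
// checks the whole padded block, not just these trailing bytes.
func RecoverDigest(pub *rsa.PublicKey, sig []byte) []byte {
	s := new(big.Int).SetBytes(sig)
	m := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N)
	em := m.FillBytes(make([]byte, pub.Size()))
	return em[len(em)-sha256.Size:]
}

func main() {
	// Constructed sample document; a fresh 2048-bit key stands in for the
	// signatory's certificate key (which would live on a smart card or HSM).
	doc := []byte("Purchase order 2026-0001: 40 units at 12.50 EUR")
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	sig, err := SignDocument(priv, doc)
	if err != nil {
		panic(err)
	}
	pub := &priv.PublicKey
	fmt.Println("valid on original:        ", VerifyDocument(pub, doc, sig))
	tampered := []byte("Purchase order 2026-0001: 40 units at 12.00 EUR") // one character changed
	fmt.Println("valid on tampered copy:   ", VerifyDocument(pub, tampered, sig))
	fmt.Println("recovered digest == hash: ", bytes.Equal(RecoverDigest(pub, sig), Digest(doc)))
}
```

Changing a single character of the order (12.50 to 12.00) makes the recomputed digest differ from the one embedded in the signature, so verification fails while the signature over the original still passes.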

---

Public Key Infrastructure (PKI): the chain of trust

Cryptography alone is not enough: it is also necessary to prove that the public key belongs to the person claiming to use it. This is the role of the PKI (Public Key Infrastructure).

Certification Authorities (CA)

A Certification Authority (CA) is an accredited trusted third party that issues digital certificates. A digital certificate is a standardised file (X.509 format) containing:

  • The identity of the holder (name, organisation, e-mail);
  • Their public key;
  • The validity period;
  • The digital signature of the CA itself.

In Europe, qualified CAs are referenced in the Trusted Lists published by each EU Member State in accordance with the eIDAS regulation. In France, the ANSSI publishes and maintains this list. Qualified trust service providers (QTSP) — such as CertSign, Certigna, or Universign — are subject to regular audits according to the ETSI EN 319 401 standard.

The certification chain and revocation

The PKI operates on a hierarchical model:

  • A self-signed Root CA (Certification Authority), kept offline under maximum physical security conditions;
  • Intermediate CAs that issue end-user certificates.

Certificate revocation is a critical mechanism: if a private key is compromised, the CA publishes the certificate's invalidation through a CRL (Certificate Revocation List) or answers status queries through OCSP (Online Certificate Status Protocol), which allows verification in near real time.

For qualified electronic signature under eIDAS, the private key must be generated and held in a QSCD (Qualified Signature Creation Device): hardware certified to Common Criteria (CC) EAL4+ or higher, such as a smart card or HSM (Hardware Security Module).
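The chain-of-trust and revocation mechanics described in this section, as an added Go example rather than anything from the article or from a real QTSP: it builds a constructed two-tier hierarchy (a self-signed root, an issuing intermediate and a signatory certificate, all with invented names such as "Demo Root CA" and "Alice Example"), verifies the signatory's certificate with only the root trusted a priori, then has the intermediate publish a CRL and checks the signatory's serial number against it. The CRL is authenticated against its issuer before its contents are trusted, which is the step a careless verifier skips. Fixed serial numbers are used for the fixtures; a real CA must issue unique ones.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable because every input is a fixture this program builds itself.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a one-year certificate; CA templates get certificate and CRL signing rights.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn}, // constructed names, not a real CA
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl for pub with the signer's key; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// BuildPKI creates root -> intermediate -> signatory. The root key signs only the
// intermediate, as an offline root would; the intermediate's key is returned because
// the issuing CA also signs its own CRL.
func BuildPKI() (root, inter, leaf *x509.Certificate, interKey *ecdsa.PrivateKey) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	interKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root = issue(template("Demo Root CA", 1, true), nil, &rootKey.PublicKey, rootKey)
	inter = issue(template("Demo Issuing CA", 2, true), root, &interKey.PublicKey, rootKey)
	leaf = issue(template("Alice Example", 3, false), inter, &leafKey.PublicKey, interKey)
	return root, inter, leaf, interKey
}

// VerifyChain checks that leaf chains to the trusted root. Only the root is trusted
// a priori; the intermediate is merely offered as a candidate link in the chain.
func VerifyChain(leaf, inter, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// IssueCRL has the issuing CA publish a signed CRL naming one revoked serial number.
func IssueCRL(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, revoked *x509.Certificate) *x509.RevocationList {
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, issuerKey))
	return must(x509.ParseRevocationList(der))
}

// IsRevoked authenticates the CRL against its issuer before trusting its contents,
// then looks the certificate's serial number up in it.
func IsRevoked(crl *x509.RevocationList, issuer, cert *x509.Certificate) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	root, inter, leaf, interKey := BuildPKI()
	fmt.Println("chain valid:", VerifyChain(leaf, inter, root) == nil)
	_, inter2, leaf2, _ := BuildPKI() // anchored in a different, untrusted root
	fmt.Println("foreign chain valid:", VerifyChain(leaf2, inter2, root) == nil)
	revoked, err := IsRevoked(IssueCRL(inter, interKey, leaf), inter, leaf)
	fmt.Println("signatory revoked:", revoked, err)
}
```

A certificate issued under a different root fails verification even though it is internally consistent, which is what makes the Trusted Lists matter: the verifier's trust anchors, not the certificate's own claims, decide. The same logic applies to an OCSP response, which is likewise a signed statement from the CA about one serial number.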

---

Three Levels of Signature under eIDAS

The European eIDAS Regulation No. 910/2014 (and eIDAS 2.0, currently being rolled out) defines three levels of signature, each with increasing technical guarantees. For more on this regulatory framework, see our comprehensive guide to the eIDAS regulation.

Simple Electronic Signature (SES)

Simple signature is the least technically constraining form. It can be as basic as a checkbox, an OTP (One-Time Password) sent by SMS, or an image of a handwritten signature. It does not necessarily involve a qualified certificate.

Typical use: validation of quotes, marketing consents, low-value contracts.

Risk: limited probative value in case of judicial dispute. The burden of proof falls on the one invoking the signature.

Advanced Electronic Signature (AdES)

Advanced signature meets four precise technical requirements (Article 26 eIDAS):

  1. It is uniquely linked to the signatory;
  2. It allows identification of the signatory;
  3. It is created from data under the exclusive control of the signatory;
  4. It allows detection of any subsequent modification of the document.

In practice, this means a personal digital certificate and a robust authentication mechanism. The standard formats are defined by ETSI: PAdES (for PDF), XAdES (XML), CAdES (binary data) and JAdES (JSON), all standardised in the ETSI EN 319 100 series.

Qualified Electronic Signature (QES)

Qualified signature is the highest level. It requires:

  • A qualified certificate issued by an eIDAS-accredited QTSP;
  • A QSCD for signature creation.

It benefits from a legal presumption of reliability and legal equivalence with handwritten signature throughout the European Union (Article 25 eIDAS). This is the level required for electronic authentic acts, certain notarial acts, or sensitive public procurement.

Our comparison of electronic signature solutions analyses the practical differences between these levels to help you choose.

---

The Complete Process of Electronic Signature Step by Step

Here is how an electronic signature transaction is carried out in practice on a SaaS platform such as Certyneo:

Step 1: document preparation and sending

The signature initiator uploads the document (contract, amendment, purchase order) to the platform. The system immediately generates a SHA-256 hash of the original file, timestamped and kept immutably. This fingerprint will serve as the reference for any future verification.

Step 2: authentication of the signatory

Depending on the level of signature chosen, authentication varies:

  • SES: e-mail + signature link;
  • AdES: strong authentication (OTP SMS, FIDO2 mobile application);
  • QES: prior identity verification (face-to-face or video IDV), issuance of a qualified certificate for single use or persistent use.

Step 3: creation of the cryptographic signature

The signatory triggers the signature act. The platform (or the QSCD):

  1. Calculates the hash of the document;
  2. Signs this hash with the signatory's private key (the private-key operation described in the cryptographic foundations above);
  3. Embeds the signature and certificate in the document (PDF signed in PAdES-LTV format for long-term preservation).

Step 4: qualified timestamping

A qualified timestamping authority (TSA) compliant with RFC 3161 applies a cryptographic timestamp, proving that the signature existed at a specific moment. This protects against date falsification and preserves probative value over time — even if the signatory's certificate expires later.

Step 5: evidence-based archiving

The signed document is archived with its complete audit trail: signatory identity, IP address, timestamp, document hash, certificates used. This proof file (audit trail) is essential in case of judicial dispute. Solutions compliant with eIDAS maintain these proofs in a PAdES-LTV (Long-Term Validation) format that integrates validation data to enable verification years after signature.
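The following Go program, an added example and not the platform's code, models the part of steps 3 to 5 that timestamping and long-term validation actually buy you: the document signature (ECDSA here), a token binding the signature to a time, and a validator that checks the signer's certificate as of the attested time rather than as of today. The token structure is a simplified stand-in for a real RFC 3161 token (which is CMS/ASN.1 and carries the TSA's own certificate), the signer certificate is a self-signed fixture standing in for a QTSP-issued one, and every name, date and document is constructed. It replays a signing that happened 18 months ago with a certificate that expired a year ago: validated as of now it fails, validated as of the timestamp it succeeds, which is why an LTV archive must carry the timestamp and the validation data alongside the signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Token is a simplified model of what an RFC 3161 timestamp attests: the TSA
// signs the hash of the signature together with its own clock reading. A real
// token is CMS/ASN.1 (TSTInfo); only the trust logic is reproduced here.
type Token struct {
	SigHash [sha256.Size]byte // which signature is being timestamped
	Time    time.Time         // the TSA's attested time
	TSASig  []byte            // TSA signature over tokenDigest(SigHash, Time)
}

// tokenDigest is what the TSA signs: H(H(signature) || unix time).
func tokenDigest(sigHash [sha256.Size]byte, t time.Time) []byte {
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(t.Unix()))
	d := sha256.Sum256(append(sigHash[:], ts[:]...))
	return d[:]
}

// Stamp is the TSA side: bind sha256(sig) to the clock reading 'now' (injected
// so that the example can replay a signing that happened in the past).
func Stamp(tsaKey *ecdsa.PrivateKey, sig []byte, now time.Time) (Token, error) {
	tok := Token{SigHash: sha256.Sum256(sig), Time: now.UTC().Truncate(time.Second)}
	var err error
	tok.TSASig, err = ecdsa.SignASN1(rand.Reader, tsaKey, tokenDigest(tok.SigHash, tok.Time))
	return tok, err
}

// SignerCert builds a self-signed signatory certificate valid on [from, to]: a
// constructed fixture standing in for a QTSP-issued certificate.
func SignerCert(key *ecdsa.PrivateKey, from, to time.Time) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(42),
		Subject:      pkix.Name{CommonName: "Alice Example"},
		NotBefore:    from,
		NotAfter:     to,
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Validate runs the three long-term checks: the document signature verifies under
// the certificate, the token is genuine and covers this very signature, and the
// certificate was valid at asOf. Passing tok.Time as asOf is what lets a signature
// outlive its certificate; passing time.Now() breaks as soon as the certificate expires.
func Validate(doc, sig []byte, cert *x509.Certificate, tok Token, tsaPub *ecdsa.PublicKey, asOf time.Time) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected key type")
	}
	docHash := sha256.Sum256(doc)
	if !ecdsa.VerifyASN1(pub, docHash[:], sig) {
		return errors.New("document signature invalid or document altered")
	}
	if tok.SigHash != sha256.Sum256(sig) || !ecdsa.VerifyASN1(tsaPub, tokenDigest(tok.SigHash, tok.Time), tok.TSASig) {
		return errors.New("timestamp token invalid or not bound to this signature")
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert) // self-signed fixture: the certificate is its own trust anchor
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: asOf,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

func main() {
	// Replay a signing done 18 months ago with a certificate that expired a year ago.
	signerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tsaKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	cert, _ := SignerCert(signerKey, now.AddDate(-2, 0, 0), now.AddDate(-1, 0, 0))
	doc := []byte("Employment contract (constructed sample)")
	h := sha256.Sum256(doc)
	sig, _ := ecdsa.SignASN1(rand.Reader, signerKey, h[:])
	tok, _ := Stamp(tsaKey, sig, now.AddDate(-1, -6, 0))
	fmt.Println("checked as of today:    ", Validate(doc, sig, cert, tok, &tsaKey.PublicKey, now))
	fmt.Println("checked as of timestamp:", Validate(doc, sig, cert, tok, &tsaKey.PublicKey, tok.Time))
}
```

In a real PAdES-LTV file the same three pieces are embedded in the PDF: the signature, the RFC 3161 token, and the certificates plus CRL or OCSP responses captured at signing time, so that a verifier years later can reproduce exactly this check without contacting the original CA.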

To understand how to integrate this process into your HR workflows, discover our electronic signature solution for HR and our downloadable contract templates.

---

The Regulatory Framework of Electronic Signature

Electronic signature operates within a multi-layered regulatory framework, articulating national civil law and harmonised European law.

French Civil Code

Article 1366 of the French Civil Code sets the fundamental principle: "An electronic document has the same probative force as a document on paper support, provided that the person from whom it emanates can be duly identified and that it is established and preserved in conditions such as to guarantee its integrity." Article 1367 specifies that electronic signature "consists of the use of a reliable identification process guaranteeing its link with the act to which it attaches."

Decree No. 2017-1416 of 28 September 2017 defines the presumption of reliability for qualified and advanced signatures complying with eIDAS.

eIDAS Regulation No. 910/2014

Cornerstone of European law on digital trust, the eIDAS (electronic IDentification, Authentication and trust Services) regulation establishes a unified legal framework for electronic signatures, electronic seals, qualified timestamping, registered delivery services and website authentication certificates. Its article 25, paragraph 2, grants qualified signature a legal presumption of equivalence with handwritten signature throughout the EU.

eIDAS 2.0 regulation (currently being transposed in Q1 2026) strengthens these provisions with the European digital identity wallet (EUDIW) and extends obligations to the financial and healthcare services markets.

ETSI Standards

Signature formats are standardised by ETSI:

  • ETSI EN 319 132 (XAdES), EN 319 122 (CAdES), EN 319 102 (PAdES) define the technical profiles of advanced and qualified signatures;
  • ETSI EN 319 421 governs qualified timestamping service policies.

GDPR and Data Protection

The processing of identity data in the context of electronic signature (name, e-mail, biometrics for identity verification) is subject to the GDPR (Regulation No. 2016/679). Data controllers must have a legal basis (legitimate interest or contract performance), apply the data minimisation principle, and ensure security through appropriate technical measures (encryption, pseudonymisation).

NIS2 Directive

The NIS2 directive (2022/2555/EU), transposed into French law since October 2024, imposes strengthened obligations on operators of essential services and providers of digital services (including electronic signature providers) with regard to cybersecurity, risk management and incident notification within 24 hours. Non-compliance may result in penalties of up to 10 million euros or 2% of global turnover.

---

Concrete Use Cases of Electronic Signature

Scenario 1: a corporate law firm automates the signature of mandates

A corporate law firm with about a dozen collaborators processed on average 120 representation mandates per month. The paper procedure involved printing, postal sending or hand delivery, then scanning of returned documents — resulting in an average delay of 4.5 working days per file and a document loss rate estimated at 8%.

By deploying advanced electronic signature (AdES) with OTP authentication, the firm reduced signature delay to less than 4 hours on average, reduced the documentary anomaly rate to less than 1%, and saved approximately 2,200 € per year in postage and printing costs. The automatically generated audit trail also simplified two proceedings in which mandates were contested, by providing indisputable timestamped evidence. Discover our solution for law firms.

Scenario 2: an SME manufacturer digitalises its supplier contracts

An SME manufacturer managing approximately 200 supplier contracts per year (general purchase conditions, price amendments, NDA) suffered signature delays of up to three weeks for cross-border contracts with German and Spanish partners. Differences in legal systems and lack of mutual recognition slowed down negotiations.

By adopting qualified signature (QES) issued by an accredited eIDAS QTSP, recognised throughout the EU, the SME benefited from automatic legal recognition in all three countries without any additional legalisation. The average cross-border signature delay dropped from 18 days to 2.5 days. Electronic signature in business details these benefits for procurement teams.

Scenario 3: a hospital group digitalises patient consent

A hospital group with approximately 800 beds had to obtain informed consent from patients for clinical research protocols. Paper management created GDPR compliance risks (poorly archived documents, non-traceable dates) and mobilised healthcare staff for administrative tasks.

By integrating simple electronic signature with SMS code identification — sufficient for acts not subject to qualified requirements — the group automated the collection, archiving and traceability of consents. Administrative time per patient dropped from 12 minutes to less than 2 minutes, freeing up approximately 800 nursing hours per year. All documents are archived with qualified timestamping, fully meeting CNIL requirements. Explore our signature solution for healthcare.

Conclusion

Understanding how electronic signature works technically — from asymmetric cryptography to PKI, from qualified certificates to probative timestamping — is essential for making informed choices regarding compliance and operational efficiency. The three eIDAS levels (simple, advanced, qualified) meet different needs, and the choice must always be guided by analysis of legal risk and expected probative value.

Certyneo supports you in this transition with an eIDAS-compliant SaaS platform, accredited QTSPs and simplified integration into your existing processes. Estimate the potential gains for your organisation using our electronic signature ROI calculator, or get started by consulting our offers and pricing. Compliance and performance are no longer a compromise.
