Verify the Authenticity of a Signed Document: the DUER
The legal value of your Unique Risk Assessment Document depends directly on the authenticity of its signature. Discover concrete methods to verify it.
Certyneo Editorial Team
Writer, Certyneo
The Unique Risk Assessment Document (DUER) is a cornerstone of compliance in occupational health and safety in France. Established by decree No. 2001-1016 of 5 November 2001, it is mandatory for any company from the first employee onwards. However, its legal value in the event of inspection by the Labour Inspectorate, accident or dispute rests largely on its traceability and the authenticity of the signatures that validate it. How can you ensure that a digitally signed DUER has not been altered after signature? What tools and methods allow you to verify this authenticity? This article guides you step by step, from technical fundamentals to organisational best practices.
Why is the authenticity of the DUER signature critical?
Legal and regulatory stakes
The DUER is not an ordinary administrative document. In the event of a work accident, occupational illness or employment dispute, it can be submitted as evidence of the employer's prevention policy. The Labour Code (articles L.4121-1 and following) imposes on the employer a strict liability obligation for safety, and the DUER is the formal record of his assessment.
An unverifiable or altered electronic signature can lead to:
- The nullity of the document as evidence before a court;
- Administrative penalties reaching €3,750 in fines per uncovered employee;
- Criminal liability of the business leader in case of serious accident.
Since law No. 2021-1018 of 2 August 2021 (Occupational Health Law), the DUER must be updated more frequently in companies with 11 or more employees, and its retention is now extended to 40 years. This long period reinforces the imperative of a robust and verifiable electronic signature over time.
The difference between scanned signature and qualified electronic signature
Many HR or HSE managers believe that affixing a scanned handwritten signature to a PDF is sufficient. This is not the case. A scanned signature image guarantees no document integrity: the file can be modified afterwards without leaving any detectable trace.
An electronic signature compliant with the eIDAS regulation, on the other hand, is based on a cryptographic mechanism that irreversibly binds the signer's identity to the document content at a specific moment. Any subsequent modification, even a minimal one such as an added space or a changed digit, invalidates the signature and triggers an alert when verified.
The electronic signature glossary distinguishes three levels recognised by eIDAS: simple electronic signature (SES), advanced (AES) and qualified (QES). For a document as sensitive as the DUER, the advanced level is recommended as a minimum, with the qualified level being preferable for companies subject to frequent inspections.
Concrete methods to verify the authenticity of a signed DUER
Verification via native PDF reader
The most accessible method is to open the document in Adobe Acrobat Reader (free version) or a compatible PDF reader. When a compliant electronic signature is present, a signature panel displays automatically. It indicates:
- The identity of the signatory: name, surname, organisation and certificate used;
- The date and time of signature, stamped by cryptographic timestamping;
- The integrity status: "The signature is valid" or "The document has been modified after signature";
- The trust chain of the certificate: validated by a recognised certification authority.
This verification is immediate and requires no subscription. It is, however, limited: if the certificate of the issuing authority is not in the software's trust list (such as the EUTL — European Union Trusted Lists), the signature may appear as "unverified" even if it is technically valid.
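The integrity status shown in the signature panel rests on a structural property of the file: a PDF signature lists the bytes it covers in a /ByteRange entry, and the only bytes it may skip are its own /Contents hex string. The following is an added example, not code from Certyneo or from any PDF reader; the function names and the sample bytes are constructed for illustration. It is a structural pre-check only and does not validate the cryptographic signature or the certificate chain.

```python
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
HEX_STRING = re.compile(rb"<[0-9A-Fa-f]*>")

def review_reasons(pdf: bytes) -> list[str]:
    """Return reasons the file needs a closer look; an empty list means none found."""
    ranges = [tuple(int(g) for g in m.groups()) for m in BYTE_RANGE.finditer(pdf)]
    if not ranges:
        return ["no /ByteRange found: no cryptographic signature (e.g. scanned image)"]
    reasons = []
    for start1, len1, start2, len2 in ranges:
        # The only bytes a signature may skip are its own /Contents hex string.
        if start1 != 0:
            reasons.append("signed range does not start at byte 0")
        if not HEX_STRING.fullmatch(pdf[start1 + len1:start2]):
            reasons.append("unsigned gap is not exactly one hex string")
        if start2 + len2 > len(pdf):
            reasons.append("signed range runs past end of file")
    # Anything after the furthest signed byte was written after the last signature.
    covered = max(start2 + len2 for _, _, start2, len2 in ranges)
    if covered < len(pdf):
        reasons.append(f"{len(pdf) - covered} bytes appended after the last signed range")
    return reasons

def build_sample() -> bytes:
    """Constructed sample: PDF-like bytes with one signature dictionary."""
    pre, post = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [", b"] /Contents "
    contents = b"<" + b"00" * 32 + b">"   # placeholder where the CMS signature would sit
    tail = b" >>\nendobj\n%%EOF\n"
    len1 = len(pre) + len(b"0 %010d %010d %010d" % (0, 0, 0)) + len(post)
    start2 = len1 + len(contents)
    byte_range = b"0 %010d %010d %010d" % (len1, start2, len(tail))
    return pre + byte_range + post + contents + tail

if __name__ == "__main__":
    signed = build_sample()
    later_edit = signed + b"2 0 obj\n<< /Note (added later) >>\nendobj\n%%EOF\n"
    print("as signed:    ", review_reasons(signed))
    print("edited later: ", review_reasons(later_edit))
    print("scan only:    ", review_reasons(b"%PDF-1.7\n(image of a handwritten signature)\n"))
```

Bytes appended after the last signed range are not always tampering, since long-term validation data is also added this way, so a non-empty result is a prompt to run a full validation rather than a verdict.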
Verification via online validation services
The European Commission provides the DSS Demo Tools service (accessible at ec.europa.eu), which allows you to upload a signed document and obtain a validation report compliant with the ETSI EN 319 102 standard. This service:
- Verifies compliance with XAdES, CAdES, PAdES and JAdES formats;
- Checks the validity of the certificate at the time of signature via OCSP or CRL protocols;
- Generates a JSON or PDF report detailing each step of the validation.
There are also private services offered by qualified trust service providers (QTSP) listed on national trust lists. In France, the ANSSI publishes the list of accredited QTSPs. Using one of these services to validate a disputed DUER in litigation provides significantly greater probative value.
Verification via the original signing platform
If the DUER was signed via a SaaS solution like Certyneo, verification is even more direct. Each signed document generates a signature certificate (also called audit report or signature trail) which archives:
- The IP address and session identifier of the signatory;
- The SHA-256 cryptographic hash of the original document;
- The qualified RFC 3161 timestamp;
- Identity proofs used (email, SMS OTP, or even eIDAS strong authentication).
This report is itself electronically signed by the service provider, making it unfalsifiable and directly usable as evidence in court. Certyneo's electronic signature solution for businesses integrates this mechanism natively for all documents, including DUERs.
Best practices for securing DUER signature and retention
Choosing the right signature level based on risk profile
The selection of the signature level should not be left to chance. For a DUER, here is the recommended reasoning:
| Context | Recommended level | Justification |
|---|---|---|
| Micro-enterprises < 10 employees, low-risk activity | Advanced signature (AES) | Balance between cost and probative value |
| SMEs, industrial or construction sector | Advanced signature with QSCD certificate | High-level eIDAS compliance |
| Large enterprises, healthcare or chemical sector | Qualified signature (QES) | Value equivalent to handwritten signature |

For healthcare sector companies, electronic signature is subject to additional regulatory constraints (HDS, medical GDPR) that systematically justify recourse to qualified signature.
Timestamping and long-term archiving
Because the Occupational Health Law requires the DUER to be retained for 40 years, the lifespan of signatures becomes a concrete question. A signature certificate has a limited validity period (typically 1 to 3 years). After this period, the trust chain can be broken.
The solution is the archiving service with probative value (electronic archiving service or EAS), combined with long-term timestamping according to the ETSI EN 319 122 standard. This mechanism, sometimes called LTV (Long Term Validation), periodically retimestamps the document by adding additional integrity proofs, guaranteeing its verifiability for the entire legal duration.
Do not confuse archiving and storage: a simple file server or cloud drive does not constitute archiving with probative value. Only a system guaranteeing integrity, readability and traceability of access meets legal requirements.
Verification process during updates
The DUER must be updated at least once a year, and whenever there are significant changes to working conditions. Each new version must be distinguished from the previous one and be subject to a new signature. A rigorous process includes:
- Explicit versioning: version number, effective date, list of changes made;
- Signature of the new version by the HSE officer and, where applicable, by the employee representative (CSE);
- Retention of all previous versions in the EAS, accessible in read-only mode;
- Systematic verification of the integrity of the current version before any sharing with the Labour Inspectorate or occupational health services.
Automating these steps via a platform like Certyneo significantly reduces the risk of human error and ensures continuous process compliance. To measure the return on investment of such a solution, the electronic signature ROI calculator allows you to estimate gains based on your organisation's size.
Legal framework applicable to DUER signature and verification
Founding texts in labour law
The obligation to establish a Unique Risk Assessment Document (DUER) derives from article L.4121-1 of the Labour Code, which imposes on the employer the transcription and updating of the results of risk assessment. Decree No. 2001-1016 of 5 November 2001 established this formal obligation. Law No. 2021-1018 of 2 August 2021 to strengthen occupational health prevention extended retention obligations to 40 years and introduced requirements for dematerialised filing with occupational health services for companies with at least 150 employees.
Legal value of electronic signature
Article 1366 of the Civil Code sets out the principle: "An electronic writing has the same probative force as writing on paper, provided that the person from whom it originates can be duly identified and that it is established and preserved under conditions such as to guarantee its integrity." Article 1367 clarifies that electronic signature "consists of the use of a reliable identification procedure guaranteeing its connection to the act to which it attaches."
The eIDAS Regulation No. 910/2014 of the European Parliament and of the Council establishes the European framework of trust for electronic transactions. It defines three levels of signatures (simple, advanced, qualified) and establishes equivalence between qualified electronic signature and handwritten signature in article 25§2. Advanced signature, without benefiting from this legal presumption, remains admissible as a mode of proof under the non-discrimination principle of article 25§1.
Technical reference standards
The electronic signature formats recognised for PDF documents are defined by the standards ETSI EN 319 132 (XAdES), ETSI EN 319 122 (CAdES) and ETSI EN 319 142 (PAdES). For long-term validation, the standard ETSI EN 319 102 defines algorithm validation procedures compliant with eIDAS.
Qualified electronic timestamping is governed by article 41 of the eIDAS Regulation and the RFC 3161 standard of the IETF, guaranteeing a certain date enforceable against third parties.
Data protection
The DUER contains personal data (employee identities, information about their health and safety). Its processing is subject to the GDPR Regulation No. 2016/679. Electronic signature itself involves processing of signatory identity data. The employer, as the data controller, must ensure that the signature service provider is a GDPR-compliant data processor with a DPA (Data Processing Agreement) compliant with article 28 of the GDPR.
Risks of non-compliance
The absence of a DUER or a DUER whose signature is not enforceable exposes the employer to a fine of €3,750 (5th class of misdemeanour) per infraction found. In case of serious work accident, the non-enforceability of the DUER can lead to the recognition of gross negligence by the employer, resulting in increased compensation paid to the victim and a contribution action by the CPAM.
Concrete use scenarios
An industrial service provider facing a Labour Inspectorate inspection
An 85-employee industrial SME, operating in the manufacture of metal parts, is subject to an unannounced visit by the Labour Inspectorate following a machinery accident. The inspector asks to review the DUER that was current at the date of the accident. The HSE officer presents a PDF file electronically signed via the company's signature platform.
Thanks to the audit certificate attached to the document, the inspector can verify in real time: the date and time of signature (prior to the accident), the identity of the signatory (the authorised production director), the document integrity (intact SHA-256 hash), and compliance with the signature level (advanced with qualified certificate). The company is able to demonstrate that the risk was identified and that corrective measures had been planned. This file avoids the classification of gross negligence. According to data from the CNAM's annual report on claims, companies with robust documentary traceability reduce their exposure to CPAM contribution actions by 30 to 45%.
An HR consulting firm managing multi-client DUERs
An HR consulting firm with 18 employees supports about forty small and medium-sized client companies in drafting and annually updating their DUERs. Previously, documents were sent by email as unsigned PDFs, then manually signed and returned scanned.
After migrating to a SaaS electronic signature solution, each DUER is signed online by the client director in less than 3 minutes. The firm has a centralised dashboard allowing it to verify the status of each document at any time: signed, timestamped, archived. If a client has questions about the validity of a previous version, authenticity verification takes less than 30 seconds. The time spent on follow-ups and document management has decreased by approximately 60%, according to comparable industry benchmarks published by HR consulting associations.
A healthcare establishment grouping managing multi-year DUERs
A private hospital group of around 600 beds, comprising several care facilities and nursing homes, must manage specific DUERs for each of its sites, including chemical, biological and psychosocial risks. The legal 40-year retention period and the multiplicity of signatories (site directors, occupational health doctors, CSE representatives) make monitoring particularly complex.
The group deploys a qualified electronic signature solution with archiving with probative value and long-term timestamping. Each version of the DUER is cryptographically sealed and automatically retimestamped every 3 years to maintain the trust chain. In case of ARS audit or litigation, any historical version can be extracted with its complete validation report. This setup reduced the time needed to prepare files for external inspections by nearly 70%, compared to the old hybrid paper-digital archiving system.
Conclusion
Verifying the authenticity of a signed document for a Unique Risk Assessment Document is not an optional formality: it is a legal and organisational necessity. Between the obligations arising from the Labour Code, the 40-year retention period imposed since 2021 and the liability issues in case of accident, only robust electronic signature — accompanied by reliable verification tools — guarantees the full probative value of your DUER.
Whether you go through a PDF reader, a European validation service or directly through your signature platform, the key is to integrate this verification into a documented and reproducible process.
Certyneo allows you to sign, verify and archive your DUERs in full eIDAS compliance, with complete audit trail and integrated archiving with probative value. Create your free account on Certyneo and secure the legal value of your prevention documents today.