Qualified eIDAS timestamp: certified date proof

Electronic timestamping is often perceived as a minor technical detail. In reality, it is one of the cornerstones of the evidential value of an electronically signed document. Without it, a digital signature says nothing about the moment it was affixed — a gap that can prove fatal in the event of litigation. Regulation eIDAS No. 910/2014 specifically introduced the notion of qualified timestamp, the highest level of date certification recognised across all EU Member States. This article deciphers this mechanism, its technical requirements, its legal scope and the concrete situations in which it becomes indispensable.

What is a qualified timestamp under eIDAS?

Definition and levels of timestamping

Regulation eIDAS distinguishes between two categories of electronic timestamping:

• Simple electronic timestamp: any data in electronic form associating a date and time with other data. It benefits from a rebuttable presumption of reliability (Art. 41 eIDAS).
• Qualified timestamp: a higher level, issued by a Qualified Trust Service Provider (QTSP) registered on a national trust list under supervision. It benefits from a legal presumption of accuracy of the date and time and integrity of the timestamped data (Art. 42 eIDAS).

This distinction is fundamental: a qualified timestamp is presumed accurate until proven otherwise, which reverses the burden of proof in the event of a dispute. To learn more about the different levels of trust provided for in this text, consult our comprehensive guide to eIDAS Regulation 2.0.

The technical requirements for a qualified timestamp

To be qualified under eIDAS, a timestamp must meet strict criteria defined in Article 42 of the regulation:

1. Link the date and time to the data in a way that reasonably excludes any possibility of undetectable modification.
2. Be based on an accurate time source linked to Coordinated Universal Time (UTC), traceable and in compliance with ETSI EN 319 421 and EN 319 422 standards.
3. Be signed using an advanced electronic signature or advanced electronic seal by the qualified QTSP, or via an equivalent method.

In practice, the service provider receives a cryptographic hash of the document, applies a signed timestamp to it, and returns a timestamp token (TST) compliant with RFC 3161 protocol. This process never transmits the document's content to the service provider — only its hash — thus guaranteeing data confidentiality.

Trust lists and national supervision

In France, ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) is the supervisory authority that maintains the list of qualified service providers. This list is published in signed XML format and integrated into the European trust list (EU Trusted List) accessible via the European Commission's eIDAS portal. Any service provider listed there has undergone rigorous compliance auditing in accordance with ETSI EN 319 401 (general requirements) and ETSI EN 319 421 (policy profile for qualified TSAs).

When evaluating an electronic signature solution for your business, verifying that the service provider integrates a qualified timestamp — rather than a simple internal timestamp — is a decisive selection criterion.

Why is qualified timestamp crucial for date proof?

Date in the digital evidence chain

A qualified electronic signature proves who signed and that the document has not been modified. But it does not prove when the signature was affixed, unless it is accompanied by a qualified timestamp. This distinction becomes particularly important in several scenarios:

• Proof of invention priority: to establish that a patent or know-how existed before a specific date.
• Compliance with a contractual deadline: to demonstrate that a contract was signed before the expiry of an offer.
• Long-term evidential archiving: the cryptographic validity of a signature can expire with the obsolescence of algorithms (signature ageing phenomenon). A qualified timestamp would allow the document to be "re-timestamped" and extend its evidential value.

Signature ageing and re-timestamping

Cryptographic algorithms evolve. A signature certificate based on RSA-2048, considered secure in 2015, could be judged insufficient by 2030 with the rise of quantum computing. Evidential archiving relies on the practice of re-timestamping: before the presumed expiration of algorithm robustness, a new qualified timestamp is applied to the whole (document + signature + previous timestamp), creating an unbroken chain of trust.

This approach is standardised in ETSI EN 319 102-2 (verification procedures for advanced and qualified signatures) and recommended for any document that must be retained for more than 10 years — notarial acts, long-term commercial contracts, medical records or regulatory documents.

European interoperability and mutual recognition

One of the major strengths of eIDAS qualified timestamp lies in its automatic recognition throughout all 27 Member States (Art. 41.3 eIDAS). A qualified timestamp issued by a French QTSP has the same legal effects in Germany, Spain or Poland. This legal portability is particularly valuable for companies operating on cross-border European markets, which sign contracts with partners in several countries. To compare the different approaches available on the market, our comparison of electronic signature solutions provides detailed analysis.

Integration of qualified timestamp into an electronic signature workflow

Architecture of a compliant workflow

In a qualified electronic signature (QES) process, the timestamp is integrated at several levels of the signed document, according to ETSI formats defined for long-term signatures:

• XAdES-LTA format (XML Advanced Electronic Signatures – Long-Term Archive): for XML documents.
• PAdES-LTA format (PDF Advanced Electronic Signatures – Long-Term Archive): for PDFs, the most common format in business.
• CAdES-LTA format (CMS Advanced Electronic Signatures – Long-Term Archive): for generic binary files.

The LTA (Long-Term Archive) suffix designates precisely the level that incorporates a qualified timestamp and the revocation data necessary for future verification, even after certificate expiry.

The role of the SaaS signature platform

In a SaaS solution like Certyneo, the integration of qualified timestamp is transparent to the end user. The platform:

1. Generates the cryptographic hash of the finalised document.
2. Sends this hash to the partner qualified TSA (Time Stamping Authority) via a secure connection.
3. Receives the signed timestamp token (TST).
4. Incorporates the TST into the PDF/A file according to PAdES-LTA format.
5. Stores the whole in a secure archiving environment, itself auditable.

The user thus has a document whose date of signature completion is certified and verifiable by any third party, without dependence on the infrastructure of the platform that carried out the signature. This independence of verification is a criterion of excellence often underestimated during tender calls. If you are considering switching service providers, our guide to migration from DocuSign or YouSign to Certyneo details the technical points of vigilance to anticipate.

Verification and auditability

Any document incorporating a qualified PAdES-LTA timestamp can be verified free of charge via open source tools (European Commission's DSS Library) or online validators compliant with eIDAS. Verification confirms:

• The signer's identity (qualified certificate).
• Document integrity (no post-signature modification).
• The certified date and time (valid TST token, TSA on trust list).
• Non-revocation of the certificate at the time of signature.

This complete traceability is a decisive advantage for legal teams who must regularly produce documentary evidence as part of litigation or regulatory audits.

Legal framework applicable to qualified timestamp

Regulation eIDAS No. 910/2014

Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014, known as the eIDAS Regulation, is the legal foundation for qualified timestamp in Europe. Its key provisions are:

• Article 3(34): defines electronic timestamp as "data in electronic form that associates other data in electronic form with a particular moment and establishes evidence that those latter data existed at that moment".
• Article 41: grants simple electronic timestamps a rebuttable presumption of accuracy.
• Article 42: sets out the conditions for the qualification of a timestamp (traceable UTC source, signature by qualified QTSP, cryptographic link with data).
• Article 42(2): confers on the qualified timestamp a legal presumption of accuracy of the date and time and integrity of the associated data. This presumption applies before any court of the EU without requiring additional evidence.

The eIDAS 2.0 Regulation (EU Regulation 2024/1183, progressively entering into force from 2024) strengthens these provisions by extending the framework to European digital identity wallets (EUDIW), without undermining the fundamentals of qualified timestamp.

French Civil Code — Articles 1366 and 1367

In French law, Article 1366 of the Civil Code states that "the electronic writing has the same evidential force as writing on paper, provided that the person from whom it emanates can be duly identified and that it is established and preserved in conditions such as to guarantee its integrity". Article 1367 clarifies the conditions for reliable electronic signature. Qualified timestamp directly contributes to satisfying the condition of integrity and certified dating required by these texts.

Furthermore, Decree No. 2017-1416 of 28 September 2017 on electronic signature explicitly refers to the eIDAS Regulation to define the levels of signature acceptable before French courts.

Storage obligations and GDPR

The Regulation (EU) 2016/679 (GDPR), applicable to any processing of personal data, imposes appropriate technical security measures (Art. 32). Qualified timestamp, by guaranteeing the integrity and dating of processed data, contributes to GDPR compliance in document workflows involving personal data.

Certain sectors impose specific legal retention periods: 5 years for commercial contracts (Art. L.110-4 of the Commercial Code), 10 years for civil records, 20 years for certain medical documents. For such long-term archiving, the absence of qualified timestamp and periodic re-timestamping constitutes a major legal risk: the document could lose its evidential value before the expiry of the legal retention period.

ETSI reference standards

• ETSI EN 319 421: policy and security requirements for qualified TSAs (Time Stamping Authorities).
• ETSI EN 319 422: timestamp token profile.
• ETSI EN 319 102-1/2: procedures for creation and verification of advanced and qualified signatures, incorporating timestamp.
• ETSI EN 319 132 (XAdES) and EN 319 122 (CAdES): long-term signature formats.

Use cases: when is qualified timestamp decisive?

Scenario 1 — Corporate law firm managing contentious cases

A corporate law firm of about fifteen lawyers, specialising in B2B contractual disputes, uses qualified electronic signature for its court pleadings, fee agreements and sensitive correspondence. In the context of litigation concerning the date of acceptance of a commercial offer, the opposing party disputes that the signature of its client is prior to the expiry of the deadline stipulated in the offer.

Thanks to the qualified timestamp integrated into the PAdES-LTA document, the firm produces a timestamp token issued by a QTSP registered on the French trust list. The certified date — to the second — is verifiable independently by the judge and the expert witness. The legal presumption of Article 42 eIDAS applies: the burden of proof to the contrary now rests with the opposing party. The case is resolved without costly expert appraisal, saving approximately 15 to 25 days of proceedings according to usual estimates for this type of dispute.

Scenario 2 — SME industrial company managing a supplier contract portfolio

An industrial SME managing approximately 300 supplier contracts per year — NDAs, general terms of purchase, price amendments — seeks to secure its document archiving in the context of an overhaul of its ERP system. The company wishes to maintain evidential value of its contracts for a minimum of 10 years, in accordance with its legal obligations and the requirements of its insurer.

By deploying an electronic signature solution integrating qualified timestamp and PAdES-LTA format, the SME automatically creates long-term evidential archives. An internal audit conducted 18 months after deployment reveals a 40% reduction in time spent on document searching and reconstruction during supplier audits, and an almost complete elimination of disputes related to disagreements over the effective date of price amendments. Human resources teams benefit from the same advantage for employment contracts and amendments, with enhanced compliance during labour inspections.

Scenario 3 — Healthcare establishment and archiving of patient consent

An intermediate-sized hospital group (approximately 600 beds) is dematerialising its informed consent forms for surgical procedures and clinical trials. The applicable regulations (Art. L.1111-4 of the French Public Health Code, Regulation (EU) 536/2014 on clinical trials) require not only traceability of consent but also certainty of its dating prior to the medical procedure.

The integration of qualified timestamp into the consent signature workflow ensures that the consent date is certified and incontestable, even in the event of inspection by health authorities (HAS, ANSM) or medical litigation. For this sector, electronic signature solutions adapted to healthcare must necessarily integrate this qualified timestamp to meet specific regulatory requirements. Establishments that have deployed this type of solution generally report a reduction of 60 to 70% in time spent on administrative consent management compared to a paper process, according to benchmarks published by associations of healthcare facility directors.

Conclusion

Qualified eIDAS timestamp is not just a digital seal: it is a strong legal presumption, recognised throughout the European Union, that transforms the date of an electronically signed document into evidence enforceable before any court. By relying on supervised QTSPs, rigorous ETSI standards and long-term archiving formats (PAdES-LTA), it provides legal certainty that neither an internal server timestamp nor a simple file metadata can match.

For companies that sign contracts, manage sensitive files or must retain documentary evidence over several years, integrating qualified timestamp into their signature workflow is no longer an option — it is a requirement of sound legal practice.

Certyneo natively integrates qualified timestamp into each qualified electronic signature issued on its platform. Discover how to secure your documentary evidence by starting your free trial or by consulting our transparent pricing.