Electronic Signature Service Provider Obligations in France

eIDAS Qualification, GDPR Compliance, ANSSI Requirements: Electronic signature service providers face a demanding legal framework. Discover all the obligations you must comply with.


Certyneo Team

Writer, Certyneo


Introduction

Deploying an electronic signature solution in France is not something to be done lightly. Behind every qualified signature, and every advanced signature backed by a qualified certificate, lie dozens of legal obligations incumbent upon the Qualified Trust Service Provider (QTSP). The eIDAS Regulation, the GDPR, the French General Security Framework (RGS), the ETSI standards: the regulatory framework is both dense and evolving. For enterprises that rely on these services, understanding these obligations is essential to choose a compliant partner and avoid legal risk. This article details, section by section, the requirements applicable to QTSPs operating on French territory.

---

The status of qualified trust service provider

What is a QTSP under eIDAS?

Regulation (EU) No 910/2014 (eIDAS) distinguishes two categories of trust service providers: non-qualified providers and qualified trust service providers (QTSPs). The former may offer simple or advanced electronic signature services without a mandatory third-party conformity assessment. The latter, the only providers permitted to issue the qualified certificates on which a qualified electronic signature (Article 3(12) of eIDAS) rests, must satisfy considerably stricter requirements.

In France, the French National Cybersecurity Agency (ANSSI) fulfils the role of supervisory body provided for by Article 17 of eIDAS. It publishes and maintains the French trusted list (TSL), accessible on its official website and referenced from the European Commission's List of Trusted Lists (LOTL), which lists the qualified providers and the services for which each of them is qualified.

The qualification procedure: audit and compliance

To obtain qualified status, a provider must:

  • Have its services audited by a Conformity Assessment Body (CAB) accredited by COFRAC, in accordance with EN ISO/IEC 17065, against the requirements of the Regulation.
  • Notify ANSSI of its intention to provide a qualified trust service and submit the conformity assessment report (Article 21 eIDAS); ANSSI verifies compliance and grants qualified status. The provider must then be re-audited, at its own expense, at least every 24 months (Article 20(1) eIDAS).
  • Inform ANSSI of any change in the provision of its qualified services and of any intention to cease them (Article 24(2)(a) eIDAS), so that the status can be reassessed where the change affects the audited scope.

Failure to follow these steps exposes the provider to removal from the trusted list and to loss of the legal presumptions attached to qualified signature. For client enterprises this is the decisive check: a signature produced with a provider that does not appear on a trusted list with the status "granted" for the relevant service benefits from no presumption of reliability.
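The check described above (is the provider on a trusted list, and with which status) can be automated, because national trusted lists are published as XML in the ETSI TS 119 612 format. The following Python is an added example, not code from Certyneo or from ANSSI: it parses a constructed two-provider fragment in that schema (provider names, service names and dates are fictitious; the signing certificates and qualification extensions of a real list are omitted) and answers whether a provider held the status "granted" for a qualified service at a given time, which is the question a verifier must ask at signing time rather than today. It assumes the list has already been downloaded and its XML signature verified against the certificate published in the List of Trusted Lists; parsing alone proves nothing.

```python
"""Check a provider's qualified status in an ETSI TS 119 612 trusted list."""
from dataclasses import dataclass
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}  # TS 119 612 XML namespace

# Service type and status URIs as defined in ETSI TS 119 612 (real values).
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"        # CA issuing qualified certificates
TSA_QTST = "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST"  # qualified timestamping authority
QUALIFIED_TYPES = {CA_QC, TSA_QTST}
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"

# Constructed sample in the TS 119 612 schema: names and dates are fictitious;
# signing certificates and qualification extensions of a real list are omitted.
SAMPLE_TSL = f"""<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#"><TrustServiceProviderList>
 <TrustServiceProvider>
  <TSPInformation><TSPName><Name xml:lang="en">Example Trust SA</Name></TSPName></TSPInformation>
  <TSPServices>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>{CA_QC}</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified CA G2</Name></ServiceName>
    <ServiceStatus>{GRANTED}</ServiceStatus><StatusStartingTime>2021-03-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation></TSPService>
   <TSPService><ServiceInformation>
    <ServiceTypeIdentifier>{TSA_QTST}</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified TSA</Name></ServiceName>
    <ServiceStatus>{GRANTED}</ServiceStatus><StatusStartingTime>2021-03-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation></TSPService>
  </TSPServices>
 </TrustServiceProvider>
 <TrustServiceProvider>
  <TSPInformation><TSPName><Name xml:lang="en">Acme Certs SAS</Name></TSPName></TSPInformation>
  <TSPServices><TSPService>
   <ServiceInformation>
    <ServiceTypeIdentifier>{CA_QC}</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Acme Qualified CA</Name></ServiceName>
    <ServiceStatus>{WITHDRAWN}</ServiceStatus><StatusStartingTime>2023-06-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation>
   <ServiceHistory><ServiceHistoryInstance>
    <ServiceTypeIdentifier>{CA_QC}</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Acme Qualified CA</Name></ServiceName>
    <ServiceStatus>{GRANTED}</ServiceStatus><StatusStartingTime>2019-01-01T00:00:00Z</StatusStartingTime>
   </ServiceHistoryInstance></ServiceHistory>
  </TSPService></TSPServices>
 </TrustServiceProvider>
</TrustServiceProviderList></TrustServiceStatusList>"""


@dataclass
class Service:
    provider: str
    name: str
    type_uri: str
    history: list  # (status_uri, starting_time) pairs, most recent first


def _text(el, path):
    node = el.find(path, NS)
    return (node.text or "").strip() if node is not None else ""


def _when(value):
    """Parse a TL dateTime string; None means 'now'."""
    if value is None:
        return datetime.now(timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_trusted_list(xml_text):
    """Return every TSPService in the list together with its status history."""
    root = ET.fromstring(xml_text)
    services = []
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        provider = _text(tsp, "tsl:TSPInformation/tsl:TSPName/tsl:Name")
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService", NS):
            current = svc.find("tsl:ServiceInformation", NS)
            # Current status plus every earlier status from ServiceHistory.
            entries = [current] + svc.findall("tsl:ServiceHistory/tsl:ServiceHistoryInstance", NS)
            history = sorted(((_text(e, "tsl:ServiceStatus"), _when(_text(e, "tsl:StatusStartingTime")))
                              for e in entries), key=lambda h: h[1], reverse=True)
            services.append(Service(provider, _text(current, "tsl:ServiceName/tsl:Name"),
                                    _text(current, "tsl:ServiceTypeIdentifier"), history))
    return services


def status_at(service, at=None):
    """Status URI in force at ISO time `at` (None = now); None if the service
    did not yet exist. A signature is judged by the status at signing time."""
    when = _when(at)
    for status, since in service.history:
        if since <= when:
            return status
    return None


def qualified_services(services, provider, at=None):
    """Names of `provider`'s services that were granted qualified status at `at`."""
    return [s.name for s in services if s.provider == provider
            and s.type_uri in QUALIFIED_TYPES and status_at(s, at) == GRANTED]
```

To run it against a real list, replace SAMPLE_TSL with the downloaded file; parse untrusted input with defusedxml rather than the standard parser, and also check the list's NextUpdate element, since an expired list is no evidence either. Note that "Acme Certs SAS" is still present in the list after withdrawal: a signature made under that CA in 2022 remains qualified, one made in 2024 does not.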


---

Technical and security obligations imposed on QTSPs

Compliance with ETSI standards

Qualified providers must comply with a set of European standards published by the European Telecommunications Standards Institute (ETSI). The main ones are:

  • ETSI EN 319 401: general policy and security requirements applicable to all trust service providers.
  • ETSI EN 319 411-1 and 411-2: policy and security requirements for certification authorities issuing certificates, Part 2 covering qualified certificates.
  • ETSI EN 319 122: CAdES, the advanced electronic signature format built on CMS.
  • ETSI EN 319 132: XAdES, the advanced electronic signature format for XML.
  • ETSI EN 319 142: PAdES, the advanced electronic signature format for PDF.
  • ETSI TS 119 431: policy and security requirements for service components operating a remote QSCD (Part 1) and supporting signature creation (Part 2).

These standards are not optional in practice: eIDAS states its requirements in technology-neutral terms (Article 24 for QTSPs, Annex I for qualified certificates, Annex II for signature creation devices) and conformity assessment bodies audit providers against the ETSI standards that implement them. The Regulation also allows the Commission to reference such standards in implementing acts, with compliance then giving a presumption of conformity (Article 24(5)).

Management of qualified signature creation devices (QSCD)

One of the cornerstones of qualified signature is the use of a Qualified Signature Creation Device (QSCD) meeting Annex II of eIDAS and certified under Article 30. The provider must ensure that:

  • The signatory's private key (the signature creation data) is generated and held in the QSCD and cannot, with reasonable assurance, be derived from the signatures it produces; where the QTSP manages the key on the signatory's behalf, it may duplicate it only for backup, under the conditions of Annex II(4).
  • Key generation takes place in a certified environment (Common Criteria evaluation, typically EAL 4+, against the protection profiles referenced by Commission Implementing Decision (EU) 2016/650, or an equivalent national certification).
  • The key is reliably protected against use by anyone other than the signatory (sole control): in a remote signing setting this means authenticating the signatory before each signature at sole control assurance level 2 (CEN EN 419 241-1), in practice with two authentication factors.

In a remote signature context, increasingly prevalent in SaaS environments, these requirements apply to the server-side system hosting the keys: a Hardware Security Module (HSM) and a signature activation module, certified against the CEN protection profiles EN 419 221-5 (cryptographic module for trust services) and EN 419 241-2 (QSCD for server signing).

Continuity and incident notification policy

Article 19 of eIDAS requires every trust service provider, qualified or not, to take appropriate technical and organisational measures against the risks to its services and, in particular, to:

  • Notify the supervisory body (ANSSI) and, where applicable, the data protection authority (CNIL), without undue delay and in any event within 24 hours of becoming aware of a breach of security or loss of integrity with a significant impact on the service or on the personal data it holds; the persons affected must also be informed where the breach is likely to adversely affect them (Article 19(2)).
  • Maintain a documented and regularly tested business continuity plan (EN 319 401, business continuity management).
  • Have a formalised information security policy covering in particular risk assessment, incident management, collection of evidence and backup (EN 319 401).

These requirements partially overlap with those of the NIS2 Directive ((EU) 2022/2555), which classifies qualified trust service providers as essential entities and non-qualified trust service providers as important entities regardless of their size (Article 3), subjecting them to enhanced cybersecurity risk management and incident reporting obligations. France transposes NIS2 through its law on the resilience of critical infrastructure and the strengthening of cybersecurity.


---

GDPR-specific obligations for QTSPs

Is the QTSP a controller or processor?

The GDPR qualification of the provider depends on the nature of the service rendered:

  • When the QTSP directly issues qualified certificates in the signatory's name and determines the purposes of personal data processing (identity, biometric authentication data), it acts as a controller within the meaning of Article 4(7) GDPR.
  • When it integrates its API into a B2B client's platform and processes personal data solely on that client's instructions, it acts as a processor (Article 4(8) GDPR) and must conclude with the client a data processing agreement (DPA) meeting Article 28 GDPR.

In practice, most SaaS QTSPs combine both roles: controller for managing their own certification infrastructure, processor for processing signatory documents and metadata.

The identification and authentication of the signatory, a mandatory step before a qualified certificate is issued, often involves sensitive data: a scan of an identity document, a video selfie, facial recognition data. All of it is personal data subject to the GDPR; where facial recognition is used to match the person to the document, it is biometric data within the meaning of Article 9 GDPR (special categories).

The QTSP's obligations include:

  • Legal basis: an Article 6 basis for the identification processing as a whole and, for biometric data, the signatory's explicit consent (Article 9(2)(a) GDPR), collected and evidenced before the biometric step runs.
  • Limited retention period: under CNIL guidance, identification data is kept only for the time strictly necessary, in practice aligned with the certificate's validity period plus the period during which the signature may have to be proven (the general limitation period is 5 years under Article 2224 of the Civil Code; specific regimes may be longer).
  • Mandatory data protection impact assessment (DPIA, Article 35 GDPR) as soon as the processing is likely to entail a high risk, which is systematically the case for biometric identification.
  • Record of processing activities (Article 30 GDPR), kept up to date and documenting each category of processing.

International data transfers

Many QTSPs host all or part of their infrastructure outside the European Economic Area (EEA). In that case the safeguards of Chapter V of the GDPR apply: an adequacy decision, the European Commission's standard contractual clauses (SCCs) or binding corporate rules (BCRs). The Schrems II judgment (CJEU, C-311/18, 16 July 2020) invalidated the EU-US Privacy Shield and requires, for transfers relying on SCCs, a prior assessment of the destination country's law and of any supplementary measures needed (a transfer impact assessment); since 10 July 2023 the EU-US Data Privacy Framework adequacy decision covers transfers to US organisations certified under it. For a QTSP the practical question is where the signatory identification data and the signature keys are held, since those are the data a transfer would expose.


---

Transparency and user information obligations

Certification Policy (CP) and Certification Practice Statement (CPS)

Every QTSP issuing certificates must publish a Certification Policy (CP) and a Certification Practice Statement (CPS), structured in accordance with ETSI EN 319 411 (which follows the RFC 3647 outline). These publicly accessible documents detail:

  • Procedures for identifying and registering signatories.
  • Physical and logical security measures deployed.
  • Conditions for certificate revocation and associated timescales.
  • The QTSP's responsibilities and limitations of liability.

The absence or incompleteness of these documents constitutes non-compliance that may be noted during the re-qualification audit by the accredited body.

Pre-contractual and contractual client information

Beyond purely technical obligations, Article 13 of GDPR requires the QTSP to provide to each person whose data is collected clear and accessible information on:

  • The identity of the controller and the contact details of the data protection officer (DPO), whose appointment is mandatory where the core activity involves large-scale processing of special-category data (Article 37 GDPR).
  • The purposes and legal bases of each processing.
  • Rights of individuals (access, rectification, erasure, portability, objection).
  • Any data recipients (processors, authorities).

This information must appear in the service's privacy policy, in the terms and conditions and, where applicable, in the DPA concluded with professional clients.

Qualified timestamping and audit trail

To guarantee the long-term probative value of signatures, QTSPs systematically associate a qualified electronic timestamp (Article 42 eIDAS) with each signed document. A qualified timestamp enjoys a presumption of accuracy of the date and time it indicates and of the integrity of the data it binds (Article 41(2) eIDAS). Retaining the audit trail (identification logs, document hash, signature data and timestamp tokens) is a de facto obligation, since a later judicial verification will need to recompute the hash of the retained document and compare it with what was signed and timestamped.
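What such a trail has to support can be shown with an added example (not Certyneo's code; the hash-chaining of entries is this example's own design choice rather than a requirement stated in the text): each entry records only digests of the evidence (document, signature value, timestamp token) together with the signer reference and the time asserted by the timestamp, and hashes the previous entry so that a deleted or edited record breaks the chain. Document contents, signature values and timestamp-token bytes below are constructed placeholders, not real signatures or RFC 3161 tokens.

```python
"""Tamper-evident audit trail for electronic signature events (added example)."""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_digest(entry: dict) -> str:
    """Canonical JSON over every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_entry(trail: list, event: str, signer_id: str, document: bytes,
                 signature: bytes, timestamp_token: bytes, event_time: str) -> dict:
    """Record an event; the log keeps digests of the evidence, not the evidence itself."""
    entry = {
        "seq": len(trail),
        "event": event,                      # e.g. "identification", "signature"
        "signer_id": signer_id,              # reference to the identification record
        "event_time": event_time,            # time asserted by the qualified timestamp
        "document_sha256": sha256_hex(document),
        "signature_sha256": sha256_hex(signature),
        "tst_sha256": sha256_hex(timestamp_token),  # digest of the timestamp token
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
    }
    entry["entry_hash"] = _entry_digest(entry)
    trail.append(entry)
    return entry


def verify_trail(trail: list):
    """(True, None) if every entry re-hashes and chains to its predecessor,
    otherwise (False, index of the first entry that fails)."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if (entry["seq"] != i or entry["prev_hash"] != prev
                or _entry_digest(entry) != entry["entry_hash"]):
            return False, i
        prev = entry["entry_hash"]
    return True, None


def verify_document(trail: list, seq: int, document: bytes) -> bool:
    """Does the retained document still match what was recorded at entry `seq`?"""
    return 0 <= seq < len(trail) and trail[seq]["document_sha256"] == sha256_hex(document)


def build_demo_trail() -> list:
    """Constructed sample: one signatory signs two contracts; all bytes are placeholders."""
    trail = []
    append_entry(trail, "signature", "signer-0001", b"CONTRACT-A v1 ...",
                 b"sig-A", b"TST-A", "2024-05-02T09:15:00Z")
    append_entry(trail, "signature", "signer-0001", b"CONTRACT-B v1 ...",
                 b"sig-B", b"TST-B", "2024-05-02T09:20:00Z")
    return trail
```

The chain only proves that the log is internally consistent; to prove it existed in that form at a given date, the latest entry_hash itself should periodically be covered by a qualified timestamp, which is exactly what the text's Article 41(2) presumption then attaches to.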


---

eIDAS 2.0: new obligations on the horizon for 2026-2027

Regulation eIDAS 2.0 (EU) 2024/1183

Published in the Official Journal of the EU on 30 April 2024, Regulation (EU) 2024/1183, known as "eIDAS 2.0", amends Regulation 910/2014 and significantly strengthens QTSP obligations along three axes:

  • The European Digital Identity Wallet (EUDI Wallet): Member States must make available a certified digital identity wallet within 24 months of the entry into force of the implementing acts, that is by the end of 2026. QTSPs wishing to offer qualified signatures to wallet holders will need to integrate their service with it.
  • Management of attribute attestations: eIDAS 2.0 introduces Qualified Electronic Attestations of Attributes (QEAAs), issued by qualified attestation providers. New audit and qualification procedures will apply to them.
  • Strengthening of supervision: national supervisory bodies (ANSSI for France) see their powers enlarged, in particular the ability to initiate unannounced audits and to impose binding corrective measures within shortened timescales.

Practical implications for current providers

QTSPs already qualified under eIDAS 1.0 will need to proceed with progressive compliance before the deadlines set by Commission implementing acts (published or in progress). The main adaptations concern:

  • Overhaul of identification infrastructure to support the EUDI Wallet as an authentication means.
  • Update of CP/CPS to integrate new certificate and attestation typologies.
  • Strengthening of remote QSCD security requirements, with new protection profiles forthcoming.

For client enterprises, this means verifying from today that their provider has a documented and verifiable eIDAS 2.0 compliance roadmap.

---

The applicable legal and normative framework

The normative chain applicable to electronic signature service providers operating in France is structured across several complementary hierarchical levels.

French Civil Code — Articles 1366 and 1367

Article 1366 of the Civil Code recognises electronic documents as equivalent proof to paper documents, provided that "the person from whom it emanates can be duly identified and it is drawn up and kept in conditions such as to guarantee its integrity". Article 1367 provides that an electronic signature "consists in the use of a reliable identification procedure guaranteeing its link with the act to which it is attached", and that the reliability of that procedure is presumed, until proven otherwise, under conditions set by decree. Decree No. 2017-1416 of 28 September 2017 reserves this presumption to qualified electronic signatures within the meaning of eIDAS: the party contesting such a signature bears the burden of proving it unreliable, whereas for a simple or advanced signature the party relying on it must prove its reliability.

Regulation eIDAS No. 910/2014/EU

This Regulation, directly applicable in all Member States, establishes the legal framework for trust services. Its Article 26 defines the requirements for advanced electronic signatures, Article 28 those for qualified certificates, and Annex I the mandatory content of those certificates. A qualified electronic signature has the equivalent legal effect of a handwritten signature and is recognised as such in every Member State (Article 25(2) and (3)); compliance with the Regulation's requirements is presumed where the provider's systems and products meet the standards referenced in Commission implementing acts (Article 24(5)). Both are major assets in the event of a dispute.

Regulation eIDAS 2.0 — (EU) 2024/1183

Published on 30 April 2024 and in force since 20 May 2024, this amending Regulation introduces new categories of trust services (qualified electronic attestations of attributes, qualified electronic archiving, electronic ledgers) and strengthens supervision. It does not repeal Regulation 910/2014: it amends it, with the new provisions becoming applicable progressively according to the Commission's implementing acts.

GDPR — Regulation (EU) 2016/679

The GDPR applies to any processing of personal data carried out as part of an electronic signature service. Articles 5 (principles), 6 (lawfulness of processing), 9 (special categories of data), 13-14 (information), 28 (processors), 32 (security), 33-34 (breach notification), 35 (DPIA) and 37 (DPO) are the most frequently applicable provisions. The CNIL is the competent supervisory authority in France and may impose fines of up to €20 million or 4% of annual worldwide turnover (Article 83(5) GDPR).

NIS2 Directive — (EU) 2022/2555

NIS2 classifies qualified trust service providers as essential entities and non-qualified trust service providers as important entities, regardless of their size (Article 3). Both are subject to cybersecurity risk management obligations (Article 21) and to incident notification to the competent authority, ANSSI in France, with an early warning within 24 hours, an incident notification within 72 hours and a final report within one month (Article 23). France transposes the Directive through its law on the resilience of critical infrastructure and the strengthening of cybersecurity.

ETSI Standards

The EN 319 401, EN 319 411-1/2, EN 319 122 (CAdES), EN 319 132 (XAdES), EN 319 142 (PAdES) and TS 119 431 standards together form the technical reference against which the conformity assessment body audits a provider. A provider that does not meet them cannot in practice obtain or keep qualified status.

Legal risks in case of non-compliance

A non-compliant provider faces: removal from the French trusted list, contractual and tort liability, CNIL administrative sanctions, NIS2 administrative fines of up to €10 million or 2% of worldwide annual turnover for essential entities and up to €7 million or 1.4% for important entities (Article 34 NIS2), and court proceedings from clients who have suffered loss because their signatures lacked the expected legal effect.

Use cases: how enterprises verify their QTSP's compliance

Scenario 1 — An industrial group managing 3,000 supplier contracts per year

A medium-sized industrial group (SME), active in mechanical equipment manufacturing, dematerialises all its supplier contracts via a SaaS electronic signature platform. During an internal audit triggered by regulatory change, the legal team discovers that the selected provider — initially chosen on price — is listed neither on the French TSL nor on any European TSL. The signatures issued are of "simple" type without robust signatory identification mechanism.

Faced with legal risk, since every signed contract could see its probative value contested in a dispute, the company initiates a migration towards an ANSSI-qualified QTSP. The new solution provides advanced signature with a qualified certificate, qualified timestamping and an exportable audit trail. The migration project, completed in under 8 weeks, secures all new acts and establishes a compliant document policy. The legal teams estimate that the contentious risk linked to the old contracts remains marginal, since they were performed without contest, while all new signatures are now covered.

Observed gains: 60% reduction in potential disputes related to signature authenticity, and 3.5-day average gain in signature deadline for complex contracts thanks to workflow validation automation.

Scenario 2 — A law firm of 25 lawyers specialising in business law

A law firm wishing to digitalise the signature of mandates, consultations and court documents evaluates several providers. Its analysis grid integrates the following criteria: presence on TSL, publication of accessible CP/CPS, existence of GDPR-compliant DPA, availability of reachable DPO and certification of remote QSCDs.

Of five evaluated providers, only two satisfy all criteria. The firm ultimately selects a QTSP natively offering qualified signature via remote QSCD, guaranteeing the presumption of reliability under Article 1367 of the Civil Code. Implementation takes 3 weeks, training included. Result: 75% of mandates are now signed within less than 24 hours versus 5 to 7 days previously (postal sending), and the firm can demonstrate to its clients the level of legal security offered by the solution — a differentiating argument in its commercial proposals.

Scenario 3 — A hospital group of approximately 1,200 beds

A public hospital group wishes to dematerialise employment contracts, internship agreements and partnership conventions with partner care establishments. The sensitivity of processed data (healthcare professionals' health data, HR data) requires particular vigilance regarding the QTSP's GDPR obligations.

The IT department and the establishment's DPO require: data hosting in France with a certified HDS (Health Data Hosting facility, certification provided for by Article L.1111-8 of the Public Health Code), no transfer outside the EEA, documented DPIA for signatory identification processing, and DPA signed before any production deployment.

After selecting a QTSP meeting these criteria, deployment initially covers HR contracts (approximately 800 documents per year). The average signature deadline for fixed-term contracts falls from 9 days to less than 48 hours, freeing significant capacity for human resources teams. The establishment has moreover complete traceability of consents collected, audited annually by its DPO.

Conclusion

The legal obligations weighing on electronic signature service providers in France form a demanding normative corpus: eIDAS qualification, GDPR compliance, conformity with the ETSI standards, NIS2 obligations and the imminent adaptation to eIDAS 2.0. For enterprises that rely on them, verifying the compliance of their QTSP is not optional: it is a sine qua non condition for the probative value of signed documents and for the protection of signatories' personal data.

Certyneo is an electronic signature service provider designed to meet all these requirements: eIDAS compliance, GDPR by design, sovereign hosting and documented eIDAS 2.0 roadmap. Ready to secure your signatures in full compliance? Contact us today and benefit from personalised support from day one.
