
Electronic Signature Service Provider Obligations France

eIDAS qualification, GDPR compliance, ANSSI requirements: electronic signature service providers face a demanding legal framework. Discover all the obligations to comply with.

Certyneo Team · 14 min read


Introduction

Deploying an electronic signature solution in France is not something to be improvised. Behind every qualified or advanced signature lies dozens of legal obligations incumbent upon the Trust Service Provider (TSP). The eIDAS Regulation, GDPR, general security framework, ETSI standards… the regulatory landscape is both dense and evolving. For end-user companies, understanding these legal obligations for electronic signature service providers in France — eIDAS, GDPR — is essential in order to choose a compliant partner and avoid any legal risk. This article details, section by section, all the requirements applicable to TSPs operating in French territory.

---

The status of qualified trust service provider

What is a TSP under eIDAS?

Regulation eIDAS No 910/2014 distinguishes two categories of service providers: non-qualified trust service providers and qualified service providers (QTSP). The former may offer simple or advanced electronic signature services without mandatory third-party audit. The latter — alone authorised to deliver qualified signatures within the meaning of Article 3(15) of eIDAS — must satisfy considerably stricter requirements.

In France, it is the National Cybersecurity Agency (ANSSI — Agence nationale de la sécurité des systèmes d'information) that fulfils the role of supervisory authority (« Supervisory Body ») as provided for in Article 17 of eIDAS. It publishes and maintains the French Trust List (TSL — Trust Service List), accessible on its official website, listing qualified service providers and their services.

The qualification procedure: audit and compliance

To obtain qualified status, a TSP must:

  • Have its services audited by a Conformity Assessment Body (CAB) accredited by COFRAC in accordance with the EN ISO/IEC 17065 standard.
  • Submit the audit report to ANSSI, which decides on the granting of qualified status. This status is re-evaluated at least every 24 months (Article 20 §1 eIDAS).
  • Notify ANSSI of any substantial change to its services within 3 months before the planned modification (Article 21 eIDAS).

Failure to follow these steps exposes the service provider to removal from the TSL and loss of the legal presumptions attached to the qualified signature. For client companies, using a TSP not listed on the TSL amounts to receiving no legal presumption of reliability whatsoever.
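A client company can make the TSL check described above mechanical rather than manual. The following is an added example, not Certyneo's code: it parses a constructed fragment shaped like an ETSI TS 119 612 trusted list, looks up a provider by name, and reports whether it declares a qualified-certificate CA service with "granted" status and whether the list itself is still within its NextUpdate window. The namespace, service-type and status URIs are the ETSI ones as known to the author of this example and are assumptions to be verified against the list ANSSI actually publishes.

```python
"""Check a provider's status on a trusted list (TSL).

Added example, not Certyneo's code. SAMPLE_TSL is a constructed fragment in
the shape of an ETSI TS 119 612 trusted list; the namespace, service-type
and status URIs are the ETSI ones as the author of this example knows them
and should be verified against the list actually published by ANSSI.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
# Service type for a CA issuing qualified certificates, and the two
# service statuses the check below distinguishes (assumed ETSI URIs).
QC_CA_TYPE = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
STATUS_WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"

# Constructed sample: one provider with a granted CA/QC service, one whose
# qualification has been withdrawn. Neither is a real provider.
SAMPLE_TSL = f"""<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
  <SchemeInformation>
    <ListIssueDateTime>2024-06-01T00:00:00Z</ListIssueDateTime>
    <NextUpdate><dateTime>2024-12-01T00:00:00Z</dateTime></NextUpdate>
  </SchemeInformation>
  <TrustServiceProviderList>
    <TrustServiceProvider>
      <TSPInformation>
        <TSPName><Name xml:lang="en">Example Qualified CA (constructed)</Name></TSPName>
      </TSPInformation>
      <TSPServices><TSPService><ServiceInformation>
        <ServiceTypeIdentifier>{QC_CA_TYPE}</ServiceTypeIdentifier>
        <ServiceName><Name xml:lang="en">Qualified certificates for e-signature</Name></ServiceName>
        <ServiceStatus>{STATUS_GRANTED}</ServiceStatus>
        <StatusStartingTime>2022-01-10T00:00:00Z</StatusStartingTime>
      </ServiceInformation></TSPService></TSPServices>
    </TrustServiceProvider>
    <TrustServiceProvider>
      <TSPInformation>
        <TSPName><Name xml:lang="en">Example Withdrawn CA (constructed)</Name></TSPName>
      </TSPInformation>
      <TSPServices><TSPService><ServiceInformation>
        <ServiceTypeIdentifier>{QC_CA_TYPE}</ServiceTypeIdentifier>
        <ServiceName><Name xml:lang="en">Qualified certificates (withdrawn)</Name></ServiceName>
        <ServiceStatus>{STATUS_WITHDRAWN}</ServiceStatus>
        <StatusStartingTime>2023-09-01T00:00:00Z</StatusStartingTime>
      </ServiceInformation></TSPService></TSPServices>
    </TrustServiceProvider>
  </TrustServiceProviderList>
</TrustServiceStatusList>
"""


def _parse_utc(value: str) -> datetime:
    """Parse an xsd:dateTime such as 2024-12-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def services_for(root: ET.Element, tsp_name: str) -> list:
    """All services declared by the provider whose TSPName matches tsp_name."""
    found = []
    for tsp in root.findall("tsl:TrustServiceProviderList/tsl:TrustServiceProvider", NS):
        names = [n.text for n in tsp.findall("tsl:TSPInformation/tsl:TSPName/tsl:Name", NS)]
        if tsp_name not in names:
            continue
        for info in tsp.findall("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", NS):
            found.append({
                "name": info.findtext("tsl:ServiceName/tsl:Name", namespaces=NS),
                "type": info.findtext("tsl:ServiceTypeIdentifier", namespaces=NS),
                "status": info.findtext("tsl:ServiceStatus", namespaces=NS),
            })
    return found


def check_provider(tsl_xml: str, tsp_name: str, now_iso: str) -> dict:
    """Summarise what the list says about tsp_name at UTC time now_iso."""
    root = ET.fromstring(tsl_xml)
    next_update = root.findtext("tsl:SchemeInformation/tsl:NextUpdate/tsl:dateTime", namespaces=NS)
    services = services_for(root, tsp_name)
    return {
        "listed": bool(services),
        "qualified_ca_granted": any(
            s["type"] == QC_CA_TYPE and s["status"] == STATUS_GRANTED for s in services),
        # A list past its NextUpdate is stale: fetch a fresh copy before relying on it.
        "list_current": _parse_utc(now_iso) < _parse_utc(next_update),
    }


if __name__ == "__main__":
    print(check_provider(SAMPLE_TSL, "Example Qualified CA (constructed)", "2024-07-01T00:00:00Z"))
```

In a real check the list would be fetched from ANSSI's published location and its XML signature verified before any of the above is trusted; this example deliberately stops at parsing, so the signature step is the caller's responsibility. A provider that is "listed" but whose service status is withdrawn, or a list that is past its NextUpdate, should both be treated as "not verified" rather than as a pass.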

> To learn more about the different signature levels and their legal effects, consult our complete guide to eIDAS 2.0 Regulation.

---

Technical and security obligations imposed on TSPs

Compliance with ETSI standards

Qualified service providers must comply with a set of European standards published by the European Telecommunications Standards Institute (ETSI). The principal ones are:

  • ETSI EN 319 401: general security requirements applicable to all TSPs.
  • ETSI EN 319 411-1 and 411-2: policies and practices of certification authorities issuing qualified signature certificates.
  • ETSI EN 319 132: advanced electronic signature formats (XAdES for XML, PAdES for PDF, CAdES for CMS).
  • ETSI EN 319 122: CAdES format for qualified signatures.
  • ETSI TS 119 431: requirements for remote signature creation services (remote QSCD).

These standards are not optional: the eIDAS Regulation (Annexes II, III and IV) explicitly refers to them to define the minimum requirements for qualified certificates and signature creation devices.

Management of qualified signature creation devices (QSCD)

One of the cornerstones of the qualified signature is the use of a Qualified Signature Creation Device (QSCD) compliant with Annex II of eIDAS. The service provider must ensure that:

  • The private key of the signer cannot be generated, stored or copied outside the QSCD.
  • Key generation takes place exclusively in a certified environment (Common Criteria certification EAL 4+ or equivalent).
  • Signer authentication preceding any signing act relies on at least two authentication factors.

In the context of remote signature — increasingly prevalent in SaaS environments — these requirements apply to the HSM (Hardware Security Module) server hosting the keys. ANSSI has published specific protection profiles (PP-0075, PP-0076) defining the security criteria to be met.

Business continuity policy and incident notification

Article 19 of eIDAS requires every trust service provider (qualified or otherwise) to:

  • Notify the supervisory authority (ANSSI) and, where applicable, the data protection authority (CNIL), within 24 hours following detection of a security breach likely to impact the reliability of the service.
  • Maintain a documented and regularly tested business continuity plan.
  • Have an information security policy in place, covering in particular risk management, incident management and backup policy.

These requirements partially overlap with those of the NIS2 Directive (2022/2555/EU), transposed into French law by Law No 2023-703 of 1 August 2023, which classifies TSPs of significant size among important or essential entities subject to enhanced cybersecurity obligations.

> Discover how electronic signature for law firms must integrate these constraints into their document workflows.

---

GDPR-specific obligations for TSPs

Is the TSP a controller or processor?

The GDPR qualification of the service provider depends on the nature of the service provided:

  • When the TSP directly delivers qualified certificates on behalf of the signer and determines the purposes of personal data processing (identity, biometric authentication data), it acts as a controller within the meaning of Article 4(7) GDPR.
  • When it integrates its API into a B2B client's platform and processes personal data solely on the instructions of that client, it holds the status of processor (Article 4(8) GDPR) and must necessarily conclude a DPA (Data Processing Agreement) compliant with Article 28 GDPR.

In practice, most SaaS TSPs combine both roles: controller for the management of their own certification infrastructure, processor for the processing of signers' documents and metadata.

Specific obligations relating to biometric and identity data

Signer identification and authentication — a mandatory step to issue a qualified certificate — often involves processing sensitive data: identity document scan, video selfie, facial recognition biometric data. This data constitutes personal data subject to GDPR, or even biometric data falling under Article 9 GDPR (special categories).

The TSP's obligations include:

  • Legal basis: explicit consent (Article 9§2a) or, in certain cases, legal obligation (Article 9§2b) for processing biometric data.
  • Limited retention period: according to CNIL guidelines, identification data must be retained for as long as strictly necessary, generally aligned with the certificate validity period + legal proof duration (often 10 years for documents under private seal, Article 2224 of the French Civil Code).
  • Data Protection Impact Assessment (DPIA) mandatory (Article 35 GDPR) whenever the processing is likely to pose a high risk — which is systematically the case for biometrics.
  • Records of processing (Article 30 GDPR) kept up to date and documenting each processing category.

International data transfers

Many TSPs host all or part of their infrastructure outside the European Economic Area (EEA). In such cases, the appropriate safeguards required by Chapter V of the GDPR apply: adequacy decision, Standard Contractual Clauses (SCCs) of the European Commission or Binding Corporate Rules (BCRs). The Schrems II judgment (CJEU, C-311/18, 16 July 2020) recalled that transfers to the United States require prior country-level risk analysis.

> To understand the impact of these rules on your organisation, consult our guide on electronic signature in the enterprise.

---

Transparency and information obligations towards users

Certification Policy (CP) and Certification Practice Statement (CPS)

Every TSP issuing certificates is required to publish a Certification Policy (CP) and a Certification Practice Statement (CPS), in compliance with the ETSI EN 319 411 standard. These freely accessible documents detail:

  • Procedures for signer identification and registration.
  • Physical and logical security measures deployed.
  • Certificate revocation conditions and associated timelines.
  • The TSP's responsibilities and limitations of liability.

The absence or incompleteness of these documents constitutes a non-compliance that may be identified during re-qualification audit by the accredited body.

Pre-contractual and contractual information to clients

Beyond purely technical obligations, Article 13 of the GDPR requires the TSP to provide each person whose data is collected with clear and accessible information on:

  • The identity of the controller and the contact details of the DPO (mandatory for TSPs that process sensitive data on a large scale, Article 37 GDPR).
  • The purposes and legal basis for each processing activity.
  • The rights of individuals (access, rectification, erasure, portability, objection).
  • Any recipients of the data (processors, authorities).

This information must appear in the service's privacy policy, in the terms of use and, where applicable, in the DPA concluded with professional clients.

Qualified timestamp and audit trail

To guarantee the long-term probative value of signatures, diligent TSPs systematically associate a qualified electronic timestamp (Article 42 eIDAS) with each signed act. The timestamp is legal proof that the data existed on the date indicated. Maintaining the audit trail (identification logs, document fingerprint, signature data) is a practical obligation that enables any future judicial verification.
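The audit trail described above is only useful in court if it can be shown that no entry was altered or removed after the fact. The following added example (not Certyneo's code, and not a description of any particular product's format) shows one way to structure and verify such a trail: each event records the SHA-256 fingerprint of the document as presented at that step, and entries are chained by hash so that a deleted or edited entry is detected. The document bytes, actors and event names are constructed, and the qualified timestamp token is a labelled placeholder rather than a real RFC 3161 token.

```python
"""Build and verify a hash-chained audit trail for a signed document.

Added example, not Certyneo's code. Every event records the SHA-256
fingerprint of the document as presented at that step, and entries are
chained by hash so a removed or altered entry is detectable. The qualified
timestamp token is a labelled placeholder; a real one is an RFC 3161 token
issued by a qualified TSA.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash recorded by the first entry

# Constructed sample document and its signed form (the signing step appends
# a signature block here, so the fingerprint changes between steps).
SAMPLE_DOCUMENT = b"Supplier contract no. 2024-0417 (constructed sample)\n"
SAMPLE_SIGNED = SAMPLE_DOCUMENT + b"%%signature-block (constructed)\n"


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def append_event(trail: list, event: str, document: bytes, actor: str,
                 when: str, extra: dict = None) -> dict:
    """Append one event; its hash covers the previous entry's hash."""
    body = {
        "seq": len(trail),
        "event": event,
        "actor": actor,
        "time": when,
        "doc_sha256": fingerprint(document),
        "prev_hash": trail[-1]["entry_hash"] if trail else GENESIS,
        "extra": extra or {},
    }
    entry = dict(body, entry_hash=_entry_hash(body))
    trail.append(entry)
    return entry


def verify_trail(trail: list, final_document: bytes) -> list:
    """Return the list of problems found; an empty list means consistent."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap (seq={entry['seq']})")
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if _entry_hash(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: content altered")
        prev = entry["entry_hash"]
    if not trail:
        problems.append("empty trail")
    elif trail[-1]["doc_sha256"] != fingerprint(final_document):
        problems.append("final document does not match last recorded fingerprint")
    return problems


def build_sample_trail() -> list:
    """Constructed trail: identification, signature, qualified timestamp."""
    trail = []
    append_event(trail, "identity_verified", SAMPLE_DOCUMENT, "signer@example.invalid",
                 "2024-07-01T09:12:00Z", {"method": "id-document+selfie (constructed)"})
    append_event(trail, "signature_applied", SAMPLE_SIGNED, "signer@example.invalid",
                 "2024-07-01T09:15:30Z", {"level": "advanced, qualified certificate"})
    append_event(trail, "qualified_timestamp", SAMPLE_SIGNED, "tsa.example.invalid",
                 "2024-07-01T09:15:31Z", {"rfc3161_token": "<placeholder, not a real token>"})
    return trail


if __name__ == "__main__":
    sample = build_sample_trail()
    print("problems:", verify_trail(sample, SAMPLE_SIGNED))
```

The hash chain on its own only proves internal consistency: whoever controls the store could rebuild the whole chain. What makes it evidence is anchoring the last entry hash externally, which is exactly the role the qualified timestamp plays when it is taken over the trail (or over the signed document that the last entry fingerprints).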

> Compare market solutions based on these criteria in our comparison of electronic signature solutions.

---

eIDAS 2.0: new obligations on the horizon for 2026-2027

Regulation eIDAS 2.0 (EU) 2024/1183

Published in the Official Journal of the EU on 30 April 2024, Regulation (EU) 2024/1183 known as "eIDAS 2.0" significantly strengthens TSP obligations around three pillars:

  • The European Digital Identity Wallet (EUDI Wallet): Member States must make available a certified digital identity wallet by 2 November 2026. TSPs will need to integrate their service with this wallet to offer qualified signatures via eIDAS 2.0 identity.
  • Management of attribute attestations: eIDAS 2.0 introduces Qualified Electronic Attestations of Attributes (QEAAs), issued by qualified attestation service providers. New audit and qualification procedures will apply.
  • Strengthened supervision: national supervisory authorities (ANSSI for France) see their powers enlarged, particularly the ability to conduct unannounced audits and impose binding corrective measures within shortened timeframes.

Practical implications for current service providers

TSPs already qualified under eIDAS 1.0 will need to undergo progressive compliance adjustment before the deadlines set by Commission implementing acts (published or in preparation). The main adaptations concern:

  • Overhaul of the identification infrastructure to support the EUDI Wallet as an authentication method.
  • Update of CP/CPS to integrate new certificate and attestation typologies.
  • Strengthening security requirements for remote QSCDs, with new protection profiles forthcoming.

For client companies, this means verifying now that their service provider has a documented and verifiable eIDAS 2.0 compliance roadmap.

---

The applicable legal framework

The normative chain applicable to electronic signature service providers operating in France is structured across several complementary hierarchical levels.

French Civil Code — Articles 1366 and 1367

Article 1366 of the French Civil Code recognises electronic writing as a method of proof equivalent to paper writing, provided that "the person from whom it emanates can be properly identified and it is established and preserved in conditions such as to guarantee its integrity". Article 1367 specifies that the electronic signature "consists of the use of a reliable identification process guaranteeing its link with the act to which it is attached". The presumption of reliability benefits signatures qualified within the meaning of eIDAS, reversing the burden of proof in the signer's favour.

Regulation eIDAS No 910/2014/EU

This regulation, directly applicable in all Member States, establishes the legal framework for trust services. Its Article 26 defines the conditions for advanced electronic signatures; its Article 28 the requirements for qualified certificates; its Annex I details the mandatory content of such certificates. Qualified TSPs benefit from a presumption of conformity with the technical and legal requirements of the regulation (Article 19§2), which constitutes a significant advantage in case of dispute.

Regulation eIDAS 2.0 — (EU) 2024/1183

Published on 30 April 2024, this amending regulation introduces new categories of trust services (qualified attestations of attributes, qualified archival services) and strengthens supervisory obligations. It repeals and partially replaces Regulation 910/2014, with progressive applicability according to Commission implementing acts.

GDPR — Regulation (EU) 2016/679

The GDPR applies to any processing of personal data carried out within the framework of an electronic signature service. Articles 5 (lawfulness principles), 6 (legal basis), 9 (sensitive data), 13-14 (information), 28 (processing), 32 (security), 33-34 (breach notification), 35 (DPIA) and 37 (DPO) constitute the most frequently applicable provisions. The CNIL is the competent supervisory authority in France and may impose fines of up to €20 million or 4% of annual worldwide turnover (Article 83§5 GDPR).

NIS2 Directive — (EU) 2022/2555

Transposed into French law by Law No 2023-703 of 1 August 2023, NIS2 classifies significant TSPs among important or essential entities subject to cyber risk management obligations and incident notification to ANSSI within 24 hours (early warning) then 72 hours (full notification).

ETSI Standards

The entire set of standards EN 319 401, EN 319 411-1/2, EN 319 132, EN 319 122 and TS 119 431 constitutes the mandatory technical reference for qualification audit. Failure to comply therewith prevents obtaining or maintaining qualified status.

Legal risks in case of non-compliance

A non-compliant service provider faces:

  • Removal from the French TSL.
  • Engagement of its contractual and non-contractual liability.
  • CNIL administrative sanctions.
  • NIS2 fines potentially reaching €10 million or 2% of worldwide turnover for important entities and €20 million or 4% of worldwide turnover for essential entities.
  • Legal action by clients who have suffered loss due to legally invalid signatures.

Usage scenarios: how companies verify their TSP's compliance

Scenario 1 — An industrial group managing 3,000 supplier contracts per year

A mid-sized industrial group (ETI), active in the manufacture of mechanical equipment, dematerialises all its supplier contracts via a SaaS electronic signature platform. During an internal audit triggered following a regulatory change, the legal department discovers that the chosen service provider — initially selected on price — is listed neither on the French TSL nor on any European TSL. The signatures delivered are of "simple" type without robust signer identification mechanism.

Facing legal risk — the entire set of signed contracts could see their probative value challenged in case of dispute — the company initiates a migration to an ANSSI-qualified TSP. The new solution combines an advanced signature backed by a qualified certificate, a qualified timestamp and an exportable audit trail. The migration project, completed in less than 8 weeks, secures every new act going forward and establishes a compliant document policy. The legal teams estimate that the legal risk linked to old contracts remains marginal because they were performed without contestation, but every new signature is now covered.

Observed gains: a 60% reduction in potential disputes linked to signature authenticity, and an average reduction of 3.5 days in signature turnaround for complex documents thanks to workflow automation.

Scenario 2 — A law firm with 25 lawyers specialising in business law

A law firm wishing to digitalise the signature of mandates, opinions and procedural documents evaluates several service providers. Its assessment matrix incorporates the following criteria: presence on the TSL, publication of an accessible CP/CPS, existence of a GDPR-compliant DPA, availability of a reachable DPO and certification of remote QSCDs.

Of the five service providers evaluated, only two satisfy all criteria. The firm ultimately chooses a TSP that natively offers qualified signature via a remote QSCD, securing the presumption of reliability of Article 1367 of the French Civil Code. Implementation takes 3 weeks, training included. Result: 75% of mandates are now signed within 24 hours versus 5 to 7 days previously (postal dispatch), and the firm can demonstrate to its clients the level of legal security offered by the solution — a differentiating argument in its commercial proposals.

Scenario 3 — A hospital group with approximately 1,200 beds

A public hospital group wishes to dematerialise employment contracts, internship agreements and partnership agreements with partner healthcare facilities. The sensitivity of the data processed (healthcare data of healthcare staff, HR data) requires particular vigilance regarding the GDPR obligations of the TSP.

The IT Department and the establishment's DPO require: data hosting in France with a HDS-certified health data host (HDS Certification provided for by Article L.1111-8 of the French Public Health Code), no transfer outside the EEA, documented DPIA for signer identification processing, and signed DPA before any deployment to production.

Following selection of a TSP meeting these criteria, deployment initially covers HR contracts (approximately 800 acts per year). The average time to sign fixed-term contracts falls from 9 days to less than 48 hours, freeing significant HR team capacity. The establishment also has full traceability of collected consents, audited annually by its DPO.

Conclusion

The legal obligations borne by electronic signature service providers in France form a demanding normative corpus: eIDAS qualification, GDPR compliance, respect for ETSI standards, NIS2 obligations and imminent adaptation to eIDAS 2.0. For end-user companies, ensuring the compliance of one's TSP is not an optional undertaking — it is a sine qua non condition for the probative value of signed acts and for the protection of personal data of signers.

Certyneo is an electronic signature service provider designed to meet all these requirements: eIDAS compliance, GDPR by design, sovereign hosting and documented eIDAS 2.0 roadmap. Ready to secure your signatures in full compliance? Request a demonstration or create your account on Certyneo and benefit from personalised support from day one.
