Certyneo

Qualified Electronic Certificate for Businesses: 2026 Guide

The qualified electronic certificate is the legal foundation for any digital signature with high probative value. Discover how to obtain it, deploy it and stay compliant in 2026.


Certyneo Team


Why the qualified electronic certificate has become essential for businesses

At a time when the dematerialisation of contractual processes is accelerating across all sectors, the question of the qualified electronic certificate has emerged as a strategic issue for legal departments, IT directors and senior management. According to ANSSI's 2024 annual report, more than 78% of French SMEs that have adopted qualified electronic signature have reduced their contracting timelines by more than 60%. Yet many still confuse simple, advanced and qualified signatures — risking their legal acts being contested. This article guides you step by step to understand what a qualified electronic certificate is, how to obtain it in compliance with the RGS and eIDAS framework, and how to deploy it effectively within your organisation.

What is a qualified electronic certificate?

An electronic certificate is a digital file issued by a Certification Authority (CA) that links the identity of a natural or legal person to a public cryptographic key. It is the cornerstone that allows a third party to verify the authenticity and integrity of a digital signature.

The term "qualified" refers to a precise definition derived from the European regulation eIDAS (no. 910/2014, Article 28): the certificate must be issued by a Qualified Trust Service Provider (QTSP), listed on the national trust list (in France, published by ANSSI). It must also comply with the technical requirements of the ETSI EN 319 411-2 standard, which governs certification policies and practices.

In practice, a qualified certificate guarantees:

  • Verified identity of the signatory (face-to-face document verification or equivalent approved means);
  • Integrity of the signed document (any subsequent modification is detectable);
  • Non-repudiation (the signatory cannot deny having affixed their signature).

Difference between simple, advanced and qualified signatures

The eIDAS regulation distinguishes three levels of electronic signature, each associated with a certificate level:

| Level | Certificate required | Probative value | Typical usage |
|---|---|---|---|
| Simple | Not required | Low | Standard purchase orders |
| Advanced | Advanced certificate (QTSP) | Medium | B2B commercial contracts |
| Qualified | Qualified certificate (qualified QTSP) | Maximum, equivalent to handwritten | Notarial deeds, public procurement, sensitive HR |

For qualified signature — the only one benefiting from the legal presumption of equivalence to handwritten signature (Article 1367 French Civil Code) — a qualified certificate is absolutely required. To learn more about the differences between levels, see our comprehensive guide to electronic signature.

---

The RGS framework: French specificities to know

In France, the General Security Reference (RGS), established by Decree no. 2010-112 and regularly updated by ANSSI, defines the security requirements applicable to the information systems of administrations. For businesses that enter into contracts with public entities (public procurement, e-procedures), compliance with RGS is often a contractual or regulatory obligation.

RGS levels applicable to certificates

The RGS defines three qualification stars for certificates:

  • RGS* (one star): basic level, suitable for common uses of low sensitivity;
  • RGS** (two stars): intermediate level, required for most administrative e-procedures;
  • RGS*** (three stars): high level, for acts with significant legal or financial implications.

For dematerialised public procurement via the buyer profile, Decree no. 2016-360 (Articles 39 and 40) generally imposes a minimum RGS level signature, which implies an equivalent qualification certificate.

Articulation of RGS and eIDAS

Since the eIDAS regulation came into effect, the two reference frameworks coexist. A qualified certificate within the meaning of eIDAS is deemed to satisfy the RGS** requirements in the vast majority of cases. ANSSI has published correspondence tables to ensure compatibility. It is therefore advisable for businesses working with both private and public partners to favour a qualified eIDAS certificate issued by a QTSP listed on the French trust list — this simultaneously covers both reference frameworks.

To delve deeper into the European regulation, our eIDAS 2.0 guide details the major changes planned and their impact on French businesses.

---

How to obtain a qualified electronic certificate: step-by-step process

Obtaining a qualified electronic certificate is not a trivial undertaking: it involves rigorous verification of the applicant's identity and, for a legal person, of the applicant's authority to represent it. Here are the main steps.

Step 1: Identify the right qualified trust service provider

In France, the QTSPs authorised to issue qualified certificates are listed on the Trust Service Status List (TSL) published by ANSSI (available on the esignature.gouv.fr portal). Among the players present on this list are notably CAs such as CertEurope, Certinomis (La Poste subsidiary), Keynectis and other European providers recognised under the eIDAS mutual recognition principle.

Selection criteria to examine:

  • Effective presence on the French and/or European TSL;
  • Format of the certificate offered (software, smart card, cloud HSM);
  • Compatibility with your existing IT infrastructure;
  • Pricing and validity period (generally 1 to 3 years);
  • Level of support and enrolment timeline.

Step 2: Enrolment file preparation

For a business, the application for a qualified certificate requires the production of documents proving both the identity of the bearer (natural person) and their capacity to represent the legal person. The documents generally required are:

  • Official identity document of the bearer (passport, national ID card);
  • Kbis extract less than 3 months old (or equivalent for associations, public establishments);
  • Power of attorney if the bearer is not the statutory legal representative;
  • Specific application form for the QTSP chosen.

Identity verification must be performed face-to-face before a Registration Officer (OE) mandated by the QTSP, or through an approved remote verification process (video identification compliant with ETSI TS 119 461 standard).

Step 3: Certificate delivery and activation

Depending on the format chosen, the certificate is delivered:

  • On a qualified signature creation device (QSCD): USB security key or smart card certified Common Criteria EAL 4+;
  • Via a remote signing service (Remote Qualified Electronic Signature — RQES) managed by the QTSP, where the private key is hosted in a certified HSM (Hardware Security Module) according to ETSI EN 419 241 standard.

Deployment of an RQES service is today the most widely adopted solution by businesses, as it avoids the physical management of cryptographic media whilst maintaining qualified compliance. Compare electronic signature solutions to identify the model best suited to your context.

Step 4: Integration into your business processes

Once the certificate is obtained, it is generally integrated into the company's document flows through a SaaS electronic signature platform. The platform must support the ETSI signature formats (XAdES, PAdES, CAdES) to ensure interoperability and the long-term usability of digital evidence. Our dedicated article on electronic signature in business will help you structure this deployment.

---

Cost, validity and renewal: what businesses need to anticipate

Price ranges in 2026

The prices of qualified certificates vary significantly depending on the format and provider:

  • Certificate on physical media (USB key/card): between €80 and €250 ex. VAT per bearer per year;
  • Cloud qualified certificate (RQES): between €40 and €150 ex. VAT per bearer per year, depending on volumes;
  • Enterprise packages: significant discounts apply from 10 bearers onwards, potentially reaching 30 to 40% of unit price.

These costs must be weighed against the savings generated: elimination of printing, postage, postal processing times and disputes arising from contested signatures.

Validity period and renewal

The validity of a qualified certificate is generally set at 1, 2 or 3 years depending on the package subscribed. Upon expiry, previously signed documents remain valid (provided their integrity is preserved via a qualified timestamping service), but new acts cannot be signed with the expired certificate. It is therefore essential to establish a monitoring and renewal process — ideally 60 days before the deadline.

Revocation and incident management

In the event of compromise of the private key (loss, theft of media, suspected disclosure), the certificate must be immediately revoked with the QTSP. The latter publishes the revocation in its Certificate Revocation List (CRL) or via the OCSP protocol, rendering any subsequent signature with this certificate invalid. Internal security policy must therefore provide for a dedicated point of contact and an alert time of less than 24 hours.
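The renewal and revocation rules from the two sections above can be encoded in a small monitoring check. This is an added example, not Certyneo's or any QTSP's code; the `CertRecord` fields, bearer names and dates are constructed, and the revocation time is assumed to have been read from the QTSP's CRL or OCSP response.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

RENEWAL_WINDOW = timedelta(days=60)  # renewal lead time recommended in the text

@dataclass
class CertRecord:  # hypothetical inventory record
    bearer: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # as published by the QTSP (CRL/OCSP)

def lifecycle_status(cert: CertRecord, now: datetime) -> str:
    """Classify a certificate for the PKI manager's renewal follow-up."""
    if cert.revoked_at is not None and cert.revoked_at <= now:
        return "REVOKED"
    if now > cert.not_after:
        return "EXPIRED"
    if cert.not_after - now <= RENEWAL_WINDOW:
        return "RENEW_NOW"
    return "OK"

def signature_acceptable(cert: CertRecord, signed_at: datetime) -> bool:
    """Judge a signature by its signing time, not by the time of the check.
    signed_at must come from a trusted timestamp, never the signer's clock."""
    if not (cert.not_before <= signed_at <= cert.not_after):
        return False  # signed before validity started or after expiry
    return cert.revoked_at is None or signed_at < cert.revoked_at

def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample inventory
INVENTORY = [
    CertRecord("ceo", utc(2025, 1, 1), utc(2027, 1, 1)),
    CertRecord("sales-director", utc(2024, 3, 1), utc(2026, 3, 1)),
    CertRecord("hr-manager", utc(2025, 6, 1), utc(2027, 6, 1),
               revoked_at=utc(2026, 1, 10)),
]

def report(now: datetime) -> dict:
    return {c.bearer: lifecycle_status(c, now) for c in INVENTORY}

if __name__ == "__main__":
    print(report(utc(2026, 1, 15)))
```

A document signed while the certificate was valid stays acceptable after expiry, which is why `signature_acceptable` takes the signing time rather than the current date.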

---

Best practices for successful deployment in business

Governance and internal roles

Successful deployment is based on clear governance. It is recommended to designate:

  • A PKI manager (Public Key Infrastructure) on the IT side, responsible for the relationship with the QTSP and monitoring renewals;
  • A legal reference person who validates use cases requiring qualified signature (vs advanced);
  • Delegated administrators by department for operational management of bearers.

Training and change management

Adopting a qualified certificate is not enough: employees must understand how to use their certificate, when to activate it, and how to react in case of incident. A short training plan (1 to 2 hours) and documented procedures significantly reduce usage errors and support tickets.

Audit and traceability

To satisfy proof obligations, keep a timestamped audit log of each signature performed: signatory identity, document fingerprint, certified date/time, certificate identifier. This data forms the basis of the evidence chain in case of dispute. The ETSI EN 319 132 (XAdES) standard provides signature formats that natively include this information.

Civil Code and probative value

Under French law, Article 1366 of the Civil Code establishes the principle of equivalence between electronic and paper writing, provided that "the identity of the person from whom it emanates is duly established and it is created and stored in such conditions as to guarantee its integrity". Article 1367 paragraph 2 specifies that qualified electronic signature benefits from a presumption of reliability: it is for the party contesting the signature to prove the contrary, thus reversing the burden of proof in favour of the signatory.

eIDAS Regulation no. 910/2014

The European regulation eIDAS (no. 910/2014), directly applicable in all Member States since 1 July 2016, constitutes the supranational foundation. Its Article 25(2) states that "a qualified electronic signature has a legal effect equivalent to that of a handwritten signature". Articles 28 and 29 define the requirements applicable to qualified certificates and qualified signature creation devices (QSCD). Annex I lists the mandatory details of a qualified certificate (policy OID, identity of the QTSP, public key, validity dates, etc.).

eIDAS 2.0 developments

The eIDAS 2.0 regulation (EU Regulation 2024/1183, which came into force on 20 May 2024) introduces the European digital identity wallet (EUDIW) and strengthens accessibility requirements for qualified trust services. Businesses must anticipate the integration of these new identification mechanisms by 2026-2027.

Applicable ETSI standards

  • ETSI EN 319 411-2: policy and practices for QTSPs issuing qualified certificates;
  • ETSI EN 319 132 (XAdES) and ETSI EN 319 122 (CAdES), ETSI EN 319 162 (PAdES): formats for advanced and qualified electronic signature;
  • ETSI EN 419 241: requirements for signature servers (RQES).

GDPR and data protection

Processing of personal data as part of enrolment (identity verification, document collection) is subject to GDPR no. 2016/679. The QTSP and the client business are joint controllers or in a controller/processor relationship depending on the configuration. A DPA (Data Processing Agreement) compliant with Article 28 GDPR must be signed. Enrolment data must be retained for the lifetime of the certificate plus the applicable limitation period (5 years for contractual matters).

NIS2 Directive and critical infrastructure security

The NIS2 Directive (2022/2555/EU), transposed into French law by Law no. 2024-449, requires essential and important entities to implement risk management measures including digital supply chain security. Recourse to a qualified QTSP listed on the national TSL is a recognised best practice for partially satisfying these requirements.

Use scenarios: the qualified certificate in practice

Scenario 1: A law firm managing high-value acts

A business law firm with about twenty partners and associates must regularly sign acts for transfer of shares, settlement protocols and powers of attorney. Until then, each act required printing, handwritten signature, scanning and postal dispatch — approximately 4 to 7 working days per signature cycle. After deploying cloud qualified certificates (RQES) for each partner, this time is reduced to less than 4 hours for acts not requiring notarial intervention. The firm estimates a 65% reduction in administrative time related to document management, and has recorded no signature disputes over the first 18 months of use. The electronic signature solutions for law firms offered by Certyneo natively integrate into this type of workflow.

Scenario 2: An SME contracting with public sector clients

An SME in the metalworking sector, employing about 120 people, regularly responds to dematerialised public tenders on buyer profiles. It is required to electronically sign its bids and commitments with a minimum RGS** level certificate. After obtaining two qualified certificates (for the chief executive officer and an authorised commercial director), the SME was able to submit its bids within the prescribed timelines without travel or postal dispatch. Over one year, this represents about 35 tender files, equating to an estimated saving of 15 person-days per year on document management alone. The eIDAS compliance of the certificate also ensures recognition of its signatures with German and Belgian public sector clients, broadening its commercial scope. Use our ROI calculator to estimate potential gains in your own context.

Scenario 3: A healthcare group securing HR and supplier acts

A hospital group of approximately 1,200 beds, bringing together several establishments, faces an annual volume of nearly 3,000 employment contracts, amendments and supplier commitments. The Human Resources Department and the Procurement Department jointly deployed a qualified signature solution, with certificates issued for authorised managers. In parallel, documents to be signed by staff are processed via an advanced signature workflow, reserving qualified signature for high-value management acts. Result: the average time to finalise an employment contract fell from 12 days to 2.5 days, and the rate of incomplete files (missing signature, wrong signed version) decreased by 78%. The electronic signature solutions in healthcare from Certyneo integrate the regulatory specificities of the hospital sector.

Conclusion

Obtaining a qualified electronic certificate is today a necessary step for any business wishing to secure its digital acts legally, meet public procurement requirements and align with the eIDAS regulatory framework. Far from being a constraint, it is a competitive advantage: reduced signature timelines, an unassailable evidence chain and recognition across the entire European Union.

Key steps to remember: choose a QTSP listed on the ANSSI trust list, prepare a rigorous enrolment file, opt for a cloud format (RQES) to facilitate deployment, and integrate the certificate into a platform compliant with ETSI standards.

Certyneo supports you at every step: from selecting the right signature level to integration into your business processes. Request a free demonstration and discover how to deploy qualified signature in less than 48 hours in your organisation.
