Secure electronically signed documents: 2026 guide

Introduction

Electronic signature has become the standard in European B2B exchanges. However, signing a document is not enough: you must secure, archive and preserve these electronically signed documents in compliance with the applicable legal framework. In France and Europe, the obligations arising from the eIDAS regulation, GDPR and the Civil Code impose precise requirements regarding integrity, traceability and retention periods. This guide explains, step by step, how to implement a robust archiving strategy for your electronically signed documents — and why this approach is inseparable from a serious electronic signature policy.

---

Why securing signed documents is an absolute priority

Risks associated with poor document preservation

An electronically signed document loses all probative value if it is altered, corrupted or inaccessible when its production is required — during a dispute, audit or tax inspection. Concrete risks include:

• Loss of integrity: any post-signature modification, however minor, invalidates the signature and therefore the legal value of the document.
• Certificate expiration: a qualified certificate has a limited lifespan (generally 1 to 3 years). If the document is not time-stamped or archived correctly before expiration, its future verifiability is compromised.
• Technological obsolescence: file formats evolve. A PDF document signed in 2018 with a SHA-1 algorithm, now considered vulnerable, may pose validation problems in the long term.
• GDPR violations: signed documents systematically contain personal data (name, surname, IP address, e-mail). Poor management of this data exposes the company to CNIL sanctions of up to 4% of worldwide turnover.

According to a KPMG study published in 2024, 34% of French companies do not have a formalised electronic archiving policy, exposing them to significant legal risks in the event of disputes.

Probative value: a central issue

The probative value of an electronically signed document rests on three fundamental pillars:

1. Authenticity: the signatory is indeed who they claim to be (identity verification, qualified certificate).
2. Integrity: the content has not been modified since signature (cryptographic fingerprint, SHA-256 or higher hashing).
3. Non-repudiation: the signatory cannot deny having signed (qualified time-stamping, audit trail).

These three pillars must be maintainable over time, which implies an active rather than passive archiving strategy.

---

Technical standards for securing your signed documents

Long-term signature formats: PAdES, XAdES, CAdES

To guarantee the durability of a signed document, the standards ETSI EN 319 132 (XAdES), ETSI EN 319 122 (CAdES) and ETSI EN 319 142 (PAdES) define signature formats suitable for long-term retention. The most commonly used in B2B practice is the PAdES (PDF Advanced Electronic Signatures) format, with its levels:

• PAdES-B: basic level, suitable for short durations.
• PAdES-T: adds qualified time-stamping to prove the existence of the document at a specific moment.
• PAdES-LT: incorporates certificate revocation data, enabling validation without access to online services.
• PAdES-LTA: most robust level, adds an archive time-stamp allowing periodic renewals. Recommended for any retention exceeding 3 years.

For long-term archiving, the PAdES-LTA level is the recommended standard by ANSSI and qualified trust service providers (QTSP).

Qualified time-stamping: the cornerstone of archiving

Qualified time-stamping, defined in article 42 of the eIDAS regulation, constitutes legal proof of the existence of a document at a specific moment. It is issued by a qualified Time Stamping Authority (TSA) registered on the EU Trust List.

In practice, time-stamping:

• Cryptographically binds the document's fingerprint to a certified date and time.
• Proves that the signature was valid at the time of its creation, even if the certificate has since expired.
• Is essential to ensure the admissibility of the document in court years after its signature.

Encryption and access control

Beyond the cryptographic aspects related to signature itself, the physical and logical security of archived documents is equally critical:

• Encryption at rest: documents must be encrypted on hosting servers (AES-256 minimum).
• Encryption in transit: TLS 1.3 protocols for all transfers.
• Role-based access control (RBAC): only authorised personnel can access archived documents.
• Access logging: all access, consultation or download must be traced (immutable logs).
• Geo-redundant backups: at least two copies on geographically distinct sites, with regular restoration testing.

---

Electronic archiving strategies with probative value: EAS and digital safe

The Electronic Archiving System (EAS)

An Electronic Archiving System (EAS) is an infrastructure dedicated to the long-term preservation of digital documents with guarantees of their integrity and accessibility. In France, the applicable standard is the NF Z42-013 standard (homologated ISO 14641), which defines requirements for the design and operation of a probative EAS.

The characteristics of a compliant EAS include:

• A structured classification plan with retention rules per document category.
• An integrity fingerprint calculated on entry and verified periodically.
• An immutable log of all operations.
• Procedures for technology migration to evolve formats without loss of integrity.
• Secure and auditable access with strong authentication.

Using an EAS managed by a qualified provider (type Electronic Archiving with Probative Value - EAPV) allows companies to delegate this complexity whilst benefiting from solid contractual and regulatory guarantees.

The digital safe: a complementary solution

The digital safe is a simplified variant of the EAS, oriented towards the end user. It allows each signatory to keep a personal, secure and accessible copy of their signed documents. This approach is particularly relevant for:

• Employment contracts and amendments (accessible by the employee).
• General terms and conditions accepted electronically.
• Customer onboarding documents (KYC, SEPA mandates).

Legal retention periods: what the law requires

The retention period for documents varies depending on their legal nature. Here are the main deadlines to know:

| Document type | Minimum legal retention | Legal basis | |---|---|---| | Commercial contracts | 5 years | Art. L110-4 Code of Commerce | | Tax documents | 6 years | Art. L102 B LPF | | Employment contracts | 5 years after termination | Labour Code | | Private deeds | 5 years (personal action) | Art. 2224 Civil Code | | Accounting documents | 10 years | Art. L123-22 Code of Commerce | | Health data | 20 years minimum | Art. R1112-7 CSP |

These periods must be integrated into the archiving policy and configured in document management tools.

---

Integrating security into your electronic signature workflow

Choosing a signature platform with native archiving

The best strategy is to choose an electronic signature solution that natively integrates secure archiving, rather than managing two separate tools. Essential selection criteria are:

• eIDAS qualification: the platform must be or rely on a qualified trust service provider (QTSP) registered on the EU Trust List.
• GDPR compliance: hosting of data within the European Union, DPA (Data Processing Agreement) available, ability to exercise individuals' rights.
• Certified archiving formats: native support for PAdES-LTA or equivalent.
• Complete audit trail: each step of the signature process must be traced and exportable.
• Integration API: to connect the platform to your existing DMS (Document Management System) or ERP.

To compare available solutions on the market, consult our electronic signature solutions comparison.

The audit trail: your best protection in case of dispute

The audit trail is a chronological and immutable log retracing all actions related to a document: sending, opening, signing, refusal, reminders. It constitutes complementary proof to the signature itself.

A probative audit trail must contain:

• Qualified time-stamps of each action.
• IP addresses and user agents of signatories.
• Identity verification identifiers used.
• Document metadata (hash fingerprint).

In the event of a dispute, it is often the audit trail that makes the difference before a court, particularly when a simple or advanced (rather than qualified) signature was used.

Automating renewal and archiving reminders

An effective archiving policy is above all an automated policy. Best practices include:

• Automatic alerts before certificate or time-stamp expiration.
• Time-stamp renewal workflow before cryptographic algorithms become obsolete.
• Periodic reviews of archived documents, with random integrity verification.
• Compliance dashboard allowing identification of documents whose retention period is approaching the legal deadline.

These automations are natively available in next-generation electronic signature platforms, such as Certyneo for enterprises.

Applicable legal framework for securing and archiving signed documents

Secure preservation of electronically signed documents falls within a dense regulatory framework, the mastery of which is essential for any organisation wishing to assert these documents against third parties or produce them in court.

eIDAS Regulation No. 910/2014 and its developments

The European eIDAS regulation (Electronic IDentification, Authentication and trust Services), applicable since 1 July 2016 and currently being revised via eIDAS 2.0, establishes the trust framework for electronic signature services in Europe. It distinguishes three levels of signature (simple, advanced, qualified) and imposes strict security, audit and business continuity requirements on qualified trust service providers (QTSP). Article 25 recognises the presumption of non-repudiation for qualified signature. Article 42 governs qualified time-stamping services.

French Civil Code: articles 1366 and 1367

Article 1366 of the Civil Code provides that "electronic writing has the same probative force as writing on paper, provided that the person from whom it originates can be duly identified and that it is established and preserved in such conditions as to guarantee its integrity". Article 1367 specifies the conditions for the validity of electronic signature. The responsibility for preservation in conditions guaranteeing integrity rests with the organisation holding the document.

GDPR No. 2016/679: protection of personal data in archives

Electronically signed documents systematically contain personal data (signatory identity, e-mail address, IP address, sometimes behavioural biometric data). The GDPR imposes a legal basis for each processing, limiting the retention period to what is strictly necessary, and implementing appropriate technical and organisational measures (article 32). In the event of a data breach affecting archives of signed documents, article 33 requires notification to the CNIL within 72 hours.

NIS2 Directive (2022/2555/EU)

Transposed into French law by ordinance in 2024, the NIS2 Directive imposes strengthened cybersecurity obligations on essential and important entities, including securing information systems processing sensitive data. Document archiving platforms of concerned organisations fall within the scope of application.

ETSI standards and NF Z42-013

The standards ETSI EN 319 132 (XAdES), ETSI EN 319 122 (CAdES) and ETSI EN 319 142 (PAdES) define advanced and qualified electronic signature formats compliant with eIDAS. The NF Z42-013 / ISO 14641 standard constitutes the French reference for the design and operation of a probative electronic archiving system. Its compliance is strongly recommended by ANSSI and provides solid protection in case of judicial challenge.

Sanctions and risks in case of non-compliance

The risks are multiple: inadmissibility of the document in court, CNIL sanctions (up to 20 million euros or 4% of worldwide turnover for major GDPR violations), commitment of the organisation's contractual or tortious liability, and loss of guarantees offered by the signature provider if preservation obligations have not been met.

Use scenarios: how organisations secure their signed documents

Scenario 1 — A law firm managing thousands of acts annually

A business law firm with 25 collaborators processes on average 3,000 electronically signed acts and contracts per year (settlement agreements, proxies, deed of transfer). Faced with the need to produce documents seven years old during a client's tax inspection, the firm discovers that several signatures are no longer verifiable: certificates have expired and no archive time-stamp (PAdES-LTA level) had been applied.

After integrating a signature solution with native archiving in an EAS compliant with NF Z42-013, the firm benefits from guaranteed verifiability over 30 years. The time to search for and produce a document in the event of a dispute falls from 4 hours to less than 15 minutes. Partners estimate a 60% reduction in legal risk related to document preservation. To learn more about the specific needs of law firms, consult our page dedicated to electronic signature for law firms.

Scenario 2 — An SME managing supplier and customer contracts

An SME with 180 employees generates approximately 400 supplier contracts and 250 customer contracts signed electronically per year. Its documents were previously stored in an unencrypted shared folder on an internal server, without audit trail, without granular access control.

Following a cybersecurity incident (ransomware) that encrypted part of the server, several active contracts had to be re-signed, generating delays and costs estimated at €40,000. After migration to a SaaS signature platform with integrated digital safe, sovereign hosting in France and geo-redundant backups, the SME eliminates this risk. It also benefits from automatic alerts on contractual deadlines. To estimate the return on investment of such an approach, use our ROI calculator for electronic signature.

Scenario 3 — A hospital group managing patient consents and HR contracts

A hospital group with approximately 1,200 beds must retain electronically signed patient informed consents for a minimum of 20 years (article R1112-7 of the Public Health Code), as well as employment contracts for its 2,500 employees. The multiplicity of documents and different retention periods made manual management impossible and risky.

By deploying an electronic signature solution with an archiving module configurable by document category, the hospital group's legal department automates retention rules: 20 years for consents, 5 years post-termination for HR contracts, 10 years for public contracts. Internal GDPR compliance audits reveal a documentary compliance rate rising from 67% to 96% in less than a year. For sector-specific considerations, our guide on electronic signature in healthcare details the applicable regulatory constraints.

Conclusion

Securing and preserving your electronically signed documents is not a minor technical option: it is a legal obligation and a strategic imperative for any organisation that relies on electronic signature in its business processes. Between eIDAS compliance, GDPR requirements, ETSI standards and retention periods imposed by the Commercial Code, the complexity is real — but entirely manageable with the right tools.

The keys to a successful archiving strategy are clear: long-term signature formats (PAdES-LTA), systematic qualified time-stamping, secure and sovereign hosting, automated retention rules and a complete audit trail.

Certyneo natively integrates all of these features in a SaaS platform designed for B2B teams. Discover how to durably protect your signed documents by trying Certyneo for free or by exploring our pricing.