Electronic signature: cloud or on-premise - which choice in 2026?
Cloud SaaS or on-premise deployment: your electronic signature solution's hosting choice determines security, costs and eIDAS compliance. Discover our expert analysis.
Équipe éditoriale Certyneo
Writer — Certyneo · About Certyneo
Introduction
Choosing between a cloud electronic signature and on-premise hosting is one of the most structuring strategic decisions for an IT director or legal department in 2026. While SaaS has largely won over SMEs with its deployment simplicity, large enterprises and organisations subject to sector-specific regulatory constraints are still questioning the relevance of internalised hosting. This in-depth comparison analyses the two models across five key axes: data sovereignty, technical security, eIDAS compliance, total cost of ownership and business agility. By the end of this article, you will have an operational decision framework to choose the architecture suited to your context.
Understanding the two hosting models
Cloud electronic signature (SaaS)
In a cloud model, the publisher operates the entire infrastructure: servers, updates, availability, backup and data security. The client company accesses the solution via an API or web interface, without any local installation. European market players — including Certyneo — generally rely on ISO 27001 certified datacentres located within the European Union (France, Germany, Netherlands), guaranteeing GDPR compliance without additional effort on the client side.
The advantages are well known: deployment within hours, immediate scalability, automatic updates incorporating regulatory developments (eIDAS 2.0, DSP3, NIS2), and a pay-as-you-go economic model (OPEX). According to the Markess by Exaegis 2025 report, 78% of French companies with fewer than 500 employees now favour SaaS for their dematerialisation tools.
On-premise deployment
On-premise consists of installing the electronic signature platform directly on the company's servers or in a private datacentre it controls. This model offers total control over data, flows and security policies. It has historically been adopted by banks, insurers, hospitals or public administrations handling sensitive data subject to specific frameworks (HDS, SecNumCloud, PGSSI-S).
The downside is a significant operational burden: the IT team must manage updates, qualified signature certificates, HSMs (Hardware Security Modules), high availability and regulatory oversight. The initial cost (CAPEX) is high, with licences potentially exceeding €80,000 for enterprise installation, plus annual infrastructure costs.
Data sovereignty and regulatory compliance
GDPR and data localisation
The eIDAS regulation and its implications for your qualified signatures require that trust service providers (TSP) be audited and listed on national trusted lists. Whether you opt for cloud or on-premise, your solution must imperatively rely on a qualified TSP. The real GDPR question concerns transfers outside the EU: a cloud hosted by an American hyperscaler (AWS, Azure, GCP) without valid standard contractual clauses (SCC) exposes the company to penalties reaching 4% of global turnover.
European cloud solutions such as Certyneo meet this requirement natively, with servers exclusively located in France and a DPA (Data Processing Agreement) compliant with article 28 of the GDPR provided upon subscription.
SecNumCloud and regulated sectors
For operators of vital importance (OVI) and organisations subject to the Cloud-centric doctrine of DINUM, ANSSI's SecNumCloud qualification is progressively becoming mandatory. In 2026, only a few French cloud players have obtained this qualification (OVHcloud, Outscale). Affected organisations must therefore either choose a SecNumCloud-qualified cloud or maintain an on-premise compliant with the ANSSI RGS v2 framework.
Note that NIS2, transposed into French law by the law of 26 January 2025, extends cybersecurity obligations to more than 15,000 essential and important entities, creating new normative pressure on the choice of architecture.
Total cost of ownership: comparative analysis
The TCO (Total Cost of Ownership) analysis over 5 years consistently reveals an advantage for cloud solutions with volumes below 50,000 signatures/year. Beyond that threshold, on-premise can become competitive if the infrastructure already exists. Certyneo's ROI calculator allows you to estimate precisely this switching threshold according to your volumes and sector.
A typical on-premise deployment for a company with 1,000 employees represents:
- Initial licence: €60,000 to €120,000
- HSM infrastructure and dedicated servers: €30,000 to €50,000
- Annual maintenance (20% of licence): €12,000 to €24,000/year
- Internal IT resources: 0.5 to 1 dedicated FTE
Against this, a cloud SaaS of equivalent capacity typically costs €18,000 to €40,000/year all-inclusive, with zero CAPEX.
Technical security: advantages and limitations of each model
Security in cloud environment
Contrary to a persistent preconception, the cloud of a specialised publisher often offers a level of security superior to a typical company on-premise infrastructure. The reasons are structural: publishers invest massively in dedicated teams (24/7 SOC, quarterly pen-tests, ISO 27001 and SOC 2 Type II certifications), which is beyond the reach of most internal IT departments.
Best practices include AES-256 encryption at rest and TLS 1.3 in transit, mandatory multi-factor authentication, immutable logging of signature events, and geo-redundant backups. The legal value of the electronic signature rests precisely on this unalterable traceability.
Risks specific to on-premise
On-premise creates specific risks that are often underestimated:
- Version drift: without a dedicated team, cryptographic updates (certificate revocation, transition to SHA-3) are delayed, exposing the company to technically invalid signatures.
- HSM management: a poorly configured Hardware Security Module or whose firmware is not updated annually nullifies non-repudiation guarantees.
- Business continuity plan: the availability (SLA) of an internal on-premise rarely exceeds 99.5%, compared to 99.95% for a structured cloud SaaS.
For organisations wishing to combine sovereignty with operational delegation, the private cloud model (dedicated Private Cloud in a certified HDS or SecNumCloud datacentre) constitutes a relevant middle ground.
Integration, agility and scalability
APIs and interoperability
Both models now expose documented REST APIs. Nevertheless, the velocity of updates is structurally different: a cloud publisher deploys new features (biometric signature, AI for documentary fraud detection, eIDAS 2.0 Wallet support) within weeks, whilst on-premise requires an internal qualification cycle of 3 to 6 months per major version.
To integrate electronic signature into an ERP (SAP, Oracle), HRIS or document management system (OpenText, Alfresco), the cloud offers pre-built connectors maintained by the publisher. The complete comparison of electronic signature solutions details the integration capabilities of the major market players.
Scalability and volume
In the cloud, scalability is near-instantaneous: a campaign of 10,000 simultaneous signatures (shareholder AGM, mass HR rollout) is absorbed without prior configuration. In on-premise, infrastructure oversizing must anticipate peaks, generating immobilisation costs.
Rapidly growing organisations or those with seasonal cycles (real estate, insurance) particularly benefit from cloud elasticity. Electronic signature in real estate, for example, experiences volume peaks linked to market cycles that would render permanently oversized on-premise infrastructure.
Decision criteria: which model for which profile?
Businesses and SMEs without sector-specific regulatory constraints
For an SME of 10 to 500 employees without particular sector-specific regulatory obligation, cloud SaaS is clearly the choice: rapid deployment, controlled costs, eIDAS and GDPR compliance guaranteed by the publisher. Integration into existing HR tools is facilitated by native connectors — as illustrated by the use of electronic signature for HR teams which covers payslips, contracts and consensual terminations without dedicated infrastructure.
Large enterprises and regulated sectors
Companies processing healthcare data (HDS mandatory), critical financial data or classified information must seriously evaluate on-premise or qualified private cloud. The question is not technical but regulatory: does the applicable framework allow for public cloud or not?
A hybrid architecture — cloud for routine signatures, on-premise for the most sensitive qualified acts — has been adopted by several major French groups since 2024. This model requires rigorous orchestration and solid API gateways.
Public bodies and administrations
Since DINUM circular 2023-1, State administrations are encouraged to favour SecNumCloud-qualified cloud offerings. On-premise remains authorised for sensitive information systems (SIS) but must comply with RGS v2 and PGSSI-S for healthcare data. The electronic signature for law firms illustrates how entities with high traceability requirements find their balance between these two models.
Legal framework applicable to hosting your electronic signature solution
The choice between cloud and on-premise is not neutral from a legal perspective. Several legal frameworks directly govern the technical architecture of your signature solutions.
Civil Code, articles 1366 and 1367: These provisions define electronic signature as a reliable process of identification guaranteeing its link with the act to which it is attached. The reliability of the process is presumed until proof to the contrary when a qualified electronic signature is used. This presumption applies regardless of the hosting mode, provided that the trust service provider (TSP) is qualified.
eIDAS Regulation No 910/2014 and eIDAS 2.0 (EU Regulation 2024/1183): The eIDAS regulation distinguishes three levels of signature (simple, advanced, qualified). Qualified signature mandatorily requires the intervention of a TSP listed on the national trusted list (ANSSI trust list for France). Whether your solution is cloud or on-premise, it must interface with a qualified TSP to issue qualified signatures. eIDAS 2.0, applicable since May 2024, introduces the European digital identity wallet (EUDIW) and strengthens requirements for qualified certificate management.
GDPR Regulation No 2016/679: Article 28 requires the conclusion of a DPA (data processing contract) with any cloud provider processing personal data on your behalf. Article 44 prohibits data transfers outside the EU without adequate safeguards (standard contractual clauses or binding corporate rules). In internal on-premise, this obligation disappears but the company becomes fully responsible for processing and must document its technical and organisational measures (TOM) in accordance with article 32.
NIS2 Directive (EU Directive 2022/2555), transposed into French law by the law of 26 January 2025: Essential and important entities (energy, health, finance, water, digital, transport, administration sectors) must implement proportionate cybersecurity measures, including management of risks related to digital supply chain. An electronic signature cloud provider constitutes a critical third-party supplier under NIS2: mandatory due diligence, specific contractual clauses and audit rights.
ETSI EN 319 132 and ETSI EN 319 122 standards: These standards define advanced electronic signature formats (XAdES, PAdES, CAdES) accepted in European public procurement and B2B exchanges. Compliance with these formats must be verified regardless of the architecture chosen.
General Security Reference (RGS v2) and HDS: For administrations and healthcare data hosting providers, ANSSI's RGS v2 and HDS certification (Healthcare Data Hoster, order of 11 June 2018) apply respectively. A non-HDS-certified cloud is legally disqualified from hosting personal healthcare data, even temporarily during signature of patient consent.
Legal risks to anticipate: A signature issued from a non-compliant system may be contested in court, particularly if the integrity of the document or identity of the signatory cannot be proven beyond doubt. The burden of proof rests with the party invoking the signature. A compliance audit prior to deployment, cloud or on-premise, is strongly recommended.
Use scenarios: cloud or on-premise according to business context
Scenario 1 — An intermediate-sized industrial group managing 15,000 annual contracts
A mid-sized industrial company (approximately 1,200 employees, 3 production sites in France) must dematerialise all its supplier, customer and sub-contractor contracts. It averages 15,000 signatures per year, with peaks in January (renewal of framework contracts) and September (purchasing campaigns). Its industrial data is sensitive but not classified.
Following TCO analysis over 5 years, the finance department concludes that a European cloud SaaS certified ISO 27001 is 40% less expensive than equivalent on-premise deployment (publisher economy of scale vs. 0.7 dedicated IT FTE internally). The IT department selects a cloud solution hosted in France with 99.95% SLA and documented REST API, directly integrated into its ERP. Seasonal peaks are absorbed at no extra cost. Result observed after 12 months: 65% reduction in average supplier contract signature time (from 8.3 days to 2.9 days), and estimated annual saving of €120,000 on paper handling and follow-up costs.
Scenario 2 — A hospital group of 1,200 beds subject to HDS certification
A public hospital group wishes to dematerialise patient consents, contracts with freelance practitioners and public procurement. Data processed includes health information of a personal nature, subject to HDS (Healthcare Data Hoster) certification and PGSSI-S.
Pure on-premise is ruled out due to the complexity of HSM maintenance and absence of in-house cryptographic expertise. The group opts for a private cloud hosted by a provider certified HDS and qualified SecNumCloud. The signature solution is deployed in this dedicated cloud, with strict network compartmentalisation and audit logs exported to the internal SIEM. The cost is 25% higher than standard mutualised cloud but 35% lower than complete on-premise. Operational benefit: the 800 monthly consents are processed within 24 hours versus 5 days in paper format, with full traceability compliant with HAS requirements.
Scenario 3 — A law firm of 25 lawyers integrating signature into daily workflow
A Paris corporate law firm daily handles assignment deeds, settlement agreements and mandates requiring advanced or qualified electronic signature. Client data confidentiality is an absolute priority, but the firm has no proprietary IT infrastructure.
On-premise is ruled out immediately for resource reasons. The firm selects a European cloud SaaS with end-to-end encryption, encryption keys controlled by the client (BYOK — Bring Your Own Key), and contractual guarantee of non-access by the publisher. This so-called "zero knowledge" architecture satisfies both Bar Association ethical requirements and GDPR obligations. Integration with the case management software (via API) reduces the time to prepare a signable deed from 45 minutes to 8 minutes on average, a productivity gain of 82% on this task.
Conclusion
Cloud or on-premise: there is no universal answer, but a structured decision framework. For the vast majority of French companies — SMEs, mid-sized enterprises without critical sectoral constraint — European cloud SaaS compliant with eIDAS and GDPR offers the best ratio between security, compliance and total cost of ownership. On-premise or qualified private cloud remains relevant for regulated sectors (healthcare, defence, OVI) where constraining frameworks (HDS, SecNumCloud, RGS v2) require total infrastructure control.
In 2026, the real question is no longer "cloud or on-premise" but "what level of sovereignty for which data, with which qualified TSP?" Certyneo addresses these requirements with a cloud architecture hosted exclusively in France, certified ISO 27001, compliant with eIDAS 2.0 and GDPR. Discover our offers and pricing on Certyneo or contact our team for a free audit of your electronic signature requirements.
Try Certyneo for free
Send your first signature envelope in less than 5 minutes. 5 free envelopes per month, no credit card required.
Recommended articles
Deepen your knowledge with these related articles.
Electronic signature: free or paid, what to choose in 2026?
Between limited free offers and eIDAS-compliant paid solutions, the choice is not trivial for an SME. Discover our comparison to make an informed decision.
HelloSign vs Certyneo comparison: which to choose in 2026?
HelloSign and Certyneo both serve B2B companies, but their approaches differ radically. Discover which one truly meets your eIDAS compliance and productivity requirements.
Digital site planning: electronic signature in 2026
Digital site planning is revolutionising construction project management in 2026. Electronic signature, traceability and regulatory compliance: a comprehensive guide for industry professionals.