Skip to main content
Certyneo

ISO Certification for Electronic Signature: 2026 Guide

ISO 27001, eIDAS, ETSI… certifications from electronic signature service providers have become an essential selection criterion. Discover how to compare them effectively.

Équipe éditoriale Certyneo14 min read

Équipe éditoriale Certyneo

Writer — Certyneo · About Certyneo

Electronic signature has established itself as a standard in document management for French and European companies. But behind the apparent simplicity of a validation click lies a highly complex technical and regulatory ecosystem. In 2026, the question is no longer "should we adopt electronic signature?" but "which service provider offers sufficient security and compliance guarantees for my business context?". ISO certifications — and in particular ISO 27001 — constitute one of the most reliable answers to this question. This article guides you through the main certifications applicable to electronic signature service providers, their actual scope and the criteria to use for a rigorous comparison.

Why ISO certifications are decisive for electronic signature

Electronic signature is not limited to an application feature. It engages the legal responsibility of the signing company, the confidentiality of the data processed and the long-term integrity of archived documents. This is why the certifications obtained by a service provider are not merely marketing labels: they attest to a level of security maturity audited by an independent third party.

ISO 27001: the essential foundation of information security

ISO/IEC 27001 is the international reference standard for information security management systems (ISMS). It covers the confidentiality, integrity and availability of data. For an electronic signature service provider, this certification means that all its processes — from creating the signer account to archiving the signed document — are subject to documented controls, regularly audited by an accredited body (such as LSTI, Bureau Veritas, BSI, etc.).

Concretely, ISO 27001 requires the service provider to:

  • Maintain a comprehensive inventory of information assets and their associated risks
  • Implement strict access control policies (strong authentication, privilege management)
  • Establish incident management and business continuity procedures
  • Conduct regular internal audits and annual management reviews
  • Continuously monitor for vulnerabilities

The version in force since 2022 (ISO/IEC 27001:2022) integrates 93 security measures grouped into four themes: organisational, human, physical and technological. A service provider certified under this version demonstrates an up-to-date security posture against contemporary threats, particularly ransomware attacks and supply chain compromises.

ISO 27017 and ISO 27018: essential cloud extensions

Virtually all SaaS electronic signature solutions rely on cloud infrastructures. In this context, two extensions of the ISO 27000 family deserve particular attention:

ISO/IEC 27017 provides specific guidance for cloud services, covering notably the shared responsibility between the service provider and its subcontractors (hosting providers, trust third parties). For a B2B buyer, verifying that the service provider has this certification or complies with it allows you to validate that data stored in the cloud is subject to the same security requirements as on-premise environments.

ISO/IEC 27018 specifically addresses the protection of personal data in the cloud. It complements GDPR by defining operational practices: prohibition of using data for advertising purposes without explicit consent, transparency on subcontractors, right to data portability. For DPOs and compliance officers, this certification provides additional assurance of seriousness in processing signatories' data.

To deepen the legal value conferred by these standards in connection with European law, consult our guide on the legal value of electronic signature.

The eIDAS certification and ETSI standards: what it means to be "qualified"

Beyond ISO standards, the European regulatory framework imposes its own compliance requirements for trust service providers (TSP). The eIDAS Regulation 910/2014, whose eIDAS 2.0 revision is being transposed, distinguishes three levels of electronic signature: simple, advanced and qualified.

The status of Qualified Trust Service Provider (QTSP)

To deliver qualified electronic signatures — the only level legally equivalent to a handwritten signature in all EU Member States — a service provider must be listed on the trust list of its Member State (in France, the list managed by ANSSI). This qualification is based on an initial audit carried out by an accredited conformity assessment body (CAB), followed by regular surveillance audits.

The underlying technical standards are mainly published by ETSI (European Telecommunications Standards Institute):

  • ETSI EN 319 401: general requirements for TSPs
  • ETSI EN 319 411: certification policy and practices for certification authorities
  • ETSI EN 319 132: profiles for advanced XML signatures
  • ETSI EN 319 122: profiles for advanced CMS signatures
  • ETSI EN 319 162: registered electronic delivery service

A service provider certified according to these ETSI standards ensures the technical interoperability of its signatures with all solutions recognised in the European area, which is crucial for companies operating in several countries. Our comprehensive guide on the eIDAS regulation details the obligations associated with each qualification level.

SOC 2 Type II: the North American complement to monitor

Although less common in the European area, the SOC 2 Type II report issued according to AICPA standards is often requested by large companies, particularly those with subsidiaries in the United States or American partners. Unlike ISO 27001 (certification), SOC 2 is an audit report that attests to compliance with trust services criteria (security, availability, integrity of processing, confidentiality, privacy) over an observation period generally of six to twelve months. For an exhaustive comparison, verifying that the service provider has a recent SOC 2 Type II report (less than twelve months old) is a strong signal of operational maturity.

Comparing service provider certifications: method and criteria

Faced with the plurality of available certifications, B2B buyers must adopt a structured analysis framework rather than relying solely on marketing claims. Our comparison of electronic signature solutions lists the main platforms available in France; here is how to evaluate their certification level.

The four questions to ask systematically

1. What is the exact date and scope of the certification? An ISO 27001 certification obtained three years ago and not renewed does not offer the same guarantees as a currently valid certificate. Systematically request the official certificate and verify the scope of the audited perimeter: some service providers certify only their head office, excluding datacentres or offshore development teams.

2. Who conducted the certification audit? The certification body must itself be accredited by a member of the IAF (International Accreditation Forum). In France, COFRAC (Comité Français d'Accréditation) is the competent body. A certificate issued by a non-accredited body has no contractual or regulatory value.

3. Does the service provider publish its annual penetration test report? ISO 27001 certification requires regular vulnerability assessments, but does not prescribe a standard format for penetration tests. A mature service provider publishes an executive summary of its annual pentest conducted by a third party. ANSSI recommends using service providers qualified under PASSI (Prestataire d'Audit de la Sécurité des Systèmes d'Information) for this type of exercise.

4. What are the subcontracting arrangements and associated certifications? An electronic signature service provider typically relies on a cloud hosting provider (AWS, Azure, OVHcloud, etc.) and sometimes on third-party certification authorities. Verify that these subcontractors themselves have equivalent certifications (ISO 27001, HDS for health data, SecNumCloud for sensitive data). The trust chain is only as strong as each of its links is audited.

The special case of the HDS framework for health data

For health facilities, nursing homes, mutual societies or insurers managing medical data, HDS (Health Data Hosting) certification is added to ISO requirements. Since the decree of 26 January 2018, any host of personal health data must be HDS certified by an accredited body. For an electronic signature service provider used in a medical context — consent to care, dematerialised prescription, hospital report — this certification is a sine qua non requirement. Discover the specificities of electronic signature in the healthcare sector to assess your obligations.

The impact of certifications on contract negotiation and due diligence

The certifications obtained by a service provider are not solely commercial arguments: they structure the contractual relationship and the allocation of responsibilities between the parties.

Contract clauses to systematically incorporate

When negotiating a contract with an electronic signature service provider, several clauses directly related to certifications merit particular attention:

  • Certification maintenance clause: the service provider commits to maintaining its certifications throughout the contract period and to immediately notify any withdrawal or suspension.
  • Audit clause: the client retains the right to conduct or have a security audit carried out at the service provider's premises, under defined conditions (notice, scope, confidentiality of results).
  • Subcontracting clause: any change in the subcontracting chain must be subject to prior notification, with the possibility of termination if the new subcontractor does not meet the defined certification requirements.
  • Availability SLA: for service providers certified under ISO 27001, a commitment to availability (SLA) of at least 99.9% on a monthly basis is a reasonable expectation, with financial penalties in case of exceeding unavailability thresholds.

These contractual aspects are part of a broader approach to electronic signature governance in the enterprise, which we detail in our dedicated guide.

The contribution of certifications within the framework of a GDPR or NIS2 audit

Since the entry into force of the NIS2 Directive (transposed into French law by the law of 15 April 2025), essential and important entities must demonstrate that their critical service providers — including electronic signature service providers — meet minimum cybersecurity requirements. ISO 27001 certification of a service provider constitutes documented evidence usable during a NIS2 audit or CNIL inspection. It demonstrates in particular the implementation of Article 32 of GDPR, which requires appropriate technical and organisational measures to ensure a level of security adapted to the risk.

For companies wishing to migrate from a less certified solution to a platform offering higher compliance guarantees, our migration guide to Certyneo details the steps and precautions to follow.

The legal validity of an electronic signature relies on a layering of European and national normative texts, the mastery of which is essential for correctly evaluating a service provider's certifications.

Civil Code, Articles 1366 and 1367: These articles constitute the foundation of French law on electronic signature. Article 1366 provides that "electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be duly identified and it is established and preserved in conditions such as to guarantee its integrity". Article 1367 specifies that "the signature necessary for the perfection of a legal act identifies its author" and that, when electronic, it "consists in the use of a reliable identification process guaranteeing its connection with the act to which it is attached". ISO 27001 certifications and eIDAS qualifications directly contribute to establishing this presumption of reliability.

Regulation eIDAS 910/2014: This European regulation, directly applicable in all Member States, defines the three levels of electronic signature (simple, advanced, qualified) and requires trust service providers qualified to submit to conformity audits according to ETSI standards. Its Article 24 specifies the requirements applicable to qualified service providers, including the obligation to employ qualified personnel and maintain sufficient financial resources. The eIDAS 2.0 revision (EU Regulation 2024/1183, which came into application on 20 May 2024) strengthens these requirements by introducing the European digital identity wallet (EUDIW) and by extending the scope of recognised trust services.

GDPR 2016/679: Articles 28 (processor), 32 (security of processing) and 35 (impact assessment) are directly involved when an electronic signature service provider processes personal data on behalf of a controller. Article 32 notably requires pseudonymisation and encryption of personal data, the ability to ensure confidentiality, integrity and resilience of systems. An ISO 27001 certification covering these aspects allows partial satisfaction of this demonstration requirement.

NIS2 Directive (EU 2022/2555, transposed by French law of 15 April 2025): It requires essential and important entities to manage risks related to their digital supply chain, including their electronic signature service providers. Article 21 of NIS2 lists minimum cybersecurity measures, several of which directly overlap with ISO 27001 requirements.

ETSI Standards: Standards EN 319 401, EN 319 411-1, EN 319 411-2, EN 319 132 (XAdES), EN 319 122 (CAdES) and EN 319 162 define the technical requirements for qualified trust service providers. Their compliance is audited by accredited assessment bodies before any listing on national trust lists.

Liability in case of certification deficiency: A non-certified service provider that suffers a data breach resulting in the compromise of electronic signatures engages its contractual and tortious liability. For the client, the failure to pre-verify certifications may be retained as a failure in cyber risk management, liable to impact cyber insurance coverage.

Usage scenarios: ISO certifications in practice

ISO certifications are not mere theoretical abstractions. Here are three concrete scenarios illustrating their operational impact in varied business contexts.

Scenario 1: A corporate law firm selecting its signature service provider

A corporate law firm of about twenty attorneys handles several hundred sensitive acts annually: share transfers, partnership agreements, confidentiality agreements. The IT manager must justify the choice of service provider to the partners and major clients, who contractually require that the digital tools used be ISO 27001 certified.

By relying on the service provider's ISO 27001:2022 certification, the firm can produce a compliance certificate during client due diligence. The annual renewal audit also serves as an argument in calls for tender, where data security is systematically evaluated. Result observed in this type of structure: 60 to 70% reduction in time spent on security questions during commercial negotiations, and elimination of two incidents related to non-compliant signatures over an eighteen-month period.

Scenario 2: An SME in industry managing supplier contracts internationally

An industrial SME of approximately 150 employees managing nearly 300 supplier contracts per year, with a significant portion with German and Dutch partners, must ensure that its electronic signatures are recognised in these countries. Its service provider's eIDAS certification — listed on the French trust list and offering advanced signatures compliant with ETSI EN 319 132 — guarantees legal interoperability in the European area.

In parallel, the service provider's ISO 27001 certification is required by the procurement department of several of its major customers during annual supplier audits. The company estimates to have avoided two contractual requalifications (shift to handwritten signature for non-compliance) representing an avoided cost of approximately 15,000 to 20,000 euros in delays and logistics fees, over twelve months.

Scenario 3: A hospital group integrating electronic signature into its HR and medical processes

A hospital group of approximately 600 beds wishes to dematerialise both its employment contracts (nursing staff, medical interns) and its digital consents to care. Two families of certifications prove indispensable: ISO 27001 for the overall security of the service provider, and HDS certification (Health Data Hosting) for the medical data processing part.

The hospital group selects a service provider with both certifications, which allows it to cover all its use cases in a single contract while meeting the requirements of the Health Digital Agency (ANS). The measured productivity gain on HR processes (medical intern contracts signed in less than two hours versus two to three days in paper version) represents an estimated saving of 40% on administrative management costs associated, or an annual value of approximately 80,000 to 120,000 euros for a volume of 1,200 contracts signed per year.

Conclusion

ISO 27001, ISO 27017, ISO 27018 certifications and eIDAS qualifications are not mere badges displayed on a marketing page: they constitute a foundation of audited guarantees, regularly verified, that engage the service provider's responsibility and legally protect the customer company. In 2026, faced with the growing sophistication of cyber threats and the tightening of the European regulatory framework (NIS2, eIDAS 2.0), choosing a certified electronic signature service provider is no longer an option but a governance requirement.

To objectively compare the service providers available on the French market, rely on the four key criteria identified in this article: exact scope of certification, accreditation of the auditing body, transparency on the subcontracting chain and contract clauses for certification maintenance. Certyneo meets all these requirements and supports you in your compliance implementation. Contact our team to obtain an audit of your current situation and discover how to move to fully certified electronic signature.

Try Certyneo for free

Send your first signature envelope in less than 5 minutes. 5 free envelopes per month, no credit card required.

Dive deeper

Our comprehensive guides to master electronic signatures.

Certyneo Community

A question about electronic signatures?

Join the Certyneo community: ask your questions, share your answers and connect with thousands of users and our team.