How Electronic Signature Works in 2026
Understanding how electronic signature works is essential for any legal manager or IT director. Dive into the cryptographic and regulatory mechanisms that guarantee its probative value.
Certyneo Team
Writer, Certyneo
Introduction
Electronic signature is today at the heart of the digital transformation of enterprises: in 2025, over 70% of large European organisations have integrated it into at least one contractual process (source: Gartner, Digital Process Automation Survey 2025). Yet few decision-makers understand precisely the mechanisms that make it legally valid and technically unforgeable. Understanding how electronic signature works technically — cryptography, PKI, certificates — makes it possible to choose the right solution, reduce legal risks and accelerate internal adoption. This article guides you, step by step, through the technical architecture and standards that govern electronic signature in 2026.
---
The Cryptographic Foundations of Electronic Signature
Electronic signature relies on proven cryptographic primitives. Understanding their mechanisms means understanding why it is more reliable than a digitised handwritten signature.
Asymmetric encryption: public key and private key
The fundamental principle is asymmetric cryptography, invented in the 1970s and standardised by algorithms such as RSA (Rivest–Shamir–Adleman) or elliptic curves (ECDSA). Each signatory has two mathematically linked keys:
- The private key: kept secret by the signatory, on a secure device (smart card, HSM token, or protected software module). It is used to create the signature.
- The public key: distributed freely, included in a digital certificate. It is used to verify the signature.
The security principle rests on a computational asymmetry: verifying a signature with the public key is cheap, but deriving the private key from the public key is computationally infeasible (the discrete logarithm problem for elliptic curves, the factorisation of large integers for RSA).
Hash functions: the digital fingerprint of the document
Before signing, the system calculates a cryptographic fingerprint of the document using a hash function (SHA-256 or SHA-3 in 2026). This fingerprint, called a hash or digest, is a fixed-size value (256 bits for SHA-256) that identifies the content of the document: finding two different documents with the same hash is computationally infeasible.
Essential property: modifying a single character of the document produces a radically different hash. This is what guarantees the integrity of the signed document: any alteration after signing is immediately detectable.
The electronic signature itself is therefore the result of applying the signatory's private key to this hash (with RSA this is commonly described as "encrypting" the hash; ECDSA uses a dedicated signing operation, but the principle is the same). When verifying, the recipient:
- Uses the public key to recover (RSA) or check (ECDSA) the hash bound to the signature;
- Recalculates the hash of the received document themselves;
- Compares the two: if identical, the signature is valid.
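The hash-then-sign cycle described above, as an added example that is not part of the original article: it uses Go's standard library with ECDSA on P-256 and SHA-256 (a signing operation rather than literal encryption of the hash) and shows that changing a single character of the constructed sample contract invalidates the signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Digest computes the SHA-256 fingerprint of the document bytes.
func Digest(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return h[:]
}

// SignDocument hashes the document and signs the digest with the private key (ECDSA, ASN.1 DER signature).
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, Digest(doc))
}

// VerifyDocument recomputes the digest of the received document and checks the signature with the public key.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, Digest(doc), sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the signatory's key pair
	contract := []byte("Service agreement: total price 10 000 EUR, payable in 30 days.") // constructed sample
	sig, _ := SignDocument(priv, contract)
	fmt.Println("original verifies:", VerifyDocument(&priv.PublicKey, contract, sig))
	tampered := []byte("Service agreement: total price 19 000 EUR, payable in 30 days.") // one character changed
	fmt.Println("tampered verifies:", VerifyDocument(&priv.PublicKey, tampered, sig))
	fmt.Printf("digests differ: %x... vs %x...\n", Digest(contract)[:4], Digest(tampered)[:4])
}
```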
---
The Public Key Infrastructure (PKI): the chain of trust
Cryptography alone is not enough: you must also prove that the public key belongs to the person who claims to use it. This is the role of the PKI (Public Key Infrastructure).
Certification authorities (CA)
A Certification Authority (CA) is an accredited trusted third party that issues digital certificates. A digital certificate is a standardised file (X.509 format) containing:
- The identity of the holder (name, organisation, e-mail);
- Their public key;
- The period of validity;
- The digital signature of the CA itself.
In Europe, qualified CAs are listed in the Trusted Lists published by each EU Member State in accordance with the eIDAS Regulation. In France, the ANSSI publishes and maintains this list. Qualified trust service providers (QTSP) — such as CertSign, Certigna, or Universign — are subject to regular audits according to the ETSI EN 319 401 standard.
The certification chain and revocation
The PKI operates on a hierarchical model:
- A self-signed root CA, kept offline under maximum physical security conditions;
- Intermediate CAs that issue certificates for end-users.
Revocation of certificates is a critical mechanism: if a private key is compromised, the CA publishes its invalidation via a CRL (Certificate Revocation List) or via the OCSP (Online Certificate Status Protocol), allowing real-time verification.
For qualified electronic signature under eIDAS, the private key must be generated and stored in a QSCD (Qualified Signature Creation Device) — certified hardware CC EAL4+ or higher, such as a smart card or HSM (Hardware Security Module).
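The hierarchy and revocation check described above, added here as an illustration that is not taken from the article or from any QTSP's code: it issues a self-signed root, an intermediate and a signatory certificate with Go's crypto/x509, validates the chain against the root alone, then consults a CRL that the issuing CA signed (created with x509.CreateRevocationList) and fails closed when the CRL is missing or not signed by that CA. Names and serial numbers are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent; a nil parent yields a self-signed root CA.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA { // only CAs may sign certificates and CRLs
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	if parent == nil { // self-signed root: the template is its own parent
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// CheckSignatoryCert accepts leaf only if it chains to root through inter and is absent from a CRL signed by inter; any other CRL leaves the status unknown and the check fails closed.
func CheckSignatoryCert(leaf, inter, root *x509.Certificate, crlDER []byte) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return err // unknown CA, expired certificate, or no valid chain to the root
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(inter) != nil {
		return errors.New("CRL missing, malformed or not signed by the issuing CA: revocation status unknown")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return errors.New("certificate revoked")
		}
	}
	return nil
}
```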
---
The Three Levels of Signature According to eIDAS
The European Regulation eIDAS No. 910/2014 (and its successor eIDAS 2.0, currently being rolled out) defines three levels of signature, each based on increasing technical guarantees. To delve deeper into this regulatory framework, consult our complete guide to eIDAS Regulation.
Simple Electronic Signature (SES)
Simple signature is the least technically constraining form. It can be as simple as a checkbox, a one-time password (OTP) sent by SMS, or an image of a handwritten signature. It does not necessarily involve a qualified certificate.
Typical use: validation of quotes, marketing consents, contracts with low stakes.
Risk: limited probative value in the event of judicial dispute. The burden of proof lies with the person invoking the signature.
Advanced Electronic Signature (AdES)
The advanced signature meets four precise technical requirements (Article 26 eIDAS):
- It is linked to the signatory in a unique manner;
- It allows the signatory to be identified;
- It is created from data under the exclusive control of the signatory;
- It allows detection of any subsequent modification of the document.
Concretely, this involves the use of a personal digital certificate and a robust authentication mechanism. Standard formats are defined by ETSI: PAdES (for PDF), XAdES (XML), CAdES (binary data) and JAdES (JSON), all standardised in the ETSI EN 319 100 series.
Qualified Electronic Signature (QES)
Qualified signature is the highest level. It requires:
- A qualified certificate issued by an accredited eIDAS QTSP;
- A QSCD for signature creation.
It benefits from a legal presumption of reliability and equivalence with handwritten signature throughout the European Union (Article 25 eIDAS). This is the level required for electronic authentic acts, certain notarial acts, or sensitive public procurement.
Our comparison of electronic signature solutions analyses the practical differences between these levels to help you choose.
---
The Complete Process of Electronic Signature Step by Step
Here is how an electronic signature transaction concretely takes place on a SaaS platform like Certyneo:
Step 1: document preparation and transmission
The signature initiator uploads the document (contract, amendment, purchase order) to the platform. The system immediately generates a SHA-256 hash of the original file, time-stamped and preserved in an immutable manner. This fingerprint will serve as a reference for all future verification.
Step 2: authentication of the signatory
Depending on the signature level chosen, authentication varies:
- SES: e-mail + signature link;
- AdES: strong authentication (OTP SMS, FIDO2 mobile application);
- QES: prior identity verification (in-person or video IDV), issuance of a qualified certificate for single or repeated use.
Step 3: creation of the cryptographic signature
The signatory triggers the signature act. The platform (or QSCD):
- Calculates the hash of the document;
- Encrypts this hash with the signatory's private key;
- Integrates the signature and certificate into the document (PDF signed in PAdES-LTV format for long-term storage).
Step 4: qualified time-stamping
A qualified time-stamping service (TSA) compliant with the RFC 3161 standard applies a cryptographic timestamp, proving that the signature existed at a specific instant. This protects against date falsification and guarantees probative value over time — even if the signatory's certificate expires later.
Step 5: evidentiary archiving
The signed document is archived with its complete audit trail: signatory identity, IP address, time-stamp, document hash, certificates used. This evidence file (audit trail) is essential in case of judicial dispute. eIDAS-compliant solutions maintain these proofs in a PAdES-LTV (Long-Term Validation) format that integrates validation data to enable verification years after the signature.
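The RFC 3161 exchange of Step 4, as an added example that is not part of the article: the client side builds the TimeStampReq sent to the TSA (SHA-256 imprint of the signature value, a fresh nonce, certReq), and a parser applies the checks a TSA makes before issuing a token. reqPolicy and extensions are omitted, so the parser accepts only requests of this shape; the signature value is a constructed sample.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
)

var oidSHA256 = asn1.ObjectIdentifier{2, 16, 840, 1, 101, 3, 4, 2, 1} // id-sha256, named in the MessageImprint
// messageImprint and timeStampReq mirror RFC 3161 section 2.4.1 (reqPolicy and extensions omitted).
type messageImprint struct {
	HashAlgorithm pkix.AlgorithmIdentifier
	HashedMessage []byte
}
type timeStampReq struct {
	Version        int
	MessageImprint messageImprint
	Nonce          *big.Int `asn1:"optional"`
	CertReq        bool     `asn1:"optional"`
}

// BuildTimeStampReq hashes the signature value and DER-encodes the request sent to the TSA; only this digest leaves the organisation.
func BuildTimeStampReq(signatureValue []byte) ([]byte, *big.Int, error) {
	digest := sha256.Sum256(signatureValue)
	nonce, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)) // binds the TSA reply to this request
	if err != nil {
		return nil, nil, err
	}
	req := timeStampReq{Version: 1, Nonce: nonce, CertReq: true, // certReq asks the TSA to return its certificate
		MessageImprint: messageImprint{pkix.AlgorithmIdentifier{Algorithm: oidSHA256}, digest[:]}}
	der, err := asn1.Marshal(req)
	return der, nonce, err
}

// ParseTimeStampReq decodes a request of the shape built above, applying the checks a TSA makes before issuing a token.
func ParseTimeStampReq(der []byte) (*timeStampReq, error) {
	var req timeStampReq
	rest, err := asn1.Unmarshal(der, &req)
	if err != nil {
		return nil, err
	}
	mi := req.MessageImprint
	if len(rest) != 0 || req.Version != 1 || !mi.HashAlgorithm.Algorithm.Equal(oidSHA256) || len(mi.HashedMessage) != sha256.Size {
		return nil, errors.New("malformed TimeStampReq or imprint is not a SHA-256 digest")
	}
	return &req, nil
}
```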
To understand how to integrate this process into your HR flows, discover our electronic signature solution for HR and our contract templates to download.
Legal Framework Applicable to Electronic Signature
Electronic signature falls within a multi-layered regulatory framework, articulating national civil law and harmonised European law.
French Civil Code
Article 1366 of the Civil Code establishes the fundamental principle: "An electronic document has the same probative force as a document on paper support, provided that the person from whom it emanates can be duly identified and that it is established and preserved in conditions such as to guarantee its integrity." Article 1367 clarifies that electronic signature "consists in the use of a reliable identification method guaranteeing its link with the act to which it is attached".
Decree No. 2017-1416 of 28 September 2017 defines the presumption of reliability for qualified and advanced signatures compliant with eIDAS.
Regulation eIDAS No. 910/2014
Cornerstone of European digital trust law, the eIDAS Regulation (electronic IDentification, Authentication and trust Services) establishes a unified legal framework for electronic signatures, electronic seals, qualified time-stamping, certified electronic delivery services and certificates for authentication of websites. Its Article 25, paragraph 2, grants qualified signature a legal presumption of equivalence with handwritten signature throughout the EU.
The eIDAS 2.0 Regulation (in process of transposition by Q1 2026) strengthens these provisions with the European digital identity wallet (EUDIW) and extends obligations to financial services and healthcare markets.
ETSI Standards
Signature formats are standardised by ETSI:
- ETSI EN 319 132 (XAdES), EN 319 122 (CAdES), EN 319 102 (PAdES) define the technical profiles of advanced and qualified signatures;
- ETSI EN 319 421 frames the policies of qualified time-stamping services.
GDPR and Data Protection
The processing of identity data in the context of an electronic signature (name, e-mail, biometrics for identity verification) is subject to GDPR No. 2016/679. Controllers must: have a legal basis (legitimate interest or contract performance), apply the principle of data minimisation, and ensure security through appropriate technical measures (encryption, pseudonymisation).
NIS2 Directive
The NIS2 Directive (2022/2555/EU), transposed into French law since October 2024, imposes on essential service operators and digital service providers (including electronic signature providers) strengthened obligations regarding cybersecurity, risk management and incident notification within 24 hours. Non-compliance is subject to sanctions of up to €10 million or 2% of global turnover.
Concrete Use Cases for Electronic Signature
Scenario 1: a corporate law firm automates the signature of mandates
A corporate law firm with about a dozen collaborators processed an average of 120 representation mandates per month. The paper procedure involved printing, postal sending or delivery in person, then digitising the returned documents — resulting in an average delay of 4.5 working days per file and an estimated document loss rate of 8%.
By deploying advanced electronic signature (AdES) with OTP authentication, the firm reduced the average signature delay to less than 4 hours, reduced the document anomaly rate to less than 1%, and saved approximately €2,200 per year in postage and printing costs. The audit trail generated automatically also simplified two mandate dispute proceedings, by providing an indisputable time-stamped proof. Discover our solution dedicated to legal firms.
Scenario 2: an SME in industry digitalises its supplier contracts
An industrial SME managing approximately 200 supplier contracts per year (general purchasing terms, price amendments, NDAs) suffered signature delays that could exceed three weeks for cross-border contracts with German and Spanish partners. Differences in legal systems and lack of mutual recognition slowed negotiations.
By adopting qualified signature (QES) issued by an eIDAS-accredited QTSP, recognised throughout the EU, the SME benefited from automatic legal recognition in all three countries without any additional legalisation. The average cross-border signature delay fell from 18 days to 2.5 days. Electronic signature in enterprise details these benefits for purchasing teams.
Scenario 3: a hospital group secures informed patient consent
A hospital group with approximately 800 beds had to obtain informed consent from patients for clinical research protocols. Paper management created GDPR compliance risks (poorly stored documents, non-traceable dates) and mobilised healthcare staff for administrative tasks.
By integrating simple electronic signature with identification by SMS code — sufficient for acts not subject to qualified requirements — the group automated the collection, archiving and traceability of consents. The administrative time per patient fell from 12 minutes to less than 2 minutes, freeing approximately 800 nursing hours per year. All documents are archived with qualified time-stamping, fully satisfying CNIL requirements. Explore our signature solution for healthcare.
Conclusion
Understanding how electronic signature works technically — from asymmetric cryptography to PKI, from qualified certificates to probative time-stamping — is essential to making informed choices in terms of compliance and operational efficiency. The three eIDAS levels (simple, advanced, qualified) meet different needs, and the choice should always be guided by analysis of legal risk and expected probative value.
Certyneo accompanies you in this transition with an eIDAS-compliant SaaS platform, accredited QTSPs and simplified integration into your existing processes. Estimate the potential gains for your organisation using our electronic signature ROI calculator, or start directly by consulting our offers and pricing. Compliance and performance are no longer trade-offs.