
E-Signature Provider Obligations in France

eIDAS Qualification, GDPR Compliance, ANSSI Requirements: E-signature providers face a demanding legal framework. Discover all the obligations to comply with.

Certyneo Team · 15 min read


Introduction

Deploying an e-signature solution in France is not something to be done on a whim. Behind each qualified or advanced signature lie dozens of legal obligations that fall on the trust service provider (PSCo). The eIDAS Regulation, GDPR, the general security framework, ETSI standards… the regulatory framework is both dense and evolving. For user enterprises, understanding the legal obligations of e-signature providers in France under eIDAS and GDPR is essential in order to choose a compliant partner and avoid any legal risk. This article details, section by section, all the requirements applicable to PSCos operating in French territory.

---

The status of qualified trust service provider

What is a PSCo under eIDAS?

The eIDAS Regulation No. 910/2014 distinguishes between two categories of providers: non-qualified trust service providers and qualified providers (PSCQ). The former may offer simple or advanced electronic signature services without mandatory third-party audit. The latter — the only ones authorised to deliver qualified signatures within the meaning of Article 3(15) of eIDAS — must meet considerably stricter requirements.

In France, it is the National Cybersecurity Agency (ANSSI) that fulfils the role of supervisory authority (« Supervisory Body ») provided for in Article 17 of eIDAS. It publishes and maintains the French trust list (TSL — Trust Service List), accessible on its official website, listing qualified providers and their services.

The qualification procedure: audit and compliance

To obtain qualified status, a PSCo must necessarily:

  • Have its services audited by a Conformity Assessment Body (CAB) accredited by COFRAC in accordance with the EN ISO/IEC 17065 standard.
  • Submit the audit report to ANSSI, which decides on the granting of qualified status. This status is re-evaluated at least every 24 months (Article 20 §1 eIDAS).
  • Notify ANSSI of any substantial change in its services within 3 months before the planned modification (Article 21 eIDAS).

Non-compliance with these steps exposes the provider to removal from the TSL and loss of the legal presumptions attached to the qualified signature. For client enterprises, using a PSCo not listed on the TSL is equivalent to forfeiting any legal presumption of reliability.
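The verification a client enterprise performs against the trust list can be automated. The following script is an added example, not code from this page or from Certyneo: it parses a trusted-list fragment in the ETSI TS 119 612 XML format that national lists such as the ANSSI TSL use, and reports whether a named provider currently has a granted qualified-certificate (CA/QC) service. The XML fragment and the provider names are constructed for the example; the namespace, service-type and status URIs are those of the ETSI trusted-list format and are stated here as assumptions. A real check downloads the list from its published location, validates the XML signature on it and, for cross-border use, starts from the EU List of Trusted Lists.

```python
import xml.etree.ElementTree as ET

# Namespace of the ETSI TS 119 612 trusted-list schema (assumption: taken from the standard).
NS = {"tsl": "http://uri.etsi.org/02231/v2#"}

# Service-type and status URIs used in EU trusted lists (assumption: from ETSI TS 119 612).
SVC_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"          # CA issuing qualified certificates
SVC_CA_PKC = "http://uri.etsi.org/TrstSvc/Svctype/CA/PKC"        # CA issuing non-qualified certificates
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
STATUS_WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"


def _provider(name, svc_type, status, since):
    """Build one constructed <TrustServiceProvider> element as text (sample data only)."""
    return f"""
    <TrustServiceProvider>
      <TSPInformation>
        <TSPName><Name xml:lang="en">{name}</Name></TSPName>
      </TSPInformation>
      <TSPServices>
        <TSPService>
          <ServiceInformation>
            <ServiceTypeIdentifier>{svc_type}</ServiceTypeIdentifier>
            <ServiceName><Name xml:lang="en">Certificate service of {name}</Name></ServiceName>
            <ServiceStatus>{status}</ServiceStatus>
            <StatusStartingTime>{since}</StatusStartingTime>
          </ServiceInformation>
        </TSPService>
      </TSPServices>
    </TrustServiceProvider>"""


# Constructed sample list: three fictitious providers in the three situations an auditor meets.
SAMPLE_TSL = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">\n'
    "  <TrustServiceProviderList>"
    + _provider("Example Qualified CA (fictitious)", SVC_CA_QC, STATUS_GRANTED, "2021-03-01T00:00:00Z")
    + _provider("Former Qualified CA (fictitious)", SVC_CA_QC, STATUS_WITHDRAWN, "2023-09-15T00:00:00Z")
    + _provider("Simple Signature Provider (fictitious)", SVC_CA_PKC, STATUS_GRANTED, "2020-01-10T00:00:00Z")
    + "\n  </TrustServiceProviderList>\n</TrustServiceStatusList>\n"
)


def parse_trusted_list(xml_text):
    """Flatten a trusted list into one dict per (provider, service)."""
    root = ET.fromstring(xml_text)
    entries = []
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        name = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", default="?", namespaces=NS)
        for info in tsp.iterfind("tsl:TSPServices/tsl:TSPService/tsl:ServiceInformation", NS):
            entries.append({
                "provider": name,
                "type": info.findtext("tsl:ServiceTypeIdentifier", namespaces=NS),
                "status": info.findtext("tsl:ServiceStatus", namespaces=NS),
                "since": info.findtext("tsl:StatusStartingTime", namespaces=NS),
            })
    return entries


def qualified_ca_status(entries, provider_name):
    """Return 'granted', 'withdrawn', 'not qualified' (listed, but no CA/QC service) or 'not listed'."""
    mine = [e for e in entries if e["provider"] == provider_name]
    if not mine:
        return "not listed"
    qc = [e for e in mine if e["type"] == SVC_CA_QC]
    if not qc:
        return "not qualified"
    # The current status of a service is in ServiceInformation; one granted CA/QC service suffices.
    if any(e["status"] == STATUS_GRANTED for e in qc):
        return "granted"
    return "withdrawn"


if __name__ == "__main__":
    parsed = parse_trusted_list(SAMPLE_TSL)
    for candidate in ("Example Qualified CA (fictitious)", "Former Qualified CA (fictitious)",
                      "Simple Signature Provider (fictitious)", "Unknown Provider"):
        print(f"{candidate}: {qualified_ca_status(parsed, candidate)}")
```

Only the `granted` outcome on a CA/QC service supports the presumptions attached to a qualified signature; a provider that is listed but only for non-qualified certificates, or whose qualified service is withdrawn, fails the check just as an unlisted one does.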

> To learn more about the different levels of signature and their legal effects, consult our complete guide to eIDAS 2.0 Regulation.

---

Technical and security obligations imposed on PSCos

Compliance with ETSI standards

Qualified providers must comply with a set of European standards published by the European Telecommunications Standards Institute (ETSI). The main ones are:

  • ETSI EN 319 401: general security requirements applicable to all PSCos.
  • ETSI EN 319 411-1 and 411-2: policies and practices of certification authorities issuing qualified signature certificates.
  • ETSI EN 319 132: advanced electronic signature formats (XAdES for XML, PAdES for PDF, CAdES for CMS).
  • ETSI EN 319 122: CAdES format for qualified signatures.
  • ETSI TS 119 431: requirements for remote signature creation services (remote QSCD).

These standards are not optional: the eIDAS Regulation (Annex II, III and IV) explicitly refers to them to define the minimum requirements for qualified certificates and signature creation devices.

Management of qualified signature creation devices (QSCD)

One of the cornerstones of the qualified signature is the use of a qualified signature creation device (QSCD) compliant with Annex II of eIDAS. The provider must ensure that:

  • The private key of the signatory cannot be generated, stored or copied outside the QSCD.
  • Key generation takes place exclusively in a certified environment (Common Criteria EAL 4+ certification or equivalent).
  • Authentication of the signatory preceding any signing act relies on at least two authentication factors.

In a remote signature context — increasingly common in SaaS environments — these requirements apply to the HSM (Hardware Security Module) server hosting the keys. ANSSI has published specific protection profiles (PP-0075, PP-0076) defining the security criteria to be met.

Continuity policy and incident notification

Article 19 of eIDAS requires all trust service providers (qualified or not) to:

  • Notify the supervisory authority (ANSSI) and, where applicable, the data protection authority (CNIL), within 24 hours of discovering a security breach liable to affect the reliability of the service.
  • Maintain a documented and regularly tested business continuity plan.
  • Have a formalised information security policy, covering in particular risk management, incident management and backup policy.

These requirements partly overlap with those of the NIS2 Directive (2022/2555/EU), transposed into French law by Law No. 2023-703 of 1 August 2023, which classifies PSCos of significant size among the important or essential entities subject to strengthened cybersecurity obligations.

> Discover how e-signature for law firms must integrate these constraints into their document workflows.

---

GDPR obligations specific to PSCos

Is the PSCo a data controller or processor?

The GDPR qualification of the provider depends on the nature of the service provided:

  • When the PSCo directly issues qualified certificates on behalf of the signatory and determines the purposes of processing personal data (identity, authentication and biometric data), it acts as a data controller within the meaning of Article 4(7) GDPR.
  • When it integrates its API into a B2B client's platform and processes personal data solely according to that client's instructions, it has the status of processor (Article 4(8) GDPR) and must necessarily conclude a DPA (Data Processing Agreement) compliant with Article 28 GDPR.

In practice, most SaaS PSCos combine both statuses: controller for managing their own certification infrastructure, processor for processing documents and metadata of signatories.

Specific obligations relating to biometric and identity data

The identification and authentication of the signatory — a mandatory step to issue a qualified certificate — often involves the processing of sensitive data: scan of an identity document, video selfie, facial recognition biometric data. This data constitutes personal data subject to GDPR, or even biometric data falling under Article 9 GDPR (special categories).

The PSCo's obligations include:

  • Legal basis: explicit consent (Article 9(2)(a)) or, in certain cases, legal obligation (Article 9(2)(b)) for processing biometric data.
  • Limited retention period: according to CNIL guidelines, identification data must be retained only as long as necessary, generally aligned with the validity period of the certificate plus the legal proof period (often 10 years for documents under private signature, Article 2224 of the Civil Code).
  • Data Protection Impact Assessment (DPIA, AIPD in French) mandatory (Article 35 GDPR) as soon as the processing is liable to create a high risk — which is systematically the case for biometrics.
  • Processing register (Article 30 GDPR) kept up to date and documenting each category of processing.

International data transfers

Many PSCos host all or part of their infrastructure outside the European Economic Area (EEA). In this case, the appropriate safeguards required by Chapter V GDPR apply: adequacy decision, standard contractual clauses (SCCs) from the European Commission or binding corporate rules (BCR). The Schrems II ruling (CJEU, C-311/18, 16 July 2020) recalled that transfers to the United States require prior country risk analysis.

> To understand the impact of these rules on your organisation, consult our guide on electronic signature in business.

---

Transparency and information obligations to users

Certification policy (CP) and certification practices statement (CPS)

Any PSCo issuing certificates is required to publish a Certification Policy (CP) and a Certification Practices Statement (CPS), in accordance with the ETSI EN 319 411 standard. These documents, freely accessible, detail:

  • The procedures for identifying and registering signatories.
  • The physical and logical security measures deployed.
  • The conditions for certificate revocation and associated timescales.
  • The PSCo's responsibilities and liability limitations.

The absence or incompleteness of these documents constitutes a non-compliance that may be identified during the re-qualification audit by the accredited body.

Pre-contractual and contractual information to clients

Beyond purely technical obligations, Article 13 GDPR requires the PSCo to provide each person whose data is collected with clear and accessible information on:

  • The identity of the data controller and the contact details of the DPO (mandatory for PSCos processing large quantities of sensitive data, Article 37 GDPR).
  • The purposes and legal basis of each processing.
  • The rights of persons (access, rectification, erasure, portability, objection).
  • Any recipients of the data (processors, authorities).

This information must appear in the service's privacy policy, in the terms and conditions and, where applicable, in the DPA concluded with professional clients.

Qualified timestamping and audit trail

To ensure the long-term evidential value of signatures, serious PSCos systematically associate a qualified electronic timestamp (Article 42 eIDAS) with each signed act. This timestamp constitutes legally presumed proof of the existence of the data on the date indicated. The preservation of the audit trail (identification logs, document fingerprint, signature data) is a de facto obligation to enable any future judicial verification.
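An audit trail only enables later verification if its own integrity can be demonstrated. The script below is an added example, not code from this page or from Certyneo: it builds a signing audit trail in which each record carries the SHA-256 fingerprint of the signed document, a fingerprint of the signature value, the event time, and the hash of the previous record, so that altering or removing any record is detected by a single verification pass. The events, signer identifier and document bytes are constructed sample data. The `timestamp_token` field is a placeholder for where a qualified timestamp token from a timestamping authority would be attached; obtaining such a token (RFC 3161) is outside this example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first record (assumption: fixed sentinel)


def document_fingerprint(document: bytes) -> str:
    """SHA-256 fingerprint of the document as stored in the audit trail."""
    return hashlib.sha256(document).hexdigest()


def _record_hash(body: dict) -> str:
    """Hash of a record's canonical JSON form (sorted keys, no whitespace) excluding record_hash."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class AuditTrail:
    """Append-only, hash-chained list of signing events."""

    def __init__(self):
        self.records = []

    def append(self, event, signer_id, document, signature_value, occurred_at, timestamp_token=None):
        prev = self.records[-1]["record_hash"] if self.records else GENESIS
        body = {
            "seq": len(self.records),
            "event": event,
            "signer_id": signer_id,
            "document_sha256": document_fingerprint(document),
            "signature_sha256": hashlib.sha256(signature_value).hexdigest() if signature_value else None,
            "occurred_at": occurred_at,
            "timestamp_token": timestamp_token,  # placeholder for a TSA token, not implemented here
            "prev_hash": prev,
        }
        body["record_hash"] = _record_hash({k: v for k, v in body.items()})
        self.records.append(body)
        return body


def verify_trail(records):
    """Return (True, n) if the chain is intact, else (False, index of the first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["seq"] != i or rec["prev_hash"] != prev or _record_hash(body) != rec["record_hash"]:
            return (False, i)
        prev = rec["record_hash"]
    return (True, len(records))


def matches_document(record, document: bytes) -> bool:
    """Check that a record refers to exactly this document (the fingerprint comparison a court would ask for)."""
    return record["document_sha256"] == document_fingerprint(document)


def tampered_copy(records, index, field, value):
    """Deep-copy the trail and alter one field of one record (used to demonstrate detection)."""
    altered = copy.deepcopy(records)
    altered[index][field] = value
    return altered


def build_sample_trail():
    """Constructed sample: identification, signature and timestamp events for one document."""
    contract = b"Supplier contract no. 2024-0042 (constructed sample document)"
    trail = AuditTrail()
    trail.append("identification", "signer-001", contract, b"", "2024-05-02T09:14:03Z")
    trail.append("signature", "signer-001", contract, b"sig-bytes-sample", "2024-05-02T09:15:40Z")
    trail.append("timestamp", "signer-001", contract, b"sig-bytes-sample", "2024-05-02T09:15:41Z",
                 timestamp_token="PLACEHOLDER-TSA-TOKEN")
    return trail, contract


if __name__ == "__main__":
    trail, contract = build_sample_trail()
    print("intact:", verify_trail(trail.records))
    forged = tampered_copy(trail.records, 1, "document_sha256", "f" * 64)
    print("after altering record 1:", verify_trail(forged))
    print("after deleting record 1:", verify_trail(trail.records[:1] + trail.records[2:]))
```

The chain makes the trail tamper-evident, not tamper-proof: whoever controls the whole store can rebuild it from scratch. Anchoring the head hash of the chain in a qualified timestamp, which is what the timestamp placeholder stands for, is what turns this internal consistency into evidence that the records existed at a given date.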

> Compare market solutions according to these criteria in our comparison of electronic signature solutions.

---

eIDAS 2.0: new obligations on the 2026-2027 horizon

The eIDAS 2.0 Regulation (EU) 2024/1183

Published in the EU Official Journal on 30 April 2024, the regulation (EU) 2024/1183 known as « eIDAS 2.0 » significantly strengthens the obligations of PSCos around three axes:

  • The European Digital Identity Wallet (EUDI Wallet): Member States must make a certified digital identity wallet available by 2 November 2026. PSCos will have to integrate their service with this wallet to offer qualified signatures via eIDAS 2.0 identity.
  • Management of attribute attestations: eIDAS 2.0 introduces qualified attribute attestations (QEAAs), issued by qualified attestation providers. New audit and qualification procedures will apply.
  • Strengthened supervision: national supervisory authorities (ANSSI for France) see their powers expanded, notably the ability to carry out unannounced audits and to impose binding corrective measures within shortened timescales.

Practical implications for current providers

PSCos already qualified under eIDAS 1.0 will need to undertake progressive compliance measures before the deadlines set by the Commission's implementing acts (published or pending publication). The main adaptations concern:

  • The overhaul of the identification infrastructure to support the EUDI Wallet as an authentication means.
  • The update of CP/CPS to integrate new types of certificates and attestations.
  • The strengthening of QSCD security requirements for remote QSCDs, with new protection profiles forthcoming.

For client enterprises, this means verifying from today that their provider has a documented and verifiable eIDAS 2.0 compliance roadmap.

The normative chain applicable to e-signature providers operating in France is structured across several complementary hierarchical levels.

French Civil Code — Articles 1366 and 1367

Article 1366 of the Civil Code recognises electronic writing as a mode of proof equivalent to paper writing, provided that « the person from whom it emanates can be duly identified and it is established and preserved in conditions apt to guarantee its integrity ». Article 1367 specifies that electronic signature « consists of the use of a reliable identification procedure guaranteeing its link with the act to which it is attached ». The presumption of reliability benefits qualified signatures within the meaning of eIDAS, reversing the burden of proof in favour of the signatory.

eIDAS Regulation No. 910/2014/EU

This regulation, directly applicable in all Member States, establishes the legal framework for trust services. Its Article 26 defines the conditions for advanced electronic signature; its Article 28 the requirements of qualified certificates; its Annex I details the mandatory content of these certificates. Qualified PSCos benefit from a presumption of compliance with the technical and legal requirements of the regulation (Article 19§2), which constitutes a major asset in case of dispute.

eIDAS 2.0 Regulation — (EU) 2024/1183

Published on 30 April 2024, this amending regulation introduces new categories of trust services (qualified attribute attestations, qualified archiving services) and strengthens supervisory obligations. It repeals and partially replaces Regulation 910/2014, with progressive applicability according to the Commission's implementing acts.

GDPR — Regulation (EU) 2016/679

GDPR applies to any processing of personal data carried out in the context of an electronic signature service. Articles 5 (principles of lawfulness), 6 (legal basis), 9 (sensitive data), 13-14 (information), 28 (sub-processing), 32 (security), 33-34 (breach notification), 35 (DPIA) and 37 (DPO) constitute the most frequently applicable provisions. The CNIL is the competent supervisory authority in France and can impose fines of up to 20 million euros or 4% of worldwide annual turnover (Article 83§5 GDPR).

NIS2 Directive — (EU) 2022/2555

Transposed into French law by Law No. 2023-703 of 1 August 2023, NIS2 classifies significant PSCos among the important or essential entities subject to obligations for cyber risk management and incident notification to ANSSI within 24 hours (early warning) then 72 hours (full notification).

ETSI Standards

The entire set of EN 319 401, EN 319 411-1/2, EN 319 132, EN 319 122 and TS 119 431 standards constitutes the mandatory technical reference for the qualification audit. Non-compliance with them leads to the impossibility of obtaining or maintaining qualified status.

Legal risks in case of non-compliance

A non-compliant provider is exposed to: removal from the French TSL, engagement of its contractual and non-contractual liability, CNIL administrative sanctions, NIS2 fines that can reach 10 million euros or 2% of worldwide turnover for important entities and 20 million or 4% of turnover for essential entities, as well as legal claims from clients who have suffered loss due to legally invalid signatures.

Usage scenarios: how enterprises verify their PSCo's compliance

Scenario 1 — An industrial group managing 3,000 supplier contracts per year

A mid-sized industrial group (ETI), active in the manufacture of mechanical equipment, digitalises all of its supplier contracts via a SaaS e-signature platform. During an internal audit triggered by a regulatory change, the legal department finds that the selected provider — initially chosen on cost criteria — is listed neither on the French TSL nor on any European TSL. The signatures delivered are of the « simple » type, without any robust signatory identification mechanism.

Faced with legal risk — all signed contracts could see their evidential value contested in case of dispute — the company undertakes a migration to an ANSSI-qualified PSCo. The new solution integrates an advanced signature with qualified certificate, qualified timestamp and exportable audit trail. The migration project, carried out in less than 8 weeks, makes it possible to secure all new acts and establish a compliant document policy. The legal teams estimate that the litigation risk related to old contracts remains marginal because they were executed without contestation, but all new signatures are now covered.

Observed gains: a 60% reduction in potential disputes related to signature authenticity, and a gain of 3.5 days in average signing time on complex contracts thanks to automated validation workflows.

Scenario 2 — A law firm of 25 collaborators specialising in business law

A law firm seeking to digitalise the signature of mandates, consultations and procedural documents evaluates several providers. Its evaluation grid incorporates the following criteria: presence on TSL, publication of an accessible CP/CPS, existence of a GDPR-compliant DPA, availability of a reachable DPO and certification of remote QSCDs.

Of five providers evaluated, only two satisfy all criteria. The firm ultimately selects a PSCo natively offering a qualified signature via remote QSCD, guaranteeing the presumption of reliability of Article 1367 of the Civil Code. Implementation takes 3 weeks, training included. Result: 75% of mandates are now signed in less than 24 hours compared to 5 to 7 days previously (postal shipping), and the firm can justify to its clients the level of legal security offered by the solution — a differentiating argument in its commercial proposals.

Scenario 3 — A hospital group of approximately 1,200 beds

A public hospital group wishes to digitalise employment contracts, internship agreements and partnership agreements with partner care facilities. The sensitivity of the data processed (healthcare data of nursing staff, HR data) requires particular vigilance regarding the GDPR obligations of the PSCo.

The IT department and the establishment's DPO require: data hosting in France with a certified healthcare data hosting provider (HDS certification, provided for in Article L.1111-8 of the Public Health Code), no transfer outside the EEA, a documented DPIA for the signatory identification processing, and a DPA signed before any production deployment.

Following the selection of a PSCo meeting these criteria, the deployment first covers HR contracts (approximately 800 acts per year). The average time for signing fixed-term employment contracts drops from 9 days to less than 48 hours, freeing significant capacity for the human resources teams. The establishment also has complete traceability of the consents obtained, audited annually by its DPO.

Conclusion

The legal obligations weighing on e-signature providers in France form an exacting normative corpus: eIDAS qualification, GDPR compliance, compliance with ETSI standards, NIS2 obligations and imminent adaptation to eIDAS 2.0. For user enterprises, ensuring the compliance of one's PSCo is not an optional undertaking — it is a sine qua non condition of the evidential value of signed acts and the protection of personal data of signatories.

Certyneo is an electronic signature provider designed to meet all of these requirements: eIDAS compliance, GDPR by design, sovereign hosting and documented eIDAS 2.0 roadmap. Ready to secure your signatures in full compliance? Request a demonstration or create your account on Certyneo and benefit from personalised support from day one.
