Qualified Electronic Certificate for Business: 2026 Guide
The qualified electronic certificate is the legal foundation of any high-value digital signature. Discover how to obtain it, deploy it and remain compliant in 2026.
Certyneo Team
Why the qualified electronic certificate has become essential for businesses
At a time when the dematerialisation of contractual processes is accelerating across all sectors, the question of the qualified electronic certificate has become a strategic issue for legal departments, IT directors and senior management. According to ANSSI's 2024 annual report, more than 78% of French SMEs that have adopted qualified electronic signature have reduced their contract processing times by more than 60%. Yet many still confuse simple, advanced and qualified signatures — risking exposing their legal documents to challenge. This article guides you step by step to understand what a qualified electronic certificate is, how to obtain it in compliance with the RGS and eIDAS framework, and how to deploy it effectively within your organisation.
What is a qualified electronic certificate?
An electronic certificate is a digital file issued by a Certification Authority (CA) that links the identity of a natural or legal person to a public cryptographic key. It is the cornerstone that allows a third party to verify the authenticity and integrity of a digital signature.
The term "qualified" refers to a precise definition from the European regulation eIDAS (No. 910/2014, Article 28): the certificate must be issued by a Qualified Trust Service Provider (QTSP), listed on the national trust list (in France, published by ANSSI). It must also comply with the technical requirements of the ETSI EN 319 411-2 standard, which governs certification policies and practices.
In practice, a qualified certificate guarantees:
- Verified identity of the signatory (document verification face-to-face or by approved equivalent means);
- Integrity of the signed document (any subsequent modification is detectable);
- Non-repudiation (the signatory cannot deny having affixed their signature).
Difference between simple, advanced and qualified signature
The eIDAS regulation distinguishes three levels of electronic signature, each associated with a certificate level:
| Level | Required Certificate | Probative Value | Typical Usage |
|---|---|---|---|
| Simple | Not required | Weak | Standard purchase orders |
| Advanced | Advanced certificate (QTSP) | Average | B2B commercial contracts |
| Qualified | Qualified certificate (qualified QTSP) | Maximum, equivalent to a handwritten signature | Notarial documents, public contracts, sensitive HR |

For a qualified signature, the only level that benefits from the legal presumption of equivalence to a handwritten signature (Art. 1367 Civil Code), a qualified certificate is mandatory. To learn more about the differences between levels, consult our comprehensive guide to electronic signature.
---
The RGS framework: French specificities to know
In France, the General Security Framework (RGS), established by Decree No. 2010-112 and regularly updated by ANSSI, defines the security requirements applicable to information systems of public administrations. For companies contracting with public entities (public procurements, electronic procedures), compliance with RGS is often a contractual or regulatory obligation.
RGS levels applicable to certificates
RGS defines three qualification stars for certificates:
- RGS* (one star): basic level, suitable for routine low-sensitivity uses;
- RGS** (two stars): intermediate level, required for most administrative e-procedures;
- RGS*** (three stars): high level, for acts of significant legal or financial importance.
For dematerialised public contracts via the buyer profile, Decree No. 2016-360 (Articles 39 and 40) generally requires a signature at least at RGS** level, which implies a certificate qualified at an equivalent level.
Articulation of RGS and eIDAS
Since the eIDAS regulation came into force, the two frameworks coexist. A certificate qualified under eIDAS is deemed to meet RGS** requirements in the vast majority of cases. ANSSI has published correspondence tables to ensure compatibility. It is therefore advisable, for companies working with both private and public partners, to prioritise a qualified eIDAS certificate issued by a QTSP listed on the French trust list — which simultaneously covers both frameworks.
To deepen your understanding of the European regulation, our eIDAS 2.0 guide details the major developments planned and their impact on French companies.
---
How to obtain a qualified electronic certificate: step-by-step process
Obtaining a qualified electronic certificate is not a trivial matter: it involves rigorous verification of the applicant's identity and, for a legal person, their legal representation. Here are the main steps.
Step 1: Identify the right qualified trust service provider
In France, the QTSPs authorised to issue qualified certificates are listed on the Trust Service Status List (TSL) published by ANSSI (available on the esignature.gouv.fr portal). Among the stakeholders on this list are CAs such as CertEurope, Certinomis (La Poste subsidiary), Keynectis and other European providers recognised under the eIDAS mutual recognition principle.
Selection criteria to examine:
- Actual presence on the French and/or European TSL;
- Certificate format offered (software, smart card, cloud HSM);
- Compatibility with your existing IT infrastructure;
- Pricing and validity period (generally 1 to 3 years);
- Support level and enrolment time.
Step 2: Preparation of the enrolment file
For a business, the request for a qualified certificate requires the submission of documents proving both the identity of the bearer (natural person) and their capacity to represent the legal entity. The documents generally required are:
- Official identity document of the bearer (passport, national ID card);
- Kbis extract less than 3 months old (or equivalent for associations, public bodies);
- Power of attorney if the bearer is not the statutory legal representative;
- Application form specific to the QTSP selected.
Identity verification must be carried out face-to-face before a Registration Officer (RO) mandated by the QTSP, or by an approved remote verification process (video identification compliant with ETSI TS 119 461 standard).
Step 3: Receipt and activation of the certificate
Depending on the format chosen, the certificate is provided:
- On a qualified signature creation device (QSCD): a cryptographic USB key or smart card certified to Common Criteria EAL 4+;
- Via a remote signature service (Remote Qualified Electronic Signature — RQES) managed by the QTSP, where the private key is hosted in a certified HSM (Hardware Security Module) in accordance with the ETSI EN 419 241 standard.
Deploying an RQES service is now the most widely adopted solution by businesses, as it avoids physical management of cryptographic devices while maintaining qualified compliance. Compare electronic signature solutions to identify the model best suited to your context.
Step 4: Integration into your business processes
Once the certificate is obtained, it is generally integrated into the company's document flows through a SaaS electronic signature platform. The platform must support the ETSI signature formats (XAdES, PAdES, CAdES) to guarantee interoperability and the long-term usability of digital evidence. Our dedicated article on electronic signature in business will help you structure this deployment.
---
Cost, validity and renewal: what businesses need to anticipate
Price ranges in 2026
The cost of qualified certificates varies significantly depending on the format and provider:
- Certificate on physical medium (USB key/card): between €80 and €250 HT per bearer per year;
- Cloud qualified certificate (RQES): between €40 and €150 HT per bearer per year, depending on volumes;
- Business packages: significant discounts apply from 10 bearers onwards, reaching 30 to 40% off the unit price.
These costs should be put into perspective with the savings generated: elimination of printing, postage, postal processing times and disputes related to contested signatures.
Validity period and renewal
The validity of a qualified certificate is generally set at 1, 2 or 3 years depending on the package subscribed. Upon expiration, previously signed documents remain valid (provided their integrity is preserved through a qualified timestamping service), but new documents cannot be signed with the expired certificate. It is therefore essential to implement a process of monitoring and early renewal — ideally 60 days before expiry.
Revocation and incident management
In the event of private key compromise (loss, theft of the device, suspected disclosure), revocation of the certificate must be requested from the QTSP immediately. The QTSP publishes the revocation in its Certificate Revocation List (CRL) or via the OCSP protocol, which makes any subsequent signature with this certificate invalid. Internal security policy must therefore provide for a dedicated contact point and an alert deadline of less than 24 hours.
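The renewal and revocation rules above can be checked mechanically. The following Python sketch is an added example, not Certyneo's or any QTSP's code: it flags certificates inside the 60-day renewal window and judges a signature at its signing time against the validity period and the revocation time. The `BearerCert` record, the function names and the inventory are assumptions made for illustration, and `signed_at` is assumed to come from a qualified timestamp.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
RENEWAL_LEAD = timedelta(days=60)  # the guide's "60 days before expiry"


@dataclass(frozen=True)
class BearerCert:
    bearer: str
    serial: str                            # constructed sample value
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # revocation time from the CRL/OCSP answer


def renewal_due(cert: BearerCert, now: datetime) -> bool:
    """True once a non-revoked certificate is inside the renewal window."""
    return cert.revoked_at is None and now >= cert.not_after - RENEWAL_LEAD


def renewal_report(certs, now):
    """(bearer, days left) for certificates to renew, most urgent first."""
    due = [(c.bearer, (c.not_after - now).days) for c in certs if renewal_due(c, now)]
    return sorted(due, key=lambda item: item[1])


def signature_status(cert: BearerCert, signed_at: Optional[datetime]) -> str:
    """Judge a signature at its signing time, not at verification time.

    signed_at is assumed to come from a qualified timestamp; without one the
    signing time cannot be proven, so the result is indeterminate.
    """
    if signed_at is None:
        return "indeterminate: no trusted signing time"
    if signed_at < cert.not_before:
        return "invalid: certificate not yet valid"
    if signed_at > cert.not_after:
        return "invalid: certificate expired"
    if cert.revoked_at is not None and signed_at >= cert.revoked_at:
        return "invalid: certificate revoked"
    return "valid"


# Constructed inventory: bearers, serials and dates are sample values.
CERTS = [
    BearerCert("ceo", "01A1", datetime(2024, 3, 1, tzinfo=UTC), datetime(2026, 3, 1, tzinfo=UTC)),
    BearerCert("sales-director", "01A2", datetime(2025, 6, 1, tzinfo=UTC), datetime(2027, 6, 1, tzinfo=UTC)),
    BearerCert("hr-director", "01A3", datetime(2024, 1, 15, tzinfo=UTC), datetime(2026, 1, 15, tzinfo=UTC),
               revoked_at=datetime(2025, 9, 10, 8, 30, tzinfo=UTC)),
]
```

A revoked certificate is deliberately left out of the renewal report: it needs a new enrolment, not a renewal reminder.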
---
Best practices for successful business deployment
Governance and internal roles
Successful deployment is based on clear governance. It is recommended to designate:
- A PKI manager (Public Key Infrastructure) on the IT side, responsible for the relationship with the QTSP and monitoring renewals;
- A legal reference point who validates use cases requiring qualified signature (vs advanced);
- Delegated administrators by department for operational bearer management.
Training and change management
Adopting a qualified certificate is not enough: employees must understand how to use their certificate, when to activate it, and how to respond in case of incident. A short training plan (1 to 2 hours) and documented procedures significantly reduce usage errors and support tickets.
Audit and traceability
To meet proof obligations, keep a timestamped audit log entry for each signature performed: identity of the signatory, document fingerprint, certified date/time, certificate identifier. This data forms the basis of the chain of evidence in case of dispute. The ETSI EN 319 132 (XAdES) standard provides signature formats that natively include this information.
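One way to make such a log tamper-evident is to chain the entries by hash, so that editing or deleting a past record breaks every later link. The sketch below is an added example, not part of the original guide or of any Certyneo product; the field names, the function names and the use of issuer plus serial number as the certificate identifier are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry


def _digest(entry: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    blob = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def append_entry(log, signer, document: bytes, signed_at, cert_issuer, cert_serial):
    """Append one signature event; each entry commits to the previous one."""
    entry = {
        "signer": signer,                                      # identity of the signatory
        "doc_sha256": hashlib.sha256(document).hexdigest(),    # document fingerprint
        "signed_at": signed_at,                                # certified date/time (ISO 8601, UTC)
        "cert_issuer": cert_issuer,                            # certificate identifier:
        "cert_serial": cert_serial,                            #   issuer name + serial number
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_log(log) -> int:
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return -1


def document_matches(log, index: int, document: bytes) -> bool:
    """Check that a document produced later is the one recorded at signing time."""
    return log[index]["doc_sha256"] == hashlib.sha256(document).hexdigest()


def build_sample_log():
    """Constructed sample data: signers, issuer, serials and times are invented."""
    log = []
    append_entry(log, "ceo", b"share transfer v1", "2026-01-20T10:00:00Z", "CN=Sample QTSP CA", "01A1")
    append_entry(log, "ceo", b"settlement protocol", "2026-01-21T09:15:00Z", "CN=Sample QTSP CA", "01A1")
    append_entry(log, "sales-director", b"tender bid", "2026-01-22T16:40:00Z", "CN=Sample QTSP CA", "01A2")
    return log
```

The chain only proves internal consistency: someone able to rewrite the whole file can recompute every hash, so the latest `entry_hash` should also be stored or timestamped outside the system that holds the log.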
Legal framework applicable to qualified electronic certificates
Civil Code and probative value
In French law, Article 1366 of the Civil Code establishes the principle of equivalence between electronic and paper documents, provided that "the identity of the person from whom it comes is duly assured and that it is established and preserved under conditions that guarantee its integrity". Article 1367 paragraph 2 specifies that qualified electronic signature benefits from a presumption of reliability: it is for the party contesting the signature to prove otherwise, thus reversing the burden of proof in favour of the signatory.
eIDAS Regulation No. 910/2014
The European regulation eIDAS (No. 910/2014), directly applicable in all Member States since 1 July 2016, is the supranational foundation. Its Article 25(2) states that "a qualified electronic signature has legal effect equivalent to a manuscript signature". Articles 28 and 29 define the requirements applicable to qualified certificates and qualified signature creation devices (QSCD). Annex I lists the mandatory information in a qualified certificate (policy OID, QTSP identity, public key, validity dates, etc.).
eIDAS 2.0 developments
The eIDAS 2.0 regulation (EU Regulation 2024/1183, which entered into force on 20 May 2024) introduces the European digital identity wallet (EUDIW) and strengthens accessibility requirements for qualified trust services. Companies will need to anticipate the integration of these new identification mechanisms by 2026-2027.
Applicable ETSI standards
- ETSI EN 319 411-2: policy and practices for QTSPs issuing qualified certificates;
- ETSI EN 319 132 (XAdES) and ETSI EN 319 122 (CAdES), ETSI EN 319 162 (PAdES): advanced and qualified electronic signature formats;
- ETSI EN 419 241: requirements for signature servers (RQES).
GDPR and data protection
The processing of personal data in the context of enrolment (identity verification, documentary collection) is subject to GDPR No. 2016/679. The QTSP and the client company are joint controllers of processing or in a controller/processor relationship depending on the configuration. A DPA (Data Processing Agreement) compliant with Article 28 GDPR must be signed. Enrolment data must be retained for the life of the certificate plus the applicable limitation period (5 years in contractual matters).
NIS2 Directive and infrastructure security
The NIS2 Directive (2022/2555/EU), transposed into French law by Law No. 2024-449, requires essential and important entities to implement risk management measures including supply chain digital security. Recourse to a qualified QTSP listed on the national TSL is a recognised best practice for partially satisfying these requirements.
Use cases: the qualified certificate in practice
Scenario 1: A law firm managing high-value acts
A business law firm with about twenty partners and associates regularly has to sign share transfer documents, settlement protocols and powers of attorney. Previously, each document required printing, handwritten signature, scanning and postal dispatch — resulting in an average processing time of 4 to 7 working days per signature cycle. After deploying cloud qualified certificates (RQES) for each partner, this time is reduced to less than 4 hours for documents not requiring notarial intervention. The firm estimates a 65% reduction in administrative time spent on document management, and has recorded no signature contests in the first 18 months of use. The electronic signature solutions for law firms offered by Certyneo integrate natively into this type of workflow.
Scenario 2: An SME contracting with public sector clients
An SME in the metalworking sector, employing approximately 120 people, regularly responds to dematerialised public procurement calls on buyer profiles. It is required to electronically sign its bids and commitment documents with a certificate at least at RGS** level. After obtaining two qualified certificates (for the chief executive and an authorised commercial director), the SME was able to submit its bids within the prescribed deadlines without travel or postal dispatch. Over a year, this represents approximately 35 public procurement files, representing estimated savings of about 15 person-days per year on document management alone. The eIDAS compliance of the certificate also ensures the recognition of its signatures with German and Belgian public sector clients, expanding its commercial scope. Use our ROI calculator to estimate potential gains in your own context.
Scenario 3: A healthcare group securing HR and supplier acts
A hospital group with approximately 1,200 beds, grouping several facilities, faces an annual volume of nearly 3,000 employment contracts, amendments and supplier commitments. The Human Resources Department and the Procurement Department jointly deployed a qualified signature solution, with certificates issued to authorised directors. In parallel, documents to be signed by staff are processed via an advanced signature workflow, reserving qualified signature for high-value management acts. Result: the average time to finalise an employment contract has dropped from 12 days to 2.5 days, and the rate of incomplete files (missing signature, wrong version signed) has decreased by 78%. The electronic signature solutions in healthcare offered by Certyneo integrate the specific regulatory requirements of the hospital sector.
Conclusion
Obtaining a qualified electronic certificate is today a necessary step for any business wishing to legally secure its digital documents, respond to public procurement requirements and comply with the eIDAS regulatory framework. Far from being a constraint, it is a competitive advantage: reduced signature times, an unassailable chain of evidence and recognition across the entire European Union.
Key steps to remember: choose a QTSP listed on ANSSI's trust list, prepare a rigorous enrolment file, opt for a cloud format (RQES) to facilitate deployment, and integrate the certificate into a platform compliant with ETSI standards.
Certyneo supports you at every step: from selecting the right signature level to integration into your business processes. Request a free demonstration and discover how to deploy qualified signature in less than 48 hours in your organisation.