Skip to main content
Certyneo

Cloud or On-Premise Electronic Signature: Which Choice in 2026?

Cloud SaaS or on-premise deployment: your electronic signature solution's hosting choice determines security, costs and eIDAS compliance. Discover our expert analysis.

Équipe éditoriale Certyneo12 min read

Équipe éditoriale Certyneo

Writer — Certyneo · About Certyneo

Introduction

Choosing between cloud electronic signature and on-premise hosting is one of the most structurally important strategic decisions for an IT department or legal team in 2026. While SaaS has widely seduced SMEs through its simplicity of deployment, large enterprises and organisations subject to sector-specific regulatory constraints are still questioning the relevance of internalised hosting. This in-depth comparison analyses both models according to five key axes: data sovereignty, technical security, eIDAS compliance, total cost of ownership and business agility. By the end of this article, you will have an operational decision framework to choose the architecture suited to your context.

Understanding the Two Hosting Models

Cloud Electronic Signature (SaaS)

In a cloud model, the publisher operates the entire infrastructure: servers, updates, availability, backup and data security. The client company accesses the solution via an API or web interface, without any local installation. European market players — including Certyneo — generally rely on ISO 27001 certified datacentres located within the European Union (France, Germany, Netherlands), guaranteeing GDPR compliance without additional effort on the client side.

The advantages are well-known: deployment in a few hours, immediate scalability, automatic updates incorporating regulatory developments (eIDAS 2.0, DSP3, NIS2), and usage-based economic model (OPEX). According to the Markess by Exaegis 2025 report, 78% of French companies with fewer than 500 employees now favour SaaS for their dematerialisation tools.

On-Premise Deployment

On-premise consists of installing the electronic signature platform directly on the company's own servers or in a private datacentre it controls. This model offers complete control over data, flows and security policies. It is historically adopted by banks, insurers, hospitals or public administrations handling sensitive data subject to specific reference systems (HDS, SecNumCloud, PGSSI-S).

The trade-off is significant operational burden: the IT team must manage updates, qualified signature certificates, HSMs (Hardware Security Modules), high availability and regulatory monitoring. The initial cost (CAPEX) is high, with licences potentially exceeding €80,000 for an enterprise installation, to which annual infrastructure costs must be added.

Data Sovereignty and Regulatory Compliance

GDPR and Data Localisation

The eIDAS regulation and its implications for your qualified signatures require that trust service providers (TSP) be audited and listed on national trusted lists. Whether you choose cloud or on-premise, your solution must imperative rely on a qualified TSP. The real GDPR question concerns transfers outside the EU: a cloud hosted by an American hyperscaler (AWS, Azure, GCP) without valid standard contractual clauses (SCC) exposes the enterprise to penalties that can reach 4% of global turnover.

European cloud solutions like Certyneo meet this requirement natively, with servers exclusively located in France and a DPA (Data Processing Agreement) compliant with article 28 of the GDPR provided from subscription.

SecNumCloud and Regulated Sectors

For operators of vital importance (OVI) and organisations subject to the Cloud-First doctrine of DINUM, the ANSSI's SecNumCloud qualification is progressively becoming mandatory. In 2026, only a few French cloud players have obtained this qualification (OVHcloud, Outscale). Affected organisations must therefore either choose a cloud qualified SecNumCloud or maintain an on-premise compliant with ANSSI RGS v2 reference system.

Note that NIS2, transposed into French law by the law of 26 January 2025, extends cybersecurity obligations to more than 15,000 essential and important entities, creating new regulatory pressure on architecture choice.

Total Cost of Ownership: Comparative Analysis

TCO (Total Cost of Ownership) analysis over 5 years systematically reveals a cloud advantage for volumes below 50,000 signatures/year. Beyond that, on-premise can become competitive if infrastructure already exists. Certyneo's ROI calculator allows you to estimate precisely this switching threshold according to your volume and sector.

A typical on-premise deployment for a company of 1,000 employees represents:

  • Initial licence: €60,000 to €120,000
  • HSM infrastructure and dedicated servers: €30,000 to €50,000
  • Annual maintenance (20% of licence): €12,000 to €24,000/year
  • Internal IT resources: 0.5 to 1 FTE dedicated

Against this, a SaaS cloud of equivalent capacity typically costs €18,000 to €40,000/year all-in, with zero CAPEX.

Technical Security: Advantages and Limitations of Each Model

Security in Cloud Environment

Contrary to a persistent assumption, the cloud of a specialised publisher often offers a higher level of security than a typical on-premise enterprise infrastructure. The reasons are structural: publishers invest massively in dedicated teams (24/7 SOC, quarterly pen-tests, ISO 27001 and SOC 2 Type II certifications), which is beyond the reach of most internal IT departments.

Good practices include AES-256 encryption at rest and TLS 1.3 in transit, mandatory multi-factor authentication, immutable logging of signature events, and geo-redundant backups. The legal value of electronic signature rests precisely on this unalterable traceability.

Risks Specific to On-Premise

On-premise generates specific risks that are often underestimated:

  • Version drift: without a dedicated team, cryptographic updates (certificate revocation, transition to SHA-3) are delayed, exposing the company to technically invalid signatures.
  • HSM management: a poorly configured Hardware Security Module or whose firmware is not updated annually negates non-repudiation guarantees.
  • Business continuity plan: the availability (SLA) of an internal on-premise rarely exceeds 99.5%, compared to 99.95% for a structured SaaS cloud.

For organisations wishing to combine sovereignty and operational delegation, the private cloud model (dedicated Private Cloud in a certified datacentre, HDS or SecNumCloud) constitutes a relevant middle ground.

Integration, Agility and Scalability

APIs and Interoperability

Both models now expose documented REST APIs. Nevertheless, the speed of update is structurally different: a cloud publisher deploys new features (biometric signature, AI fraud detection, eIDAS 2.0 Wallet support) in a few weeks, while on-premise involves a 3 to 6-month internal qualification cycle per major version.

To integrate electronic signature into an ERP (SAP, Oracle), an HRIS or a DMS (OpenText, Alfresco), the cloud offers pre-built connectors maintained by the publisher. The complete comparison of electronic signature solutions details the integration capabilities of the main market players.

Scalability and Volume

In the cloud, scalability is near-instantaneous: a campaign of 10,000 simultaneous signatures (shareholder AGM, massive HR deployment) is absorbed without prior configuration. On-premise, infrastructure oversizing must anticipate peaks, generating capitalisation costs.

Organisations in rapid growth or practising seasonal cycles (real estate, insurance) particularly benefit from cloud elasticity. Electronic signature in real estate, for example, experiences volume peaks related to market cycles that would render permanently oversized on-premise.

Decision Criteria: Which Model for Which Profile?

Enterprises and SMEs Without Specific Sector Constraints

For an SME of 10 to 500 employees without particular sector-specific regulatory obligation, cloud SaaS is a clear choice: rapid deployment, controlled cost, eIDAS and GDPR compliance guaranteed by the publisher. Integration into existing HR tools is facilitated by native connectors — as illustrated by the use of electronic signature for HR teams covering pay slips, contracts and conventional terminations without dedicated infrastructure.

Large Enterprises and Regulated Sectors

Enterprises handling health data (mandatory HDS), critical financial data or classified information must seriously evaluate on-premise or qualified private cloud. The question is not technical but regulatory: does the applicable reference framework allow for a public cloud or not?

A hybrid architecture — cloud for standard signatures, on-premise for the most sensitive qualified acts — has been adopted by several major French groups since 2024. This model requires rigorous orchestration and solid API bridges.

Public Bodies and Administrations

Since DINUM circular 2023-1, State administrations are encouraged to favour cloud offerings qualified SecNumCloud. On-premise remains authorised for sensitive information systems (SIS) but must comply with RGS v2 and PGSSI-S for health data. Electronic signature for law firms illustrates how entities with high traceability requirements find their balance between these two models.

The choice between cloud and on-premise is not neutral from a legal standpoint. Several legal frameworks directly govern the technical architecture of your signature solutions.

Civil Code, articles 1366 and 1367: These provisions define electronic signature as a reliable process of identification guaranteeing its link with the deed to which it is attached. The reliability of the process is presumed until proven otherwise when a qualified electronic signature is used. This presumption applies regardless of the hosting method, provided that the trust service provider (TSP) is qualified.

eIDAS Regulation No. 910/2014 and eIDAS 2.0 (EU Regulation 2024/1183): The eIDAS Regulation distinguishes three levels of signature (simple, advanced, qualified). Qualified signature necessarily requires the involvement of a TSP registered on the national trusted list (ANSSI trust list for France). Whether your solution is cloud or on-premise, it must interface with a qualified TSP to issue qualified signatures. eIDAS 2.0, applicable since May 2024, introduces the European Digital Identity Wallet (EUDIW) and strengthens requirements on qualified certificate management.

GDPR Regulation No. 2016/679: Article 28 requires the conclusion of a DPA (data processor contract) with any cloud provider processing personal data on your behalf. Article 44 prohibits transfers of data outside the EU without adequate guarantees (standard contractual clauses or binding corporate rules). In internal on-premise, this obligation disappears but the company becomes fully responsible for processing and must document its technical and organisational measures (TOM) in accordance with article 32.

NIS2 Directive (EU Directive 2022/2555), transposed into French law by the law of 26 January 2025: Essential and important entities (energy, health, finance, water, digital, transport, administration sectors) must implement proportionate cybersecurity measures, including management of digital supply chain risks. An electronic signature cloud provider constitutes a critical third-party supplier under NIS2: mandatory due diligence, specific contractual clauses and audit rights.

ETSI Standards EN 319 132 and ETSI EN 319 122: These standards define advanced electronic signature formats (XAdES, PAdES, CAdES) accepted in European public procurement and B2B exchanges. Compliance with these formats must be verified regardless of the architecture chosen.

General Security Reference (RGS v2) and HDS: For administrations and health data hosters, the ANSSI's RGS v2 and HDS certification (Health Data Hoster, order of 11 June 2018) apply respectively. A non-HDS certified cloud is legally disqualified from hosting health data of a personal nature, even transiently when signing a patient consent.

Legal Risks to Anticipate: A signature issued from a non-compliant system may be contested in court, particularly if the integrity of the document or the signer's identity cannot be proven incontrovertibly. The burden of proof lies with the person invoking the signature. A compliance audit prior to deployment, cloud or on-premise, is strongly recommended.

Use Cases: Cloud or On-Premise According to Business Context

Scenario 1 — An intermediate-sized industrial group managing 15,000 annual contracts

A mid-market industrial company (approximately 1,200 employees, 3 production sites in France) must dematerialise all of its supplier, customer and subcontractor contracts. It processes an average of 15,000 signatures per year, with peaks in January (renewal of framework contracts) and September (purchasing campaigns). Its industrial data is sensitive but not classified.

After TCO analysis over 5 years, the finance department concludes that a European SaaS cloud certified ISO 27001 is 40% less expensive than an equivalent on-premise deployment (publisher economy of scale vs. 0.7 FTE IT dedicated internally). The IT department selects a cloud solution hosted in France with 99.95% SLA and documented REST API, integrated directly into its ERP. Seasonal peaks are absorbed without additional cost. Result observed after 12 months: 65% reduction in average supplier contract signature time (from 8.3 days to 2.9 days), and estimated annual saving of €120,000 on paper processing and follow-up costs.

Scenario 2 — A hospital group with 1,200 beds subject to HDS certification

A public hospital group wishes to dematerialise its patient consents, its freelance practitioner contracts and its public contracts. The data processed includes health information of a personal nature, subject to HDS certification (Health Data Hoster) and PGSSI-S.

Pure on-premise is ruled out because of the complexity of HSM maintenance and the absence of cryptographic expertise internally. The group opts for private cloud hosted by an HDS certified and SecNumCloud qualified provider. The signature solution is deployed in this dedicated cloud, with strict network segregation and audit logs exported to the internal SIEM. The cost is 25% higher than standard mutualized cloud, but 35% lower than a complete on-premise. Operational benefit: the 800 monthly consents are processed in less than 24 hours compared to 5 days in paper format, with complete traceability compliant with HAS requirements.

Scenario 3 — A law firm with 25 employees integrating signature into its daily workflow

A Paris-based business law firm daily processes asset transfers, settlement agreements and mandates requiring advanced or qualified electronic signature. Client data confidentiality is an absolute priority, but the firm has no IT infrastructure of its own.

On-premise is ruled out from the outset for lack of resources. The firm chooses a European SaaS cloud with end-to-end encryption, encryption keys controlled by the customer (BYOK — Bring Your Own Key), and contractual guarantee of non-access to data by the publisher. This so-called "zero knowledge" architecture satisfies both the Bar Association's ethical requirements and GDPR obligations. Integration with the case management software (via API) reduces the time for preparing a signable deed from 45 minutes to 8 minutes on average, a productivity gain of 82% on this task.

Conclusion

Cloud or on-premise: there is no universal answer, but a structured decision framework. For the vast majority of French enterprises — SMEs, mid-market companies without critical sector constraint — compliant European SaaS cloud eIDAS and GDPR offers the best balance between security, compliance and total cost of ownership. On-premise or qualified private cloud remains relevant for regulated sectors (health, defence, OVI) where constraining reference frameworks (HDS, SecNumCloud, RGS v2) impose complete infrastructure control.

In 2026, the real question is no longer "cloud or on-premise" but "what level of sovereignty for which data, with which qualified TSP?" Certyneo meets these requirements with a cloud architecture hosted exclusively in France, ISO 27001 certified, eIDAS 2.0 and GDPR compliant. Discover our offers and pricing on Certyneo or contact our team for a free audit of your electronic signature needs.

Try Certyneo for free

Send your first signature envelope in less than 5 minutes. 5 free envelopes per month, no credit card required.

Dive deeper

Our comprehensive guides to master electronic signatures.

Certyneo Community

A question about electronic signatures?

Join the Certyneo community: ask your questions, share your answers and connect with thousands of users and our team.