How Electronic Signature Works in 2026

Introduction

Electronic signature is now at the heart of digital transformation in businesses: in 2025, more than 70% of large European organizations have integrated it into at least one contractual process (source: Gartner, Digital Process Automation Survey 2025). Yet few decision-makers precisely understand the mechanisms that make it legally valid and technically unforgeable. Understanding how electronic signature technically works — cryptography, PKI, certificates — makes it possible to choose the right solution, reduce legal risks, and accelerate internal adoption. This article guides you, step by step, through the technical architecture and standards that govern electronic signature in 2026.

---

The Cryptographic Foundations of Electronic Signature

Electronic signature is based on proven cryptographic primitives. Understanding the mechanisms means understanding why it is more reliable than a scanned handwritten signature.

Asymmetric Encryption: Public Key and Private Key

The fundamental principle is asymmetric cryptography, invented in the 1970s and standardized by algorithms such as RSA (Rivest–Shamir–Adleman) or elliptic curves (ECDSA). Each signer has two mathematically linked keys:

• The private key: kept secret by the signer on a secure device (smart card, HSM token, or protected software module). It is used to create the signature.
• The public key: freely distributed, included in a digital certificate. It is used to verify the signature.

The security principle is based on computational asymmetry: it is mathematically trivial to verify a signature with the public key, but practically impossible to reconstruct the private key from the public key (discrete logarithm problem or large integer factorization).

Hash Functions: The Digital Fingerprint of the Document

Before signing, the system calculates a cryptographic fingerprint of the document using a hash function (SHA-256 or SHA-3 in 2026). This fingerprint, called a hash or digest, is a fixed-size string of characters (256 bits for SHA-256) that uniquely represents the document's content.

Essential property: modifying a single character of the document produces a radically different hash. This guarantees the integrity of the signed document: any alteration after signing is immediately detectable.

The electronic signature itself is therefore the encryption of this hash with the signer's private key. When verifying, the recipient:

1. Decrypts the signature with the public key to retrieve the original hash;
2. Recalculates the hash of the received document themselves;
3. Compares the two: if identical, the signature is valid.

---

Public Key Infrastructure (PKI): The Chain of Trust

Cryptography alone is not enough: you must also prove that the public key belongs to the person claiming to use it. This is the role of the PKI (Public Key Infrastructure).

Certification Authorities (CA)

A Certification Authority (CA) is an accredited trusted third party that issues digital certificates. A digital certificate is a standardized file (X.509 format) containing:

• The holder's identity (name, organization, email);
• Their public key;
• The validity period;
• The CA's own digital signature.

In Europe, qualified CAs are listed in the Trusted Lists published by each EU Member State in accordance with the eIDAS regulation. In France, the ANSSI publishes and maintains this list. Qualified trust service providers (QTSP) — such as CertSign, Certigna, or Universign — are subject to regular audits according to the ETSI EN 319 401 standard.

The Certificate Chain and Revocation

The PKI operates on a hierarchical model:

• A Root CA that is self-signed, kept offline under maximum physical security conditions;
• Intermediate CAs that issue certificates to end users.

Revocation of certificates is a critical mechanism: if a private key is compromised, the CA publishes its invalidation via a CRL (Certificate Revocation List) or via the OCSP (Online Certificate Status Protocol) protocol, allowing real-time verification.

For qualified electronic signature under eIDAS, the private key must be generated and kept in a QSCD (Qualified Signature Creation Device) — hardware certified CC EAL4+ or higher, such as a smart card or HSM (Hardware Security Module).

---

The Three Levels of Signature According to eIDAS

The European regulation eIDAS no. 910/2014 (and its evolution eIDAS 2.0 currently being rolled out) defines three levels of signature, each based on increasing technical guarantees. To learn more about this regulatory framework, consult our complete guide to the eIDAS regulation.

Simple Electronic Signature (SES)

Simple signature is the least technically restrictive form. It can be as basic as a checkbox, a one-time password (OTP) sent via SMS, or an image of a handwritten signature. It does not necessarily involve a qualified certificate.

Typical use: validation of quotes, marketing consents, low-stakes contracts.

Risk: limited probative value in case of judicial dispute. The burden of proof rests with the person invoking the signature.

Advanced Electronic Signature (AdES)

Advanced signature meets four precise technical requirements (article 26 eIDAS):

1. It is uniquely linked to the signer;
2. It allows identification of the signer;
3. It is created from data under the exclusive control of the signer;
4. It allows detection of any subsequent alteration of the document.

In practice, this involves the use of a personal digital certificate and a robust authentication mechanism. Standard formats are defined by ETSI: PAdES (for PDF), XAdES (XML), CAdES (binary data) and JAdES (JSON), all standardized in the ETSI EN 319 100 series.

Qualified Electronic Signature (QES)

Qualified signature is the highest level. It requires:

• A qualified certificate issued by an accredited QTSP eIDAS;
• A QSCD for signature creation.

It benefits from a legal presumption of reliability and legal equivalence with handwritten signature throughout the European Union (article 25 eIDAS). This is the level required for electronic authentic deeds, certain notarial deeds, or sensitive public procurement.

Our comparison of electronic signature solutions analyzes the practical differences between these levels to help you choose.

---

The Complete Process of Electronic Signature Step by Step

Here is how a transaction for electronic signature on a SaaS platform like Certyneo concretely proceeds:

Step 1: Document Preparation and Sending

The signature initiator uploads the document (contract, amendment, purchase order) to the platform. The system immediately generates a SHA-256 hash of the original file, timestamped and stored immutably. This fingerprint will serve as a reference for all future verification.

Step 2: Signer Authentication

Depending on the level of signature chosen, authentication varies:

• SES: email + signature link;
• AdES: strong authentication (SMS OTP, FIDO2 mobile application);
• QES: prior identity verification (face-to-face or video IDV), issuance of a qualified certificate for single or persistent use.

Step 3: Creation of Cryptographic Signature

The signer triggers the signing action. The platform (or QSCD):

1. Calculates the hash of the document;
2. Encrypts this hash with the signer's private key;
3. Integrates the signature and certificate into the document (PDF signed in PAdES-LTV format for long-term preservation).

Step 4: Qualified Timestamping

A qualified timestamping service (TSA) compliant with RFC 3161 standard affixes a cryptographic timestamp, proving that the signature existed at a specific moment. This protects against date falsification and guarantees probative value over time — even if the signer's certificate expires later.

Step 5: Probative Archiving

The signed document is archived with its complete audit trail: signer's identity, IP address, timestamp, document hash, certificates used. This proof file (audit trail) is essential in case of judicial dispute. Solutions compliant with eIDAS maintain these proofs in a PAdES-LTV (Long-Term Validation) format that integrates validation data to allow verification years after signing.

To understand how to integrate this process into your HR workflows, discover our electronic signature solution for HR and our contract templates to download.

Legal Framework Applicable to Electronic Signature

Electronic signature is part of a multi-layered regulatory framework, articulating national civil law and harmonized European law.

French Civil Code

Article 1366 of the French Civil Code establishes the fundamental principle: "Electronic writing has the same probative force as writing on paper, provided that the person from whom it comes can be duly identified and that it is established and preserved in conditions designed to guarantee its integrity." Article 1367 specifies that the electronic signature "consists in the use of a reliable identification process guaranteeing its link with the act to which it is attached".

Decree no. 2017-1416 of September 28, 2017 defines the presumption of reliability for qualified and advanced signatures compliant with eIDAS.

eIDAS Regulation no. 910/2014

Cornerstone of European digital trust law, the eIDAS regulation (electronic IDentification, Authentication and trust Services) establishes a unified legal framework for electronic signatures, electronic seals, qualified timestamping, registered delivery services and website authentication certificates. Its article 25, paragraph 2, confers on qualified signature a legal presumption of equivalence with handwritten signature throughout the EU.

The eIDAS 2.0 regulation (being transposed in Q1 2026) strengthens these provisions with the European digital identity wallet (EUDIW) and extends obligations to financial and health services markets.

ETSI Standards

Signature formats are standardized by ETSI:

• ETSI EN 319 132 (XAdES), EN 319 122 (CAdES), EN 319 102 (PAdES) define the technical profiles of advanced and qualified signatures;
• ETSI EN 319 421 governs the policies of qualified timestamping services.

GDPR and Data Protection

Processing identity data in the context of an electronic signature (name, email, biometrics for identity verification) is subject to the GDPR no. 2016/679. Data controllers must: have a legal basis (legitimate interest or contract performance), apply the principle of data minimization, and guarantee security through appropriate technical measures (encryption, pseudonymization).

NIS2 Directive

The NIS2 Directive (2022/2555/EU), transposed into French law since October 2024, imposes on operators of essential services and providers of digital services (including electronic signature providers) reinforced obligations in terms of cybersecurity, risk management and incident notification within 24 hours. Non-compliance exposes them to penalties of up to €10 million or 2% of global turnover.

Concrete Use Cases of Electronic Signature

Scenario 1: A Corporate Law Firm Automates the Signing of Mandates

A corporate law firm with a dozen collaborators processed an average of 120 representation mandates per month. The paper procedure involved printing, postal delivery or hand delivery, then scanning returned documents — resulting in an average delay of 4.5 business days per file and an estimated document loss rate of 8%.

By deploying advanced electronic signature (AdES) with OTP authentication, the firm reduced the average signing delay to less than 4 hours, reduced the documentary anomaly rate to less than 1%, and saved approximately €2,200 per year in postage and printing costs. The automatically generated audit trail also simplified two mandate dispute procedures, providing irrefutable timestamped proof. Discover our solution dedicated to law firms.

Scenario 2: An SME Digitalizes Its Supplier Contracts

An industrial SME managing approximately 200 supplier contracts per year (general terms of purchase, price amendments, NDAs) suffered signing delays that could exceed three weeks for cross-border contracts with German and Spanish partners. Differences in legal systems and lack of mutual recognition slowed negotiations.

By adopting qualified signature (QES) issued by an accredited QTSP eIDAS, recognized throughout the EU, the SME benefited from automatic legal recognition in all three countries without any additional legalization. The average cross-border signing delay dropped from 18 days to 2.5 days. Electronic signature in business details these benefits for procurement teams.

Scenario 3: A Hospital Group Secures Patient Informed Consent

A hospital group of approximately 800 beds needed to collect informed consent from patients for clinical research protocols. Paper management created GDPR compliance risks (documents poorly archived, untraceable dates) and mobilized nursing staff for administrative tasks.

By integrating simple electronic signature with identification via SMS code — sufficient for acts not subject to qualified signature requirements — the group automated the collection, archiving and traceability of consents. Administrative time per patient dropped from 12 minutes to less than 2 minutes, freeing approximately 800 nursing hours per year. All documents are archived with qualified timestamping, fully meeting CNIL requirements. Explore our signature solution for healthcare.

Conclusion

Understanding how electronic signature technically works — from asymmetric cryptography to PKI, from qualified certificates to probative timestamping — is essential for making informed choices regarding compliance and operational efficiency. The three eIDAS levels (simple, advanced, qualified) respond to different needs, and the choice should always be guided by analysis of legal risk and expected probative value.

Certyneo supports you in this transition with an eIDAS-compliant SaaS platform, accredited QTSPs and simplified integration into your existing processes. Estimate the potential gains for your organization using our electronic signature ROI calculator, or start directly by consulting our offers and pricing. Compliance and performance are no longer a compromise.