eIDAS Qualified Timestamping: Proof of Certain Date

Electronic timestamping is often perceived as a minor technical detail. In reality, it constitutes one of the pillars of the evidentiary value of an electronically signed document. Without it, a digital signature says nothing about the moment it was affixed — a gap that can prove fatal in case of litigation. Regulation eIDAS No. 910/2014 precisely introduced the concept of qualified timestamping, the highest level of date certification recognized in all Member States of the European Union. This article decrypts this mechanism, its technical requirements, its legal scope, and the concrete situations in which it becomes indispensable.

What is qualified timestamping under eIDAS?

Definition and timestamping levels

Regulation eIDAS distinguishes two categories of electronic timestamping:

• Simple electronic timestamping: any data in electronic form associating a date and time with other data. It benefits from a rebuttable presumption of reliability (Art. 41 eIDAS).
• Qualified timestamping: higher level, issued by a Qualified Trust Service Provider (QTSP) registered on a supervised national trust list. It benefits from a legal presumption of accuracy of the date and time and integrity of the timestamped data (Art. 42 eIDAS).

This distinction is fundamental: a qualified timestamp is presumed accurate until proven otherwise, which reverses the burden of proof in case of dispute. To learn more about the different trust levels provided for in this text, consult our comprehensive guide to eIDAS 2.0 regulation.

Technical requirements for qualified timestamping

To be qualified under eIDAS, timestamping must meet strict criteria defined in Article 42 of the regulation:

1. Link the date and time to the data in a manner that reasonably excludes any possibility of undetectable modification.
2. Rely on an accurate time source linked to Coordinated Universal Time (UTC), traceable and compliant with ETSI EN 319 421 and EN 319 422 standards.
3. Be signed using an advanced electronic signature or advanced electronic seal of the qualified QTSP, or via an equivalent method.

In practice, the service provider receives a cryptographic fingerprint (hash) of the document, affixes a signed time stamp to it, and returns a timestamp token (TST) compliant with RFC 3161 protocol. This process never transmits the document content to the provider — only its fingerprint — which guarantees data confidentiality.

Trust lists and national supervision

In France, the ANSSI (National Agency for Information Systems Security) is the supervisory authority that maintains the list of qualified providers. This list is published in signed XML format and integrated into the European trust list (EU Trusted List) accessible via the European Commission's eIDAS portal. Every provider listed there has undergone rigorous compliance audits according to ETSI EN 319 401 standards (general requirements) and ETSI EN 319 421 (policy profile for qualified TSAs).

When evaluating an electronic signature solution for your business, verifying that the provider integrates qualified timestamping — not simple internal timestamping — is a decisive selection criterion.

Why is qualified timestamping crucial for proof of date?

Date in the digital evidence chain

A qualified electronic signature proves who signed and that the document was not modified. But it does not prove when the signature was affixed, unless a qualified timestamp is associated with it. This distinction becomes paramount in several scenarios:

• Anteriority of an invention: to establish that a patent or know-how existed before a specific date.
• Compliance with a contractual deadline: to demonstrate that a contract was signed before the expiration of an offer.
• Long-term probative archiving: the cryptographic validity of a signature can expire with the obsolescence of algorithms (signature aging phenomenon). A qualified timestamp would allow the document to be "re-timestamped" and extend its evidentiary value.

Signature aging and re-timestamping

Cryptographic algorithms evolve. A signing certificate based on RSA-2048, considered secure in 2015, might be deemed insufficient by 2030 with the rise of quantum computing. Probative archiving relies on the practice of re-timestamping: before the presumed expiration of algorithm robustness, a new qualified timestamp is applied to the whole (document + signature + previous timestamp), creating an uninterrupted chain of trust.

This approach is standardized in ETSI EN 319 102-2 (verification procedures for advanced and qualified signatures) and recommended for any document that must be retained for more than 10 years — notarial deeds, long-term commercial contracts, medical records, or regulatory documents.

European interoperability and mutual recognition

One of the major strengths of eIDAS qualified timestamping lies in its automatic recognition across all 27 Member States (Art. 41.3 eIDAS). A qualified timestamp issued by a French QTSP produces the same legal effects in Germany, Spain, or Poland. This legal portability is particularly valuable for companies operating on transnational European markets, signing contracts with partners in multiple countries. To compare the different approaches available on the market, our comparison of electronic signature solutions offers detailed analysis.

Integration of qualified timestamping in an electronic signature workflow

Technical architecture of a compliant workflow

In a qualified electronic signature (QES) process, timestamping integrates at several levels of the signed document, according to ETSI formats defined for long-term signatures:

• XAdES-LTA format (XML Advanced Electronic Signatures – Long-Term Archive): for XML documents.
• PAdES-LTA format (PDF Advanced Electronic Signatures – Long-Term Archive): for PDFs, the most common format in business.
• CAdES-LTA format (CMS Advanced Electronic Signatures – Long-Term Archive): for generic binary files.

The suffix LTA (Long-Term Archive) precisely designates the level that incorporates a qualified timestamp and the revocation data necessary for future verification, even after certificate expiration.

The role of the SaaS signature platform

In a SaaS solution like Certyneo, integration of qualified timestamping is transparent for the end user. The platform:

1. Generates the cryptographic fingerprint of the finalized document.
2. Sends this fingerprint to the qualified TSA (Time Stamping Authority) partner via a secure connection.
3. Receives the signed timestamp token (TST).
4. Incorporates the TST into the PDF/A file according to PAdES-LTA format.
5. Stores the entire assembly in a secure archiving environment, itself auditable.

The user thus has a document whose signature completion date is certified and verifiable by any third party, without dependence on the infrastructure of the platform that performed the signature. This verification independence is a criterion of excellence often underestimated during procurement calls. If you are considering changing service providers, our migration guide from DocuSign or YouSign to Certyneo details the technical points of attention to anticipate.

Verification and auditability

Any document incorporating a qualified PAdES-LTA timestamp can be verified free of charge via open source tools (DSS Library from the European Commission) or online validators compliant with eIDAS. Verification confirms:

• The identity of the signatory (qualified certificate).
• Document integrity (no post-signature modification).
• Certified date and time (valid TST token, TSA on trust list).
• Non-revocation of the certificate at the time of signature.

This complete traceability constitutes a determining advantage for legal teams who must regularly produce documentary evidence in the context of litigation or regulatory audits.

Legal framework applicable to qualified timestamping

Regulation eIDAS No. 910/2014

Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014, called eIDAS Regulation, constitutes the legal foundation of qualified timestamping in Europe. Its key provisions are:

• Article 3(34): defines electronic timestamping as "data in electronic form which associates other data in electronic form with a particular instant and establishes proof that such latter data existed at that instant".
• Article 41: grants simple electronic timestamps a rebuttable presumption of accuracy.
• Article 42: sets the conditions for timestamping qualification (traceable UTC source, signature of the qualified QTSP, cryptographic link with the data).
• Article 42(2): confers on qualified timestamping a legal presumption of accuracy of the date and time and integrity of associated data. This presumption applies before any jurisdiction in the EU without requiring additional proof.

eIDAS 2.0 (Regulation EU 2024/1183, progressively entered into application since 2024) strengthens these provisions by extending the framework to European digital identity wallets (EUDIW), without calling into question the foundations of qualified timestamping.

French Civil Code — Articles 1366 and 1367

Under French law, article 1366 of the Civil Code states that "electronic writing has the same probative force as writing on paper medium, provided that the person from whom it originates can be duly identified and that it is established and retained under conditions such as to guarantee its integrity". Article 1367 specifies the conditions of reliable electronic signature. Qualified timestamping directly participates in satisfying the condition of integrity and certain dating required by these texts.

Furthermore, Decree No. 2017-1416 of 28 September 2017 relating to electronic signature explicitly refers to eIDAS Regulation to define the levels of signature admissible before French courts.

Retention obligations and GDPR

Regulation (EU) 2016/679 (GDPR), applicable to all personal data processing, imposes appropriate technical and organizational measures of security (Art. 32). Qualified timestamping, by guaranteeing the integrity and dating of processed data, contributes to GDPR compliance in document workflows involving personal data.

Certain sectors impose specific legal retention periods: 5 years for commercial contracts (Art. L.110-4 of the Commercial Code), 10 years for civil documents, 20 years for certain medical documents. For these long-term archivings, the absence of qualified timestamping and periodic re-timestamping constitutes a major legal risk: the document could lose its evidentiary value before the expiration of the legal retention period.

ETSI standards of reference

• ETSI EN 319 421: policy and security requirements for qualified TSAs (Time Stamping Authorities).
• ETSI EN 319 422: timestamp token profile.
• ETSI EN 319 102-1/2: procedures for creation and verification of advanced and qualified signatures, incorporating timestamping.
• ETSI EN 319 132 (XAdES) and EN 319 122 (CAdES): long-term signature formats.

Use scenarios: when is qualified timestamping decisive?

Scenario 1 — Business law firm managing litigation files

A business law firm of about fifteen collaborators, specialized in B2B contract disputes, uses qualified electronic signature for its procedural instruments, fee agreements, and sensitive correspondence. In the context of litigation over the date of acceptance of a commercial offer, the opponent contests that their client's signature is prior to the expiration of the deadline stipulated in the offer.

Thanks to the qualified timestamp integrated into the PAdES-LTA document, the firm produces a timestamp token issued by a QTSP registered on the French trust list. The certified date — to the second — is independently verifiable by the judge and judicial expert. The legal presumption of Article 42 eIDAS applies: the burden of proof to the contrary now rests with the opponent. The case is resolved without costly expert appraisal, saving approximately 15 to 25 days of proceedings according to usual estimates for this type of litigation.

Scenario 2 — Industrial SME managing a portfolio of supplier contracts

An industrial SME managing approximately 300 supplier contracts per year — NDAs, general purchase conditions, price amendments — seeks to secure its documentary archiving in a context of ERP overhaul. The company wishes to preserve evidentiary value of its contracts for at least 10 years, in compliance with its legal obligations and insurer requirements.

By deploying an electronic signature solution integrating qualified timestamping and PAdES-LTA format, the SME automatically creates long-term probative archives. An internal audit conducted 18 months after deployment reveals a 40% reduction in time spent searching and reconstructing documents during supplier audits, and near-total elimination of disputes related to disagreements over the effective date of price amendments. The human resources teams benefit from the same advantage for employment contracts and amendments, with strengthened compliance during labor inspections.

Scenario 3 — Healthcare facility and archiving of patient consents

An intermediate-sized hospital group (approximately 600 beds) digitizes its informed consent forms for surgical procedures and clinical trials. Applicable regulations (Art. L.1111-4 of the Public Health Code, Regulation (EU) 536/2014 on clinical trials) require not only traceability of consent but also certainty of its dating prior to the medical procedure.

The integration of qualified timestamping in the consent signature workflow guarantees that the consent date is certified and incontestable, including in case of inspection by health authorities (HAS, ANSM) or medical litigation. For this sector, electronic signature solutions adapted to healthcare must imperatively integrate this qualified timestamping to meet specific regulatory obligations. Facilities that have deployed this type of solution generally observe a reduction of 60 to 70% in administrative time managing consents compared to a paper process, according to benchmarks published by associations of healthcare facility directors.

Conclusion

eIDAS qualified timestamping is not a mere digital stamp: it is a strong legal presumption, recognized throughout the European Union, that transforms the date of an electronically signed document into evidence enforceable before any court. By relying on supervised QTSPs, rigorous ETSI standards, and long-term archiving formats (PAdES-LTA), it offers legal certainty that neither an internal server timestamp nor a simple file metadata can match.

For companies that sign contracts, manage sensitive files, or must retain documentary evidence over several years, integrating qualified timestamping into their signature workflow is no longer optional — it is a requirement of good legal practice.

Certyneo natively integrates qualified timestamping in every qualified electronic signature issued on its platform. Discover how to secure your documentary evidence by starting your free trial or consulting our transparent pricing.