
Electronic Signature Service Provider Obligations in France

eIDAS qualification, GDPR compliance, ANSSI requirements: electronic signature service providers face a demanding legal framework. Discover all the obligations you need to meet.

14 min read

Certyneo Team

Writer, Certyneo


Introduction

Deploying an electronic signature solution in France requires careful planning. Behind every qualified or advanced signature lie dozens of legal obligations that fall on the Trust Service Provider (TSP). The eIDAS Regulation, GDPR, General Security Framework, ETSI standards… the regulatory landscape is both dense and evolving. For user companies, understanding these legal obligations for electronic signature service providers in France, eIDAS, and GDPR is essential to choosing a compliant partner and avoiding any legal risk. This article details, section by section, all the requirements applicable to TSPs operating on French territory.

---

The Status of Qualified Trust Service Provider

What is a TSP under eIDAS?

The eIDAS Regulation No. 910/2014 distinguishes between two categories of providers: non-qualified trust service providers and qualified providers (QTSPs). The former may offer simple or advanced electronic signature services without mandatory third-party audit. The latter — solely authorized to deliver signatures qualified under Article 3(15) of eIDAS — must satisfy considerably stricter requirements.

In France, it is the National Agency for Information Systems Security (ANSSI) that fulfills the role of supervisory authority provided for in Article 17 of eIDAS. It publishes and maintains the French Trust List (TSL), accessible on its official website, listing qualified providers and their services.

The qualification procedure: audit and compliance

To obtain qualified status, a TSP must necessarily:

  • Have its services audited by a Conformity Assessment Body (CAB) accredited by COFRAC in accordance with the EN ISO/IEC 17065 standard.
  • Submit the audit report to ANSSI, which decides on granting qualified status. This status is re-evaluated at least every 24 months (Article 20 §1 eIDAS).
  • Notify ANSSI of any substantial change to its services, within 3 months before the planned modification (Article 21 eIDAS).

Failure to follow these steps exposes the provider to removal from the TSL and loss of the legal presumptions attached to qualified signatures. For client companies, using a TSP not listed on the TSL means losing any legal presumption of reliability.


---

Technical and Security Obligations Imposed on TSPs

Compliance with ETSI Standards

Qualified providers must comply with a set of European standards published by the European Telecommunications Standards Institute (ETSI). The main ones are:

  • ETSI EN 319 401: general security requirements applicable to all TSPs.
  • ETSI EN 319 411-1 and 411-2: policies and practices of certification authorities issuing qualified signature certificates.
  • ETSI EN 319 132: advanced electronic signature formats (XAdES for XML, PAdES for PDF, CAdES for CMS).
  • ETSI EN 319 122: CAdES format for qualified signatures.
  • ETSI TS 119 431: requirements for remote signature creation services (remote QSCD).

These standards are not optional: the eIDAS Regulation (Annex II, III and IV) explicitly refers to them to define the minimum requirements for qualified certificates and signature creation devices.

Management of Qualified Signature Creation Devices (QSCD)

One of the cornerstones of qualified signatures is the use of a Qualified Signature Creation Device (QSCD) compliant with Annex II of eIDAS. The provider must ensure that:

  • The signatory's private key can only be generated, stored or copied within the QSCD.
  • Key generation occurs exclusively in a certified environment (Common Criteria EAL 4+ certification or equivalent).
  • Signatory authentication preceding any signature act is based on at least two authentication factors.

In the context of remote signature — increasingly common in SaaS environments — these requirements apply to the HSM (Hardware Security Module) server hosting the keys. ANSSI has published specific protection profiles (PP-0075, PP-0076) defining the security criteria to be met.

Business Continuity Policy and Incident Notification

Article 19 of eIDAS requires every trust service provider (qualified or not) to:

  • Notify the supervisory authority (ANSSI) and, if applicable, the data protection authority (CNIL), within 24 hours of detecting a security breach likely to impact the reliability of the service.
  • Maintain a documented and regularly tested business continuity plan.
  • Have a formalized information security policy covering risk management, incident management and backup policy.

These requirements partially overlap with those of the NIS2 Directive ((EU) 2022/2555), transposed into French law by Law No. 2023-703 of August 1, 2023, which classifies TSPs of significant size among important or essential entities subject to enhanced cybersecurity obligations.


---

GDPR-Specific Obligations for TSPs

Is the TSP a Data Controller or Processor?

The GDPR qualification of the provider depends on the nature of the service rendered:

  • When the TSP directly issues qualified certificates on behalf of the signatory and determines the purposes of personal data processing (identity data, biometric authentication data), it acts as a data controller under Article 4(7) GDPR.
  • When it integrates its API into a B2B client's platform and processes personal data solely according to that client's instructions, it acts as a processor (Article 4(8) GDPR) and must necessarily conclude a DPA (Data Processing Agreement) compliant with Article 28 GDPR.

In practice, most SaaS TSPs hold both roles: controller for managing their own certification infrastructure, processor for processing signatories' documents and metadata.

Signatory identification and authentication — a mandatory step for issuing a qualified certificate — often involves processing sensitive data: identity document scans, video selfies, facial recognition biometric data. This data constitutes personal data subject to GDPR, and may even constitute biometric data falling under Article 9 GDPR (special categories).

The TSP's obligations include:

  • Legal basis: explicit consent (Article 9§2a) or, in some cases, legal obligation (Article 9§2b) for processing biometric data.
  • Limited retention period: according to CNIL guidelines, identification data must be retained only as long as necessary, typically aligned with the certificate's validity period plus legal proof retention period (often 10 years for private deeds, Article 2224 of the French Civil Code).
  • Mandatory impact assessment (DPIA) (Article 35 GDPR) whenever processing is likely to create a high risk — which is systematically the case for biometrics.
  • Processing register (Article 30 GDPR) kept up to date and documenting each processing category.

International Data Transfers

Many TSPs host all or part of their infrastructure outside the European Economic Area (EEA). In this case, the appropriate safeguards required by GDPR Chapter V are mandatory: adequacy decision, Standard Contractual Clauses (SCCs) from the European Commission or Binding Corporate Rules (BCR). The Schrems II ruling (CJEU, C-311/18, July 16, 2020) recalled that transfers to the United States require prior country risk analysis.


---

Transparency and Information Obligations Toward Users

Certification Policy (CP) and Certification Practice Statement (CPS)

Every TSP issuing certificates must publish a Certification Policy (CP) and a Certification Practice Statement (CPS), in accordance with the ETSI EN 319 411 standard. These freely accessible documents detail:

  • Procedures for signatory identification and registration.
  • Physical and logical security measures deployed.
  • Certificate revocation conditions and associated timelines.
  • TSP responsibilities and liability limitations.

The absence or incompleteness of these documents constitutes a non-compliance that may be identified during the requalification audit by the accredited body.

Pre-contractual and Contractual Information to Clients

Beyond purely technical obligations, Article 13 GDPR requires the TSP to provide each person whose data is collected with clear and accessible information on:

  • The identity of the data controller and contact details of the DPO (mandatory for TSPs processing sensitive data at scale, Article 37 GDPR).
  • The purposes and legal basis of each processing.
  • The rights of individuals (access, rectification, erasure, portability, objection).
  • Any recipients of data (processors, authorities).

This information must appear in the service's privacy policy, in the terms of use and, if applicable, in the DPA concluded with business clients.

Qualified Timestamps and Audit Trail

To guarantee long-term evidentiary value of signatures, serious TSPs systematically associate a qualified electronic timestamp (Article 42 eIDAS) with each signed act. This timestamp is legally presumed evidence of the data's existence at the stated date. Maintaining the audit trail (identification logs, document fingerprint, signature data) is a practical obligation to enable any subsequent judicial verification.


---

eIDAS 2.0: New Obligations on the Horizon for 2026-2027

The eIDAS 2.0 Regulation (EU) 2024/1183

Published in the EU Official Journal on April 30, 2024, Regulation (EU) 2024/1183 "eIDAS 2.0" significantly strengthens TSP obligations around three axes:

  • The European Digital Identity Wallet (EUDI Wallet): Member States must make available a certified digital identity wallet by November 2, 2026. TSPs will need to integrate their service with this wallet to offer qualified signatures via eIDAS 2.0 identity.
  • Attribute attestation management: eIDAS 2.0 introduces qualified attribute attestations (QEAAs), issued by qualified attestation providers. New audit and qualification procedures will apply.
  • Enhanced supervision: national supervisory authorities (ANSSI for France) see their powers expanded, notably the ability to conduct surprise audits and impose binding corrective measures within shortened timelines.

Practical implications for current providers

TSPs already qualified under eIDAS 1.0 will need to bring their services into compliance progressively, before the deadlines set by the Commission's implementing acts (published or forthcoming). The main adaptations concern:

  • Overhaul of the identification infrastructure to support the EUDI Wallet as an authentication method.
  • Update of CP/CPS to integrate new types of certificates and attestations.
  • Strengthened security requirements for remote QSCDs, with new protection profiles forthcoming.

For client companies, this means verifying today that your provider has a documented and verifiable eIDAS 2.0 compliance roadmap.

The regulatory chain applicable to electronic signature service providers operating in France is structured across several complementary hierarchical levels.

French Civil Code — Articles 1366 and 1367

Article 1366 of the French Civil Code recognizes electronic writing as a mode of proof equivalent to paper writing, provided that "the person from whom it emanates can be duly identified and it is established and preserved in conditions of a nature to guarantee its integrity." Article 1367 specifies that electronic signature "consists in the use of a reliable identification method guaranteeing its link with the act to which it is attached." The presumption of reliability benefits qualified signatures within the meaning of eIDAS, reversing the burden of proof in favor of the signatory.

eIDAS Regulation No. 910/2014/EU

This regulation, directly applicable in all Member States, establishes the legal framework for trust services. Its Article 26 defines the conditions for advanced electronic signatures; Article 28 the requirements for qualified certificates; Annex I details the mandatory content of these certificates. Qualified TSPs benefit from a presumption of compliance with the technical and legal requirements of the regulation (Article 19§2), which is a major advantage in case of dispute.

eIDAS 2.0 Regulation — (EU) 2024/1183

Published on April 30, 2024, this amending regulation introduces new categories of trust services (qualified attribute attestations, qualified archiving services) and strengthens supervisory obligations. It repeals and partially replaces Regulation 910/2014, with progressive applicability according to implementing acts from the European Commission.

GDPR — Regulation (EU) 2016/679

GDPR applies to any processing of personal data carried out in the context of an electronic signature service. Articles 5 (lawfulness principles), 6 (legal basis), 9 (sensitive data), 13-14 (information), 28 (processing), 32 (security), 33-34 (breach notification), 35 (DPIA) and 37 (DPO) constitute the most frequently applicable provisions. CNIL is the competent supervisory authority in France and may impose fines up to €20 million or 4% of global annual turnover (Article 83§5 GDPR).

NIS2 Directive — (EU) 2022/2555

Transposed into French law by Law No. 2023-703 of August 1, 2023, NIS2 classifies significant TSPs among important or essential entities subject to cyber risk management obligations and incident notification to ANSSI within 24 hours (early warning) then 72 hours (full notification).

ETSI Standards

The complete set of EN 319 401, EN 319 411-1/2, EN 319 132, EN 319 122 and TS 119 431 standards constitutes the mandatory technical reference for qualification audit. Non-compliance results in the inability to obtain or maintain qualified status.

Legal Risks in Case of Non-Compliance

A non-compliant provider faces exposure to: removal from the French TSL, engagement of contractual and non-contractual liability, CNIL administrative penalties, NIS2 fines potentially reaching €10 million or 2% of global turnover for important entities and €20 million or 4% of global turnover for essential entities, as well as judicial proceedings from clients who suffered harm due to legally invalid signatures.

Usage Scenarios: How Companies Verify TSP Compliance

Scenario 1 — An industrial group managing 3,000 supplier contracts per year

A mid-sized industrial group (ETI), active in mechanical equipment manufacturing, digitizes all its supplier contracts via a SaaS electronic signature platform. Following an internal audit triggered by regulatory evolution, the legal department discovers that the selected provider — initially chosen on price — is neither listed on the French TSL nor on any European TSL. The signatures delivered are of "simple" type without robust signatory identification mechanism.

Faced with legal risk — the entire body of signed contracts could see their evidentiary value contested in case of dispute — the company initiates migration to an ANSSI-qualified TSP. The new solution integrates an advanced signature with a qualified certificate, a qualified timestamp and an exportable audit trail. The migration project, completed in less than 8 weeks, secures all new acts and establishes a compliant document policy. Legal teams estimate that litigation risk related to old contracts remains marginal, since they were executed without dispute, but all new signatures are now covered.

Observed benefits: 60% reduction in potential litigation related to signature authenticity, and 3.5-day average gain in signature timing on complex contracts through workflow automation.

Scenario 2 — A law firm of 25 lawyers specializing in business law

A law firm wishing to digitize the signature of mandates, opinions and court documents evaluates several providers. Its evaluation grid integrates the following criteria: presence on the TSL, publication of an accessible CP/CPS, existence of GDPR-compliant DPA, availability of a reachable DPO and certification of remote QSCDs.

Of five evaluated providers, only two satisfy all criteria. The firm ultimately selects a TSP natively offering qualified signatures via remote QSCD, guaranteeing the presumption of reliability under Article 1367 of the French Civil Code. Implementation takes 3 weeks, training included. Result: 75% of mandates are now signed in under 24 hours versus 5 to 7 days previously (postal sending), and the firm can justify to its clients the level of legal security offered by the solution — a differentiating argument in its commercial proposals.

Scenario 3 — A Hospital Group of Approximately 1,200 Beds

A public hospital group wishes to digitize employment contracts, internship agreements and partnership conventions with partner care facilities. The sensitivity of processed data (health data of nursing staff, HR data) requires particular vigilance regarding the provider's GDPR obligations.

The IT department and the facility's DPO require: data hosting in France with a healthcare data hosting provider certified HDS (Healthcare Data Hosting Provider, certification provided for by Article L.1111-8 of the French Public Health Code), no transfers outside EEA, documented DPIA for signatory identification processing, and DPA signed before any production launch.

Following selection of a TSP meeting these criteria, deployment initially covers HR contracts (approximately 800 acts per year). The average time for signing fixed-term contracts drops from 9 days to less than 48 hours, freeing significant capacity for human resources teams. The facility has complete traceability of collected consents, audited annually by its DPO.

Conclusion

The legal obligations weighing on electronic signature service providers in France form a demanding regulatory corpus: eIDAS qualification, GDPR compliance, ETSI standards compliance, NIS2 obligations and imminent adaptation to eIDAS 2.0. For user companies, ensuring your TSP's compliance is not an optional endeavor — it is a sine qua non condition for the evidentiary value of signed acts and the protection of signatories' personal data.

Certyneo is an electronic signature service provider designed to meet all these requirements: eIDAS compliance, GDPR by design, sovereign hosting and documented eIDAS 2.0 roadmap. Ready to secure your signatures in full compliance? Contact us and benefit from personalized support from day one.
