Qualified Electronic Certificate for Businesses: 2026 Guide
The qualified electronic certificate is the legal foundation of any high-value digital signature. Discover how to obtain it, deploy it, and remain compliant in 2026.
Certyneo Team
Writer, Certyneo
Why the qualified electronic certificate has become essential for businesses
At a time when the digitalization of contractual processes is accelerating across all sectors, the issue of the qualified electronic certificate has become a strategic concern for legal departments, IT directors, and senior management. According to the ANSSI 2024 annual report, more than 78% of French SMEs that have adopted qualified electronic signatures have reduced their contract execution timeframes by over 60%. Yet many still confuse simple, advanced, and qualified signatures — risking their legal documents being challenged. This article guides you step-by-step to understand what a qualified electronic certificate is, how to obtain it in compliance with the RGS and eIDAS framework, and how to deploy it effectively within your organization.
What is a qualified electronic certificate?
An electronic certificate is a digital file issued by a Certification Authority (CA) that binds the identity of a natural or legal person to a public cryptographic key. It is the cornerstone component that allows a third party to verify the authenticity and integrity of a digital signature.
The term "qualified" refers to a precise definition from the European regulation eIDAS (No. 910/2014, Article 28): the certificate must be issued by a Qualified Trust Service Provider (QTSP), registered on the national trust list (in France, published by ANSSI). It must also comply with the technical requirements of the ETSI EN 319 411-2 standard, which governs certification policies and practices.
In practice, a qualified certificate guarantees:
- Verified identity of the signatory (documentary verification face-to-face or by an equivalent approved method);
- Integrity of the signed document (any subsequent modification is detectable);
- Non-repudiation (the signatory cannot deny having affixed their signature).
Difference between simple, advanced, and qualified signatures
The eIDAS regulation distinguishes three levels of electronic signature, each associated with a certificate level:
| Level | Certificate Required | Probative Value | Typical Use |
|---|---|---|---|
| Simple | Not required | Low | Standard purchase orders |
| Advanced | Advanced certificate (QTSP) | Medium | B2B commercial contracts |
| Qualified | Qualified certificate (Qualified QTSP) | Maximum, equivalent to handwritten | Notarial acts, public procurement, sensitive HR |
For qualified signature — the only one benefiting from the legal presumption of equivalence to handwritten signature (Art. 1367 Civil Code) — a qualified certificate is strictly required. To learn more about the differences between levels, consult our comprehensive guide to electronic signatures.
---
The RGS framework: French specificities you need to know
In France, the General Security Reference (RGS), established by Decree No. 2010-112 and regularly updated by ANSSI, defines the security requirements applicable to information systems of administrations. For companies that contract with public entities (public procurement, e-procedures), compliance with the RGS is often a contractual or regulatory obligation.
RGS levels applicable to certificates
The RGS defines three qualification stars for certificates:
- RGS* (one star): basic level, suitable for common uses of low sensitivity;
- RGS** (two stars): intermediate level, required for most administrative e-procedures;
- RGS*** (three stars): high level, for acts with significant legal or financial stakes.
For digitalized public procurement via the buyer profile, Decree No. 2016-360 (Articles 39 and 40) generally imposes a minimum signature level of RGS, which implies an equivalent certificate qualification.
Articulation between RGS and eIDAS
Since the implementation of the eIDAS regulation, the two reference frameworks coexist. A certificate qualified under eIDAS is deemed to satisfy RGS** requirements in the vast majority of cases. ANSSI has published correspondence tables to ensure compatibility. It is therefore advisable for companies working with both private and public partners to prioritize a qualified eIDAS certificate issued by a QTSP registered on the French trust list — which simultaneously covers both frameworks.
For more on the European regulation, our eIDAS 2.0 guide details the major planned developments and their impact on French businesses.
---
How to obtain a qualified electronic certificate: step-by-step process
Obtaining a qualified electronic certificate is not a trivial matter: it involves rigorous verification of the applicant's identity and, for a legal entity, their legal representation. Here are the major steps.
Step 1: Identify the right qualified trust service provider
In France, QTSPs authorized to issue qualified certificates are listed on the Trust Service Status List (TSL) published by ANSSI (available on the esignature.gouv.fr portal). Among the players on this list are CAs such as CertEurope, Certinomis (La Poste subsidiary), Keynectis, or other European providers recognized under the eIDAS mutual recognition principle.
Selection criteria to examine:
- Effective presence on the French and/or European TSL;
- Format of the proposed certificate (software, smart card, cloud HSM);
- Compatibility with your existing IT infrastructure;
- Pricing and validity period (generally 1 to 3 years);
- Support level and enrollment timeframe.
Step 2: Preparation of the enrollment file
For a business, the request for a qualified certificate requires the production of documents proving both the identity of the holder (natural person) and their capacity to represent the legal entity. The documents generally required are:
- Official identity document of the holder (passport, national ID card);
- Kbis extract less than 3 months old (or equivalent for associations, public establishments);
- Power of attorney if the holder is not the statutory legal representative;
- Application form specific to the selected QTSP.
Identity verification must be performed face-to-face before a Registration Officer (RO) mandated by the QTSP, or through an approved remote verification process (video identification compliant with ETSI TS 119 461 standard).
Step 3: Issuance and activation of the certificate
Depending on the format chosen, the certificate is issued:
- On a qualified signature creation device (QSCD): cryptographic USB key or smart card certified Common Criteria EAL 4+;
- Via a remote signature service (Remote Qualified Electronic Signature — RQES) managed by the QTSP, where the private key is hosted in a certified HSM (Hardware Security Module) according to ETSI EN 419 241 standard.
Deploying an RQES service is today the solution most widely adopted by businesses, as it avoids managing physical cryptographic media while maintaining qualified compliance. Compare electronic signature solutions to identify the model best suited to your context.
Step 4: Integration into your business processes
Once the certificate is obtained, its integration into the company's document workflows typically goes through a SaaS electronic signature platform. It must be compatible with ETSI standards (XAdES, PAdES, CAdES) to ensure interoperability and sustainability of digital evidence. Our dedicated article on electronic signature in business will help you structure this deployment.
---
Cost, validity, and renewal: what businesses must anticipate
Price ranges in 2026
The prices of qualified certificates vary significantly depending on the format and provider:
- Certificate on physical media (USB key/card): between €80 and €250 excluding tax per holder per year;
- Cloud qualified certificate (RQES): between €40 and €150 excluding tax per holder per year, depending on volume;
- Enterprise packages: significant discounts apply from 10 holders onwards, potentially reaching 30 to 40% of the unit price.
These costs should be put in perspective with the savings generated: elimination of printing, postage, postal processing delays, and disputes related to contested signatures.
Validity period and renewal
The validity of a qualified certificate is generally set at 1, 2, or 3 years depending on the subscription offered. Upon expiration, previously signed documents remain valid (provided their integrity is preserved via a qualified timestamping service), but new documents cannot be signed with the expired certificate. It is therefore essential to establish a process for monitoring and anticipated renewal — ideally 60 days before expiration.
Revocation and incident management
In the event of private key compromise (loss, theft of the media, suspicion of disclosure), revocation of the certificate must be requested from the QTSP immediately. The QTSP publishes the revocation in its Certificate Revocation List (CRL) or via the OCSP protocol, making any subsequent signature with this certificate invalid. Internal security policy must therefore provide for a dedicated point of contact and an alert timeframe of less than 24 hours.
---
Best practices for successful deployment in your business
Governance and internal roles
Successful deployment relies on clear governance. It is recommended to designate:
- A PKI manager (Public Key Infrastructure) on the IT side, responsible for the relationship with the QTSP and monitoring renewals;
- A legal representative who validates use cases requiring a qualified signature (vs. advanced);
- Delegated administrators by department for operational management of holders.
Training and change management
Adopting a qualified certificate is not enough: employees must understand how to use their certificate, when to activate it, and how to respond in case of incident. A brief training plan (1 to 2 hours) and documented procedures significantly reduce usage errors and support tickets.
Audit and traceability
To satisfy evidence obligations, maintain a timestamped audit log of each signature performed: signatory identity, document fingerprint, certified date/time, certificate identifier. These data form the basis of the evidence chain in case of dispute. The ETSI EN 319 132 (XAdES) standard provides signature formats that natively include this information.
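The renewal, revocation and audit-log points above, as an added Python example (not Certyneo's code and not part of the original article): it replays a constructed audit log against a certificate inventory, judging each signature at its timestamped signing time and listing certificates due for renewal within the 60-day window. `CertRecord`, `AuditEntry`, the status strings and all sample values are assumptions; cryptographic validation of the signature itself is left to the signing platform.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RENEWAL_WINDOW = timedelta(days=60)  # renewal lead time recommended in the text

@dataclass(frozen=True)
class CertRecord:  # hypothetical inventory row kept by the PKI manager
    cert_id: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # from the QTSP's CRL/OCSP status

@dataclass(frozen=True)
class AuditEntry:  # the four fields the audit paragraph lists
    signatory: str
    fingerprint: str  # SHA-256 of the signed document, hex
    signed_at: datetime  # time asserted by the qualified timestamp
    cert_id: str

def sha256_hex(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()

def check_entry(entry: AuditEntry, document: bytes, certs: Dict[str, CertRecord]) -> str:
    """Judge a logged signature at its signing time, not at the time of the check."""
    cert = certs.get(entry.cert_id)
    if cert is None:
        return "unknown-certificate"
    if sha256_hex(document) != entry.fingerprint:
        return "document-modified"
    if not cert.not_before <= entry.signed_at <= cert.not_after:
        return "signed-outside-validity"
    if cert.revoked_at is not None and entry.signed_at >= cert.revoked_at:
        return "signed-after-revocation"
    return "ok"  # remains ok after the certificate later expires

def renewal_due(certs: Dict[str, CertRecord], now: datetime) -> List[str]:
    """Unrevoked certificates already expired or expiring within the window."""
    return sorted(c.cert_id for c in certs.values()
                  if c.revoked_at is None and c.not_after <= now + RENEWAL_WINDOW)

def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)

# Constructed sample data (not real certificates, signers or documents).
DOC = b"constructed sample contract, version 1"
CERTS = {
    "CERT-A": CertRecord("CERT-A", utc(2024, 1, 1), utc(2026, 1, 1)),
    "CERT-B": CertRecord("CERT-B", utc(2025, 1, 1), utc(2027, 1, 1), utc(2025, 6, 1)),
}
LOG = [
    AuditEntry("Signer One", sha256_hex(DOC), utc(2025, 3, 1), "CERT-A"),
    AuditEntry("Signer Two", sha256_hex(DOC), utc(2025, 7, 1), "CERT-B"),
]
```

Running `check_entry` over `LOG` accepts the first entry even when the check is made after CERT-A has expired, and rejects the second because it was signed after CERT-B's revocation.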
Legal framework applicable to qualified electronic certificates
Civil Code and probative value
In French law, Article 1366 of the Civil Code establishes the principle of equivalence between electronic and paper writing, provided that "the identity of the person from whom it emanates is duly assured and that it is established and preserved in conditions such as to guarantee its integrity". Article 1367 paragraph 2 specifies that qualified electronic signature benefits from a presumption of reliability: it is for the party contesting the signature to provide proof to the contrary, thus reversing the burden of proof in favor of the signatory.
eIDAS Regulation No. 910/2014
The European regulation eIDAS (No. 910/2014), directly applicable in all Member States since July 1, 2016, constitutes the supranational foundation. Its Article 25(2) states that "a qualified electronic signature has a legal effect equivalent to that of a handwritten signature". Articles 28 and 29 define the requirements applicable to qualified certificates and qualified signature creation devices (QSCD). Annex I lists the mandatory entries of a qualified certificate (policy OID, QTSP identity, public key, validity dates, etc.).
eIDAS 2.0 developments
The eIDAS 2.0 Regulation (EU Regulation 2024/1183, which entered into force on May 20, 2024) introduces the European digital identity wallet (EUDIW) and strengthens accessibility requirements to qualified trust services. Companies must anticipate the integration of these new identification mechanisms by 2026-2027.
Applicable ETSI standards
- ETSI EN 319 411-2: policy and practices for QTSPs issuing qualified certificates;
- ETSI EN 319 132 (XAdES), ETSI EN 319 122 (CAdES) and ETSI EN 319 162 (PAdES): advanced and qualified electronic signature formats;
- ETSI EN 419 241: requirements for signature servers (RQES).
GDPR and data protection
The processing of personal data in the context of enrollment (identity verification, documentary collection) is subject to GDPR No. 2016/679. The QTSP and client company are joint controllers or in a controller/processor relationship depending on configuration. A DPA (Data Processing Agreement) compliant with Article 28 GDPR must be signed. Enrollment data must be retained for the lifetime of the certificate plus the applicable limitation period (5 years for contractual matters).
NIS2 Directive and digital infrastructure security
The NIS2 Directive (2022/2555/EU), transposed into French law by Law No. 2024-449, requires essential and important entities to implement risk management measures including digital supply chain security. Recourse to a qualified QTSP registered on the national TSL constitutes a recognized best practice for partially satisfying these requirements.
Use cases: the qualified certificate in practice
Scenario 1: A law firm managing high-value legal documents
A business law firm with about twenty partners and associates must regularly sign articles of assignment of partnership interests, settlement agreements, and powers of attorney. Previously, each document required printing, handwritten signature, scanning, and postal delivery — an average timeframe of 4 to 7 business days per signature cycle. After deploying cloud qualified certificates (RQES) for each partner, this timeframe is reduced to less than 4 hours for documents not requiring notarial intervention. The firm estimates a 65% reduction in administrative time related to document management and has recorded no signature disputes over the first 18 months of use. Electronic signature solutions for law firms offered by Certyneo integrate natively into this type of workflow.
Scenario 2: An SME contracting with public sector customers
An SME in the metalworking sector, employing approximately 120 people, regularly responds to digitalized public calls for tenders on buyer profiles. It is required to electronically sign its bids and commitment documents with a minimum RGS** level certificate. After obtaining two qualified certificates (for the CEO and an authorized commercial director), the SME was able to submit its bids within the set timeframes without travel or postal delivery. Over a year, this represents approximately 35 public bid files, or estimated savings of about 15 person-days per year on document management alone. The eIDAS compliance of the certificate also ensures recognition of its signatures by public sector customers in Germany and Belgium, expanding its commercial scope. Use our ROI calculator to estimate potential gains in your own context.
Scenario 3: A health group securing HR and supplier agreements
A hospital group with approximately 1,200 beds, grouping several facilities, faces an annual volume of nearly 3,000 employment contracts, amendments, and supplier commitments. The human resources department and purchasing department have jointly deployed a qualified signature solution, with certificates issued for authorized managers. In parallel, documents to be signed by staff are processed via an advanced signature workflow, reserving qualified signature for high-value management documents. Result: the average time to finalize an employment contract dropped from 12 days to 2.5 days, and the rate of incomplete files (missing signature, wrong version signed) decreased by 78%. Electronic signature solutions in healthcare from Certyneo integrate the specific regulatory requirements of the hospital sector.
Conclusion
Obtaining a qualified electronic certificate is today an essential step for any business seeking to legally secure its digital documents, meet public procurement requirements, and comply with the eIDAS regulatory framework. Far from being a constraint, it is a competitive advantage: reduced signature timeframes, an unassailable evidence chain, and transnational recognition throughout the European Union.
Key steps to remember: choose a QTSP registered on the ANSSI trust list, prepare a rigorous enrollment file, opt for a cloud format (RQES) to facilitate deployment, and integrate the certificate into a platform compliant with ETSI standards.
Certyneo supports you at every step: from selecting the right signature level to integration into your business processes. Request a free demo and discover how to deploy qualified signature in less than 48 hours in your organization.