How Electronic Signature Works in 2026

Introduction

Electronic signature is today at the heart of digital transformation in enterprises: in 2025, more than 70% of major European organizations have integrated it into at least one contractual process (source: Gartner, Digital Process Automation Survey 2025). Yet few decision-makers understand precisely the mechanisms that render it legally valid and technically unforgeable. Understanding how electronic signature technically works — cryptography, PKI, certificates — makes it possible to choose the right solution, reduce legal risks, and accelerate internal adoption. This article guides you, step by step, through the technical architecture and standards that govern electronic signature in 2026.

---

The Cryptographic Foundations of Electronic Signature

Electronic signature rests on proven cryptographic primitives. Understanding the mechanisms is understanding why it is more reliable than a digitized handwritten signature.

Asymmetric Encryption: Public Key and Private Key

The fundamental principle is asymmetric cryptography, invented in the 1970s and standardized by algorithms such as RSA (Rivest–Shamir–Adleman) or elliptic curves (ECDSA). Each signatory has two mathematically linked keys:

• The private key: kept secret by the signatory, on a secure device (smart card, HSM token, or protected software module). It is used to create the signature.
• The public key: distributed freely, included in a digital certificate. It is used to verify the signature.

The security principle rests on computational asymmetry: it is mathematically trivial to verify a signature with the public key, but practically impossible to reconstruct the private key from the public key (discrete logarithm problem or factorization of large integers).

Hash Functions: The Digital Fingerprint of the Document

Before signing, the system calculates a cryptographic fingerprint of the document using a hash function (SHA-256 or SHA-3 in 2026). This fingerprint, called hash or condensate, is a fixed-length character string (256 bits for SHA-256) that uniquely represents the content of the document.

Essential property: modifying even a single character of the document produces a radically different hash. This is what guarantees the integrity of the signed document: any alteration after signing is immediately detectable.

The electronic signature itself is therefore the encryption of this hash with the signatory's private key. When verifying, the recipient:

1. Decrypts the signature with the public key to find the original hash;
2. Recalculates the hash of the received document themselves;
3. Compares the two: if identical, the signature is valid.

---

Public Key Infrastructure (PKI): The Chain of Trust

Cryptography alone is not enough: it is also necessary to prove that the public key belongs to the person who claims to use it. This is the role of PKI (Public Key Infrastructure).

Certification Authorities (CA)

A Certification Authority (CA) is an accredited trusted third party that issues digital certificates. A digital certificate is a standardized file (X.509 format) containing:

• The identity of the holder (name, organization, email);
• Their public key;
• The validity period;
• The digital signature of the CA itself.

In Europe, qualified CAs are listed in the Trusted Lists published by each EU Member State in accordance with the eIDAS regulation. In France, ANSSI publishes and maintains this list. Qualified trust service providers (QTSP) — such as CertSign, Certigna, or Universign — are subject to regular audits according to the ETSI EN 319 401 standard.

The Certificate Chain and Revocation

PKI operates on a hierarchical model:

• A Root CA (Root Certification Authority) self-signed, kept offline under maximum physical security conditions;
• Intermediate CAs that issue certificates to end users.

The revocation of certificates is a critical mechanism: if a private key is compromised, the CA publishes its invalidation via a CRL (Certificate Revocation List) or via the OCSP (Online Certificate Status Protocol) protocol, allowing real-time verification.

For qualified electronic signature under eIDAS, the private key must be generated and stored in a QSCD (Qualified Signature Creation Device) — hardware certified CC EAL4+ or higher, such as a smart card or HSM (Hardware Security Module).

---

The Three Levels of Signature According to eIDAS

European regulation eIDAS No. 910/2014 (and its evolution eIDAS 2.0 in the course of deployment) defines three levels of signature, each based on increasing technical guarantees. To deepen this regulatory framework, consult our comprehensive guide to eIDAS regulation.

Simple Electronic Signature (SES)

Simple signature is the least constraining form technically. It can be as basic as a checkbox, a one-time password (OTP) sent by SMS, or an image of a handwritten signature. It does not necessarily involve a qualified certificate.

Typical use: approval of quotes, marketing consents, low-stakes contracts.

Risk: limited probative value in case of judicial dispute. The burden of proof falls on the person invoking the signature.

Advanced Electronic Signature (AdES)

Advanced signature meets four precise technical requirements (article 26 eIDAS):

1. It is uniquely linked to the signatory;
2. It allows identification of the signatory;
3. It is created from data under the exclusive control of the signatory;
4. It allows detection of any subsequent modification of the document.

Concretely, this involves the use of a personal digital certificate and a robust authentication mechanism. Standard formats are defined by ETSI: PAdES (for PDF), XAdES (XML), CAdES (binary data) and JAdES (JSON), all standardized in the ETSI EN 319 100 series.

Qualified Electronic Signature (QES)

Qualified signature is the highest level. It requires:

• A qualified certificate issued by an accredited QTSP eIDAS;
• A QSCD for signature creation.

It benefits from a legal presumption of reliability and legal equivalence with handwritten signature throughout the European Union (article 25 eIDAS). It is the level required for electronic notarial acts, certain notarial documents, or sensitive public procurement.

Our comparative guide to electronic signature solutions analyzes the practical differences between these levels to help you choose.

---

The Complete Process of Electronic Signature Step by Step

Here is how an electronic signature transaction concretely proceeds on a SaaS platform like Certyneo:

Step 1: Document Preparation and Sending

The signature initiator uploads the document (contract, amendment, purchase order) to the platform. The system immediately generates a SHA-256 hash of the original file, timestamped and preserved immutably. This fingerprint will serve as reference for any future verification.

Step 2: Signatory Authentication

Depending on the signature level chosen, authentication varies:

• SES: email + signature link;
• AdES: strong authentication (SMS OTP, FIDO2 mobile application);
• QES: prior identity verification (face-to-face or video IDV), issuance of a qualified certificate for single or persistent use.

Step 3: Creation of the Cryptographic Signature

The signatory triggers the signature act. The platform (or the QSCD):

1. Calculates the document hash;
2. Encrypts this hash with the signatory's private key;
3. Integrates the signature and certificate into the document (PDF signed in PAdES-LTV format for long-term preservation).

Step 4: Qualified Timestamping

A qualified timestamping service (TSA) compliant with RFC 3161 applies a cryptographic timestamp, proving that the signature existed at a specific moment. This protects against date falsification and guarantees probative value over time — even if the signatory's certificate expires later.

Step 5: Evidential Archival

The signed document is archived with its complete audit trail: signatory identity, IP address, timestamp, document hash, certificates used. This proof record (audit trail) is essential in case of judicial dispute. Solutions compliant with eIDAS maintain these proofs in a PAdES-LTV (Long-Term Validation) format that integrates validation data to allow verification years after signature.

To understand how to integrate this process into your HR workflows, discover our electronic signature solution for HR and our contract templates to download.

Legal Framework Applicable to Electronic Signature

Electronic signature is part of a multilayered regulatory framework, articulating national civil law and harmonized European law.

French Civil Code

Article 1366 of the Civil Code establishes the fundamental principle: "Electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be properly identified and that it is established and preserved under conditions likely to guarantee its integrity." Article 1367 specifies that electronic signature "consists in the use of a reliable identification process guaranteeing its link with the act to which it is attached."

Decree No. 2017-1416 of September 28, 2017 defines the presumption of reliability for qualified and advanced signatures compliant with eIDAS.

eIDAS Regulation No. 910/2014

Cornerstone of European digital trust law, the regulation eIDAS (electronic IDentification, Authentication and trust Services) establishes a unified legal framework for electronic signatures, electronic seals, qualified timestamping, registered delivery services and website authentication certificates. Its article 25, paragraph 2, confers on qualified signature a legal presumption of equivalence with handwritten signature throughout the EU.

The regulation eIDAS 2.0 (in the course of transposition in the first quarter of 2026) strengthens these provisions with the European digital identity wallet (EUDIW) and extends obligations to financial services and healthcare markets.

ETSI Standards

Signature formats are standardized by ETSI:

• ETSI EN 319 132 (XAdES), EN 319 122 (CAdES), EN 319 102 (PAdES) define the technical profiles of advanced and qualified signatures;
• ETSI EN 319 421 governs the policies of qualified timestamping services.

GDPR and Data Protection

The processing of identity data in the context of electronic signature (name, email, biometrics for identity verification) is subject to GDPR No. 2016/679. Data controllers must: have a legal basis (legitimate interest or contract execution), apply the principle of data minimization, and guarantee security through appropriate technical measures (encryption, pseudonymization).

NIS2 Directive

The NIS2 directive (2022/2555/EU), transposed into French law since October 2024, imposes strengthened obligations on operators of essential services and suppliers of digital services (including electronic signature providers) in terms of cybersecurity, risk management and incident notification within 24 hours. Non-compliance exposes them to penalties of up to 10 million euros or 2% of global turnover.

Concrete Use Cases for Electronic Signature

Scenario 1: A Corporate Law Firm Automates the Signature of Mandates

A corporate law firm with about a dozen collaborators processed on average 120 representation mandates per month. The paper procedure involved printing, postal delivery or hand delivery, then digitizing returned documents — resulting in an average delay of 4.5 business days per file and an estimated document loss rate of 8%.

By deploying advanced electronic signature (AdES) with OTP authentication, the firm reduced the signature delay to less than 4 hours on average, reduced the document anomaly rate to less than 1%, and saved approximately €2,200 per year in postage and printing costs. The automatically generated audit trail also simplified two mandate dispute procedures, providing indisputable timestamped evidence. Discover our solution dedicated to law firms.

Scenario 2: An Industrial SME Digitalizes Its Supplier Contracts

An industrial SME managing approximately 200 supplier contracts per year (general terms of purchase, price amendments, NDAs) suffered signature delays potentially exceeding three weeks for cross-border contracts with German and Spanish partners. Differences in legal systems and lack of mutual recognition slowed negotiations.

By adopting qualified signature (QES) issued by an accredited QTSP eIDAS, recognized throughout the EU, the SME benefited from automatic legal recognition in all three countries without any additional legalization. The average cross-border signature delay fell from 18 days to 2.5 days. Electronic signature in enterprise details these benefits for procurement teams.

Scenario 3: A Hospital Group Secures Patient Informed Consent

A hospital group with approximately 800 beds had to obtain informed consent from patients for clinical research protocols. Paper management created GDPR compliance risks (poorly archived documents, untraceable dates) and mobilized nursing staff for administrative tasks.

By integrating simple electronic signature with SMS code identification — sufficient for acts not subject to qualified requirements — the group automated collection, archival and traceability of consents. The administrative time per patient fell from 12 minutes to less than 2 minutes, freeing up approximately 800 nursing hours per year. All documents are archived with qualified timestamping, fully meeting CNIL requirements. Explore our signature solution for healthcare.

Conclusion

Understanding how electronic signature technically works — from asymmetric cryptography to PKI, from qualified certificates to probative timestamping — is essential for making informed choices regarding compliance and operational efficiency. The three eIDAS levels (simple, advanced, qualified) meet different needs, and the choice should always be guided by analysis of legal risk and expected probative value.

Certyneo supports you in this transition with an eIDAS-compliant SaaS platform, accredited QTSPs and simplified integration into your existing processes. Estimate potential gains for your organization using our electronic signature ROI calculator, or get started directly by consulting our offers and pricing. Compliance and performance are no longer trade-offs.