
Verifying the Authenticity of a Signed Document: The DUER

The legal value of your Single Document for Risk Assessment depends directly on the authenticity of its signature. Discover concrete methods to verify it.

Certyneo Editorial Team · 11 min read


The Single Document for Risk Assessment (DUER) is a cornerstone of workplace health and safety compliance in France. Established by Decree No. 2001-1016 of November 5, 2001, it is mandatory for any company with at least one employee. However, its legal value in the event of inspection by the Labor Inspectorate, accident, or dispute rests largely on its traceability and the authenticity of the signatures that validate it. How can you ensure that a digitally signed DUER has not been altered after signature? What tools and methods make it possible to verify this authenticity? This article guides you step by step, from technical fundamentals to organizational best practices.

Why the Authenticity of the DUER Signature is Critical

The DUER is not an ordinary administrative document. In the event of a workplace accident, occupational disease, or labor dispute, it can be submitted as evidence of the employer's prevention policy. The French Labor Code (articles L.4121-1 and following) imposes a strict liability obligation on the employer for worker safety, and the DUER is the formal record of this assessment.

An unverifiable or altered electronic signature can lead to:

  • Document nullity as evidence before a court;
  • Administrative sanctions of up to a €3,750 fine per uncovered employee;
  • Criminal liability of the company head in the event of a serious accident.

Since Law No. 2021-1018 of August 2, 2021 (Occupational Health Law), DUER updates must be more frequent in companies with 11 or more employees, and its conservation period has been extended to 40 years. This long duration reinforces the imperative for a robust and verifiable electronic signature over time.

The Difference Between Scanned Signature and Qualified Electronic Signature

Many HR or HSE managers believe that affixing a scanned handwritten signature to a PDF is sufficient. It is not. A scanned signature image guarantees no document integrity: the file can be modified afterward without leaving any detectable trace.

An electronic signature compliant with the eIDAS regulation, on the other hand, relies on a cryptographic mechanism that irreversibly links the signer's identity to the document content at a precise moment. Any subsequent modification, however minor (an added space, a changed digit), invalidates the signature and triggers an alert during verification.

The glossary of electronic signatures distinguishes three levels recognized by eIDAS: simple electronic signature (SES), advanced (AES), and qualified (QES). For a document as sensitive as the DUER, the advanced level is recommended at minimum, with the qualified level being preferable for companies subject to frequent inspections.

Concrete Methods to Verify the Authenticity of a Signed DUER

Verification via Native PDF Reader

The most accessible method is to open the document in Adobe Acrobat Reader (free version) or a compatible PDF reader. When a compliant electronic signature is present, a signature panel displays automatically. It indicates:

  1. The signer's identity: name, first name, organization, and certificate used;
  2. The date and time of signature, backed by a cryptographic timestamp;
  3. Integrity status: "The signature is valid" or "The document has been modified after signature";
  4. The certificate chain of trust: validated by a recognized certification authority.

This verification is immediate and requires no subscription. However, it has limitations: if the certificate of the issuing authority is not in the software's trusted list (such as the EUTL — European Union Trusted Lists), the signature may appear as "unverified" even if technically valid.

Verification via Online Validation Services

The European Commission provides the DSS Demo Tools service (accessible on ec.europa.eu), which allows you to upload a signed document and obtain a validation report compliant with the ETSI EN 319 102 standard. This service:

  • Verifies compliance with XAdES, CAdES, PAdES, and JAdES formats;
  • Checks the validity of the certificate at the time of signature via OCSP or CRL protocols;
  • Generates a JSON or PDF report detailing each validation step.

There are also private services offered by qualified trust service providers (QTSP) listed on national trust lists. In France, ANSSI publishes the list of accredited QTSPs. Using one of these services to validate a disputed DUER in litigation provides significantly greater evidentiary force.

Verification via the Originating Signature Platform

If the DUER was signed via a SaaS solution like Certyneo, verification is even more direct. Each signed document generates a signature certificate (also called audit report or signature trail) that archives:

  • The IP address and session identifier of the signer;
  • The SHA-256 cryptographic hash of the original document;
  • The qualified RFC 3161 timestamping;
  • The identity proofs used (email, SMS OTP, or even eIDAS strong authentication).

This report is itself electronically signed by the service provider, making it unfalsifiable and directly usable as evidence in court. Certyneo's electronic signature solution for enterprises integrates this mechanism natively for all documents, including DUERs.

Best Practices for Securing DUER Signature and Retention

Choosing the Right Signature Level According to Risk Profile

The selection of the signature level should not be left to chance. For a DUER, here is the recommended reasoning:

| Context | Recommended Level | Justification |
|---|---|---|
| Micro-enterprises < 10 employees, low-risk activity | Advanced signature (AES) | Cost/probative value balance |
| SMEs, industrial or construction sector | Advanced signature with QSCD certificate | High-level eIDAS compliance |
| Large enterprise, healthcare or chemical sector | Qualified signature (QES) | Equivalent to handwritten signature |

For healthcare sector enterprises, electronic signature in healthcare responds to additional regulatory constraints (HDS, medical GDPR) that systematically justify the use of qualified signature.

Timestamping and Long-Term Archiving

With the Occupational Health Law imposing DUER retention for 40 years, the question of signature validity duration becomes concrete. A signature certificate has a limited validity period (generally 1 to 3 years). Beyond this time, the chain of trust can be broken.

The solution is the long-term value archiving service (electronic archiving service or EAS), combined with long-term timestamping according to the ETSI EN 319 122 standard. This mechanism, sometimes called LTV (Long Term Validation), periodically re-timestamps the document by adding additional integrity proofs, guaranteeing its verifiability for the entire legal duration.

Do not confuse archiving and storage: a simple file server or cloud drive does not constitute value-based archiving. Only a system guaranteeing integrity, readability, and traceability of access meets legal requirements.
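The re-timestamping logic described above can be checked mechanically. The following is an added example, not code from Certyneo or from any ETSI specification: it models only certificate validity windows (real validation also covers revocation data and algorithm strength), and the `Proof` class, function names, 90-day margin and sample dates are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Proof:
    """The original signature or a later archive timestamp (simplified model)."""
    label: str
    applied: date       # when the signature or timestamp was created
    cert_expires: date  # end of validity of the certificate behind it


def find_chain_gaps(proofs, as_of):
    """Return a description of every break in the chain; [] means unbroken.

    Assumed rule: each proof must be covered by the next one before its own
    certificate expires, and the latest proof must still be valid on as_of.
    """
    ordered = sorted(proofs, key=lambda p: p.applied)
    gaps = []
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt.applied > prev.cert_expires:
            gaps.append(f"{prev.label} expired {prev.cert_expires}, "
                        f"{nxt.label} applied only on {nxt.applied}")
    if ordered and as_of > ordered[-1].cert_expires:
        gaps.append(f"{ordered[-1].label} expired {ordered[-1].cert_expires} "
                    f"with no later timestamp")
    return gaps


def renewal_deadline(proofs, margin_days=90):
    """Latest date to re-timestamp, keeping a safety margin before expiry."""
    latest = max(proofs, key=lambda p: p.applied)
    return latest.cert_expires - timedelta(days=margin_days)


# Constructed sample: a DUER signed in 2022 and re-timestamped twice.
SAMPLE = [
    Proof("signature", date(2022, 3, 1), date(2025, 3, 1)),
    Proof("archive-ts-1", date(2025, 1, 15), date(2028, 1, 15)),
    Proof("archive-ts-2", date(2028, 6, 1), date(2031, 6, 1)),  # applied too late
]

if __name__ == "__main__":
    for gap in find_chain_gaps(SAMPLE, as_of=date(2030, 1, 1)):
        print("BROKEN:", gap)
    print("Next renewal due by", renewal_deadline(SAMPLE))
```

In the sample, the second archive timestamp arrives more than four months after the first one's certificate expired, so everything before it can no longer be validated through the chain.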

Verification Process During Updates

The DUER must be updated at least once per year, and with each significant change in working conditions. Each new version must be distinguished from the previous one and subject to a new signature. A rigorous process includes:

  1. Explicit versioning: version number, effective date, list of changes made;
  2. Signature of the new version by the HSE manager and, in some cases, by the employee representative (CSE);
  3. Retention of all previous versions in the EAS, accessible in read-only mode;
  4. Systematic verification of the integrity of the current version before any sharing with the Labor Inspectorate or occupational health services.
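The integrity check in step 4, using the SHA-256 hash that the audit report records for each signed version, can be scripted as below. This is an added example, not Certyneo's code: the register layout, function names and sample documents are assumptions constructed for illustration, and a hash comparison complements but does not replace cryptographic validation of the signature itself.

```python
import hashlib
import hmac
from datetime import date


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_register(register, archive, today):
    """Return (version, finding) pairs for a DUER version register.

    register: list of (version, effective_date, sha256_hex) taken from audit reports
    archive:  {version: file bytes} as currently stored
    """
    findings = []
    entries = sorted(register, key=lambda e: e[0])
    for version, _effective, recorded in entries:
        data = archive.get(version)
        if data is None:
            findings.append((version, "missing from archive"))
        elif not hmac.compare_digest(sha256_hex(data), recorded.lower()):
            findings.append((version, "hash mismatch: modified after signature"))
    # Annual update rule: flag any version not followed by an update within
    # a year (366 days allows for leap years), including the current one.
    dates = [e[1] for e in entries] + [today]
    for entry, start, end in zip(entries, dates, dates[1:]):
        if (end - start).days > 366:
            findings.append((entry[0], f"no update within a year after {start}"))
    return findings


# Constructed sample documents and register (hashes as an audit report would hold).
V1 = b"DUER v1: noise exposure 82 dB, press line A"
V2 = b"DUER v2: noise exposure 85 dB, press line A"
V3 = b"DUER v3: noise exposure 85 dB, press lines A and B"
REGISTER = [
    (1, date(2022, 1, 10), sha256_hex(V1)),
    (2, date(2023, 1, 5), sha256_hex(V2)),
    (3, date(2024, 9, 1), sha256_hex(V3)),
]
# The stored copy of v2 has a single changed digit.
ARCHIVE = {1: V1, 2: V2.replace(b"85", b"80"), 3: V3}

if __name__ == "__main__":
    for version, finding in audit_register(REGISTER, ARCHIVE, date(2025, 3, 1)):
        print(f"v{version}: {finding}")
```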

Automating these steps via a platform like Certyneo significantly reduces the risk of human error and ensures continuous process compliance. To measure the return on investment of such a solution, the electronic signature ROI calculator allows you to estimate gains according to your organization's size.

Foundational Texts in Labor Law

The obligation to establish a Single Document for Risk Assessment (DUERP) stems from article L.4121-1 of the French Labor Code, which imposes on the employer the transcription and updating of risk assessment results. Decree No. 2001-1016 of November 5, 2001 instituted this formal obligation. Law No. 2021-1018 of August 2, 2021 for strengthening occupational health prevention extended retention obligations to 40 years and introduced requirements for dematerialized filing with occupational health services for companies with at least 150 employees.

Article 1366 of the French Civil Code establishes the principle: "Electronic writing has the same probative force as writing on paper, provided that the person from whom it emanates can be duly identified and that it is established and retained under conditions to guarantee its integrity." Article 1367 specifies that the electronic signature "consists in the use of a reliable identification process guaranteeing its link with the act to which it is attached."

The eIDAS Regulation No. 910/2014 of the European Parliament and Council establishes the European framework of trust for electronic transactions. It defines three levels of signatures (simple, advanced, qualified) and establishes equivalence between qualified electronic signature and handwritten signature in article 25§2. The advanced signature, without benefiting from this legal presumption, remains admissible as a means of proof according to the non-discrimination principle of article 25§1.

Technical Reference Standards

Electronic signature formats recognized for PDF documents are defined by the ETSI EN 319 132 (XAdES), ETSI EN 319 122 (CAdES), and ETSI EN 319 142 (PAdES) standards. For long-term validation, the ETSI EN 319 102 standard defines validation algorithm procedures compliant with eIDAS.

Qualified electronic timestamping is governed by article 41 of the eIDAS Regulation and the RFC 3161 standard of the IETF, guaranteeing a certain date enforceable against third parties.

Personal Data Protection

The DUER contains personal data (employee identities, information about their health and safety). Its processing is subject to the GDPR Regulation No. 2016/679. Electronic signature itself implies processing of signer identity data. The employer, as data controller, must ensure that the signature provider is a GDPR-compliant processor with a DPA (Data Processing Agreement) compliant with article 28 of the GDPR.

Risks in Case of Non-Compliance

The absence of a DUER or a DUER whose signature is not enforceable exposes the employer to a fine of €3,750 (5th class misdemeanor) per infraction found. In the event of a serious accident, the non-enforceability of the DUER can lead to recognition of the employer's inexcusable fault, resulting in increased compensation to the victim and a contribution claim by the CPAM.

Concrete Use Scenarios

An Industrial Contractor Facing a Labor Inspectorate Audit

An industrial SME of 85 employees, operating in the manufacture of metal parts, is subject to an unannounced visit by the Labor Inspectorate following a machinery accident. The inspector requests to consult the DUER in effect on the accident date. The HSE manager presents a PDF file electronically signed via the company's signature platform.

Thanks to the audit certificate attached to the document, the inspector can verify in real time: the signature date and time (prior to the accident), the signer's identity (the authorized production manager), document integrity (SHA-256 hash intact), and signature level compliance (advanced with qualified certificate). The company is able to demonstrate that the risk was identified and corrective measures had been planned. This record avoids qualification as inexcusable fault. According to CNAM annual report data on accident rates, companies with robust documentary traceability reduce their exposure to CPAM contribution claims by 30 to 45%.

An HR Consulting Firm Managing Multi-Client DUERs

An HR consulting firm of 18 staff members assists some forty SME and micro-enterprise clients in drafting and annually updating their DUERs. Previously, documents were sent as unsigned PDFs by email, then signed manually and returned as scans.

After migration to a SaaS electronic signature solution, each DUER is signed online by the client manager in less than 3 minutes. The firm has a centralized dashboard allowing verification at any time of each document's status: signed, timestamped, archived. If a client questions the validity of a previous version, authenticity verification takes less than 30 seconds. Time spent on follow-ups and document management has decreased by approximately 60%, according to comparable industry benchmarks published by HR consulting associations.

A Healthcare Facility Group Managing Multi-Year DUERs

A private hospital group of approximately 600 beds, comprising several healthcare facilities and nursing homes, must manage specific DUERs for each site, including chemical, biological, and psychosocial risks. The 40-year legal retention period and the multiplicity of signatories (site directors, occupational physicians, CSE representatives) make monitoring particularly complex.

The group deploys a qualified electronic signature solution with value-based archiving and long-term timestamping. Each DUER version is cryptographically sealed and automatically re-timestamped every 3 years to maintain the chain of trust. In case of ARS audit or litigation, any historical version can be extracted with its complete validation report. This organization reduced by nearly 70% the time for preparing files during external inspections, compared to the previous hybrid paper-digital archiving system.

Conclusion

Verifying the authenticity of a document signed for a Single Document for Risk Assessment is not an optional formality: it is a legal and organizational necessity. Between obligations arising from the Labor Code, the 40-year retention period imposed since 2021, and the liability stakes in case of accident, only a robust electronic signature — accompanied by reliable verification tools — guarantees the full probative value of your DUER.

Whether you go through a PDF reader, a European validation service, or directly through your signature platform, the essential point is to integrate this verification into a documented and reproducible process.

Certyneo allows you to sign, verify, and archive your DUERs in full eIDAS compliance, with a complete audit trail and integrated value-based archiving. Create your free account on Certyneo and secure today the legal value of your prevention documents.
