Go to main content
Certyneo

Electronic Signature Provider Obligations France

eIDAS Qualification, RGPD Compliance, ANSSI Requirements: electronic signature providers face a demanding legal framework. Discover all the obligations to comply with.

Rédaction Certyneo14 min read

Updated on

Rédaction Certyneo

Writer — Certyneo · About Certyneo

white printer paper close-up photography

Introduction

Deploying an electronic signature solution in France is not something to be done on the fly. Behind each qualified or advanced signature lie dozens of legal obligations incumbent upon the trust service provider (TSP). eIDAS Regulation, RGPD, general security framework, ETSI standards… the regulatory framework is both dense and evolving. For user companies, understanding these electronic signature provider legal obligations France eIDAS RGPD is essential in order to choose a compliant partner and avoid any legal risk. This article details, section by section, all the requirements applicable to TSPs operating on French territory.

---

The Status of Qualified Trust Service Provider

What is a TSP under eIDAS?

Regulation eIDAS No. 910/2014 distinguishes two categories of providers: non-qualified trust service providers and qualified providers (QTSP). The former may offer simple or advanced electronic signature services without mandatory third-party audit. The latter — alone authorized to deliver qualified signatures within the meaning of Article 3(15) of eIDAS — must satisfy considerably stricter requirements.

In France, it is the National Agency for Information Systems Security (ANSSI) that fulfills the role of supervisory authority ("Supervisory Body") provided for in Article 17 of eIDAS. It publishes and maintains the French trust list (TSL — Trust Service List), accessible on its official website, listing qualified providers and their services.

The Qualification Procedure: Audit and Compliance

To obtain qualified status, a TSP must:

  • Have its services audited by a conformity assessment body (CAB — Conformity Assessment Body) accredited by COFRAC in accordance with the EN ISO/IEC 17065 standard.
  • Submit the audit report to ANSSI, which rules on the granting of qualified status. This status is re-evaluated at least every 24 months (Article 20 §1 eIDAS).
  • Notify ANSSI of any substantial change to its services within 3 months prior to the planned modification (Article 21 eIDAS).

Non-compliance with these steps exposes the provider to removal from the TSL and loss of the legal presumptions attached to the qualified signature. For client companies, using a TSP not listed on the TSL means benefiting from no legal presumption of reliability.

> For further information on the different signature levels and their legal effects, consult our comprehensive guide to eIDAS 2.0 regulation.

---

Technical and Security Obligations Imposed on TSPs

Compliance with ETSI Standards

Qualified providers must comply with a set of European standards published by the European Telecommunications Standards Institute (ETSI). The main ones are:

  • ETSI EN 319 401: general security requirements applicable to all TSPs.
  • ETSI EN 319 411-1 and 411-2: policies and practices of certification authorities issuing qualified signature certificates.
  • ETSI EN 319 132: advanced electronic signature formats (XAdES for XML, PAdES for PDF, CAdES for CMS).
  • ETSI EN 319 122: CAdES format for qualified signatures.
  • ETSI TS 119 431: requirements for remote signature creation services (remote QSCD).

These standards are not optional: the eIDAS regulation (Annex II, III and IV) explicitly refers to them to define the minimum requirements for qualified certificates and signature creation devices.

Management of Qualified Signature Creation Devices (QSCD)

One of the pillars of the qualified signature is the use of a qualified signature creation device (QSCD) compliant with Annex II of eIDAS. The provider must ensure that:

  • The private key of the signatory cannot be generated, stored or copied outside the QSCD.
  • Key generation occurs exclusively in a certified environment (Common Criteria certification EAL 4+ or equivalent).
  • Signatory authentication preceding any signature act is based on at least two authentication factors.

In a remote signature context — increasingly common in SaaS environments — these requirements apply to the HSM (Hardware Security Module) server hosting the keys. ANSSI has published specific protection profiles (PP-0075, PP-0076) defining the security criteria to be met.

Business Continuity Policy and Incident Notification

Article 19 of eIDAS requires all trust service providers (qualified or not) to:

  • Notify the supervisory authority (ANSSI) and, if applicable, the data protection authority (CNIL), within 24 hours of detecting a security breach likely to impact the reliability of the service.
  • Maintain a documented and regularly tested business continuity plan.
  • Have a formalized information security policy covering notably risk management, incident management and backup policy.

These requirements overlap partially with those of the NIS2 directive (2022/2555/EU), transposed into French law by law No. 2023-703 of August 1, 2023, which classifies TSPs of significant size among important or essential entities subject to enhanced cybersecurity obligations.

> Discover how electronic signature for law firms must integrate these constraints into their document workflows.

---

RGPD Obligations Specific to TSPs

Is the TSP a Data Controller or Processor?

The RGPD qualification of the provider depends on the nature of the service rendered:

  • When the TSP directly delivers qualified certificates on behalf of the signatory and determines the purposes of personal data processing (identity, biometric authentication data), it acts as a data controller within the meaning of Article 4(7) RGPD.
  • When it integrates its API into a B2B client's platform and processes personal data solely according to that client's instructions, it assumes the status of processor (Article 4(8) RGPD) and must necessarily enter into a DPA (Data Processing Agreement) compliant with Article 28 RGPD.

In practice, most SaaS TSPs combine both roles: controller for managing their own certification infrastructure, processor for processing signatory documents and metadata.

Signatory identification and authentication — a mandatory step for issuing a qualified certificate — often involves processing sensitive data: identity document scan, video selfie, facial recognition biometric data. This data constitutes personal data subject to RGPD, or even biometric data falling under Article 9 RGPD (special categories).

The TSP's obligations include:

  • Legal basis: explicit consent (Article 9§2a) or, in certain cases, legal obligation (Article 9§2b) for processing biometric data.
  • Limited retention period: according to CNIL guidelines, identification data must be retained for the time strictly necessary, generally aligned with the certificate validity period + legal proof period (often 10 years for private deeds, Article 2224 of the French Civil Code).
  • Impact assessment (DPIA) mandatory (Article 35 RGPD) whenever processing is likely to entail a high risk — which is systematically the case for biometrics.
  • Processing register (Article 30 RGPD) kept up to date and documenting each processing category.

International Data Transfers

Many TSPs host all or part of their infrastructure outside the European Economic Area (EEA). In this case, the appropriate safeguards required by Chapter V RGPD must be in place: adequacy decision, standard contractual clauses (SCCs) from the European Commission, or binding corporate rules (BCRs). The Schrems II judgment (CJEU, C-311/18, July 16, 2020) recalled that transfers to the United States require a prior country risk analysis.

> To understand the impact of these rules on your organization, consult our guide on electronic signature in business.

---

Transparency and Information Obligations Toward Users

Certification Policy (CP) and Certification Practice Statement (CPS)

Any TSP issuing certificates is required to publish a Certification Policy (CP) and a Certification Practice Statement (CPS), in accordance with ETSI EN 319 411. These publicly accessible documents detail:

  • Procedures for signatory identification and registration.
  • Physical and logical security measures deployed.
  • Certificate revocation conditions and associated timelines.
  • The TSP's responsibilities and liability limitations.

The absence or incompleteness of these documents constitutes non-compliance that may be noted during the re-qualification audit by the accredited body.

Pre-contractual and Contractual Information to Clients

Beyond purely technical obligations, Article 13 RGPD requires the TSP to provide to each person whose data is collected clear and accessible information on:

  • The identity of the data controller and the DPO's contact details (mandatory for TSPs processing sensitive data at large scale, Article 37 RGPD).
  • The purposes and legal bases for each processing.
  • The rights of individuals (access, rectification, erasure, portability, objection).
  • Any potential recipients of data (processors, authorities).

This information must appear in the service's privacy policy, in the terms of use and, where applicable, in the DPA concluded with professional clients.

Qualified Timestamping and Audit Trail

To guarantee long-term probative value of signatures, serious TSPs systematically associate a qualified electronic timestamp (Article 42 eIDAS) with each signed deed. This timestamp constitutes legally presumed proof of the existence of the data on the stated date. The maintenance of the audit trail (identification logs, document fingerprint, signature data) is a de facto obligation to allow any subsequent judicial verification.

> Compare market solutions according to these criteria in our comparison of electronic signature solutions.

---

eIDAS 2.0: New Obligations on the Horizon 2026-2027

Regulation eIDAS 2.0 (EU) 2024/1183

Published in the Official Journal of the EU on April 30, 2024, Regulation (EU) 2024/1183 called "eIDAS 2.0" significantly strengthens TSP obligations around three axes:

  • The European Digital Identity Wallet (EUDI Wallet): Member States must make available a certified digital identity wallet by November 2, 2026. TSPs will have to integrate their service with this wallet to offer qualified signatures via eIDAS 2.0 identity.
  • Management of attribute attestations: eIDAS 2.0 introduces qualified attribute attestations (QEAAs), issued by qualified attestation providers. New audit and qualification procedures will apply.
  • Strengthening of supervision: national supervisory authorities (ANSSI for France) see their powers enlarged, notably the ability to conduct unannounced audits and to impose binding corrective measures within shortened timeframes.

Practical Implications for Current Providers

TSPs already qualified under eIDAS 1.0 will need to proceed with progressive compliance before the deadlines set by implementing acts of the Commission (published or in preparation). The main adaptations concern:

  • Refunding of identification infrastructure to support the EUDI Wallet as an authentication method.
  • Updating CP/CPS to integrate new certificate and attestation typologies.
  • Strengthening security requirements for remote QSCDs, with new protection profiles to come.

For client companies, this means verifying from now that their provider has a documented and verifiable eIDAS 2.0 compliance roadmap.

The regulatory chain applicable to electronic signature providers operating in France is articulated across several complementary hierarchical levels.

French Civil Code — Articles 1366 and 1367

Article 1366 of the Civil Code recognizes electronic writing as a means of proof equivalent to paper writing, provided that "the person from whom it emanates can be duly identified and that it is established and preserved under conditions of a nature to guarantee its integrity". Article 1367 specifies that the electronic signature "consists in the use of a reliable identification process guaranteeing its link with the deed to which it attaches". The presumption of reliability benefits qualified signatures within the meaning of eIDAS, reversing the burden of proof in favor of the signatory.

Regulation eIDAS No. 910/2014/EU

This regulation, directly applicable in all Member States, establishes the legal framework for trust services. Its Article 26 defines the conditions of advanced electronic signature; its Article 28 the requirements for qualified certificates; its Annex I details the mandatory content of these certificates. Qualified TSPs benefit from a presumption of compliance with the technical and legal requirements of the regulation (Article 19§2), which constitutes a major advantage in the event of dispute.

Regulation eIDAS 2.0 — (EU) 2024/1183

Published on April 30, 2024, this amending regulation introduces new categories of trust services (qualified attribute attestations, qualified archiving services) and strengthens supervisory obligations. It repeals and partially replaces Regulation 910/2014, with progressive applicability according to implementing acts of the European Commission.

RGPD — Regulation (EU) 2016/679

RGPD applies to any personal data processing carried out in the context of an electronic signature service. Articles 5 (lawfulness principles), 6 (legal basis), 9 (sensitive data), 13-14 (information), 28 (subcontracting), 32 (security), 33-34 (breach notification), 35 (DPIA) and 37 (DPO) constitute the most frequently applicable provisions. CNIL is the competent supervisory authority in France and may impose fines up to 20 million euros or 4% of annual global turnover (Article 83§5 RGPD).

NIS2 Directive — (EU) 2022/2555

Transposed into French law by law No. 2023-703 of August 1, 2023, NIS2 classifies significant TSPs among important or essential entities subject to obligations of cyber risk management and incident notification to ANSSI within 24 hours (early warning) and then 72 hours (complete notification).

ETSI Standards

The entire set of standards EN 319 401, EN 319 411-1/2, EN 319 132, EN 319 122 and TS 119 431 constitutes the mandatory technical reference for qualification audit. Non-compliance therewith prevents obtaining or maintaining qualified status.

Legal Risks in Case of Non-Compliance

A non-compliant provider faces: removal from the French TSL, engagement of its contractual and non-contractual liability, CNIL administrative sanctions, NIS2 fines that may reach 10 million euros or 2% of global turnover for important entities and 20 million or 4% of turnover for essential entities, as well as judicial recourse by clients who suffered loss due to legally invalid signatures.

Usage Scenarios: How Enterprises Verify Their TSP's Compliance

Scenario 1 — An Industrial Group Managing 3,000 Supplier Contracts Annually

An industrial group of intermediate size (SME), active in the manufacture of mechanical equipment, dematerializes all of its supplier contracts via a SaaS electronic signature platform. During an internal audit triggered by a regulatory change, the legal department discovers that the selected provider — initially chosen on price criteria — is listed neither on the French TSL nor on any European TSL. The delivered signatures are of "simple" type without robust signatory identification mechanism.

Facing legal risk — the whole set of signed contracts could see their probative value contested in case of dispute — the company launches a migration to a ANSSI-qualified TSP. The new solution integrates an advanced signature with qualified certificate, a qualified timestamp and an exportable audit trail. The migration project, completed in less than 8 weeks, allows retroactively securing new acts and establishing a compliant document policy. The legal teams estimate that the litigation risk related to old contracts remains marginal due to their execution without challenge, but any new signature is now covered.

Observed gains: 60% reduction in potential disputes related to signature authenticity, and an average 3.5-day gain in signature time on complex contracts thanks to workflow validation automation.

Scenario 2 — A Law Firm of 25 Business Law Specialists

A law firm wishing to digitize the signature of mandates, consultations and procedural deeds evaluates several providers. Its evaluation grid integrates the following criteria: presence on the TSL, publication of an accessible CP/CPS, existence of a RGPD-compliant DPA, availability of a reachable DPO and certification of remote QSCDs.

Of five evaluated providers, only two meet all criteria. The firm ultimately selects a TSP natively offering a qualified signature via remote QSCD, guaranteeing the presumption of reliability of Article 1367 of the Civil Code. Implementation takes 3 weeks, training included. Result: 75% of mandates are now signed in less than 24 hours versus 5 to 7 days previously (postal dispatch), and the firm can justify to its clients the legal security level offered by the solution — a differentiating argument in its commercial proposals.

Scenario 3 — A Hospital Group of Around 1,200 Beds

A hospital group wishes to dematerialize employment contracts, internship agreements and partnership agreements with partner healthcare facilities. The sensitivity of the data processed (healthcare data of nursing staff, HR data) imposes particular vigilance on the TSP's RGPD obligations.

The IT department and the establishment's DPO require: data hosting in France with an HDS-certified health data hosting provider (Health Data Hosting certification provided for in Article L.1111-8 of the Public Health Code), no transfer outside the EEA, documented DPIA for signatory identification processing, and DPA signed before any production deployment.

After selecting a TSP meeting these criteria, deployment covers priority on HR contracts (approximately 800 acts per year). The average signature time for fixed-term contracts drops from 9 days to less than 48 hours, freeing significant capacity for human resources teams. The establishment also has full traceability of collected consents, audited annually by its DPO.

Conclusion

The legal obligations weighing on electronic signature providers in France form a demanding body of law: eIDAS qualification, RGPD compliance, ETSI standards compliance, NIS2 obligations and imminent adaptation to eIDAS 2.0. For user companies, ensuring the compliance of one's TSP is not an optional undertaking — it is a sine qua non condition for the probative value of signed deeds and for the protection of signatories' personal data.

Certyneo is an electronic signature provider designed to meet all these requirements: eIDAS compliance, RGPD by design, sovereign hosting and documented eIDAS 2.0 roadmap. Ready to secure your signatures in full compliance? Request a demonstration or create your account on Certyneo and benefit from personalized support from day one.

Try Certyneo for free

Send your first signature envelope in under 5 minutes. 5 free envelopes per month, no credit card required.

Go deeper on the topic

Our comprehensive guides to master electronic signatures.