
Electronic Signature Provider Obligations in France

eIDAS Qualification, GDPR Compliance, ETSI Standards: electronic signature service providers operate under a strict legal framework. Complete overview of obligations applicable in France.

Certyneo · 11 min read

Introduction

In France, the electronic signature market is experiencing sustained growth: according to a 2024 IDC study, more than 4.2 billion electronic documents are signed each year in the European Union, with annual growth of 22%. Behind this massive adoption lies an exacting legal reality: the Trust Service Providers (TSP) that offer electronic signature solutions are subject to a dense regulatory corpus, articulated around the eIDAS regulation, GDPR and ETSI technical standards. Understanding these legal obligations of an electronic signature provider in France is essential for any organization wishing to choose a compliant and secure solution. This article decodes all applicable requirements, from qualification conditions to personal data management, including contractual responsibilities.

---

The eIDAS Regime: The Cornerstone of Provider Obligations

European Regulation No. 910/2014, known as eIDAS (Electronic Identification, Authentication and Trust Services), constitutes the fundamental basis governing trust service providers in Europe. Directly applicable in all Member States since July 1, 2016, it distinguishes three levels of electronic signature — simple, advanced and qualified — and imposes differentiated obligations depending on the level offered.

Qualification and Supervision by ANSSI

In France, the National Agency for Information Systems Security (ANSSI) acts as the supervisory body within the meaning of Article 17 of eIDAS. Any provider wishing to appear on the national trusted list (Trusted Service List, TSL) must undergo a rigorous qualification process:

  • Compliance audit conducted by a Conformity Assessment Body (CAB) accredited by COFRAC.
  • Compliance with ETSI EN 319 401 standards (general requirements for trust service providers) and ETSI EN 319 411 for certification authorities.
  • Periodic renewal of qualification, with audit at least every 24 months.

Qualified providers benefit from a presumption of compliance and can offer qualified electronic signatures (QES), the highest level, recognized as equivalent to a handwritten signature in all EU Member States.

Technical and Operational Obligations Imposed by eIDAS

Beyond qualification, eIDAS imposes a set of permanent obligations on providers:

  • Service availability: the provider must guarantee the operational continuity of its trust services. Article 19 of eIDAS requires the implementation of security measures appropriate to risks and proportionate to requirements.
  • Incident notification: any security incident impacting the provision of the service or user data must be notified to ANSSI within 24 hours of detection.
  • Publication of a certification policy: the qualified provider must publish and keep up to date its Certification Policy (CP) and Certification Practice Statement (CPS), documents that are binding on users.
  • Qualified electronic time-stamping: when the service includes time-stamping, it must comply with ETSI EN 319 421 standard.

---

GDPR and Personal Data Processing: A Cross-Cutting Obligation

Electronic signature necessarily involves the processing of personal data — signer identity, email address, biometric data in some cases, audit logs. The provider is therefore subject to the provisions of the General Data Protection Regulation (GDPR, No. 2016/679), which entered into application on May 25, 2018.

The qualification of the provider's role vis-à-vis its customers is decisive:

  • Processor (Article 28 GDPR): in most cases, the provider processes data on behalf of its customer (the using company). A data processing agreement compliant with Article 28 is mandatory, specifying in particular: the nature and purpose of processing, security measures, obligations in case of data breach and conditions for data return or deletion.
  • Joint controller: in some cases (e.g., shared identity verification service), the provider may be co-responsible for processing, with the enhanced obligations that follow (Article 26 GDPR).

Concrete Obligations Regarding Personal Data

  • Data minimization (Article 5 GDPR): only data strictly necessary for authentication and signature can be collected.
  • Retention period: signature evidence (audit logs, certificates) must be retained for the time necessary for their probative value, generally aligned with the applicable limitation period (10 years for commercial acts, 30 years for certain civil acts), then deleted.
  • Transfers outside the EU: if data is hosted or processed outside the European Economic Area, the provider must guarantee an adequate level of protection (standard contractual clauses, adequacy decisions). Data hosting in France or Europe is a major differentiating criterion.
  • Records of processing activities: the provider must maintain a record of processing carried out on behalf of its customers (Article 30 GDPR).

In case of a personal data breach, notification to the CNIL must occur within 72 hours (Article 33 GDPR), in parallel with the notification to ANSSI required under eIDAS.

---

Obligations Regarding Information Systems Security

Cybersecurity is at the heart of the obligations of a trust service provider. Applicable texts have been significantly strengthened in recent years.

NIS 2: A New Level of Requirements

The NIS 2 Directive (EU 2022/2555), transposed into French law by Law No. 2024-449 of May 21, 2024, significantly extends the scope of entities subject to enhanced cybersecurity obligations. Trust service providers qualified under eIDAS are now systematically classified as essential entities, subject to the strictest obligations:

  • Implementation of a documented cybersecurity risk management policy.
  • Obligation to report significant incidents to ANSSI (reduced timeframes: early alert within 24 hours, full notification within 72 hours).
  • Supply chain security requirements (control of subcontractors and suppliers).
  • Sanctions that can reach 10 million euros or 2% of global turnover for essential entities.

ETSI Standards and Complementary Certifications

Qualified providers rely on several structuring ETSI standards:

  • ETSI EN 319 132: XAdES profile for advanced XML signature.
  • ETSI EN 319 122: CAdES profile for advanced cryptographic signatures.
  • ETSI EN 319 102: procedures for creation and validation of electronic signatures.

ISO/IEC 27001 certification (information security management system) is also recommended, and is even required in certain public procurement calls. Some providers supplement their system with ANSSI SecNumCloud qualification for cloud-hosted components.

---

Contractual Responsibility and Obligations to End Users

Beyond regulatory obligations, the provider engages its contractual and sometimes extra-contractual responsibility to parties using its service.

Service Guarantees and Availability Levels

SLAs (Service Level Agreements) constitute the central contractual framework. A serious provider typically commits to:

  • An annual availability rate of at least 99.9% (less than 8.7 hours of downtime per year).
  • Guaranteed processing times for the creation of qualified certificates.
  • Operational certificate revocation procedures in less than 24 hours in case of compromise.

Transparency and User Information

Article 13 of eIDAS requires qualified trust service providers to inform users of the characteristics and limitations of their service. This obligation translates into:

  • Publication of clear terms and conditions of use, specifying the signature levels offered and their legal value.
  • Information on identity verification procedures implemented (face-to-face verification, remote via video, automated).
  • Provision of signature verification tools allowing any third party to verify the validity of a signature produced.

To learn more about choosing a solution adapted to your organization, consult our guide which evaluates these compliance criteria in detail.

The Chain of Responsibility in Case of Dispute

In case of dispute over the probative value of a signature, responsibility may be distributed among several actors: the provider (certificate quality, process integrity), the signer (use of authentication means) and the client company (signature workflow configuration). The qualified provider benefits from a presumption of technical compliance, but remains responsible for failures in its own systems.

For companies seeking to optimize the management of their document flows, our guide on best practices details implementation best practices.

Applicable Legal Framework

The obligations of electronic signature providers in France form a coherent, layered regulatory framework that combines directly applicable European law with national law.

eIDAS Regulation No. 910/2014 (EU) — As the founding text, it defines the three levels of electronic signature (simple, advanced, qualified), the conditions for qualification of trust service providers, and the legal effects attached to each level. Its Article 25 states the cardinal rule: "a qualified electronic signature has a legal effect equivalent to that of a handwritten signature". The eIDAS 2.0 revision, through Regulation No. 2024/1183, strengthens requirements related to the European digital identity wallet (EUDIW) and extends provider obligations.

Civil Code, Articles 1366 and 1367 — Article 1366 recognizes electronic writing with the same probative force as writing on paper, subject to reliability conditions for identifying the author and document integrity. Article 1367 defines electronic signature as "the use of a reliable process of identification guaranteeing the link with the act to which it is attached". These provisions, from Ordinance No. 2016-131 of February 10, 2016, establish the probative value of signatures produced by compliant providers.

Decree No. 2017-1416 of September 28, 2017 — Implementing text for Article 1367 of the Civil Code, it clarifies the conditions under which the reliability of an electronic signature process is presumed: use of a qualified electronic signature within the meaning of eIDAS. It establishes a rebuttable presumption of reliability in favor of qualified providers.

GDPR No. 2016/679 (EU) — Applicable to any processing of personal data carried out in the context of providing electronic signature services. Articles 28 (processors), 32 (security of processing), 33-34 (breach notification) and 82-83 (liability and sanctions) are directly applicable. Administrative fines can reach 20 million euros or 4% of annual global turnover.

NIS 2 Directive (EU) 2022/2555 — Law No. 2024-449 of May 21, 2024 — Transposes into French law the enhanced cybersecurity obligations for essential service operators and important entities. Qualified trust service providers are classified as essential entities as of right, which exposes their managers to personal sanctions in case of a proven breach.

Reference ETSI Standards — ETSI EN 319 401 (general TSP requirements), ETSI EN 319 411-1 and 411-2 (certification policy), ETSI EN 319 421 (time-stamping), ETSI EN 319 102-1 (validation procedures), ETSI EN 319 132 (XAdES), ETSI EN 319 122 (CAdES). These technical standards have quasi-regulatory scope as soon as they are referenced in European Commission implementing decisions published in the OJEU.

Consult our guide for an in-depth analysis of these texts and their practical implications.

Usage Scenarios: Provider Obligations in Practice

Scenario 1 — A Business Law Firm with 30 Employees

A law firm specializing in corporate law, with about thirty lawyers, seeks to dematerialize the signature of its acts (mandates, fee agreements, share transfer documents). Its main constraint: the probative value of signatures must be irrefutable in case of litigation.

The firm requires from its provider:

  • The provision of qualified electronic signatures (QES) for the most sensitive acts, with identity verification at the eIDAS "high" assurance level.
  • A complete evidence file (time-stamped audit log, qualified certificate, document hash) retained for 30 years in accordance with limitation periods applicable to private agreements.
  • A detailed GDPR data processing agreement, as the processed data includes information about corporate clients and individuals.

Result observed in comparable structures: reduction of 70 to 80% of mandate signing times (from 5 to 7 business days to less than 24 hours) and almost complete elimination of follow-ups related to missing signatures. For law firms, our dedicated solution responds precisely to these requirements.

Scenario 2 — An Industrial SME Managing 300 Supplier Contracts Per Year

An intermediate-sized manufacturing company, with a procurement department of 8 people, annually signs approximately 300 supplier contracts (general conditions of purchase, amendments, NDAs). It currently uses handwritten signature with digitization, generating average delays of 12 days and recurring traceability problems.

It selects a qualified eIDAS provider offering advanced signatures with qualified certificate for its common commercial contracts. Key obligations verified during selection:

  • ISO 27001 certification of the provider's infrastructure.
  • Data hosting exclusively on servers located in France (GDPR compliance, protection against extraterritorial injunctions).
  • API integration with its ERP to automate signature workflows.
  • SLA guaranteeing 99.95% availability and signature evidence retention for 10 years.

After deployment, comparable companies observe on average a 65% reduction in contracting delays and annual savings estimated between 15,000 and 25,000 euros (printing, physical archiving, management time). Use our calculator to estimate your own gains.

Scenario 3 — A Hospital Group with Approximately 1,500 Employees

A healthcare cooperation group wishing to dematerialize the signature of employment contracts, amendments and patient consent forms must accommodate specific regulatory requirements for the healthcare sector.

Provider obligations scrutinized:

  • Hosting health data on HDS-certified infrastructure (Hébergeur de Données de Santé, the certified Health Data Host scheme), a certification that is mandatory for hosting personal health data.
  • Compliance with digital identity benchmarks from ANS (French Digital Health Agency) for healthcare professionals.
  • Ability to manage differentiated signature levels: simple signature for internal administrative forms, advanced signature for employment contracts, qualified signature for certain regulated acts.
  • Tamper-proof and exportable audit logs, so that the group can respond to ARS (regional health agency) controls.

Comparable institutions report significant HR processing gains: reduction of 50 to 60% of time spent on administrative management of employee entries/exits. Our dedicated page details the specific regulatory features of this sector.

Conclusion

The legal obligations weighing on electronic signature providers in France form a coherent but demanding set: eIDAS qualification supervised by ANSSI, strict GDPR compliance, ETSI technical standards, cybersecurity requirements strengthened by NIS 2 and clearly defined contractual responsibility. For the companies that use these services, each of these requirements is an essential selection criterion: a non-qualified or non-compliant provider exposes its clients to real legal risks, both in terms of the probative value of signatures and the protection of personal data.

Certyneo is an electronic signature provider compliant with eIDAS, GDPR and NIS 2, with data hosting in France. To discover how our solution concretely responds to these obligations while simplifying your signature processes, get started today.
