Qualified Electronic Certificate for Business: 2026 Guide

The qualified electronic certificate is the legal foundation of any digital signature with high probative value. Discover how to obtain it, deploy it, and stay compliant in 2026.

Certyneo · 12 min read

Why the qualified electronic certificate has become essential for businesses

As the dematerialization of contractual processes accelerates across all sectors, the qualified electronic certificate is becoming a strategic issue for legal departments, IT directors and senior management. According to ANSSI's 2024 annual report, more than 78% of French SMEs that have adopted qualified electronic signatures have reduced their contractualization timelines by over 60%. Yet many still confuse simple, advanced and qualified signatures, which risks exposing their legal acts to contestation. This article guides you step by step through what a qualified electronic certificate is, how to obtain it in compliance with the RGS and eIDAS framework, and how to deploy it effectively within your organization.

What is a qualified electronic certificate?

An electronic certificate is a digital file issued by a Certification Authority (CA) that binds the identity of a natural or legal person to a public cryptographic key. It is the cornerstone that allows a third party to verify the authenticity and integrity of a digital signature.

The qualifier "qualified" refers to a precise definition from the European regulation eIDAS (No. 910/2014, Article 28): the certificate must be issued by a Qualified Trust Service Provider (QTSP), registered on the national trust list (in France, published by ANSSI). It must also comply with the technical requirements of the ETSI EN 319 411-2 standard, which governs certification policies and practices.

In practice, a qualified certificate guarantees:

  • Verified identity of the signatory (face-to-face document verification or equivalent approved means);
  • Integrity of the signed document (any subsequent modification is detectable);
  • Non-repudiation (the signatory cannot deny having affixed their signature).

Difference between simple, advanced and qualified signatures

The eIDAS regulation distinguishes three levels of electronic signature, each associated with a certificate level:

| Level | Certificate Required | Probative Value | Typical Use |
|---|---|---|---|
| Simple | Not required | Low | Routine purchase orders |
| Advanced | Advanced certificate (QTSP) | Average | B2B commercial contracts |
| Qualified | Qualified certificate (qualified QTSP) | Maximum, equivalent to handwritten | Notarial acts, public procurement, sensitive HR |

A qualified signature, the only level that benefits from the legal presumption of equivalence to a handwritten signature (Art. 1367 Civil Code), strictly requires a qualified certificate. To learn more about the differences between signature levels, consult our complete electronic signature guide.

---

The RGS Framework: French specificities to know

In France, the General Security Framework (RGS), established by Decree No. 2010-112 and regularly updated by ANSSI, defines security requirements applicable to information systems of public administrations. For businesses that enter into contracts with public entities (public procurement, electronic procedures), compliance with RGS is often a contractual or regulatory obligation.

RGS levels applicable to certificates

The RGS defines three qualification stars for certificates:

  • RGS* (one star): basic level, suited to routine uses of low sensitivity;
  • RGS** (two stars): intermediate level, required for most administrative e-procedures;
  • RGS*** (three stars): high level, for acts with major legal or financial stakes.

For dematerialized public procurement via the buyer profile, Decree No. 2016-360 (Articles 39 and 40) generally imposes a signature of RGS minimum level, which implies a certificate of equivalent qualification.

RGS and eIDAS articulation

Since the eIDAS regulation came into force, the two frameworks coexist. A certificate qualified under eIDAS is deemed to satisfy RGS** requirements in the vast majority of cases. ANSSI has published correspondence tables to ensure compatibility. It is therefore advisable, for businesses working with both private and public partners, to favor a qualified certificate under eIDAS issued by a QTSP registered on the French trust list — which simultaneously covers both frameworks.

To deepen knowledge of the European regulation, our eIDAS 2.0 guide details the major developments planned and their impact on French businesses.

---

How to obtain a qualified electronic certificate: step-by-step process

Obtaining a qualified electronic certificate is not a trivial matter: it involves rigorous verification of the applicant's identity and, for a legal person, their legal representativeness. Here are the main steps.

Step 1: Identify the right qualified trust service provider

In France, the QTSPs authorized to issue qualified certificates are listed on the Trust Service Status List (TSL) published by ANSSI (available on the esignature.gouv.fr portal). Among the actors on this list are CAs such as CertEurope, Certinomis (La Poste subsidiary), Keynectis or other European service providers recognized under the eIDAS mutual recognition principle.

Selection criteria to examine:

  • Actual presence on the French and/or European TSL;
  • Format of certificate offered (software, smart card, cloud HSM);
  • Compatibility with your existing IT infrastructure;
  • Pricing and validity period (generally 1 to 3 years);
  • Support level and enrollment timeline.

Step 2: Preparation of the enrollment file

For a business, the request for a qualified certificate requires the production of documents proving both the identity of the holder (natural person) and their capacity to represent the legal person. The documents generally required are:

  • Official identification document of the holder (passport, national ID card);
  • Kbis extract less than 3 months old (or equivalent for associations, public establishments);
  • Power of attorney if the holder is not the statutory legal representative;
  • Application form specific to the chosen QTSP.

Identity verification must be carried out face-to-face before a Registration Officer (RO) mandated by the QTSP, or by an approved remote verification process (video identification compliant with ETSI TS 119 461 standard).

Step 3: Delivery and activation of the certificate

Depending on the chosen format, the certificate is delivered:

  • On a qualified signature creation device (QSCD): cryptographic USB key or certified smart card with Common Criteria EAL 4+ rating;
  • Via a remote signature service (Remote Qualified Electronic Signature — RQES) managed by the QTSP, where the private key is hosted in a certified HSM (Hardware Security Module) according to ETSI EN 419 241 standard.

Deploying an RQES service is now the solution most widely adopted by businesses, as it avoids managing physical cryptographic media while maintaining qualified compliance. Compare electronic signature solutions to identify the model most suited to your context.

Step 4: Integration into your business processes

Once the certificate is obtained, it is generally integrated into your company's document flows through a SaaS electronic signature platform. The platform must be compatible with the ETSI signature formats (XAdES, PAdES, CAdES) to guarantee interoperability and durability of digital evidence. Our dedicated article on electronic signature in business will help you structure this deployment.

---

Cost, validity and renewal: what businesses must anticipate

Price ranges in 2026

Qualified certificate rates vary significantly depending on format and provider:

  • Certificate on physical media (USB key/card): between €80 and €250 excl. VAT per holder per year;
  • Qualified cloud certificate (RQES): between €40 and €150 excl. VAT per holder per year, depending on volumes;
  • Enterprise packages: significant discounts apply from 10 holders, potentially reaching 30 to 40% of unit price.

These costs should be viewed in perspective with the savings generated: elimination of printing, postage, postal processing timelines and disputes related to contested signatures.

Validity period and renewal

The validity of a qualified certificate is generally set at 1, 2 or 3 years depending on the subscribed offer. Upon expiration, previously signed documents remain valid (provided their integrity is preserved via a qualified timestamping service), but new acts cannot be signed with the expired certificate. It is therefore imperative to establish a monitoring and early renewal process — ideally 60 days before expiration.
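The renewal monitoring described above can be sketched as follows. This is an added example, not Certyneo's code: the holder names and expiry dates are constructed sample data, and the function names are hypothetical. It assumes the PKI manager keeps an inventory of `notAfter` values in the format printed by `openssl x509 -noout -enddate`.

```python
import ssl
from datetime import datetime, timedelta, timezone

RENEWAL_WINDOW_DAYS = 60  # early-renewal lead time recommended in the text

# Constructed inventory: (holder, notAfter) pairs, sample values only.
INVENTORY = [
    ("general.manager", "Mar 15 12:00:00 2026 GMT"),
    ("sales.manager", "Jan 10 12:00:00 2026 GMT"),
    ("hr.director", "Dec 31 23:59:59 2027 GMT"),
]

def status(not_after, now):
    """Return (state, whole days remaining) for one certificate."""
    expiry = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    remaining = expiry - now
    if remaining <= timedelta(0):
        # New acts can no longer be signed with this certificate.
        return ("expired", 0)
    if remaining <= timedelta(days=RENEWAL_WINDOW_DAYS):
        return ("renew", remaining.days)
    return ("ok", remaining.days)

def renewal_queue(inventory, now):
    """List certificates needing action, most urgent (earliest expiry) first."""
    rows = []
    for holder, not_after in inventory:
        state, days = status(not_after, now)
        if state != "ok":
            rows.append((ssl.cert_time_to_seconds(not_after), holder, state, days))
    return [(holder, state, days) for _, holder, state, days in sorted(rows)]

if __name__ == "__main__":
    for row in renewal_queue(INVENTORY, datetime.now(timezone.utc)):
        print(row)
```
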

Revocation and incident management

In case of private key compromise (loss, theft of media, suspicion of disclosure), the certificate must be immediately revoked with the QTSP. The latter publishes the revocation in its Certificate Revocation List (CRL) or via the OCSP protocol, making any subsequent signature with this certificate invalid. Internal security policy must therefore provide for a dedicated contact point and an alert timeline of less than 24 hours.

---

Best practices for successful deployment in business

Governance and internal roles

Successful deployment relies on clear governance. It is recommended to designate:

  • A PKI manager (Public Key Infrastructure) on the IT side, responsible for the relationship with the QTSP and monitoring renewals;
  • A legal referent who validates use cases requiring qualified signature (vs. advanced);
  • Delegated administrators by department for operational management of holders.

Training and change management

Adopting a qualified certificate is not enough: employees must understand how to use their certificate, when to activate it, and how to respond in case of incident. A short training plan (1 to 2 hours) and documented procedures significantly reduce usage errors and support tickets.

Audit and traceability

To satisfy proof obligations, maintain a timestamped audit log of each signature performed: signer identity, document hash, certified date/time, certificate identifier. These data form the basis of the chain of evidence in case of dispute. The ETSI EN 319 132 (XAdES) standard provides signature formats that natively include this information.
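A minimal audit log holding the four fields listed above, as an added example that is not Certyneo's code. It goes one step beyond the text by chaining each entry to the previous one with SHA-256 so that later edits are detectable, which is a design assumption here. All names and sample values are constructed, and `signed_at` is assumed to come from a timestamping service.

```python
import hashlib
import json

GENESIS = "0" * 64  # "previous hash" of the first entry

def digest(entry):
    """SHA-256 over a canonical JSON form of the entry."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def append_entry(log, signer, document, signed_at, certificate_id):
    entry = {
        "signer": signer,
        "document_sha256": hashlib.sha256(document).hexdigest(),
        "signed_at": signed_at,            # assumed: certified time from a TSA
        "certificate_id": certificate_id,  # e.g. issuer plus serial number
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = digest(entry)  # computed before the field is added
    log.append(entry)
    return entry

def verify_log(log):
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or digest(body) != entry["entry_hash"]:
            return i
        prev = entry["entry_hash"]
    return None

def document_matches(entry, document):
    """Check that a document presented later is the one that was signed."""
    return entry["document_sha256"] == hashlib.sha256(document).hexdigest()

def build_sample_log():
    """Constructed sample data: two signatures by hypothetical holders."""
    log = []
    append_entry(log, "partner.a", b"share transfer act v1",
                 "2026-02-01T10:15:00Z", "SAMPLE-CA/serial-01")
    append_entry(log, "partner.b", b"settlement protocol v3",
                 "2026-02-01T11:40:00Z", "SAMPLE-CA/serial-02")
    return log
```
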

Civil Code and probative value

In French law, Article 1366 of the Civil Code establishes the principle of equivalence between electronic and paper writing, provided that "the identity of the person from whom it emanates is duly established and it is drawn up and kept under conditions likely to guarantee its integrity". Article 1367 paragraph 2 specifies that qualified electronic signature benefits from a presumption of reliability: it is up to the party contesting the signature to provide contrary proof, thus reversing the burden of proof in favor of the signatory.

Regulation eIDAS No. 910/2014

The European regulation eIDAS (No. 910/2014), directly applicable in all Member States since July 1, 2016, constitutes the supranational foundation. Its Article 25(2) states that "a qualified electronic signature has legal effect equivalent to that of a handwritten signature". Articles 28 and 29 define requirements applicable to qualified certificates and qualified signature creation devices (QSCD). Annex I lists the mandatory statements of a qualified certificate (policy OID, QTSP identity, public key, validity dates, etc.).

eIDAS 2.0 developments

The eIDAS 2.0 regulation (EU Regulation 2024/1183, which came into force on May 20, 2024) introduces the European digital identity wallet (EUDIW) and strengthens accessibility requirements for qualified trust services. Businesses must anticipate the integration of these new identification mechanisms by 2026-2027.

Applicable ETSI standards

  • ETSI EN 319 411-2: policy and practices for QTSPs issuing qualified certificates;
  • ETSI EN 319 132 (XAdES) and ETSI EN 319 122 (CAdES), ETSI EN 319 162 (PAdES): advanced and qualified electronic signature formats;
  • ETSI EN 419 241: requirements for signature servers (RQES).

GDPR and data protection

The processing of personal data as part of enrollment (identity verification, document collection) is subject to GDPR No. 2016/679. The QTSP and the client company are either joint controllers or in a controller/processor relationship, depending on the configuration. A DPA (Data Processing Agreement) compliant with Article 28 GDPR must be signed. Enrollment data must be retained for the lifetime of the certificate plus the applicable limitation period (5 years in contract matters).

NIS2 Directive and critical infrastructure security

The NIS2 Directive (2022/2555/EU), transposed into French law by Law No. 2024-449, requires essential and important entities to implement risk management measures including the security of digital supply chains. Recourse to a qualified QTSP registered on the national TSL constitutes a recognized good practice to partially satisfy these requirements.

Use scenarios: the qualified certificate in practice

Scenario 1: A law firm managing acts with high probative value

A corporate law firm with about twenty partners and associates must regularly sign share transfer acts, settlement protocols and powers of attorney. Previously, each act required printing, handwritten signature, scanning and postal sending — a total average timeline of 4 to 7 business days per signature cycle. After deploying cloud qualified certificates (RQES) for each partner, this timeline is reduced to less than 4 hours for acts not requiring notarial intervention. The firm estimates a 65% reduction in administrative time related to document management and has recorded no signature contestations over the first 18 months of use. The electronic signature solutions for law firms offered by Certyneo integrate natively into this type of workflow.

Scenario 2: An industrial SME contracting with public sector buyers

An SME in the metal manufacturing sector, employing approximately 120 people, regularly responds to dematerialized public tenders on buyer profiles. It is required to electronically sign its offers and commitment acts with a certificate of RGS** minimum level. After obtaining two qualified certificates (for the general manager and an authorized sales manager), the SME was able to submit its offers within the prescribed deadlines without travel or postal sending. Over a year, this represents about 35 public tender files, representing an estimated savings of 15 person-days per year on document management alone. eIDAS compliance of the certificate also ensures recognition of its signatures with German and Belgian buyers, expanding its commercial scope. Use our ROI calculator to estimate potential gains in your own context.

Scenario 3: A healthcare group securing HR and supplier acts

A hospital group of approximately 1,200 beds, comprising several establishments, faces an annual volume of nearly 3,000 employment contracts, amendments and supplier commitments. The human resources management department and procurement management have jointly deployed a qualified signature solution, with certificates issued to authorized managers. In parallel, documents to be signed by agents are processed through an advanced signature workflow, reserving qualified signature for management acts of high legal value. Result: the average timeline for finalizing an employment contract has gone from 12 days to 2.5 days, and the rate of incomplete files (missing signature, wrong signed version) has decreased by 78%. The electronic signature solutions in healthcare from Certyneo integrate the specific regulatory requirements of the hospital sector.

Conclusion

Obtaining a qualified electronic certificate is today a mandatory step for any business wishing to legally secure its digital acts, meet public procurement requirements and comply with the eIDAS regulatory framework. Far from being a constraint, it is a competitive lever: reduced signature timelines, an unassailable chain of evidence and cross-border recognition throughout the European Union.

Key steps to remember: choose a QTSP registered on ANSSI's trust list, prepare a rigorous enrollment file, opt for a cloud format (RQES) to facilitate deployment, and integrate the certificate into a platform compliant with ETSI standards.

Certyneo supports you at every step: from selecting the right signature level to integration into your business processes. Request a free demonstration and discover how to deploy qualified signature in less than 48 hours in your organization.
