Go to main content
Certyneo

Electronic signature cloud or on-premise: which choice in 2026?

Cloud SaaS or on-premise deployment: your choice of electronic signature solution hosting determines security, costs and eIDAS compliance. Discover our expert analysis.

Équipe éditoriale Certyneo12 min read

Équipe éditoriale Certyneo

Writer — Certyneo · About Certyneo

a computer generated image of a computer

Introduction

Choosing between a cloud electronic signature and on-premise hosting is one of the most structuring strategic decisions for an IT department or legal team in 2026. While SaaS has largely seduced SMEs with its simplicity of deployment, large companies and organizations subject to sector-specific regulatory constraints are still questioning the relevance of internalized hosting. This in-depth comparison analyzes the two models according to five key axes: data sovereignty, technical security, eIDAS compliance, total cost of ownership and business agility. By the end of this article, you will have an operational decision-making framework to choose the architecture suited to your context.

Understanding the two hosting models

Cloud electronic signature (SaaS)

In a cloud model, the publisher operates the entire infrastructure: servers, updates, availability, backup and data security. The client company accesses the solution via an API or web interface, without any local installation. European market players — including Certyneo — generally rely on ISO 27001 certified datacenters located in the European Union (France, Germany, Netherlands), guaranteeing GDPR compliance without additional effort on the client side.

The advantages are well known: deployment within hours, immediate scalability, automatic updates incorporating regulatory developments (eIDAS 2.0, DSP3, NIS2), and usage-based economics (OPEX). According to the Markess by Exaegis 2025 report, 78% of French companies with fewer than 500 employees now favor SaaS for their dematerialization tools.

On-premise deployment

On-premise consists of installing the electronic signature platform directly on the company's own servers or in a private datacenter that it controls. This model offers total control over data, workflows and security policies. It is historically adopted by banks, insurers, hospitals or public administrations processing sensitive data subject to specific frameworks (HDS, SecNumCloud, PGSSI-S).

The counterpart is a significant operational burden: the IT team must manage updates, qualified signature certificates, HSMs (Hardware Security Modules), high availability and regulatory monitoring. The initial cost (CAPEX) is high, with licenses potentially exceeding €80,000 for an enterprise installation, plus annual infrastructure costs.

Data sovereignty and regulatory compliance

GDPR and data localization

The eIDAS regulation and its implications for your qualified signatures require that trusted service providers (TSPs) be audited and listed in national trusted lists. Whether you opt for cloud or on-premise, your solution must imperatively rely on a qualified TSP. The real GDPR question concerns transfers outside the EU: a cloud hosted by an American hyperscaler (AWS, Azure, GCP) without valid standard contractual clauses (SCCs) exposes the company to sanctions potentially reaching 4% of global revenue.

European cloud solutions like Certyneo meet this requirement natively, with servers exclusively located in France and a DPA (Data Processing Agreement) compliant with Article 28 of GDPR provided upon subscription.

SecNumCloud and regulated sectors

For operators of vital importance (OVI) and organizations subject to the DINUM cloud doctrine, ANSSI SecNumCloud qualification is progressively becoming mandatory. In 2026, only a few French cloud players have obtained this qualification (OVHcloud, Outscale). Affected organizations must therefore either choose a SecNumCloud qualified cloud or maintain an on-premise compliant with the ANSSI RGS v2 framework.

Note that NIS2, transposed into French law by the law of January 26, 2025, extends cybersecurity obligations to more than 15,000 essential and important entities, creating new normative pressure on architecture choice.

Total cost of ownership: comparative analysis

TCO (Total Cost of Ownership) analysis over 5 years systematically reveals a cloud advantage for volumes below 50,000 signatures/year. Beyond that, on-premise can become competitive if infrastructure already exists. Certyneo's ROI calculator allows you to estimate this break-even point precisely according to your volume and sector.

A typical on-premise deployment for a company of 1,000 employees represents:

  • Initial license: €60,000 to €120,000
  • HSM infrastructure and dedicated servers: €30,000 to €50,000
  • Annual maintenance (20% of license): €12,000 to €24,000/year
  • Internal IT resources: 0.5 to 1 FTE dedicated

Against this, a cloud SaaS of equivalent capacity generally costs €18,000 to €40,000/year all-inclusive, with zero CAPEX.

Technical security: advantages and limitations of each model

Security in cloud environment

Contrary to a persistent preconception, the cloud of a specialized publisher often offers a higher level of security than a typical enterprise on-premise infrastructure. The reasons are structural: publishers invest heavily in dedicated teams (24/7 SOC, quarterly pen-tests, ISO 27001 and SOC 2 Type II certifications), which is beyond the reach of most internal IT departments.

Best practices include AES-256 encryption at rest and TLS 1.3 in transit, mandatory multi-factor authentication, immutable logging of signature events, and geo-redundant backups. The legal value of electronic signature rests precisely on this inalterability of records.

Risks specific to on-premise

On-premise generates specific risks often underestimated:

  • Version drift: without a dedicated team, cryptographic updates (certificate revocation, migration to SHA-3) are delayed, exposing the company to technically invalid signatures.
  • HSM management: a poorly configured Hardware Security Module or whose firmware is not updated invalidates non-repudiation guarantees.
  • Business continuity plan: availability (SLA) of an internal on-premise rarely exceeds 99.5%, versus 99.95% for a structured cloud SaaS.

For organizations wishing to combine sovereignty and operational delegation, the private cloud model (dedicated Private Cloud in a third-party certified HDS or SecNumCloud datacenter) constitutes a relevant middle ground.

Integration, agility and scalability

API and interoperability

Both models now expose documented REST APIs. Nevertheless, the speed of update is structurally different: a cloud publisher deploys new features (biometric signature, AI fraud detection, eIDAS 2.0 Wallet support) within weeks, while on-premise involves an internal qualification cycle of 3 to 6 months per major version.

To integrate electronic signature into an ERP (SAP, Oracle), an HRIS or a document management system (OpenText, Alfresco), the cloud offers pre-built connectors maintained by the publisher. The complete comparison of electronic signature solutions details the integration capabilities of the main market players.

Scalability and volume

In cloud, scalability is nearly instant: a campaign of 10,000 simultaneous signatures (shareholder meeting, mass HR deployment) is absorbed without prior configuration. On-premise, infrastructure oversizing must anticipate peaks, generating immobilization costs.

Organizations in rapid growth or practicing seasonal cycles (real estate, insurance) particularly benefit from cloud elasticity. Electronic signature in real estate, for example, experiences volume peaks linked to market cycles that would render permanently oversized on-premise.

Decision criteria: which model for which profile?

Companies and SMEs without specific sector constraints

For an SME of 10 to 500 employees without specific sector regulatory obligation, cloud SaaS is the obvious choice: rapid deployment, controlled cost, eIDAS and GDPR compliance guaranteed by the publisher. Integration into existing HR tools is facilitated by native connectors — as illustrated by the use of electronic signature for HR teams covering payslips, contracts and severance without dedicated infrastructure.

Large companies and regulated sectors

Companies processing health data (mandatory HDS), critical financial data or classified information must seriously evaluate on-premise or qualified private cloud. The question is not technical but regulatory: does the applicable framework allow room for a public cloud?

A hybrid architecture — cloud for routine signatures, on-premise for the most sensitive qualified acts — has been adopted by several large French groups since 2024. This model requires rigorous orchestration and solid API gateways.

Public organizations and administrations

Since the DINUM circular 2023-1, state administrations are encouraged to favor SecNumCloud qualified cloud offerings. On-premise remains authorized for sensitive information systems (SIS) but must comply with RGS v2 and PGSSI-S for health data. The electronic signature for law firms illustrates how entities with high traceability requirements find their balance between these two models.

The choice between cloud and on-premise is not neutral in legal terms. Several regulatory frameworks directly govern the technical architecture of your signature solutions.

Civil Code, articles 1366 and 1367: These provisions define electronic signature as a reliable process of identification guaranteeing its link with the act to which it attaches. The reliability of the process is presumed unless proven otherwise when a qualified electronic signature is used. This presumption applies regardless of hosting mode, provided that the trusted service provider (TSP) is qualified.

eIDAS Regulation No. 910/2014 and eIDAS 2.0 (EU Regulation 2024/1183): The eIDAS regulation distinguishes three signature levels (simple, advanced, qualified). Qualified signature mandatorily requires the involvement of a TSP registered on the national trusted list (ANSSI trust list for France). Whether your solution is cloud or on-premise, it must interface with a qualified TSP to issue qualified signatures. eIDAS 2.0, applicable since May 2024, introduces the European digital identity wallet (EUDIW) and strengthens requirements on qualified certificate management.

GDPR Regulation No. 2016/679: Article 28 imposes the conclusion of a DPA (data processing agreement) with any cloud provider handling personal data on your behalf. Article 44 prohibits data transfers outside the EU without adequate safeguards (standard contractual clauses or binding corporate rules). In internal on-premise, this obligation disappears but the company becomes a controller in full and must document its technical and organizational measures (TOM) in accordance with article 32.

NIS2 Directive (EU Directive 2022/2555), transposed into French law by the law of January 26, 2025: Essential and important entities (energy, health, finance, water, digital, transport, administration sectors) must implement proportionate cybersecurity measures, including management of risks related to digital supply chain. An electronic signature cloud provider constitutes a critical third-party supplier under NIS2: mandatory due diligence, specific contractual clauses and audit rights.

ETSI Standards EN 319 132 and ETSI EN 319 122: These standards define the formats for advanced electronic signature (XAdES, PAdES, CAdES) accepted in European public procurement and B2B exchanges. Compliance with these formats must be verified regardless of the architecture retained.

General Security Reference (RGS v2) and HDS: For administrations and health data hosters, ANSSI's RGS v2 and HDS certification (Health Data Hoster, order of June 11, 2018) are respectively mandatory. A non-HDS certified cloud is legally disqualified from hosting health personal data, even temporarily during consent signature.

Anticipated legal risks: A signature issued from a non-compliant system can be contested in court, notably if the integrity of the document or the identity of the signatory cannot be proven incontestably. The burden of proof lies with the one invoking the signature. A prior compliance audit, cloud or on-premise, is strongly recommended.

Usage scenarios: cloud or on-premise depending on business context

Scenario 1 — A mid-sized industrial group managing 15,000 contracts annually

A mid-sized industrial company (approximately 1,200 employees, 3 production sites in France) must dematerialize all its supplier, customer and sub-contractor contracts. It averages 15,000 signatures per year, with peaks in January (renewal of framework contracts) and September (purchasing campaigns). Its industrial data is sensitive but not classified.

After TCO analysis over 5 years, the finance department concludes that a European cloud SaaS certified ISO 27001 is 40% less expensive than an equivalent on-premise deployment (publisher's economy of scale vs. 0.7 FTE dedicated IT internally). IT selects a cloud solution hosted in France with 99.95% SLA and documented REST API, integrated directly into its ERP. Seasonal peaks are absorbed without additional cost. Result observed after 12 months: 65% reduction in average supplier contract signing time (from 8.3 days to 2.9 days), and estimated annual savings of €120,000 on paper handling and follow-up costs.

Scenario 2 — A hospital group of 1,200 beds subject to HDS certification

A public hospital group wishes to dematerialize patient consents, freelance practitioner contracts and public contracts. Data processed includes health information of a personal nature, subject to HDS certification (Health Data Hoster) and PGSSI-S.

Pure on-premise is ruled out due to the complexity of HSM maintenance and absence of internal cryptographic expertise. The group opts for a private cloud hosted by an HDS certified and SecNumCloud qualified provider. The signature solution is deployed in this dedicated cloud, with strict network segregation and audit logs exported to the internal SIEM. Cost is 25% higher than a standard mutualized cloud, but 35% lower than a complete on-premise. Operational benefit: the 800 monthly consents are processed within 24 hours versus 5 days in paper format, with full traceability compliant with HAS requirements.

Scenario 3 — A law firm of 25 associates integrating signature into daily workflow

A Parisian law firm specializing in corporate law daily handles transfer deeds, settlement protocols and mandates requiring advanced or qualified electronic signature. Client data confidentiality is a top priority, but the firm has no dedicated IT infrastructure.

On-premise is immediately excluded for resource reasons. The firm chooses a European cloud SaaS with end-to-end encryption, encryption keys controlled by the client (BYOK — Bring Your Own Key), and contractual guarantee of non-access to data by the publisher. This "zero knowledge" architecture satisfies both the Bar's ethical requirements and GDPR obligations. Integration with case management software (via API) reduces the time to prepare a signable deed from 45 minutes to 8 minutes on average, a productivity gain of 82% on this task.

Conclusion

Cloud or on-premise: there is no universal answer, but a structured decision-making framework. For the vast majority of French companies — SMEs, mid-market companies without critical sector constraints — European cloud SaaS compliant with eIDAS and GDPR offers the best balance between security, compliance and total cost of ownership. On-premise or qualified private cloud remains relevant for regulated sectors (health, defense, OVI) where binding frameworks (HDS, SecNumCloud, RGS v2) impose total control of infrastructure.

In 2026, the real question is no longer "cloud or on-premise" but "what level of sovereignty for which data, with which qualified TSP?" Certyneo meets these requirements with a cloud architecture hosted exclusively in France, ISO 27001 certified, eIDAS 2.0 and GDPR compliant. Discover our offerings and pricing on Certyneo or contact our team for a free audit of your electronic signature needs.

Try Certyneo for free

Send your first signature envelope in under 5 minutes. 5 free envelopes per month, no credit card required.

Go deeper on the topic

Our comprehensive guides to master electronic signatures.

Certyneo Community

A question about electronic signatures?

Join the Certyneo community: ask your questions, share your answers and connect with thousands of users and our team.