Certyneo
EU regulation 910/2014 — art. 26

The lifecycle of an eIDAS electronic signature

An eIDAS-compliant electronic signature follows 8 technical steps precisely defined by articles 24 to 42 of EU regulation 910/2014 and article 1366 of the French Civil Code. Each step is designed to guarantee a distinct element of legal reliability: identity, consent, integrity, temporal enforceability, probative archiving.

This page documents each step with its exact regulatory citation. It is designed as a stable reference for legaltech journalists, B2B buyers and lawyers — each cited article is verifiable on EUR-Lex or Légifrance via the provided links. Durations correspond to a standard advanced signature (AES) workflow; qualified signature (QES) adds an average of 30 seconds for in-depth identity verification.

The 8 technical steps

From document upload to 10-year probative archive, each step cites the exact article that governs it.

    1. Document upload

    The document (PDF, image, contract) is uploaded by the sender and associated with one or more signer email addresses. The eIDAS regulation defines an electronic signature as 'data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign' (art. 3 §10). No format constraint is imposed at this step: only the document–signer link traceability matters legally.

    Regulatory citation: Regulation (EU) No 910/2014 (eIDAS) — art. 3 §10

    Definition of electronic signature

    2. Signer identity verification

    To reach AES (advanced signature) level, the regulation requires 'unique identification of the signatory' (art. 26 a). Concretely: SMS OTP on a verified phone, ID document control via video capture, or strong identification via an EU-notified identity provider (FranceConnect+, itsme, BankID). For QES, identification must be performed by a QTSP (Qualified Trust Service Provider) listed in the national TSL.

    Regulatory citation: Regulation (EU) No 910/2014 (eIDAS) — art. 24

    Signer identity verification (AES/QES)

    3. Informed consent capture

    The signer must have read the content and expressed their willingness to sign. Art. 1366 of the French Civil Code requires that 'the person from whom [the electronic writing] emanates may be duly identified' and that the signature be 'affixed under conditions that guarantee its integrity'. Concretely: display of the document to be signed, a consent checkbox, and a handwritten statement where certain sectors require one (insurance: art. L132-5-1 of the Insurance Code).

    Regulatory citation: French Civil Code — art. 1366

    Probative value of electronic writing (informed consent)

    4. Strong cryptographic authentication

    Art. 26 of the eIDAS regulation requires for AES that the signature be 'uniquely linked to the signatory' (art. 26 b) AND 'created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control' (art. 26 c). Technically: generation of a unique X.509 certificate per signer, linked to their verified SMS OTP. For QES, this certificate must be qualified (QSCD).

    Regulatory citation: Regulation (EU) No 910/2014 (eIDAS) — art. 26 (b) & (c)

    Unique signature–signer link + alteration detection

    5. Signature application to the document

    The electronic signature is cryptographically linked to the document content via SHA-256 hashing. Art. 1367 of the French Civil Code establishes the presumption of reliability: a 'reliable' electronic signature procedure is presumed legally valid until proven otherwise — this reversal of the burden of proof is what makes the eIDAS signature so powerful. In the PAdES (PDF Advanced Electronic Signatures) format, the signature is embedded in the PDF itself.

    Regulatory citation: French Civil Code — art. 1367

    Presumption of reliability of the electronic signature process

    6. Qualified electronic timestamping

    A cryptographic timestamp is applied via a qualified service (QTSP timestamping authority). The eIDAS regulation defines qualified timestamping in arts. 41 and 42: it establishes legally enforceable proof of the exact date and time of signature, with millisecond precision. Without qualified timestamping, the date can be contested — with it, it benefits from the presumption of accuracy (art. 41 §2).

    Regulatory citation: Regulation (EU) No 910/2014 (eIDAS) — art. 41 & 42

    Qualified electronic timestamping (proof of date)

    7. Cryptographic sealing and tamper detection

    A qualified electronic seal (arts. 35–40 of the eIDAS regulation) is affixed to the signed document to guarantee its integrity. Any subsequent modification of the content — even of a single byte — automatically invalidates the seal, and therefore the signature. This cryptographic property ('tamper evidence') is what makes the eIDAS signature superior to a handwritten signature: on paper, a discreet alteration is very difficult to detect; in eIDAS, it is mechanically impossible to conceal.

    Regulatory citation: Regulation (EU) No 910/2014 (eIDAS) — art. 35–40

    Qualified electronic seal + cryptographic integrity

    8. Probative archiving

    The signed document + its eIDAS audit trail (identity, timestamp, certificates, seal) are archived per the AFNOR NF Z42-013 standard ('probative electronic archiving'). The minimum duration is 10 years, aligned with art. L123-22 of the French Commercial Code for accounting documents and art. 2224 of the Civil Code for common-law prescription. An NF Z42-020-compliant electronic safe (electronic archiving services) is required.

    Regulatory citation: AFNOR standard NF Z42-013

    Probative-value electronic archiving (10 years minimum)
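
Steps 5 and 7 in code, as an added example that is not Certyneo's implementation: in a PAdES file the SHA-256 digest is computed over the bytes listed in the signature's /ByteRange entry, so a verifier recomputes that digest and also confirms the range covers the whole file. The sample bytes, `build_sample` and `check_coverage` are constructed for illustration; a single signature is assumed and the CMS signature check itself is out of scope.

```python
import hashlib
import re

BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def build_sample(body: bytes) -> bytes:
    """Constructed stand-in for a signed PDF: only the byte layout is realistic."""
    prefix = b"%PDF-1.7\n" + body + b"\n/ByteRange [0 "
    suffix = b"]\n/Contents "
    sig = b"<" + b"00" * 32 + b">"           # placeholder for the CMS signature
    tail = b"\nendobj\n%%EOF\n"
    len1 = len(prefix) + 32 + len(suffix)     # 32 = three 10-digit fields + 2 spaces
    fields = b"%010d %010d %010d" % (len1, len1 + len(sig), len(tail))
    return prefix + fields + suffix + sig + tail

def check_coverage(pdf: bytes):
    """Return (SHA-256 hex of the signed bytes, list of coverage problems)."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        raise ValueError("no /ByteRange entry: no embedded signature found")
    off1, len1, off2, len2 = (int(g) for g in m.groups())
    problems = []
    if off1 != 0:
        problems.append("signed range does not start at byte 0")
    gap = pdf[off1 + len1:off2]               # must hold only the signature value
    if not (gap.startswith(b"<") and gap.endswith(b">")):
        problems.append("excluded gap is not exactly the /Contents value")
    if off2 + len2 != len(pdf):
        problems.append(f"{len(pdf) - (off2 + len2)} trailing bytes not covered")
    signed = pdf[off1:off1 + len1] + pdf[off2:off2 + len2]
    return hashlib.sha256(signed).hexdigest(), problems

if __name__ == "__main__":
    original = build_sample(b"Contract: pay 100 EUR")
    edited = original.replace(b"100 EUR", b"900 EUR")    # change inside signed range
    extended = original + b"\n% appended\n"              # bytes after signed range
    for name, data in (("original", original), ("edited", edited), ("extended", extended)):
        digest, problems = check_coverage(data)
        print(f"{name:9} {digest[:16]}  {problems or 'fully covered'}")
```

The edited copy yields a different digest, so it no longer matches the value the signature attests. The extended copy keeps the original digest, which is why the coverage check is needed alongside the hash comparison.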

Why these 8 steps are inseparable

Each step addresses a distinct legal risk. Without identity verification, the signer can deny authorship (step 2). Without informed consent, the signature can be challenged for vitiated consent (art. 1130 of the French Civil Code, step 3). Without strong cryptographic authentication, the uniqueness of the signature–signer link is contestable (step 4). Without qualified timestamping, the date can be disputed (step 6). Without sealing, document integrity can be attacked post-hoc (step 7). Without probative archiving, evidence disappears (step 8). The strength of eIDAS comes precisely from the chaining of these 8 guarantees: none is optional in a correctly implemented AES workflow.
