The 7 security layers of an eIDAS-compliant electronic signature
Understand what happens under the hood when you sign a document: 7 cryptographic layers stacked together, each with its reference standard (ETSI EN 319, RFC 3161, AFNOR NF Z42-013, Common Criteria EAL4+). Miss one and the signature isn't enforceable.
The 7 layers of the security stack
Each layer brings a specific guarantee. For a signature to be eIDAS-compliant and enforceable, all 7 must be present and correctly implemented. Certyneo is certified at each.
Signer identification
Certyneo certifiedBefore any signature, the signer is identified via SMS code, ID scan, or qualified certificate (QES). This is the layer that answers "who signed?".
📜 eIDAS Annexe II §1.b
Without reliable identification, a signature has no probative value (Civil Code 1367).
Transport security
Certyneo certifiedTLS 1.3 on all client ↔ server communications. No downgrade to TLS 1.0/1.1 allowed. EV certificates with quarterly rotation.
📜 TLS 1.3 (RFC 8446)
Prevents interception of the document between sender and signer (MITM attack).
Cryptographic signature (PAdES)
Certyneo certifiedSignature embedded in PAdES format (PDF Advanced Electronic Signature) per ETSI EN 319 142. Signature bound to the document, not an external wrapper.
📜 ETSI EN 319 142 (PAdES)
Guarantees that the signature cannot be detached and reattached to another document.
Qualified timestamping
Certyneo certifiedRFC 3161 timestamp issued by a qualified TSA listed on the EU LOTL. Millisecond precision.
📜 RFC 3161 + ETSI EN 319 421
Proves the signature exists at a precise moment, not reconstructed after the fact.
HSM (Hardware Security Module)
Certyneo certifiedPrivate signing keys are stored in an HSM certified Common Criteria EAL4+ and FIPS 140-2 level 3. Keys never leave the HSM in cleartext.
📜 Critères Communs EAL4+ / FIPS 140-2
Prevents key theft even if the application server is compromised.
eIDAS audit trail
Certyneo certifiedImmutable log of every signature-cycle event (creation, send, sign, seal) with IP, timestamp, identity. ETSI EN 319 102-1 compliant.
📜 ETSI EN 319 102-1
Provides the full probative evidence a court requires in a dispute.
Probative archival
Certyneo certifiedStorage of the signed document + audit trail + certificate for a minimum 10 years in an AFNOR NF Z42-013 compliant system. Periodic re-timestamping to counter cryptographic obsolescence.
📜 AFNOR NF Z42-013
Preserves probative value throughout the civil prescription period.
The 4 main threats and their mitigation
A solid signature architecture is designed to resist 4 classic attacks. Here's which, and which layer neutralises them.
Impersonation — "someone else signed in my name"
SMS / ID-scan authentication + IP & geolocation logs. For high-stakes deeds, a QES certificate issued by a qualified TSP.
Layer 1 (Identification)
Tampering — "the signed content was modified"
SHA-256 hash of the document signed with the HSM key. Any later modification invalidates the hash and the signature.
Layers 3 & 5 (Signature + HSM)
Man-in-the-middle — "a third party intercepted"
Mandatory TLS 1.3 with EV certificates + HSTS preload on all domains.
Layer 2 (Transport)
Repudiation — "I never signed / not on that date"
Immutable audit trail + RFC 3161 qualified timestamp + AFNOR probative archive. The burden of proof shifts to the signer.
Layers 4, 6 & 7 (Timestamp + Audit + Archive)
Methodology
The 7 layers described match Certyneo's security architecture, compliant with the 2014 eIDAS regulation (EU 910/2014), the ETSI EN 319 standards (Signature and Seals series), ANSSI's Référentiel Général de Sécurité (RGS**), and AFNOR NF Z42-013 for probative archival. Each layer is audited annually by an independent third party.
Go further
A cryptographically sealed electronic signature
The 7 layers above are implemented by default on every Certyneo plan, including the free one.