The qualified electronic signature: insights into processes, security and application

Imagine this: You only have a few hours left to conclude an important contract, but the law requires it to be in writing. The contractual partner is hundreds of kilometers away and the usual postal service is not an option. In an increasingly digitalized world, in which contracts are increasingly concluded online, the qualified electronic signature (QES) is the solution for legally compliant and fast action. It makes it possible to sign contracts in a legally valid manner and without being physically present - an indispensable tool for companies and private individuals in the digital age.

But what exactly is a qualified electronic signature?

The qualified electronic signature (QES) is a signature option that allows contracts and documents to be signed digitally and in a legally secure manner. Among the various types of electronic signatures, the QES is the most secure and legally binding variant. It comes closest to a handwritten signature and meets the strictest legal requirements. The QES ensures that the signature is clearly assigned to a specific person and protects against subsequent changes to the document. This means that it is legally equivalent to a handwritten signature and is used for contracts with high liability or legally required written form. Its security standards offer maximum probative value in the event of legal disputes.

In comparison, the simple electronic signature (EES) does not offer secure identification of the signatory and is therefore more commonly used for documents without special formal requirements. Although the advanced electronic signature (FES) offers a certain level of security through two-factor authentication, it does not meet the strict legal requirements of the QES. While the EES and FES can be sufficient in certain situations, the QES is particularly needed when maximum legal certainty and probative value are required - for example, for contracts that require the written form. 

The exact requirements that the various signature types must meet are regulated in Europe by the eIDAS Regulation.

What does the eIDAS Regulation mean for the QES?

The eIDAS Regulation (electronic Identification, Authentication and Trust Services) regulates the legal framework for electronic signatures and trust services within the European Union. It sets out clear criteria as to when an electronic signature is considered a qualified electronic signature (QES). 

According to the eIDAS Regulation, a QES must fulfill several strict requirements:

  1. Unique assignment: The signature must be clearly assigned to a person.

  2. Unquestionable identification: The identity of the signatory must be proven beyond doubt.

  3. Use of a qualified signature creation device: The signature must be created with a special signature creation device that guarantees a high level of security.

  4. Immutability: Subsequent changes to the signed document must be recognizable.

  5. Qualified certificate: The signature must be based on a qualified certificate issued by a qualified trust service provider (QTSP).

The eIDAS Regulation aims to strengthen trust in electronic transactions and create a common basis for secure digital interaction in the EU. A central component of the QES is the qualified certificate, which is issued by a recognized trust service provider (QTSP). These providers are accredited by the state and ensure that the identity of the signatories is verified and the security of the signatures is guaranteed.

 

How does a Qualified Electronic Signature (QES) work?

The qualified electronic signature (QES) process follows clear steps that guarantee both security and integrity:

  1. Identity verification and certificate issuance
    First, the signatory must prove their identity to a qualified trust service provider (QTSP), for example by presenting an ID document. After successful verification, the QTSP issues a qualified certificate containing the signatory's public key.

  2. Creating the key pair
    A secure signature creation device (SSCD) such as a signature card is used to generate a key pair: a private and a public key. The private key remains securely in the SSCD and is not disclosed.

  3. Signature creation and hash value
    When signing a document, a unique hash value (a kind of digital fingerprint of the document) is first created. This hash value is then encrypted using the private key and forms the qualified electronic signature. This signature is sent together with the document.

Signature verification

The recipient decrypts the hash value using the public key contained in the qualified certificate. The recipient then creates a new hash value from the received document and compares it with the decrypted hash value. If both values match, the document is unchanged and the signature is authentic.

Cloud solution vs. signature card

  1. Cloud solution: The certificate is stored in the secure IT environment of the trust service provider. The signatory authenticates himself using a combination of user name, password and two-factor authentication (e.g. SMS-TAN). This solution is flexible and enables signing from any location. It is therefore often used as a remote signature.

  2. Signature card: The certificate and the private key are stored on a physical signature card. This requires a card reader and special software to create the signature. The physical card offers additional security, as the private key remains exclusively on the card.

If the card is lost or stolen, the cardholder can have it blocked immediately to prevent unauthorized persons from acting in a legally binding manner on behalf of the cardholder. Blocking is crucial, as every electronic signature generated with the card is legally assigned to the holder. Certification service providers are legally obliged to revoke the certificate immediately if this is requested by the cardholder or an authorized representative. The revocation of the qualified signature card is therefore an important security mechanism to prevent misuse.

Both options are secure, with the cloud solution offering flexibility above all and the signature card scoring points for physical security.

What is a hash function and how does it help with the security and integrity of digital signatures?

The hash value plays a central role in the security of the qualified electronic signature (QES), as it indicates whether a document has been subsequently changed. Without this function, the integrity of the signature would be seriously compromised.

A hash function is a mathematical algorithm that generates a unique numerical value from any data (e.g. a document) - the so-called hash value. This value serves as a digital fingerprint of the document. Even the smallest change to the document results in a completely different hash value. This is crucial for the security and integrity of digital signatures, as the hash value is used to verify that the document has remained unchanged after signing.

With the qualified electronic signature (QES), the hash value of the document is encrypted with the signatory's private key and thus forms the signature. The recipient can decrypt the hash value with the respective public key and compare it with the hash value of the received document. If both match, the signature is valid and the document is unchanged. This ensures the integrity and authenticity of the digital signature.

A hash function has several important properties:

  1. Uniqueness: It converts any input (e.g. files or texts) into a fixed, usually shorter value. Even the smallest changes to the document result in a completely different hash value.

  2. Deterministic: The same input always results in the same hash value. This ensures that consistency is maintained when checking the data.

  3. One-way function: It is impossible to deduce the original content from the hash value. This provides additional security, as the hash value cannot be decrypted.

  4. Collision protection: A good hash function prevents two different inputs from generating the same hash value. This ensures the integrity of the data and tampering can be reliably detected.

These properties make the hash function an indispensable component of digital signatures, as it verifies whether a document has remained unchanged after signing.

What is a qualified certificate and why is it so important for the QES?

A qualified certificate is a digital document that confirms the identity of the signatory and guarantees the security of the signature. It is issued by a qualified trust service provider (QTSP) who has previously verified the identity of the signatory. This certificate contains the public key of the person in question, which is used to verify the signature.

The qualified certificate is the central component of the QES, as it ensures that the signature is clearly assigned to a person and is legally binding. In order to obtain such a certificate, the signatory must identify themselves once to a QTSP, e.g. using the video identification procedure. Thanks to these strict verification processes, the QES is the most secure form of electronic signature that is recognized as legally binding in all EU countries.

What role does a qualified trust service provider play?

A qualified trust service provider (QTSP) is a provider that operates in accordance with the strict requirements of the eIDAS Regulation and provides trusted services such as qualified electronic signatures (QES). QTSPs play a central role in the security and binding nature of digital transactions by verifying the identity of the signatory and ensuring that signatures cannot be tampered with.

Main tasks of a QTSP:

  1. Issue of qualified certificates: Confirm the identity of the signatory and contain the public key.

  2. Security infrastructure: Implement secure signature creation devices (SSCD) and ensure the protection of signatures.

  3. Identity check: Carry out a thorough identity check, e.g. via Video-Ident.

  4. Trust services: Provide additional services such as qualified time stamps and electronic seals.

  5. Regular audits: Are reviewed by independent bodies to ensure that all safety standards are met.

With these functions, QTSPs guarantee the security, authenticity and legal validity of the QES.

When does the QES make sense?

The Qualified Electronic Signature (QES) meets strict requirements and is therefore not necessary for every contract. However, the QES can be recommended for the following types of contract:

In summary, the qualified electronic signature (QES) is the most secure form of digital signature, as it is subject to strict security and identity checks. It guarantees maximum integrity and legal validity, which makes it ideal for contracts with a legally required written form or a high liability risk. However, the creation of a QES is also more complex and time-consuming due to the required registration process and elaborate identity checks. It is therefore particularly useful for important contracts where maximum security and legal recognition are essential.

The QES at ContractHero

At ContractHero, we offer both the advanced electronic signature (FES) for contracts with less stringent regulations and the qualified electronic signature (QES) for particularly security-relevant documents. As an ISO 27001 and eIDAS-compliant company, we attach great importance to the security of your data. Contracts can be created directly with us, sent for signature and managed securely in ContractHero after signing - efficient, legally binding and easy to use.

Sebastian Wengryn
CEO

You may also be interested in...

Blog

Contract automation: How modern technologies are revolutionizing the process

Find out how you can automate your contract processes with contract management software.
Read the article
Blog

Recognizing and avoiding contractual risks: What to look out for?

Find out which contractual clauses you should pay particular attention to.
Read the article
Blog

Drawing up a contract: Challenges & solutions

Learn how to create contracts and how this process can be simplified.
Read the article
Get started with ContractHero now
See ContractHero live in action! Register here for the 30-minute demonstration:
Book a demo