Qualified digital signature for procedures with the European Union

A few days ago, the legal officer of a multinational company called us, worried because they were in the middle of a very important procedure with the European Union, and part of the documentation they had submitted was returned because it had not been electronically signed with the highest level, the qualified signature.

This legal officer did not understand what could be wrong, as they were using a qualified software certificate that they already had in the company, and therefore thought they were already obtaining that level of signature.

We understood and solved the problem without difficulty, and we want to share the case to help other companies that may be in a similar situation.

What is the qualified signature?

Within the eIDAS Regulation, which is the European legislation governing electronic signatures and trust services, a qualified electronic signature is one that:

• Must be made with a qualified digital certificate, which is issued by an officially recognized trusted entity (Qualified Trust Service Provider).
• The electronic signature must be made using a qualified device for creating electronic signatures. This type of device guarantees that the signing process is secure and that the private key used to sign is adequately protected.

This second part is very important, as it excludes many of the signatures we regularly make with certificates and might believe are qualified. Even if the certificate used is qualified, it does not necessarily imply that the signature made with it is qualified.

In practical terms, if the certificate you usually use is installed in your browser or PC and can be exported to another computer, then the signatures made with it will be advanced, not qualified.

Another way to know the real level of a signature on a document is by using the European validator available for that purpose.

What are the uses of the qualified signature?

The qualified signature has the highest level of probative value. If a signing party repudiates a qualified signature, the burden of proof lies with them. Therefore, this signature is the most legally robust and is used in processes that handle more valuable and relevant documentation (from audit reports to cross-border documents, including significant commercial agreements).

In addition, administrations themselves require the use of a qualified signature for certain specific procedures.

In fact, this is the case we mentioned at the beginning of the article. Our client was using a software certificate to sign the documents, believing it was a qualified signature, but the administration did not accept that signature, claiming that it was not genuinely qualified.

To solve this problem, we issued a certificate (thanks to Docuten being a Qualified Trust Service Provider) that allowed them to sign properly. The difference between our certificate and a software one is that the software one can be downloaded and shared, whereas ours never leaves the cloud in which it was created, and can only be used by securely connecting to that cloud. This allows fully legal, secure, and easy-to-use qualified signatures to be made.

To see the differences in the signature between using the two types of certificates, the software one and the one we issue, simply upload the same document signed in both ways to the European validator and see the results:

Image 1: Result of the European Signature Validator with a document signed with a software certificate.

This is the result obtained when signing a test document with a software certificate issued by FNMT. As can be seen in the “Qualification” field, this signature is classified as AdESig-QC, which stands for “Advanced Electronic Signature supported by a Qualified Certificate.” This means that we have made a signature with a qualified certificate that turned out to be an advanced (not qualified) signature.

Image 2: Result of the European Signature Validator with a document signed with a Docuten certificate.

In contrast, in this second image, we see the result of using a certificate issued by Docuten. In this case, the “Qualification” field shows QESig, which stands for “Qualified Electronic Signature,” meaning that this time we have indeed signed the document with the highest level, a qualified signature.

This is how we helped that multinational company deliver its documents to the European Union with a qualified signature. If you are in a similar situation, we invite you to contact us to solve it.