Qualified Electronic Signature (QES)

Short definition

A Qualified Electronic Signature (QES) is the highest of the three assurance levels for electronic signatures under the eIDAS regulation (EU 910/2014). It is legally equivalent to a handwritten signature and recognised across the EU — without any need for further verification by the recipient or a court.

A signature qualifies as a QES only when all three conditions are met:

1. It is an Advanced Electronic Signature (AES) per Art. 26 eIDAS
2. It is created using a Qualified Signature Creation Device (QSCD)
3. It is based on a qualified certificate issued by a listed Trust Service Provider

The three eIDAS signature levels

Level	Short name	Requirements	Legal effect
Simple signature	SES	no technical requirements	low evidentiary weight; courts assess freely
Advanced signature	AES	uniquely linked to the signer, tampering detectable	stronger evidentiary weight
Qualified signature	QES	AES + QSCD + qualified certificate	equivalent to handwritten signature

A QES is more effortful to produce — but worthwhile wherever written form is required: certain employment contracts, specific administrative filings, audit-safe archives.

Qualified certificate

A qualified certificate comes exclusively from a Qualified Trust Service Provider (QTSP) listed in the EU Trusted List (EU-TL). Each member state maintains its own EU-TL; German QTSPs are listed by the Bundesnetzagentur.

Examples of German QTSPs:

• D-Trust GmbH
• Bundesdruckerei
• DGN Service GmbH
• TeleSec Trust Center (T-Systems)

The certificate itself identifies the signer (a natural person, optionally with organisational context) and is typically valid for 1–3 years.

QSCD — Qualified Signature Creation Device

The Qualified Signature Creation Device is the secure hardware that holds the private key and produces the signature. Permitted forms:

• Smart cards with an HSM chip (e.g. D-Trust Card, Bundesdruckerei)
• HSMs (Hardware Security Modules) in data centres
• Cloud HSMs at trust service providers (for remote signing under Art. 29a eIDAS)

A pure software solution — a key sitting in a .p12 file — does not meet the QSCD requirement. Such signatures are “only” advanced (AES), even with a qualified certificate.

Remote signing — QES from the cloud

Since the 2024 update to eIDAS, remote signatures (Remote Qualified Electronic Signatures, rQES) are a fully equivalent alternative. The private key lives in a cloud HSM at the QTSP, release is authorised by the signer via 2FA. The usage model resembles classic OAuth flows; the legal effect is identical to a local QES with a smart card.

QES and PAdES

Technically a QES on a PDF is typically embedded as PAdES-B-LT or PAdES-B-LTA — the format does not encode the qualification level; it packages the PKCS#7 signature and its certificate chain. The qualification follows from:

• the certificate (listed as qualified in the EU-TL?)
• the creation path (was a QSCD used?)

Validators such as EU DSS or the Dokmatiq verification API check both and explicitly report the qualification status in their verification result.

Checking for QES with the Dokmatiq API

curl -X POST https://api.dokmatiq.com/v1/pdf/sign/verify \
  -H "Authorization: Bearer $DOKMATIQ_KEY" \
  --data-binary "@signed.pdf"

The response includes:

{
  "valid": true,
  "profile": "PAdES-B-LTA",
  "signatureLevel": "QES",
  "trustAnchor": "EU-Trusted-List:DE:D-Trust GmbH",
  "signingTime": "2026-04-18T10:22:31Z",
  "qualifiedCertificate": true,
  "qualifiedSSCD": true
}

Common misconceptions

1. “We signed with a qualified certificate, so it’s a QES” — no, without a QSCD it stays AES
2. “QES is only relevant for government” — no, wherever §§ 126, 127 BGB require written form, a QES is the electronic equivalent (§ 126a BGB)
3. “Cloud signatures are weaker” — not if issued as rQES under eIDAS
4. “Timestamping is optional” — for long-term validity of a QES, a qualified timestamp is effectively mandatory; otherwise the signature loses verifiability when the certificate expires