Key takeaways on the compliance of an electronic seal
- The electronic seal ensures the origin and integrity of documents issued by a legal entity.
- Only the qualified level benefits from a legal presumption of conformity throughout the European Union.
- A certificate issued by a Qualified Trust Service Provider (QTSP) is required.
- Implementation may be manual or automated, including through a server-based electronic seal.
- Ongoing regulatory monitoring is required to maintain lasting compliance in light of developments under eIDAS v2.
What is an electronic seal ?
The European eIDAS Regulation (Article 3(25)) defines an electronic seal as a set of data in electronic form, which is attached to or logically associated with other electronic data, in order to ensure the origin and integrity of that data. In practical terms, it is the digital equivalent of the official stamp that an organisation applies to its paper documents.
The distinction from an electronic signature is fundamental:
- An electronic signature is created by a natural person and expresses that individual’s consent to the content of a document.
- An electronic seal, by contrast, is applied by a legal entity (the organisation itself) and confirms that the document genuinely originates from that entity and has not been altered.
This distinction has significant practical consequences. Whereas an electronic signature requires the intervention of an identified individual, an electronic seal may be applied in an automated manner across entire document flows: invoices generated by an ERP system, payslips issued by HR software, or certificates produced in bulk.
The eIDAS Regulation distinguishes three levels of electronic seal:
- the simple electronic seal,
- the advanced electronic seal,
- the qualified electronic seal.
Only the qualified electronic seal benefits from a presumption of integrity and accuracy as to the origin of the data. This presumption, set out in Article 35 of the Regulation, confers on the qualified seal an evidential effect recognised across all Member States.
What are the requirements for an eIDAS-compliant electronic seal?
For an electronic seal to be legally enforceable, it is not sufficient to affix a logo or a statement to a PDF. Article 36 of the eIDAS Regulation sets out specific requirements for the advanced level, which are further reinforced at the qualified level.
First, the seal must be uniquely linked to its creator, namely the legal entity that applies it. This link is established through an electronic certificate that reliably identifies the organisation: its registered name, registration number and Member State of establishment.
Data integrity constitutes the second requirement. The electronic seal must make it possible to detect any subsequent modification of the document.
From a technical perspective, this assurance relies on a cryptographic fingerprint (hash) calculated at the moment the seal is applied. If even a single character of the document is altered afterwards, the fingerprint will no longer match, and the tampering will be detectable.
The creator of the electronic seal must retain exclusive control over the seal creation data. These data, in particular the private cryptographic key, must not be shared or compromised.
To reach the qualified level, the seal must additionally rely on a qualified electronic seal certificate issued by a Qualified Trust Service Provider (QTSP) listed on an official register of the European Union.
How to create an eIDAS-compliant electronic seal: the steps
Implementing an electronic seal that complies with the eIDAS Regulation requires a structured, step-by-step approach.
Identify the documents concerned
Not all documents are intended to be sealed. It is advisable to target those that commit the company to third parties and for which proof of origin and integrity is important, for example:
- invoices,
- payslips,
- certificates,
- attestations,
- official reports,
- purchase orders or delivery notes.
This preliminary mapping makes it possible to size the project appropriately.
Selecting a qualified trust service provider
This is the decisive step. The provider (QTSP) must appear on the European Union Trusted List, which is accessible via the European Commission’s website. Each Member State also publishes its own national trusted list. In France, this supervisory role is carried out by ANSSI.
The choice of provider determines the legal validity of the electronic seal: a certificate issued by a non-qualified provider will not benefit from the presumption of integrity provided for under the eIDAS Regulation.
Obtain the identification certificate
The provider carries out a rigorous verification of the legal entity’s identity:
- verification of registration documents,
- verification of the authority of the legal representative or authorised signatory submitting the application.
This process may take several days, depending on the provider. Once the certificate has been issued, it is associated with a pair of cryptographic keys, the private key remaining under the exclusive control of the organisation.
Integrate the electronic seal into document workflows
Two implementation options are available:
- Manual application, which is suitable for low volumes: an authorised staff member applies the seal document by document via a web interface or dedicated software.
- Automated application, using a server-based electronic seal, which meets the needs of organisations processing large volumes. In this case, the seal is applied automatically by an application connected to the information system (ERP, HRIS, DMS) via an API.
Solutions such as Evidency allow this integration into existing workflows without requiring fundamental changes to the technical architecture.
Electronic seals and eIDAS certificates: the foundation of compliance
To understand this compliance framework, it is necessary to return to the central element of the scheme: the qualified eIDAS certificate, which forms the legal and technical basis of the electronic seal.
What is a qualified eIDAS certificate?
A qualified electronic seal certificate (QSealC) is a digital certificate issued by a Qualified Trust Service Provider, in accordance with the requirements set out in Annex III of the eIDAS Regulation. This certificate attests to the identity of the legal entity and enables the creation of qualified electronic seals.
The certificate contains standardised information:
- the name of the seal creator (the legal entity),
- a unique identifier,
- the seal validation data,
- as well as the qualified electronic signature of the provider that issued the certificate.
Its validity period is generally between one and three years, after which it must be renewed.
An eIDAS server-based electronic seal corresponds to a use case in which the certificate, hosted on a secure server, enables the automated and large-scale application of electronic seals, without human intervention. This approach supports scalability, operational reliability and seamless integration into business processes.
Why does this certificate ensure legal compliance?
The eIDAS Regulation, in its revised 2024 version (eIDAS v2), establishes a principle of mutual recognition between Member States. A qualified electronic seal created in one European Union country must be recognised as such in all other Member States. This interoperability is based precisely on the qualified certificate.
Article 35 of the Regulation grants the qualified electronic seal a presumption of data integrity and accuracy as to origin. In the event of a dispute, it is therefore for the party challenging the authenticity of the document to prove that it has been altered, rather than for the organisation that applied the seal to demonstrate that the document is authentic. This reversal of the burden of proof represents a significant procedural advantage.
By contrast, an electronic seal based on a non-qualified certificate does not benefit from any legal presumption. Its evidential value will be assessed freely by the court, exposing the organisation to legal uncertainty in the event of litigation.
Best practices for sustainable compliance
The eIDAS Regulation, in its revised version of 2024 (eIDAS v2), establishes a principle of mutual recognition between Member States. A qualified electronic seal created in one European Union country must be recognised as such in all other Member States. This interoperability is based precisely on the qualified certificate.
The certificate has a limited period of validity. Renewal should be planned several weeks before expiry in order to avoid any interruption of service. Some providers offer automatic alerts as the expiry date approaches.
Periodic audits of the scheme, ideally on an annual basis, help ensure that internal procedures remain compliant: authorisations granted to individuals entitled to trigger sealing operations, security of key storage, and traceability of actions. Choosing a reliable partner with both technical and legal support facilitates this process over time.
Conclusion
The qualified electronic seal is now the benchmark for authenticating documents issued by a legal entity within the European Union. Its implementation requires the selection of a qualified eIDAS trust service provider, the issuance of a compliant certificate, and the integration of sealing mechanisms into the organisation’s document processes.
Beyond regulatory compliance, the qualified electronic seal is a major instrument for document security and fraud prevention. It ensures document integrity, enables any subsequent alteration to be detected, and makes attempted falsification immediately identifiable. In the event of a dispute concerning the authenticity of an invoice, contract or certificate, it provides a high level of legal certainty that non-qualified solutions cannot offer. Trust service providers such as Evidency support organisations at each stage, from certificate issuance to technical integration, in order to secure document flows on a lasting basis and strengthen trust in digital exchanges.
Disclaimer
The opinions, presentations, figures and estimates set forth on the website including in the blog are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.
The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Evidency. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.
