E-Signatures for Regulated Firms: QES, AES, and SES — When Each Is Valid: Qualified, Advanced, and Simple electronic signatures explained. Which level your regulated firm needs for contracts, client onboarding, and compliance…
Why E-Signature Levels Matter for Regulated Businesses
Electronic signatures are now routine for business. Most regulated firms — law firms, financial advisors, wealth managers, insurers — use some form of digital signing for client onboarding, engagement letters, and agreements. But "digital signing" is not a single thing. Under EU Regulation 910/2014 (eIDAS), electronic signatures exist on a hierarchy of three trust levels, each with different legal effects and evidentiary weight.
Using the wrong level for a given use case creates real legal risk. In 2024–2025, several contract disputes in UK and continental European courts turned on whether an electronic signature met the threshold required by applicable law or sector regulation. In two cases involving financial advisory engagement letters, courts found that click-to-sign email signatures — Simple Electronic Signatures — were insufficient for contracts subject to MiFID II written agreement requirements.
For regulated firms, the question is not "can I use e-signatures?" — the answer is almost always yes. The question is "which level of signature does this specific document, in this specific legal context, require?"
The Three Levels of Electronic Signature Under eIDAS
Simple Electronic Signature
The broadest definition. Any data in electronic form attached to or logically associated with a document for the purpose of signing. This includes a typed name in an email, a scanned wet signature, a checkbox "I agree", or a basic click-to-sign workflow. No identity verification or cryptographic binding is required.
Advanced Electronic Signature
Must be uniquely linked to the signatory; must be capable of identifying the signatory; must be created using data under the signatory's sole control; and must detect any subsequent changes to the signed data. Typically implemented through a PKI-based digital signature with identity verification (email OTP, SMS OTP, or identity document check). Does not require a Qualified Certificate or QSCD.
Qualified Electronic Signature
The highest level. Must be an Advanced Electronic Signature created with a Qualified Electronic Signature Creation Device (QSCD) and based on a Qualified Certificate issued by a Trust Service Provider on the EU Trusted List. QES has the same legal effect as a handwritten signature across all EU Member States. This is the only level of e-signature mandated by law for certain document categories.
eIDAS 2.0 (Regulation 2024/1183) entered into force in May 2024, extending the framework with the EU Digital Identity Wallet (EUDIW). Member States must offer EUDIW-based QES to all citizens by 2026. For regulated firms, this will eventually make QES issuance far more accessible and lower-cost — but the underlying three-tier signature framework remains unchanged.
Legal Effect: What Each Tier Gives You
| Property | SES | AES | QES |
|---|---|---|---|
| Legally admissible as evidence? | ✓ Generally yes | ✓ Yes | ✓ Yes |
| Equivalent to handwritten signature? | ✗ Not guaranteed | ~ Varies by jurisdiction | ✓ Yes, across all EU |
| Non-repudiation? | ✗ Weak | ~ Moderate | ✓ Strong |
| Tamper evidence? | ✗ None | ✓ Yes | ✓ Yes |
| Identity verification required? | ✗ No | ~ Moderate (OTP/ID check) | ✓ Qualified certificate |
| Mandated by law for certain documents? | ✗ Never | ~ Sometimes | ✓ Yes (specific contexts) |
| Cross-border legal recognition in EU? | ✗ Not guaranteed | ~ Partial | ✓ Mandatory mutual recognition |
Which Level Does Your Document Require?
The most common question: "What level of e-signature do I actually need for this?" The answer depends on three factors: applicable national law for the document type, sector-specific regulation, and your firm's own evidentiary risk appetite.
Documents requiring QES by law
Some document types require a qualified electronic signature (or wet signature) because national law mandates written form with legal equivalency. Examples across EU Member States:
- Real estate sale contracts and title transfers (most Member States)
- Testamentary dispositions and notarial instruments
- Consumer credit agreements exceeding specific thresholds in certain jurisdictions
- Employment termination agreements in some Member States
- Certain company formation and share transfer documentation
- Court submissions and regulatory filings requiring verified signatures
Documents where AES is typically sufficient for regulated firms
- Client engagement letters and terms of business (law firms, financial advisors)
- Service agreements and SaaS contracts above standard commercial thresholds
- MiFID II suitability and appropriateness acknowledgements
- Non-disclosure agreements
- Data Processing Agreements under GDPR Article 28
- GDPR consent forms for high-risk processing where genuine consent must be proven
- Insurance policy documents
- Loan documentation (non-mortgage)
- KYC/CDD declarations in digital onboarding workflows
Documents where SES is generally acceptable
- Internal approvals, workflow sign-offs, and meeting minutes
- Low-value purchase orders and supplier acknowledgements
- Policy acknowledgements and employee handbook confirmations
- Marketing consent (though documented consent mechanisms must still be GDPR-compliant)
- Standard terms acceptance for B2C services without enhanced regulatory overlay
The MiFID II written agreement requirement (Article 25(5) and implementing measures) is a recurring source of confusion. MiFID does not specify a signature level — it requires a "durable medium" written agreement before providing investment services. Most regulators accept AES as satisfying this requirement. SES (a typed name in an email) is increasingly challenged — particularly for high-value discretionary mandates where client disputes are foreseeable.
E-Signatures in Specific Regulated Contexts
Legal (law firms and notaries)
Law firms use e-signatures across the spectrum. For routine correspondence and internal approvals, SES is fine. For engagement letters and client service agreements, AES provides adequate non-repudiation for dispute purposes. For conveyancing, corporate transactions, and documents that will be used in court or regulatory proceedings, the applicable substantive law of the governing jurisdiction determines whether QES is required. Notarial acts in most EU jurisdictions must be executed before a notary in person or with QES — this cannot be downgraded.
Financial services (MiFID, insurance, banking)
Financial services generate high volumes of e-signed documentation. Client-facing firms should use AES as the baseline for anything above internal workflow approvals. The principal risk is dispute resolution: if a client disputes a suitability assessment acknowledgement or a contract term, an AES with a clear audit trail (identity verification method, timestamp, IP, document hash) provides a robust evidentiary record. SES provides almost no protection in a dispute where the client claims they did not agree to a term or did not understand a risk disclosure.
Healthcare
Patient consent for medical treatment raises complex questions. Informed consent is a clinical and legal requirement, not purely contractual. In most EU jurisdictions, documented verbal consent recorded by the clinician is legally sufficient for routine care. For research participation, clinical trials, and processing of special category health data under GDPR Article 9, written consent with a clear, verifiable audit trail is required. AES is generally appropriate; QES may be required for specific consent types in certain national systems.
HR and employment
Most employment documentation — offer letters, policy acknowledgements, non-disclosure agreements — can use AES. Employment contracts in the EU typically require written form (pen-and-paper or electronic equivalent). QES is safest for employment termination documents in jurisdictions with strict written form requirements. Note that employee consent under GDPR has specific limitations (see the GDPR for HR guide in our blog).
What a Compliant E-Signature Audit Trail Looks Like
The audit trail is often more important than the signature mechanism itself. In the event of a dispute, your ability to prove what was signed, by whom, when, and what verification was done is what courts and regulators assess. A compliant AES audit trail should include:
- Full document hash before and after signing (proving no tampering)
- Timestamp from a trusted timestamping service (not just the signing platform's server clock)
- Identity verification method used (email OTP, SMS OTP, identity document scan, eID)
- IP address and device fingerprint of the signatory
- Audit log of all events: document sent, opened, signed, downloaded
- Certificate of completion from the platform provider
- Long-term archival in a format that remains verifiable after certificate expiry (PAdES or XAdES with archival timestamps)
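As an added illustration (not HubSecure code and not a PAdES/XAdES implementation), the following Python builds a hash-chained audit trail from the elements listed above and replays it to detect either an archived document that differs from what was signed or an edited log entry; the signatory, addresses, device fingerprint and timestamps are constructed sample values, and a production platform would replace the plain timestamp strings with RFC 3161 timestamp tokens and anchor the final chain hash with a trust service provider, which is what stops an insider from rewriting the whole chain.

```python
import hashlib
import json
from dataclasses import dataclass, field

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class AuditTrail:
    """Append-only log; every entry carries the document hash at that moment."""
    events: list = field(default_factory=list)

    def record(self, event: str, document: bytes, ts: str, **details) -> str:
        prev = self.events[-1]["entry_hash"] if self.events else "0" * 64
        entry = {"event": event, "timestamp": ts, "prev_hash": prev,
                 "document_hash": sha256_hex(document), **details}
        # Chain link: hash of the canonical JSON of the entry (which embeds prev_hash)
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.events.append(entry)
        return entry["entry_hash"]

def verify_trail(trail: AuditTrail, archived_document: bytes) -> list:
    """Replay the chain; return a list of problems (empty means it checks out)."""
    problems, prev = [], "0" * 64
    for i, e in enumerate(trail.events):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        actual = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if actual != e["entry_hash"]:
            problems.append(f"entry {i} ({e['event']}) has been altered")
        if e["prev_hash"] != prev:
            problems.append(f"entry {i} ({e['event']}) is not chained to its predecessor")
        prev = actual  # recomputing entry_hash on a forged entry breaks the next link
    signed = [e for e in trail.events if e["event"] == "signed"]
    if not signed:
        problems.append("no 'signed' event in trail")
    elif signed[-1]["document_hash"] != sha256_hex(archived_document):
        problems.append("archived document differs from the version that was signed")
    return problems

def demo():
    # Constructed sample: an engagement letter signed after SMS OTP verification (AES level)
    doc = b"Engagement letter v1 - constructed sample content"
    trail = AuditTrail()
    trail.record("sent", doc, "2025-01-10T09:00:00Z", signatory="client@example.com")
    trail.record("opened", doc, "2025-01-10T09:05:12Z", ip="203.0.113.7", device="fp-constructed-1")
    trail.record("signed", doc, "2025-01-10T09:07:40Z", ip="203.0.113.7",
                 device="fp-constructed-1", verification="sms_otp", level="AES")
    trail.record("downloaded", doc, "2025-01-10T09:08:02Z", ip="203.0.113.7")
    return trail, doc
```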
Choosing an E-Signature Provider: Key Questions
- Is the provider on the EU Trusted List (EUTL)? Only providers on the EUTL can issue QES. Verify at the official EUTL browser provided by the European Commission.
- What signature levels does the platform actually support? Many providers advertise "legally binding" e-signatures that are technically SES or at best low-assurance AES. Ask for the eIDAS compliance documentation.
- What identity verification methods are offered? Email OTP alone provides low assurance. SMS OTP is moderate. Government-issued ID scan with liveness check is high assurance.
- What archival format is used? PAdES (PDF Advanced Electronic Signature) with LTV (Long-Term Validation) is the standard for long-term admissibility. XAdES for XML documents.
- Where is signed document data stored? Under GDPR, the storage location of signed documents containing personal data is subject to the same transfer obligations as any other personal data. Ensure your provider offers compliant storage or appropriate SCCs.