Advanced Electronic Signature: What It Is, How It Works, and eIDAS Regulation
The global electronic signature market reached $13.4 billion in 2025, with projections pointing to $70.2 billion by 2030 at a compound annual growth rate of 39.2%, according to MarketsandMarkets. Over 80% of organizations now use some form of electronic signature in their daily operations (eSignGlobal, 2024). Yet a persistent problem undermines this adoption wave: most professionals confuse the three signature levels defined by EU law, exposing their organizations to compliance gaps and disputed contracts. An advanced electronic signature (AES) sits at the centre of this confusion. It offers stronger guarantees than a simple click-to-sign but stops short of the full apparatus required for a qualified electronic signature. Understanding where AES begins and ends, what eIDAS Regulation (EU) No 910/2014 actually demands, and when your organization should move up or down the signature ladder: these are questions that legal officers, compliance teams and IT managers need answered with precision, not marketing slogans.
What is an advanced electronic signature (AES)?
An advanced electronic signature is an electronic signature that meets four specific requirements set out in Article 26 of eIDAS. It is more reliable than a simple electronic signature but less burdensome than a qualified one. AES provides a verifiable link between the signer and the signed data, offers tamper-evidence, and places the signing means under the signer's sole control. In EU courts and cross-border transactions, this combination carries real legal weight.
Definition and eIDAS Article 26 requirements
Article 3(11) of the eIDAS Regulation defines an advanced electronic signature as one that satisfies the requirements referred to in Article 26. Those four requirements form the backbone of every AES implementation:
- Uniquely linked to the signatory: the signature must be tied to a single, identifiable person through a mechanism that cannot be shared or reassigned.
- Capable of identifying the signatory: the process must establish who actually signed, going beyond a mere email address or IP log.
- Created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control: the private key, token, or biometric factor must remain exclusively accessible to the signer.
- Linked to the data signed therewith in such a way that any subsequent change in the data is detectable: integrity protection ensures that the document cannot be altered after signing without leaving evidence.
These four conditions are cumulative. If any one is missing, the signature does not qualify as advanced under eIDAS. In practice, this means that a PDF signed with a basic drawing tool fails on nearly every count, while a signature generated through OTP-verified identity and cryptographic hashing can satisfy all four.
Differences between simple, advanced and qualified signatures
eIDAS establishes a three-tier hierarchy. Each level adds requirements on top of the previous one, increasing both legal certainty and implementation complexity. The comparison table below maps the practical differences that matter for compliance decisions.
| Criterion | Simple Electronic Signature | Advanced Electronic Signature (AES) | Qualified Electronic Signature (QES) |
|---|---|---|---|
| Signer identification | Not guaranteed | Required, uniquely linked | Qualified certificate issued by QTSP |
| Sole control | Not required | High-level security required | Qualified Signature Creation Device (QSCD) |
| Tamper detection | Not required | Mandatory (hash-based) | Mandatory (QSCD-enforced) |
| Legal weight (EU) | Cannot be denied legal effect, but weak evidentiary value | Cannot be denied legal effect; significant evidentiary weight | Equivalent to a handwritten signature (Art. 25.2) |
| Common examples | Click-to-sign, email confirmation | OTP verification, biometric video, SPID-based signing | Smart card, USB token, remote QES via QTSP |
What does this mean in practice? AES carries genuine legal weight across the EU. Article 25(1) of eIDAS states that no electronic signature shall be denied legal effect or admissibility solely because it is in electronic form. For AES specifically, the four requirements of Article 26 create a presumption of reliability that courts and regulators increasingly respect.
AES vs digital signature: clearing the common confusion
The terms "advanced electronic signature" and "digital signature" are frequently used interchangeably, but they refer to different concepts. A digital signature is a technical mechanism based on asymmetric cryptography: the signer's private key is used to sign a hash of the document, and the corresponding public key allows anyone to verify that signature. An advanced electronic signature is a legal category defined by eIDAS that specifies what a signature must achieve, not how it must be built.
In practice, most AES implementations rely on digital signature technology to satisfy the tamper-detection and unique-linking requirements. But an AES could theoretically use other technical approaches, as long as the four Article 26 requirements are met. Conversely, a digital signature that lacks proper signer identification or sole-control mechanisms would not qualify as an AES under eIDAS.
For a concrete illustration of how digital signatures work in applied contexts, see this digital signature example.
How AES works: the technical process
Behind every advanced electronic signature is a technical architecture that turns the four legal requirements of Article 26 into concrete, verifiable operations. Each step maps directly to a regulatory obligation and produces an audit trail built to withstand legal scrutiny in any EU member state.
Signer identification and unique linking
The first two requirements of Article 26 demand that the signature be uniquely linked to the signatory and capable of identifying them. What this means in practice: there must be an identity verification step before signing, and a cryptographic binding between that verified identity and the signature output.
Common approaches include:
- OTP-based verification: a one-time password sent to a registered mobile number confirms that the person initiating the signature controls a pre-verified device.
- Biometric video verification: the signer records a brief video that is matched against an identity document. This creates a strong link between the physical person and the signing event.
- eID-based authentication: national electronic identity schemes (SPID in Italy, BankID in Scandinavia, eHerkenning in the Netherlands) provide government-grade identification.
Whichever method is chosen, it must produce an identification record stored alongside the signature. Years later, it should still be possible to reconstruct exactly who signed and when.
Sole control and tamper detection
The third requirement states that the signature creation data must be under the signer's sole control with a high level of confidence. This does not necessarily mean the signer holds a physical device. Cloud-based solutions can satisfy this requirement by combining multi-factor authentication with server-side key management, where the private key is activated only after the signer completes an authentication challenge.
The fourth requirement, tamper detection, is typically implemented through cryptographic hashing. When the document is signed, a hash (a fixed-length mathematical fingerprint) of the entire content is computed and sealed with the signing key. If even a single character is modified after signing, the recomputed hash no longer matches the signed one and the alteration becomes immediately visible at verification. Standards such as the ETSI EN 319 series and the profiles defined in ISO 14533 specify the technical formats that ensure interoperability across platforms and borders.
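The sketch below is an added example, not code from any provider or standard named on this page. It shows how an identification record and a document hash can be sealed under one signature, so that editing either the document or the stored signer record is detected. The envelope layout, the type and function names, the sample values, and the choice of Ed25519 with SHA-256 are assumptions made for illustration; it is not one of the ETSI formats mentioned above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// IdentRecord is a hypothetical identification record stored alongside the signature.
type IdentRecord struct {
	SignerID, Method, SignedAt string
}

// Envelope is the archived evidence: who signed, and the signature itself.
type Envelope struct {
	Ident     IdentRecord
	Signature []byte
}

// NewKey creates a signing key pair; a nil reader makes Go use crypto/rand.
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return pub, priv
}

// signedBytes is the exact input to the signature: SHA-256 of the document,
// then the record as JSON (struct fields marshal in a fixed order).
func signedBytes(doc []byte, id IdentRecord) []byte {
	d := sha256.Sum256(doc)
	rec, _ := json.Marshal(id) // a struct of strings cannot fail to marshal
	return append(d[:], rec...)
}

// Sign binds the document hash and the identification record under one signature.
func Sign(priv ed25519.PrivateKey, doc []byte, id IdentRecord) Envelope {
	return Envelope{Ident: id, Signature: ed25519.Sign(priv, signedBytes(doc, id))}
}

// Verify rehashes the presented document and checks the signature over that
// hash plus the stored record; a change to either one makes it return false.
func Verify(pub ed25519.PublicKey, doc []byte, env Envelope) bool {
	return ed25519.Verify(pub, signedBytes(doc, env.Ident), env.Signature)
}

func main() {
	pub, priv := NewKey()
	doc := []byte("Service agreement: fee 1000 EUR") // constructed sample document
	env := Sign(priv, doc, IdentRecord{"signer-001", "otp", "2025-01-15T10:00:00Z"})
	fmt.Println("original document:   ", Verify(pub, doc, env))
	fmt.Println("edited document:     ", Verify(pub, []byte("Service agreement: fee 9000 EUR"), env))
	env.Ident.SignerID = "signer-002" // someone rewrites the stored signer record
	fmt.Println("edited signer record:", Verify(pub, doc, env))
}
```

The signature only proves that the key holder sealed this document and record. Whether the key was under the signer's sole control depends on how it is stored and activated, which this sketch does not model.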
When AES is enough and when QES is required
For most commercial transactions in the EU, AES is enough. Employment contracts, service agreements, procurement documents, insurance claims, internal corporate approvals: all of these can be signed with AES in most member states. The principle from Article 25(1) is technology neutrality: a signature's legal effect depends on its reliability, not its format.
That said, specific national laws and sector regulations carve out exceptions where only a qualified electronic signature (QES) will do. Real estate transfers in several member states, certain filings with public registries, and some regulated financial instruments require QES explicitly. The critical distinction: QES is the only electronic signature type that eIDAS automatically equates to a handwritten signature (Article 25.2). For everything else, AES offers a practical balance between security and operational efficiency.
eIDAS regulatory framework for advanced electronic signatures
eIDAS is the binding legal framework that governs electronic signatures across all 27 EU member states, plus EEA countries. Before it, cross-border electronic transactions were a patchwork of conflicting national rules. eIDAS replaced that fragmentation with a single set of requirements.
eIDAS Regulation (EU 910/2014): the 4 requirements
The eIDAS Regulation, formally Regulation (EU) No 910/2014 of 23 July 2014, establishes a single legal framework for electronic identification and trust services. Article 26 codifies the four AES requirements already discussed. But several other provisions shape how AES works in practice:
- Article 25(1): no electronic signature can be denied legal effect or admissibility as evidence in legal proceedings solely because it is in electronic form or because it does not meet the requirements for qualified electronic signatures.
- Article 25(2): only a qualified electronic signature has the equivalent legal effect of a handwritten signature. This means AES has strong but not automatic equivalence to wet ink.
- Article 27: member states must recognize advanced electronic signatures based on qualified certificates and created by qualified signature creation devices from other member states.
Outside the EU, parallel frameworks exist. The United States relies on the ESIGN Act (Electronic Signatures in Global and National Commerce Act, 2000) and UETA (Uniform Electronic Transactions Act), which adopt a technology-neutral approach without the three-tier hierarchy. These frameworks recognize electronic signatures broadly but lack the granular requirements that distinguish AES from simpler forms.
Legal validity across EU member states
The practical payoff of eIDAS is mutual recognition. An advanced electronic signature created in France holds the same legal standing when presented in a German court or submitted to a Spanish regulatory authority. This cross-border validity rests on the regulation's direct applicability: unlike directives, EU regulations do not require national transposition and take effect uniformly.
That said, member states retain discretion over which specific transactions require a qualified electronic signature versus an advanced one. A contract signed with AES in Finland is legally valid in Portugal, but if Portuguese law requires QES for that particular transaction type, the AES will not suffice for compliance purposes in Portugal. Legal officers must therefore verify both the general eIDAS framework and the specific national rules applicable to their transaction type.
eIDAS 2.0 and the EUDI Wallet: what changes
The revised eIDAS framework, commonly called eIDAS 2.0, introduces the European Digital Identity Wallet (EUDI Wallet), which member states must make available to their citizens and residents by 31 December 2026. The EUDI Wallet matters for advanced electronic signatures for two reasons.
First, the wallet will provide a standardized, government-backed identity verification layer that can serve as the foundation for AES and QES across the EU. Instead of relying on disparate national eID schemes, organizations will be able to verify a signer's identity through a single, interoperable infrastructure. Second, the wallet will support qualified electronic signatures natively, potentially lowering the practical barrier between AES and QES. If creating a QES becomes as straightforward as tapping a phone, the current cost and complexity advantages of AES may narrow considerably.
For organizations currently building AES workflows, the takeaway is practical: design systems that can accommodate higher assurance levels without architectural changes. The regulatory direction favours stronger identity verification and higher signature levels. The EUDI Wallet will accelerate that shift.
Certification and AES: how to protect the data at the source
Advanced electronic signatures address the identity and integrity of the signing act itself. But in many operational contexts, the challenge goes beyond signing. The underlying data, whether a photograph, a video, a report, or a contractual document, must also be authentic and unaltered from the moment of its creation. Data certification at the source complements the guarantees of AES by closing the gap between "who signed" and "what was signed."
Digital signature integrated in TrueScreen certification
TrueScreen, the Data Authenticity Platform, integrates digital signature capabilities directly into its certification workflow. When a document, photo, or video is acquired through TrueScreen, two things happen in sequence. First, the platform captures and certifies the data at the point of origin, preserving its digital authenticity with a forensic methodology that ensures immutability from the source. Second, it applies a digital signature with a qualified timestamp. The result is a verifiable record of who signed, when, and that the content has not been altered since.
Signer identification can be performed through OTP verification or biometric video, both compliant with eIDAS requirements and GDPR. The result is a certified package where the data's origin, the signer's identity, and the document's integrity are all provably intact. This approach addresses a weakness that standalone AES tools leave exposed: they verify the signer but say nothing about whether the signed content itself was authentic before the signature was applied.
Practical scenarios: contracts, reports, field documentation
Here are three scenarios where certification with legally binding proof and integrated digital signature solves real operational problems:
Contracts and agreements. A multinational company needs its field representatives to sign service contracts on-site. TrueScreen enables the representative to capture the signed document, certify it at the source, and apply a digital signature in one workflow. The counterparty receives a verifiable package rather than a scanned PDF of questionable provenance.
Inspection reports. An insurance adjuster photographs damage at a claim site. The photos are certified the moment they are taken, and the adjuster signs the report digitally. Any dispute over whether the images were manipulated or the report was altered can be resolved by verifying the certification chain and the digital signature, without relying on witness testimony or metadata analysis.
Field documentation for compliance. An energy company must document environmental inspections for regulatory submission. Photographs, measurements, and inspector notes are acquired through TrueScreen, certified with immutability at the source, and digitally signed. The regulatory authority receives documentation with a complete chain of custody, from the moment of capture to the moment of submission. For a detailed look at how electronic seal and digital signature mechanisms differ in these contexts, see the dedicated comparison.
FAQ
What is the difference between an advanced and a qualified electronic signature?
An advanced electronic signature (AES) meets the four requirements of eIDAS Article 26: unique linking to the signatory, signer identification, sole control, and tamper detection. A qualified electronic signature (QES) meets all AES requirements plus two additional ones: it must be based on a qualified certificate issued by a Qualified Trust Service Provider and created using a Qualified Signature Creation Device (QSCD). Under Article 25(2) of eIDAS, only QES has the automatic legal equivalence of a handwritten signature.
Is an advanced electronic signature legally valid across the EU?
Yes. Under eIDAS Article 25(1), an advanced electronic signature cannot be denied legal effect or admissibility as evidence in any EU member state solely because it is in electronic form. However, specific national laws may require a qualified electronic signature for certain transaction types, such as real estate transfers or filings with public registries. The AES itself remains valid, but it may not satisfy the specific requirements of a particular national regulation.
Can an AES be used for international contracts outside the EU?
AES as defined by eIDAS is an EU legal concept. Outside the EU, recognition depends on local law. The United States, for example, recognizes electronic signatures broadly under the ESIGN Act and UETA, but does not distinguish between simple and advanced levels. Many other countries accept electronic signatures in commercial transactions; the evidentiary weight, though, varies widely. For international contracts, verify the applicable law in each jurisdiction. Using AES with additional data certification can strengthen the evidentiary record where local rules leave gaps.
What will eIDAS 2.0 change for electronic signatures?
eIDAS 2.0 introduces the European Digital Identity Wallet (EUDI Wallet), which member states must deploy by 31 December 2026. The wallet will provide standardized identity verification across the EU and support qualified electronic signatures natively. This will likely lower the barrier between AES and QES, making higher-assurance signatures more accessible and cost-effective for organizations of all sizes.
How does data certification complement an advanced electronic signature?
An AES verifies who signed a document and detects post-signature tampering, but it does not address the authenticity of the underlying content before signing. Data certification, such as the forensic acquisition process used by TrueScreen, captures and protects data at the moment of creation. When combined with AES, this creates a full chain of trust from data origin to signature, with legally binding proof at every step. It matters most for photographic evidence, field reports, and any document where the source data's integrity is as critical as the signature itself.

