How to timestamp a document: practical guide and method comparison
When a contract or accounting document loses its trusted date, the risk is procedural, not technical. Without a verifiable timestamp, a tax deadline, a notification, or a statute-of-limitations cutoff becomes contestable, and the burden of proving the exact moment of formation falls entirely on the producer of the document. The eIDAS Regulation (EU 910/2014) Article 41 makes the rule explicit: without a qualified timestamp, the legal effect of an electronic record weakens.
Adding a timestamp to a PDF today requires a precise technical choice: free services from a Trust Service Provider, plugins integrated into Adobe Acrobat, or platforms that apply the timestamp directly at the moment of data acquisition. The difference is not only cost, but probative value and chain of custody. The complete guide on qualified electronic timestamps explains when a qualified timestamp is legally required. This insight focuses on the operational side: how to apply the timestamp, when a qualified one is mandatory, and where the free PDF route falls short.
This insight is part of our guide: Qualified electronic timestamps: how they work and when they are legally required
Three methods to timestamp a document
The available methods reduce to three families, distinguished by automation level, cost, and forensic robustness. The choice depends on the document type, on the frequency of the operation, and on the legal context where the document will be produced.
Method 1: Time Stamping Authority (TSA) of a qualified QTSP
This is the standard method when a qualified electronic timestamp under eIDAS Article 42 is required. Qualified Trust Service Providers across the EU expose endpoints compliant with the RFC 3161 protocol. The user sends the SHA-256 hash of the file and receives a TSR token signed digitally with the private key of the TSA.
The typical steps are:
- Compute the SHA-256 hash of the document to be timestamped (local operation, the file never leaves the computer)
- Send the hash to the TSA service through a dedicated client or QTSP software
- Receive the TSR token (.tsr or .p7m format) and store it together with the document
- For PDFs, embed the timestamp directly in the file by generating a PAdES-signed PDF with embedded timestamp
Costs are typically structured as packages of timestamp tokens, with a typical 36-month validity window. Limited free offers exist (single trial timestamps or small lots included in digital signature kits), but professional continuous use requires a QTSP contract. The qualified electronic timestamp obtained this way enjoys the legal effect set by eIDAS Article 41: presumption of accuracy of the indicated date and time, and of integrity of the data with which they are associated.
Method 2: Adobe Acrobat with a QTSP timestamp server
Adobe Acrobat Pro lets you configure an RFC 3161-compliant timestamp server in the preferences (Edit > Preferences > Signatures > Document Timestamping). Once the URL of the chosen QTSP TSA service is configured, every digital signature applied to the PDF can automatically include the qualified timestamp.
The procedure is useful for those already using Acrobat to sign contracts, expert reports, or contractual documents, because it integrates the timestamp into the existing flow without additional software. However, two limits deserve attention: the timestamp applies only to the signed PDF (not to images, videos, ZIP files, or screenshots), and the document integrity depends on the moment Acrobat is opened, not on when the document was originally produced. If a draft is saved today and timestamped a week later, the timestamp only attests to the file state at the moment of application, not to its initial creation.
Method 3: integrated source-certification platforms
For activities that require a timestamp immediately bound to the moment of data production, such as web acquisitions, screenshots, video recordings, on-site photographs, or digital evidence in general, integrated platforms apply the timestamp inside the acquisition process itself. TrueScreen is the Data Authenticity Platform that applies forensic methodology at the exact moment of capture: hash of the content, qualified electronic seal, and qualified electronic timestamp, delivered through an integrated QTSP via API, are applied contextually to creation, with no temporal window for manipulation between production and certification.
The practical difference compared to the previous methods is the chain of custody: with a TSA or Adobe, the timestamp attests to the file state at the moment of application, with no guarantee about what happened before. With source-level certification, typical of Digital Provenance, the timestamp is part of a process that documents the moment and the conditions of acquisition as well.
When free services are enough and when a qualified timestamp is required
Not every document requires a qualified electronic timestamp. Understanding the difference avoids paying unnecessary costs and, more importantly, avoids discovering during litigation that the chosen timestamp is not enforceable against third parties.
Simple timestamp (free): organizational value, not probative
Free timestamps are offered by many online services (some free, others freemium like FreeTSA or blockchain-based services). They are not delivered by an accredited QTSP and do not enjoy the legal presumption of eIDAS Article 41.
They are appropriate for:
- Internal versioning of technical or working documents
- Marking internal backups or application logs without probative purposes
- Dating drafts in creative or R&D pipelines
- Internal notes, organizational memos, training materials
They are not appropriate when the document may become subject to dispute: contracts, private deeds, communications with public authorities, regulatory deadlines, mandatory accounting records.
Qualified timestamp (QTSP): mandatory for legal value
The qualified electronic timestamp is explicitly required in many EU regulatory contexts:
- Long-term electronic archiving: archival packages compliant with European e-archiving standards must be sealed with a qualified electronic timestamp before retention
- Public deeds, private agreements, and special powers of attorney: national digital administration laws require a qualified timestamp to give the document a date enforceable against third parties
- Communications with public administrations (public tenders, telematic deposits of acts, B2G electronic invoicing)
- MiFID II financial flow transmission, MAR registers, anti-money-laundering reporting
- Records subject to long-term retention: financial statements, statutory ledgers, tax-relevant accounting records
The discriminator is not the file format, but the probative function. A certified email does not replace a qualified electronic timestamp: certified email attests to the act of sending and receiving, not to the formation of the attached document. Likewise, an EXIF metadata field of a photograph is not enforceable, because it is locally editable.
| Use case | Recommended timestamp | Indicative cost | Probative value |
|---|---|---|---|
| Internal draft versioning | Simple timestamp (free TSA) | Free or freemium | Organizational |
| Contracts, private agreements | Qualified QTSP timestamp | Token packages | Full (eIDAS Art. 41) |
| Long-term archiving | Qualified QTSP timestamp | Included in service | Full (EU archiving rules) |
| Web captures, photo, video | Source-certification platform | Per-use | Full + chain of custody |
| PDF already digitally signed | Qualified timestamp via Adobe + QTSP | Token packages | Full for the PDF, not for the origin |
Timestamping a PDF: three limits the standard flow does not solve
The most common pattern in SMEs and professional firms is the PDF signed and timestamped via Adobe Acrobat or QTSP software. It works well for documents born as PDFs: contracts, expert reports, statements. But when the original data is a web page, a chat, a photograph, or a video, the PDF flow shows three limits.
First, the temporal window: between data generation and timestamping, time passes, and that time is contestable. A web page saved today and timestamped tomorrow does not guarantee that the content was identical yesterday.
Second, the technical context: the timestamp attests that a file with a certain hash existed at a certain moment, but does not document how that file was produced, from which device, with which acquisition metadata. In litigation, opposing counsel can challenge the genuineness of the capture.
Third, the flow integrity: EXIF, GPS, HTTP headers, the DOM content at the moment of capture do not fit into the printed PDF and are lost. The timestamp preserves only the PDF, not the complete original data.
The TrueScreen platform resolves these three limits by applying forensic methodology (acquisition + qualified electronic seal + qualified electronic timestamp via integrated QTSP) in the same temporal atom, and by producing a complete report that documents the chain of custody. For documents that will never be contested, the traditional PDF flow is sufficient. For digital evidence intended for legal proceedings, regulatory inspections, or disputes with public administrations, it is worth evaluating whether the weak point is precisely the temporal window between creation and timestamping.
Costs of the qualified timestamp, by the way, are far more contained than commonly perceived once mapped against typical enterprise document volumes. With a TrueScreen scoping conversation, the plan can be sized to real volumes and priority use cases, avoiding both oversizing and the runtime discovery that the selected plan does not cover dynamic content.
