Simple Electronic Signature: The Illusion of Security
Simple Electronic Signature, or SES, is what most people think of when they imagine a digital signature. Someone clicks "sign", their name appears as proof they did it, and a timestamp says when it happened. That's it.
No identity verification. No special certificate. No encryption. No tamper protection. You could forge an SES by copying another person's signature image. You could alter a document after someone signed it and the SES would still sit there, perfectly happy. From a technical standpoint, SES is barely more than metadata attached to a file.
Here's the thing: SES is technically legally valid under the eIDAS Regulation in the EU. Courts will look at it. But if someone later claims they never actually signed something, you're fighting an uphill battle. You're basically saying "I have no idea who this really came from, but I hope it was them." That's not a strong position.
SES works fine for internal business use: team member approval forms, internal sign-offs on process changes, budget acknowledgments within your own organization where everyone trusts everyone else anyway. The moment external parties are involved, the moment anything carries real risk, SES is a liability dressed up as a solution.
Advanced Electronic Signature: The Practical Standard
Advanced Electronic Signature, or AES, is where most business contracts should live. This is the category that actually means something.
AES requires qualified digital certificates. This means a certificate authority verified someone's identity to some degree before issuing the certificate. It doesn't require a government ID scan (that's QES territory), but it does require real verification. Often this is a phone number verification combined with identity checks through other channels.
Once that certificate is in place, when someone signs with AES, the signature becomes mathematically linked to the document. You can't alter the document after signing without the signature becoming invalid. Change even one character and the whole thing breaks.
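The contrast between an SES record that never looks at the document and a signature computed over the document's bytes can be shown in a few lines. This is an added example, not code from any signing product: a bare Ed25519 key pair stands in for the certificate-backed key, and the type, function names, signer and contract text are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// SESRecord models a simple electronic signature: a name and a timestamp
// stored next to the file, with nothing derived from the file's bytes.
type SESRecord struct {
	Signer, SignedAt string
}

// SESLooksValid is all an SES can check: that the record is present.
// The document is passed in only to show that its content is never used.
func SESLooksValid(rec SESRecord, doc []byte) bool {
	return rec.Signer != "" && rec.SignedAt != ""
}

// SignDocument signs the document bytes themselves (Ed25519 hashes the
// message internally), so the signature depends on every byte.
func SignDocument(priv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(priv, doc)
}

// VerifyDocument reports whether sig matches exactly these document bytes.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Demo signs a contract, alters one character, and checks both models.
func Demo() (sesOnAltered, sigOnOriginal, sigOnAltered bool) {
	// Constructed sample contract and a one-character alteration of it.
	original := []byte("Payment due: 1000 EUR within 30 days.")
	altered := []byte("Payment due: 9000 EUR within 30 days.")
	pub, priv, err := ed25519.GenerateKey(nil) // nil means crypto/rand
	if err != nil {
		panic(err)
	}
	rec := SESRecord{Signer: "A. Example", SignedAt: "2024-01-01T10:00:00Z"}
	sig := SignDocument(priv, original)
	return SESLooksValid(rec, altered), VerifyDocument(pub, original, sig), VerifyDocument(pub, altered, sig)
}

func main() {
	ses, ok, bad := Demo()
	fmt.Println("SES accepted on altered document:", ses, "| signature on original:", ok, "| signature on altered:", bad)
}
```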
This is the level that covers serious business needs without the overhead of government ID verification processes. Commercial contracts: AES works perfectly. Non-disclosure agreements: AES is standard. Employment agreements: AES handles them. Leasing contracts: AES is solid. Service agreements: AES covers you.
AES has strong legal standing under eIDAS. If someone disputes the signature, they're arguing against qualified certificates, encryption, and tamper detection. You're in a significantly stronger position than with SES, but you're not yet at the level where the law assumes the signature is valid unless proven otherwise; that's QES.
Qualified Electronic Signature: When It Absolutely Matters
Qualified Electronic Signature, or QES, is the heavyweight division. This is what you use when failure is genuinely expensive or legally complex.
QES requires a qualified certificate issued by a government-approved trust service provider. Before that certificate gets issued, someone verifies your identity in person using official government documents — a passport, national ID card, or equivalent. This costs more and takes longer than AES because it's actually rigorous.
But here's the legal difference: under eIDAS, a QES has exactly the same legal weight as a handwritten signature. Full stop. Courts don't question it. The burden of proof flips. If someone disputes a QES signature, they have to prove it was forged or manipulated. You don't have to prove it was legitimate.
This matters for mergers and acquisitions where documents carry multimillion-euro liability. It matters for employment contracts with serious severance clauses. It matters for credit agreements, medical records, and sensitive legal contracts. Anything where a disputed signature could genuinely hurt your business.
The cost difference between AES and QES is usually smaller than people expect. Often just a few euros per signature. The difference in legal protection is enormous.
Making the Choice: A Decision Tree
Ask these questions in order:
- Is this an internal document or process? Use SES. No external parties means you're just using signatures for workflow tracking.
- Is this a standard business contract with an external party? Move to AES. Commercial agreements, NDAs, service terms, leasing contracts. AES is the standard for a reason.
- Does this contract involve significant money, legal complexity, or regulatory requirements? Use QES. Employment contracts with real severance exposure. M&A. Credit agreements. Healthcare. Real estate.
- Is your counterparty specifically asking for a certain signature type? Use what they ask for. Always defer to specific requirements written into a contract or dictated by industry standards.
The Honest Assessment
Most businesses need AES as their baseline. It's the thinking person's choice. You're paying for real security without the overhead of full government ID verification processes. You're covering your legal backside on normal commercial agreements without unnecessary complexity.
Some businesses occasionally need QES for specific high-value contracts. Build that into your workflow for those situations. Know when you need it.
And SES? Unless you're using it internally or for the most trivial sign-offs, you're taking an unnecessary risk. The legal cover isn't there when things go wrong.
| Feature | Simple (SES) | Advanced (AES) | Qualified (QES) |
|---|---|---|---|
| Identity Verification | None | Certificate-based (phone/email check) | Government ID + QTSP certificate |
| Tamper Detection | None | Yes — signature breaks if doc changes | Yes — encrypted + timestamped |
| Legal Weight (eIDAS) | Valid but easily disputed | Strong — challengeable but solid | Equal to handwritten signature |
| Burden of Proof | On you | Mostly on you | On the challenger |
| Best For | Internal workflows | NDAs, contracts, HR docs | M&A, finance, legal deeds |