Simple, Advanced and Qualified Electronic Signatures — When Should You Use Each?

The choice of electronic signature determines an organisation's evidential standing in any given transaction, its capacity for technological integration, and the level of regulatory compliance it can demonstrate. Choosing between a simple, advanced and qualified electronic signature is a legal risk management decision with a direct impact on process automation and the legal validity of documents signed under the eIDAS Regulation and Spain's Law 6/2020.

Many organisations apply the same type of signature to all their operations without assessing the real cost of a potential legal challenge. However, a marketing consent form and a financing agreement require different levels of signature, with criteria that go well beyond the technical definition of each category.

The Simple Electronic Signature (SES), Advanced Electronic Signature (AES) and Qualified Electronic Signature (QES) represent three levels of legal protection under Regulation (EU) 910/2014, known as eIDAS. Each level determines what a company can demonstrate before a court, what degree of automation it permits, and what regulatory compliance it guarantees in domestic and cross-border transactions.

These three levels respond to functional requirements defined with technological neutrality. Any electronic data associated with a signing act constitutes a SES. The AES requires four cumulative conditions under Article 26, including a unique link to the signatory, identification, exclusive control of the signature creation data, and detection of any subsequent alterations. The QES adds a qualified device and a qualified certificate issued by a supervised trust service provider, with legal equivalence to a handwritten signature throughout the EU under Article 25.2.

In Spain, Law 6/2020 complements eIDAS with specific requirements for trust service providers. eIDAS 2, adopted through Regulation (EU) 2024/1183, extends the ecosystem with remote management of qualified devices, qualified electronic archiving and electronic ledgers, making it possible to build complete chains of signing, identity and evidential preservation with cross-border validity.

Each type of electronic signature fits a different risk profile. The SES covers transactions of low financial impact, the AES protects ordinary contracts with robust identification, and the QES provides legal equivalence to a handwritten signature for high-value transactions or those subject to formal requirements.

The legal and financial impact of the transaction, sector-specific legal requirements, the risk profile of the counterparties, user experience requirements and the retention horizon all determine which level of signature each transaction requires.

Organisations can begin with SES where the financial impact is low and migrate towards AES or QES as the economic value, regulatory demands or likelihood of litigation increase.

The evidential value of an electronic signature in Spain depends on its category under Law 6/2020, which refers to the Civil Procedure Act (LEC — Ley de Enjuiciamiento Civil). Qualified services benefit from a presumption of authenticity and integrity under Article 326.4. Non-qualified services are subject to free judicial assessment under Article 326.3.

A SES based on an email address or IP address can be challenged on the grounds of unauthorised access. The company will need to produce supplementary evidence such as server logs or usage patterns. With an AES, personal certificates, multi-factor authentication and timestamps improve the evidential position in accordance with the standards of the European Telecommunications Standards Institute (ETSI). The QES benefits from a presumption of authorship and equivalence to a handwritten signature under Article 25.2 of eIDAS, which effectively reverses the burden of proof.

Certificates expire and algorithms can lose their robustness.

Long-term validation (LTV) signature profiles, defined in ETSI standards EN 319 132 and EN 319 142, incorporate periodic timestamps and certification chains that maintain verifiability decades later. Regulation (EU) 2024/1183 consolidates qualified electronic archiving as a regulated trust service for this purpose.

Advanced and qualified electronic signatures are integrated into business workflows via APIs provided by trust service providers. Regulation (EU) 2024/1183 also enables remote management of qualified devices, allowing signing processes to operate without manual back-office intervention.

eIDAS makes no distinction as to whether the signature is triggered from a web portal, an ERP system or a robotic process automation (RPA) workflow. The complete cycle must comply with the requirements of integrity, identification and exclusive control of the signatory. A well-designed integration triggers signing workflows from master systems with complete business records, associates each request with a case file containing metadata, and adds timestamps and the organisation's electronic seals.

eIDAS 2 allows qualified signing keys to be held on servers operated by qualified trust service providers. The signatory retains exclusive control through strong authentication, and the remote device executes the cryptographic operation via API call. Full automation requires internal governance defining which processes use SES, AES or QES according to risk thresholds, secure technical integration with audit logs, and signature profiles that allow subsequent independent validation.

The Blockchain Services Infrastructure of Spain (ISBE — Infraestructura de Servicios Blockchain de España) reinforces the legal certainty of electronic signatures through immutable registration, distributed timestamping and independent third-party verification. This evidential layer complements the regulated trust services operating under eIDAS.

This legal certainty is consistent with the technological neutrality of eIDAS, which neither mandates nor prohibits blockchain. ISBE offers blockchain traceability as an additional layer. The hash of a signed document is anchored in a public-permissioned infrastructure with regulatory compliance by design, and attests that a given set of data existed at a specific point in time without having been altered.

An advanced or qualified signature compliant with eIDAS, qualified archiving and blockchain anchoring together form an evidential layer that balances legal certainty with technical resilience. ISBE facilitates this integration with ready-to-use tools, interoperability with European infrastructure and a public-private collaboration model. Organisations thereby strengthen their evidential layer with cross-border legal validity.

Does your electronic signature strategy protect each transaction according to its risk level? Discover how ISBE reinforces the legal certainty of your signed documents with immutable registration, European interoperability and regulatory compliance by design. Visit redisbe.com to learn about the use cases already under way.

Simple vs. advanced electronic signature: when does cost-saving become a legal risk?

The cost saving of a simple signature over an advanced one diminishes as the transaction value or likelihood of litigation increases. European courts look more favourably upon signatures with robust identification and technical traceability. The SES should be reserved for low-impact consents. For long-term or high-value contracts, the AES or QES offer a better balance between cost and security.

Is the qualified signature always the safest option, or can it become an operational constraint?

The qualified signature offers the highest level of legal security and a presumption of validity throughout the EU. Its enrolment process is more demanding, it depends on qualified devices, and it carries higher costs per certificate and per transaction. In high-volume B2C contexts it may reduce conversion rates. The standard approach reserves the QES for high-value transactions and dealings with public authorities, and applies the AES for everything else.

European interoperability: what happens if my clients or suppliers are in different EU countries?

A qualified signature issued by a trust service provider in one Member State is valid in all others, thanks to trusted lists and ETSI standards. For advanced and simple signatures, each national legal system determines the specific evidential value. eIDAS 2 strengthens interoperability through the European Digital Identity Wallet and newly harmonised trust services.

Automation: can the advanced signature be integrated directly into my systems (ERP/CRM) without human intervention?

Yes. The advanced signature can be integrated into ERP and CRM systems via APIs from trust service providers, subject to the exclusive control requirements of the signatory under eIDAS. Regulation (EU) 2024/1183 recognises remote management of qualified devices invocable by API. Full automation requires internal governance with defined risk thresholds and secure technical integration with audit logs.

Long-term validation and custody: is it sufficient to hold a digitally signed archive?

Having a signed document is a necessary but not sufficient condition to guarantee its long-term evidential value. Cryptographic certificates expire and algorithms can lose their robustness. LTV (Long-Term Validation) signature profiles incorporate periodic timestamps and certification chains that maintain verifiability for decades. eIDAS 2 regulates qualified electronic archiving for this purpose.