EpicSign
    Back to blog
    Legislation16.2.2026

    EU Electronic Signature Levels (eIDAS): What's the Difference Between Simple, Advanced, and Qualified Signatures?

    The EU's eIDAS regulation defines three levels of electronic signature: simple (SES), advanced (AES), and qualified (QES). In this article, we will explain in plain language what each level means, when each is sufficient, and how a small business can utilize them in their daily operations.

    The Basic Idea of the eIDAS Regulation

    eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation that came into effect in 2016. It establishes common rules for electronic identification and electronic signatures across all EU member states.\n\nIn practice, eIDAS means the following: an electronic signature cannot be denied legal effect in court solely because it is in electronic form. This applies throughout the EU.\n\nThe regulation was updated in 2024 (eIDAS 2.0), introducing elements such as the EU Digital Identity Wallet (EUDI Wallet) and stricter requirements for trust services.

    SES – Simple Electronic Signature

    SES (Simple Electronic Signature) is the simplest signature level. It can be, for example:

    • A name typed in an email
    • A 'I accept the terms' checkbox on a web form
    • A drawn signature on a touchscreen

    SES does not require separate identity verification. It is sufficient for situations with low risk and an existing trust relationship between parties.\n\nWhat this means in practice: if you sell a service for €500 to a small regular customer and they confirm the order via email, it constitutes an SES-level signature. It is valid, but its evidentiary value is weakest in case of a dispute.

    AES – Advanced Electronic Signature

    AES (Advanced Electronic Signature) requires that the signatory be reliably identified and that the signature be linked to them in a way that prevents post-signing alteration.\n\nIn practice, AES means the signer authenticates themselves using, for example, bank credentials, a mobile certificate, or a similar method before signing.\n\nAES meets four requirements:

    1. The signature is uniquely linked to the signer
    2. The signer is identifiable
    3. The signatory has exclusive control over the information used to create the signature
    4. Any changes made to the document after signing are detectable

    What this means in practice: when you send a client contract for signature via EpicSign and the client authenticates with online banking credentials, this is an AES-level signature. This is sufficient for most commercial agreements.

    QES – Qualified Electronic Signature

    QES (Qualified Electronic Signature) is the strongest level. In EU legislation, it is directly equated with a handwritten signature.\n\nQES requires two things:

    1. A certificate issued by an accredited trust service provider (Qualified Certificate)
    2. An accredited signature creation device (Qualified Signature Creation Device, QSCD)

    Signatories for QES can be found on the EU's Trusted List – an official registry where accredited trust service providers are listed. Each EU country maintains its own list.\n\nWhat this means in practice: QES is primarily necessary when the law explicitly requires a written form (e.g., certain real estate transactions, official dealings) or when the value and risk of the contract are particularly high.

    When is each level sufficient?

    For a small business, choosing the right level depends on the risk and value of the document:

    Document TypeRecommended LevelRationale
    Internal acknowledgment, order confirmationSESLow risk, fast and affordable
    Client contract, offerAESReliably identifies the signer
    Employment contract, non-disclosure agreementAESIdentification of both parties is important
    Subcontracting agreementAESStrong link to the signer
    Minutes (board, general meeting)AESIdentified individual, tamper protection
    Real estate transaction, official documentQESLaw may require the strongest level

    Audit trail and evidence

    Every electronic signature leaves a digital trace, known as an audit trail. It serves as electronic evidence of who signed, when, and from where.\n\nA well-implemented audit trail includes:

    • Signer identification data (name, email, authentication method)
    • Timestamp (when the signature was made)
    • IP address and device information
    • A hash of the document, proving that the document has not been altered since signing

    Practical Example: Consulting Firm and Contract Management

    A three-person consulting firm in Tampere handles 10–15 customer contracts monthly. Previously, contracts were printed, signed, and scanned. This process took 30–45 minutes per contract.\n\nSwitching to an AES-level electronic signature with EpicSign transformed the process:

    1. The contract is uploaded to EpicSign (1 min)
    2. Signers are added and the signature request is sent (1 min)
    3. The client authenticates with bank IDs and signs (2 min)
    4. The signed agreement is automatically archived (0 min)

    Time savings: approximately 2 hours per week. Additionally, every agreement is traceable thanks to the audit log.

    Frequently asked questions

    What is the practical difference between SES, AES, and QES signatures?

    SES is the simplest (e.g., a name in an email). AES requires strong authentication, like bank credentials. QES is the strongest and equivalent to a handwritten signature – it requires an approved certificate.

    Is AES level sufficient for an employment contract?

    Yes, in most cases, AES is sufficient for employment contracts in Finland. The law generally does not require QES level for employment contracts.

    What is the EU's Trusted List?

    The Trusted List is an official list maintained by EU countries of approved trust service providers. The list can be found on the EU Commission's website.

    Can an SES signature be disputed in court?

    An SES signature cannot be rejected solely because it is in electronic form (eIDAS Article 25). However, its evidentiary value is weaker than that of AES or QES.

    Does EpicSign support AES-level signatures?

    Yes. EpicSign supports strong authentication (bank credentials), which meets the AES requirements.

    Does a small business need a QES signature?

    Rarely. QES is primarily needed when the law explicitly requires a written form or when dealing with authorities. For regular agreements, AES is sufficient.

    Sources

    1. eIDAS Regulation (EU) No 910/2014 – on electronic identification and trust services
    2. Digital and Population Data Services Agency (DVV) – Electronic identification and trust services
    3. Traficom – Trust services and electronic signatures
    4. EU Trusted Lists – list of approved trust service providers

    This article is general in nature and does not constitute legal advice.

    Try EpicSign

    Start a free trial and send your first signature request in under 20 seconds.

    See pricing