EpicSign
    Back to blog
    Legislation16.2.2026

    EU Electronic Signature Levels (eIDAS): What's the Difference Between Simple, Advanced, and Qualified?

    The EU's eIDAS regulation defines three levels of electronic signatures: simple (SES), advanced (AES), and qualified (QES). In this article, we explain in plain language what each level means, when each is sufficient, and how a small business can use them in its daily operations.

    The Basic Idea of the eIDAS Regulation

    eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation that came into force in 2016. It creates common rules for electronic identification and electronic signatures in all EU countries. In practice, eIDAS means that an electronic signature cannot be dismissed in court simply because it is in electronic form. This applies throughout the EU. The regulation was updated in 2024 (eIDAS 2.0), which introduced, among other things, the EU Digital Identity Wallet (EUDI Wallet) and stricter requirements for trust services.

    SES – Simple Electronic Signature

    SES (Simple Electronic Signature) is the simplest signature level. It can be, for example:

    • A name typed in an email
    • An "I accept the terms" checkbox on a web form
    • A signature drawn on a touchscreen

    SES does not require separate identity verification. It is sufficient for situations where the risk is low and there is already a relationship of trust between the parties. What this means in practice: if you sell a service for €500 to a small, regular client and they confirm the order by email, this is an SES-level signature. It is valid, but in a dispute, its evidentiary value is the weakest.

    AES – Advanced Electronic Signature

    AES (Advanced Electronic Signature) requires that the signer is reliably identified and the signature is linked to them in such a way that it cannot be altered afterwards. In practice, AES means that the signer authenticates themselves using, for example, bank credentials, a mobile certificate, or a similar method before signing. AES meets four requirements:

    1. It is uniquely linked to the signatory
    2. It is capable of identifying the signatory
    3. It is created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control
    4. It is linked to the data signed therewith in such a way that any subsequent change in the data is detectable

    What this means in practice: when you send a customer agreement for signature through EpicSign and the customer authenticates with their bank credentials, it is an AES-level signature. For most commercial agreements, this is perfectly adequate.

    QES – Qualified Electronic Signature

    QES (Qualified Electronic Signature) is the strongest level. In EU law, it is directly equivalent to a handwritten signature. QES requires two things:

    1. A qualified certificate issued by a qualified trust service provider
    2. A qualified signature creation device (QSCD)

    The creators of QES signatures can be found on the EU Trusted List—an official list of qualified trust service providers. Each EU country maintains its own list. What this means in practice: QES is necessary mainly when the law explicitly requires a written form (e.g., certain real estate transactions, government interactions) or when the value and risk of the contract are particularly high.

    When is each level sufficient?

    For a small business, choosing the right level depends on the risk and value of the document:

    Document TypeRecommended LevelJustification
    Internal acknowledgment, order confirmationSESLow risk, fast, and inexpensive
    Customer contract, quotationAESReliably identifies the signer
    Employment contract, NDAAESIdentification of both parties is important
    Subcontractor agreementAESStrong link to the signer
    Meeting minutes (board, general meeting)AESIdentified person, protection against changes
    Real estate transaction, official documentQESThe law may require the highest level

    Audit Trail and Evidence

    Every electronic signature leaves a digital trail, or audit trail. It is electronic evidence of who signed, when, and from where. A well-implemented audit trail includes:

    • Signer's identification details (name, email, authentication method)
    • Timestamp (when the signature was made)
    • IP address and device information
    • Document hash, which proves that the document has not been altered after signing

    Practical Example: a consulting firm and contract management

    A three-person consulting firm in Tampere creates 10–15 client contracts per month. Previously, contracts were printed, signed, and scanned. The process took 30–45 minutes per contract. Switching to an AES-level electronic signature with EpicSign changed the process:

    1. Upload the contract to EpicSign (1 min)
    2. Add signers and send the signature request (1 min)
    3. The client authenticates with bank credentials and signs (2 min)
    4. The signed contract is automatically archived (0 min)

    Time savings: about 2 hours per week. Additionally, every contract is traceable thanks to the audit trail.

    Frequently Asked Questions

    What is the practical difference between SES, AES, and QES signatures?

    SES is the simplest (e.g., a name in an email). AES requires strong authentication, like bank credentials. QES is the strongest and is equivalent to a handwritten signature—it requires a qualified certificate.

    Is an AES-level signature sufficient for an employment contract?

    Yes, in most cases, AES is sufficient for employment contracts in Finland. The law does not generally require a QES level for employment contracts.

    What is the EU Trusted List?

    The Trusted List is an official list of qualified trust service providers maintained by EU member states. The list can be found on the EU Commission's website.

    Can an SES signature be disputed in court?

    An SES signature cannot be dismissed solely because it is in electronic form (eIDAS Article 25). However, its evidentiary value is weaker than that of AES or QES.

    Does EpicSign support AES-level signatures?

    Yes. EpicSign supports strong authentication (bank credentials), which meets the requirements for AES.

    Does a small business need QES signatures?

    Rarely. QES is necessary mainly when the law explicitly requires a written form or for government interactions. For standard contracts, AES is sufficient.

    Sources

    1. eIDAS Regulation (EU) No 910/2014 – on electronic identification and trust services
    2. Digital and Population Data Services Agency (DVV) – Electronic identification and trust services
    3. Traficom – Trust services and electronic signatures
    4. EU Trusted Lists – list of qualified trust service providers

    This article is for general informational purposes and does not constitute legal advice.

    Try EpicSign

    Start a free trial and send your first signature request in under 20 seconds.

    See pricing